So I became a Domain Controller

They told me I could be anything I wanted, so I became a Domain Controller."

While SAMBA did implement Active Directory replication protocol for years, it was not easy to abuse it, especially on the Windows OS. The lsadump::DCSync feature in mimikatz was a first breakout in this area. Red teamers could extract secrets needed for kerberos tokens abuse and even impersonate domain controllers. In short, a read access to the AD database.

Let's be granted write access! It's time to invoke the full power of a domain controller with the new lsadump::DCShadow attack implemented in mimikatz and introduced at BlueHat IL 2018 by the mimikatz and PingCastle authors.

The immediate benefit of DCShadow is to bypass SIEMs, looking at logs collected from all DC, except this specific one. But what if the replication data doesn't follow the specification ? Can we do more ?

Let's be creative and push partial changes or changes forbidden by the specification: can we create some backdoors with Golden ticket ? Reaching unprotected trust via NTLM? targeting admins via monitoring reports? Is object class inmutable? Can we play god by creating and killing objects at will ? More ?

That's not the end: by owing replication data and internal attributes, forensic analysts will now have a hard time doing their job. Is DCShadow a game changer like DCSync was at its time?

Presented by