{"id":18896187,"url":"https://github.com/tenable/uncoverdcshadow","last_synced_at":"2026-02-28T04:30:15.119Z","repository":{"id":136300607,"uuid":"593738659","full_name":"tenable/UncoverDCShadow","owner":"tenable","description":null,"archived":false,"fork":false,"pushed_at":"2023-01-26T18:22:25.000Z","size":26,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-12-31T08:13:23.789Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tenable.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-01-26T18:22:19.000Z","updated_at":"2024-01-11T06:51:15.000Z","dependencies_parsed_at":"2023-07-24T07:00:22.893Z","dependency_job_id":null,"html_url":"https://github.com/tenable/UncoverDCShadow","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tenable%2FUncoverDCShadow","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tenable%2FUncoverDCShadow/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tenable%2FUncoverDCShadow/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tenable%2FUncoverDCShadow/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tenable","download_url":"https://codeload.github.com/tenable/UncoverDCShadow/tar.gz/refs/heads/master"
,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":239870843,"owners_count":19710795,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-08T08:32:50.302Z","updated_at":"2026-02-28T04:30:15.062Z","avatar_url":"https://github.com/tenable.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Uncover-DCShadow\r\n\r\n#### \"Yes, your good old SIEM can detect suspicious directory changes in a sec.\"\r\n![A basic example of DCShadow detection](/../screenshots/img/UncoverDCShadow01.png?raw=true \"A basic example of DCShadow detection\")\r\n\r\nUncoverDCShadow is a set of proof-of-concept helpers designed to help blue teams detect the use of the [DCShadow](http://www.bluehatil.com/files/Active%20Directory%20What%20Can%20Make%20Your%20Million%20Dollar%20SIEM%20Go%20Blind.pdf) attack on their Active Directory infrastructure. These helpers have been designed to illustrate how security monitoring can be achieved without requiring a network tap or event log forwarding.\r\n\r\nA high-definition example video is available [here](https://youtu.be/yWFUKwZaT_4).\r\n\r\n---\r\n#### TABLE OF CONTENTS\r\n1. Quick start\r\n2. What is DCShadow?\r\n3. Why UncoverDCShadow?\r\n4. How does it actually work?\r\n5. Documentation\r\n6. References\r\n7. 
Authors\r\n\r\n---\r\n\r\n## QUICK START\r\n\r\nFor those of you who like to go straight to the point, here is the easiest way to start detecting DCShadow in a Windows PowerShell 5 shell:\r\n\r\n```powershell\r\ngit clone git@github.com:AlsidOfficial/UncoverDCShadow.git\r\nSet-Location UncoverDCShadow\r\nGet-Help .\\UncoverDCShadow.ps1 -Examples\r\n.\\UncoverDCShadow.ps1 -Server domain-controller.domain.corp -Credential (Get-Credential -Message \"Domain account to use\")\r\n```\r\n\r\n## What is DCShadow?\r\n\r\nOn January 24th 2018, [Benjamin Delpy](https://twitter.com/gentilkiwi) and [Vincent Le Toux](https://twitter.com/mysmartlogon), two security researchers, released a new attack technique against Active Directory infrastructure during the “[BlueHat IL](http://www.bluehatil.com)” security conference. Named “DCShadow”, this technique allows an attacker with the appropriate rights to create a rogue domain controller able to replicate malicious objects into a running Active Directory infrastructure.\r\n\r\nDCShadow is implemented in the famous Swiss-army-knife tool for manipulating Windows credentials, “[Mimikatz](https://github.com/gentilkiwi/mimikatz)”.\r\n\r\n[![DCShadow in Action - Modifying the Krbtgt property](https://img.youtube.com/vi/0fULtqISsMc/0.jpg)](https://www.youtube.com/watch?v=0fULtqISsMc)\r\n\r\nA technical analysis of the attack has been published on [Alsid's Blog](https://blog.alsid.eu/dcshadow-explained-4510f52fc19d) and provides a clear overview of the main steps of the attack. The attack can be summarized in 6 main steps:\r\n1. Obtain domain admin (or similar) privileges\r\n2. Set required SPNs on a computer account\r\n3. Create the NTDS-DSA object\r\n4. Impersonate environment as the computer account\r\n5. Start RPC server in charge of replication\r\n6. 
Force the replication process\r\n\r\n## Why UncoverDCShadow?\r\n\r\n### Standard detection approaches go blind\r\n\r\nOne of the main strengths of DCShadow is that it is reasonably stealthy for attackers. In the general case, Domain Controllers (DCs) are in charge of creating events when a security-relevant operation occurs. With DCShadow, illegitimate actions are taken on a rogue DC. The event logs that could have helped blue teams detect the attack (using their SIEM, for instance) will never be created.\r\n\r\nAs explained in the [article](https://blog.alsid.eu/dcshadow-explained-4510f52fc19d), blue teams need to completely redesign their strategy and shift their focus from log analysis to AD configuration analysis. Thankfully, UncoverDCShadow is here for you!\r\n\r\n### Provide an efficient solution ...\r\n\r\nStandard detection approaches use network detection to monitor the addition of rogue SPNs and the call to the `DRSReplicaAdd` RPC.\r\n\r\n![DCShadow network flows detection](https://pbs.twimg.com/media/DUVjS-MWAAcf1Pa.jpg \"A packet capture\")\r\n\r\nWe consider network detection approaches unsuitable for real-world Active Directory infrastructures for at least three reasons:\r\n1. It requires monitoring every Domain Controller, even if you have dozens of them. If you miss one of them, you are blind.\r\n2. There are several sneaky ways to inject illegitimate data without calling `DRSReplicaAdd`.\r\n3. You would have to tap/duplicate the whole traffic in and out of your most sensitive infrastructure. Really?\r\n\r\nAt Alsid, we wanted to prove to ourselves that better solutions exist. DCShadow needs to register several new objects (like a new `nTDSDSA` object, or an SPN carrying the very characteristic GUID `E3514235-4B06-11D1-AB04-00C04FC2DCD2`) to act as a rogue domain controller. Can't we simply monitor the Active Directory database to detect these specific events? Good news, Active Directory provides several ways of doing it!\r\n\r\n### ... 
to make your SIEM ubiquitous again!\r\n\r\nIf we are able to detect object changes in the directory, we are one step away from sending a message out to the SIEM and making it see again!\r\n\r\nGood news, dear SIEM manufacturers: your solutions are still in the game :).\r\n\r\n## How does it actually work?\r\n\r\n### General explanation\r\n\r\nUncoverDCShadow uses the ability to make asynchronous calls to the AD database using LDAP. Using the well-known (or not so well-known) LDAP server control [LDAP_SERVER_NOTIFICATION_OID (1.2.840.113556.1.4.528)](https://msdn.microsoft.com/en-us/library/cc223320.aspx), any user can receive information about any created, modified or deleted object of the entire Active Directory database!\r\n\r\nUsing what we know about how DCShadow works, detecting it becomes as easy as requesting in LDAP the content of:\r\n- the configuration partition (to detect the creation of `nTDSDSA` objects).\r\n- the domain partition (to detect the setting of the infamous `E3514235-4B06-11D1-AB04-00C04FC2DCD2` SPN).\r\n\r\nThis innovative approach provides several benefits:\r\n- NO privileges required (we only need to be part of the `Authenticated Users` group).\r\n- Only one DC per AD infrastructure needs to be monitored.\r\n- No need to monitor network traffic anymore.\r\n- It's completely safe for your AD infrastructure.\r\n\r\nEasy, don't you think? Actually, we still need to be smart to differentiate a DCShadow attack from a regular DC promotion, and to deal with replication.\r\n\r\n### Technical deep-dive\r\n\r\nTo understand the difference between a regular DC promotion and a DCShadow\r\nattack, the following timeline presents AD changes during both of these\r\nprocesses. 
The `computer` object representing the DC being promoted and the\r\n`computer` object used by the DCShadow attack are both represented by the DN\r\n`CN=DC002,CN=Computers,DC=alsid,DC=corp`; the object changed by the\r\nDCShadow attack isn't relevant here and thus isn't shown.\r\n\r\nOn this timeline, black marks a regular DC promotion being performed, green\r\nshows what is performed by both a regular DC promotion and the DCShadow attack,\r\nand red highlights steps that only DCShadow takes.\r\n\r\n![DCPromo/DCShadow AD changes timeline](/../screenshots/img/DC_join_and_promote.png?raw=true \"DCPromo/DCShadow AD changes timeline\")\r\n\r\nAs shown in this timeline, a few elements can be used to differentiate a\r\nlegitimate DC promotion from a DCShadow attack when tracking AD changes. Note\r\nthat a DCShadow attack run against another DC than the one monitored may result in\r\nfewer objects being replicated: we've seen cases where only the deleted\r\n`server` and `nTDSDSA` objects, the targeted object and the computer object\r\n(without any modification) are replicated.\r\n\r\nThis **POC** registers LDAP asynchronous requests using the\r\n[LDAP_SERVER_NOTIFICATION_OID](https://msdn.microsoft.com/en-us/library/cc223320.aspx)\r\nOID and tracks what changes are registered in the AD infrastructure.\r\n\r\nThis **POC** focuses on the `server` and the `nTDSDSA` objects, and what\r\nhappens before they're removed from the AD. 
Only 6 criteria are used on\r\nthese two objects, triggered once the `server` object has been deleted:\r\n\r\n* The root domain object's `masteredby` attribute hasn't been changed to\r\ninclude the `nTDSDSA` object's DN.\r\n* No `nTDSConnection` object has been created under the `nTDSDSA` object.\r\n* The `server` object's `serverreference` attribute doesn't hold a DN located\r\nin the Domain Controllers OU.\r\n* The creation time and the last changed time aren't separated by sufficient\r\ntime - 60 minutes by default.\r\n* The `server` object's USN changed and USN created aren't the same - that\r\nparticular criterion takes replication into account.\r\n* The `nTDSDSA` object hasn't been created before - that particular criterion\r\nalso takes replication into account.\r\n\r\nWith these criteria, the `Trap-DCShadowAttempt` cmdlet should catch most\r\nattempts at messing with your AD infrastructure through DCShadow.\r\n\r\nSide note: the object modified by DCShadow isn't shown on the timeline, but\r\nwould appear between the last green and the first red boxes.\r\n\r\n## Documentation\r\n\r\n### Usage\r\n\r\nYou can either import the `.psm1` module and run the `Trap-DCShadowAttempt`\r\nfunction, or run the `UncoverDCShadow.ps1` script - which imports the module\r\nand runs this function.\r\nThe parameters for the function and the script are the same, optional, and are\r\nthe following ones:\r\n\r\n* **Server**: Server to monitor. If not given, will use the current user's\r\nlogon controller.\r\n* **Credential**: AD account to use to connect. 
If not given, will implicitly\r\nuse the current user's credentials.\r\n\r\n**Note that the AD account doesn't need to be privileged.**\r\n\r\nDon't forget that **this is a POC** (tested on Windows Server 2016 only), and\r\nthat it might produce some false positives and might not catch a modified DCShadow\r\nexploit.\r\n\r\n### Command line documentation\r\n##### Implicit use\r\nImplicitly use the current user's credentials and domain\r\n```powershell\r\nTrap-DCShadowAttempt\r\n```\r\n##### Explicit domain specification\r\nImplicitly use the current user's credentials on the domain controller at 192.168.1.1\r\n```powershell\r\nTrap-DCShadowAttempt -Server 192.168.1.1\r\n```\r\n##### Explicit domain and credentials specification\r\nUse the explicitly-specified credentials on the domain controller at 192.168.1.1\r\n```powershell\r\nTrap-DCShadowAttempt -Server 192.168.1.1 -Credential (Get-Credential -Message \"Domain account to use\")\r\n```\r\n##### Display any database changes with implicit authentication\r\nImplicitly use the current user's credentials and domain, and display any changes received by the AD database\r\n```powershell\r\n$InformationPreference = $VerbosePreference = $DebugPreference = 'Continue'\r\nTrap-DCShadowAttempt\r\n```\r\n##### Display any database changes with explicit authentication\r\nDisplay all available information while using the explicitly-specified credentials on the domain controller at 192.168.1.1\r\n```powershell\r\n$InformationPreference = $VerbosePreference = $DebugPreference = 'Continue'\r\nTrap-DCShadowAttempt -Server 192.168.1.1 -Credential (New-Object System.Management.Automation.PSCredential ('UnprivilegedUser', (ConvertTo-SecureString \"SecurePwd\" -AsPlainText -Force)))\r\n```\r\nNotes about this example:\r\n* An insecure way of handling credentials is shown in this example; prefer the [`Get-Credential`](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-credential) cmdlet instead\r\n* 
This is the opportunity to show that you can use any unprivileged domain user to run this script\r\n\r\n### Uncover-DCShadow and PowerShell streams\r\n\r\nAs you might know, PowerShell [has multiple message streams](https://blogs.technet.microsoft.com/heyscriptingguy/2014/03/30/understanding-streams-redirection-and-write-host-in-powershell/).\r\n\r\nTrap-DCShadowAttempt leverages PowerShell streams in the following fashion:\r\n- Output: An object for each detected DCShadow attempt, useful for piping into\r\nsomething else\r\n- Information: Information about the detection function's state and how to\r\nproperly quit, in string format\r\n- Warning: Every state a \"potentially suspicious\" element can take - including\r\nlegitimate, newly-promoted DCs, so not every reported element is fully suspicious.\r\n- Verbose: Dump of added/modified/deleted AD objects\r\n- Debug: Follow each of the module's steps in its discovery\r\n\r\n### Friendly reminder\r\n\r\nWhile this software should be harmless for your AD, don't forget these helpers are a **POC** (tested on Windows Server 2016 with Windows PowerShell 5 only), provided as-is. 
It might produce some false positives and might not catch a modified DCShadow exploit.\r\n\r\nFinally, the Alsid team will not provide any support, as stated in [the open source license](LICENSE.md).\r\n\r\n## References\r\n- [Active Directory: What can make your million dollar SIEM go blind?](http://www.bluehatil.com/files/Active%20Directory%20What%20Can%20Make%20Your%20Million%20Dollar%20SIEM%20Go%20Blind.pdf)\r\n- [DCShadow explained: A technical deep dive into the latest AD attack technique](https://blog.alsid.eu/dcshadow-explained-4510f52fc19d)\r\n- [Mimikatz GitHub repository](https://github.com/gentilkiwi/mimikatz)\r\n- [[MS-ADTS]: Active Directory Technical Specification](https://msdn.microsoft.com/en-us/library/cc223122.aspx)\r\n- [[MS-DRSR]: Directory Replication Service (DRS) Remote Protocol](https://msdn.microsoft.com/en-us/library/cc228086.aspx)\r\n\r\n## Authors\r\n- Romain COLTEL - ALSID, 2018\r\n- Luc DELSALLE - ALSID, 2018\r\n\r\nThanks to [@aurel26](https://github.com/aurel26) for all his pieces of advice and bottomless knowledge of AD internals.\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftenable%2Funcoverdcshadow","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftenable%2Funcoverdcshadow","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftenable%2Funcoverdcshadow/lists"}