DCShadow是Mimikatz的lsadump模块中的功能。Mimikatz是用于基于Windows凭据的攻击中的开源后利用工具。DCShadow于2018年添加到Mimikatz中,它使攻击者可以在Windows Server Active Directory(AD)中实现持久特权访问,同时让攻击者掩盖自己的足迹。
针对AD的攻击很常见,因为它可以控制IT基础结构中大多数系统的安全性。如果黑客能够获得对AD的特权访问,那么他们还具有对加入AD域的所有服务器和设备的特权访问。
DCShadow如何工作?
DCShadow攻击通过在域的配置分区中创建两个新对象,将加入AD域的所有Windows设备注册为域控制器(DC)。它还会更改攻击中使用的计算机的服务主体名称(SPN)。
可以从Windows 10进行攻击。虽然Windows 10不能成为域控制器,但DCShadow会诱使AD认为Windows 10或另一个Windows客户端SKU实际上是DC。
一旦AD信任了用于攻击的设备将更改复制到目录中,攻击者便会推送更改,使他们能够控制域。
成功复制攻击者的更改之后,将删除配置分区中的新DC对象,从而帮助攻击者在逃避检测的同时创建对域的持久访问。总结一下:
攻击者通过在AD的Configuration分区中创建对象来注册流氓DC
攻击者将更改复制到AD,以便他们可以保持持久性
攻击者删除了可能仅存在几秒钟的“恶意” DC
对Active Directory的特权访问
在攻击者可以更改AD的配置分区之前,他们需要对域的特权访问。您可能会问,如果攻击者已经拥有对该域的特权访问权,为什么要竭尽全力注册一个恶意DC?因为DCShadow主要是关于攻击者试图尽可能长时间保持未被发现的状态。
预防胜于治疗
阻止DCShadow和其他针对AD的攻击的最佳方法是防止黑客获得特权访问。通常,当黑客利用Windows中的漏洞时,将收获域管理员凭据。例如,IT人员可能使用域管理员凭据登录Windows PC以支持用户。在稍后的阶段,可能会破坏设备以及域管理员凭据。
特权访问工作站
最佳做法是,在经过特别保护且旨在管理AD的工作站上,仅使用域管理员凭据和对AD具有特权访问权限的其他帐户。这些工作站称为特权访问工作站(PAW)。PAW不应连接到公共Internet。
委派常见管理任务的权限
可以将日常管理任务(例如管理AD用户,组和组策略对象)委派给用户,而无需授予他们对域的特权访问。Active Directory用户和计算机(ADUC)中的控制委派向导可用于委派执行常见管理任务的特权。
有关更多信息,请参见在Petri上管理对Active Directory的特权访问。
使用Windows 10 Credential Guard保护域帐户
Windows Defender Credential Guard通过将凭据隔离在Windows内核无法访问的安全区域中来提供对域帐户的额外保护,即使Windows内核已被破坏也是如此。Credential Guard需要设备支持基于虚拟化的安全性(VBS)。
Active Directory分层管理模型
Microsoft用于管理AD的分层管理模型可帮助组织更好地保护其环境。该模型定义了三个层次,这些层次创建缓冲区,以将高风险PC的管理与有价值的资产(例如域控制器)分开。
从一层转移到另一层并非不可能,但是该模型确实增加了攻击者的成本。
有关实现分层管理模型的更多信息,请参见为什么要使用Microsoft的Active Directory层管理模型并设置Active Directory以支持 Petri上的层级管理和特权访问工作站。
特权身份管理
特权身份管理(PIM)解决方案可以帮助组织监视和控制对AD的特权访问。Windows Server 2016影子主体和短暂的AD组与专门加固的AD林一起使用时,可帮助企业控制Active Directory。
原文
How to Protect Against Active Directory DCShadow Attacks
DCShadow is a feature in the lsadump module of Mimikatz. Mimikatz is an open-source post-exploitation tool used in Windows credential-based attacks. DCShadow was added to Mimikatz in 2018 and it lets attackers achieve persistent privileged access in Windows Server Active Directory (AD), while letting the attacker cover their tracks.
Attacks against AD are common because it controls the security for most systems in your IT infrastructure. If a hacker can get privileged access to AD, then they also have privileged access to all servers and devices joined to the AD domain.
How does DCShadow work?
A DCShadow attack registers any Windows device joined to the AD domain as a domain controller (DC) by creating two new objects in the domain’s Configuration partition. It also changes the service principal name (SPN) of the computer used in the attack.
The attack can be performed from Windows 10. And while Windows 10 cannot be a domain controller, DCShadow tricks AD into thinking Windows 10, or another Windows client SKU, is actually a DC.
Once the device used in the attack is trusted by AD to replicate changes to the directory, the attacker pushes changes that allows them to stay in control of the domain.
After the attacker’s changes have successfully replicated, the new DC objects in the Configuration partition are deleted, helping the attacker to create persistent access to the domain while evading detection. To summarize:
The attacker registers a rogue DC by creating objects in AD’s Configuration partition
The attacker replicates changes to AD so that they can maintain persistence
The attacker deletes the ‘rogue’ DC, which might only exist for a few seconds
Privileged access to Active Directory
Before an attacker can make changes to AD’s Configuration partition, they need privileged access to the domain. You might ask why go through all the effort to register a rogue DC if an attacker already has privileged access to the domain? Because DCShadow is primarily about the attacker trying to remain undiscovered for as long as possible.
Prevention is better than cure
The best way to stop DCShadow, and other attacks against AD, is to prevent hackers from getting privileged access. Domain administrator credentials are usually harvested when hackers exploit vulnerabilities in Windows. For example, IT staff might use domain admin credentials to log in to Windows PCs to support users. At a later stage, a device may be compromised, along with the domain admin credentials.
Privileged access workstations
It’s best practice to only use domain admin credentials and other accounts that have privileged access to AD, on workstations that are specially secured and purposed for managing AD. These workstations are known as privileged access workstations (PAW). PAWs shouldn’t be connected to the public Internet.
Delegating privileges for common admin tasks
Everyday admin tasks, like managing AD users, groups, and Group Policy Objects, can be delegated to users without giving them privileged access to the domain. The Delegation of Control Wizard in Active Directory Users and Computers (ADUC) can be used to delegate privileges for performing common admin tasks.
See Managing Privileged Access to Active Directory on Petri for more information.
Protecting domain accounts with Windows 10 Credential Guard
Windows Defender Credential Guard provides extra protection for domain accounts by isolating credentials in a secure zone that the Windows kernel cannot access, even if it is compromised. Credential Guard requires devices support virtualization-based security (VBS).
Active Directory tiered administration model
Microsoft’s tiered administration model for managing AD helps organizations better secure their environments. The model defines three tiers that create buffer zones to separate administration of high-risk PCs from valuable assets like domain controllers.
It’s not impossible to move from one tier to another but the model does increase the cost for attackers.
For more information on implementing a tiered administration model, see Why You Should Use Microsoft’s Active Directory Tier Administrative Model and Set Up Active Directory to Support Tiered Administration and Privileged Access Workstations on Petri.
Privileged identity management
A privileged identity management (PIM) solution can help organizations monitor and control privileged access to AD. Windows Server 2016 Shadow Principals and short-lived AD groups help businesses take control of Active Directory when used with a specially hardened AD forest for administration.
