dcshadow.com - DCShadow attack

Description: Official page of the DCShadow attack. Just transform my Windows 7 into a domain controller!

Example domain paragraphs

They told me I could be anything I wanted ... So I became a domain controller

DCShadow is a new feature in mimikatz, located in the lsadump module. It simulates the behavior of a Domain Controller (using protocols such as RPC that are used only by DCs) to inject its own data, bypassing most of the common security controls, including your SIEM. It shares some similarities with the DCSync attack (already present in the lsadump module of mimikatz). As a reminder, a Domain Controller is a server controlling an "Active Directory", a shared authentication service used in enterprises.

DCShadow was presented at the Bluehat IL 2018 conference by Vincent LE TOUX and Benjamin Delpy.
