DCShadow
DCShadow
A DCShadow attack on Active Directory is an attack designed to change directory objects using malicious replication. During this attack, DCShadow impersonates a Domain Controller using administrative rights and starts a replication process, so that changes made on one Domain Controller are synchronized with other Domain Controllers. DCShadow abuses the Directory Replication Service (DRS) Remote Protocol [MS-DRSR] and Active Directory Technical specification [MS-ADTS].
Exploitation
Start Mimikatz, running as an account that is part of Domain Admins or Enterprise Admins:
Now start another mimikatz process (leave the other window open) and push the object changes:
Last updated