Hello, welcome to the Wednesday, January 31st, 2018 edition of the Sansonet Storm Center's

Stormcast. My name is Johannes Ulrich, and then I'm recording from Miami, Florida.

D.C. Shadow is a new attack released last week by Benjamin Delpy and Vincent Latu at Microsoft's Blue Hat, Illinois conference.

You may have heard about them from their popular work on mimicats.

The DC part of the name DC Shadow is short for domain controller,

and the attack really takes advantage of the replication feature built into

Windows domain controllers. To better understand how DC Shadow works and how it ties in with

mimicats, let's talk a little bit about how mimicads can be used to interact with domain controllers. If an attacker can run

mimic hats on a domain controller, of course, then the attacker has access to the hashes

within the domain controller and can issue what's often referred to as a golden ticket, which

gives access to features the domain controller offers.

This already provides an attacker with a far-reaching set of rights to access and modify

all thecation data. What's really more the problem here is how noisy all of this is. Later,

the DC sync attack was added to Later, the DC Sync attack was added to Mimicats.

DC Sync again uses replication now due to replication or by taking advantage of replication,

an attacker is able to read information from a domain controller across the network.

So this gives the attacker a little more persistent access to the domain controller

and requires less work to be done on the actual domain controller.

In order to run DC Syn, the attacker, however, does need to have credentials that do have permission

to request replication. Now, typically administrators and members of the domain controller

group have that kind of access. Replication can be detected using an IDS, of course.

The new DC shadow attack really takes us a step further.

...