Forest Persistence – DCShadow
• DCShadow temporarily registers a new domain controller in the target domain and uses it to "push" attributes (such as SIDHistory, SPNs, etc.) onto specified objects without leaving change logs for the modified objects!
• The new domain controller is registered by modifying the Configuration container, the SPNs of an existing computer object and a couple of RPC services.
• Because the attributes are changed from a "domain controller", there are no directory change logs on the actual DC for the target object.
• By default, DA privileges are required to use DCShadow.
• In my experiments, the attacker's machine must be part of the root domain.
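
Added example (not part of the original notes): the pushed attribute changes skip the target object's change log, but the registration steps listed above (SPN changes on a computer object, new objects under the Configuration container) are ordinary directory writes that Windows auditing can record. The sketch below flags them in already-parsed events, assuming Security events 4742, 5137 and 5141 are collected; the dictionary field names, host names and sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

# RPC interface UUID of the directory replication service (DRSUAPI); real domain
# controllers carry it as an SPN service class, as they do "GC/" on global catalogs.
DRS_SPN_PREFIX = "e3514235-4b06-11d1-ab04-00c04fc2dcd2/"

def server_from_ntdsdsa_dn(dn):
    """Return <server> from CN=NTDS Settings,CN=<server>,CN=Servers,... or None."""
    parts = [p.strip() for p in dn.split(",")]
    if len(parts) > 1 and parts[0].lower() == "cn=ntds settings":
        return parts[1][3:].upper()
    return None

def find_dcshadow_indicators(events, known_dcs, window=timedelta(minutes=10)):
    """Flag DC-only SPNs and nTDSDSA objects that belong to hosts not in known_dcs."""
    known = {d.upper() for d in known_dcs}
    findings, created = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        eid = ev["id"]
        if eid == 4742:  # a computer account was changed
            host = ev["computer"].rstrip("$").upper()
            bad = [s for s in ev.get("spns", [])
                   if s.lower().startswith((DRS_SPN_PREFIX, "gc/"))]
            if bad and host not in known:
                findings.append(("dc-spn-on-non-dc", host))
        elif eid in (5137, 5141) and ev.get("class", "").lower() == "ntdsdsa":
            host = server_from_ntdsdsa_dn(ev["dn"])
            if host is None or host in known:
                continue
            if eid == 5137:  # a directory service object was created
                created[ev["dn"].lower()] = ev["time"]
                findings.append(("ntdsdsa-created-for-non-dc", host))
            else:  # 5141: a directory service object was deleted
                t0 = created.get(ev["dn"].lower())
                if t0 is not None and ev["time"] - t0 <= window:
                    findings.append(("ntdsdsa-transient", host))
    return findings

# Constructed sample events (not taken from a real log); field names are hypothetical.
CFG = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example"
T = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE = [
    {"id": 4742, "time": T, "computer": "WKSTN07$",
     "spns": ["HOST/WKSTN07", "GC/WKSTN07.corp.example/corp.example"]},
    {"id": 5137, "time": T + timedelta(seconds=2), "class": "nTDSDSA",
     "dn": "CN=NTDS Settings,CN=WKSTN07," + CFG},
    {"id": 5141, "time": T + timedelta(seconds=40), "class": "nTDSDSA",
     "dn": "CN=NTDS Settings,CN=WKSTN07," + CFG},
    {"id": 5137, "time": T, "class": "nTDSDSA", "dn": "CN=NTDS Settings,CN=DC02," + CFG},
]
```

Events 5137 and 5141 are only written when directory service change auditing and matching SACLs on the Configuration partition are in place, so check that coverage before relying on these rules.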