How to Detect a New Domain Controller in Your Network

Some malware can create a Domain Controller to infect your network and steal data. DCShadow is a late-stage kill chain attack that allows an attacker with compromised privileged credentials to register a rogue Active Directory (AD) domain controller (DC). Then the adversary can push any changes they like via replication — including changes that grant them elevated rights and create persistence. It can be extremely difficult to detect a new Domain Controller, so you need to know how to find one if you suspect an infection.

Overview

A domain controller is a server that manages the security and authentication of users and computers in a domain. A domain is a logical grouping of network resources that share a common name and directory database. A new domain controller can be added to a domain for various reasons, such as increasing redundancy, improving performance, or expanding the network.

However, a new domain controller can also pose a security risk if it is not authorized or configured properly. An unauthorized domain controller can compromise the security of the entire domain by granting access to unauthorized users or computers, or by intercepting and modifying network traffic. Therefore, it is important to detect and monitor any new domain controllers in your network.

In this blog post, we will show you how to detect a new domain controller in your network using some simple tools and techniques. We will assume that you have administrative privileges on your network and that you are familiar with basic Windows commands and PowerShell.

Use the Netdom Command

The netdom command is a Windows command-line tool that can be used to manage domains and trust relationships. One of the functions of the netdom command is to list all the domain controllers in a domain. To use the netdom command, you need to open a command prompt as an administrator and type the following command:

netdom query dc

This command will display all the domain controllers in your current domain. You can also specify a different domain name after the dc parameter if you want to query another domain. For example:

netdom query dc example.com

The output of this command will look something like this:

List of domain controllers with accounts in the domain:

DC1DC2DC3The command completed successfully.

You can compare this output with your previous records or expectations to see if there is any new or unexpected domain controller in your domain. If you find one, you should investigate further to determine its origin and purpose.

Use the Get-ADDomainController PowerShell Cmdlet

The Get-ADDomainController PowerShell cmdlet is another tool that can be used to retrieve information about domain controllers in a domain. To use this cmdlet, you need to open a PowerShell window as an administrator and type the following command:

Get-ADDomainController -Filter *

This command will display all the domain controllers in your current domain along with some additional information, such as their name, site, operating system, IP address, and roles. You can also specify a different domain name after the -Server parameter if you want to query another domain. For example:

Get-ADDomainController -Filter * -Server example.com

The output of this command will look something like this:

DistinguishedName : CN=DC1,OU=Domain Controllers,DC=eexample, DC comDNSHostName : DC1.example.comEnabled : TrueName : DC1ObjectClass : computerObjectGUID : 12345678-1234-1234-1234-123456789012SamAccountName : DC1$SID : S-1-5-21-1234567890-1234567890-1234567890-1000Site : Default-First-Site-NameOperatingSystem : Windows Server 2019OperatingSystemVersion : 10.0 (17763)Forest : example.comDomain : example.comIPv4Address : 192.168.1.1IPv6Address : fe80::1234:5678:90ab:cdef%12IsGlobalCatalog : TrueIsReadOnly : FalseIsSeized : FalseRoles : {PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster...}DistinguishedName : CN=DC2,OU=Domain Controllers,DC=example, DC ComDNSHostName : DC2.example.comEnabled : TrueName : DC2ObjectClass : computerObjectGUID : 23456789-2345-2345-2345-234567890123SamAccountName : DC2$SID : S-1-5-21-2345678901-2345678901-2345678901-1000Site : Default-First-Site-NameOperatingSystem : Windows Server 2019OperatingSystemVersion : 10.0 (17763)Forest : example.comDomain : example.comIPv4Address : 192.168.1.2IPv6Address : fe80::1235:5678:90ac:cdef%12IsGlobalCatalog : TrueIsReadOnly : FalseIsSeized : FalseRoles : {PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster...}

You can also use Event ID 4742 in your Security log to monitor the changes to your registered Domain Controllers. This event shows which user initiated the change, so you know which Domain Administrator account is being used to perform the attack.