The Domain Controller: An Achilles' Heel

How attackers use domain controller penetration for large-scale compromises



One primary focus area for improving your cybersecurity posture should be the domain controller. Domain controller compromises affect governments, organizations, and businesses alike. Ransomware still leads the headlines in sheer volume, but the exfiltration and weaponization of intellectual property deserves equal attention: protecting personally identifiable information (PII) and other sensitive data is not only a security goal but also the way to avoid regulatory consequences such as hefty fines.

At Pondurance, we spend considerable time analyzing common attack patterns so that we can reduce compromises, shorten dwell time, and prevent damaging breaches for our clients. In doing so, we identified the factors that most successful large-scale breaches have in common, and the one with the biggest business impact is compromise of the domain controller. In this whitepaper, we analyze domain controller compromises, the common techniques used to gain unauthorized access, and practical steps for preventing an attack on your domain controller.

Prioritize the domain controller as a potential attack vector

A domain controller is a server that answers authentication requests and controls which hosts and users may access domain resources. In a Windows environment it hosts the Active Directory database: it authenticates users, stores account and group information, and enforces security policy for the domain. Whoever controls the domain controller therefore controls every account and every domain-joined system.

From a business perspective, the relatively small investment needed to build a strategy around domain controller security, with ongoing monitoring and testing, may be some of the best money spent in your security program. When prioritizing assets, many organizations overlook the domain controller, but in most cases it belongs at the top of the list. Several exploit paths typically contribute to a successful compromise, often blurring the lines between conduit, condition, and cause. For example, phishing and business email compromise remain leading ways to get a malicious attachment onto a user's system.

Limited security awareness training is another factor that contributes to many system and data compromises, including unauthorized system access and ransomware. It is also worth examining the root cause that lets an attacker broaden system access and deploy ransomware across an entire enterprise: that is where compromise of the domain controller comes into play. Completely eliminating unauthorized access and ransomware may not be an immediate reality, even with a hardened domain controller, but reducing or eliminating the spread within your organization can be the difference between a nuisance and a business-crippling event.

Compromises to the Domain Controller

The most common way a domain controller is initially compromised is through poor cybersecurity hygiene: unpatched systems, unnecessary open ports, misconfigurations, stolen credentials, and risky user behavior. More sophisticated attackers, however, break into even well-protected and mature environments. Compromising a domain controller is not the only way to reach an attacker's goal, but it is a common tactic for getting there quickly and is by far the most common denominator in large-scale breaches and sophisticated cyberattacks.

Ransomware receives a lot of attention, but the problem is not just ransomware. Many other attacks are carried out through the domain controller. Governments, service providers, and technology organizations of all sizes are being targeted, and the number of attacks on them continues to rise.

Classifications of breaches typically fall into four categories:

  • Confidentiality breach — an unauthorized or accidental disclosure of or access to personal data
  • Integrity breach — an unauthorized or accidental alteration of personal data 
  • Availability breach — an accidental loss of access to or destruction of personal data
  • Intellectual property breach — theft of critical information, trade secrets, or tooling that can then be weaponized at a much larger scale

The impact to an organization includes risk to: 

  • Revenues 
  • Mission 
  • Reputation 
  • Regulatory risk, compliance, and legal exposure 
  • National security 
  • Human life and safety

Exfiltration and Access

The average dwell time (the period during which an attack goes undetected) is commonly reported at between three and nine months. Historically, the longer the dwell time, the greater the damage, because more systems are affected and more data is exfiltrated. In more sophisticated compromises, typically involving nation-states, the threat actor can remain in the environment for a year or more. The following types of data and access are at risk:

  • Credit card information (payment card industry-regulated data) 
  • Consumer and customer information (PII) 
  • Employee information (including healthcare information and PII)
  • User credentials and domain controller access 
  • Business email access 
  • Access to payment systems, enabling automated clearinghouse (ACH) and wire fraud 
  • Intellectual property

Third-party hop

Threat actors typically look for the weakest link among third-party vendors, contractors, and connections. 

  • Threat actors exploit third-party relationships, using weaknesses in a vendor's technology or processes to gain access to the organizations it serves
  • Another common exploit path is the reuse of the same local or domain administrator credentials across domain-joined devices and, in many cases within the same organization, nondomain devices. One recovered password or password hash then works everywhere it was reused
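The blast radius of a reused administrator credential can be measured from the kind of hash dump an incident responder (or an attacker) recovers from endpoints. The following Python is an added example, not part of the whitepaper and not Pondurance tooling: it parses a constructed secretsdump-style listing (every host name, account name and hash value below is made up) and reports which other hosts and which domain accounts share a hash, which is exactly where a recovered hash will also authenticate. It also flags hosts that still store a real LM hash, a sign that legacy, trivially crackable hashing is still enabled. The same check applies to the recommendation later in this paper to separate local from domain administration.

```python
"""Blast radius of a reused local administrator credential (added example).

Input is a constructed secretsdump-style listing of local Administrator
hashes per host plus a map of domain account NT hashes. Every host name,
account and hash value here is made up for the example.
"""
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash stored when LM hashing is disabled

# Constructed sample, one "host/user:rid:lmhash:nthash:::" line per host.
LOCAL_SAM = """\
WS-FIN-01/Administrator:500:aad3b435b51404eeaad3b435b51404ee:1c3a9b6ae4b9e5f0d2c8a7e1f6b4d3c2:::
WS-FIN-02/Administrator:500:aad3b435b51404eeaad3b435b51404ee:1c3a9b6ae4b9e5f0d2c8a7e1f6b4d3c2:::
WS-HR-07/Administrator:500:aad3b435b51404eeaad3b435b51404ee:1c3a9b6ae4b9e5f0d2c8a7e1f6b4d3c2:::
KIOSK-03/Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:9f8e7d6c5b4a39281716151413121110:::
"""

# Constructed domain account hashes; svc_sql deliberately shares the workstation
# Administrator password, the "tested at the domain" case the text describes.
DOMAIN_HASHES = {
    "CORP\\da-admin": "0a1b2c3d4e5f60718293a4b5c6d7e8f9",
    "CORP\\svc_sql": "1c3a9b6ae4b9e5f0d2c8a7e1f6b4d3c2",
}


def parse_dump(text):
    """Parse secretsdump-style lines into (host, user, lmhash, nthash) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.count(":") < 4:
            continue
        account, _rid, lm, nt = line.split(":")[:4]
        host, user = account.split("/", 1)
        entries.append((host, user, lm.lower(), nt.lower()))
    return entries


def reuse_clusters(entries):
    """NT hashes present on more than one host, with the hosts sharing each."""
    hosts_by_hash = defaultdict(set)
    for host, _user, _lm, nt in entries:
        hosts_by_hash[nt].add(host)
    return {nt: sorted(hosts) for nt, hosts in hosts_by_hash.items() if len(hosts) > 1}


def blast_radius(entries, domain_hashes, compromised_host):
    """Everywhere the local admin hash recovered from one host also authenticates."""
    recovered = {nt for host, _u, _lm, nt in entries if host == compromised_host}
    hosts = sorted({host for host, _u, _lm, nt in entries
                    if nt in recovered and host != compromised_host})
    accounts = sorted(acct for acct, nt in domain_hashes.items() if nt.lower() in recovered)
    return {"hosts": hosts, "domain_accounts": accounts}


def lm_hashes_present(entries):
    """Hosts still storing a real LM hash, which is trivially crackable."""
    return sorted(host for host, _u, lm, _nt in entries if lm != EMPTY_LM)


if __name__ == "__main__":
    entries = parse_dump(LOCAL_SAM)
    for nt, hosts in reuse_clusters(entries).items():
        print(f"hash {nt[:8]}... shared by {', '.join(hosts)}")
    print("from WS-FIN-01:", blast_radius(entries, DOMAIN_HASHES, "WS-FIN-01"))
    print("LM hashes still stored on:", lm_hashes_present(entries))
```

Run against a real dump, the `domain_accounts` list is the finding that matters most: a single workstation compromise that yields a hash also valid for a domain account is the pivot to the domain controller the text warns about.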


Impersonation

From phishing and business email hijacking to stolen credentials and social engineering, impersonation is a classic way to gain access, obtain information, or get someone to take action on the threat actor's behalf.

Weaponized hosts

While less common in the headlines, denial of service (DoS) and distributed denial of service (DDoS) remain major issues for many businesses, especially those whose online availability ties directly to revenue, such as gaming, entertainment, and hospitality services. Mounting a DDoS attack requires compromising a large number of systems, and the attacker often holds them for a long time before system owners, individuals, or businesses become aware that their hosts are being used as a weapon.


Ransomware

Since 2016, over 4,000 ransomware attacks have occurred daily in the U.S. [1] Unlike other compromises, a ransomware compromise may carry a direct cost if the ransom is paid, plus the cost of cleanup and follow-up. Unlike a breach where the damage is done and the only option is cleanup, ransomware carries the heavy business decision of whether or not to pay.

Ownership of Your Domain Controller

The central role of the domain controller in a breach or systemic exploitation is nothing new. In fact, gaining domain administrator or enterprise administrator privileges is the proverbial crown jewel of even a basic penetration test. Once a threat actor holds credentials with domain-wide administrative privileges, the actor can run through any number of techniques that allow data exfiltration, extended reconnaissance, and outright theft, in addition to executing a ransomware payload. 

In almost all enterprise, big-impact, large-scale breaches, a compromised domain controller practically guarantees success. With domain administrator privileges, the actor can also weaken or entirely disable other controls (for example, by pushing a Group Policy that stops or uninstalls an agent), which is what makes a defense-in-depth strategy so critical. If your organization relies solely on, for instance, an endpoint detection and response (EDR) platform to stop a ransomware payload, and the actor has already gained access to the domain controller, you may be severely disappointed with the result. 

A defense-in-depth strategy pairs ample prevention with dynamic detection controls to produce the most favorable outcomes. A key component of the preventive strategy should be technical and process controls around your domain controller. 

There are many ways for a breach to occur. We have covered the nature of a broad ransomware infection distributed across the enterprise, but systems can also be affected in much smaller numbers: with stolen credentials, through email, via unpatched systems, using open ports, and more. In those cases, the outcome is usually limited to one or a few systems, and the impact of such an event is relative.

Common techniques for unauthorized access to domain controllers


Let's explore the most common methods for accessing domain controllers:

  • Compromised user and administrative credentials continue to be a common vector. This technique takes advantage of human error, allowing credentials to be captured or malware to be loaded. 
  • Legitimate credentials used over the remote desktop protocol (RDP) are common. RDP is a legitimate tool that lets information technology departments remotely and easily access and manage Windows systems. When proper security is not applied, RDP gives attackers easy network entry or lateral movement routes. RDP scanning and brute-forcing tools are easy to buy and use, and stolen RDP credentials are bought and sold by ransomware-as-a-service (RaaS) operations such as Conti, REvil, and DarkSide. Defensive measures for RDP are widely documented, yet the data consistently shows that RDP remains the most frequently abused protocol for network entry, lateral movement, and exploitation.
  • Abusing Server Message Block (SMB) with legitimate credentials is another exploit method, both to harvest further credentials and as an initial entry point. SMB is a critical protocol for Active Directory (the SYSVOL and NETLOGON shares that deliver Group Policy and logon scripts are served over it) and is also the standard network file-sharing protocol. It is widely deployed across Windows, Linux, and macOS, with clients on mobile platforms as well. Like RDP, administrators use SMB to reach systems, but it is also used system to system for file sharing, replication, centralized data management, and mobile devices replicating storage to the cloud. With valid credentials, an attacker can write a binary to an administrative share (ADMIN$ or C$) and start it as a remote service, which is how PsExec-style tools and many backdoors are installed over SMB, following either the credential theft above or a user-initiated action (e.g., phishing or opening a malicious file). 

For example, if your business is a dental office, a single ransomware event may be all it takes to close your doors forever if you cannot pay the ransom or otherwise recover. To hit a large, medium, or even small business with a fair number of distributed systems, ransomware needs a catalyst that delivers the payload with precision and timing. Ransomware operators frequently stage the payload on a server that many systems in the network can already reach over SMB, and the domain controller is the typical catalyst: every domain-joined system trusts it and connects to its shares, and its Group Policy and administrative privileges can push the payload to each system. From there, the attackers systematically detonate the payload on every connecting system. The economy of scale of such an attack is the objective for a skilled attacker looking for a big payout. 

  • Compromised virtual private network (VPN) user credentials often make the first step of a compromise much easier. Multifactor authentication (MFA) makes this vector far more difficult, though not impossible: push-based MFA can be worn down by repeated prompts and one-time codes can be phished, so prefer phishing-resistant methods for remote access. 
  • Exploiting vulnerable services running on the domain controller itself, because of missing patches or an unsupported version, is a common technique.
  • Exploiting other applications running on the domain controller is another method. Why would anyone run other applications on a domain controller? Sometimes there is a legitimate need: security and monitoring agents or diagnostic tools. In other cases, organizations install applications on a server as a temporary solution and simply never remove them. In a large number of client audits, our Pondurance cybersecurity experts have found unauthorized applications running on domain controllers, each one widening the attack surface of the most sensitive server in the environment.

Ransomware Execution

Compromising the domain controller is not the only way to execute ransomware or steal credentials. If a user clicks a bad link, exposes credentials, or accidentally downloads malware onto a device, the outcome can range from an isolated nuisance to a business-ending scenario, depending on the nature and size of the organization. But if an attacker parlays that one exposed system into domain administrator privileges and uses them as a pivot to the rest of the network, the result can be disastrous no matter your size or industry, and in spite of the technical controls put in place to prevent it. 

It can be daunting to realize that the initial set of compromised credentials can come from any system, not just the domain controller. That progression is exactly what an experienced penetration tester aims for: start with simple gains and work toward domain administrator. Since pen testers have proven time and again that this methodology is not difficult, it is easy to imagine a threat actor or group using the same approach, though with complete malfeasance and no regard for any rules of engagement. 

One other consideration is domain administrative privilege itself. A threat actor does not need to execute malware to encrypt enterprise systems. Pondurance's Incident Response team was involved in a case where the threat actor used the native BitLocker tool to encrypt the environment, and at that instant the affected organization's systems administrators were unable to undo it. They had expected their EDR platform to prevent the issue, and it took some convincing to assure them they were not hit with malware but with a legitimate tool. Based on our forensic review, credentials to a single system were used to gain a foothold, after which the threat actor escalated privileges to domain administrator. From there, the threat actor used those privileges and the domain controller as the conduit to roll out BitLocker. 

Fortunately, the key generated by the threat actor was captured by the EDR tool, so while it did not prevent the attack, the tool demonstrated its merit by logging the key for later discovery and recovery.

Industries Disproportionately Affected


Manufacturing, technology, and software

Companies that design physical products or provide Internet of Things (IoT), industrial IoT, and operational technology (OT) access and control should expect attackers to target:

  • Code and intellectual property exfiltration that can be weaponized 
  • Consumer and customer information (PII) 
  • Weaknesses and vulnerabilities in products or services 
  • Key personnel


Companies that sell products should protect:

  • Product and service pricing and planning information 
  • Employee information (PII)


Healthcare

Stolen healthcare data continues to rise in value on the dark web and black market. Targets include:

  • Healthcare records 
  • Insurance information and insurance fraud 
  • Access to healthcare, medical, and IoT devices

Government and defense industrial base

The objectives of well-funded, state-affiliated, or government-sponsored threat actors align with the political, commercial, or military interests of their countries of origin.

Threat actors attempt to exfiltrate information about their targets, or gain access to them, through trusted relationships with third parties such as contractors, government system integrators, and the manufacturers of networking, IT, and cybersecurity software and devices. Sensitive information held by a third party is often not as well protected as it is at the government entity itself, although more regulatory mandates are being put in place through the Defense Federal Acquisition Regulation Supplement (DFARS) and Cybersecurity Maturity Model Certification (CMMC) requirements. For both government entities and their contractors, targets include:

  • Defense intellectual property 
  • Employee and contractor background checks and clearance levels 
  • Command and control of critical assets 
  • State secrets 

Power and utilities

As the approximately 10,000 power and utility plants in the U.S. and their distribution infrastructure become more IT-based, internet-connected, and automated, specialized targeting of these facilities is increasing. Targets include:

  • OT and IT infrastructure 
  • Design and engineering information 
  • Connectivity to other parties

Protection of Domain Controllers

The domain controller is the heart of any distributed network. Just like the heart of any living creature, it can deliver sustainability with every beat, or it can seize its host with paralysis or even death. Fortunately, prophylactic measures exist that, like with a living heart, can be employed to exercise and strengthen the domain controller, making it more resistant to defeat. 

In one final analogy to the living heart, even with adequate due diligence there is no guarantee that the domain controller is impervious to all attacks, or to fluke conditions that affect its rhythm (misconfigurations or other errors unrelated to an attack). Healthy conditioning is the key, and a little maintenance can make the difference without overengineering or overspending. Organizations pursuing compliance through configuration hardening (HIPAA, PCI DSS, CMMC) can do so with real security in mind rather than simply checking a box. 

At the highest level, known basic hygiene approaches to protecting domain controllers are the best long-term strategy. The following represent both simple and advanced approaches that your organization should take for protection, all of which can and should be baked into a system hardening program: 

  • Enforce MFA, without exception, on every protocol that supports it for all privileged and remote access to domain-level systems, to blunt the use of stolen credentials. This simple and relatively inexpensive control defeats many stolen-credential scenarios.
  • Keep domain controllers on supported release versions and ensure they are patched promptly. 
  • If you must enable RDP, surround it with compensating controls: restrict it to an allowlist of known source addresses or a jump host, never expose it directly to the internet, require Network Level Authentication, and use individual (not shared) credentials with MFA. 
  • Implement an email filtering system, combined with outbound URL/IP blocking. Malicious email is the preferred vector for exploit campaigns, and weaponized documents and click-throughs to payload-hosting websites are the main ingredients of almost any spam and phishing attack. 
  • As with RDP, make sure adequate protections are enabled for SMB. Many applications need SMB, so it must be protected against attacks in which a server or device is tricked into authenticating to a malicious host inside the trusted network or to a seemingly trusted host outside the perimeter. Disable SMBv1, require SMB signing, block TCP 445 at the perimeter, and use segmentation, traffic monitoring, and firewall best practices to keep malicious traffic from reaching the domain controller or its network. 
  • Make sure your organization has a defense-in-depth strategy. With a distributed workforce (remote access has reached record levels in recent years), approaches that worked in the past may not be enough. With software as a service, the cloud, and hybrid models, revisit your logging and monitoring strategy so that it covers these environments as well as the domain controller. 
  • Separate local system administration from domain administration. If an endpoint such as a laptop is compromised and the attacker recovers its local administrator credentials, those credentials will be tried against the domain. If they are the same, or the same local password is reused on every endpoint, the attacker reaches the domain controller with little effort. Give every endpoint a unique, regularly rotated local administrator password (Microsoft's LAPS does this) and never use domain administrator accounts to log on to workstations. 
  • Monitor your domain controller at the system and application log level: review authentication logs for anomalies such as logons from nondomain IP addresses and bursts of failed attempts, watch for new services and scheduled tasks, monitor network traffic at the port and payload level, deploy EDR on the domain controller itself, and schedule more frequent, deeper audits.
  • Encrypt endpoints. Full disk encryption (FDE) makes sense on a number of levels: it keeps a stolen or discarded device from handing an attacker its data and cached credentials, and in industries with reams of regulated data it is assumed to be a basic, reasonable control if not outright mandated. Separately, reduce the attack surface so that a threat actor cannot make easy lateral moves toward escalated privilege; a data classification program and least privilege achieve this, and both are a continuous matter of hygiene and properly prioritized activity.
  • Prepare for the worst-case scenario and have an incident response plan in place. Test and practice your plan with key stakeholders across your organization.
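The monitoring recommendation above, and the SMB staging pattern described under common techniques, can be turned into concrete detections. The following Python is an added example, not Pondurance's tooling and not from the whitepaper: it runs four checks over constructed Windows Security and System event records (a burst of 4625 failures from one source, 4624 type 10 RDP logons to the DC from outside an assumed admin subnet, 4672 privilege grants correlated by logon ID back to a 4624 from outside that subnet, and 7045 service installs whose binary is a UNC path on a share). The admin subnet 10.10.50.0/24, the host name DC01, the spray threshold and every event value are assumptions for the example.

```python
"""Detections over domain controller security events (added example).

The records below are constructed to resemble Windows Security (4624, 4625,
4672) and System (7045) events after a log forwarder has flattened them to
dicts; field names follow the event XML (TargetUserName, IpAddress, LogonType,
TargetLogonId, SubjectLogonId, ImagePath). Hosts, addresses and times are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions for the example: where administrators are allowed to come from,
# which host is the monitored domain controller, and what counts as a spray.
ADMIN_SUBNETS = [ip_network("10.10.50.0/24")]
DC_HOST = "DC01"
SPRAY_THRESHOLD = 10                 # failed logons from one source ...
SPRAY_WINDOW = timedelta(minutes=5)  # ... inside this window

EVENTS = [
    # 4625: twelve failures from one workstation against twelve accounts (spraying)
    *[{"EventID": 4625, "Time": f"2024-03-01T02:00:{i:02d}", "Computer": DC_HOST,
       "TargetUserName": f"user{i:02d}", "IpAddress": "10.10.99.23", "LogonType": 3}
      for i in range(12)],
    # 4624 type 10 (RDP) to the DC from outside the admin subnet
    {"EventID": 4624, "Time": "2024-03-01T02:10:00", "Computer": DC_HOST,
     "TargetUserName": "svc_backup", "TargetLogonId": "0x3e7a1",
     "IpAddress": "192.0.2.44", "LogonType": 10},
    # 4624 type 10 from the admin subnet: expected, no alert
    {"EventID": 4624, "Time": "2024-03-01T02:11:00", "Computer": DC_HOST,
     "TargetUserName": "da-jsmith", "TargetLogonId": "0x3e9c0",
     "IpAddress": "10.10.50.7", "LogonType": 10},
    # 4672: special privileges assigned to the svc_backup session above
    {"EventID": 4672, "Time": "2024-03-01T02:12:00", "Computer": DC_HOST,
     "SubjectUserName": "svc_backup", "SubjectLogonId": "0x3e7a1"},
    # 7045: service installed on a workstation whose binary lives on a DC share,
    # the PsExec-style pattern used to push a staged payload over SMB
    {"EventID": 7045, "Time": "2024-03-01T02:13:00", "Computer": "WS-FIN-07",
     "ServiceName": "updsvc", "ImagePath": r"\\DC01\NETLOGON\upd.exe"},
    # 7045 for an ordinary local binary: no alert
    {"EventID": 7045, "Time": "2024-03-01T02:14:00", "Computer": "WS-HR-02",
     "ServiceName": "PrintWorkflow", "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]


def _when(event):
    return datetime.fromisoformat(event["Time"])


def _outside_admin_subnets(ip):
    """True for a routable source not in an admin subnet; '-' and loopback are local logons."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return not addr.is_loopback and not any(addr in net for net in ADMIN_SUBNETS)


def detect_password_spray(events):
    """Sources with at least SPRAY_THRESHOLD failed logons (4625) inside SPRAY_WINDOW."""
    by_source = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            by_source[e["IpAddress"]].append((_when(e), e["TargetUserName"]))
    alerts = []
    for source, fails in by_source.items():
        fails.sort()
        for i, (start, _user) in enumerate(fails):
            window = [f for f in fails[i:] if f[0] - start <= SPRAY_WINDOW]
            if len(window) >= SPRAY_THRESHOLD:
                alerts.append({"rule": "password_spray", "source": source,
                               "failures": len(window),
                               "accounts": len({u for _, u in window})})
                break
    return alerts


def detect_foreign_rdp(events):
    """RDP logons (4624, logon type 10) to the DC from outside the admin subnets."""
    return [{"rule": "rdp_from_non_admin_subnet", "user": e["TargetUserName"],
             "source": e["IpAddress"]}
            for e in events
            if e["EventID"] == 4624 and e["Computer"] == DC_HOST
            and e.get("LogonType") == 10 and _outside_admin_subnets(e["IpAddress"])]


def detect_privileged_logon_from_outside(events):
    """4672 grants whose logon session (matched by logon ID to 4624) came from outside."""
    sessions = {e["TargetLogonId"]: e for e in events if e["EventID"] == 4624}
    alerts = []
    for e in events:
        if e["EventID"] != 4672:
            continue
        logon = sessions.get(e["SubjectLogonId"])
        if logon and _outside_admin_subnets(logon["IpAddress"]):
            alerts.append({"rule": "admin_privileges_from_non_admin_subnet",
                           "user": e["SubjectUserName"], "source": logon["IpAddress"]})
    return alerts


def detect_service_from_share(events):
    """7045 service installs whose binary is a UNC path, i.e. a payload staged on a share."""
    return [{"rule": "service_binary_on_share", "host": e["Computer"],
             "service": e["ServiceName"], "path": e["ImagePath"]}
            for e in events
            if e["EventID"] == 7045 and e["ImagePath"].startswith("\\\\")]


def run_all(events):
    alerts = []
    for check in (detect_password_spray, detect_foreign_rdp,
                  detect_privileged_logon_from_outside, detect_service_from_share):
        alerts.extend(check(events))
    return alerts


if __name__ == "__main__":
    for alert in run_all(EVENTS):
        print(alert)
```

The logon-ID correlation in the third check is the part worth copying: a 4672 on its own says only that an account received administrative privileges, while joining it to its 4624 says where that session came from, which is what turns a routine event into the "admin rights from a workstation outside the admin network" finding the text asks you to look for.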


As always, there is never absolute assurance where cybersecurity is concerned, and specifically, there is no single silver bullet that will fully protect your organization from all cyberattacks. However, Pondurance operates on both the red team side (performing penetration tests) and the blue team side (managed detection and response (MDR) solutions). We have analyzed varying attack methods and significant amounts of breach data, and the results support the commonality of the domain controller at the heart of nearly every ransomware attack. This whitepaper aims to identify controls and best practices that, when implemented, can reduce the likelihood and the risk of a successful cyberattack against your organization through protection of your domain controller.

In more cases than ever, data exfiltration accompanies the attack, so getting off unscathed is unlikely even if you can recover from the ransomware event itself. As a result, two other things are happening: 

  1. There is now a question of legality around paying a ransom. 
  2. Your ability to simply and entirely transfer the burden of risk, in terms of payment, to cyber insurance is not assured.

All of this should provide ample motivation to reduce the likelihood of a compromise in the first place. A compromise is costly and damaging to any organization that is not actively working to protect itself or is otherwise unprepared from a defense-in-depth perspective. As this type of attack grows in frequency and continues to evolve, it is critical that your organization understand the current attack patterns that lead to an attacker's success and what you can do to reduce your exposure. By following the steps discussed in this whitepaper, you can lower the probability of a successful attack.


Pondurance delivers world-class managed detection and response services to industries facing today’s most pressing and dynamic cybersecurity challenges including ransomware, complex compliance requirements and digital transformation accelerated by a distributed workforce.

By combining our advanced platform with our experienced team of analysts, we continuously hunt, investigate, validate and contain threats so your own team can focus on what matters most.

Pondurance experts include seasoned security operations analysts, digital forensics and incident response professionals, and compliance and security strategists who provide always-on services to clients seeking broader visibility, faster response and containment and more unified risk management for their organizations.

Visit pondurance.com for more information.