Researchers at the Australian security company, Threat Intelligence Pty Ltd., have created a possibly devastating botnet that exploits infected victims Active Directory Domain Controllers, resulting in internally hosted command and control servers.

Active Directory is a Microsoft directory service for Windows that domain networks & stores information on network components, automates network management of user data, and authenticates and authorizes users while enforcing security policies.

The attack method can use the AD as a central connecting point for any infected node or endpoint in the system, allowing the attacker to enable two-way communication with each other even when segmented into separate security zones.

Hypothetically, if an organization were to get infected by an AD botnet through a phishing attack, the attacker could utilize one of over 50 writable and readable AD user attributes to take over the domain controllers as a central communications point. Ty Miller, Managing Director of Threat Intelligence, further explained, “This means that we can utilize that connection to bypass all of your network access controls and all of your firewall rules because you’ve got that gaping hole where everything can communicate in one central place.”

The AD botnet was demonstrated yesterday at Black Hat 2017 in Las Vegas, where the goal was to create a botnet that could potentially bypass internal firewalls, defeat network segmentation, and leverage an infected organization’s cloud domain controllers to exfiltrate data.

Threat Intelligence suggests a few tips to help mitigate the threat. First, separate your domains into different domains based on security roles. This will help prevent users in one domain from escalating privileges by bypassing network filtering. The company also suggests taking note of any odd values in standard user attributes, monitoring regular changes of personal information attributes, and restricting permissions for standard users to update their attributes.


NNT also suggests:

  • Regularly run File Integrity Monitoring checks to detect new or changed system files
  • Ensure ex-employees rights are removed promptly to prevent ex-employees retaining access rights
  • Regularly review Domain Admin accounts for any change of privilege or new account creation- using Event Log Management solutions like NNT Log Tracker


Read this article on SCMagazine



NNT Suite of Products

change tracker gen7r2 logo

Combine industry leading Device Hardening, File Integrity Monitoring, Change Control, Configuration Management & Compliance Management into one easy to use solution that can scale to the most demanding environments!

fastcloud logo

Automatically evaluate and verify the authenticity of file changes in real-time with NNT FAST™ (File Approved-Safe Technology) Integrity Assurance.

log tracker logo logo

Comprehensive and easy to use security information & event log management with intelligent & self-learning correlation technology to highlight potentially harmful activity in seconds.

vulnerability tracker logo

Continuously scan and identify vulnerabilities with unparalleled accuracy and efficiency, protecting your IT assets on premises, in the cloud and mobile endpoints.

USA Offices
NNT logo New Net Technologies LLC
Suite #10115, 9128 Strada Place
Naples, Florida, 34108
1175 Peachtree St NE
Atlanta, Georgia, 30361.

Tel: (844) 898-8358
email [email protected]
UK Office
NNT logo New Net Technologies Ltd
Rivers Lodge, West Common
Harpenden, Hertfordshire

Tel: 01582 287310
email [email protected]
CIS benchmarking SEWP Cybersecurity 500Sans Institute Now Certified IBM Security
Copyright 2020, New Net Technologies LLC. All rights reserved. 
NNT and Change Tracker are registered trademarks of New Net Technologies LLC.
All other product, company names and trademarks are the property of their respective owners.