DA 101 - Protecting your Domain Admin Account

Justin Gardner

At SynerComm's Fall IT Summit 2018 we presented a talk about the top 5 attacks used to compromise a Domain Administrator account. As a short recap, the top five are the following:

  1. Permissive Global Group Access + mimikatz

    This is the classic case where a Domain Administrator logs into a machine where Domain Users group is a local administrator. Any user on the network can then log into the machine and extract the administrator's password from memory.

  2. LLMNR and NBT-NS Poisoning

    LLMNR and NBT-NS can be used to hijack the NTLMv2 hash for users who mistype the name of an SMB share of HTTP address.

  3. SYSVOL Passwords + Leaked AES Keys

    Although this vulnerability came out years ago, many companies still have cpassword fields in their SYSVOL XML files that can be decrypted using the Microsoft leaked AES key.

  4. Kerberoasting

    Due to Microsoft’s implementation of the Kerberos protocol, any domain account can get the krb5tgt hash for a domain user used as a service. Strong passwords must be enforced on these accounts.

  5. DC Backups

    If the backup file of a domain controller is discovered on a share that is not properly secured it is trivial to extract the NTDS.dit database and pull all the NTLM hashes for the domain.

The AssureIT team put together a list of tools to help you check for these vulnerabilities in your network. The presentation file and the self-audit kit can be found here:



Are you ready to start your technology journey? The friendly experts at SynerComm are here to help.

From design to deployment to troubleshooting and everything in between, the friendly experts at SynerComm are always here to help.
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram