Sale of Domain Could Pose Risk for Enterprises

The domain has recently gone up for sale at an asking price of $1.7 million USD. It would be particularly dangerous in the hands of a threat actor because many corporate Active Directory domains are misconfigured to use the name "corp" rather than a DNS domain the company actually owns. In a 2019 study funded in part by the Department of Homeland Security, more than 375,000 Windows computers attempted to send sensitive information, including login credentials, to the domain in just 15 minutes. When the domain was configured to accept email, it received more than 12 million messages, some containing sensitive information, in just over an hour. Active Directory (AD) ties shared network resources such as file servers and printers to the AD domain name so that users can reach them by a short name; Windows clients complete those short names by appending the domain's DNS suffix. That suffix should be a domain the organization controls. However, the setup wizard in older AD releases such as Windows 2000 Server offered "corp" as the default domain name, and many companies accepted that default and never changed it.

In a fully internal environment with no remote computers, the default domain name causes no harm, because every lookup for "corp" is answered by the company's own DNS servers. But when a user on an external network, such as a home or hotel connection, tries to reach an AD-mapped resource with the default settings, the client can no longer reach the internal DNS servers and resolves the name through public DNS instead, routing the request, along with passwords and other sensitive information, to whoever controls the matching public domain.

Analyst Notes

It is worth watching who buys the domain, but the better defense is to configure Active Directory correctly so that the buyer's identity does not matter. If an organization's AD domain is named "corp" or otherwise uses a DNS name the organization does not own, Binary Defense's analysts recommend moving it to a domain the organization controls. Because attackers who capture credentials this way will use them to log in to corporate computers, Endpoint Detection and Response (EDR) tooling that surfaces post-compromise attacker behavior is an important second line of defense. Finally, keeping the number of domain administrators small and ensuring that ordinary accounts do not hold administrator rights limits what a stolen credential can do.
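The following PowerShell audit is an added example and is not code from the Binary Defense post. It covers both the mechanism described above (an AD domain name or DNS suffix that is not under a zone the organization owns) and the recommendations in the Analyst Notes: it checks the domain's DNS root and the client suffix search list against a list of owned public zones, and counts Domain Admins membership. The function name Test-AdNamespace, the zone example.com and the sample values in the fallback branch are assumptions for illustration; the live branch assumes the RSAT ActiveDirectory module and the built-in DnsClient module are available.

```powershell
# Added example, not code from the Binary Defense post. Checks an AD domain's DNS
# name and a client's DNS suffix search list against the public DNS zones the
# organization actually owns (the zones passed as $OwnedZones are an assumption).

function Test-AdNamespace {
    param(
        [Parameter(Mandatory)] [string]   $DnsRoot,            # e.g. (Get-ADDomain).DNSRoot
        [Parameter(Mandatory)] [string[]] $OwnedZones,         # public zones the organization registers and controls
        [string[]] $SuffixSearchList = @()                     # DNS client suffix search list, if known
    )

    $findings = @()
    $owned = @($OwnedZones | ForEach-Object { $_.TrimEnd('.').ToLowerInvariant() })

    # True when $name is one of the owned zones or a subdomain of one.
    $isOwned = {
        param([string] $name)
        foreach ($zone in $owned) {
            if ($name -eq $zone -or $name.EndsWith(".$zone")) { return $true }
        }
        return $false
    }

    $root = $DnsRoot.TrimEnd('.').ToLowerInvariant()

    # A single-label name such as "corp" has no suffix of its own: short-name lookups
    # depend entirely on whatever suffix the client appends, and off the corporate
    # network that lookup can be answered by public DNS.
    if ($root -notmatch '\.') {
        $findings += "AD domain '$root' is a single-label name."
    }

    # A name that is not under an owned zone (corp.com, internal.com, ...) is
    # resolvable by whoever holds the public registration.
    if (-not (& $isOwned $root)) {
        $findings += "AD domain '$root' is not under a public DNS zone the organization owns."
    }

    # Every suffix in the search list is appended to short names, so each one is
    # checked the same way.
    foreach ($suffix in $SuffixSearchList) {
        $s = $suffix.TrimEnd('.').ToLowerInvariant()
        if (-not (& $isOwned $s)) {
            $findings += "DNS suffix '$s' in the search list is not under an owned zone."
        }
    }

    [pscustomobject]@{
        DnsRoot  = $root
        Risky    = ($findings.Count -gt 0)
        Findings = $findings
    }
}

# Live audit against the current domain (requires the RSAT ActiveDirectory module
# and domain connectivity); otherwise exercise the check on constructed values.
$ownedZones = @('example.com')   # assumption: replace with the zones your organization owns

if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $domain   = Get-ADDomain
    $suffixes = (Get-DnsClientGlobalSetting).SuffixSearchList
    Test-AdNamespace -DnsRoot $domain.DNSRoot -OwnedZones $ownedZones -SuffixSearchList $suffixes

    # Analyst note on privileged accounts: how many principals end up in Domain Admins,
    # counting nested group membership.
    $admins = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive)
    "Domain Admins (recursive): $($admins.Count) members"
    $admins | Select-Object objectClass, SamAccountName | Format-Table -AutoSize
} else {
    # Constructed sample: a legacy domain named "corp" and a client search list that
    # still carries that suffix, as described in the post.
    Test-AdNamespace -DnsRoot 'corp' -OwnedZones $ownedZones -SuffixSearchList @('corp', 'example.com')
}
```

On the constructed sample the result is Risky = True with three findings: the single-label name, the unowned root, and the unowned "corp" suffix. Renaming an AD domain is a forest-wide operation (Microsoft's rendom tool) and is usually a project in its own right, so treat the output as an inventory of what has to move rather than a fix; the Domain Admins count is a starting point for the last recommendation, not a verdict on any individual account.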