Hackers Exploiting Domain Controller to Deploy Ransomware Using RDP


Microsoft has recently uncovered a sharp rise in ransomware attacks exploiting domain controllers (DCs) through Remote Desktop Protocol (RDP), with the average attack costing organizations $9.36 million in 2024.

These sophisticated campaigns aim to cripple enterprises by encrypting critical systems. This article looks at how attackers leverage DCs, the pivotal role of RDP, and practical defenses, based on Microsoft’s findings and a real-world case.

Modern ransomware requires two key elements: high-privilege accounts, such as domain admin credentials, to authenticate across systems, and centralized network access to hit multiple devices simultaneously.


DCs, which manage Active Directory (AD) authentication and policies, are prime targets due to their control over accounts and network-wide visibility.

Exploiting Domain Controllers

DCs store the NTDS.dit file, containing password hashes for all AD accounts. Attackers use tools like Mimikatz to extract these hashes, enabling pass-the-hash attacks to impersonate domain admins.

They may also create or elevate accounts to maintain access. With privileged credentials, attackers move laterally across networks.

DCs’ connectivity lets attackers map networks using tools like BloodHound and deploy ransomware to numerous endpoints. Microsoft reports that 78% of human-operated ransomware attacks compromise DCs, with 35% using them as the main distribution point.

Real-World Attack: Storm-0300

Microsoft observed the Storm-0300 group targeting a manufacturer. Attackers likely breached the network via a vulnerable VPN, using Mimikatz to steal credentials (caught by Microsoft Defender for Endpoint, which blocked the initial account, User 1).

After securing domain admin credentials (User 2), they connected to a DC (DC1) via RDP. On DC1, they mapped servers with AD tools, disabled antivirus through Group Policy changes, and added two new admin accounts (User 3 and User 4).


They tried running ransomware on DC1, but Defender contained User 2, User 3, and the RDP-connected device. Switching to User 4, they attempted network-wide encryption from DC1, only for Defender to block DC1 and User 4, halting the attack on protected devices.
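The sequence described above (an RDP logon to the DC, then new accounts created and promoted to domain admin) leaves a trail in the DC’s Windows Security log that can be correlated automatically. The script below is an added example, not Microsoft’s or Defender’s code: it flags an RDP logon (event 4624, logon type 10) to a domain controller that is followed, within a window, by the same account creating users (4720) and adding them to a privileged group (4728). The event records, host names, account names and the `DOMAIN_CONTROLLERS` inventory are constructed for the example.

```python
"""Correlate Windows Security events on a domain controller to flag the pattern
seen in the Storm-0300 case: an RDP (RemoteInteractive, logon type 10) logon to
a DC followed shortly by creation of a new account and its addition to a
privileged group. Added example, not Microsoft's or Defender's code; the event
records below are constructed and the host/account names are hypothetical."""
from datetime import datetime, timedelta

# Constructed sample events in a simplified, already-parsed form. Event IDs are
# the real Windows Security IDs: 4624 logon, 4720 user account created,
# 4728 member added to a security-enabled global group.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T02:10:05", "id": 4624, "host": "DC1", "subject": "user2", "logon_type": 10, "source_ip": "10.0.5.23"},
    {"time": "2024-05-01T02:14:40", "id": 4720, "host": "DC1", "subject": "user2", "target": "user3"},
    {"time": "2024-05-01T02:15:02", "id": 4728, "host": "DC1", "subject": "user2", "target": "user3", "group": "Domain Admins"},
    {"time": "2024-05-01T02:16:11", "id": 4720, "host": "DC1", "subject": "user2", "target": "user4"},
    {"time": "2024-05-01T02:16:30", "id": 4728, "host": "DC1", "subject": "user2", "target": "user4", "group": "Domain Admins"},
    # Benign: console logon (type 2) and a routine account created by helpdesk on a member server
    {"time": "2024-05-01T09:00:00", "id": 4624, "host": "FS1", "subject": "helpdesk", "logon_type": 2, "source_ip": "-"},
    {"time": "2024-05-01T09:05:00", "id": 4720, "host": "FS1", "subject": "helpdesk", "target": "newhire"},
]

DOMAIN_CONTROLLERS = {"DC1", "DC2"}  # assumed asset inventory (hypothetical)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
WINDOW = timedelta(minutes=30)


def _ts(event):
    return datetime.fromisoformat(event["time"])


def rdp_logons_to_dcs(events):
    """Return 4624 events with logon type 10 (RemoteInteractive/RDP) on a DC."""
    return [e for e in events
            if e["id"] == 4624 and e["logon_type"] == 10 and e["host"] in DOMAIN_CONTROLLERS]


def privileged_account_creation_after_rdp(events):
    """For each RDP logon to a DC, collect accounts that the same subject created
    (4720) and then added to a privileged group (4728) on that host within WINDOW.
    Returns a list of finding dicts (empty when nothing matches)."""
    findings = []
    events = sorted(events, key=_ts)
    for logon in rdp_logons_to_dcs(events):
        start, end = _ts(logon), _ts(logon) + WINDOW
        created = set()
        promoted = []
        for e in events:
            t = _ts(e)
            if not (start <= t <= end) or e["host"] != logon["host"] or e["subject"] != logon["subject"]:
                continue
            if e["id"] == 4720:
                created.add(e["target"])
            elif e["id"] == 4728 and e.get("group") in PRIVILEGED_GROUPS and e["target"] in created:
                promoted.append((e["target"], e["group"]))
        if promoted:
            findings.append({
                "host": logon["host"], "subject": logon["subject"], "source_ip": logon["source_ip"],
                "new_privileged_accounts": promoted,
            })
    return findings


if __name__ == "__main__":
    for f in privileged_account_creation_after_rdp(SAMPLE_EVENTS):
        print(f"[ALERT] {f['subject']} via RDP from {f['source_ip']} on {f['host']} "
              f"created and promoted: {f['new_privileged_accounts']}")
```

Run against the constructed events, only the DC1 sequence is reported; the helpdesk account creation on the member server is ignored because it neither targets a DC nor follows an RDP logon. In practice the window, the DC inventory and the privileged-group list come from the environment, and the same correlation can be expressed as a SIEM rule.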

RDP, typically running on TCP 3389, is a common weak point. Attackers exploit exposed RDP ports with brute-force attacks, stolen credentials, or flaws like BlueKeep (CVE-2019-0708). Once inside, RDP’s interface lets them deploy tools and access DCs directly, as seen in the Storm-0300 attack.
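Exposed RDP services are usually attacked first by password guessing, and the guessing shows up as a burst of failed logons (event 4625, logon type 10) from a single source, followed by a success (4624) once a password works. The detector below is an added example, not Microsoft’s code: it parses constructed log lines (the `EventID=... LogonType=...` layout is a simplified format chosen for the example, not a real Windows export), groups RDP failures by source address and host, and reports any burst that crosses a threshold, noting whether a successful RDP logon from the same source followed it. Addresses are from documentation ranges.

```python
"""Flag RDP password guessing against exposed hosts from Windows Security
events: a burst of 4625 (failed logon) events with logon type 10 (RDP) from one
source address, and a subsequent 4624 success from the same address, which
suggests the guessing worked. Added example, not Microsoft's code; the log
lines are constructed and use documentation address ranges."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lines in a compact key=value layout, not a real Windows export format.
SAMPLE_LOG = """\
2024-05-01T01:00:01 EventID=4625 LogonType=10 Account=administrator Source=203.0.113.5 Host=DC1
2024-05-01T01:00:03 EventID=4625 LogonType=10 Account=admin Source=203.0.113.5 Host=DC1
2024-05-01T01:00:04 EventID=4625 LogonType=10 Account=backup Source=203.0.113.5 Host=DC1
2024-05-01T01:00:06 EventID=4625 LogonType=10 Account=svc_sql Source=203.0.113.5 Host=DC1
2024-05-01T01:00:08 EventID=4625 LogonType=10 Account=itadmin Source=203.0.113.5 Host=DC1
2024-05-01T01:00:09 EventID=4625 LogonType=10 Account=user2 Source=203.0.113.5 Host=DC1
2024-05-01T01:00:12 EventID=4624 LogonType=10 Account=user2 Source=203.0.113.5 Host=DC1
2024-05-01T08:30:00 EventID=4625 LogonType=10 Account=jsmith Source=10.0.8.14 Host=TS1
2024-05-01T08:30:20 EventID=4624 LogonType=10 Account=jsmith Source=10.0.8.14 Host=TS1
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) EventID=(?P<id>\d+) LogonType=(?P<ltype>\d+) "
    r"Account=(?P<account>\S+) Source=(?P<src>\S+) Host=(?P<host>\S+)$")


def parse(log_text):
    """Parse the constructed lines into dicts; lines that do not match are skipped."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["time"] = datetime.fromisoformat(d["time"])
            d["id"], d["ltype"] = int(d["id"]), int(d["ltype"])
            out.append(d)
    return out


def rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return findings: {src, host, failures, accounts, success_account}.
    A (source, host) pair is flagged when it has >= threshold RDP failures
    (4625, type 10) inside `window`; success_account is set when a 4624 from
    the same source to the same host follows the burst within the window."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["ltype"] == 10 and e["id"] in (4624, 4625):
            by_src[(e["src"], e["host"])].append(e)
    findings = []
    for (src, host), evs in by_src.items():
        fails = [e for e in evs if e["id"] == 4625]
        for i in range(len(fails)):
            burst = [e for e in fails[i:] if e["time"] - fails[i]["time"] <= window]
            if len(burst) >= threshold:
                burst_end = burst[-1]["time"]
                success = next((e for e in evs if e["id"] == 4624
                                and burst_end <= e["time"] <= fails[i]["time"] + window), None)
                findings.append({"src": src, "host": host, "failures": len(burst),
                                 "accounts": sorted({e["account"] for e in burst}),
                                 "success_account": success["account"] if success else None})
                break  # one finding per (source, host) pair is enough
    return findings


if __name__ == "__main__":
    for f in rdp_bruteforce(parse(SAMPLE_LOG)):
        print(f"[ALERT] {f['src']} -> {f['host']}: {f['failures']} RDP failures across "
              f"{len(f['accounts'])} accounts; success as {f['success_account']}")
```

On the constructed input the external source guessing six accounts against DC1 is flagged, with the later success recorded, while the single typo by an internal user on TS1 stays below the threshold. A success after a burst is the case to escalate: it is the moment the article’s attack chain moves from guessing to a valid credential on a domain controller.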

DCs must stay accessible for authentication, making them hard to lock down. Microsoft Defender for Endpoint’s Contain High Value Assets feature tackles this by classifying DCs and containing them in under three minutes if compromised, while preserving critical functions like authentication. In the Storm-0300 case, this stopped the attack without disrupting the network.

How to Protect Your Network

Securing domain controllers is inherently challenging due to their operational criticality. Unlike other endpoints, DCs cannot be locked down without risking business continuity. Traditional measures like isolating DCs or restricting access often disrupt authentication and policy enforcement.

To address this, Microsoft Defender for Endpoint introduced the Contain High Value Assets (HVA) feature, which enhances its device containment capabilities. Key aspects include:

  • Role-Based Containment: Defender classifies devices by role and criticality, applying tailored containment policies. For DCs, this ensures malicious activity is blocked while preserving essential functions like authentication.
  • Rapid Response: Containment occurs in under three minutes, preventing lateral movement and ransomware deployment.
  • Granular Control: The system distinguishes between malicious and benign behavior, maintaining operational continuity during containment.

This approach proved effective in the Storm-0300 case, where Defender contained compromised accounts and DC1 without disrupting the victim’s AD environment.

