262-299-4600 • Email us

For hackers it can take as little as 24 hours to compromise domain admin once they’ve gained initial access to your system. Here’s how to disrupt the attack timeline so they can’t escalate up the ranks of privilege undetected.

By Steve Dodson

Steve provides research, analysis, insight and commentary on topical issues and events. He lives in New Zealand and has been working at FastTrack Software for 10 years as a cyber security analyst and technical writer.

Time Flies when you're Getting Hacked

A few years ago at the Microsoft Ignite conference – an annual event for developers and IT professionals – Raymond Comvalius did a presentation titled Halt Hackers, discussing the increasing sophistication of attacks and what you can do to protect yourself from them.

During the presentation, Raymond discussed a concept called The Attack Timeline: a breakdown from the point of time when an attacker gains entry, to when the attack is finally discovered.

In this blog we’ll take a deeper look into the attack timeline, focusing on the essential task of protecting the endpoint – a doorway that attackers often use to gain access to the entire IT network.

The Attacker Decision Cycle

During his presentation, Raymond discusses the hacker decision cycle, likening the process to the physical robbing of a bank.

Before any physical infiltration, there comes an attacker decision cycle or attack plan; one does not simply rob a bank on a whim (well, the successful bank robbers don’t anyway).

Cyber security infiltrations are no different.

The following five stages comprise the attack cycle:
  1. Observe – Hackers watch you. They observe what you do in your network.
  2. Orient – They tailor and adapt to the circumstances within your network, aligning themselves to the environment.
  3. Decide – They decide on the attack path.
  4. Act – They use this path to act and bring the entire organisation down.

The Attack Timeline

The attacker decision cycle described above occurs during the Research and Preparation section of the Attack Timeline below:

According to the timeline, once the Act stage ensues and the first host is compromised, a company has 24 to 48 hours to detect an attack.

After this time, hackers statistically have escalated to domain admin and the company is… [insert expletive of choice here].

Once domain admin has been compromised and attackers are inside your network, statistically they can resist detection there for up to 200 days before you find them or find out that you’ve been hacked.

Halt Hackers makes a note of the following:
  • Attacks are becoming increasingly sophisticated. Attack operators are targeting information on any device or service, exploiting any weaknesses they can find.
  • Attackers often target Active Directory (AD). Gaining access to AD means attackers can cause damage on a much larger scale.

o Active Directory (AD) is a set of processes and services created by Microsoft for use on Windows operating systems; with one of these services being Domain Services (AD DS). A server running AD DS is also known as a domain controller. It is the centre for domain management, essentially used to govern over devices on a network: allowing network admins to create and manage users and domains, access network resources and manage permissions.

  • Current detection tools often miss attacks, meaning many go undetected until the damage has been done. Hackers enlist many techniques to help them stay hidden; one of these is clearing the Security LogWindows Security Event ID 1102. Seeing this error can often mean a hacker has done this in an attempt to cover their tracks and the event needs to be investigated.

o The Security Log tracks security-related activity on an IT system, such as log ins or log outs and other security events specific to the system it is logging on.

  • Response and recovery from a data breach once an attack is discovered is often costly and challenging, requiring advanced expertise and tools.

The Power of Protecting the Endpoint

Rather than spending large amounts of money on recovery after suffering from a breach, you ideally need to stop the breach from occurring in the first place – or at least detect it within the critical 24 to 48 hours that it takes for an attacker to gain domain admin access.

We discussed attackers exploiting any vulnerability or weakness they can find: one of these is the end user.

That’s why there is power in protecting the end point, and in particular: the local administrator.

Managing the local administrator gives you this power in the form of Admin By Request’s Privileged Access Management (PAM) solution.

Privileged Access Management: Admin By Request

PAM allows you to manage, monitor and secure access to your companies’ network and everything on it.

A good PAM solution should protect the endpoint: by managing local administrators, reporting changes in the local administrator’s group, monitoring client event logs and sending alerts to keep you in the know.

All of these mechanisms help to ensure that an attacker can’t escalate to domain admin and then roam undetected on your network for up to 200 days before being discovered.

Admin By Request’s PAM solution covers all bases.

  • Admin By Request manages local administrators by smoothly and efficiently revoking administrator rights. Limiting the number of privileged accounts in your network lessens the attack surface, making it much harder for hackers to compromise a domain admin – particularly within 24 to 48 hours.
  • Admin By Request reports changes in local administrator groups and displays the data within the software’s user portal, using graphics such as the following to illustrate the current status of admins:

Changes to local admins or within local admin groups can indicate privilege escalation, which is the goal for many hackers attempting to infiltrate entire networks. Reporting tools such as the one above make it much harder for an attacker to successfully escalate from their first host – most likely a regular user – to a privileged account without being detected.

  • The Admin By Request auditlog monitors what your users are doing when they run applications as administrator or have a timed session as administrator – two of the self-initiated methods provided by Admin By Request so that regular users can do what they need to do unhindered. The auditlog reports on user activity that could indicate attempts at privilege escalation. Requests for escalated privileges – and the logging that goes along with them – is available via the Admin By Request user portal and the IOS and Android compatible app.
  • Admin By Request’s alerting keeps you a step ahead of hackers on the attack timeline. As well as sending you email alerts when malware is detected by Opswat’s MetaDefender Cloud – integrated into Admin By Request – this PAM solution also alerts you to the activities it's monitored throughout the week in the form of a weekly digest. One of these is administrator groups (see the image above). The weekly digest also covers the following:
o User Elevations

o Elevated Applications

o User Installs

o User Requests

Amongst other activity.

Constantly keeping you updated with a weekly breakdown leaves little wiggle room for hackers to move about freely without triggering investigation.


With Admin By Request’s managing, reporting, logging and alerting, the attack timeline is halted – and the attack thwarted – before domain admin can be compromised.

You can rest assured knowing the ability for an attacker to escalate up the ranks of privilege and remain undetected on your network for 200 days is practically impossible.

Many thanks to Raymond Comvalius and Erdal Ozkaya for their work on Halt Hackers, which inspired this blog.

Interested in Admin By Request?

Feel free to reach out to us for a discussion on how we can help you.