It is common knowledge that any computer or device can be compromised no matter how much protection is bought.
Someone will eventually click on a link they shouldn’t, visit an infected web site, open an injected document, etc. Hackers have the time, resources, and skill to always hijack a computer. They will inevitably find their way past the perimeter defense and inside the environment.
Once they compromise a computer, hackers only have access to the information on that one computer.

It is a landing destination and will not usually have much value (unless the attacker gets lucky and lands on a Domain Admin’s computer).


The real objective is to get into the network and compromise more computers, such as financial databases or file servers. This is achieved through a process called reconnaissance.


The attacker wants to know who the user is, the computer’s presence in the network, what it’s connected to, and the permissions to move to other computers, applications, services and files. With this basic information, the hacker proceeds with his attack undetected.

There are three questions the attacker needs to answer after he compromises a computer:

Where am I?

Where can I go?

How can I get there undetected?

How does he get the answers to these questions?
Attackers perform reconnaissance from the compromised machine in only three ways:

Active Directory Query

Network Scan

Link-Local Multicast Name Resolution

Active Directory
A Microsoft infrastructure component that is just a database. It houses every computer, user, credential, group policy, service, application, and mapped detail of an organization's IT topology. By design, for easier IT operations management, any computer connected to the Directory can query for these resources, making it the primary database attackers use to get ALL the information they need.


Active Directory is a service that Microsoft created to control the entire organization and make IT management easier. As a result, every computer connected to the Domain has read-only access to openly and naturally query Active Directory for other users, computers, applications, services, policies, credentials, permissions, and passwords.

The native query capabilities provide everything an attacker needs to move beyond the single compromised machine and into the network. Simple, undetectable queries from a normal user account to Active Directory tell the attacker about all the database servers, file servers, and high privileged accounts, providing a detailed map of the organization.

Network Scanning
A procedure for identifying active hosts on a network, either for the purpose of attacking them or for network security assessment. Scanning procedures, such as ping sweeps and port scans, return information about which IP addresses map to live hosts that are active on the Internet and what services they offer. Another scanning method, inverse mapping, returns information about what IP addresses do not map to live hosts; this enables an attacker to make assumptions about viable addresses.

Network scanning is a method that attackers and IT administrators use to identify which computers are on a segment, and it, too, is limited. It is time consuming and ‘noisy’ to other monitoring/detection systems, and it only provides presence information. Other details that would help the attacker learn about vulnerabilities, apps, or credentials are not accessible.
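
The ‘noise’ described above is what a monitoring system keys on: one source contacting many hosts, or many ports on one host, in a short time. The following is an added example, not part of the original page; the flow-record layout, addresses, thresholds and function name are assumptions, and the sample flows are constructed.

```python
from collections import defaultdict

def detect_scans(flows, window=60, min_hosts=10, min_ports=10):
    """Flag sources whose fan-out inside a sliding time window looks like a scan.

    flows: iterable of (epoch_seconds, src_ip, dst_ip, dst_port) tuples
    (an assumed record layout). Returns {src_ip: sorted list of labels}.
    """
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_src[src].append((ts, dst, dport))

    findings = defaultdict(set)
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Drop events older than `window` seconds from the left edge.
            while events[end][0] - events[start][0] > window:
                start += 1
            ports_by_host = defaultdict(set)
            for _, dst, dport in events[start:end + 1]:
                ports_by_host[dst].add(dport)
            # Many distinct hosts in one window: ping/host sweep pattern.
            if len(ports_by_host) >= min_hosts:
                findings[src].add("host_sweep")
            # Many distinct ports on a single host: port scan pattern.
            if any(len(p) >= min_ports for p in ports_by_host.values()):
                findings[src].add("port_scan")
    return {src: sorted(labels) for src, labels in findings.items()}

# Constructed sample flows (not real traffic).
NORMAL = [("10.0.1.10", 389), ("10.0.1.11", 445), ("10.0.1.12", 443)] * 4
SAMPLE_FLOWS = (
    # One source touching 20 hosts on one port within 20 seconds.
    [(1000 + i, "10.0.0.5", f"10.0.1.{i + 1}", 445) for i in range(20)]
    # One source touching 20 ports on one host within 10 seconds.
    + [(2000 + i // 2, "10.0.0.9", "10.0.1.50", 20 + i) for i in range(20)]
    # Ordinary workstation: three servers, repeated over several minutes.
    + [(1000 + 45 * i, "10.0.0.7", d, p) for i, (d, p) in enumerate(NORMAL)]
    # Backup job: 12 hosts, one every 10 minutes, never 10 in one window.
    + [(1000 + 600 * i, "10.0.0.20", f"10.0.2.{i + 1}", 22) for i in range(12)]
)

if __name__ == "__main__":
    for src, labels in detect_scans(SAMPLE_FLOWS).items():
        print(src, labels)
```

The window and thresholds need tuning against a baseline of the segment's normal traffic, since management and backup systems legitimately contact many hosts.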

Link-Local Multicast Name Resolution
A protocol based on the Domain Name System (DNS) packet format that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link. It gives the attacker knowledge of the computer(s) it can access in the segment in which it resides.

The information this provides is limited. Just knowing the computers around them does not give attackers information about applications, services, users, and credentials. There is also no way to validate whether a discovered computer is real or fake (a honeypot).
