When undead servers attack!

Oct 31, 2017

It’s a dark and stormy afternoon. Your feeling like a group of teenagers at a log cabin in the woods because it’s day two of your penetration test and they haven’t found anything actionable.

Everything is going well, but you start to feel a little something in the pit of your stomach. It was probably last night’s sushi. That place was a little sketchy.

But wait, one of the pentesters is smiling. That’s not a good sign. You check to logs, but don’t see anything. Then alerts start to fire.

Protected service access…

New accounts created…

Special privileges assigned to new login…

data is POURING out of the Domain Controller…


You ask them what happened. They tell you.


It was a zombie server.


That Windows 2000 Domain controller that you KNOW you demoted and decommissioned back in 2010, but left in the rack because it might be useful..

That vendor trial database that you used that one time last year to try out a new fancy keycard system…

That SIEM you installed but haven’t had time to finish configuring…

They’ve risen from the dead to steal your data; no longer under their own control.

How did this happen?

Most likely not a technical failure, but one of process. A penetration tester will generally know more about your network than you because I.T. is largely a maintenance function. (“If it ain’t broke, don’t fix it.”) and pentesters are paid to think like attackers, reverse-engineer networks, take nothing for granted, be patient and methodical.

There are circumstances and automation controls that can turn your network against you. Wake on LAN, post-power-failure restart, etc. Don’t be alarmed, stay in your homes. Your infrastructure is doing what it was told.


Happy Halloween from your friendly hacker!

Written by
Cory Johnson

Management Consultant, Cybersecurity Services

Our team of experts look forward to bringing their knowledge and experience to you.

Get in touch with us