This article applies to BHCE and BHE


This edge indicates that the computer is a domain controller for the domain. This edge is not created
for read-only domain controllers.



Abuse Info

Domain Controllers store all Active Directory credentials and configurations for all principals in the domain. If an adversary gains administrative access to a Domain Controller, there are several options at their disposal for compromising domain identities and domain-managed systems. Please see the references section for more information.


Opsec Considerations

Domain Controllers are universally among the most sensitive systems in Active Directory, and are often closely monitored by defenders. Attacks that rely on administrative access to a domain controller may produce artifacts that defenders will see as reliable and urgent indicators of compromise.



Abuse and Opsec references