This is a potential active compromise. Treat it as an incident.
- DO NOT alert the attacker by blocking the IPs yet
- Capture a full packet capture of the traffic
- Image the domain controller’s memory using tools like WinPmem
- Check for scheduled tasks, services, and startup items that shouldn’t be there
- Look for Kerberoasting or Golden Ticket indicators
- Engage your IR team or an external firm immediately

A compromised domain controller is a worst-case scenario. The attacker likely has full domain admin access.
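One way to turn the "look for Kerberoasting indicators" item into a concrete check, as an added example that is not part of the original post: a Python triage heuristic over Windows Security Event ID 4769 (service ticket request) records, flagging requesters that pull RC4-HMAC (encryption type 0x17) tickets for several user-type service accounts in a short window. The domain, account names, IPs and event records below are constructed for the example.

```python
"""Triage heuristic for Kerberoasting indicators in Event ID 4769 records.
Added example; the records below are constructed, not from a real domain controller."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4769 events, already parsed into fields as a SIEM export would provide.
# TicketEncryptionType 0x17 is RC4-HMAC; 0x12 is AES256. Kerberoasting tooling
# typically requests RC4 tickets because they are cheapest to crack offline.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:01", "user": "jdoe@CORP.LOCAL", "service": "WS01$", "etype": "0x12", "src": "10.0.0.5"},
    {"time": "2024-05-01T09:00:03", "user": "jdoe@CORP.LOCAL", "service": "krbtgt", "etype": "0x12", "src": "10.0.0.5"},
    {"time": "2024-05-01T09:01:10", "user": "svc-backup@CORP.LOCAL", "service": "sql_svc", "etype": "0x17", "src": "10.0.0.42"},
    {"time": "2024-05-01T09:01:11", "user": "svc-backup@CORP.LOCAL", "service": "http_svc", "etype": "0x17", "src": "10.0.0.42"},
    {"time": "2024-05-01T09:01:12", "user": "svc-backup@CORP.LOCAL", "service": "mssql_svc", "etype": "0x17", "src": "10.0.0.42"},
    {"time": "2024-05-01T09:01:13", "user": "svc-backup@CORP.LOCAL", "service": "ftp_svc", "etype": "0x17", "src": "10.0.0.42"},
    {"time": "2024-05-01T14:30:00", "user": "legacyapp@CORP.LOCAL", "service": "oldprint_svc", "etype": "0x17", "src": "10.0.0.9"},
]

RC4_HMAC = "0x17"

def is_roastable_request(ev):
    """RC4 ticket for a user-type service account (not a computer account, not the TGS itself)."""
    svc = ev["service"]
    return ev["etype"] == RC4_HMAC and not svc.endswith("$") and svc.lower() != "krbtgt"

def find_kerberoasting(events, window=timedelta(minutes=5), min_services=3):
    """Return {(user, src): sorted service names} for requesters that obtained RC4
    tickets for at least min_services distinct service accounts within `window`.
    A single RC4 request may be a legacy application; a burst across many SPNs
    from one source is the pattern worth escalating to the IR team."""
    by_requester = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if is_roastable_request(ev):
            by_requester[(ev["user"], ev["src"])].append((datetime.fromisoformat(ev["time"]), ev["service"]))
    hits = {}
    for key, reqs in by_requester.items():
        for i, (t0, _) in enumerate(reqs):
            burst = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(burst) >= min_services:
                hits[key] = sorted(burst)
                break
    return hits

if __name__ == "__main__":
    for (user, src), services in find_kerberoasting(SAMPLE_EVENTS).items():
        print(f"ALERT Kerberoasting pattern: {user} from {src} requested RC4 tickets for {services}")
```

The thresholds (five minutes, three services) are starting points to tune against your own baseline of legitimate RC4 requests before relying on the output.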