#domaincontroller — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #domaincontroller, aggregated by home.social.
-
Snow Flurries: How UNC6692 Employed Social Engineering to Deploy a Custom Malware Suite
Google Threat Intelligence Group identified a sophisticated intrusion campaign by UNC6692 that combined persistent social engineering with custom malware. The attackers impersonated IT helpdesk personnel via Microsoft Teams, leveraging initial email spam campaigns to create urgency. Victims were tricked into downloading AutoHotKey scripts that installed SNOWBELT, a malicious browser extension establishing persistence through scheduled tasks. The modular SNOW ecosystem enabled deep network penetration: SNOWBELT provided initial access, SNOWGLAZE created encrypted WebSocket tunnels masking traffic as legitimate cloud communications, and SNOWBASIN functioned as a local backdoor for command execution. UNC6692 performed internal reconnaissance, escalated privileges by extracting LSASS memory, and used Pass-The-Hash techniques to access domain controllers. The operation culminated in exfiltration of Active Directory databases and credentials via LimeWire, demonstrating advanced tradecraft abusing legitimate clou...
Pulse ID: 69ea72434c655fab0cee36d8
Pulse Link: https://otx.alienvault.com/pulse/69ea72434c655fab0cee36d8
Pulse Author: AlienVault
Created: 2026-04-23 19:25:55
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #Browser #Cloud #CyberSecurity #DomainController #Email #Google #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SocialEngineering #Spam #Troll #bot #AlienVault
-
The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy
The Gentlemen ransomware-as-a-service program has rapidly expanded since mid-2025, claiming over 320 victims with 240 attacks occurring in early 2026. The service provides multi-platform lockers for Windows, Linux, NAS, BSD, and ESXi, enabling comprehensive coverage of corporate environments. During an incident response engagement, an affiliate deployed SystemBC proxy malware for covert tunneling and payload delivery. Analysis of the SystemBC command-and-control server revealed a botnet of over 1,570 victims, primarily corporate and organizational targets. The intrusion progressed from domain controller compromise through credential validation, remote execution via administrative shares, and deployment of Cobalt Strike payloads. Attackers disabled defenses, established persistence through scheduled tasks and services, and ultimately deployed ransomware via Group Policy. The operation demonstrates sophisticated lateral movement capabilities, defense evasion techniques, and integration of mature post-exploit...
Pulse ID: 69e63f93a0ddbd53fcab3f51
Pulse Link: https://otx.alienvault.com/pulse/69e63f93a0ddbd53fcab3f51
Pulse Author: AlienVault
Created: 2026-04-20 15:00:35
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CobaltStrike #CyberSecurity #DomainController #InfoSec #Linux #Malware #OTX #OpenThreatExchange #Proxy #RAT #RansomWare #RansomwareAsAService #Troll #Windows #bot #botnet #AlienVault
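The post-compromise chain the post describes, remote execution via administrative shares, persistence through services, and ransomware pushed by Group Policy, can be correlated from three event types on the hosts involved. The following is an added example, not code from the write-up behind the pulse: it links a write to ADMIN$ or C$ (Security 5145) to a service installed shortly afterwards on the same host (System 7045), and flags edits to Group Policy objects (Security 5136) by accounts outside an allowlist. All records, hosts, accounts and paths are constructed, and the list of expected GPO editors is an assumption.

```powershell
# Added example (not from the report behind the pulse): correlating admin-share writes with new
# services, and spotting GPO edits by unexpected accounts, over constructed sample records.

# Accounts expected to modify Group Policy objects. Assumption for the example.
$GpoEditors = @('CORP\gpo-admin')

function Find-RemoteServiceInstall {
    # PsExec-style remote execution: a file written to ADMIN$ or C$, then a new service within $Window on the same host.
    param([pscustomobject[]] $Records, [timespan] $Window = [timespan]::FromMinutes(5))
    $writes = @($Records | Where-Object {
        $_.EventId -eq 5145 -and $_.ShareName -match '^\\\\\*\\(ADMIN|C)\$$' -and (([int]$_.AccessMask) -band 0x2)
    })
    $installs = @($Records | Where-Object { $_.EventId -eq 7045 })
    foreach ($w in $writes) {
        foreach ($s in $installs) {
            $delta = $s.Time - $w.Time
            if ($s.Computer -eq $w.Computer -and $delta -ge [timespan]::Zero -and $delta -le $Window) {
                [pscustomobject]@{
                    Host      = $w.Computer
                    Technique = 'Remote service install via admin share'
                    Actor     = "$($w.SubjectDomainName)\$($w.SubjectUserName) from $($w.IpAddress)"
                    Detail    = "$($w.RelativeTargetName) written to $($w.ShareName); service '$($s.ServiceName)' ($($s.ImagePath)) $([int]$delta.TotalSeconds)s later"
                }
            }
        }
    }
}

function Find-UnexpectedGpoChange {
    # Directory Service Changes auditing: any groupPolicyContainer edit by an account outside the allowlist.
    param([pscustomobject[]] $Records, [string[]] $AllowedEditors)
    foreach ($r in $Records) {
        if ($r.EventId -ne 5136 -or $r.ObjectClass -ne 'groupPolicyContainer') { continue }
        $actor = "$($r.SubjectDomainName)\$($r.SubjectUserName)"
        if ($AllowedEditors -notcontains $actor) {
            [pscustomobject]@{
                Host      = $r.Computer
                Technique = 'GPO modified by unexpected account'
                Actor     = $actor
                Detail    = "$($r.AttributeLDAPDisplayName) changed on $($r.ObjectDN)"
            }
        }
    }
}

# Constructed sample records (the GPO GUIDs are the well-known default policy GUIDs, used only as sample DNs).
$T = [datetime]'2026-04-20T10:00:00'
$Records = @(
    [pscustomobject]@{ EventId=5145; Computer='DC01'; Time=$T; IpAddress='10.20.30.42'; SubjectDomainName='CORP'; SubjectUserName='svc_backup'; ShareName='\\*\ADMIN$'; RelativeTargetName='update.exe'; AccessMask='0x2' }
    [pscustomobject]@{ EventId=7045; Computer='DC01'; Time=$T.AddSeconds(20); ServiceName='update'; ImagePath='%SystemRoot%\update.exe' }
    [pscustomobject]@{ EventId=5145; Computer='DC01'; Time=$T.AddMinutes(1); IpAddress='10.20.30.7'; SubjectDomainName='CORP'; SubjectUserName='jdoe'; ShareName='\\*\SYSVOL'; RelativeTargetName='corp.example\Policies'; AccessMask='0x1' }
    [pscustomobject]@{ EventId=7045; Computer='DC01'; Time=$T.AddHours(2); ServiceName='BackupAgent'; ImagePath='C:\Program Files\Backup\agent.exe' }
    [pscustomobject]@{ EventId=5136; Computer='DC01'; Time=$T.AddMinutes(3); SubjectDomainName='CORP'; SubjectUserName='svc_backup'; ObjectClass='groupPolicyContainer'; AttributeLDAPDisplayName='versionNumber'; ObjectDN='CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example' }
    [pscustomobject]@{ EventId=5136; Computer='DC01'; Time=$T.AddMinutes(4); SubjectDomainName='CORP'; SubjectUserName='gpo-admin'; ObjectClass='groupPolicyContainer'; AttributeLDAPDisplayName='versionNumber'; ObjectDN='CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example' }
)

$Findings = @(Find-RemoteServiceInstall -Records $Records) + @(Find-UnexpectedGpoChange -Records $Records -AllowedEditors $GpoEditors)
$Findings | Format-Table -AutoSize
```

Event 5145 is only written when the "Audit Detailed File Share" subcategory is enabled, and 5136 requires "Audit Directory Service Changes" together with a SACL on the Policies container; 7045 is in the System log and needs no extra configuration. Legitimate remote administration (admins using PsExec, software deployment tooling) matches the first rule too, which is exactly why it is worth alerting on for domain controllers: none of it should happen there outside a change window.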
-
Limiting Domain Controller Attack Surface: Why Less Services, Less Software, Less Agents = Less Exposure: https://trustedsec.com/blog/limiting-domain-controller-attack-surface-why-less-services-less-software-less-agents-less-exposure
-
A premium fashion domain ready for sale. #domain #domainnames #panda-fog #domaincontroller
-
Windows Server 2025: #DomainController no longer reachable after a reboot
"Windows Server 2025 apparently suffers from a #connectivity problem. According to Microsoft, the wrong #firewall profile is loaded on domain controllers."
https://www.golem.de/news/windows-server-2025-domain-controller-sind-nach-neustart-nicht-mehr-erreichbar-2504-195369.html -
From today's ADMIN Update newsletter, Thomas Joos shows you how to configure your domain controller security settings correctly with Policy Analyzer and current Microsoft baselines for a leak-tight Active Directory
https://www.admin-magazine.com/Archive/2024/83/Optimizing-domain-controller-security
#security #configuration #ActiveDirectory #PolicyAnalyzer #DCs #Microsoft #DomainController -
1. No it the fuck cannot.
2. No one asked you, literally.
3. I know this because I DIDN'T ASK YOU.
4. I really hate that Google is doing this stupid shit. It's so goddamn unnecessary and wasteful.
When we can't breathe because there's no more oxygen, at least we'll die knowing that 30% of the AI answers contained at least 60% accurate information.
#windows #google #microsoft #alphabet #waste #ai #windowsdomain #rodc #domaincontroller -
Intel and Karma partner to develop software-defined car architecture - Enlarge / Karma was started in 2014 when the Wanxiang Group purchased t... - https://arstechnica.com/?p=2043501 #softwaredefinedvehicle #software-definedcar #domaincontroller #intel #karma #cars
-
How to add a new Domain Controller to an Existing Domain
https://techdirectarchive.com/2024/07/19/how-to-add-a-new-domain-controller-to-existing-domain/
#AddDomainControllerToExistingDomain, #DC, #DomainController, #DomainControllerSetup, #MicrosoftWindows, #MultiDomainActiveDirectory, #PromoteDC, #RootDomainController, #SecondaryDomainController, #SetUpANewDomainControllerForReplication, #Windows, #WindowsServer, #WindowsServer2012, #WindowsServer2022, #WindowsServer2025
-
How to Disable Print Spooler on Domain Controller: https://www.alitajran.com/disable-print-spooler-domain-controller/
-
Akamai researchers discovered a new privilege escalation technique affecting Active Directory (AD) environments that leverages the DHCP administrators group. In cases where the DHCP server role is installed on a Domain Controller (DC), this could enable them to gain domain admin privileges. The technique is based on abuse of legitimate features and doesn’t rely on any vulnerability. Therefore, a fix for it doesn’t exist. No CVE ID. This EoP technique could also be used to create a stealthy domain persistence mechanism. 🔗 https://www.akamai.com/blog/security-research/2024/feb/abusing-dhcp-administrators-group-for-privilege-escalation-in-windows-domains
#privilegeescalation #activedirectory #vulnerability #domaincontroller #EoP #persistence
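Four of the posts above make the same point from different angles: the TrustedSec piece on running fewer services and agents on domain controllers, the alitajran how-to on disabling the Print Spooler, the golem.de report on Windows Server 2025 DCs coming up on the wrong firewall profile, and this Akamai research on the DHCP Administrators group when the DHCP role sits on a DC. The following is an added example, not code from any of those articles: an attack-surface audit that evaluates collected inventory for those four conditions. The evaluation is a pure function so it runs anywhere; the inventory passed in is constructed, and the list of services expected on a DC is an assumption that should be replaced with one taken from a clean reference DC.

```powershell
# Added example (not from the TrustedSec, alitajran, golem.de or Akamai articles): DC attack-surface
# audit over collected inventory. Inputs are plain objects so the logic runs on any machine;
# on a real DC collect them with the cmdlets noted next to each parameter.

function Get-DcAttackSurfaceFindings {
    param(
        [pscustomobject[]] $Services,            # Name, DisplayName, Status, StartType (Get-Service)
        [string[]]         $InstalledFeatures,   # feature names                        (Get-WindowsFeature)
        [string[]]         $DhcpAdministrators,  # SamAccountNames                      (Get-ADGroupMember 'DHCP Administrators')
        [pscustomobject[]] $ConnectionProfiles,  # InterfaceAlias, NetworkCategory      (Get-NetConnectionProfile)
        [string[]]         $ExpectedServices     # services that belong on a DC         (assumption; build from a reference DC)
    )
    $findings = [System.Collections.Generic.List[pscustomobject]]::new()

    # 1. Print Spooler: widely abused for authentication coercion and privilege escalation, and a DC never prints.
    $spooler = $Services | Where-Object Name -eq 'Spooler'
    if ($spooler -and ($spooler.Status -eq 'Running' -or $spooler.StartType -ne 'Disabled')) {
        $findings.Add([pscustomobject]@{ Severity='High'; Check='PrintSpooler'; Detail="Spooler is $($spooler.Status), StartType $($spooler.StartType); stop and disable it" })
    }

    # 2. DHCP Server role on a DC: membership of DHCP Administrators becomes a path to Domain Admin.
    if ($InstalledFeatures -contains 'DHCP') {
        $findings.Add([pscustomobject]@{ Severity='High'; Check='DhcpRoleOnDc'; Detail='DHCP Server role installed on a DC; move it to a member server' })
        if ($DhcpAdministrators.Count -gt 0) {
            $findings.Add([pscustomobject]@{ Severity='High'; Check='DhcpAdministrators'; Detail="Members: $($DhcpAdministrators -join ', ') (treat as Tier 0 while DHCP stays on the DC)" })
        }
    }

    # 3. Firewall profile: the DC's inbound rules are scoped to the Domain profile, so a NIC on Public/Private drops AD traffic.
    foreach ($p in $ConnectionProfiles) {
        if ($p.NetworkCategory -ne 'DomainAuthenticated') {
            $findings.Add([pscustomobject]@{ Severity='High'; Check='FirewallProfile'; Detail="$($p.InterfaceAlias) is on the $($p.NetworkCategory) profile instead of DomainAuthenticated" })
        }
    }

    # 4. Anything else running (agents, vendor services, leftovers) is added attack surface.
    foreach ($s in ($Services | Where-Object Status -eq 'Running')) {
        if ($ExpectedServices -notcontains $s.Name) {
            $findings.Add([pscustomobject]@{ Severity='Medium'; Check='UnexpectedService'; Detail="$($s.Name) ($($s.DisplayName)) is running but not on the expected list" })
        }
    }
    return $findings
}

# Constructed inventory for a DC that exhibits all four problems.
$SampleServices = @(
    [pscustomobject]@{ Name='NTDS';           DisplayName='Active Directory Domain Services'; Status='Running'; StartType='Automatic' }
    [pscustomobject]@{ Name='DNS';            DisplayName='DNS Server';                       Status='Running'; StartType='Automatic' }
    [pscustomobject]@{ Name='Netlogon';       DisplayName='Netlogon';                         Status='Running'; StartType='Automatic' }
    [pscustomobject]@{ Name='Spooler';        DisplayName='Print Spooler';                    Status='Running'; StartType='Automatic' }
    [pscustomobject]@{ Name='VendorAgentSvc'; DisplayName='Example Vendor Monitoring Agent';  Status='Running'; StartType='Automatic' }
)
$Findings = Get-DcAttackSurfaceFindings `
    -Services           $SampleServices `
    -InstalledFeatures  @('AD-Domain-Services', 'DNS', 'DHCP', 'GPMC') `
    -DhcpAdministrators @('svc_helpdesk') `
    -ConnectionProfiles @([pscustomobject]@{ InterfaceAlias='Ethernet0'; NetworkCategory='Public' }) `
    -ExpectedServices   @('NTDS', 'DNS', 'Netlogon', 'Kdc', 'DFSR', 'W32Time', 'ADWS')
$Findings | Format-Table -AutoSize
```

On a live DC the inputs come from `Get-Service`, `(Get-WindowsFeature | Where-Object Installed).Name`, `(Get-ADGroupMember 'DHCP Administrators').SamAccountName` (the group only exists once the DHCP role has been installed, so wrap that call in a try block) and `Get-NetConnectionProfile`. Note that the Microsoft security baselines applied with Policy Analyzer, as in the ADMIN Magazine post above, harden settings on whatever is installed; they do not tell you that a role or agent should not be on the DC at all, which is what this check is for.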
-
SEO Poisoning to Domain Control: The Gootloader Saga Continues
In February 2023, a user downloaded and executed a file from a SEO-poisoned search result, leading to a Gootloader infection. Around nine hours later, Gootloader facilitated Cobalt Strike deployment into the registry and memory. The threat actor used SystemBC to tunnel RDP access, compromising domain controllers, backup servers, and other key servers. The threat actor interactively reviewed sensitive files via RDP, but no data exfiltration was confirmed.
Pulse ID: 65dc5f0cd3b2b09478de2ba2
Pulse Link: https://otx.alienvault.com/pulse/65dc5f0cd3b2b09478de2ba2
Pulse Author: AlienVault
Created: 2024-02-26 09:51:08
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#OTX #OpenThreatExchange #InfoSec #bot #CyberSecurity #RDP #RAT #CobaltStrike #SeoPoisoning #GootLoader #DomainController #Troll #AlienVault
-
Finally, no more Active Directory Domain Controllers running Windows Server 2012 in our environment. Legacy support is just one of the pitfalls of "inheriting" poorly managed domains.
Next, I will shore up the encryption protocols. #ActiveDirectory #DomainController -
Simplified deployment with Defender for Identity
"Microsoft Defender for Identity is an essential part of a modern security practice, helping your organization protect against, and respond to, identity-based threats. In this blog we will show you the simple steps for deploying Microsoft Defender for Identity within your environment."
#defenderforidentity #mdi #microsoft #microsoftsecurity #defender #adfs #domaincontroller #activedirectory #itdr #azure #adfs #adcs #deployment