2 posts tagged with "active-directory"

By the time ransomware starts encrypting files, the attacker has already won. The encryption event that triggers your EDR alert, your SOC ticket, and your incident response retainer is not the attack it is the final step of an operation that began days or weeks earlier, during which the threat actor mapped your entire Active Directory, escalated to Domain Admin, exfiltrated your most sensitive data to a cloud storage bucket, killed your backups, and confirmed that every shadow copy on every server is gone. The encryption itself takes minutes. Everything that makes it devastating the leverage, the irreversibility, the breadth was assembled during the dwell period when your SIEM was generating zero alerts. The Conti playbook leaked in 2022, LockBit 3.0's affiliate documentation, and ALPHV/BlackCat's observed TTPs across hundreds of incidents all confirm the same operational tempo: reconnaissance, credential theft, lateral movement, exfiltration, and backup destruction are completed before a single file is touched.

You're staring at an EDR alert from 11:47 PM. A Word document spawned PowerShell. By the time your analyst acknowledges the ticket at 12:09 AM, the attacker already has a beacon calling home, has run BloodHound across your entire AD, dumped credentials from LSASS, and is authenticating to your domain controller with a Domain Admin hash. The "200-day dwell time" you quoted last quarter's board meeting is about to become a footnote. This intrusion will be over in four hours.

Category: Threat Intelligence · Reading time: 25 min · Audience: SOC Analysts, Detection Engineers, Incident Responders