Write-ups

The Final Hop

Description: On the night of May 21, our SOC received a high-severity alert indicating unusual lateral movement in the Active Directory environment. Internal logs showed that the Domain Controller (DC) was accessed by a suspicious account. A few hours later, a critical application server became inaccessible. Booting from a recovery image revealed that the local Administrator password had been changed without authorization.

File: Download Write-up