Executive Summary

On 2025-11-04, the KCD environment experienced a critical multi-stage compromise resulting in unauthorized access to domain resources, credential theft, lateral movement, privilege escalation, data staging, and final exfiltration of sensitive information to an external Discord webhook.

The incident began with the attacker abusing PowerShell to download a disguised malware GoogleUpdateCore.exe, which established encrypted outbound communication to a remote C2 server. Over the next several hours, the attacker executed a full attack chain:

• Initial execution & discovery
• Credential harvesting (Mimikatz)
• SMB-based lateral movement using stolen domain credentials
• Deployment of persistence via malicious services and scheduled tasks
• Creation of a hidden staging directory & copying sensitive PatientData and HR records
• Data exfiltration via curl.exe to Discord
• Attempts to compromise the domain via DCSync and Pass-the-Hash
• Establishment of a new Domain Admin backdoor account
• Download of advanced post-exploitation tools (Rubeus, GetUserSPNs, secretsdump, psexec)
• Log tampering/anti-forensics using wevtutil.exe

This incident reflects a highly skilled adversary leveraging LOLBINs, mimicked tools, and Kerberos abuse techniques to maintain foothold, escalate privileges, and extract high-value data.

Immediate remediation is required, including revocation of compromised credentials, KRBTGT double reset, system reimaging, and eradication of persistence mechanisms to prevent further unauthorized access.

Findings

• Initial Execution of Malware via certutil.exeGoogleUpdateCore.exe was downloaded from an external C2 server and executed under a misleading name to evade detection.