A masqueraded AdobeUpdater.exe binary established persistence via a registry Run key, injected into cmd.exe, performed AS-REP Roasting with Rubeus against four AD accounts, laterally moved to FileServer using cracked tcooper credentials, enabled RDP, and staged share data for exfiltration.
An attacker from 77.91.78.115 brute-forced mwilliams credentials, connected via RDP, dropped OfficeUpdater.exe with registry persistence, staged Backup_Tools including mimikatz, dumped lsass to obtain jsmith credentials, laterally moved to ST-DC01 and ST-FS01, established scheduled task persistence on the DC, and archived client data for exfiltration.
An attacker from 192.168.1.60 (Kali) conducted a 5-minute RDP password spraying attack against dev.cyberdefenders.org, generating 4302 failed logon attempts across multiple usernames, and successfully authenticated as administrator and five other accounts via RDP.