This week and last week, the Certego Incident Response team handled a PowerShell-based Active Directory compromise on several of our customers' networks. Although the actors appeared intent on spreading cryptominer malware, some technical aspects of the campaign suggest it could have a second goal. Since more and more attacks rely on lateral movement to compromise enterprise domains, today we decided to share some details of the detection and response actions Certego IRT performed to handle these threats.
Note: to prevent antivirus products from blocking this site, we are forced to share the code as screenshots; the main samples have been uploaded to VirusTotal.