{
  "Event": {
    "analysis": "1",
    "date": "2026-03-10",
    "extends_uuid": "",
    "info": "[Threat Intel] Stolen Service Accounts Lead to Rogue Workstations and Deep AD Compromise",
    "protected": false,
    "publish_timestamp": "1774048946",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1774048945",
    "uuid": "b998ca22-2f17-4f12-8328-4c9d4428df5c",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#75e21e",
        "local": false,
        "name": "misp-galaxy:producer=\"SentinelOne\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#3eb869",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Local Data Staging - T1074.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#5c57c8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Service - T1543.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#43c8db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#fe1ef0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Shell - T1505.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#a6d5f3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Domain Account - T1136.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#59699c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"",
        "relationship_type": ""
      },
      {
        "colour": "#b596f0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Lateral Tool Transfer - T1570\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#370063",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#b9e5c8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"NTDS - T1003.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#fae37b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Service Execution - T1569.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120044",
        "local": false,
        "name": "rectifyq:sub-category=\"intrusion-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773658845",
        "to_ids": false,
        "type": "link",
        "uuid": "10e01816-7ecd-4023-9ff1-78b42aeb9f7d",
        "value": "https://www.sentinelone.com/blog/fortigate-edge-intrusions/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773658845",
        "to_ids": false,
        "type": "text",
        "uuid": "43d368a0-58a5-45e2-83dc-7b66fe8b22e6",
        "value": "SentinelOne's DFIR team has responded to multiple incidents involving compromised FortiGate NGFW appliances used to establish footholds in targeted environments. Attackers exploited vulnerabilities or weak credentials to access FortiGate devices, extract configuration files containing service account credentials, and use those to join rogue workstations to Active Directory. In one case, the attacker used the access to deploy remote management tools and steal the NTDS.dit file. The incidents highlight the need for strong access controls, patching, and improved logging on edge devices. Organizations are advised to implement SIEM solutions to detect anomalous activity and automate responses."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773658845",
        "to_ids": false,
        "type": "text",
        "uuid": "0ab04769-efb4-4bef-8993-1f865b9fc0b9",
        "value": "Name: Stolen Service Accounts Lead to Rogue Workstations and Deep AD Compromise\nAuthor: AlienVault\nAdversary: \nTags: [\"fortigate\", \"ngfw\", \"credential theft\", \"cve-2025-59719\", \"cve-2025-59718\", \"rmm tools\", \"cve-2026-24858\", \"lateral movement\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: [\"T1074.001\", \"T1543.003\", \"T1055\", \"T1505.003\", \"T1136.002\", \"T1059.001\", \"T1078\", \"T1570\", \"T1105\", \"T1021.001\", \"T1003.003\", \"T1569.002\"]\nIndustries: []"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773658845",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "3d60b0ad-cd4a-4050-88ea-efbc75a421e0",
        "value": "CVE-2025-59718"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773658845",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "a3f82bb8-956c-472e-a81c-473f77eb966b",
        "value": "CVE-2025-59719"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773658845",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "732a8402-8264-4cd8-b291-bb2201c63040",
        "value": "CVE-2026-24858"
      },
      {
        "category": "Network activity",
        "comment": "Incident 1, failed login source IP",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774033522",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "2bcba01a-6e55-44d9-bbe4-ea1dea185902",
        "value": "185.242.246.127",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Incident 1, threat actor connection via \u2018support\u2019 account",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774033544",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "dd114b06-258d-449a-8f67-438e3370611e",
        "value": "193.24.211.61",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Incident 2, Java-sideloaded payload C2 domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774033567",
        "to_ids": true,
        "type": "domain",
        "uuid": "47b0d646-ddca-49e4-9a8b-57c5eadaf299",
        "value": "ndibstersoft.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Incident 2, Java-sideloaded payload C2 domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774033588",
        "to_ids": true,
        "type": "domain",
        "uuid": "8d870ed7-3503-4377-a231-25e0ac9a89cf",
        "value": "neremedysoft.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Incident 2, S3 subdomain hosting weaponized Java payloads",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774033610",
        "to_ids": true,
        "type": "hostname",
        "uuid": "2c244361-0fb4-4ed8-b5bf-1654f46876e5",
        "value": "fastdlvrss.s3.us-east-1.amazonaws.com",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Incident 1, failed login source IP",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774033632",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "f941b3fb-7232-41d4-974b-8565183d33bd",
        "value": "185.156.73.62",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Incident 2, URL hosting weaponized Java application & payloads",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774033653",
        "to_ids": true,
        "type": "url",
        "uuid": "6e3ae6b3-4b7f-4acf-806d-e800d6e913ba",
        "value": "https://fastdlvrss.s3.us-east-1.amazonaws.com/paswr.zip",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Incident 2, URL hosting Pulseway RMM",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774033675",
        "to_ids": true,
        "type": "url",
        "uuid": "8dd9ec54-994e-4eb0-8881-fe6ac4a80298",
        "value": "https://storage.googleapis.com/apply-main/windows_agent_x64.msi",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Targeting data",
        "comment": "Incident 1, Windows hostname of RDP service hosted on attacker IP 193.24.211[.]61",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774010847",
        "to_ids": false,
        "type": "target-machine",
        "uuid": "ac22b44a-98fe-4565-9526-ff88941d71fe",
        "value": "WIN-1J7L3SQSTMS"
      },
      {
        "category": "Targeting data",
        "comment": "Incident 1, rogue workstation ID",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774010838",
        "to_ids": false,
        "type": "target-machine",
        "uuid": "d617df1b-0e8e-4f6f-8658-2ab720748130",
        "value": "WIN-X8WRBOSK0OF"
      },
      {
        "category": "Targeting data",
        "comment": "Incident 1, rogue workstation ID",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774010838",
        "to_ids": false,
        "type": "target-machine",
        "uuid": "e0d6c6ad-43eb-4267-8d4f-40de4c193f4d",
        "value": "WIN-YRSXLEONJY2"
      }
    ]
  }
}