{
	"id": "19fd6504-fd5e-4ade-9cc9-feda40503b1a",
	"created_at": "2026-04-06T00:15:06.524017Z",
	"updated_at": "2026-04-10T13:12:21.354382Z",
	"deleted_at": null,
	"sha1_hash": "118fef37270dd28d2db8f6c2b8a84bf95d638772",
	"title": "Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vitali Kremez",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1287890,
	"plain_text": "Inside Cybercrime Groups Harvesting Active Directory for Fun\r\nand Profit - Vitali Kremez\r\nArchived: 2026-04-05 22:49:25 UTC\r\nhttps://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez\r\nPage 1 of 15\n\nhttps://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez\r\nPage 2 of 15\n\nhttps://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez\r\nPage 3 of 15\n\nhttps://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez\r\nPage 4 of 15\n\nhttps://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez\r\nPage 5 of 15\n\nhttps://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez\r\nPage 6 of 15\n\nMore Related Content\r\nPDF\r\nBSides IR in Heterogeneous Environment\r\nPDF\r\nhttps://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez\r\nPage 7 of 15\n\n[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx\r\nPDF\r\n[CB19] Cyber Threat Landscape in Japan – Revealing Threat in the Shadow by C...\r\nPDF\r\nMITRE ATTACKCon Power Hour - December\r\nPDF\r\nMITRE ATT\u0026CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...\r\nPDF\r\nATT\u0026CKING Containers in The Cloud\r\nPDF\r\nMITRE ATT\u0026CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...\r\nPDF\r\nDavid Bianco - Enterprise Security Monitoring\r\nWhat's hot\r\nPPTX\r\nBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz\r\nPDF\r\n\"Is your browser secure? 
Breaking cryptography in PKI based systems, opening ...\r\nPPTX\r\nCorporate Espionage without the Hassle of Committing Felonies\r\nPDF\r\nHelping Small Companies Leverage CTI with an Open Source Threat Mapping\r\nPDF\r\n\"Giving the bad guys no sleep\"\r\nPDF\r\nOffensive malware usage and defense\r\nhttps://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez\r\nPage 8 of 15\n\nPDF\r\nWhen Insiders ATT\u0026CK!\r\nPPTX\r\nMalware Static Analysis\r\nPPTX\r\n\"There's a pot of Bitcoins behind the ransomware rainbow\"\r\nPDF\r\nMITRE ATT\u0026CKcon 2.0: Ready to ATT\u0026CK? Bring Your Own Data (BYOD) and Validate...\r\nPDF\r\nShamoon\r\nPDF\r\nCatching the Golden Snitch- Leveraging Threat Intelligence Platforms to Defen...\r\nPDF\r\nMITRE ATT\u0026CKcon 2018: Detection Philosophy, Evolution \u0026 ATT\u0026CK, Fred Stankows...\r\nPDF\r\nThe 4horsemen of ics secapocalypse\r\nPPTX\r\nConclusions from Tracking Server Attacks at Scale\r\nPDF\r\nInsider Threat Visualization - HITB 2007, Kuala Lumpur\r\nPDF\r\nWannacry | Technical Insight and Lessons Learned\r\nPPTX\r\nUsing GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams\r\nPDF\r\nSharpening your Threat-Hunting Program with ATTACK Framework\r\nhttps://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez\r\nPage 9 of 15\n\nPDF\r\nPHDays 2018 Threat Hunting Hands-On Lab\r\nSimilar to Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vitali\r\nKremez\r\nPDF\r\ntheVIVI-AD-Security-Workshop_AfricaHackon2019.pdf\r\nPPTX\r\nCatch Me If You Can - Finding APTs in your network\r\nPPTX\r\nImplementing Active Directory and Information Security Audit also VAPT in Fin...\r\nPPTX\r\nBridging the Gap\r\nPPTX\r\nGo Hack Yourself - 10 Pen Test Tactics for Blue Teamers\r\nPDF\r\nADRecon - Detection CHCON 2018\r\nPPTX\r\nBSides SG Practical Red Teaming 
Workshop\r\nPPTX\r\nBSIDES-PR Keynote Hunting for Bad Guys\r\nPDF\r\nWindows Threat Hunting\r\nPPTX\r\nHybrid Active Directory Cyber Resiliency\r\nPPTX\r\nAdversarial Post-Ex: Lessons From The Pros\r\nhttps://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez\r\nPage 10 of 15\n\nPPTX\r\nAdversarial Post Ex - Lessons from the Pros\r\nPPTX\r\nScrapping for Pennies: How to implement security without a budget\r\nPDF\r\nI Have the Power(View)\r\nPDF\r\nDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory\r\nPPTX\r\nWindows advanced\r\nPPTX\r\nKyle Taylor – increasing your security posture using mc afee epo\r\nPPTX\r\nI hunt sys admins 2.0\r\nPPTX\r\nDefending Your \"Gold\"\r\nPDF\r\nHacking our chairmans inbox - Charl van der Walt - SensePost\r\nRecently uploaded\r\nPDF\r\nSecure Java Applications against Quantum Threats\r\nPDF\r\nĐộng cơ hơi nước đôi bản vẽ chi tiết và bản vẽ lắp\r\nPDF\r\nHow a Gated Community Operates on Ground?\r\nPDF\r\nhttps://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez\r\nPage 11 of 15\n\nEmpowering BFSI with ThousandEyes Real-Time Digital Performance Intelligence\r\nPDF\r\n2025 Infrastructure Resilience Blueprint\r\nPDF\r\nEnergy Aware Combinatorial Optimization.pdf\r\nPPTX\r\nCollaborating with UX to Embed Accessibility in Design Workflows\r\nPPTX\r\nHyper-Aether: AI-Native Computing with Dynamic VM Fabric Architecture\r\nPDF\r\nData-Driven-Security-in-Gated-Communities.pptx.pdf\r\nPDF\r\nInformation Retrieval systems-(RAG).2026.Sec-(4)-(6)\r\nPDF\r\nAgent Orchestration using GitHub Copilot\r\nPPTX\r\nAutomating Form Validation and Verification with Multi-Modal LLMs\r\nPDF\r\nJos-BwAI26_Umar_Faruq_Zubairu_Build and Deploy a Multi-Agent Guide on Cloud R...\r\nPDF\r\nComprehensive Guide to Matplotlib for Python Data Visualization\r\nPPTX\r\nComprehensive Guide to Access 
Control and Security Vulnerabilities\r\nPDF\r\nThe Automated Factory A Strategic Blueprint for Modern Production Workflows\r\nPDF\r\nhttps://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez\r\nPage 12 of 15\n\nDefending Against Generative Malware \u0026 Deepfakes in Cognitive Security Era\r\nPPTX\r\nComprehensive Introduction to Blockchain Technology for Maritime Sector Appli...\r\nPDF\r\nIs Your Society Ready for 2026: A quick checklist for modern gated communities\r\nPDF\r\nHCL Notes 2026: New User Experience Deep Dive\r\nInside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vitali\r\nKremez\r\n1.\r\n2.\r\nIntroducing Cybercrime Groups Talk Outline 1 3 TrickBot in the Cloud: CloudJumper MSP Intrusion\r\nActive Directory Enumeration Methodologies 2 4 Life Cycle of High-Profile Event: Typical Exploitation\r\n\u0026 TTPs 5 Detections \u0026 Mitigations 5 Key Takeaways \u0026 Outlook\r\n3.\r\nCybercrime Enterprise Deal with Big Data • Sophisticated criminal enterprises such as TrickBot \u0026 QakBot\r\n- focused on parsing and identifying high-value targets (HVT) • Need reliable install loaders -\r\nintermittently rely on Emotet Loader for installs • Big botnet data collectors necessitate scalable solutions\r\nto identify high-value targets (corporate networks with local domains) versus “useless” infections • Simple\r\nidea: Squeeze as much £ / € / $ value from your bots as possible • Banking Malware • Credential Stealer • Miner\r\n• Ransomware! 
Reference: “Charting the Next Cybercrime Frontier, or Evolution of Criminal Intent\r\nhttps://www.youtube.com/watch?v=ptL0aTYzRfM\r\n4.\r\nCybercrime Enterprise Deal with Big Data Reference: “Charting the Next Cybercrime Frontier, or\r\nEvolution of Criminal Intent https://www.youtube.com/watch?v=ptL0aTYzRfM\r\n5.\r\nEmotet (Loader for Installs) -\u003e TrickBot -\u003e Ryuk Ransomware (via PowerShell Empire/Cobalt Strike)\r\nReference: “Charting the Next Cybercrime Frontier, or Evolution of Criminal Intent\r\nhttps://www.youtube.com/watch?v=ptL0aTYzRfM Credit: Ryuk image\r\n(https://nogiartshop.com/products/ryuk) …Network \u0026 Active Directory Parsing!…. Automated Malware +\r\nInteractive Human Exploitation Operator\r\n6.\r\nhttps://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez\r\nPage 13 of 15\n\n7.\r\n8.\r\nTrickBot in the Cloud: CloudJumper MSP Intrusion:  $5 Billion Extortion Amount in Total (!) Reference:\r\nhttps://twitter.com/barton_paul/status/1127088679132987394\r\n9.\r\nTrickBot Makes Headlines with Ryuk Install via Active Directory: CloudJumper MSP Breached MSP\r\nVictim —\u003e Gateway to Other Organization Cloud Infrastructure\r\n10.\r\n11.\r\n12.\r\n• \"domainDll32,\" compiled via 'GCC: (Rev1, Built by MSYS2 project) 7.2.0,' allows TrickBot operators to\r\ncollect domain controller information once they are already on the compromised machine. • This module is\r\ninternally called \"DomainGrabber\" and accepts command \"getdata\" in order to start harvesting domain\r\ninformation. 
• domainDll appears to be aimed at exploiting networks with unsecured domain controllers.\r\ndomainDll (32|64) Reference: https://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html\r\nActive Directory Enumeration Methodologies\r\n13.\r\n14.\r\n15.\r\nActive Directory Enumeration Methodologies • “networkDll” module is a single harvester of all possible\r\nnetwork victim information from running commands such as \"ipconfig /all\" and \"nltest /domain_trusts\r\n/all_trusts\" to WMI Query Language (WQL) queries such as \"SELECT * FROM\r\nWin32_OperatingSystem\" to lightweight directory access protocol (LDAP) queries. • Notably, the group\r\nleverages \"nltest\" commands to establish the trust relationship between a compromised workstation\r\nand its possible domain before querying LDAP. networkDll (32|64) Reference:\r\nhttps://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html\r\n16.\r\n17.\r\n18.\r\n• “psfin32” is a point-of-sale finder reconnaissance module that hunts for point of sale related services, software,\r\nand machines in Lightweight Directory Access Protocol (LDAP) • The module itself does not steal any\r\npoint-of-sale data but rather is used to profile corporate machines of interest with possible point-of-sale\r\ndevices. • This module arrived just in time for the holiday shopping season highlighting the group's interest\r\nin exploring possible point-of-sale breaches. 
psfinDll (32|64) Reference:\r\nhttps://www.vkremez.com/2018/11/lets-learn-introducing-latest-trickbot.html Active Directory\r\nEnumeration Methodologies\r\nhttps://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez\r\nPage 14 of 15\n\n19.\r\npsfinDll (32|64): Typical Point-of-Sale Network Layout Credit: https://www.smart-acc.com/?page=size-options/multiple-outlets/retail Active Directory Enumeration Methodologies\r\n20.\r\n21.\r\n22.\r\nLife Cycle of High-Profile Event: Typical Exploitation Chain \u0026 Tactics, Techniques \u0026 Procedures Credit:\r\nBrad Duncan (https://www.malware-traffic-analysis.net/2018/10/08/index.html)\r\n23.\r\nLife Cycle of High-Profile Event: Victim Domain Parser\r\n24.\r\n25.\r\nDetections \u0026 Mitigations • Identify who has AD admin rights (domain/forest) • Identify who can logon to\r\nDomain Controllers (\u0026 admin rights to virtual environment hosting virtual DCs) • XML Permissions •\r\nPlace a new xml file in SYSVOL \u0026 set Everyone:Deny • Audit Access Denied errors. • Scan Active\r\nDirectory Domains, OUs, AdminSDHolder, \u0026 GPOs for inappropriate custom permissions Credit: Rahmat\r\nNurfauzi (https://github.com/infosecn1nja/AD-Attack-Defense/blob/master/README.md#defense-evasion)\r\n Sean Metcalf (https://adsecurity.org/?p=2288)\r\n26.\r\nKey Takeaways \u0026 Outlook • Automated Malware + Interactive Human Exploitation Operator -\u003e New\r\nCybercrime Frontier • Active Directory \u0026 Network Enumeration are the key to identifying high-value\r\ncorporate and multi-tenancy targets for additional monetization (e.g., Ryuk ransomware) • Cloud MSPs are\r\nthe desired targets as they are gateways to their customer environments (e.g., CloudJumper) Credit:\r\nCloudJumper image (https://www.drawingtutorials101.com/how-to-draw-cloudjumper-from-how-to-train-your-dragon-2)\r\n27.\r\n28.\r\nLa Fin Thank you for attending! Please feel free to reach out. 
@VK_Intel\r\nSource: https://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez\r\nhttps://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez\r\nPage 15 of 15",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez"
	],
	"report_names": [
		"inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez"
	],
	"threat_actors": [
		{
			"id": "81dde5cc-c29f-430d-8c6e-e5e92d5015e7",
			"created_at": "2022-10-25T16:07:23.704358Z",
			"updated_at": "2026-04-10T02:00:04.718034Z",
			"deleted_at": null,
			"main_name": "Harvester",
			"aliases": [],
			"source_name": "ETDA:Harvester",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Graphon",
				"Metasploit",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434506,
	"ts_updated_at": 1775826741,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/118fef37270dd28d2db8f6c2b8a84bf95d638772.pdf",
		"text": "https://archive.orkl.eu/118fef37270dd28d2db8f6c2b8a84bf95d638772.txt",
		"img": "https://archive.orkl.eu/118fef37270dd28d2db8f6c2b8a84bf95d638772.jpg"
	}
}