{
	"id": "dfb87088-88fb-4fee-a8d5-cd87496d2b4a",
	"created_at": "2026-04-06T00:06:41.159043Z",
	"updated_at": "2026-04-10T13:12:08.387894Z",
	"deleted_at": null,
	"sha1_hash": "b454dce5e95ce2aabd0f02a180a6a85e5470f8d2",
	"title": "From Zero to Domain Admin",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1583849,
	"plain_text": "From Zero to Domain Admin\r\nBy editor\r\nPublished: 2021-11-01 · Archived: 2026-04-05 17:52:36 UTC\r\nIntro\r\nThis report will go through an intrusion from July that began with an email, which included a link to Google’s Feed Proxy service that was used to download a malicious Word document. Upon the user enabling macros, a Hancitor dll was executed, which called the usual suspect, Cobalt Strike.\r\nVarious enumeration and lateral movement tactics were observed on the network, along with the exploitation of Zerologon to elevate to domain administrator and gain full control over the domain. The threat actor was able to go from zero access to domain admin in just under one hour.\r\nCase Summary\r\nLike with many infections today, the threat actors gained initial access on a system through a malicious document email campaign, which made use of the Hancitor downloader. The document, upon opening and enabling of macros, would write and then execute a dll file from the user’s appdata folder.\r\nThe Hancitor dll downloaded and executed multiple payloads including a Cobalt Strike stager and Ficker Stealer. The threat actors then began port scanning for SMB and a few backup systems such as Synology, Veeam and Backup Exec.\r\nAfter that, a battery of Windows utilities were run to check the Windows domain trusts, domain administrators, domain controllers, and test connectivity. They then checked access to remote systems by connecting to the C$ share.\r\nThe threat actors proceeded to move laterally to multiple other servers on the network by making use of existing local administrative rights of a compromised user. Cobalt Strike beacons were deployed to each server to facilitate remote access. Furthermore, the threat actors dropped an obfuscated PowerShell script on one of the machines to further their access. 
The PowerShell script loaded the malicious code into memory and started beaconing out to the remote command and control server.\r\nNext, the threat actors used a custom implementation of the Zerologon (CVE-2020-1472) exploit (zero.exe) against one of the domain controllers. The domain controllers were vulnerable, and as a result, the operators managed to dump the domain administrator’s NTLM hash. The threat actors then pivoted to the two domain controllers and deployed Cobalt Strike beacons.\r\nThe threat actors continued pivoting to key systems including additional domain controllers, backup servers, and file shares, using Cobalt Strike. Once on these systems, additional scanning occurred using a binary called check.exe that ran ICMP sweeps across the network.\r\nhttps://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/\r\nPage 1 of 28\n\nWithin two hours of the initial malicious document execution, the threat actors had a foothold on all key systems in the environment. Similar to a previous case, the threat actors were evicted before completing their mission and as a result their final actions could not be observed.\r\nServices\r\nWe offer multiple services including a Threat Feed service which tracks Command and Control frameworks such as Cobalt Strike, Metasploit, Empire, PoshC2, BazarLoader, etc. 
More information on this service and others can be found here.\r\nThe Cobalt Strike servers in this case were added to the Threat Feed on 5/16 and 7/15.\r\nWe also have artifacts and IOCs available from this case such as pcaps, memory captures, files, event logs including Sysmon, Kape packages, and more, under our Security Researcher and Organization services.\r\nTimeline\r\nAnalysis and reporting completed by @iiamaleks \u0026 @samaritan_o\r\nReviewed by @pigerlin \u0026 @kostastsale\r\nMITRE ATT\u0026CK\r\nInitial Access\r\nInitial access was gained through a malicious document email campaign that aimed to trick the user into enabling macros.\r\nThe document was delivered via an email that included a link to Google’s Feed Proxy service which was hosting a malicious document as shared by @James_inthe_box. Thanks for sharing James!\r\nReviewing the document we can see the expected malicious macro and identify the location of a dll to be dropped in the:\r\nOptions.DefaultFilePath\r\nWe can see that this relates to the path:\r\n%APPDATA%\\Microsoft\\templates\\\r\nAnd once the dll “ier” is written there, the macro proceeds to execute it.\r\nExecution\r\nThree files were downloaded by Hancitor from 4a5ikol[.]ru (8.211.241.0) including two Cobalt Strike stagers and Ficker Stealer.\r\nHancitor then launched multiple instances of svchost.exe and process injected them with Cobalt Strike.\r\nThe following diagram shows the initial execution process from WINWORD.exe to the Cobalt Strike Beacons that were injected into memory by Hancitor.\r\nLastly, a Cobalt Strike command and control server was pinged before they copied 
the Cobalt Strike DLL and batch file, which were used to facilitate lateral movement.\r\nThe batch file (cor.bat) is a 3-line script that will execute the Cobalt Strike DLL using rundll32.exe with a specific parameter.\r\nThe Cobalt Strike DLL used in this case resembles the same Cobalt Strike DLL seen in case 4301 based on the YARA rule associated with that case, indicating likely links between the actors in the two cases.\r\nyara -s ~/report-yara/includes/case-4301.yar cor.dll\r\nsig_95_dll_cobalt_strike cor.dll\r\n0x8a28:$s1: TstDll.dll\r\n0x4d:$s2: !This is a Windows NT windowed dynamic link library\r\n0x8a48:$s3: AserSec\r\n0x1a7:$s4: `.idata\r\n0x1725:$s5: vEYd!W\r\n0x3a93:$s6: [KpjrRdX\u0026b\r\n0x8572:$s7: XXXXXXHHHHHHHHHHHHHHHHHHHH\r\n0x2736:$s8: %$N8 2\r\n0x7579:$s9: %{~=vP\r\n0x822c:$s10: it~?KVT\r\n0x1ea9:$s11: UwaG+A\r\n0x2b7d:$s12: mj_.%/2\r\n0x80a0:$s13: BnP#lyp\r\n0x2c82:$s14: (N\"-%IB\r\n0x7cde:$s15: KkL{xK\r\n0x5068:$s16: )[IyU,\r\n0x3d2e:$s17: |+uo6\\\r\n0x705b:$s18: @s?.N^\r\n0x6e97:$s19: R%jdzV\r\n0x5d9d:$s20: R!-q$Fl\r\nPrivilege Escalation\r\nThe threat actor made use of a custom-developed implementation of Zerologon (CVE-2020-1472) executed from a file named “zero.exe”.\r\nzero.exe 10.10.10.10 DomainControllerHostName domain.name administrator -c \"powershell.exe\"\r\nOnce “zero.exe” is run it will provide the threat actor with the NTLM hash of the specified username, a Domain Administrator account in this case.\r\nOn the Domain Controller a service (Event ID 7045) will be created that will run the Reset-ComputerMachinePassword PowerShell Cmdlet.\r\nThe service will then be executed and the machine account password will be reset.\r\nZerologon will create an Event ID 4624 for the 
domain controller computer account attempting to authenticate.\r\nThe main red flag is the source network address IP differing from the IP of the domain controller, which in this case is set to the beachhead workstation on which zero.exe was executed.\r\nLastly, Event ID 4648 will be logged on the beachhead machine indicating the zero.exe process was used to connect to a domain controller.\r\nA blog post by Blackberry can be referenced to learn more about this custom-developed Zerologon file used:\r\nhttps://blogs.blackberry.com/en/2021/03/zerologon-to-ransomware.\r\nFor more information on detecting Zerologon check out Kroll’s Zerologon Exploit Detect Cheat Sheet.\r\nDefense Evasion\r\nUpon Hancitor launching on the system, it process injected into multiple instances of svchost.exe and rundll32.exe. Memory segments can be seen allocated with Execute, Read, and Write permissions, indicating that executable code is stored.\r\nAnomalous parent and child process relationships can be seen on the system that Hancitor was executed on, including rundll32.exe spawning svchost.exe and svchost.exe spawning cmd.exe.\r\nMoreover, the Cobalt Strike DLL stager was executed with a specific command line parameter which is used as a sandbox evasion feature. In this case it is the number 11985756.\r\nLastly, a PowerShell loader named agent1.ps1 used heavy obfuscation to conceal the execution flow and hide the final shellcode. After many iterations, the script would deobfuscate and run in memory. 
The shellcode is responsible for loading a PE file into memory and calling out to 64.235.39[.]32 for further instructions.\r\nCredential Access\r\nThe only credential access observed was through Zerologon, which was used to retrieve the domain administrator’s NTLM hash.\r\nDiscovery\r\nDiscovery started with a port scan initiated by the Hancitor dll.\r\nAfter SMB was scanned we saw scans of 5000/tcp, 9392/tcp, 6106/tcp. The threat actors were scanning for backup products such as Synology, Backup Exec and Veeam.\r\nThis was followed by a battery of discovery commands using the built-in Microsoft utilities to discover domain controllers, administrators, connectivity checks and other items.\r\nC:\\Windows\\system32\\cmd.exe /C net time\r\nC:\\Windows\\system32\\cmd.exe /C ping [Domain Controller]\r\nC:\\Windows\\system32\\cmd.exe /C nltest /dclist:[Domain Name]\r\nC:\\Windows\\system32\\cmd.exe /C Net group \"Domain Admins\" /domain \\\r\nC:\\Windows\\system32\\cmd.exe /C nslookup\r\nC:\\Windows\\system32\\cmd.exe /C ping 190.114.254.116\r\nC:\\Windows\\system32\\cmd.exe /C net group /domain\r\nNotice above, the threat actors pinged 190.114.254[.]116 which is one of the Cobalt Strike servers they later used.\r\nThe threat actors enumerated local administrative access on remote systems by checking access to the C$ share for hosts discovered after the port scan.\r\nWe observed a PowerShell script named comp2.ps1 that was executed on every Domain Controller in the environment. This script used the Active Directory RSAT module to get a list of computers and place them in a file named ‘comps.txt’.\r\nA program named check.exe was observed using the comps.txt text file. This program will take a list of IP addresses and hostnames from comps.txt and check if they are online using ICMP. 
The online hosts will then be written to the check.txt text file.\r\nThe check.exe file accepts three parameters that can be used one at a time:\r\ncheck.exe comps.txt check.txt -ip (Check which hosts in comps.txt are alive, and write the IP to check.txt)\r\ncheck.exe comps.txt check.txt -name (Check which hosts in comps.txt are alive, and write the hostname to check.t\r\ncheck.exe comps.txt check.txt -full (Check which hosts in comps.txt are alive, and write the IP and hostname to\r\nLateral Movement\r\nThe threat actors pivoted towards multiple hosts on the domain from the beachhead. The main actions involved copying a Cobalt Strike DLL beacon and a batch script to run the DLL (cor.dll, cor.bat, GAS.dll, GAS.bat). Operators executed the batch script through a remotely created service on the target system.\r\nThe following shows one of the batch scripts used to run a Cobalt Strike payload.\r\nAn obfuscated PowerShell script named ‘agent1.ps1’ was dropped on a machine through a Cobalt Strike Beacon. The PowerShell script had instructions to deobfuscate shellcode and run it in memory as a thread in the same PowerShell process.\r\nThe shellcode itself also has a PE file embedded inside of it. Once the shellcode is running this PE file will be loaded into memory and executed. You can see this from the memory dump MZ header denoting the PE binary loaded into the PowerShell process.\r\nThe PE file is of a small size and has the capability to beacon out at regular intervals to a command-and-control server on 64.235.39[.]32 to retrieve instructions.\r\nThe Visual C# Command Line Compiler was observed being invoked by the PowerShell script where the shellcode was executed. 
This is most likely due to instructions that the previously discussed PE file retrieved from the remote command and control server.\r\nCommand and Control\r\nHancitor contacted its servers over HTTP and advertised details about the compromised machine, user, and domain while also retrieving instructions from the command and control server (1). From another dedicated location, 4a5ikol[.]ru, two Cobalt Strike beacons and Ficker Stealer malware were downloaded through HTTP (2).\r\nA successful connection from Ficker Stealer was not observed. A domain was queried; however, the response returned an error.\r\nCobalt Strike was also observed to be making use of HTTP.\r\nLastly, the shellcode executed by the agent1.ps1 PowerShell loader was observed loading a PE file into memory that would beacon out at consistent intervals to 64.235.39[.]32. Further encrypted network activity was also observed to this IP address. 
Unfortunately, the tool sending these connections could not be definitively\r\ndetermined.\r\nThe user agent for this was curl/7.55.1\r\nHancitor\r\nhttp://wortlybeentax[.]com/8/forum.php\r\n4a5ikol[.]ru\r\nCobalt Strike 190.114.254.116:80  – This Cobalt Strike server was added to our Threat Feed on 2021-05-16 and\r\nis still alive as of 2021-10-31\r\n{\r\n \"x64\": {\r\n \"md5\": \"e83bf9665d05d873f6d7cf9bd86e2302\",\r\n \"time\": 1621200623970,\r\n \"sha256\": \"a2607cea755fd71a666c4f20ccf07a84bb8a077afad22e5f1d9123682fae1b20\",\r\n \"config\": {\r\n \"Method 2\": \"POST\",\r\n \"Method 1\": \"GET\",\r\n \"Beacon Type\": \"0 (HTTP)\",\r\nhttps://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/\r\nPage 18 of 28\n\n\"Polling\": 60000,\r\n \"HTTP Method Path 2\": \"/submit.php\",\r\n \"C2 Server\": \"190.114.254.116,/push\",\r\n \"Spawn To x86\": \"%windir%\\\\syswow64\\\\rundll32.exe\",\r\n \"Spawn To x64\": \"%windir%\\\\sysnative\\\\rundll32.exe\",\r\n \"Port\": 80,\r\n \"Jitter\": 0\r\n },\r\n \"sha1\": \"c953d489eebca96dba59052760001661fb08b85c\"\r\n },\r\n \"x86\": {\r\n \"md5\": \"f9277e30bda73a0ed6c58b8e538fa3da\",\r\n \"time\": 1621200609482.8,\r\n \"sha256\": \"3435b4131ee89599f5b39eca75f137c73d967299633df6e1bd2c5d6073605d4a\",\r\n \"config\": {\r\n \"Method 2\": \"POST\",\r\n \"Method 1\": \"GET\",\r\n \"Beacon Type\": \"0 (HTTP)\",\r\n \"Polling\": 60000,\r\n \"HTTP Method Path 2\": \"/submit.php\",\r\n \"C2 Server\": \"190.114.254.116,/cm\",\r\n \"Spawn To x86\": \"%windir%\\\\syswow64\\\\rundll32.exe\",\r\n \"Spawn To x64\": \"%windir%\\\\sysnative\\\\rundll32.exe\",\r\n \"Port\": 80,\r\n \"Jitter\": 0\r\n },\r\n \"sha1\": \"66b71b0a1709c38a360bc720b7a36ba0885c2a5e\"\r\n }\r\n}\r\n{\r\n \"x64\": {\r\n \"md5\": \"f3035c2421239be8711178b6058fa75a\",\r\n \"time\": 1621200635468.3,\r\n \"sha256\": \"04e91a73952cd26cdc754a2009c9a34cd289721f6957e0a0be33727dca64c531\",\r\n \"config\": {\r\n \"Method 2\": \"POST\",\r\n \"Method 1\": \"GET\",\r\n 
\"Beacon Type\": \"0 (HTTP)\",\r\n \"Polling\": 60000,\r\n \"HTTP Method Path 2\": \"/submit.php\",\r\n \"C2 Server\": \"190.114.254.116,/__utm.gif\",\r\n \"Spawn To x86\": \"%windir%\\\\syswow64\\\\rundll32.exe\",\r\n \"Spawn To x64\": \"%windir%\\\\sysnative\\\\rundll32.exe\",\r\n \"Port\": 443,\r\n \"Jitter\": 0\r\n },\r\n \"sha1\": \"feb36888151759fbf21033fc59dd66ed9e05ee70\"\r\nhttps://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/\r\nPage 19 of 28\n\n},\r\n \"x86\": {\r\n \"md5\": \"c3c84f0af2f039103085dc346d4ec192\",\r\n \"time\": 1621200611730.5,\r\n \"sha256\": \"c160e149b9f5ee7917885c3becaf913ba5f2679740cbb9b33eac16bb08f3cdfe\",\r\n \"config\": {\r\n \"Method 2\": \"POST\",\r\n \"Method 1\": \"GET\",\r\n \"Beacon Type\": \"0 (HTTP)\",\r\n \"Polling\": 60000,\r\n \"HTTP Method Path 2\": \"/submit.php\",\r\n \"C2 Server\": \"190.114.254.116,/pixel\",\r\n \"Spawn To x86\": \"%windir%\\\\syswow64\\\\rundll32.exe\",\r\n \"Spawn To x64\": \"%windir%\\\\sysnative\\\\rundll32.exe\",\r\n \"Port\": 443,\r\n \"Jitter\": 0\r\n },\r\n \"sha1\": \"33975cf2e2682a4126959e15802b8c1c78333f00\"\r\n }\r\n}\r\n207.148.23.64:443  – This Cobalt Strike server was added to our Threat Feed on 2021-07-15. 
This IP stopped\r\nhosting Cobalt Strike on or around 2021-08-22.\r\nJA3: 72a589da586844d7f0818ce684948eea\r\nJA3s: ae4edc6faf64d08308082ad26be60767\r\nCertificate: [6e:ce:5e:ce:41:92:68:3d:2d:84:e2:5b:0b:a7:e0:4f:9c:b7:eb:7c ]\r\nNot Before: 2015/05/20 18:26:24 UTC\r\nNot After: 2025/05/17 18:26:24 UTC\r\nIssuer Org:\r\nSubject Common:\r\nSubject Org:\r\nPublic Algorithm: rsaEncryption\r\n{\r\n \"x86\": {\r\n \"sha256\": \"1d56e857650b9cae0a28d39ab1808c32e703ce38809ae2bf3c2c3d8f933f9cb9\",\r\n \"config\": {\r\n \"Method 1\": \"GET\",\r\n \"Spawn To x64\": \"%windir%\\\\sysnative\\\\rundll32.exe\",\r\n \"C2 Server\": \"207.148.23.64,/ptj\",\r\n \"Method 2\": \"POST\",\r\n \"Jitter\": 0,\r\n \"Spawn To x86\": \"%windir%\\\\syswow64\\\\rundll32.exe\",\r\nhttps://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/\r\nPage 20 of 28\n\n\"HTTP Method Path 2\": \"/submit.php\",\r\n \"Beacon Type\": \"0 (HTTP)\",\r\n \"Polling\": 60000,\r\n \"Port\": 80\r\n },\r\n \"md5\": \"2ce9fd855d3fd4316c7d46d28d183c16\",\r\n \"time\": 1626347218460.2,\r\n \"sha1\": \"12cdc6cd8af542f252c51d3e010b00f529b00f08\"\r\n },\r\n \"x64\": {\r\n \"sha256\": \"e7bd2a34e133586d7cfc3c38aab191d8d93c5029058fdc59c0868ad79ac5c3b7\",\r\n \"config\": {\r\n \"Method 1\": \"GET\",\r\n \"Spawn To x64\": \"%windir%\\\\sysnative\\\\rundll32.exe\",\r\n \"C2 Server\": \"207.148.23.64,/fwlink\",\r\n \"Method 2\": \"POST\",\r\n \"Jitter\": 0,\r\n \"Spawn To x86\": \"%windir%\\\\syswow64\\\\rundll32.exe\",\r\n \"HTTP Method Path 2\": \"/submit.php\",\r\n \"Beacon Type\": \"0 (HTTP)\",\r\n \"Polling\": 60000,\r\n \"Port\": 80\r\n },\r\n \"md5\": \"cc37829b6bfd8b4f4f0aa7f1b2632831\",\r\n \"time\": 1626347231021.8,\r\n \"sha1\": \"7a5dd6d163f2d864593e8441a26ed16c610ded52\"\r\n }\r\n}\r\nImpact\r\nSimilar to a previous case, the threat actors were evicted before completing their mission and as a result their final\r\nactions could not be observed.\r\nIOCs\r\nNetwork\r\nHancitor\r\n194.147.78.155:80 | 
http://wortlybeentax[.]com/8/forum.php\r\n8.211.241.0:80 | 4a5ikol[.]ru (Used to download Cobalt Strike stagers and FickerStealer)\r\nCobalt Strike\r\n190.114.254.116:80\r\nMozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)\r\nMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)\r\nMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MANM; MANM)\r\n207.148.23.64:443\r\n207.148.23.64:80\r\nOther – Agent1.ps1\r\n64.235.39.32:80\r\nCurl/7.55.1\r\nFile\r\nagent1.ps1\r\ncheck.exe\r\ncomp2.ps1\r\ncor.bat\r\ncor.dll\r\nGAS.bat\r\nGAS.exe\r\nzero.exe\r\n0714_5835152731.doc\r\nDetections\r\nNetwork\r\nET MALWARE Cobalt Strike Beacon Observed\r\nET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1\r\nET POLICY External IP Lookup api.ipify.org\r\nET INFO Packed Executable Download\r\nET POLICY curl User-Agent Outbound\r\nBinary Defense - alert tcp any any -\u003e any $HTTP_PORTS (msg:\"Possible Hancitor Checkin\"; flow:establis\r\nSigma\r\nRecon Activity with NLTEST\r\nRundll32 Internet Connection\r\nReconnaissance Activity with Net Command\r\nSuspicious Reconnaissance Activity\r\nsysmon_suspicious_remote_thread\r\nsysmon_cobaltstrike_service_installs\r\nwin_shell_spawn_susp_program\r\nwin_remote_service\r\nwin_vul_cve_2020_1472\r\nwin_possible_zerologon_exploitation_using_wellknown_tools\r\nYara\r\n/*\r\n YARA Rule Set\r\n Author: The DFIR Report\r\n Date: 2021-10-31\r\n Identifier: 5295 Hancitor\r\n Reference: https://thedfirreport.com/\r\n*/\r\n/* Rule Set ----------------------------------------------------------------- */\r\nrule __case_5295_1407 {\r\n meta:\r\n description = \"5295 - file 1407.bin\"\r\n author = \"The DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2021-08-12\"\r\n hash1 = \"45910874dfe1a9c3c2306dd30ce922c46985f3b37a44cb14064a963e1244a726\"\r\n strings:\r\n $s1 = \"zG\u003c\u003c\u0026Sa\" fullword ascii\r\n $s2 = \"r@TOAa\" fullword ascii\r\n $s3 = \"DTjt{R\" fullword ascii\r\n condition:\r\n uint16(0) == 0xa880 and filesize \u003c 2KB and\r\n all of them\r\n}\r\nrule _case_5295_sig_7jkio8943wk {\r\n meta:\r\n description = \"5295 - file 7jkio8943wk.exe\"\r\n author = \"The DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2021-08-12\"\r\n hash1 = \"dee4bb7d46bbbec6c01dc41349cb8826b27be9a0dcf39816ca8bd6e0a39c2019\"\r\n 
strings:\r\n $s1 = \" (os error other os erroroperation interruptedwrite zerotimed outinvalid datainvalid input paramete\r\n $s2 = \"already existsbroken pipeaddress not availableaddress in usenot connectedconnection abortedconnecti\r\n $s3 = \" VirtualQuery failed for %d bytes at address %p\" fullword ascii\r\n $s4 = \"UnexpectedEofNotFoundPermissionDeniedConnectionRefusedConnectionResetConnectionAbortedNotConnectedA\r\n $s5 = \"nPipeAlreadyExistsWouldBlockInvalidInputInvalidDataTimedOutWriteZeroInterruptedOtherN\" fullword asc\r\n $s6 = \"failed to fill whole buffercould not resolve to any addresses\" fullword ascii\r\n $s7 = \" (os error other os erroroperation interruptedwrite zerotimed outinvalid datainvalid input paramete\r\n $s8 = \"mission deniedentity not foundunexpected end of fileGetSystemTimePreciseAsFileTime\" fullword ascii\r\n $s9 = \"invalid socket addressinvalid port valuestrings passed to WinAPI cannot contain NULsinvalid utf-8:\r\n $s10 = \"invalid socket addressinvalid port valuestrings passed to WinAPI cannot contain NULsinvalid utf-8:\r\n $s11 = \"\\\\data provided contains a nul byteSleepConditionVariableSRWkernel32ReleaseSRWLockExclusiveAcquire\r\n $s12 = \"fatal runtime error: \" fullword ascii\r\n $s13 = \"assertion failed: key != 0WakeConditionVariable\" fullword ascii\r\n $s14 = \"kindmessage\" fullword ascii\r\n $s15 = \"0x000102030405060708091011121314151617181920212223242526272829303132333435363738394041424344454647\r\nhttps://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/\r\nPage 24 of 28\n\n$s16 = \"..\\\\\\\\?\\\\.\\\\UNC\\\\Windows stdio in console mode does not support writing non-UTF-8 byte sequences\"\n $s17 = \"OS Error (FormatMessageW() returned invalid UTF-16) (FormatMessageW() returned error )formatter e\n $s18 = \"FromUtf8Errorbytes\" fullword ascii\n $s19 = \" VirtualProtect failed with code 0x%x\" fullword ascii\n $s20 = \"invalid utf-8 sequence of bytes from index incomplete utf-8 byte sequence from index \" 
fullword a\n condition:\n uint16(0) == 0x5a4d and filesize \u003c 800KB and\n 8 of them\n}\nrule __case_5295_check {\n meta:\n description = \"5295 - file check.exe\"\n author = \"The DFIR Report\"\n reference = \"https://thedfirreport.com/\"\n date = \"2021-08-12\"\n hash1 = \"c443df1ddf8fd8a47af6fbfd0b597c4eb30d82efd1941692ba9bb9c4d6874e14\"\n strings:\n $s1 = \"AppPolicyGetProcessTerminationMethod\" fullword ascii\n $s2 = \"F:\\\\Source\\\\WorkNew18\\\\CheckOnline\\\\Release\\\\CheckOnline.pdb\" fullword ascii\n $s3 = \" \" fullword ascii\n $s4 = \" Type Descriptor'\" fullword ascii\n $s5 = \"operator co_await\" fullword ascii\n $s6 = \"operator\u003c=\u003e\" fullword ascii\n $s7 = \".data$rs\" fullword ascii\n $s8 = \"File opening error: \" fullword ascii\n $s9 = \" \" fullword ascii\n $s10 = \":0:8:L:\\\\:h:\" fullword ascii\n $s11 = \"api-ms-win-appmodel-runtime-l1-1-2\" fullword wide\n $s12 = \" Base Class Descriptor at (\" fullword ascii\n $s13 = \" Class Hierarchy Descriptor'\" fullword ascii\n $s14 = \" Complete Object Locator'\" fullword ascii\n $s15 = \"network reset\" fullword ascii /* Goodware String - occured 567 times */\n $s16 = \"connection already in progress\" fullword ascii /* Goodware String - occured 567 times */\n $s17 = \"wrong protocol type\" fullword ascii /* Goodware String - occured 567 times */\n $s18 = \"network down\" fullword ascii /* Goodware String - occured 567 times */\n $s19 = \"owner dead\" fullword ascii /* Goodware String - occured 567 times */\n $s20 = \"protocol not supported\" fullword ascii /* Goodware String - occured 568 times */\n condition:\n uint16(0) == 0x5a4d and filesize \u003c 500KB and\n all of them\n}\nrule __case_5295_zero {\n meta:\nhttps://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/\nPage 25 of 28\n\ndescription = \"5295 - file zero.exe\"\r\n author = \"The DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2021-08-12\"\r\n hash1 = 
\"3a8b7c1fe9bd9451c0a51e4122605efc98e7e4e13ed117139a13e4749e211ed0\"\r\n strings:\r\n $x1 = \"powershell.exe -c Reset-ComputerMachinePassword\" fullword wide\r\n $s2 = \"COMMAND - command that will be executed on domain controller. should be surrounded by quotes\" fullw\r\n $s3 = \"ZERO.EXE IP DC DOMAIN ADMIN_USERNAME [-c] COMMAND :\" fullword ascii\r\n $s4 = \"-c - optional, use it when command is not binary executable itself\" fullword ascii\r\n $s5 = \"curity\u003e\u003crequestedPrivileges\u003e\u003crequestedExecutionLevel level=\\\"asInvoker\\\" uiAccess=\\\"false\\\"\u003e\u003c/reque\r\n $s6 = \"C:\\\\p\\\\Release\\\\zero.pdb\" fullword ascii\r\n $s7 = \"+command executed\" fullword ascii\r\n $s8 = \"COMMAND - %ws\" fullword ascii\r\n $s9 = \"rpc_drsr_ProcessGetNCChangesReply\" fullword wide\r\n $s10 = \"ZERO.EXE -test IP DC\" fullword ascii\r\n $s11 = \"to test if the target is vulnurable only\" fullword ascii\r\n $s12 = \"IP - ip address of domain controller\" fullword ascii\r\n $s13 = \"ADMIN_USERNAME - %ws\" fullword ascii\r\n $s14 = \"error while parsing commandline. 
no command is found\" fullword ascii\r\n $s15 = \"rpcbindingsetauthinfo fail\" fullword ascii\r\n $s16 = \"x** SAM ACCOUNT **\" fullword wide\r\n $s17 = \"%COMSPEC% /C \" fullword wide\r\n $s18 = \"EXECUTED SUCCESSFULLY\" fullword ascii\r\n $s19 = \"TARGET IS VULNURABLE\" fullword ascii\r\n $s20 = \"have no admin rights on target, exiting\" fullword ascii\r\n condition:\r\n uint16(0) == 0x5a4d and filesize \u003c 500KB and\r\n 1 of ($x*) and 4 of them\r\n}\r\nrule __case_5295_GAS {\r\n meta:\r\n description = \"5295 - file GAS.exe\"\r\n author = \"The DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2021-08-12\"\r\n hash1 = \"be13b8457e7d7b3838788098a8c2b05f78506aa985e0319b588f01c39ca91844\"\r\n strings:\r\n $s1 = \"A privileged instruction was executed at address 0x00000000.\" fullword ascii\r\n $s2 = \"Stack dump (SS:ESP)\" fullword ascii\r\n $s3 = \"!This is a Windows NT windowed executable\" fullword ascii\r\n $s4 = \"An illegal instruction was executed at address 0x00000000.\" fullword ascii\r\n $s5 = \"ff.exe\" fullword wide\r\n $s6 = \"Open Watcom C/C++32 Run-Time system. Portions Copyright (C) Sybase, Inc. 
1988-2002.\" fullword ascii\r\n $s7 = \"openwatcom.org\" fullword wide\r\nhttps://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/\r\nPage 26 of 28\n\n$s8 = \"Open Watcom Dialog Editor\" fullword wide\r\n $s9 = \"A stack overflow was encountered at address 0x00000000.\" fullword ascii\r\n $s10 = \"A fatal error is occured\" fullword ascii\r\n $s11 = \"An integer divide by zero was encountered at address 0x00000000.\" fullword ascii\r\n $s12 = \"address 0x00000000 and\" fullword ascii\r\n $s13 = \"Open Watcom\" fullword wide\r\n $s14 = \"The instruction at 0x00000000 caused an invalid operation floating point\" fullword ascii\r\n $s15 = \"The instruction at 0x00000000 caused a denormal operand floating point\" fullword ascii\r\n $s16 = \"`.idata\" fullword ascii /* Goodware String - occured 1 times */\r\n $s17 = \"xsJr~.~\" fullword ascii\r\n $s18 = \"iJJW3We\" fullword ascii\r\n $s19 = \"Rmih_O|\" fullword ascii\r\n $s20 = \"The instruction at 0x00000000 referenced memory \" fullword ascii\r\n condition:\r\n uint16(0) == 0x5a4d and filesize \u003c 200KB and\r\n 8 of them\r\n}\r\nrule __case_5295_agent1 {\r\n meta:\r\n description = \"5295 - file agent1.ps1\"\r\n author = \"The DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2021-08-12\"\r\n hash1 = \"94dcca901155119edfcee23a50eca557a0c6cbe12056d726e9f67e3a0cd13d51\"\r\n strings:\r\n $s1 = \"[Byte[]]$oBUEFlUjsZVVaEBHhsKWa = [System.Convert]::FromBase64String((-join($gDAgdPFzzxgYnLNNHSSMR,'\r\n $s2 = \"ap0cqOwB7hW5z/yOlqICYNrdwqfvCvWSqWbfs/NWgxfvurRRLs7xIQrzXCCgwqMnhB154e8iubTSzAhliQfIRC1djlZTGXO4nBU\r\n $s3 = \"[Runtime.InteropServices.Marshal]::Copy($oBUEFlUjsZVVaEBHhsKWa,(2372 - 2372),$CjHxQlvEzGUrZUarFZbrz\r\n $s4 = \"[Runtime.InteropServices.Marshal]::Copy($oBUEFlUjsZVVaEBHhsKWa,(2372 - 2372),$CjHxQlvEzGUrZUarFZbrz\r\n $s5 = \"zSEEdr8FnfXshvasO1lodzp/T9fIQLBuz5baYtW7iK9lRAYZYDdQrnvpxmxJOxjuabTg5nBEWzTQSZaXmNRB2nSSK9/yfGeYecX\r\n $s6 = 
\"eQvmMAIAnreX2We51OWxYt5ykA3Z9w9FN3hFaSuBjn2u6kwODP+r2Wv2ruryjIa0nyZxgwUCBotpX5U/k9jDsDgC9YyR1gvyD6r\r\n $s7 = \"3H2+O+/8sPyM9FWRrXUO/9a4LwBKmuv8Qsh/50l6VnyQGICZ8PuITwgJxzV37f/NZJqTrvQa70A0mf6hKrjuUSfulv/uUgYZmSd\r\n $s8 = \"sQroZ/z//wNF8BNV9IlF8IlV9ItF8ItV9LEG6G78//8zRfAzVfSJRfCJVfTpdP///4tF8ItV9LED6DD8//8DRfATVfSJRfCJVfS\r\n $s9 = \"a2cxwtfBqoUe4/erpeTB7XIYMFFtX23EEnTdPQbUXCd5O9j5mAeVZpRNWF9tvvy2+qlNieD1WlTj2fUZaiYPrpkKd7DllqHRkAb\r\n $s10 = \"j+XqDEzWEbsdht2FdZc1j2/fJoIugVtps/bH7uP1dq8FA6+GVzpw0UN42KgXL9sMYAnJRJj6gpW7oZ1fGv4b+d2xjo8yQM798A\r\n $s11 = \"ZQ0NlAxyJeQHiqm9NZr4Xjh9V25TXa0vWwb/yXI+IL59EdsKDkehBeuasslnEdfgAq7j+mEp0C70K+oeKHZwHnV9/fa4H93lIn\r\n $s12 = \"T/vbRvTMv6ePKoOS5EUjzgqjY7QZsueNgGEt1KTiP5R9zOnabhD20lmwcjl6vSapoMgKyS57Oqv0rZHShi+XWdJtmFgsRJYHLQ\r\n $s13 = \"$vpFhaWLTcsrOHCQLzsEzN = 'mbFPGDtpJicxXcdFG/Ydmz4dHGi5llA0tRmH2WwVJpYbsfxCiAfFy0kckQnw6EeyeH40K0H6\r\n $s14 = \"$nkRLOujTuMsDDaMxkgFbp = [OkwgNsSnFFEmvLpdsdISG]::CreateThread(($ZCHhKqfmmzVFPUgdkjqZk),(-6012 + 6\r\n $s15 = \"guQh6vh+8CQHOjfK/YMdwFr1UGqkMdLfobM5WYeyHvTezZttJ+hfHIT795hhejCINf/0AzPrunDuwun7kZ2ueDpJxwEfcqtHkv\r\n $s16 = \"+SvFBrG7BgR5cmdbbRuoy7ewt2CJqeJXmYVV3b1tf+Rw1xb1P6vNtyobWpXNYfVu9TAVUcxKXQxoOTum5J4q6E7iTyIltAmiRn\r\n $s17 = \" [DllImport(\\\"kernel32.dll\\\")]\" fullword ascii\r\n $s18 = \"/v0KltMpb69/8jsWR23PkNuPrK3FXehCwqN1FYNCGR+tbLJ4oEzVw/sOoCrrK91sAjUs1yNKhJXRjJ4Td/AAB+51bVz1CMXtUz\r\n $s19 = \"$wLHiDWZiDeApQYLEVCjxX = (([regex]::Matches('qisBjSUmAFJ0IqAT3R+byDBdA3K6vHNI//aNbyh+ZYFOREbwR+QFl\r\n $s20 = \"M9KA4R/T6MMzwDPSw8xVi+yD7AiLRQiJRfiLTRCJTfyLVRCD6gGJVRCDffwAdB6LRQiLTQyKEYgQi0UIg8ABiUUIi00Mg8EBiU\r\nhttps://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/\r\nPage 27 of 28\n\ncondition:\r\n uint16(0) == 0x6441 and filesize \u003c 100KB and\r\n 8 of them\r\n}\r\nMITRE\r\nPhishing – T1566\r\nWeb Protocols – T1071.001\r\nUser Execution – T1204\r\nProcess Injection – T1055\r\nRemote System Discovery – T1018\r\nExploitation for Privilege Escalation – 
T1068\r\nService Execution – T1569.002\r\nNetwork Share Discovery – T1135\r\nObfuscated Files or Information – T1027\r\nDomain Trust Discovery – T1482\r\nDomain Groups – T1069.002\r\nSystem Time Discovery – T1124\r\nLateral Tool Transfer – T1570\r\nPowerShell – T1059.001\r\nWindows Command Shell – T1059.003\r\nMalicious File – T1204.002\r\nInternal case #5295\r\nSource: https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/"
	],
	"report_names": [
		"from-zero-to-domain-admin"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434001,
	"ts_updated_at": 1775826728,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b454dce5e95ce2aabd0f02a180a6a85e5470f8d2.pdf",
		"text": "https://archive.orkl.eu/b454dce5e95ce2aabd0f02a180a6a85e5470f8d2.txt",
		"img": "https://archive.orkl.eu/b454dce5e95ce2aabd0f02a180a6a85e5470f8d2.jpg"
	}
}