Threat Actor Leverages Compromised Account of Former Employee to Access State Government Organization | CISA

CISA and MS-ISAC found an unknown threat actor used a former employee’s active domain admin account to authenticate via the organization’s VPN from an external VM, execute LDAP queries to enumerate users, hosts, and trusts, and post the resulting files to a dark web brokerage. Investigation used Azure and MDE logs exported with the Untitled Goose Tool and determined the actor did not move laterally into the organization’s Azure tenant. #CISA #MSISAC #AzureAD #ActiveDirectory #UntitledGooseTool #AdFind

Key points

  • Initial access was via a former employee’s domain admin account (USER1) that had not been disabled after offboarding.
  • Credentials for USER1 likely originated from a prior data breach where account information was publicly available.
  • The actor connected from an external VM through the organization’s VPN to blend with legitimate traffic and evade detection.
  • LDAP queries (likely run with AdFind.exe) harvested user, host, and trust information and generated files named ad_users.txt, ad_computers.txt, and trustdmp.txt posted to the dark web.
  • The actor accessed additional administrative credentials (USER2) stored locally on a virtualized SharePoint server, enabling access to both on‑prem AD and Azure AD accounts.
  • Service authentication to CIFS/SMB shares was used for automated file and directory discovery across endpoints.
  • Responders exported Azure, AAD, M365 UAL, and MDE logs using CISA’s Untitled Goose Tool and found no evidence of lateral movement into the Azure environment.

MITRE Techniques

  • [T1133] External Remote Services – The actor “connected to the VM through the victim’s VPN” to blend with legitimate traffic and evade detection.
  • [T1078.002] Valid Accounts: Domain Accounts – The actor gained initial access “through the compromised account of a former employee with administrative privileges (USER1).”
  • [T1589.001] Gather Victim Identity Information: Credentials – The actor likely obtained USER1 credentials “in a separate data breach due to the credentials appearing in publicly available channels.”
  • [T1213.002] Data from Information Repositories: SharePoint – The actor likely obtained USER2 credentials “from the virtualized SharePoint server managed by USER1.”
  • [T1552.001] Unsecured Credentials: Credentials in Files – The victim confirmed administrator credentials for USER2 “were stored locally on this server.”
  • [T1087.002] Account Discovery: Domain Account – The actor executed LDAP queries of the AD to collect user information (“Collects names and metadata of users in the domain.”).
  • [T1018] Remote System Discovery – LDAP queries were used to collect host information (“Collects names and metadata of hosts in the domain.”).
  • [T1482] Domain Trust Discovery – LDAP queries collected trust relationship information (“Collects trust information in the domain.”).
  • [T1021.002] Remote Services: SMB/Windows Admin Shares – The actor authenticated to CIFS/SMB on endpoints for file, folder, and directory discovery (“authenticated to the Common Internet File Service (CIFS) on various endpoints”).
  • [T1083] File and Directory Discovery – CIFS authentications were likely used for automated file and directory discovery across the network (“likely used for file, folder, and directory discovery”).
  • [T1021.007] Remote Services: Cloud Services – Use of USER2 provided access “to both the on-premises AD and Azure AD,” enabling administrative privileges across environments.

Indicators of Compromise

  • [File Names] Data exfiltration artifacts – ad_users.txt, ad_computers.txt, trustdmp.txt (files the actor posted for sale on a dark web brokerage site).
  • [User Accounts] Compromised/abused accounts – USER1 (former employee domain admin), USER2 (global domain administrator synced to Azure AD).
  • [Tools] Suspected tooling used during reconnaissance/log collection – AdFind.exe (LDAP-style output indicated), Untitled Goose Tool (used by responders to export Azure/AAD/M365/MDE logs).
  • [Services/Protocols] Access patterns – CIFS/SMB authentication to network shares (used for file and directory discovery), VPN access from an external VM (internal VPN-range IPs observed).

The threat actor obtained and used a former employee’s domain administrator credentials (USER1), likely sourced from a prior credential leak, to authenticate from an external virtual machine through the victim’s VPN. From that VM the actor authenticated to multiple services—including CIFS/SMB shares—for automated file and directory discovery and used a second administrative account (USER2), whose credentials were stored locally on a virtualized SharePoint server, to gain broader administrative access including Azure AD linkage.

Using the compromised accounts, the actor executed a rapid sequence of LDAP queries (likely via AdFind.exe) to enumerate domain users, computers, domain administrators/service principals, and trust relationships; these queries produced text outputs (ad_users.txt, ad_computers.txt, trustdmp.txt) that were later posted on a dark web brokerage. Responders collected Azure/AAD/M365 unified audit logs and Microsoft Defender for Endpoint data with CISA’s Untitled Goose Tool to analyze sign-ins, activity logs, and endpoint telemetry, and found no evidence of lateral movement from the on‑premises environment into the Azure tenant.

Key technical remediation steps taken and observed: disabling the compromised USER1 account, taking associated virtualized servers offline, changing USER2’s password and removing administrator privileges, and resetting all user passwords; responders recommend enabling phishing-resistant MFA, removing unnecessary accounts, securing stored credentials, and monitoring LDAP/SMB authentication patterns. These actions reduced immediate access and supported forensic log collection and analysis.
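One way to put the "monitor LDAP/SMB authentication patterns" recommendation into practice, and to catch a separated account that is still authenticating, is shown below. This is an added example, not code from CISA or MS-ISAC; the event records, host names, the VPN-range IP, the offboarded-account list and the thresholds are all constructed assumptions standing in for Windows Security Event 4769 (Kerberos service ticket) data.

```python
"""Flag CIFS/SMB service-ticket fan-out and authentication by offboarded accounts.

Added example (not from the advisory). Events are simplified 4769 records:
time, requesting account, requested SPN, client IP. All values are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one account hits six cifs/ hosts in ~3 minutes from a VPN-range IP,
# a normal user touches two shares over 30 minutes, a service account queries LDAP.
EVENTS = [
    {"time": "2024-01-10T02:14:05", "user": "user1", "spn": "cifs/fs01.corp.example", "ip": "10.8.0.23"},
    {"time": "2024-01-10T02:14:09", "user": "user1", "spn": "cifs/fs02.corp.example", "ip": "10.8.0.23"},
    {"time": "2024-01-10T02:14:12", "user": "user1", "spn": "cifs/ws-1041.corp.example", "ip": "10.8.0.23"},
    {"time": "2024-01-10T02:14:15", "user": "user1", "spn": "cifs/ws-1042.corp.example", "ip": "10.8.0.23"},
    {"time": "2024-01-10T02:15:01", "user": "user1", "spn": "cifs/sp01.corp.example", "ip": "10.8.0.23"},
    {"time": "2024-01-10T02:16:40", "user": "user1", "spn": "cifs/dc01.corp.example", "ip": "10.8.0.23"},
    {"time": "2024-01-10T09:00:00", "user": "jdoe", "spn": "cifs/fs01.corp.example", "ip": "10.1.4.50"},
    {"time": "2024-01-10T09:30:00", "user": "jdoe", "spn": "cifs/fs02.corp.example", "ip": "10.1.4.50"},
    {"time": "2024-01-10T09:31:00", "user": "svc-backup", "spn": "ldap/dc01.corp.example", "ip": "10.1.2.9"},
]

OFFBOARDED = {"USER1"}  # assumption: HR separation list that should match disabled accounts

def parse(ev):
    """Normalise one event to (timestamp, USERNAME, target host, client ip)."""
    host = ev["spn"].split("/", 1)[1].lower()
    return datetime.fromisoformat(ev["time"]), ev["user"].upper(), host, ev["ip"]

def cifs_fanout(events, window=timedelta(minutes=5), threshold=5):
    """Return {user: hosts} for accounts requesting cifs/ tickets to >= threshold
    distinct hosts inside any sliding window (automated share/directory discovery)."""
    per_user = defaultdict(list)
    for ev in events:
        t, user, host, _ = parse(ev)
        if ev["spn"].lower().startswith("cifs/"):
            per_user[user].append((t, host))
    flagged = {}
    for user, items in per_user.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            hosts = {h for t, h in items[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                flagged[user] = hosts
                break
    return flagged

def offboarded_activity(events, offboarded):
    """Return sorted (user, ip) pairs for any authentication by a separated account."""
    return sorted({(parse(ev)[1], parse(ev)[3]) for ev in events if parse(ev)[1] in offboarded})
```

Both detections are cheap to run over a daily 4769 export; the fan-out threshold should be tuned against baseline share usage so backup and scanning service accounts are allow-listed rather than raising the threshold for everyone.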

Read more: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-046a