The MSP Security Gap

Turn security gaps into sales opportunities with weekly attack scenarios

The attacker used your own tools. No malware required.

The scenario:

The security stack didn’t fire a single alert. No malicious binary. No suspicious download. No known signature. 

The attacker used PowerShell, WMI, and Remote Desktop. Tools your own engineers use every day. The endpoint detection saw legitimate admin tools running legitimate commands. It didn’t flag it because there was nothing to flag. 

The attack:

STAGE 1: INITIAL ACCESS

Attacker compromises a user account via phishing (credential harvest).

Uses the valid credentials to connect via Remote Desktop Gateway.

Lands on a workstation with local admin rights.

-

STAGE 2: DISCOVERY (NO MALWARE)

Runs ‘nltest /dclist:’ to identify domain controllers.

Uses ‘net group "domain admins" /domain’ to enumerate privileged accounts.

Runs PowerShell’s Get-ADComputer to map the entire network.

All commands are built-in Windows tools. No downloads.

-

STAGE 3: LATERAL MOVEMENT

Uses WMI to execute commands on remote machines.

Leverages PsExec (a legitimate SysInternals tool) to move between servers.

Dumps credentials using comsvcs.dll (a built-in Windows DLL).

Accesses the domain controller using harvested domain admin credentials.

-

STAGE 4: OBJECTIVE

Extracts a copy of the Active Directory database (ntds.dit) using ntdsutil.

Copies backup archives from the file server using robocopy.

Stages data in a compressed archive and exfiltrates via HTTPS (port 443).

Total dwell time: 23 days. Zero malware alerts.

What stopped it:

A threat hunter reviewing authentication logs noticed a single account accessing 47 machines in one week. Normal behaviour for that account was 3 machines. The anomaly triggered the investigation that uncovered the full attack chain. 
How to defend against it:

  1. Monitor for anomalous tool usage (PowerShell, WMI, PsExec) outside normal patterns

  2. Implement application whitelisting on servers and critical workstations

  3. Restrict local admin rights (no user should be a local admin on their own machine)

  4. Enable PowerShell script block logging and module logging

  5. Deploy a behavioural EDR that detects techniques, not signatures

  6. Track authentication patterns and alert on anomalous machine access counts

  7. Segment the network so compromising one machine doesn’t give access to everything
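One way to implement item 6, the same check the threat hunter in the scenario did by hand, as an added example that is not from the newsletter: baseline each account's distinct-host count per week and alert when a week blows past it. It reads a constructed, simplified logon record format (timestamp, account, host) rather than raw Windows Security events, and the thresholds (three times baseline, floor of five hosts, two weeks of history) are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def parse_events(text):
    """Parse 'ISO-timestamp account host' lines (our own constructed format)."""
    return [(datetime.fromisoformat(t), a, h)
            for t, a, h in (line.split() for line in text.splitlines() if line.strip())]

def hosts_per_week(events):
    """Map (account, Monday-of-week) -> set of distinct hosts logged on to."""
    weeks = defaultdict(set)
    for ts, account, host in events:
        weeks[(account, (ts - timedelta(days=ts.weekday())).date())].add(host)
    return weeks

def find_anomalies(events, min_weeks=2, factor=3, floor=5):
    """Return {account: (baseline, observed, week)} for weeks whose distinct-host
    count exceeds max(factor * baseline, floor); the baseline is the largest
    weekly count in that account's earlier weeks (needs min_weeks of history)."""
    by_account = defaultdict(list)
    for (account, week), hosts in hosts_per_week(events).items():
        by_account[account].append((week, len(hosts)))
    alerts = {}
    for account, series in by_account.items():
        series.sort()
        for i, (week, count) in enumerate(series):
            if i >= min_weeks:
                baseline = max(c for _, c in series[:i])
                if count > max(factor * baseline, floor):
                    alerts[account] = (baseline, count, week.isoformat())
    return alerts

def build_sample():
    """Constructed sample: jsmith logs on to the same 3 hosts for three weeks,
    then 12 servers in week four; a backup account is steady at 4 hosts."""
    monday, lines = datetime(2024, 3, 4), []
    for w in range(3):
        for d, host in enumerate(["WS-0114", "FS-01", "MAIL-01"]):
            lines.append(f"{(monday + timedelta(weeks=w, days=d)).isoformat()} CORP\\jsmith {host}")
    for h in range(12):
        lines.append(f"{(monday + timedelta(weeks=3, hours=h)).isoformat()} CORP\\jsmith SRV-{h:02d}")
    for w in range(4):
        for d in range(4):
            lines.append(f"{(monday + timedelta(weeks=w, days=d)).isoformat()} CORP\\svc-backup FS-{d}")
    return "\n".join(lines)

if __name__ == "__main__":
    for account, (base, seen, week) in find_anomalies(parse_events(build_sample())).items():
        print(f"ALERT {account}: {seen} hosts in week of {week}, baseline {base}")
```

Feeding it real data means exporting successful logons (event ID 4624 on the target, or your RD Gateway and SIEM records) into the three-column form; the steady backup account shows why a per-account baseline beats a single global threshold.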

-

Your security tools look for threats. This attacker only used your tools. The only detection was a human noticing a pattern that didn’t fit. 

Review your PowerShell logging this week.