Practitioners sometimes describe Active Directory ransomware attacks as a mass of overlapping techniques — "lateral movement," "defense evasion," "impact." These labels describe what the attacker is trying to accomplish. They do not tell you which generic vulnerability the attacker is exploiting at each step, and therefore they do not tell you which controls would have stopped it. TLCTC decomposition does. And when you run the decomposition against real 2025 incident data, a striking pattern appears: once the attacker holds Domain Admin, almost every remaining step is #1 — Abuse of Functions.
This is not an accident. It is the structural consequence of what a Tier-0 role is. The cascade below shows why, using the Lynx (March 2025), Storm-2603/ToolShell (August 2025), and Storm-0300/Akira incidents as forensic ground truth.
1. The invariant pattern
Microsoft's April 2025 threat-intel report found that adversaries breach a domain controller in more than 78% of human-operated intrusions, and that in 35% of cases the DC itself becomes the spreader device. Mandiant's 2025 telemetry puts AD compromise in roughly 9 out of 10 investigated intrusions. Secureworks puts the median time from initial access to ransomware under 24 hours; 10% of cases encrypt within 5 hours.
Against this variance in tooling, ransomware family, and initial vector, the Bow-Tie shape is stable:
pre-SRE prefix (variable) → SRE: DA under attacker control → post-SRE tail (invariant):
#1-cascade → (#1 → #7)×N + [DRE: Av, Ac]
The pre-SRE prefix is where clusters genuinely diverge — this is where initial access, foothold, and privilege escalation happen. The post-SRE tail, which is the part most defenders label "the ransomware attack," is nearly identical across families. It is almost entirely #1, with #7 appearing only at the terminal execution event on each victim host.
2. Pre-DA prefix — five forensic variants
The route from outside to DA-in-hand is the variable part. Five patterns dominate the 2025 IR corpus.
Variant A — Valid-credential RDP (Lynx, March 2025)
The DFIR Report's Lynx case is instructive because of what is absent: no brute-force noise, no stuffing failures. A single successful RDP logon to an internet-exposed host with valid credentials acquired elsewhere (stealer, breach corpus, or initial-access broker). Ten minutes later, lateral movement to the DC using a separate compromised domain admin account.
… → ||[prod][@Attacker→@Org]|| #4 →[Δt=10m] #1 →[Δt=15m] #4
Acquisition prefix unresolved (…); the credential use is #4, the discovery is #1, and the second DA credential use is #4 again. Per R-CRED, credential application is always #4.
Variant B — VPN foothold → DA escalation (Storm-0300, Akira)
Microsoft observed Storm-0300 gaining initial access through a VPN, then RDP-ing to the DC. The VPN access is #4. The escalation inside is typically a Kerberoasting pass or LSASS access on a Tier-1 host.
Variant C — Server exploit chain (Storm-2603, ToolShell, Aug 2025)
Storm-2603 chained the ToolShell SharePoint vulnerability, dropped a webshell, created admin accounts in AD, and synced them to Entra ID. The initial step is a server-side implementation flaw — #2 per R-ROLE.
#2 →[Δt=mins] #7 (webshell) →[Δt=hours] #1 (create admin) ||[auth][@Org→@Entra]|| →[Δt=mins] #4
Note the #7 step: a webshell is foreign executable content, and its execution is explicit per R-EXEC.
Variant D — Kerberoasting (the purely-#1 DA path)
This is the most elegant path to credentials from a TLCTC perspective. Requesting TGS tickets for service principals is a legitimate Kerberos function — no flaw required. The attacker cracks the encrypted ticket blobs offline, no new cluster needed, then uses the recovered credential.
#1 + [DRE: C (TGS blobs)] →[Δt=offline] #4 →[Δt=mins] #1
Forensic signature: Event ID 4769 with TicketEncryptionType = 0x17 (RC4-HMAC) on unusual service principals, no preceding 4768 anomaly. Per R-CRED, the DRE tag attaches at acquisition (the #1 step), never at the #4 use step.
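The forensic signature above can be turned into a triage rule. The block below is an added example, not part of the TLCTC page or of any of the cited reports: it runs over a constructed set of 4769 records (field names follow the Security log event XML, the values are invented) and flags a requester that pulls RC4 (0x17) service tickets for several distinct user-account SPNs in a short window. The five-minute window and the three-SPN threshold are assumptions to tune against your own baseline; the krbtgt and machine-account exclusions are there because those tickets are rarely crackable and add noise in older domains.

```python
"""Kerberoasting triage over 4769 (TGS request) events.
Added example for the TLCTC AD cascade page; the events below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"
WINDOW = timedelta(minutes=5)   # assumption: burst window
MIN_DISTINCT_SPNS = 3           # assumption: distinct SPNs per window before we call it a roast

# Constructed 4769 records; field names mirror the event XML, values are invented.
SAMPLE_4769 = [
    {"ts": "2025-03-10T09:00:00", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.21"},
    {"ts": "2025-03-10T09:00:01", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.21"},
    {"ts": "2025-03-10T09:00:02", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_iis",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.21"},
    {"ts": "2025-03-10T09:00:03", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_sccm",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.21"},
    {"ts": "2025-03-10T09:00:03", "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.5.21"},
    # Benign noise: AES tickets, a machine-account SPN, and a lone RC4 ticket two hours later.
    {"ts": "2025-03-10T09:05:00", "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.7.4"},
    {"ts": "2025-03-10T09:06:00", "TargetUserName": "WS01$@CORP.LOCAL", "ServiceName": "FS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.7.9"},
    {"ts": "2025-03-10T11:00:00", "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "svc_iis",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.7.4"},
]


def is_roast_candidate(ev):
    """RC4 ticket for a user-account SPN: the designed Kerberos function being abused (#1).
    krbtgt and machine accounts ($) are excluded (assumption: noise, not a roast target)."""
    spn = ev["ServiceName"]
    return (ev["TicketEncryptionType"].lower() == RC4_HMAC
            and spn.lower() != "krbtgt"
            and not spn.endswith("$"))


def find_kerberoast_bursts(events, window=WINDOW, min_spns=MIN_DISTINCT_SPNS):
    """Per requester, slide a time window over candidate tickets and report the widest burst
    that covers at least min_spns distinct SPNs. One finding per requester."""
    by_user = defaultdict(list)
    for ev in events:
        if is_roast_candidate(ev):
            by_user[ev["TargetUserName"]].append(ev)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        times = [datetime.fromisoformat(e["ts"]) for e in evs]
        best, start = None, 0
        for end in range(len(evs)):
            while times[end] - times[start] > window:
                start += 1
            spns = {e["ServiceName"] for e in evs[start:end + 1]}
            if len(spns) >= min_spns and (best is None or len(spns) > len(best["spns"])):
                best = {"user": user, "source_ip": evs[end]["IpAddress"],
                        "first": evs[start]["ts"], "last": evs[end]["ts"],
                        "spns": sorted(spns),
                        # Per R-CRED the DRE attaches here, at acquisition; the later #4 use carries none.
                        "tlctc": "#1 + [DRE: C (TGS blobs)]"}
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in find_kerberoast_bursts(SAMPLE_4769):
        print(f"{f['user']} from {f['source_ip']}: {len(f['spns'])} SPNs between "
              f"{f['first']} and {f['last']} -> {f['tlctc']}")
```

The rule deliberately keys on the count of distinct SPNs rather than on the raw number of 4769s: a service account that legitimately talks to one SQL SPN all day produces many RC4 tickets for one principal, while a roast produces one ticket each for many principals.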
Variant E — ZeroLogon (CVE-2020-1472)
A flaw in the AES-CFB8 IV handling inside MS-NRPC lets attackers reset the DC machine account password without authentication. An implementation defect in a server-side protocol — classic #2 per R-ROLE. Once the machine account is held, DCSync yields every NTLM hash in the domain.
#2 + [DRE: C (machine acct pwd, then all hashes via DCSync)] →[Δt=s] #4
The cryptographic flaw is the initial generic vulnerability exploited. "Privilege escalation" is the effect, not the cluster (SG4, R-INTRA-9).
3. The post-DA tail — #1-cascade in detail
This is where the structural insight lives. Every step below exploits a designed, advertised capability of Windows, Active Directory, or the backup software. Apply the Precedence-2 test — "would this attack work against a perfect implementation of the same functionality?" — and the answer is yes for every row. That is the definition of #1.
| # | Operator action | Native mechanism | TLCTC | Evidence |
|---|---|---|---|---|
| 1 | Directory/host discovery | net, nltest, NetScan, NetExec, BloodHound | #1 | 4688; 4662; LDAP query logs |
| 2 | Create lookalike accounts | net user /add, New-ADUser | #1 | 4720; 4738 |
| 3 | Add to Domain Admins, GPCO | net group, Add-ADGroupMember | #1 | 4728; 4732; 4756 |
| 4 | DCSync (NTDS.dit replication pull) | MS-DRSR GetNCChanges | #1 + [DRE: C] | 4662 with DS-Replication-Get-Changes-All GUID |
| 5a | LSASS dump via legit tool | ProcDump, Task Manager, comsvcs.dll | #1 + [DRE: C] | Sysmon EID 10; 4688 |
| 5b | LSASS dump via Mimikatz | FEC (attacker binary executes) | #7 + [DRE: C] | 4688; AMSI; YARA |
| 6 | Create malicious GPO | New-GPO, GPMC | #1 | 5136; 5137; SYSVOL writes |
| 7 | Disable Defender via GPO | DisableRealtimeMonitoring, DisableBehaviorMonitoring | #1 | 5136; Defender 5001/5007 |
| 8 | Backup job deletion | Veeam/Commvault console with DA | #1 + [DRE: Av] | Backup app logs; 4624/4672 on backup server |
| 9 | Shadow copy deletion | vssadmin delete shadows /all, wmic shadowcopy | #1 + [DRE: Av] | 4688 (vssadmin); VSS 8224 |
| 10 | Payload stage push | SMB to ADMIN$/C$, PsExec, WMI, RDP copy | #1 | 5140; 5145; 4624 logon type 3 |
| 11 | Remote execution trigger | Scheduled task (GPO CSE), service create, wmic process call create | #1 | 4698; 4702; 7045; 4104 |
| 12 | Encryption payload runs (per host) | FEC (PE binary or fileless PS script) | #7 + [DRE: Ac] | 4688; 4104; rename storm; ransom note |
| 13 | Log clearing (anti-forensics) | wevtutil cl, Clear-EventLog | #1 + [DRE: Av] | 1102; 104 |
R-EXEC reminder. Every new download-and-execute is its own #7 step. Each target host receives its own #1 → #7 pair. At strategic notation this compresses as (#1 → #7)×N; in a forensic timeline each instance is enumerable and carries its own DRE tag.
R-CRED reminder. Steps 4 and 5 are acquisition events — the DRE C attaches at acquisition. Subsequent use (pass-the-hash, pass-the-ticket, golden ticket application) is always #4 and never generates its own DRE. Collapsing acquisition into use, or vice versa, is the most common classification error in AD attack paths.
The Storm-2603 Velociraptor-abuse case illustrates the pattern on steroids: attackers modified GPOs to disable Defender's real-time protection, then delivered a fileless PowerShell encryption script. "Fileless" refers to disk persistence, not to classification. The powershell.exe invocation is #1 (LOLBAS host). The attacker's script running inside it is foreign executable content — #7. The execution must be recorded as its own step regardless of whether anything was ever written to disk.
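Applying the table mechanically to a log slice is the quickest way to see that the cascade is #1 almost everywhere. The block below is an added example, not the TLCTC page's own tooling: it classifies constructed Security, System and Defender event records (field names follow the event XML, values are invented) using the Precedence-2 test as its decision rule. An image that ships with Windows or is a signed admin tool is #1; anything else that executes is #7 per R-EXEC; a 4662 carrying a DS-Replication-Get-Changes GUID from a non-machine principal is the DCSync row, tagged [DRE: C] at acquisition per R-CRED. The DS-Replication-Get-Changes GUIDs are the real control-access-right GUIDs; the machine-account suppression assumes every $ principal in the slice is a DC, which on a real domain you should check against the DC list.

```python
"""Classify post-DA Windows events into TLCTC clusters with the Precedence-2 test.
Added example for the TLCTC AD cascade page; the events below are constructed."""
from collections import Counter
import re

# Control-access-right GUIDs that appear in 4662 Properties during a replication pull.
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

# Binaries that ship with Windows or are Microsoft-signed admin tools: their execution passes
# the Precedence-2 test (the function is designed), so the step is #1. Assumed allowlist.
NATIVE_IMAGES = {"net.exe", "net1.exe", "nltest.exe", "vssadmin.exe", "wmic.exe", "wevtutil.exe",
                 "powershell.exe", "schtasks.exe", "sc.exe", "rundll32.exe", "taskmgr.exe",
                 "procdump.exe", "psexec.exe"}

# Event IDs whose cluster does not depend on the command line: (cluster, DRE, label).
STATIC = {
    "4720": ("#1", None, "account created"),
    "4728": ("#1", None, "member added to global group"),
    "4732": ("#1", None, "member added to local group"),
    "4756": ("#1", None, "member added to universal group"),
    "5136": ("#1", None, "directory object modified (GPO)"),
    "5137": ("#1", None, "directory object created (GPO)"),
    "4698": ("#1", None, "scheduled task created"),
    "7045": ("#1", None, "service installed"),
    "5001": ("#1", None, "Defender real-time protection disabled"),
    "1102": ("#1", "Av", "security log cleared"),
}


def classify_4688(ev):
    """Process creation: decide #1 (designed function) vs #7 (foreign executable content)."""
    image = ev["NewProcessName"].rsplit("\\", 1)[-1].lower()
    cmd = ev.get("CommandLine", "").lower()
    if image == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
        return ("#1", "Av", "shadow copies deleted")
    if image == "wevtutil.exe" and re.search(r"\bcl\b", cmd):
        return ("#1", "Av", "event log cleared")
    if image == "procdump.exe" and "lsass" in cmd:
        return ("#1", "C", "LSASS dumped with a signed tool")
    if image == "rundll32.exe" and "comsvcs" in cmd and "minidump" in cmd:
        return ("#1", "C", "LSASS dumped via comsvcs.dll")
    if image in NATIVE_IMAGES:
        return ("#1", None, f"native tool: {image}")
    # Everything else is foreign executable content; R-EXEC makes its execution its own #7.
    # Whether it was the encryptor ([DRE: Ac]) is decided by the terminal evidence
    # (rename storm, ransom note), not by the 4688 alone, so no DRE is attached here.
    return ("#7", None, f"foreign executable content: {image}")


def classify_4662(ev):
    """Directory access: a replication right exercised by a user principal is DCSync."""
    props = ev.get("Properties", "").lower()
    if DS_REPL_GET_CHANGES in props or DS_REPL_GET_CHANGES_ALL in props:
        # Assumption: $ principals in this slice are DCs doing normal replication; suppress.
        if ev.get("SubjectUserName", "").endswith("$"):
            return None
        return ("#1", "C", "DCSync: replication right exercised by a user principal")
    return ("#1", None, "directory object access")


def classify(ev):
    eid = ev["EventID"]
    if eid == "4688":
        return classify_4688(ev)
    if eid == "4662":
        return classify_4662(ev)
    return STATIC.get(eid)


def cascade(events):
    """Return the ordered cascade; suppressed and unmapped events are dropped."""
    steps = []
    for ev in events:
        r = classify(ev)
        if r is None:
            continue
        cluster, dre, label = r
        tag = f"{cluster} + [DRE: {dre}]" if dre else cluster
        steps.append({"ts": ev["ts"], "eid": ev["EventID"], "tlctc": tag, "label": label})
    return steps


def cluster_counts(steps):
    """How much of the cascade is #1 vs #7 once DA is held."""
    return Counter(s["tlctc"].split(" ")[0] for s in steps)


# Constructed post-DA log slice, in timeline order; values are invented.
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T08:31:00", "EventID": "4688", "NewProcessName": "C:\\Windows\\System32\\net.exe",
     "CommandLine": 'net group "domain admins" /domain'},
    {"ts": "2025-03-01T08:35:00", "EventID": "4720"},
    {"ts": "2025-03-01T08:36:00", "EventID": "4728"},
    {"ts": "2025-03-01T08:40:00", "EventID": "4662", "SubjectUserName": "administratr",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"ts": "2025-03-01T08:40:30", "EventID": "4662", "SubjectUserName": "DC02$",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"ts": "2025-03-01T09:10:00", "EventID": "4688", "NewProcessName": "C:\\Tools\\procdump.exe",
     "CommandLine": "procdump.exe -accepteula -ma lsass.exe C:\\Tools\\l.dmp"},
    {"ts": "2025-03-02T11:00:00", "EventID": "5136"},
    {"ts": "2025-03-02T11:05:00", "EventID": "5001"},
    {"ts": "2025-03-02T11:50:00", "EventID": "4688", "NewProcessName": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"ts": "2025-03-02T11:55:00", "EventID": "4698"},
    {"ts": "2025-03-02T12:00:00", "EventID": "4688", "NewProcessName": "C:\\Windows\\Temp\\update.exe",
     "CommandLine": "update.exe -path C:\\ -nolog"},
    {"ts": "2025-03-02T13:30:00", "EventID": "4688", "NewProcessName": "C:\\Windows\\System32\\wevtutil.exe",
     "CommandLine": "wevtutil cl Security"},
    {"ts": "2025-03-02T13:30:05", "EventID": "1102"},
]

if __name__ == "__main__":
    steps = cascade(SAMPLE_EVENTS)
    for s in steps:
        print(f"{s['ts']}  {s['eid']:>5}  {s['tlctc']:<16} {s['label']}")
    print(dict(cluster_counts(steps)))
```

On the constructed slice the only #7 is the unsigned binary dropped into C:\Windows\Temp; every other row, including the two credential acquisitions and the three availability hits, is a designed function exercised by a Tier-0 principal.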
4. Canonical reference path (Lynx-style)
Compressing the full incident into v2.1 notation — evidence-backed steps plus R-EXEC-required #7 markers:
… → ||[prod][@Attacker→@Org]|| #4 →[Δt=10m] #1 →[Δt=15m] #4 (DA to DC) →[Δt=mins] #1 (recon on DC) →[Δt=mins] #1 (create "administratr" + 2 lookalikes) →[Δt=mins] #1 (add to Domain Admins, GPCO) →[Δt=hours] #1 (collect shares, 7-Zip staging) →[Δt=mins] #1 → #7 + [DRE: C] (exfil to temp.sh) →[Δt=~24h] #1 (RDP to backup server) →[Δt=mins] #1 + [DRE: Av] (backup job deletion) →[Δt=mins] (#1 → #7)×N + [DRE: Ac] (encryption per host)
TTR for this incident: ~178 hours across nine calendar days. Velocity class VC-3 (hours-to-days). Extortion-speed outliers compress this into VC-2 (minutes-to-hours), but the step sequence is unchanged — only the Δt values shrink.
The gap notation is legitimate here: analysts can describe the structure of what happened without inventing steps they don't have evidence for. … for unknown prefix, ? for a single unresolved step, #1 → … → #1 when log coverage was destroyed by the attacker. Paths are living artifacts.
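Rendering the notation from a timeline rather than by hand keeps the Δt values and the ×N compression honest. The block below is an added example, not the TLCTC page's own tooling: the steps are constructed dicts (timestamp, cluster, optional DRE tag, note, optional boundary marker), consecutive per-host #1/#7 pairs compress to (#1 → #7)×N as the page does at strategic level, TTR is read as time to ransom (first evidenced step to last per-host execution), and the 24-hour boundary between VC-2 and VC-3 is a working assumption, since the page names the classes but not their cut-offs.

```python
"""Render an evidence-backed AD incident timeline in the page's v2.1 path notation.
Added example for the TLCTC AD cascade page; timestamps and notes are constructed."""
from datetime import datetime


def fmt_dt(seconds):
    """Δt in the units the page uses: s, m, h, d."""
    if seconds < 60:
        return f"{int(seconds)}s"
    if seconds < 3600:
        return f"{int(seconds // 60)}m"
    if seconds < 48 * 3600:
        return f"{int(seconds // 3600)}h"
    return f"{int(seconds // 86400)}d"


def _t(step):
    return datetime.fromisoformat(step["ts"])


def _token(step):
    tok = step["cluster"]
    if step.get("dre"):
        tok += f" + [DRE: {step['dre']}]"
    if step.get("note"):
        tok += f" ({step['note']})"
    if step.get("boundary"):          # SRE / trust-boundary marker precedes the step
        tok = f"{step['boundary']} {tok}"
    return tok


def tokens(steps):
    """Collapse a run of per-host #1 → #7 pairs into (#1 → #7)×N; every other step stays enumerable."""
    out, i = [], 0
    while i < len(steps):
        s = steps[i]
        if not s.get("per_host"):
            out.append((_t(s), _token(s)))
            i += 1
            continue
        j = i
        while j < len(steps) and steps[j].get("per_host"):
            j += 1
        run = steps[i:j]
        n = sum(1 for r in run if r["cluster"] == "#7")
        dre = next((r["dre"] for r in run if r["cluster"] == "#7" and r.get("dre")), None)
        tok = f"(#1 → #7)×{n}" + (f" + [DRE: {dre}]" if dre else "")
        if s.get("note"):
            tok += f" ({s['note']})"
        out.append((_t(s), tok))
        i = j
    return out


def render_path(steps, unknown_prefix=True):
    """Join tokens with →[Δt=…]; an unresolved acquisition prefix is written as the … gap."""
    parts, prev = [], None
    for ts, tok in tokens(steps):
        parts.append(tok if prev is None else f"→[Δt={fmt_dt((ts - prev).total_seconds())}] {tok}")
        prev = ts
    path = " ".join(parts)
    return ("… → " + path) if unknown_prefix else path


def ttr_seconds(steps):
    """Time to ransom (assumed expansion of the page's TTR): first step to last step."""
    return int((_t(steps[-1]) - _t(steps[0])).total_seconds())


def velocity_class(ttr):
    # Assumption: 24h is a working cut-off between VC-2 (minutes-to-hours) and VC-3 (hours-to-days).
    return "VC-2" if ttr < 24 * 3600 else "VC-3"


# Constructed Lynx-style timeline; three victim hosts receive their own #1 → #7 pair.
LYNX_STYLE = [
    {"ts": "2025-03-01T08:00:00", "cluster": "#4", "boundary": "||[prod][@Attacker→@Org]||",
     "note": "valid-credential RDP"},
    {"ts": "2025-03-01T08:10:00", "cluster": "#1", "note": "host discovery"},
    {"ts": "2025-03-01T08:25:00", "cluster": "#4", "note": "DA to DC"},
    {"ts": "2025-03-01T08:30:00", "cluster": "#1", "note": "create lookalike accounts"},
    {"ts": "2025-03-01T08:40:00", "cluster": "#1", "note": "add to Domain Admins"},
    {"ts": "2025-03-02T11:55:00", "cluster": "#1", "note": "RDP to backup server"},
    {"ts": "2025-03-02T12:00:00", "cluster": "#1", "dre": "Av", "note": "backup job deletion"},
    {"ts": "2025-03-02T12:10:00", "cluster": "#1", "per_host": True, "note": "encryption per host"},
    {"ts": "2025-03-02T12:11:00", "cluster": "#7", "dre": "Ac", "per_host": True},
    {"ts": "2025-03-02T12:12:00", "cluster": "#1", "per_host": True},
    {"ts": "2025-03-02T12:13:00", "cluster": "#7", "dre": "Ac", "per_host": True},
    {"ts": "2025-03-02T12:15:00", "cluster": "#1", "per_host": True},
    {"ts": "2025-03-02T12:16:00", "cluster": "#7", "dre": "Ac", "per_host": True},
]

if __name__ == "__main__":
    ttr = ttr_seconds(LYNX_STYLE)
    print(render_path(LYNX_STYLE))
    print(f"TTR ~{ttr / 3600:.0f}h, {velocity_class(ttr)}")
```

Shrinking the timestamps without reordering the steps changes only the Δt tokens and the velocity class, which is the page's point about extortion-speed outliers: the sequence is invariant, the clock is not.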
5. Why the post-DA phase is structurally #1
Domain Admin is, by definition, a role that certifies "these designed functions are yours to use." Every tool the attacker picks up after holding DA — GPMC, vssadmin, net, scheduled tasks, PsExec, WMI, ADMIN$, DCSync replication, backup consoles — is software operating within its advertised functional scope. No implementation flaw is required on any of it.
This is the analytical payoff of Axiom VII: classification by the initial generic vulnerability exploited. The generic vulnerability on every post-DA step is functional scope granted by design to a privileged role. The role is the vulnerability.
You cannot "prevent ransomware" by mapping a single control to the encryption outcome. That is the mistake regulators and outcome-labelled risk registers make. You have to map controls to each of the ten-plus #1 steps in the cascade — GPO change auditing, VSS tamper protection, Protected Users, Tier-0 isolation, backup-console MFA with out-of-band approval, ITDR on replication anomalies, canary SPNs, PAWs — plus the #7 execution step (EDR behavioral, ASR rules, application allowlisting) plus the pre-SRE #4 (stolen-credential detection, MFA at every edge).
Labels like "lateral movement" or "defense evasion" conflate four to six distinct #1 steps, each with its own control surface. That conflation is precisely why "anti-ransomware" as a product category underperforms: it collapses controls against distinct steps into a single undifferentiated blob.
6. Practical notation tips
- Domain Admin seizure is the SRE, not a cluster. The Bow-Tie central event is reached when #4 authenticates as a Tier-0 principal. Mark it explicitly in diagrams — students routinely confuse "DA compromise" with a cluster.
- Do not classify "privilege escalation" as a cluster. Per SG4 and R-INTRA-9, escalation is an effect. When DA is obtained by ZeroLogon, the cluster is #2; the escalation is the effect of that #2. When obtained via Kerberoasting, the path is #1 → #4.
- Backup destruction is dual-DRE territory. Deleting shadow copies is [DRE: Av] on VSS data. Encrypting primary data is [DRE: Ac]. Keep them separate — they have different recovery semantics and drive different controls.
- Anti-forensics is not out of scope. wevtutil cl is #1 + [DRE: Av] on log data. Where post-incident gaps exist, the … notation earns its keep: #9 →[Δt=18h] #4 →[Δt=2m] #1 → … → #1.
- "Fileless" does not mean uncategorized. A PowerShell script carried in memory from a GPO-scheduled task is still foreign executable content. The host process is #1; the attacker's script is #7. Record both.
Once you see the cascade, you can't unsee it. The industry's habit of labelling post-DA activity as a diffuse cloud of "TTPs" hides a remarkably crisp structural fact: Tier-0 role possession converts the rest of the attack into a sequence of legitimate function calls. The defender's job is to intercept the cascade before DA, or to detect and contain it fast enough after — because once it's running, every step is sanctioned by design.
References
Forensic references: DFIR Report (Lynx, Mar 2025); Microsoft Security Blog (Apr 2025); Cisco Talos (Storm-2603, Aug 2025); Verizon 2025 DBIR; Secureworks 2023 IR telemetry.
TLCTC Framework · v2.1 · CC BY 4.0