---
type: "attack-path"
title: "AD-DOMAIN-ADMIN-CASCADE-2025"
description: "Canonical reference path for the Active Directory Domain-Admin → ransomware cascade — a composite/pattern analysis grounded in three 2025 incidents: Lynx (DFIR Report, March 2025), Storm-2603 / ToolShell (Cisco Talos, August 2025), and Storm-0300 / Akira (Microsoft Security Blog, April 2025)."
resource: "tlctc:attack-path:ad-domain-admin-cascade-2025"
tags:
  - "attack-path"
  - "cluster-4"
  - "cluster-1"
  - "cluster-7"
  - "confidence-high"
timestamp: "2026-04-19T00:00:00Z"
tlctc_version: "2.1"
---
# AD-DOMAIN-ADMIN-CASCADE-2025

## Attack path

```
… →[Δt=?] ||[prod][@Attacker→@Org]|| #4 →[Δt=~10m] #1 →[Δt=~15m] #4 →[Δt=~5m] #1 →[Δt=~10m] #1 →[Δt=~5m] #1 →[Δt=~1h] #1 + [DRE: C] →[Δt=~5m] #4 →[Δt=~10m] #1 + [DRE: C] →[Δt=~5m] #7 (FEC) + [DRE: C] →[Δt=~24h] #1 →[Δt=~5m] #1 + [DRE: A] →[Δt=~5m] #1 + [DRE: A] →[Δt=~5m] #1 →[Δt=~15m] #7 (FEC) + [DRE: Ac] →[Δt=~30m] #1 + [DRE: A]
```

## Schema

| Step | Cluster | Boundary | Δt→next | DRE |
|---|---|---|---|---|
| s0-acquisition-prefix | … (unresolved) |  | ? | |
| s1-rdp-foothold | [#4](/clusters/cluster-4.md) | \|\|[prod][@Attacker→@Org]\|\| | ~10m |  |
| s2-initial-recon | [#1](/clusters/cluster-1.md) |  | ~15m |  |
| s3-da-lateral-to-dc | [#4](/clusters/cluster-4.md) |  | ~5m |  |
| s4-dc-recon | [#1](/clusters/cluster-1.md) |  | ~10m |  |
| s5-create-lookalike-accounts | [#1](/clusters/cluster-1.md) |  | ~5m |  |
| s6-elevate-accounts | [#1](/clusters/cluster-1.md) |  | ~1h |  |
| s6b-credential-harvest | [#1](/clusters/cluster-1.md) |  | ~5m | C |
| s6c-harvested-cred-application | [#4](/clusters/cluster-4.md) |  | ~10m |  |
| s7-collect-and-stage | [#1](/clusters/cluster-1.md) |  | ~5m | C |
| s8-exfil-tool-exec | [#7](/clusters/cluster-7.md) (FEC) |  | ~24h | C |
| s9-lateral-to-backup | [#1](/clusters/cluster-1.md) |  | ~5m |  |
| s10-backup-destruction | [#1](/clusters/cluster-1.md) |  | ~5m | A |
| s11-shadow-copy-destruction | [#1](/clusters/cluster-1.md) |  | ~5m | A |
| s12-stage-payload-push | [#1](/clusters/cluster-1.md) |  | ~15m |  |
| s13-encrypt-per-host | [#7](/clusters/cluster-7.md) (FEC) |  | ~30m | Ac |
| s14-log-clearing | [#1](/clusters/cluster-1.md) |  |  | A |
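
The strategic notation in the Attack path section is regular enough to parse mechanically and cross-check against the schema table. The Python below is an added example, not part of the original TLCTC record: it tokenises the path into steps (cluster, boundary, FEC marker, DRE, Δt), counts steps per cluster, totals the resolvable Δt values, and checks the R-EXEC rule that the (FEC) marker and cluster #7 coincide. The Step field names and the minutes/hours Δt grammar are this example's assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# The strategic notation line from this page's "Attack path" section, copied verbatim.
PATH = ("… →[Δt=?] ||[prod][@Attacker→@Org]|| #4 →[Δt=~10m] #1 →[Δt=~15m] #4 "
        "→[Δt=~5m] #1 →[Δt=~10m] #1 →[Δt=~5m] #1 →[Δt=~1h] #1 + [DRE: C] "
        "→[Δt=~5m] #4 →[Δt=~10m] #1 + [DRE: C] →[Δt=~5m] #7 (FEC) + [DRE: C] "
        "→[Δt=~24h] #1 →[Δt=~5m] #1 + [DRE: A] →[Δt=~5m] #1 + [DRE: A] "
        "→[Δt=~5m] #1 →[Δt=~15m] #7 (FEC) + [DRE: Ac] →[Δt=~30m] #1 + [DRE: A]")

ARROW = re.compile(r"→\[Δt=([^\]]*)\]")           # "→[Δt=~10m]", captures the Δt text
BOUNDARY = re.compile(r"\|\|(?:\[[^\]]*\])+\|\|")  # "||[prod][@Attacker→@Org]||"
CLUSTER = re.compile(r"#(\d+)")                    # "#4"
DRE = re.compile(r"\[DRE:\s*([A-Za-z]+)\]")        # "[DRE: Ac]"

@dataclass
class Step:
    cluster: Optional[int]     # None for the unresolved gap "…"
    boundary: Optional[str]    # boundary crossed on entry to this step, if any
    fec: bool                  # "(FEC)" marker: foreign executable content ran
    dre: Optional[str]         # C / A / Ac, or None
    dt_next: Optional[str]     # Δt to the next step, as written ("~10m", "?")

def delta_minutes(text: Optional[str]) -> Optional[int]:
    """'~10m' -> 10, '~1h' -> 60, '~24h' -> 1440; '?' or None -> None."""
    m = re.fullmatch(r"~?(\d+)([mh])", (text or "").strip())
    if not m:
        return None
    return int(m.group(1)) * (60 if m.group(2) == "h" else 1)

def parse_path(path: str) -> List[Step]:
    parts = ARROW.split(path)   # [seg0, Δt0, seg1, Δt1, ..., segN]
    steps = []
    for i in range(0, len(parts), 2):
        seg = parts[i]
        bnd, cl, dre = BOUNDARY.search(seg), CLUSTER.search(seg), DRE.search(seg)
        steps.append(Step(
            cluster=int(cl.group(1)) if cl else None,
            boundary=bnd.group(0) if bnd else None,
            fec="(FEC)" in seg,
            dre=dre.group(1) if dre else None,
            dt_next=parts[i + 1].strip() if i + 1 < len(parts) else None,
        ))
    return steps

def cluster_counts(steps: List[Step]) -> Dict[Optional[int], int]:
    return dict(Counter(s.cluster for s in steps))

def total_minutes(steps: List[Step]) -> int:
    """Sum of the resolvable Δt values; the '?' gap contributes nothing."""
    return sum(delta_minutes(s.dt_next) or 0 for s in steps)

def fec_violations(steps: List[Step]) -> List[int]:
    """R-EXEC consistency: the (FEC) marker and cluster #7 must coincide."""
    return [i for i, s in enumerate(steps) if s.fec != (s.cluster == 7)]

if __name__ == "__main__":
    print(cluster_counts(parse_path(PATH)), total_minutes(parse_path(PATH)))
```

The Δt total covers only the tabulated per-step intervals; the observed Lynx TTR given under Citations is a separate measurement.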

## Step notes

- **s0-acquisition-prefix:** Acquisition prefix. In Lynx (Variant A) the credentials were stolen elsewhere — stealer malware (#7 + #1 harvest + #4 use), an infostealer-log marketplace purchase, or an initial-access broker handoff — and no acquisition telemetry survived on the target estate. Five documented 2025 variants for the pre-SRE prefix:
  - (A) pre-acquired valid credentials, no target-side artifact — Lynx;
  - (B) VPN initial access then internal Kerberoasting/LSASS — Storm-0300, Akira;
  - (C) server exploit chain: #2 (ToolShell SharePoint CVE) → #7 (webshell) → #1 (create admin in AD) → auth-boundary cross to Entra → #4 — Storm-2603;
  - (D) Kerberoasting from a low-privilege foothold: #1 (TGS request, legitimate Kerberos function) + [DRE: C on TGS blobs] → offline crack → #4 — evidence: Event 4769 with TicketEncryptionType=0x17 on unusual service principals, no preceding 4768 anomaly;
  - (E) ZeroLogon (CVE-2020-1472): #2 (AES-CFB8 IV cryptographic flaw in MS-NRPC) + [DRE: C on machine account then DCSync-harvested hashes] → #4.

  R-UNRES-8: this is modeled as an unresolved gap because the single document represents the cascade pattern — defenders replace this gap with a classified prefix from their own incident. R-UNRES-6: the boundary on the subsequent step (||[prod][@Attacker→@Org]||) is independently observable and belongs to s1, not here.
- **s1-rdp-foothold:** Successful RDP logon to an internet-exposed production host using valid credentials acquired in s0. No brute-force noise, no stuffing failures — a clean authentication. R-CRED: credential application is ALWAYS #4 regardless of how the credential was acquired (Axiom X, Credential Duality). Evidence: Event ID 4624 logon type 10 on the edge host; often zero failed 4625s preceding it, which is the forensic signature of pre-acquired credentials vs. guessed credentials.
- **s2-initial-recon:** Directory and host enumeration from the foothold host using legitimate built-in utilities: net, nltest, NetScan, NetExec, BloodHound collectors. Every command is a designed, advertised capability — Precedence-2 test: 'would this attack work against a perfect implementation of the same functionality?' — yes, therefore #1 Abuse of Functions. No implementation flaw required. Evidence: Event 4688 (process creation) for net/nltest; 4662 with directory-service property access patterns; LDAP query logs from domain controllers.
- **s3-da-lateral-to-dc:** Lateral movement from the foothold host to a domain controller using a SEPARATE compromised domain-admin account (distinct from s1). R-CRED: credential application is always #4. The fact that this DA credential was harvested elsewhere in the environment (rather than re-using s1's account) is forensically significant — Microsoft's April 2025 reporting finds the DC is breached in >78% of human-operated intrusions, and the attacker rarely relies on the initial foothold account for Tier-0 work. This step IS the SRE (Significant Risk Event) — the Bow-Tie central event when a Tier-0 principal comes under attacker control.
- **s4-dc-recon:** Domain-controller-local reconnaissance: enumerate trusts, schema, existing Tier-0 groups, GPO inventory, Protected Users membership. Same tools as s2 but now executed on the DC with DA privileges — the authority scope is maximal. Still #1: every query uses a designed Active Directory function.
- **s5-create-lookalike-accounts:** Create persistence accounts using native AD admin functionality (net user /add, New-ADUser). In Lynx, three lookalikes were observed, including 'administratr' (a one-character omission from 'administrator'). No flaw exploited — account creation is a designed privileged function. Evidence: Event 4720 (user account created), 4738 (user account changed). The typosquat naming is a tell but not a classification input — Axiom IV, actor identity / tradecraft never determines cluster.
- **s6-elevate-accounts:** Add the persistence accounts to Domain Admins, Enterprise Admins, Group Policy Creator Owners (GPCO), using net group, Add-ADGroupMember, or GPMC. Every Add-ADGroupMember call is a designed function of the privileged role already held — classic #1. Evidence: Event 4728 (member added to security-enabled global group), 4732 (local), 4756 (universal).
- **s6b-credential-harvest:** Post-DA credential harvest — in the canonical Lynx-style cascade this is DCSync via MS-DRSR GetNCChanges (DS-Replication-Get-Changes-All), which replicates NTDS.dit contents and yields every domain account NT hash plus the krbtgt hash (enabling Golden Ticket persistence). Pure #1 Abuse of Functions: directory replication is a designed AD capability invokable by any principal holding replication rights, and s6 just granted those rights via DA / Enterprise Admin membership. No implementation flaw is exploited — Precedence-2 test confirms the attack works against a perfect implementation. DRE:C attaches HERE on credential material, which is a forensically distinct data subject from the later s7/s8 DRE:C on business file data — different control surface, different recovery semantics, different breach-notification obligations. R-CRED: acquisition event, so DRE:C attaches at this step and NEVER at downstream #4 reuse (pass-the-hash, overpass-the-hash, Golden Ticket) — the paired application is recorded explicitly as s6c. Common variants at this position: LSASS dump via ProcDump / comsvcs.dll on a reached host is still #1 + [DRE: C] (LOLBIN abuse at DA authority); Mimikatz or other attacker-supplied credential stealer is #7 + [DRE: C] because FEC executes (R-EXEC). Persistence rationale: even if s5's lookalike accounts are disabled during response, harvested hashes permit re-entry via any domain principal; undoing DCSync requires a full krbtgt double-rotation, which most organizations cannot execute under incident pressure. Evidence: Event 4662 with ObjectType GUIDs 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes) and 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes-All) sourced from an unexpected principal or host; Sysmon EID 10 with TargetImage=lsass.exe for LSASS-dump variants; 4688 for ProcDump/comsvcs.dll invocation.
- **s6c-harvested-cred-application:** First application of a credential harvested at s6b — in the canonical Lynx-style cascade this is either (a) pass-the-hash authentication to a target using an NT hash from the NTDS dump, or (b) Golden Ticket presentation using the krbtgt hash (forging is an offline computation with no on-wire event; the observable step is the authentication request, which is this step). Per Axiom X (Credential Duality) and R-CRED: credential acquisition (s6b) and credential application (s6c) are DISTINCT steps with DISTINCT cluster classifications. Acquisition maps to the enabling cluster (#1 Abuse of Functions for DCSync); application is ALWAYS #4 regardless of how the credential was obtained. Conflating s6b and s6c is the most common classification error in post-DA AD incident analysis, and it destroys the #1/#4 control-surface distinction: defences against harvest (DS-Replication auditing, LSASS protection, Credential Guard, Protected Users, tier-0 segmentation) are structurally different from defences against application (authentication-anomaly detection, tiered logon restrictions, Kerberos Armoring / FAST, krbtgt rotation cadence, AS-REQ/TGS-REQ monitoring). This is the pivot point where the attacker switches from the externally-acquired DA credential used at s3 to a domain-internal harvested persona — a routine operator move to (i) break correlation with the s3 foothold account in case it gets flagged during the ~24h pause before s9, (ii) reach scopes the s3 account does not cover (backup-operator service accounts, tier-specific admins surfaced by DCSync), or (iii) establish Kerberos-level persistence via krbtgt that survives account disablement and DA group removal. R-CRED reminder: NO DRE is recorded at this step — DRE:C on the credential material was attached at acquisition (s6b) and does NOT re-attach on each use. 
  Evidence depends on the variant: Golden Ticket presentation — Event 4769 (TGS request) with no preceding Event 4768 (TGT issuance) from the KDC (the KDC never saw the TGT because the attacker forged it offline), anomalous ticket lifetime (Mimikatz default 10 years vs domain policy), PAC validation failures at target services, SID-history artifacts on the ticket; pass-the-hash — Event 4624 logon type 3 with NtlmSsp authentication package from an unexpected source host, using a principal whose NT hash appeared in the s6b NTDS dump; overpass-the-hash — Event 4768 TGT issuance using a hash directly (not an interactive logon password), often preceded by no 4624 type 2 on the source host. Classification boundary is crisp and defensible under review: the offline hash computation / ticket forging is NOT a cluster step (no on-system event, nothing 'happens' on any target); the network authentication event IS the cluster and IS #4.
- **s7-collect-and-stage:** Share enumeration and file collection across the domain using SMB reads, 7-Zip staging to an internal drop folder. Standard file I/O and compression — designed, legitimate, not flawed — abused at DA scope. DRE:C attaches at acquisition (R-CRED principle generalized to data). The 7-Zip binary is typically a Microsoft-signed or portable build used as a LOLBIN; its execution is not FEC (the binary is legitimate tooling). Evidence: 5140/5145 (SMB share access), 4688 (7z.exe process creation with archive paths in cmdline).
- **s8-exfil-tool-exec:** Attacker-supplied exfiltration tooling executes on the staging host — commonly a custom client uploading staged archives to temp.sh, anonfiles, rclone to attacker-controlled cloud, or a bespoke binary. R-EXEC: foreign executable content runs, therefore a #7 step MUST be recorded at the execution moment (fec_executed: true). DRE:C attaches here as the egress event. Distinction from s7: s7 is abuse of designed functions with data movement internal; s8 is FEC crossing the egress boundary. Defenders often collapse s7+s8 into a single 'exfiltration' label and then have no control surface because 'exfiltration' is an outcome, not a cluster.
- **s9-lateral-to-backup:** RDP or SMB/WMI access to the backup server using DA authority. Classified #1 at this strategic-notation level — continued operation inside already-held Tier-0 scope is abuse of the designed function. At a stricter R-CRED decomposition an embedded #4 credential-application step exists (a Kerberos TGS presented for the backup server's SPN); this summary-level compression is intentional and acceptable when the Tier-0 principal has been continuously active. If distinct authentication events matter for control attribution, split into #4 → #1.
- **s10-backup-destruction:** Delete backup jobs and snapshots via the backup application's own administrative console (Veeam, Commvault, Rubrik) — DA typically has direct or inherited access. The console function is designed; the authority scope is abused. DRE:A (Availability) — backup data is gone, not just inaccessible. This is the strategic move that makes ransomware economically viable: without backups, the recovery option collapses and the extortion leverage becomes binary. Distinct from s11 (VSS): backup system deletion destroys the primary recovery tier.
- **s11-shadow-copy-destruction:** vssadmin delete shadows /all (or wmic shadowcopy delete) executed on each target host to eliminate the secondary recovery tier. VSS administration is a designed Windows function; the attacker already holds the authority. DRE:A on VSS shadow data specifically — a separate control surface from s10 (backup system) with distinct recovery semantics. Keeping these separate matters: compressing them into one step hides the fact that two independent controls must both fail for the ransomware business model to succeed. Evidence: Event 4688 (vssadmin.exe with 'delete shadows' arguments), VSS event 8224.
- **s12-stage-payload-push:** Push the encryption payload to target hosts via SMB copy to ADMIN$/C$, PsExec, WMI, or GPO software installation. Pure abuse of designed file-share and remote-administration functions. The payload itself is FEC but has not yet EXECUTED here — R-EXEC is not triggered until s13. Keeping the push (#1) and the run (#7) as separate steps is a classification discipline point: conflating them is the most common error in ransomware attack-path analysis and it destroys the distinction between network-level and host-level control surfaces. Evidence: Event 5140/5145 (SMB admin-share access), Event 4688 (remote service create / scheduled task).
- **s13-encrypt-per-host:** The ransomware payload — PE binary, DLL side-loaded via a LOLBIN, or fileless PowerShell script carried in memory — executes on each target host. R-EXEC: foreign executable content runs, #7 recorded with fec_executed: true. DRE:Ac (Accessibility) — data is present on disk but unusable because it is encrypted; distinct from A (Availability) where data would be gone. Strategic notation compresses this step as (#1 → #7)×N where N is the number of encryption victims; at the forensic level each host instance is enumerable and carries its own DRE:Ac. 'Fileless' PowerShell ransomware (observed in Storm-2603 Velociraptor-abuse variant) still counts as #7: the host process (powershell.exe) is #1, the attacker's script running inside it is #7. Axiom III: 'ransomware' is the outcome label — the cluster is FEC execution, the impact is [DRE: Ac], the business event is extortion leverage. Mapping a single 'anti-ransomware' control to this one step is the category error that makes such products underperform.
- **s14-log-clearing:** Anti-forensics sweep: wevtutil cl, Clear-EventLog, or direct deletion of ETL files. Still #1 — event log administration is a designed function, authority scope is abused. DRE:A on log data specifically — audit trail is gone. Where post-incident gaps were created by this step, subsequent reconstruction uses the '…' (unresolved gap) operator in the path between surviving observations. Evidence: Event 1102 (audit log cleared), Event 104 (system log cleared) — the very act of clearing leaves these markers, which is why the most sophisticated operators avoid wevtutil and instead corrupt log files directly.
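
To make the evidence rules for s1, s6b and s6c testable, the Python below is an added example (not part of this record or of the cited reports) that runs three detectors over constructed Windows Security events: a logon-type-10 4624 with no preceding 4625 for the same account (the pre-acquired-credential signature), a 4662 carrying either replication GUID from a principal that is not a DC machine account (DCSync), and a 4769 with no 4768 inside one TGT lifetime (Golden Ticket presentation). The hostnames, account names, the DC machine-account set and the 10-hour TGT lookback are assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Replication-right property GUIDs from the s6b evidence notes.
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DC_ACCOUNTS = {"DC01$", "DC02$"}   # assumed: the only principals expected to replicate

# Constructed sample events (not real telemetry); Security-log fields simplified.
EVENTS: List[Dict] = [
    {"ts": "2025-03-01T08:55:00", "id": 4625, "host": "EDGE01", "user": "bob"},
    {"ts": "2025-03-01T08:56:00", "id": 4624, "host": "EDGE01", "user": "bob", "logon_type": 10},
    {"ts": "2025-03-01T09:00:00", "id": 4624, "host": "EDGE01", "user": "jsmith", "logon_type": 10},
    {"ts": "2025-03-01T09:30:00", "id": 4768, "host": "DC01", "user": "jsmith"},
    {"ts": "2025-03-01T09:31:00", "id": 4769, "host": "DC01", "user": "jsmith", "service": "FILE01$"},
    {"ts": "2025-03-01T09:40:00", "id": 4662, "host": "DC01", "user": "administratr",
     "props": [DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL]},
    {"ts": "2025-03-01T09:41:00", "id": 4662, "host": "DC01", "user": "DC02$",
     "props": [DS_REPL_GET_CHANGES_ALL]},
    {"ts": "2025-03-01T09:50:00", "id": 4769, "host": "DC01", "user": "svc_backup", "service": "BACKUP01$"},
]

def _t(e: Dict) -> datetime:
    return datetime.fromisoformat(e["ts"])

def clean_rdp_logons(events: List[Dict], lookback=timedelta(hours=24)) -> List[Tuple]:
    """s1 signature: 4624 logon type 10 with zero 4625 failures for the same
    account in the lookback window, the forensic mark of a pre-acquired credential."""
    hits = []
    for e in events:
        if e["id"] != 4624 or e.get("logon_type") != 10:
            continue
        failed = any(f["id"] == 4625 and f["user"] == e["user"]
                     and _t(e) - lookback <= _t(f) < _t(e) for f in events)
        if not failed:
            hits.append((e["ts"], e["user"], e["host"]))
    return hits

def dcsync_from_unexpected_principal(events: List[Dict], dcs=DC_ACCOUNTS) -> List[Tuple]:
    """s6b signature: 4662 carrying either replication GUID, sourced from a
    principal that is not a domain-controller machine account."""
    wanted = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL}
    return [(e["ts"], e["user"]) for e in events
            if e["id"] == 4662 and e["user"] not in dcs and wanted & set(e.get("props", []))]

def tgs_without_tgt(events: List[Dict], lookback=timedelta(hours=10)) -> List[Tuple]:
    """s6c Golden Ticket signature: 4769 for an account with no 4768 from the KDC
    inside one TGT lifetime (assumed default 10 h): the KDC never issued the TGT."""
    hits = []
    for e in events:
        if e["id"] != 4769:
            continue
        issued = any(k["id"] == 4768 and k["user"] == e["user"]
                     and _t(e) - lookback <= _t(k) <= _t(e) for k in events)
        if not issued:
            hits.append((e["ts"], e["user"], e["service"]))
    return hits

if __name__ == "__main__":
    print(clean_rdp_logons(EVENTS), dcsync_from_unexpected_principal(EVENTS), tgs_without_tgt(EVENTS))
```

Each detector maps to a different control surface: the first to the s1 boundary crossing, the second to harvest defences (s6b), the third to application defences (s6c), which is the #1/#4 distinction the notes above insist on.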

## Citations

Canonical reference path for the Active Directory Domain-Admin → ransomware cascade — a composite/pattern analysis grounded in three 2025 incidents: Lynx (DFIR Report, March 2025), Storm-2603 / ToolShell (Cisco Talos, August 2025), and Storm-0300 / Akira (Microsoft Security Blog, April 2025). The cascade has an invariant Bow-Tie shape: a variable pre-SRE prefix (how the attacker reaches Domain Admin), the SRE itself (Tier-0 principal under attacker control), and a nearly-invariant post-SRE tail that is structurally #1 Abuse of Functions with #7 appearing only at FEC execution moments.

Pre-SRE variants documented in the source:

- (A) valid-credential RDP (Lynx) — acquisition prefix unresolved, use step #4;
- (B) VPN foothold then escalation (Storm-0300, Akira) — #4 then Kerberoasting or LSASS;
- (C) server exploit chain (Storm-2603, ToolShell) — #2 → #7 webshell → #1 create admin || auth [@Org→@Entra] → #4;
- (D) Kerberoasting — #1 + [DRE: C on TGS blobs] → #4 → #1;
- (E) ZeroLogon — #2 + [DRE: C] → #4.

This file models Variant A (Lynx) as the canonical reference path; the acquisition prefix is left as an unresolved gap so the same file serves as a template across all five variants.

Compact notation:

```
… → #4 ||[prod][@Attacker→@Org]|| →[Δt=10m] #1 →[Δt=15m] #4 →[Δt=mins] #1 →[Δt=mins] #1 →[Δt=mins] #1 →[Δt=hours] #1 + [DRE: C] →[Δt=mins] #4 →[Δt=mins] #1 + [DRE: C] → #7 + [DRE: C] →[Δt=~24h] #1 →[Δt=mins] #1 + [DRE: Av] →[Δt=mins] #1 + [DRE: Av] →[Δt=mins] #1 → #7 + [DRE: Ac] → #1 + [DRE: Av]
```

Axiom X (Credential Duality) is reflected as a visible acquisition/application pair at s6b→s6c: s6b is the #1 DCSync that harvests NTDS (DRE:C on credential material); s6c is the paired #4 application (Golden Ticket presentation or pass-the-hash) without DRE — per R-CRED the DRE attaches ONLY at acquisition. Two distinct DRE:C subjects appear in the tail: credential material (s6b — all domain NT hashes plus krbtgt) and business file data (s7 collection + s8 egress).

The structural acquisition/application pairs in the path are s0→s1 (external acquisition → RDP use) and s6b→s6c (DCSync → Golden Ticket / PtH use). TTR observed in Lynx: ~178 hours across nine calendar days (velocity class VC-3); extortion-speed outliers compress this to VC-2 without altering the step sequence.

Sources: DFIR Report Lynx case (March 2025); Microsoft Security Blog — 'Active Directory under siege' and Storm-0300 reporting (April 2025); Cisco Talos — Storm-2603 ToolShell analysis (August 2025); Verizon 2025 DBIR; Secureworks IR telemetry. Companion analysis: documentation/articles ad-ransomware-tlctc-cascade.html (The #1-Cascade).
