Incident Response
May 27, 2026
Ransomware actor created three persistence accounts on domain controller using dsa.msc, including 'administratr' mimic
Summary
In a recent ransomware incident, the threat actor reached a domain controller and used the Active Directory Users and Computers console (dsa.msc) to establish persistence by creating three new domain accounts intended to blend in with legitimate users. One of them, 'administratr', differs from the built-in 'Administrator' name by a single dropped letter, so it survives a quick visual review of the user list. Because dsa.msc is a built-in, signed administration tool, its use raises no malware alert; the defensive signals are the account-creation events written on the domain controller (Security event ID 4720, "A user account was created"), the creating account and logon session recorded in those events, and any group memberships granted to the new accounts. The case shows how attackers lean on legitimate Windows administration tools after the initial compromise to keep long-term access.
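The following hunting script is an added example for the technique described above; it is not code from the original report or from the incident's responders. It lists domain accounts created in the last N days whose sAMAccountName is a near-miss of a privileged name (Levenshtein distance of at most 2, which catches 'administratr' against 'administrator'), and, when run on a domain controller, joins each hit to its 4720 event so the creating account and logon session can be traced. It assumes the RSAT ActiveDirectory module is installed, the caller can read the DC Security log, and the `$ReferenceNames` list (a placeholder here) is replaced with the privileged account names in your own domain.

```powershell
<#
  Added hunting example (not from the original report).
  Assumptions: RSAT ActiveDirectory module present; rights to read the DC Security log;
  $ReferenceNames replaced with the real privileged account names in your domain.
#>
param(
    [int]$LookbackDays = 30,
    [int]$MaxDistance = 2,
    [string[]]$ReferenceNames = @('administrator', 'krbtgt')   # placeholder list; extend for your environment
)

Import-Module ActiveDirectory -ErrorAction Stop

function Get-EditDistance {
    # Levenshtein distance: one dropped, added or changed character costs 1,
    # so a name such as 'administratr' scores 1 against 'administrator'.
    param([string]$A, [string]$B)
    $A = $A.ToLowerInvariant(); $B = $B.ToLowerInvariant()
    $prev = 0..$B.Length
    for ($i = 1; $i -le $A.Length; $i++) {
        $cur = New-Object int[] ($B.Length + 1)
        $cur[0] = $i
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -eq $B[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($cur[$j - 1] + 1, $prev[$j] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$B.Length]
}

$since  = (Get-Date).AddDays(-$LookbackDays)
$recent = Get-ADUser -Filter { whenCreated -ge $since } -Properties whenCreated, MemberOf, Description

# Every recently created account whose name sits within $MaxDistance of a privileged name.
$lookalikes = foreach ($u in $recent) {
    foreach ($ref in $ReferenceNames) {
        $dist = Get-EditDistance $u.SamAccountName $ref
        if ($dist -le $MaxDistance) {
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                Mimics         = $ref
                Distance       = $dist
                Created        = $u.whenCreated
                Groups         = ($u.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';'
            }
        }
    }
}

# Event 4720 is written on the DC that processed the creation. It names the creator
# (Subject) and the subject's logon ID, which links to the matching 4624 logon event.
# The tool used (dsa.msc or otherwise) is not recorded in 4720; it is inferred from the session.
$created = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $fields = @{}
        foreach ($item in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            NewAccount = $fields['TargetUserName']
            CreatedBy  = "$($fields['SubjectDomainName'])\$($fields['SubjectUserName'])"
            LogonId    = $fields['SubjectLogonId']
        }
    }

foreach ($hit in $lookalikes) {
    $ev = $created | Where-Object { $_.NewAccount -eq $hit.SamAccountName }
    $hit | Add-Member -NotePropertyName CreatedBy -NotePropertyValue ($ev.CreatedBy -join ';') -Force
    $hit | Add-Member -NotePropertyName LogonId   -NotePropertyValue ($ev.LogonId   -join ';') -Force
}

$lookalikes | Sort-Object Distance, Created | Format-Table -AutoSize
```

Run it on the domain controller that handled the creation (or against forwarded Security logs) so the 4720 join succeeds; the `CreatedBy` and `LogonId` columns are what let you pivot from the lookalike account to the compromised admin session that created it. A distance of 0 is still reported: a newly created account cannot share a sAMAccountName with an existing one, so a hit at 0 means a privileged name from your list does not exist as expected and deserves a look.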
Indicators of Compromise
- mitre_attack — T1098.001 (Account Manipulation: Additional Cloud Credentials). Note: T1098 covers changes to existing accounts, and its .001 sub-technique is cloud-specific; the creation of new on-premises domain accounts described here maps more precisely to T1136.002 (Create Account: Domain Account).
- mitre_attack — T1021.001 (Remote Services: Remote Desktop Protocol), the kind of interactive access to the domain controller that a GUI console such as dsa.msc requires.
Entities
- Active Directory Users and Computers (dsa.msc) (technology)
- Domain Controller (technology)
- Unnamed Ransomware Campaign (campaign)