[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fA--GDhequWQKsqgLkFy6HWLNe4X1GBJi3uwCa3swHdo":3},{"article":4,"iocs":46},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":26,"category":27,"article_tags":30},"0b0bae7e-5b5c-46ee-a629-ae0fe2f2389e","On the Domain Controller, the actor used dsa.msc to create three persistence accounts — including...","on-the-domain-controller-the-actor-used-dsa-msc-to-create-three-persistence-acco-211a2c","On the Domain Controller, the actor used dsa.msc to create three persistence accounts — including “administratr” — designed to mimic legitimate users already in the environment.\n\nFull report 👇\nhttps:\u002F\u002Ft.co\u002FIOlOAj2ClY\n\n#DFIR #ActiveDirectory #Ransomware #ThreatHunting #BlueTeam https:\u002F\u002Ft.co\u002FvflBEx0Lsn","In a recent ransomware incident, threat actors gained access to a domain controller and used the Active Directory Users and Computers tool (dsa.msc) to establish persistence by creating three fake accounts designed to blend in with legitimate users. One account, named 'administratr,' mimicked a real administrator account to evade detection. This technique demonstrates how attackers leverage legitimate Windows administration tools post-compromise to maintain long-term access.","Ransomware actor created three persistence accounts on domain controller using dsa.msc, including 'administratr' mimic",null,"https:\u002F\u002Fx.com\u002FTheDFIRReport\u002Fstatus\u002F2059586683062874163","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHJUfLFWWgAQ5dDw.jpg","2026-05-27T10:45:05+00:00","2026-05-27T11:00:06.185102+00:00",8,[18,21,23],{"name":19,"type":20},"Active Directory Users and Computers (dsa.msc)","technology",{"name":22,"type":20},"Domain Controller",{"name":24,"type":25},"Unnamed Ransomware Campaign","campaign","c5eccf7c-abbc-4bd3-bbed-e6da5cba8e73",{"id":26,"icon":11,"name":28,"slug":29},"Incident Response","incident-response",[31,36,41],{"category":32},{"id":33,"icon":11,"name":34,"slug":35},"2c8f44d4-b56e-47cf-9677-04f22c9ee78d","Identity & Access","identity-access",{"category":37},{"id":38,"icon":11,"name":39,"slug":40},"7d8b5ab8-ea0b-4ced-ae97-ec251b86993a","Ransomware","ransomware",{"category":42},{"id":43,"icon":11,"name":44,"slug":45},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[47,51],{"type":48,"value":49,"context":50},"mitre_attack","T1098.001","Create Account — persistence via fake administrative accounts on domain controller",{"type":48,"value":52,"context":53},"T1021.001","Remote Services: Remote Desktop Protocol — likely initial access vector"]