Incident Response, Mar 17, 2026
"On the Exchange email server, the threat actor used a legitimate Windows executable, SystemSetti...
Summary
A threat actor compromised an Exchange email server using SystemSettingsAdminFlows.exe, a legitimate Windows executable, as a living-off-the-land binary (LOLBIN) to disable Windows security features. This technique demonstrates hands-on-keyboard post-exploitation activity aimed at establishing persistence and evading detection on a compromised mail server.
Indicators of Compromise
- LOLBIN (legitimate Windows executable abused by the actor, not malware in its own right) — SystemSettingsAdminFlows.exe
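The summary above describes the binary being abused from a compromised mail server rather than from an interactive desktop session, so a practical hunt is to look at who launched SystemSettingsAdminFlows.exe and from where. The script below is an added example written for this write-up, not code from the original report or from any vendor. It runs over constructed Sysmon Event ID 1-style process-creation records embedded inline. The assumptions are mine: that the normal parent of this binary is the Settings app (SystemSettings.exe), that a web worker, shell or script host as parent on an Exchange server is high-severity, and that any other parent deserves a medium-severity look. The command-line strings are placeholders, not real argument syntax.

```python
"""Triage SystemSettingsAdminFlows.exe launches in process-creation telemetry.

Input shape mirrors Sysmon Event ID 1 / Windows 4688 fields (Image, ParentImage,
CommandLine, User, Computer). Sample records below are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TARGET = "systemsettingsadminflows.exe"

# Assumption: the binary is normally spawned by the Settings app.
EXPECTED_PARENTS = {"systemsettings.exe"}

# Assumption: these parents on a mail server indicate hands-on-keyboard or
# web-shell driven execution rather than a user opening Settings.
SUSPICIOUS_PARENTS = {
    "w3wp.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
    "wscript.exe", "cscript.exe", "rundll32.exe", "mshta.exe",
}


@dataclass
class ProcEvent:
    host: str
    image: str
    parent_image: str
    command_line: str
    user: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(event: ProcEvent) -> Optional[str]:
    """Return 'high', 'medium' or None for a single process-creation event."""
    if basename(event.image) != TARGET:
        return None
    parent = basename(event.parent_image)
    if parent in SUSPICIOUS_PARENTS:
        return "high"
    if parent not in EXPECTED_PARENTS:
        return "medium"
    return None


def hunt(events: List[ProcEvent]) -> List[Tuple[str, str, str, str]]:
    """Return (host, severity, parent, user) for every flagged event."""
    findings = []
    for ev in events:
        sev = triage(ev)
        if sev:
            findings.append((ev.host, sev, basename(ev.parent_image), ev.user))
    return findings


# Constructed sample telemetry (not from the incident).
SAMPLE_EVENTS = [
    ProcEvent("WS01", r"C:\Windows\System32\SystemSettingsAdminFlows.exe",
              r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe",
              "SystemSettingsAdminFlows.exe <placeholder-args>", r"CORP\jdoe"),
    ProcEvent("EX01", r"C:\Windows\System32\SystemSettingsAdminFlows.exe",
              r"C:\Windows\System32\inetsrv\w3wp.exe",
              "SystemSettingsAdminFlows.exe <placeholder-args>", r"NT AUTHORITY\SYSTEM"),
    ProcEvent("EX01", r"C:\Windows\System32\SystemSettingsAdminFlows.exe",
              r"C:\Windows\System32\cmd.exe",
              "SystemSettingsAdminFlows.exe <placeholder-args>", r"CORP\svc_exch"),
    ProcEvent("WS02", r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\explorer.exe", "notepad.exe", r"CORP\asmith"),
    ProcEvent("EX01", r"C:\Windows\System32\SystemSettingsAdminFlows.exe",
              r"C:\Windows\System32\svchost.exe",
              "SystemSettingsAdminFlows.exe <placeholder-args>", r"NT AUTHORITY\SYSTEM"),
]

if __name__ == "__main__":
    for host, sev, parent, user in hunt(SAMPLE_EVENTS):
        print(f"[{sev.upper()}] {host}: {TARGET} spawned by {parent} as {user}")
```

In production the records would come from the SIEM or from Sysmon on the mail server; the value of the rule is the parent-process context, since the binary itself is signed and present on every Windows host and a file-hash indicator would never fire.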