惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Security Archives - TechRepublic
Security Archives - TechRepublic
Project Zero
Project Zero
K
Kaspersky official blog
G
Google Developers Blog
T
Threat Research - Cisco Blogs
T
The Blog of Author Tim Ferriss
Cyberwarzone
Cyberwarzone
Y
Y Combinator Blog
Recorded Future
Recorded Future
Blog — PlanetScale
Blog — PlanetScale
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Cisco Talos Blog
Cisco Talos Blog
Latest news
Latest news
Microsoft Security Blog
Microsoft Security Blog
H
Help Net Security
S
Schneier on Security
P
Palo Alto Networks Blog
H
Hacker News: Front Page
N
News and Events Feed by Topic
N
Netflix TechBlog - Medium
博客园 - Franky
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
SecWiki News
SecWiki News
Cloudbric
Cloudbric
TaoSecurity Blog
TaoSecurity Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
The Hacker News
The Hacker News
C
Check Point Blog
L
LangChain Blog
腾讯CDC
小众软件
小众软件
T
Tenable Blog
Google DeepMind News
Google DeepMind News
GbyAI
GbyAI
L
LINUX DO - 最新话题
A
About on SuperTechFans
Google Online Security Blog
Google Online Security Blog
C
Cisco Blogs
Recent Announcements
Recent Announcements
Hacker News: Ask HN
Hacker News: Ask HN
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Vercel News
Vercel News
雷峰网
雷峰网
美团技术团队
D
DataBreaches.Net
Martin Fowler
Martin Fowler
Help Net Security
Help Net Security
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
F
Full Disclosure
博客园_首页

Heimdal Security Blog

Top 6 Managed Detection and Response Providers Cyber-Aware Customers Are Raising the Bar for MSPs and Other Vendors Cyber-Aware Customers Are Raising the Bar for MSPs and Other Vendors How to scale your patches without scaling your team (the patch wave) AI didn't break patching. It showed us patching was already broken. Heimdal Launches MSP Onboarding Wizard to Help Partners Onboard Microsoft CSP Customers in 2 Minutes How Dynamic Defense shuts an attacker out without shutting down the business Static security has run out of road. The case for Dynamic Defense Breaking the MSP Echo Chamber: The Power of Community How attackers built a RAT on a Windows machine using its own .NET compiler Heimdal Survey: Executives Four Times More Confident About AI Risk Than the Teams Managing It Your Next Insider Threat May Be an AI Coworker The OSI Model and Its Two Missing Layers Heimdal® Marks Six Years of Consecutive ISAE 3000 SOC 2 Type II Certification The State of AI Risk Management in 2026 AI Will Absorb 99.98% of SOC Triage Within a Year, as 79% of IT teams brace for AI-driven workload shift Top 10 Cybersecurity Companies in Europe Heimdal Expands AI Strategy with AI Wingman and Third-Party AI Containment You Only Know What You’ve Got When Its Gone Nordic MSPs Can Now Access Heimdal’s Unified Security and Compliance Platform Through Elovade OpenClaw Incidents Show Why AI Adoption Pressure Puts Companies at Risk Heimdal Claims Industry First With a Cyber Essentials Control Mapping for PEDM to Help Organisations Prove Least Privilege Five Predictions for Cyber Security Trends in 2026 Heimdal Achieves OPSWAT Gold Certification for Anti-Malware How to Avoid Holiday Shopping Scams (From a Former Cyber Detective) ITDR Best Practices: How to Detect, Prevent, and Contain Critical Identity Threats When Buyers Discount MSPs With One Big Customer You’re Not Technical? That Excuse Just Expired! Tool Sprawl Taxes Your Business More Than You Think Heimdal 5.1.0 RC Dashboard: Smarter Automation, Stronger Compliance, and Smoother Control Can Generative AI Be Weaponized for Cyberattacks? Digital Warfare and the New Geopolitical Frontline Nearly 40% of 2024 Ransomware Payouts May Have Gone to Russia, China & North Korea
Attacker enables RDP, creates admin, erases evidence in ten seconds
Danny Mitchell · 2026-06-22 · via Heimdal Security Blog

At 06:34am on 2 June 2026, an attacker logged on to a customer’s network.

In a single automated burst, they switched on remote desktop and created a rogue administrator account. And deleted the evidence behind them. 

The intrusion reached 34 endpoints and was over in under ten seconds. 

Heimdal Extended Threat Protection (XTP) and Ransomware Encryption Protection (REP) flagged it as it ran, and our MXDR team reconstructed the sequence to the second afterwards.

If your defence still depends on a human who spots an alert and reacts in time, it’s built for a fight that’s already over.

What actually happened, second by second

The attacker authenticated over NTLMv2 as a Type 3 (network) logon with an elevated token. It’s the kind of session that needs direct communication on ports like 445 or 135.

No interactive login, no malware, and no dropper.

The Windows Task Scheduler service, svchost.exe, then wrote a scheduled task to disk named CdeNZMuc. It ran immediately through cmd.exe as NT AUTHORITY\SYSTEM and carried out five actions in sequence.

  1. Switched on Restricted Admin mode for RDP in the registry, the setting that lets a stolen hash stand in for a password at the RDP prompt. 
  2. Enabled RDP by clearing the Terminal Server deny flag.
  3. Opened firewall port 3389 using netsh advfirewall.
  4. Created a new local user account.
  5. Added that account to the local Administrators group.

Every command sent its output to temporary files under C:\Windows\Temp, so nothing showed on screen.

The attacker deleted the task about two seconds in. The network session logged off shortly after.

That’s initial access and full persistence in under ten seconds, from start to finish.

One detail deserves a second look.

The new account read almost exactly the vendor’s name. The kind a tired admin scrolls past.

The report doesn’t name the impersonation but to our analysts, it looks chosen.

This was the setup, not the attack

What we caught was the staging phase. The groundwork an attacker lays before they deploy ransomware.

XTP and REP raised alerts on three signals in this window.

An RDP port opened programmatically, a new administrator account, and ransomware-associated file activity.

That’s textbook pre-ransomware staging. 

The report concludes the speed and techniques are consistent with exactly that.

We’ll be precise about the limits.

We redacted our report to not name the customer, threat actor, or root cause. We won’t fill those gaps with guesses.

What it shows is an intrusion caught early by behaviour-based detection rather than after the fact, a documented pattern.

The joint CISA, FBI, and European partner advisory on Akira ransomware – updated in November 2025 – describes the same playbook.

Affiliates abuse RDP and create administrator accounts for persistence before encryption.

Sadly, for most lean teams, the first sign of trouble would be the ransom note.

Ten seconds is not an outlier, it’s the trend

Mandiant’s M-Trends 2026 report is drawn from more than 500,000 hours of incident response in 2025.

It found that the median time for one criminal group to hand access to another collapsed to 22 seconds.

In 2022 it was over eight hours.

Mandiant is careful that this marks the point where the second group gains access, not when hands hit the keyboard.

CrowdStrike’s 2026 Global Threat Report puts a number on the next stage.

The average eCrime breakout time (the gap between initial access and lateral movement), fell to 29 minutes in 2025.

That’s 65% faster than the year before.

The fastest breakout they observed was 27 seconds. In the same report, malware-free activity – the kind that leaves nothing for a scanner to catch – was the majority of what CrowdStrike detected in 2025, at 82%.

There’s a distinction that matters here.

Mandiant’s global median dwell time actually rose in 2025, to 14 days from 11.

That doesn’t mean attackers got slower. Long-running espionage and state-linked operations that sit quiet for months pull the average up.

Dwell time measures how long an intruder goes undetected. Execution time measures how fast they act once in.

The first can lengthen while the second shrinks to seconds.

And financially motivated ransomware moves far faster than that headline median suggests. The metric that used to define the game is no longer the one that decides it.

Why your tools never saw a thing

Have you noticed something missing from that timeline… there’s no malicious file in it.

Everything the attacker used was already on the machine.

  • Svchost.exe
  • Cmd.exe
  • Netsh
  • the scheduled task engine
  • the registry
  • Native, signed Windows components that do exactly what they’re designed to do

A signature-based antivirus has nothing to match and a reputation engine has nothing to flag.

This is living off the land. It’s why so much modern intrusion slips past tools built to find bad files.

The evasion sits on top. Each step strips something a responder would look for, like the self-deleting task, the suppressed console output, the clean logoff, the backup-product account name.

On a casual inspection this is completely normal.

If your detection looks for the malicious artefact, this attack never created one.

The real way in was a door left open years ago

This is the less comfortable part because the entry point wasn’t clever, it was old. The attacker got in over NTLMv2, which is a protocol Microsoft has tried to retire for years.

Our analysts weighed that elevated-token logon against the number of endpoints it reached.

In rough order of likelihood, the way in was pass-the-hash – an NTLM relay against a server that isn’t enforcing SMB signing – or valid credentials that were simply stolen.

Here’s the bit that catches people out.

Multi-factor authentication does not stop a relayed or replayed hash. MFA protects the front-door login. It does nothing about a hash captured and reused on the network behind it.

If your model is “we have MFA, so we’re covered,” it’s worth revisiting.

What let this land in one shot was a set of standing conditions.

  • Legacy NTLM still accepted.
  • SMB signing not enforced, which is what makes relay possible. Standing local administrator rights for the token to abuse.
  • RDP ready to be switched on.

None of those is a zero-day. They’re configuration debt.

And before anyone points to Microsoft’s NTLM deprecation as the fix, read the timeline.

Microsoft formally deprecated NTLM in 2024 and plans to disable network NTLM by default in a future Windows Server release, with no fixed date.

The change landing soonest is targeted for October 2026, and flips a registry default that blocks NTLM version 1.

This incident used NTLMv2, which relay attacks still rely on. The coming change doesn’t touch this.

The platform is moving in the right direction but it won’t harden your clients’ networks for you on a timeline that helps this year.

No human clicks that fast

If breakout is measured in seconds and your alert-to-analyst-to-action loop runs in minutes on a good day, the loop loses.

The event is finished before a human gets to it.

A lot of well-run MSPs assume a competent SOC, solid EDR, and tested backups add up to enough.

Against a ten-second, malware-free living-off-the-land intrusion, that stack reacts after the decisive moment, not during it.

Your backups help you recover but they don’t keep the attacker out. And, increasingly the data is stolen before it’s encrypted. A clean restore no longer guarantees you avoid the worst.

You fix by getting into the fight early, not a faster human. Remove the conditions that let the attack finish in one shot. Let automation act at machine speed when prevention is bypassed.

What would actually have stopped it, step by step

There’s no single control that beats this. And anyone who sells you one is overselling.

What works is defence in depth with each layer aimed at a step in the chain.

Here’s the honest mapping with our own tooling included – and where it stops.

When the attacker enabled RDP and opened port 3389, that’s the step Remote Access Protection (RAP) – part of Next-Gen Antivirus and Firewall, is built for.

It blocks external remote access by default and only permits allowlisted IPs and ports from the endpoint outward. The whole plan needed RDP to be reachable and default-deny removes that option.

The rogue account and the abused elevated token are a privilege problem.

Privilege Elevation and Delegation Management (PEDM) removes standing local administrator rights and de-escalates privileges when a threat appears. So, there’s far less for a rogue account or token to inherit.

Extended Threat Protection (XTP) is built to catch the correlated chain, the SYSTEM-level cmd execution, the registry changes, the scheduled task, and the RDP enablement.

The sequence reads as one attack rather than four unrelated events because it runs telemetry against more than 1,400 detection rules mapped to MITRE ATT&CK.

The encryption stage that was staged but never reached is where Ransomware Encryption Protection (REP) sits.

It watches for the behaviour of files under encryption rather than a known signature and isolates the device automatically. In this incident it flagged ransomware-associated file activity.

And for the speed gap, the reality that a small team can’t be in the loop at 06:34 on a Tuesday, A managed detection and response service with one-click isolation is the realistic answer to the speed gap.

Especially for as thin team that can’t be in the loop at 06:34am on a Tuesday.

Now the honest limit. None of those modules fixes the way in.

The NTLM logon is an environment-hardening problem and it stays your job.

  • Enforce SMB signing
  • Reduce NTLM where you can and audit where it’s still in use.
  • Tighten credential hygiene.
  • Use MFA where it genuinely helps, and know where it doesn’t.

Defence in depth buys you the layers. It doesn’t replace closing the door.

What it costs your client when you lose the ten seconds

Translate this into the language your clients and their insurers speak. That’s where it gets expensive.

IBM’s 2025 Cost of a Data Breach report put a ransomware or extortion breach at 5.08 million dollars when the attacker disclosed it, against a 4.44 million dollar average across all breach types.

Sophos’s 2025 State of Ransomware research put the average recovery cost, ransom aside, at 1.53 million dollars globally.

Recovery is the cost that lands whether or not anyone pays.

The sharper angle is insurance.

In Travelers v. International Control Services, the insurer moved to rescind a cyber policy because the company had attested to MFA it hadn’t fully deployed.

The policy was rescinded.

The breach didn’t have to be caused by the gap because the misrepresentation at underwriting was enough.

The City of Hamilton saw its claim denied in 2025 over MFA that wasn’t consistently in place. That left it with a multi-million dollar recovery bill. 

Exposed RDP and patchy MFA aren’t only a security risk. They can void the payout your client counted on.

Then there’s the regulatory clock.

The UK Cyber Security and Resilience Bill – introduced in November 2025 and now before the House of Lords – brings managed service providers into scope for the first time.

As drafted, it requires an initial report to the regulator within 24 hours of awareness of a significant incident and a full report within 72 hours. Plus, a duty to tell affected customers directly.

It isn’t law yet, but the direction is set.

The EU’s NIS2 already puts MSPs in scope with comparable timelines.

A ten-second intrusion you didn’t see still starts that clock, and as an MSP you may carry both the operational fallout and, through the supply chain, the reporting duty.

Redesign for the ten seconds

Stop optimising for how fast your team can react.

Start removing the conditions that let an attack finish in one move. And let automation stand in where prevention is beaten.

If you do one thing this week, audit standing local administrator rights and RDP exposure across your client base. Then, check where SMB signing and NTLM hardening actually stand.

That’s where this attack lived and it’s where the next one will too.

This is what our own telemetry showed us, plainly and without dressing it up.

We’d rather you fix the door than buy the alarm.

The ATT&CK techniques we observed

T1078 Valid Accounts (and, if relay or pass-the-hash, T1550.002 and T1557.001). T1053.005 Scheduled Task. T1059.003 Windows Command Shell. T1562.004 Disable or Modify System Firewall. T1070 Indicator Removal. T1112 Modify Registry. T1036 Masquerading. T1136.001 Create Account, Local. T1098 Account Manipulation. T1021.001 Remote Services, RDP. Staged but not observed, T1486 Data Encrypted for Impact.

Author Profile

Head of Content at Heimdal. A journalist by trade who cares about helping MSPs and security teams make better decisions, enjoy their work, and see real results.