Stolen Service Accounts Lead to Rogue Workstations and Deep AD Compromise

SentinelOne's DFIR team has responded to multiple incidents in which compromised FortiGate NGFW appliances served as the initial foothold into the target environment. Attackers gained access to the devices through vulnerabilities or weak credentials, extracted configuration files that contained service account credentials, and used those accounts to join rogue workstations to Active Directory. In one case the attacker went on to deploy remote management tools and steal the NTDS.dit file from a domain controller. The incidents highlight the need for strong access controls, patching, and improved logging on edge devices; organizations are advised to feed that telemetry into a SIEM so anomalous activity can be detected and response automated.
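The chain above has two points where a defender can act, and the following added example (not code from SentinelOne or the OTX pulse) covers both. First, a FortiGate config stores the LDAP bind password reversibly (the "set password ENC ..." lines), because the firewall must present it to the domain controller in cleartext; so once a config is known to have leaked, every account it carries credentials for must be treated as compromised and rotated. Second, with ms-DS-MachineAccountQuota at its default of 10, any authenticated domain account can create computer objects, so a bind-only LDAP account is enough to join a rogue workstation, and that join appears on the domain controller as Security event 4741 (computer account created) with the stolen account as SubjectUserName. The config excerpt, host names, account names and log records below are constructed for illustration; the parser assumes a flat FortiOS config (no nested config blocks).

```python
import re

# Constructed FortiOS configuration excerpt; hosts and account names are hypothetical.
# The LDAP bind password is stored reversibly ('set password ENC ...') because the
# firewall must present it in cleartext to the domain controller, so a leaked
# config hands the attacker a working domain identity.
FORTIGATE_CONFIG = """\
config user ldap
    edit "corp-ldap"
        set server "10.10.0.5"
        set cnid "sAMAccountName"
        set dn "DC=corp,DC=example"
        set type regular
        set username "CN=svc-fgt-ldap,OU=Service Accounts,DC=corp,DC=example"
        set password ENC AAAAexampleonlyAAAA==
    next
end
config user fsso
    edit "corp-fsso"
        set server "10.10.0.6"
        set password ENC BBBBexampleonlyBBBB==
    next
end
config system admin
    edit "admin"
        set password ENC CCCCexampleonlyCCCC==
    next
end
"""

SET_RE = re.compile(r"^set (\S+) (.*)$")


def stored_credentials(config_text):
    """Walk a flat FortiOS config and return (section, entry, username) for every
    entry that carries a stored password. username is None where the entry is not
    a directory account (local admin, FSSO collector agent)."""
    found = []
    section = entry = username = None
    has_password = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
            username, has_password = None, False
        elif line in ("next", "end"):
            if entry is not None and has_password:
                found.append((section, entry, username))
            entry, username, has_password = None, None, False
            if line == "end":
                section = None
        else:
            m = SET_RE.match(line)
            if not m:
                continue
            key, value = m.group(1), m.group(2).strip('"')
            if key == "username":
                username = value
            elif key == "password" and value.startswith("ENC "):
                has_password = True
    return found


def account_name(username):
    """Reduce the bind identity FortiOS stores (DN, DOMAIN\\user or UPN) to the
    sAMAccountName that appears as SubjectUserName in Windows Security events."""
    if username.upper().startswith("CN="):
        return username.split(",", 1)[0][3:]
    if "\\" in username:
        return username.rsplit("\\", 1)[1]
    return username.split("@", 1)[0]


# Constructed domain-controller Security log records (EventID 4741 = computer
# account created). A direct domain join by a user creates the computer object
# under that user's identity, so the creator shows up as SubjectUserName.
DC_EVENTS = [
    {"EventID": 4741, "SubjectUserName": "svc-fgt-ldap",
     "TargetUserName": "WKS-PRINT01$", "Computer": "DC01.corp.example"},
    {"EventID": 4624, "SubjectUserName": "svc-fgt-ldap", "LogonType": 3,
     "Computer": "DC01.corp.example"},
    {"EventID": 4741, "SubjectUserName": "helpdesk-jdoe",
     "TargetUserName": "LT-0451$", "Computer": "DC01.corp.example"},
]


def rogue_joins(events, compromised_accounts):
    """Return the 4741 events whose creator is one of the leaked accounts.
    A bind-only LDAP account has no business creating computer objects."""
    watch = {a.lower() for a in compromised_accounts}
    return [e for e in events
            if e["EventID"] == 4741 and e["SubjectUserName"].lower() in watch]


if __name__ == "__main__":
    creds = stored_credentials(FORTIGATE_CONFIG)
    for section, entry, user in creds:
        print(f"rotate: [{section}] {entry} -> {user or '(local/agent password)'}")
    leaked = [account_name(u) for _, _, u in creds if u]
    for e in rogue_joins(DC_EVENTS, leaked):
        print(f"ALERT 4741 on {e['Computer']}: "
              f"{e['SubjectUserName']} created {e['TargetUserName']}")
```

In a real deployment the account list would come from the appliance's actual backup and the events from the SIEM, and the same list is worth matching against 4742 (computer account changed) and 4624 logon type 3 from addresses that are not the firewall, since a bind account that suddenly authenticates from a workstation subnet is as telling as one that creates a computer object.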

Pulse ID: 69b14da61bf814f470228146
Pulse Link: https://otx.alienvault.com/pulse/69b14da61bf814f470228146
Pulse Author: AlienVault
Created: 2026-03-11 11:10:30

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Edge #InfoSec #OTX #OpenThreatExchange #RAT #SentinelOne #bot #AlienVault

LevelBlue - Open Threat Exchange
