Summary

  • The command and control (C2) server used by the threat actor, along with its corresponding public IP address, has been reported publicly and is being scanned and probed by other threat actors.
  • The actor has used a variety of tools to exploit the Server Message Block (SMB) protocol and remote management tools.
  • The actor has used a variety of techniques to maintain a presence on the compromised servers, including running privileged commands and installing malicious binaries that can be executed directly from the C2 server.
  • Some of the binaries are compiled with options that make them more resistant to analysis.
  • The actor has used several common and simple techniques to attempt to exploit vulnerable servers, including scanning for vulnerable servers with a variety of tools and attempting to authenticate to the compromised servers with a variety of techniques, including default and common credentials.

By Mohamed Eletreby