Summary

  • A malicious actor performed a Nessus scan and an Nmap scan against two machines in a domain, enumerated file and directory information on those machines, and ran GoBuster and FFUF scans against them.
  • Many files and pieces of information were found and recorded by the actor, including usernames, group names, computer names, Windows event logs, and file hashes.
  • The actor also executed PowerShell on a domain controller and retrieved a plain-text file and a base64-encoded file containing data and commands.
  • The files were executed using the mimikatz application to obtain Access Control Lists and list all users in the domain. The actor also used RunAsCs.exe in an attempt to escalate unprivileged credentials through a pass-the-hash attack.
  • Additional logging and monitoring of remote access, especially over WinRM, is recommended. Limits should be set on who can access the system, and passwords should be monitored and rotated regularly.
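The last recommendation, turned into a small piece of detection logic: the script below is an added example, not code from the original report or its author. It walks over constructed, simplified Windows Security 4624 logon records (the dictionary keys are a stand-in for the event's Logon Type, Logon Process, Authentication Package and Source Network Address fields, not the real EVTX schema), flags network logons that do not originate from an assumed allowlist of management hosts, calls out NTLM where Kerberos is expected inside a domain, and flags the Logon Type 9 (NewCredentials) logon through the `seclogo` process that `runas /netonly` and mimikatz-style pass-the-hash both produce. The allowlist `MANAGEMENT_HOSTS` and the sample records are assumptions made for the example.

```python
"""Flag suspicious remote logons in a small set of constructed Windows 4624 records.

Added illustrative code; the records below are constructed for the example and
use simplified field names rather than the real Security event schema.
"""

# Assumed allowlist of hosts from which WinRM / remote administration is expected.
MANAGEMENT_HOSTS = {"10.0.0.50"}

# Constructed sample events (simplified 4624 fields; not real log data).
SAMPLE_EVENTS = [
    # Kerberos network logon from the admin jump host: expected, not flagged.
    {"EventID": 4624, "Computer": "DC01", "LogonType": 3, "AuthPackage": "Kerberos",
     "LogonProcess": "Kerberos", "TargetUser": "jsmith", "SourceIp": "10.0.0.50"},
    # NTLM network logon to the DC from a workstation subnet: two findings.
    {"EventID": 4624, "Computer": "DC01", "LogonType": 3, "AuthPackage": "NTLM",
     "LogonProcess": "NtLmSsp", "TargetUser": "svc_backup", "SourceIp": "10.0.5.23"},
    # NewCredentials logon via seclogo: runas /netonly or pass-the-hash pattern.
    {"EventID": 4624, "Computer": "WS07", "LogonType": 9, "AuthPackage": "Negotiate",
     "LogonProcess": "seclogo", "TargetUser": "helpdesk", "SourceIp": "-"},
    # Interactive console logon: out of scope for this check.
    {"EventID": 4624, "Computer": "WS07", "LogonType": 2, "AuthPackage": "Negotiate",
     "LogonProcess": "User32", "TargetUser": "helpdesk", "SourceIp": "-"},
]


def classify(event):
    """Return a list of human-readable reasons why this logon event is suspicious.

    An empty list means the event matched none of the rules.
    """
    reasons = []
    if event.get("EventID") != 4624:
        return reasons

    # Rule 1: network logons (type 3, which covers WinRM, SMB, RPC) should come
    # only from known management hosts.
    if event["LogonType"] == 3 and event["SourceIp"] not in MANAGEMENT_HOSTS:
        reasons.append("network logon from non-management host")
        # Rule 2: inside a domain, NTLM to a DC is unusual; Kerberos is expected.
        if event["AuthPackage"] == "NTLM":
            reasons.append("NTLM network logon (Kerberos expected inside the domain)")

    # Rule 3: LogonType 9 + seclogo + Negotiate is the classic indicator for
    # runas /netonly and for pass-the-hash tooling that injects alternate credentials.
    if (event["LogonType"] == 9
            and event["LogonProcess"].lower() == "seclogo"
            and event["AuthPackage"] == "Negotiate"):
        reasons.append("NewCredentials logon via seclogo (runas /netonly or pass-the-hash pattern)")

    return reasons


def triage(events):
    """Return one finding record per flagged event, preserving input order."""
    report = []
    for event in events:
        reasons = classify(event)
        if reasons:
            report.append({
                "computer": event["Computer"],
                "user": event["TargetUser"],
                "source": event["SourceIp"],
                "reasons": reasons,
            })
    return report


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"{finding['computer']} {finding['user']} from {finding['source']}: "
              + "; ".join(finding["reasons"]))
```

Event 4624 alone does not say whether a network logon arrived over WinRM; in practice the findings above would be joined against the Microsoft-Windows-WinRM/Operational channel (and PowerShell script-block logging) by time and source address to confirm the remote-access path the summary recommends monitoring.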

By Maverick

Original Article