NetSupport Intrusion Results in Domain Compromise
ID: 6e86dde7-d4e3-5418-909b-d529e255eceb
STIX ID: report--6e86dde7-d4e3-5418-909b-d529e255eceb
Feed Name: The DFIR Report
This DFIR report analyzes a January 2023 intrusion in which threat actors used a malicious ZIP containing JavaScript to drop an obfuscated PowerShell installer that deployed NetSupport RAT. The actors achieved persistence via a registry Run key and scheduled tasks, installed OpenSSH and set up a reverse SSH tunnel, and used Impacket tools, SMB, WMI, RDP and additional tooling to move laterally, dump NTDS.dit and LSASS, and stage data for exfiltration, ultimately causing a full domain compromise. The report includes network and file IOCs (domains, IPs, filenames, hashes), the tactics and techniques observed, and recommended detection artifacts.
