ARC Labs Blog

SERVICES:

Threat Hunting Symbol (overlapping squares with red and black outlines) Threat Hunting Managed Detection Symbol (overlapping squares with red and black outlines) Managed Detection And Response

Remote Support to Ransomware Foothold: Stopping a Pre-Ransomware Intrusion

  • John Dwyer Photo

John Dwyer and Eric Gonzalez

The Difference Between an Alert and a Detection

Most of what this attacker did looked completely normal.

They authenticated with valid credentials. They accessed systems through a trusted remote support platform. They ran tools that IT administrators use every day. Individually, none of it would have raised a flag worth acting on. That's the point.

This is the story of an intrusion that moved from initial access to credential harvesting in a single session, and how Binary Defense stopped it before ransomware was ever deployed. Not because any single alert was alarming, but because the sequence of behavior told a story that couldn't be ignored.

An alert tells you something happened. A detection tells you what the attacker is trying to do. In March 2026, Binary Defense identified and disrupted a hands-on-keyboard intrusion stemming from a compromised remote support account. What began as a routine endpoint alert escalated into a multi-host compromise involving unauthorized remote access, privilege escalation attempts, and credential harvesting activity. The attacker leveraged a legitimate remote support platform to blend into normal operations, deployed secondary access tooling, and attempted to stage credential dumping utilities, including NetExec (nxc) with LSASS-focused capabilities.

While no ransomware was ultimately deployed, the observed behavior strongly aligned with pre-ransomware tradecraft, including:

  • Establishment of persistent remote access
  • Internal reconnaissance and security tool enumeration
  • Local administrator creation attempts
  • Credential access preparation via LSASS tooling
Binary Defense identified the activity early, escalated within minutes, and coordinated containment actions that prevented privilege escalation and potential ransomware deployment.

Initial Access: Why Break In When You Have a Key to the Front Door?

Financially motivated adversaries, supported by a growing infostealer ecosystem, continue to leverage Valid Accounts for initial access. In this case, the intrusion originated from the compromise of an internet-facing SimpleHelp technician account, providing the attacker with authenticated access to a legitimate remote support platform.

The adoption of Valid Accounts and Remote Access Tools has introduced significant complexity in threat detection, particularly when those tools serve legitimate purposes within the environment.

Instead of exploiting a vulnerability or deploying an implant to establish a command-and-control channel, the attacker was able to:

  • Authenticate successfully using valid credentials
  • Access internal systems through a trusted RMM channel
  • Operate using legitimate tooling already permitted in the environment

This type of access is particularly dangerous because it:

  • Bypasses traditional perimeter defenses
  • Blends with normal IT activity
  • Limits the effectiveness of exploit- and C2-framework-based detections

That framing matters for everything that follows. When the credentials are valid and the tools are legitimate, detection shifts away from "what is this?" and toward "why is this happening now, in this sequence?"

One Tool, One Question: Is This Worth It?

Initially, the attacker executed Advanced IP Scanner, a common network reconnaissance tool used by both attackers and system administrators for network discovery tasks. Typically, it appears as part of a broader Discovery phase, but in this case, the scan output appears to have been used to answer a more fundamental question first: is this environment worth the effort?

The scope of the network, the number of reachable hosts, the presence of high-value targets, all of it becomes visible with a single scan. The attacker appears to have used that information to decide to proceed, because shortly after, the operation shifted from observation to action.

Redundancy Before Ransomware

With a decision made to move forward, the attacker quickly established persistence. Binary Defense immediately identified the behaviors and escalated for response.

Two mechanisms were attempted:

1. Secondary Remote Access via MeshCentral

  • Installed via mac.exe --fullinstall
  • Deployed MeshAgent.exe
  • Created scheduled task (MeshUserTask)
  • Established outbound communication to attacker-controlled infrastructure

This provided a redundant access channel, or better put, insurance against losing the compromised SimpleHelp account if it was discovered and revoked.

2. Local Administrative Account Creation

The attacker attempted to create a local account (support) and add it to the Administrators group:

  • net user support /add
  • net localgroup administrators support /add

Two independent footholds, both established before any significant movement. It also points to something important about where to focus detection efforts: persistence has to work. It has to survive reboots and credential rotations and reliably call home. That reliability is exactly what makes it a more stable detection surface than initial access, which shifts constantly.

Mapping the Environment Before Moving Through It

With persistence in place, the attacker shifted into structured discovery, notably still operating through SimpleHelp's interactive shell rather than the newly deployed Mesh agent. That choice suggests deliberate compartmentalization: keep the newer foothold quiet while using the established channel for noisier enumeration activity.

Binary Defense observed the attacker execute the following commands:

Command

Purpose

wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName,productState

Identification of endpoint defenses

nltest /dclist

Enumerate list of domain controllers

net session

Enumerate active sessions on host

reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64

Query the current state of the Software Inventory Logging feature in the Windows registry

Each command answers a specific operational question: What security tools are present? Where are the domain controllers? Who else is active on this machine? Is software inventory logging enabled? This isn’t a threat actor exploring; it's them following a checklist. And checklists point toward an operator who has done this before.

Same Playbook, New Hosts

While Binary Defense was coordinating with the client on response, the attacker used their access via the compromised SimpleHelp account to reach additional systems. On each new host, the same sequence played out:

  • Installed Mesh Agent
  • Created local accounts
  • Performed system discovery commands

The playbook didn't change. The attacker was scaling, not improvising. That consistency is actually useful from a detection standpoint, behavioral patterns that repeat across hosts within a short time window are significantly easier to correlate and act on than isolated, one-off events.

The Inflection Point

Following persistence and discovery, the attacker attempted to transition into credential access by deploying nxc.exe, identified as NetExec with LSASS-focused capabilities.

This is where intent becomes unambiguous. Everything up to this point carried some plausible legitimate explanation, remote access, network scanning, user enumeration. LSASS credential dumping does not. Deploying NetExec is a declaration of direction: the attacker was preparing to harvest credentials and use them to move deeper and broader across the environment. 

Execution of NetExec was blocked before it could complete, effectively cutting off that path forward. At this stage, Binary Defense had observed the intrusion progress through access, persistence, and discovery and was confident the full attack path was understood, enabling targeted containment actions that removed the attacker's access entirely.

Analyst Notes: The Full Picture

Looking back at the activity timeline, the individual behaviors are almost unremarkable. Advanced IP Scanner, SimpleHelp sessions, wmic queries, nltest... any one of these appears in normal administrative workflows. Individually, these are alerts at best, not detections.

What made this different was velocity and sequence. Remote access turned into persistence within minutes. Persistence turned into structured discovery. Discovery moved directly toward credential access. That progression, the shape of the behavior, is what transformed a series of low-signal events into a high-confidence detection.

There's also a balance to strike in how you respond. The instinct is always to shut things down immediately, but without a clear understanding of what the attacker is doing, you risk containing symptoms instead of the actual access path. In this case, allowing a short window of observation made it clear how access was established, how persistence was being maintained, and where the attack was headed. That clarity is what made containment effective.

One other thing worth calling out: initial access is getting harder to reason. Between compromised identities, RMM abuse, and constantly shifting exploit techniques, building reliable detections at that layer is difficult. Persistence isn't like that. It has to work. It has to be reliable. And because of that, it doesn't change nearly as much, making it a far more stable place to anchor detection efforts.

At the end of the day, this wasn't a ransomware incident, but it was very clearly heading in that direction. The attacker had access, persistence, and a solid understanding of the environment. The only thing they didn't have yet was time.

Detection Opportunities

The behavioral sequence in this intrusion maps to several high-confidence detection opportunities. Rather than trying to catch every possible initial access vector, defenders are better served by anchoring visibility on the behaviors that have to happen regardless of how the attacker got in.

Phase

Behavior

Detection Opportunity

Initial Access

Authenticated RMM access from unusual source or off-hours

Baseline normal authentication patterns; alert on anomalous source geography or login time

Persistence

MeshCentral installation via command line (mac.exe --fullinstall)

Alert on installation of unapproved RMM tooling; monitor for MeshAgent.exe process creation

Persistence

Scheduled task creation for MeshUserTask

Monitor scheduled task creation (Event ID 4698) for non-standard task names

Persistence

New local account creation followed immediately by admin group addition

Alert on net user /add and net localgroup administrators executed in close sequence

Discovery

wmic AntiVirusProduct query

Flag AV enumeration queries, particularly when preceded by a remote session

Discovery

nltest /dclist outside of known admin tooling

Alert on domain controller enumeration from non-standard processes or user accounts

Lateral Movement

Repeated persistence sequence across multiple hosts in a single session window

Correlate MeshAgent installations and local account creation events across hosts

Privilege Escalation

nxc.exe / NetExec execution targeting LSASS

Block or alert on LSASS-targeting credential dumping tools; monitor for NetExec process patterns

Broader recommendation: Invest in behavioral correlation across the persistence phase. The initial access vector shifts constantly; the persistence layer doesn't. Footholds that have to survive reboots and credential changes carry structural constraints that make them far more detectable than whatever technique delivered them.

MITRE ATT&CK Mapping

Technique ID

Technique Name

Observed Behavior

T1078

Valid Accounts

Compromised SimpleHelp technician credentials used for initial access

T1219

Remote Access Software

SimpleHelp and MeshCentral (MeshAgent) used for persistent remote access

T1053.005

Scheduled Task/Job: Scheduled Task

MeshUserTask created to maintain MeshCentral persistence across reboots

T1136.001

Create Account: Local Account

net user support /add executed on compromised hosts

T1098

Account Manipulation

net localgroup administrators support /add used to escalate newly created local account

T1518.001

Software Discovery: Security Software Discovery

wmic AntiVirusProduct query to enumerate endpoint defenses

T1018

Remote System Discovery

Advanced IP Scanner and nltest /dclist used to enumerate hosts and domain controllers

T1049

System Network Connections Discovery

net session used to enumerate active sessions on host

T1012

Query Registry

reg.exe query used to check Software Inventory Logging state

T1003.001

OS Credential Dumping: LSASS Memory

NetExec (nxc.exe) deployed with LSASS-focused credential dumping capabilities