Why attackers love your ADCS server (and what to do about it)

Certificate Services misconfigurations are one of the fastest paths to domain admin in SMB environments. Here's what ESC1 and ESC8 mean for your org — and why your current AV won't catch it.

Active Directory Certificate Services (ADCS) has been a staple of Windows environments for decades. For most IT teams, it quietly issues certificates and stays out of the way. For attackers, it's a skeleton key.

What's the actual problem?

ADCS misconfigurations — categorized as ESC1 through ESC15 — let attackers request certificates that impersonate privileged accounts. ESC1, the most common, is a certificate template that any domain user can enroll in and that lets the requester choose the subject name, so a low-privileged user can request a certificate that authenticates as a domain admin. No exploit. No special tool. Just a misconfigured template that's been sitting there since the server was stood up.

"We've run assessments where ESC1 was exploitable within 8 minutes of getting an unprivileged user account. The org had no idea the template existed."

ESC8 is worse

ESC8 combines NTLM relay with ADCS. An attacker coerces a domain controller into authenticating to them, relays that auth to the ADCS HTTP enrollment endpoint, and gets a certificate for the DC's machine account. From there, it's a straight line to DCSync and full domain takeover.

What to check right now

  • Run Certify or Certipy against your ADCS environment and look for ESC1–ESC8 findings
  • Audit certificate templates — anything with "Enrollee Supplies Subject" enabled is a red flag
  • Disable HTTP enrollment on ADCS if you don't need it (kills ESC8 relay path)
  • Enable EPA (Extended Protection for Authentication) on IIS

NTLM relay attacks are still wrecking credit unions in 2026

NTLM is old. The attacks that abuse it are older. And yet most community financial institutions are still wide open. Here's the plain-English breakdown of what's happening and how to stop it.

NTLM is a Windows authentication protocol from the early 90s. Microsoft has been trying to deprecate it for years. And yet in most SMB Active Directory environments, it's still running — and still being exploited.

How relay attacks work

When a Windows machine authenticates to a network resource with NTLM, the two sides exchange a challenge and a response computed from the machine's password hash. An attacker who can get that machine to authenticate to them simply forwards (relays) that exchange to a different service — impersonating the victim machine without ever cracking a password.

Coercion techniques like PetitPotam and PrinterBug let attackers force machines to initiate NTLM auth to an attacker-controlled listener. No user interaction required.

Why credit unions are exposed

  • Legacy line-of-business software often requires NTLM — disabling it breaks things
  • Flat network architectures mean an attacker on any VLAN can relay freely
  • SMB signing is frequently disabled on file servers for "performance reasons"
  • LDAP signing and channel binding are often not enforced on domain controllers

The three-step fix

Enable and require SMB signing across all domain-joined machines (signing that is merely supported does not stop relay), enforce LDAP signing and channel binding on your DCs, and block outbound NTLM to external hosts at the firewall. That alone removes most relay paths without breaking legacy apps.
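To verify the first two steps on a given host, here is an added example (not from the original post or any vendor tooling). It assumes Windows PowerShell 5.1 or later with the SmbShare module, run as an administrator on each DC and file server; the caveat it encodes is that signing must be required, since "supported" signing does nothing against relay.

```powershell
function Get-RelayHardeningStatus {
    $smbServer = Get-SmbServerConfiguration
    $smbClient = Get-SmbClientConfiguration
    # DomainRole 4 = backup DC, 5 = primary DC (Win32_ComputerSystem)
    $isDC = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

    # LDAPServerIntegrity: 2 = require signing (anything else = not enforced)
    # LdapEnforceChannelBinding: 0 = never, 1 = when supported, 2 = always
    $ldapSigning = 'n/a'; $ldapCbt = 'n/a'
    if ($isDC) {
        $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
        $ldapSigning = ([int]$p.LDAPServerIntegrity -eq 2)
        $ldapCbt     = ([int]$p.LdapEnforceChannelBinding -eq 2)
    }

    [pscustomobject]@{
        Host                     = $env:COMPUTERNAME
        IsDomainController       = $isDC
        SmbServerSigningRequired = [bool]$smbServer.RequireSecuritySignature
        SmbClientSigningRequired = [bool]$smbClient.RequireSecuritySignature
        LdapSigningRequired      = $ldapSigning
        LdapChannelBindingAlways = $ldapCbt
    }
}

$status = Get-RelayHardeningStatus
$status | Format-List

# Turn each gap into a warning that names the setting closing it.
$gaps = @()
if (-not $status.SmbServerSigningRequired) {
    $gaps += 'SMB server signing only supported, not required: Set-SmbServerConfiguration -RequireSecuritySignature $true'
}
if (-not $status.SmbClientSigningRequired) {
    $gaps += 'SMB client signing not required: Set-SmbClientConfiguration -RequireSecuritySignature $true'
}
if ($status.IsDomainController -and $status.LdapSigningRequired -ne $true) {
    $gaps += 'LDAPServerIntegrity is not 2: LDAP signing not enforced on this DC'
}
if ($status.IsDomainController -and $status.LdapChannelBindingAlways -ne $true) {
    $gaps += 'LdapEnforceChannelBinding is not 2: LDAP channel binding not enforced on this DC'
}
# The third step, blocking outbound NTLM to external hosts, is firewall policy, not a host setting.
if (-not $gaps) { Write-Host 'SMB and LDAP relay mitigations are enforced on this host.' }
$gaps | ForEach-Object { Write-Warning $_ }
```

Roll the same settings out fleet-wide through Group Policy rather than per host; this script is the spot check that the policy actually landed.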


The ransomware playbook attackers run on SMBs — step by step

Most ransomware groups follow the same internal AD attack chain. Knowing the steps lets you break the chain. This is what it looks like from the inside.

Ransomware operators are not running zero-days against SMBs. They're running the same repeatable playbook, over and over, because it works. Here's the chain — and where you can break it.

Step 1: Initial access

Phishing is still the most common entry point. One credential, one VPN account without MFA, one RDP endpoint exposed to the internet. That's all it takes to get a foothold as a low-privileged domain user.

Step 2: Internal recon

Once inside, attackers run BloodHound to map the domain. They're looking for Kerberoastable service accounts with weak passwords, users with unconstrained delegation, and paths to privileged groups.

Step 3: Domain admin

They crack the Kerberoasted hash offline. Or they find an ESC1 misconfiguration. Or they relay NTLM to a DC. There are a dozen paths — they only need one.

The average time from initial access to domain admin in SMB environments is under 4 hours. Most orgs don't detect it for weeks.

Where to break the chain

  • MFA on VPN and remote access kills most initial access vectors
  • Tiered admin model limits blast radius if a low-priv account is compromised
  • Offline, air-gapped backups survive domain-wide encryption
  • Regular AD assessments catch the escalation paths before attackers do
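The two recon findings named in Step 2, checked from the defender's side. This is an added example, not part of the original post; it assumes the ActiveDirectory RSAT module on a domain-joined host, and the 365-day password-age threshold is an assumed value to adjust to your rotation policy.

```powershell
Import-Module ActiveDirectory
$staleBefore = (Get-Date).AddDays(-365)   # assumed threshold; adjust to your rotation policy

# 1. Kerberoastable accounts: user objects with an SPN (krbtgt excluded). A long-lived
#    password on one of these is what gets cracked offline in Step 3.
$spnUsers = Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
    -Properties ServicePrincipalName, PasswordLastSet, AdminCount
$kerberoastable = foreach ($u in $spnUsers) {
    $old     = (-not $u.PasswordLastSet) -or ($u.PasswordLastSet -lt $staleBefore)
    $ageDays = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { -1 }
    [pscustomobject]@{
        Account         = $u.SamAccountName
        Privileged      = ($u.AdminCount -eq 1)   # adminCount=1 marks protected-group members
        PasswordAgeDays = $ageDays                # -1 = never set
        Risk            = $(if ($old) { 'long-lived password: rotate or move to a gMSA' } else { 'ok, keep rotating' })
        SPNs            = ($u.ServicePrincipalName -join ', ')
    }
}

# 2. Unconstrained delegation: a non-DC host with this bit holds forwarded TGTs of every
#    account that authenticates to it, so it is an escalation hop. 524288 (0x80000) =
#    TRUSTED_FOR_DELEGATION, 8192 (0x2000) = SERVER_TRUST_ACCOUNT (a DC, excluded here).
$unconstrained = Get-ADComputer -LDAPFilter '(&(userAccountControl:1.2.840.113556.1.4.803:=524288)(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))' `
    -Properties OperatingSystem |
    Select-Object Name, OperatingSystem

$kerberoastable | Sort-Object Privileged, PasswordAgeDays -Descending | Format-Table -AutoSize -Wrap
$unconstrained  | Format-Table -AutoSize
```

Anything privileged in the first table, or any server in the second, is a path BloodHound will also show; fix those before the next assessment rather than after.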

What NCUA examiners are actually looking for in 2026

NCUA cyber exam focus has shifted. Here's what credit union IT teams are getting flagged on — and how a penetration test helps you get ahead of it.

NCUA's cybersecurity examination program has matured significantly. Examiners aren't just checking if you have a firewall and an incident response plan anymore. They want evidence that your controls actually work.

What's getting flagged

  • Lack of documented penetration testing — and no evidence of remediation
  • No privileged access management strategy (shared admin accounts are still everywhere)
  • Weak MFA implementation — SMS-based MFA no longer satisfies many field offices
  • Inability to demonstrate network segmentation in practice, not just on paper

How a pentest helps

A scoped penetration test — especially one that maps findings to NCUA's cybersecurity maturity framework — gives you a documented artifact that shows examiners you're proactively testing your controls. Our reports are structured to be examiner-friendly by design.

We've had clients use ThreatForged assessment reports directly in NCUA exam responses. The finding-plus-remediation format maps cleanly to examiner expectations.