I guess that explains it
3 months ago, a customer's fully patched domain controller was compromised by the system account creating a domain admin account named “Quickbooks User”, then crypto-locked by the bad guys.
I was wondering how they compromised across the network, using the system account that Microsoft says can’t be accessed via a network connection.
Love to hear what you guys have seen.