This is part of our ongoing blog series breaking down the use cases in the 2025 2H CyOps ECHO report.
There’s a seductive assumption in cybersecurity: that sophisticated attackers require sophisticated defenses, and that simple, well-known techniques belong to amateurs. The FortiGate use case from 2025 dismantles that assumption cleanly.
A retail organization experienced what Cynet’s CyOps team assessed as a pre-ransomware intrusion. The attackers didn’t deploy novel zero-days or custom implants. They used a publicly known vulnerability in an unpatched perimeter device — and then relied almost entirely on tools already present in the environment.

Entry: The Unpatched Perimeter
The initial access came through an unpatched FortiGate firewall. In the months preceding this incident, FortiGate devices had become a primary target across the industry — mass credential leaks and exploit campaigns had turned them into a well-documented entry point. This organization had not yet applied the relevant patches. That single gap was all it took.
Attack Timeline
- Step 1 — Initial Access: Threat actor exploits unpatched FortiGate firewall vulnerability to gain a foothold inside the network perimeter.
- Step 2 — Privilege Enumeration (Blocked by Cynet): Attempt to enumerate the ‘Domain Admins’ group via RDP to identify high-value accounts for lateral movement. Blocked.
- Step 3 — RDP Pre-Auth Manipulation (Blocked by Cynet): Registry modification attempted, setting UserAuthentication to 0 to allow RDP interaction with the Windows login screen before authentication.
- Step 4 — Persistence and Privilege Escalation (Blocked by Cynet): File drop for persistence fails; WMI commands attempted to add a rogue ‘admin$’ user and enable Restricted Admin mode.

The Living-Off-the-Land Playbook
Living off the Land (LotL) is one of the oldest evasion strategies in the attacker playbook. In 2025, it remained one of the most effective. Rather than dropping detectable malware, the attacker uses legitimate tools and features already present on the target system. Their traffic blends with normal administrative activity. Alerts that might trigger on known malicious signatures simply don’t fire.
In this case, the attacker used net group to enumerate Domain Admins, reg add to modify RDP authentication settings via the registry, and wmic to attempt adding a rogue administrator account. None of these commands require external tooling — they are built into every Windows installation and used by legitimate administrators every day.
The challenge for defenders isn’t recognizing the tool — it’s recognizing the context in which it’s being used.
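To make the "context, not the tool" point concrete, the following is an added Python example (not Cynet's code and not taken from the report) that runs three detection rules over constructed process-creation events, flattened into a Sysmon Event ID 1 / Security 4688 style key=value format. The host names, user names, the log layout and the list of expected admin jump hosts are all assumptions; the commands themselves are the three the case describes (net group against Domain Admins, reg add on the RDP-Tcp UserAuthentication value, and wmic used to create a user). The same Domain Admins enumeration command yields a different severity depending on the host it was run from, and a host showing more than one technique is reported as a chain.

```python
"""Flag living-off-the-land command lines like those in the CyOps case.

Added example, not Cynet's code. The log format, host names, user names
and the admin jump-host allowlist are constructed assumptions.
"""
import re
from dataclasses import dataclass

# Constructed process-creation events (Sysmon ID 1 / Security 4688 style,
# flattened to key=value pairs). Not telemetry from the real incident.
SAMPLE_EVENTS = [
    'Host=JUMP01 User=CORP\\jsmith Parent=C:\\Windows\\explorer.exe '
    'CommandLine=net group "Domain Admins" /domain',
    'Host=POS-SRV07 User=CORP\\svc_backup Parent=C:\\Windows\\System32\\cmd.exe '
    'CommandLine=net group "Domain Admins" /domain',
    'Host=POS-SRV07 User=CORP\\svc_backup Parent=C:\\Windows\\System32\\cmd.exe '
    'CommandLine=reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server'
    '\\WinStations\\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f',
    'Host=POS-SRV07 User=CORP\\svc_backup Parent=C:\\Windows\\System32\\cmd.exe '
    'CommandLine=wmic process call create "net user admin$ <redacted> /add"',
    'Host=JUMP01 User=CORP\\jsmith Parent=C:\\Windows\\explorer.exe '
    'CommandLine=ipconfig /all',
]

# Hosts where interactive domain administration is expected (assumption).
ADMIN_JUMP_HOSTS = {"JUMP01"}

EVENT_RE = re.compile(r"Host=(\S+) User=(\S+) Parent=(\S+) CommandLine=(.*)")


@dataclass
class Finding:
    host: str
    user: str
    technique: str
    severity: str
    command: str


# Each rule: (technique name, regex applied to the lower-cased command line).
RULES = [
    ("domain-admins-enumeration",
     re.compile(r'\bnet1?\s+group\s+"?domain admins"?')),
    # UserAuthentication=0 under RDP-Tcp turns off Network Level Authentication.
    ("rdp-nla-disabled",
     re.compile(r"\breg\s+add\b.*rdp-tcp.*\buserauthentication\b.*\s/d\s+0\b")),
    ("wmic-user-creation",
     re.compile(r"\bwmic\b.*net\s+user\s+\S+.*\s/add\b")),
]


def parse_event(line):
    """Split one flattened event into its fields; None if it does not parse."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    host, user, parent, cmd = m.groups()
    return {"host": host, "user": user, "parent": parent, "cmd": cmd}


def assess(event):
    """Return a Finding if the command line matches a rule, else None.

    Context sets severity: Domain Admins enumeration from an expected admin
    host is 'review'; the same command from any other host is 'high'. The
    registry and user-creation rules are 'high' regardless of host, since
    routine administration does not disable NLA or create an 'admin$' user.
    """
    cmd = event["cmd"].lower()
    for name, pattern in RULES:
        if pattern.search(cmd):
            severity = "high"
            if name == "domain-admins-enumeration" and event["host"] in ADMIN_JUMP_HOSTS:
                severity = "review"
            return Finding(event["host"], event["user"], name, severity, event["cmd"])
    return None


def scan(lines):
    """Run every parseable event through assess() and collect the findings."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        f = assess(ev)
        if f is not None:
            findings.append(f)
    return findings


def hosts_with_chain(findings, min_techniques=2):
    """Hosts showing more than one distinct technique: the multi-step chain a
    pre-ransomware intrusion leaves, which no single alert shows on its own."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.technique)
    return sorted(h for h, t in by_host.items() if len(t) >= min_techniques)


if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f.severity:6}] {f.host} {f.user} {f.technique}: {f.command}")
    print("hosts with a multi-step LotL chain:", hosts_with_chain(results))
```

Run against the constructed events, the enumeration from JUMP01 is marked for review, the identical command from POS-SRV07 is high, the registry change and the wmic user creation are high, ipconfig produces nothing, and POS-SRV07 is the only host reported as a chain. In a real deployment the allowlist would come from an asset inventory and the parent process and logon type would feed the severity decision as well; the rule bodies stay the same.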
Most Commonly Abused RMM Tools in 2025
- MeshAgent and DWAgent
- AnyDesk and TeamViewer
- ScreenConnect and RustDesk
- Atera
Why Simple Still Works
This case carries a message that experienced security professionals sometimes resist: technical sophistication is not required for success. The barriers to entry for cybercrime have collapsed dramatically, and attackers have learned to maximize the effectiveness of basic techniques.
The retail attacker’s approach was methodical rather than brilliant. Gain entry through a known, unpatched vulnerability. Enumerate the environment using built-in tools. Attempt to modify just enough to get persistent, privileged access. Avoid introducing any file that would trigger signature-based detection.
In environments with robust MDR monitoring, these techniques get caught — as they were here. In environments where monitoring coverage is thin, or where alerts are handled reactively rather than in real time, the story ends differently.
Key Takeaway
Attackers don’t need to be clever when their targets are unpatched. A single vulnerable perimeter device, combined with LotL techniques and Windows native tooling, is sufficient to reach Domain Admin territory. Effective detection depends not on recognizing malicious tools, but on recognizing malicious behavior patterns in the use of legitimate ones. Behavior-based detection — not just signature-based — is the key differentiator.