This is part of our ongoing blog series breaking down the use cases in the 2025 2H CyOps ECHO report. Download the complete report here.
There’s a seductive assumption in cybersecurity: that sophisticated attackers require sophisticated defenses, and that simple, well-known techniques belong to amateurs. The FortiGate use case from 2025 dismantles that assumption cleanly.
A retail organization experienced what Cynet’s CyOps team assessed as a pre-ransomware intrusion. The attackers didn’t deploy novel zero-days or custom implants. They used a publicly known vulnerability in an unpatched perimeter device — and then relied almost entirely on tools already present in the environment.

The initial access came through an unpatched FortiGate firewall. In the months preceding this incident, FortiGate devices had become a primary target across the industry — mass credential leaks and exploit campaigns had turned them into a well-documented entry point. This organization had not yet applied the relevant patches. That single gap was all it took.
Attack Timeline

Living off the Land (LotL) is one of the oldest evasion strategies in the attacker playbook. In 2025, it remained one of the most effective. Rather than dropping detectable malware, the attacker uses legitimate tools and features already present on the target system. Their traffic blends with normal administrative activity. Alerts that might trigger on known malicious signatures simply don’t fire.
In this case, the attacker used net group to enumerate Domain Admins, reg add to modify RDP authentication settings via the registry, and wmic to attempt adding a rogue administrator account. None of these commands require external tooling — they are built into every Windows installation and used by legitimate administrators every day.
The challenge for defenders isn’t recognizing the tool — it’s recognizing the context in which it’s being used.
This case carries a message that experienced security professionals sometimes resist: technical sophistication is not required for success. The barriers to entry for cybercrime have collapsed dramatically, and attackers have learned to maximize the effectiveness of basic techniques.
The retail attacker’s approach was methodical rather than brilliant. Gain entry through a known, unpatched vulnerability. Enumerate the environment using built-in tools. Attempt to modify just enough to get persistent, privileged access. Avoid introducing any file that would trigger signature-based detection.
In environments with robust MDR monitoring, these techniques get caught — as they were here. In environments where monitoring coverage is thin, or where alerts are handled reactively rather than in real time, the story ends differently.
Attackers don’t need to be clever when their targets are unpatched. A single vulnerable perimeter device, combined with LotL techniques and Windows native tooling, is sufficient to reach Domain Admin territory. Effective detection depends not on recognizing malicious tools, but on recognizing malicious behavior patterns in the use of legitimate ones. Behavior-based detection — not just signature-based — is the key differentiator.
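The context-over-tool point made above (and the behavior-based detection the conclusion calls for) can be shown as a small correlation rule. This is an added example, not Cynet's or CyOps' own detection logic: it parses constructed Sysmon-style process-creation lines (hostnames, accounts and timestamps are invented), tags the three LotL steps named in the post, and only escalates when several distinct steps come from the same host and account inside a short window, so a lone, routine `net group` query by an admin stays low severity.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
EVENTS = [
    '2025-09-12T02:14:05Z host=RTL-DC01 user=RETAIL\\svc_backup cmd=net group "Domain Admins" /domain',
    '2025-09-12T02:16:41Z host=RTL-DC01 user=RETAIL\\svc_backup cmd=reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f',
    '2025-09-12T02:19:03Z host=RTL-DC01 user=RETAIL\\svc_backup cmd=wmic process call create "net user helpdesk2 <redacted> /add"',
    '2025-09-12T10:02:17Z host=RTL-ADM02 user=RETAIL\\jsmith cmd=net group "Domain Admins" /domain',
]

# One pattern per LotL step described in the post: Domain Admins enumeration,
# RDP authentication change via the Terminal Server registry key, account creation via wmic.
STAGES = {
    "enum_domain_admins": re.compile(r'^net(?:1|\.exe)?\s+group\s+"?domain admins', re.I),
    "rdp_auth_registry_change": re.compile(r'^reg(?:\.exe)?\s+add\s+.*terminal server.*winstations', re.I),
    "wmic_account_add": re.compile(r'^wmic(?:\.exe)?\s+process\s+call\s+create\s+.*net\s+user\s+.*\s/add', re.I),
}

LINE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$')

def parse(line):
    """Split one constructed log line into fields and tag the LotL stage it matches, if any."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["stage"] = next((name for name, rx in STAGES.items() if rx.search(rec["cmd"])), None)
    return rec

def correlate(lines, window=timedelta(minutes=30)):
    """Return {(host, user): (severity, [stages])}. Two or more distinct stages from the
    same host and account within `window` is 'high'; a single stage is 'low' (routine admin use)."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec["stage"]:
            hits[(rec["host"], rec["user"])].append(rec)
    alerts = {}
    for key, recs in hits.items():
        recs.sort(key=lambda r: r["ts"])
        best = set()
        for i, start in enumerate(recs):  # sliding window anchored at each hit
            stages = {r["stage"] for r in recs[i:] if r["ts"] - start["ts"] <= window}
            if len(stages) > len(best):
                best = stages
        alerts[key] = ("high" if len(best) >= 2 else "low", sorted(best))
    return alerts
```

Run over `EVENTS`, the service-account chain on RTL-DC01 is rated high while the administrator's lone enumeration on RTL-ADM02 is only low.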