So a customer has been breachified, we got to watch it through CrowdStrike in real-time. They just closed out all our notes and investigations as false positives, but yo something is taking screenshots on all your hosts and has access to your domain controller. Maaaaaybe take a looksie.
@dr_zooks cool post.
Kinda sounds like an exercise they're not telling us about. They're pretty passive about it.