I would presume that the attacker was able to obtain Domain Admin / Enterprise Admin rights before they deployed the payload, then they just steamrolled over everything.
The one of these that I got called in to clean up after literally had a batch file on Domain Controllers w/ a text file of computer names for a FOR loop launching the malware on computer-after-computer with "psexec". It was decidedly non-sophisticated. The attacker compromised a Domain Admin account and then they were set.