Bypass Record

Exploitation for Priv-Esc × Microsoft Active Directory

A publicly-reported instance of Exploitation for Priv-Esc bypassing Microsoft Active Directory, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Microsoft Active Directory
Technique
Exploitation for Priv-Esc
MITRE ATT&CK
T1068
Confidence
Medium
Severity
Critical
Status
in the wild
Disclosed
2026-05-22
Config / version noted
Not stated

Provenance

Reported as

Confluence credentials were used for NTLM relay attacks against Active Directory, bypassing endpoint controls.

Mechanism

Initial access came through a compromised F5 BIG-IP running an end-of-life version, which gave the attacker SSH access to an internal Linux host using a privileged account. Reconnaissance from that host (port scanning and web screenshotting) identified an unpatched Confluence server, which the attacker exploited for remote code execution. Confluence credentials were then used for NTLM relay attacks against Active Directory, bypassing endpoint controls.

Detection & mitigation

Monitor SSH connections from edge devices to internal hosts, especially those using privileged accounts. Detect Nmap scans, gowitness usage, and NTLM relay tooling (e.g., Responder, ntlmrelayx) via endpoint and network telemetry. Enforce patch management for edge appliances and for self-hosted web applications such as Confluence. Independently of the cited source, the standard countermeasures to NTLM relay against AD services are to require LDAP signing and channel binding on domain controllers and SMB signing on member servers, so that a relayed authentication cannot be used to open a session.
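The first two detection points above (privileged SSH from an edge appliance, and scan-like fan-out from the newly reached internal host) can be checked directly against ordinary sshd and flow logs. The following is an added example written for this record, not code from the cited source; the edge-device IP set, the privileged-account set, the sshd `Accepted` line format and the flow-log layout (`ts src dst dport proto`) are assumptions, and the log lines are constructed.

```python
"""Detection sketch for two early-stage signals in this record:
privileged SSH logins arriving from edge appliances, and port-scan-like
fan-out from one internal source.  Added example; all log lines are
constructed, not taken from the cited source."""
import re
from collections import defaultdict

# Assumption: the defender keeps an inventory of edge-appliance management
# addresses (here, the BIG-IP) and of accounts treated as privileged on
# Linux hosts.  Both sets are illustrative.
EDGE_DEVICE_IPS = {"10.0.0.5"}
PRIVILEGED_USERS = {"root", "admin"}

# Standard sshd success line, e.g.
# "May 22 03:14:07 app01 sshd[2211]: Accepted password for root from 10.0.0.5 port 51234 ssh2"
SSH_ACCEPT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

# Assumed flow-log layout: "<timestamp> <src> <dst> <dport> <proto>"
FLOW = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<dport>\d+) (?P<proto>\w+)$"
)


def find_edge_ssh_logins(lines):
    """Return (ts, host, user, src) for every successful SSH login that both
    originates from an edge-device IP and uses a privileged account.
    Failed logins and logins from other sources are ignored."""
    hits = []
    for line in lines:
        m = SSH_ACCEPT.match(line)
        if m and m["src"] in EDGE_DEVICE_IPS and m["user"] in PRIVILEGED_USERS:
            hits.append((m["ts"], m["host"], m["user"], m["src"]))
    return hits


def find_port_scans(lines, threshold=20):
    """Map each source IP that touched more than `threshold` distinct
    (dst, dport) pairs to that count.  A crude Nmap-style fan-out signal;
    tune the threshold to the environment's normal east-west traffic."""
    seen = defaultdict(set)
    for line in lines:
        m = FLOW.match(line)
        if m:
            seen[m["src"]].add((m["dst"], int(m["dport"])))
    return {src: len(pairs) for src, pairs in seen.items() if len(pairs) > threshold}


# Constructed sample logs -------------------------------------------------
SAMPLE_SSH_LOG = [
    "May 22 03:14:07 app01 sshd[2211]: Accepted password for root from 10.0.0.5 port 51234 ssh2",
    "May 22 03:15:02 app01 sshd[2230]: Accepted publickey for deploy from 10.0.5.9 port 40211 ssh2",
    "May 22 03:15:40 app01 sshd[2244]: Failed password for root from 10.0.0.5 port 51300 ssh2",
]

# One host sweeping 30 ports on a neighbour, plus a benign client hitting 3 ports.
SAMPLE_FLOW_LOG = [
    f"2026-05-22T03:20:{i:02d}Z 10.0.1.20 10.0.1.30 {port} tcp"
    for i, port in enumerate(range(1, 31))
] + [
    "2026-05-22T03:21:00Z 10.0.1.21 10.0.1.30 22 tcp",
    "2026-05-22T03:21:01Z 10.0.1.21 10.0.1.30 443 tcp",
    "2026-05-22T03:21:02Z 10.0.1.21 10.0.1.30 8090 tcp",
]

if __name__ == "__main__":
    for hit in find_edge_ssh_logins(SAMPLE_SSH_LOG):
        print("privileged SSH from edge device:", hit)
    for src, n in find_port_scans(SAMPLE_FLOW_LOG).items():
        print(f"scan-like fan-out from {src}: {n} distinct dst/port pairs")
```

Both checks depend on inventory data the SIEM must already hold (which addresses are edge appliances, which accounts are privileged); without that, the SSH rule degrades to "any root login", which is too noisy to act on.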


This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.