Identity Security Division
Operation Sentinel
Active Directory Defense Expert Training: 3- to 5-Day Investigation
SNL
// Mission Briefing
On May 5, 2025, Atlas Telecom discovers that a Domain Admin account was used to access the CEO's email at 3 AM from an unauthorized workstation. Investigation reveals the compromise is 6 months old, dating back to November 2024. The adversary has had Domain Admin access the entire time. 8 million subscriber records are at risk. Mimikatz artifacts have been found. The Identity Security Division leads the forensic investigation: 18 missions through the AD tiers, from User-Base to Tier-0. Map attack paths with BloodHound, detect DCSync, analyze Golden Tickets, and plan remediation.
// Skills Acquired
Active Directory
Kerberos Attacks
LDAP Queries
Attack Path Analysis
Windows Security
BloodHound
DCSync Detection