"In this case the attacker was able to get a certificate and sign a fake DLL helper which was then used to get a backdoor running in the SolarWinds application and then use that to monitor the network and move laterally. It looks like Kerberoasting was the lateral movement," ...