@trekkie1701c
Do you remember the SolarWinds incidents? Not exactly the same, as it's primarily network monitoring rather than security.
However, that means it often has access to at least enumerate a bunch of internal infrastructure and potentially run batches of commands on managed switches.
Windows + SQL Server and their own update mechanism delivered executables that were already infected.