> [!success]- Purely Human Written > 1. Drafting, review and edits were conducted purely by humans. > 2. The final output reflects my understanding and intended meaning at the time of publication. > 3. Zero usage of AI ## Preamble Cyber security technical write-ups are frequently presented as neat, curated reports. When I first started in the industry, I found it rare to find a write-up targeted at those who were beginning their cyber security journey  In this blog series, we’ll explore incidents I’ve responded to - sharing how threads of disparate evidence turn into a working thesis and are finally assembled into a linear report. I hope that this will allow the readers to gain an insight into the complexities of the SOC MDR Analyst role whilst understanding how the theory is applied operationally. Our first incident occurred in June 2025, which involved what was most likely a financially motivated threat actor affiliate. ## The Beginning On June 14, 2025, at 06:59:51 UTC, a number of alerts fired on a domain controller. ![[Pasted image 20260304095631.png]] From these alerts, we can draw the following inferences. - The Administrator account was the user running these commands, which included:  - Network enumeration tools - ==‘C:\ProgramData\netscan_n.exe’== - ==‘C:\ProgramData\Advanced_Port_Scanner_2.5.3869.exe’== - Used notepad.exe to open the following .txt files - ==‘C:\Windows\system32\NOTEPAD.EXE’ C:\ProgramData\AdUsers.txt== - ==‘C:\Windows\system32\NOTEPAD.EXE’ C:\ProgramData\AdComp.txt== - Disabled the firewall via netsh - ==‘C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off’== - Enumerated the domain trust relationships - ==‘C:\Windows\system32\nltest.exe" /domain_trusts’== A seasoned analyst would make containment their next step - but why? Let's break this down point by point. ## Enumeration Let's dive first into what is occurring with our suspected network enumeration tools =="C:\ProgramData\netscan_n.exe"== and =="C:\ProgramData\Advanced_Port_Scanner_2.5.3869.exe"== ![[Pasted image 20260224204351.png]] By opening the process tree up, we are presented with two helpful tibits  - The user SID, which ends in a -500 - A SHA256 and a file signature from SOFTPERFECT PTY.LTD A user SID that ends in a -500 is part of a group of well-known SIDs that identify generic groups and generic users (Further information can be found [here](https://ldapwiki.com/wiki/Wiki.jsp?page=Well-known%20Security%20Identifiers)). A -500 is the SID for the local administrator account, which is the first account created during OS install. With this tibit, we can be assured that this is indeed an Administrator account in use, rather than relying solely on the username's naming convention. Lets examine our SHA256 hash next - [fc5f82f45745385d8c0dc82caf2ad5695b1addfbf556d1e72d792835876574ce](https://www.virustotal.com/gui/file/fc5f82f45745385d8c0dc82caf2ad5695b1addfbf556d1e72d792835876574ce.). Virustotal is my goto when it comes to intelligence in relation to file hashes ![[image-7.png]] ![[image-4.png ]] Virustotal corroborates what we initially observed: this is indeed a signed network scanner from SOFTPERFECT PTY.LTD.  - Note: Just because Virtustotal presents a file as being signed with a valid signature, it does not necessarily mean that the file is legitimate in nature. Further details about files masequerading with a legitimate signature can be found here - [T1036.001](https://attack.mitre.org/techniques/T1036/001/) Examination of the ==“C:\ProgramData\Advanced_Port_Scanner_2.5.3869.exe"== also provided us with similar information as above in relation to the user and the nature of the tool being used (network enumeration tool). Now, let's pause for a second. What is a network enumeration tool?  Enumeration, or discovery, is defined by [MITRE ATT&CK](https://attack.mitre.org/tactics/TA0007/) as: Techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective.  In the cybersecurity context, enumeration is the process of conducting reconnaissance of target(s) to identify information such as open ports, usernames, passwords, hostnames, user privileges, domain relationships, etc. Combining the three words, a network enumeration tool is an attacker's tool for conducting reconnaissance and gathering information about the network. To achieve enumeration and more, threat actors frequently abuse Free and open-source software (FOSS)  tools because they work reliably and, moreover, may fly under the radar of the blue team, as these tools are legitimate system administration tools leveraged by IT admins. Our suspicions, though, are heightened here due to the folder location from which these tools are running. C:\ProgramData is a notoriously common staging area. It’s a hidden directory which is almost guaranteed to exist on all Windows installations, accessible to all users regardless of privilege levels, and often overlooked by basic security scans. These conditions make it an ideal staging location. Seeing executables running from this parent directory is almost always a red flag.  ## User Enumeration Let's turn to the two text files which the user “Administrator” had opened, ==C:\ProgramData\AdUsers.txt== & ==C:\ProgramData\AdComp.txt.== Notably, these are located within the same staging folder location as our two network enumeration tools, but the contents are, to say the least - fairly concerning. The following screenshots are snippets of the contents of ==C:\ProgramData\AdUsers.txt== ![[image-8.png]] What do these contents look like? Looks an awful lot like information one would obtain from running an enumeration command via powershell.  A trick I learned early on in my previous law enforcement career was to (in some instances, quite literally) put myself in the seat/mindset of a suspect. This came in handy when attempting to locate drugs or other illicit items stashed away in a vehicle. When you search the vehicle from the outside in, as opposed to when sitting in the seat, it gives you a different perspective; what would be easy/quick to reach now appears to be vastly different. Put yourself in the seat, and it becomes significantly easier to figure out where the items of interest are stashed. We can apply the same trick to our cybersecurity investigations. Let's put our threat actor hat on and review the output from their perspective. ![[image-9.png]] We can see some interesting information for a user I will refer to as CH, which are parts of an “Accounting” and “REDACTED Restaurant” group. The last logon date for this user was 8 years ago, so the odds of them still having access are low (but not impossible, depending on the organisation's security practices and offboarding procedures for old user accounts). We can infer that there are likely a bunch of users who work in the accounting department - this would mean these users are high-value targets. E crime affiliates/threat actors commonly employ a double-extortion tactic, exfiltrating sensitive data and deploying ransomware. Obtaining the victim’s data allows them to put pressure on the victim to pay by threatening to release the data publicly, AND to regain access to their systems post-ransomware deployment. ![[Pasted image 20260315174051.png]] Another user  - KM - is part of the accounting group, office group, and the RDS (likely the remote desktop services, meaning we may be able to obtain RDP access with their user credentials on the hosts that they have permissions to). Even better, the user was created back in 2010, implying some level of seniority and/or tenure at the company (and thus possibly allowed to access or involved in more sensitive work), the password was last set in 2017 (implying poor password security policy) and a more recent logon date.  Now that we have established why this text file, which was accessed by our suspected compromised user “administrator”, remember how we said the output looked an awful lot like the output of an enumeration tool or PowerShell command? Based on experience, this was output of a PowerShell command, so let's obtain the user’s Windows PowerShell history from ==c:\users\administrator.REDACTED\appdata\roaming\microsoft\windows\powershell\psreadline\consolehost_history.txt== A quick control-f to search for the attacker's file ==“C:\ProgramData\AdUsers.txt“== gives us the following  ![[Pasted image 20260224203036.png]] Based on the contents of the text files and the PowerShell history, we can now infer that the compromised user account “Administrator” ran the PowerShell commands of Get-ADUser and Get-ADComputer to enumerate the Active Directory. ## Impairing  At this point, we should be pretty comfortable that this is more than likely a threat actor at work rather than a sys admin due to ……. We turn to the last piece of information provided to us by the detectors, which was Disabling the firewall via netsh and Enumerated the domain trust relationships - =="C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off"== - ==“C:\Windows\system32\nltest.exe" /domain_trusts”== When we examine the parent process for these, it turns out its powershell.exe ![[Pasted image 20260224203336.png]] Remember those PowerShell history logs? Let's take a closer look at those. ![[Pasted image 20260224203504.png]] Powershell history logs do not come with timestamps, but since we have had the detectors fire on some of these commands, we can infer and assume that those commands and other surrounding commands were run by the compromised user account. The surrounding commands are all indicative of commands intended to disable Defender, we can add that to our list of reasons as to why we strongly suspect that this is threat actor activity. ## The Stool Theory One of the core rules of thumb I lean on is Jai Minton’s “stool theory”: > “As an analyst we can use the premise of a stool where if there’s 3 or more unique, clear-cut attributes (legs) are there to stand on, then this generally indicates something may be malicious based on deviations to what you see as normal.” - HISAC - High Impact Security Analysis and Communication ([link](https://www.jaiminton.com/internal-blog/high-impact-security-analysis#)) In this case, we have the following unique attributes that far exceed the minimum 3. A high privilege (Administrator) user: - Ran two network enumeration tools - Used powershell to run multiple Active Directory enumeration commands - Get-ADUser - Enumerated the users part of the Active Directory environment, outputted the result to C:\ProgramData\AdUsers.txt and then opened the file with notepad.exe - Get-AdComputer - Enumerated the hosts part of the active directory environment, outputted the result to ==C:\ProgramData\AdComp.txt== and then opened the file with notepad.exe - Enumerated the domain trust relationships - Used powershell to disable the firewall via netsh - Used powershell to disable Windows Defender For clarity, the combination of running multiple AD-related enumeration commands in quick succession would already be enough to satisfy our 3 legs to make a stool theory; everything else is just extra grounds that strengthen our suspicion that this is a threat actor. ## Tracing the Source Now that we are satisfied that the user account of “Administrator” has been compromised, let's figure out initial access. Turning to our Windows Event logs, in particular the Security event logs using the [Chainsaw](https://github.com/WithSecureLabs/chainsaw) Hunt function, we get some interesting results. ![[Pasted image 20260224204215.png]] The IP addresses ending in .60 and .61 were hosts that we do not monitor or have agents installed on. Often, attacker infrastructure becomes anomalously apparent when they authenticate to a Windows machine, due to the underlying workstation name they might use in comparison to the standard naming conventions of the legitimate machines in the network. With the rise of VPN appliances, more often than not, we’ll see the attacker join the victim's environment directly, and threat actors often re-use the same infrastructure; hence, as investigators, we can come across the same adversarial workstation names over and over again. ## The Response: Slamming the Brakes Given the compromise of Domain Admin credentials and active reconnaissance, immediate containment was necessary and was deployed to prevent further adversarial ingress or access Time to come clean, dear reader: the analysis chain above is not how this incident was initially responded to. In reality, our containment action was taken within 51 seconds of the detection first being acknowledged. A combination of high-fidelity detectors, experience, and recognition of this particular threat actors and their affiliates’ TTPs justified pulling the containment levers.  ## Connecting the Dots When responding to an incident, analysts often scramble to look for a "smoking gun," but reality usually provides a trail of breadcrumbs instead. By applying the Stool Theory and noting the convergence of high-privilege account abuse, the use of C:\ProgramData as a staging area, numerous enumeration tools and commands run in quick succession, and the systematic disabling of security defences, a clear picture emerged of a financially motivated threat actor affiliate mapping their way through an environment. We moved beyond a vague sense of "something is wrong" to an evidence-based theory: this wasn't a sysadmin performing maintenance, it was a coordinated and rapid intrusion.