Incident Response Report
Ashford Sterling Recruitment
Initial Access Broker — Full-Chain Intrusion
BROKER-001  ·  Attack Date: 2026-01-15
Escalated To: Josh — Cyber Range Community
Incident ID: BROKER-001
Report Date: February 25, 2026
Severity: CRITICAL
Status: Complete
Analyst: Yousef Nabil
Platform: MDE + Sentinel
Attack Date: 2026-01-15
Dwell Time: ~4 hours observed
Devices Compromised: AS-PC1, AS-PC2, AS-SRV
Threat Classification: Initial Access Broker
Attack Chain Overview
T1566 Phishing → T1059 Execution → T1071 C2 → T1003 Cred Dump → T1021 Lat. Move → T1053 Persist → T1005 Data Access → T1070 Anti-Forensics
00 Executive Summary

On January 15, 2026, Ashford Sterling Recruitment suffered a sophisticated full-chain intrusion consistent with Initial Access Broker (IAB) tradecraft. The compromise began when a user on AS-PC1 (Sophie.Turner) executed a malicious file masquerading as a recruitment CV — Daniel_Richardson_CV.pdf.exe — downloaded from the company network. The file used the double-extension technique (T1036.007) to deceive the user into believing it was a PDF document.

Once executed, the malware established Command & Control communications to cdn.cloud-endpoint.net and began systematic enumeration of the environment. The threat actor proceeded through credential access (registry hive dumping of SAM and SYSTEM), network discovery, and lateral movement across all three company devices — pivoting from AS-PC1 to AS-PC2 then to AS-SRV. The attacker deployed AnyDesk remote access tool on all three machines using certutil as a download proxy, configured an unattended-access password, and established scheduled task persistence on both AS-PC2 and AS-SRV under the masqueraded binary RuntimeBroker.exe.

On AS-SRV, the actor accessed the C:\Shares\Payroll\ directory, opened BACS_Payments_Dec2025.ods (a BACS payment file containing banking details), and created an archive Shares.7z packaging the share contents for exfiltration. In-memory credential theft was conducted via SharpChrome reflectively loaded into notepad.exe, targeting saved browser passwords from both Microsoft Edge and Google Chrome via DPAPI decryption. Event logs were cleared on completion to degrade forensic visibility. All evidence was reconstructed from Microsoft Defender for Endpoint telemetry in Microsoft Sentinel.

Critical: Full-chain IAB compromise confirmed. The attacker achieved persistent access on three hosts, dumped NTLM-crackable registry hives, accessed payroll banking data (BACS), stole browser-stored credentials via SharpChrome/DPAPI, and packaged share data for exfiltration — all within a ~4-hour window before clearing logs.
01 WHO
Threat Actor Classification

The threat actor exhibits hallmarks of an Initial Access Broker (IAB) — a criminal specialist who gains entry into organizations, establishes persistent remote access, and either sells that access to ransomware operators or conducts espionage/financial fraud independently. The operational tempo (rapid tool deployment, AnyDesk persistence across all hosts, registry credential staging, payroll data access) is consistent with a financially motivated actor preparing to monetize access.

Attacker Infrastructure
Indicator | Role | Protocol/Port | Notes
cdn.cloud-endpoint.net | C2 server — command & control | HTTPS / 443 | Malware beaconed here for instructions; blends with CDN traffic
sync.cloud-endpoint.net | Staging server — payload hosting | HTTPS / 443 | certutil downloads sourced from here; RuntimeBroker.exe retrieved
download.anydesk.com | AnyDesk official download | HTTPS / 443 | Attacker used legitimate AnyDesk CDN to avoid domain-based detection
Compromised Accounts Used
Account | Device | Type | Observed Usage
Sophie.Turner | AS-PC1 | Domain user (victim) | Initial vector execution; all AS-PC1 malicious activity ran under this account
david.mitchell | AS-PC2 | Domain user (victim) | Pivoted to AS-PC2 via RDP (mstsc); used to enable Administrator and deploy tooling
Administrator | AS-PC2, AS-SRV | Local built-in (disabled→enabled) | Activated via net user Administrator /active:yes; used for WMIC/PsExec attempts
AS.SRV.Administrator | AS-SRV | Local admin | Logged in via Guacamole RDP; created Shares.7z archive
svc_backup | AS-PC1 | Backdoor local account (created by attacker) | Created by malware and added to Administrators group for persistence
02 WHAT
  • Initial Access: User Sophie.Turner executed Daniel_Richardson_CV.pdf.exe after double-clicking it from the Downloads folder — masqueraded as a recruitment CV using double-extension technique (T1036.007). Parent process: explorer.exe.
  • C2 Establishment: Malware immediately established outbound HTTPS communications to cdn.cloud-endpoint.net for command & control beaconing.
  • Discovery: Malware executed whoami.exe, ipconfig.exe, and net.exe view to enumerate the victim identity, network configuration, and visible network shares. net localgroup Administrators was also queried.
  • Credential Access: reg.exe was used to dump HKLM\SAM and HKLM\SYSTEM registry hives to C:\Users\Public\ as sam.hiv and system.hiv — enabling offline NTLM hash extraction.
  • Remote Tool Deployment: AnyDesk was downloaded via certutil.exe -urlcache -split -f from download.anydesk.com to C:\Users\Public\AnyDesk.exe on all three hosts. Unattended password set to intrud3r!.
  • Backdoor Account Creation: net.exe user svc_backup [password] /add followed by net.exe localgroup Administrators svc_backup /add — creating a persistent local admin account on AS-PC1.
  • Lateral Movement: From AS-PC1, attacker attempted WMIC (×4) and PsExec (×2) against AS-PC2 — all failed. Succeeded via mstsc.exe /v:10.1.0.183 (RDP). From AS-PC2, WMIC (×2) against AS-SRV failed; succeeded via mstsc.exe /v:10.1.0.203.
  • Scheduled Task Persistence: On AS-PC2 and AS-SRV, Daniel_Richardson_CV.pdf.exe was downloaded via certutil and saved as C:\Users\Public\RuntimeBroker.exe (masquerading as a Windows system binary). A scheduled task named MicrosoftEdgeUpdateCheck was created to execute it daily at 03:00 with highest privileges.
  • Data Access: On AS-SRV, the attacker accessed C:\Shares\Payroll\BACS_Payments_Dec2025.ods (BACS banking payment file) — confirmed editing via LibreOffice lock file artifact. Contents of all shares were archived into Shares.7z.
  • In-Memory Credential Theft: SharpChrome was reflectively loaded (T1620) into notepad.exe — a legitimate Windows process — to steal saved passwords from Chrome and Edge via DPAPI decryption. No SharpChrome file ever appeared on disk.
  • Anti-Forensics: Four Windows event logs cleared using wevtutil.exe cl: Security, System, Application, Windows PowerShell. Memory region protection was also modified in notepad.exe address space.
03 WHEN (all times UTC, from Sentinel)
Full Attack Timeline
Time (UTC) | Host(s) | Event
04:28 | AS-PC1 | Sophie.Turner RDP logon to AS-PC1 via Guacamole (IP 10.0.8.6). Explorer.exe spawned as user context.
06:31 | AS-PC1 | Initial compromise — Sophie.Turner double-clicks Daniel_Richardson_CV.pdf.exe from Downloads folder. Explorer.exe spawns malware with High integrity.
06:31 | AS-PC1 | C2 established — malware beacons to cdn.cloud-endpoint.net over HTTPS.
06:31 | AS-PC1 | Discovery phase — whoami.exe, ipconfig.exe, net.exe view, net localgroup Administrators executed by malware.
~06:45 | AS-PC1 | Credential staging — reg.exe dumps HKLM\SAM → C:\Users\Public\sam.hiv and HKLM\SYSTEM → C:\Users\Public\system.hiv.
06:48 | AS-PC2 | David.Mitchell RDP logon to AS-PC2 via Guacamole (IP 10.0.8.5).
07:08 | AS-PC1 | AnyDesk deployed on AS-PC1 — certutil downloads AnyDesk.exe to C:\Users\Public\. cmd.exe launches AnyDesk. AnyDesk config read from C:\Users\Sophie.Turner\AppData\Roaming\AnyDesk\system.conf.
07:10 | AS-PC1 | AnyDesk started: cmd.exe /c "start C:\Users\Public\AnyDesk.exe"
07:18 | AS-PC1 | Lateral movement attempts begin — WMIC (×4) against AS-PC2 with Administrator credentials — all fail. PsExec (×2) against AS-PC2 — all fail.
07:29 | AS-PC1, AS-PC2 | RDP to AS-PC2 succeeds: mstsc.exe /v:10.1.0.183. Remote session initiator switches to AS-PC1 (10.1.0.154).
07:40 | AS-PC2 | AS-PC2 takeover — PowerShell spawned; net.exe user Administrator /active:yes; AnyDesk downloaded via certutil, password set to intrud3r!.
07:42 | AS-PC2 | Share enumeration: dir \\AS-SRV\Payroll executed from AS-PC2.
07:52 | AS-PC2 | Scheduled task persistence on AS-PC2 — certutil downloads malware as RuntimeBroker.exe; schtasks creates MicrosoftEdgeUpdateCheck.
07:53–07:54 | AS-PC2, AS-SRV | WMIC to AS-SRV fails (×2), then mstsc to AS-SRV succeeds: mstsc.exe /v:10.1.0.203.
07:56 | AS-SRV | AS-SRV takeover — certutil downloads RuntimeBroker.exe from sync.cloud-endpoint.net; AnyDesk downloaded; schtasks creates MicrosoftEdgeUpdateCheck.
07:57 | AS-PC1 | Backdoor account created on AS-PC1: net.exe user svc_backup [pw] /add; net.exe localgroup Administrators svc_backup /add.
~ | AS-SRV | Payroll access — BACS_Payments_Dec2025.ods opened for editing on AS-SRV shares from AS-PC2. LibreOffice lock file created. Shares.7z archive created.
08:07 | AS-PC1 | Log clearing begins — wevtutil cl Security, System, Application, Windows PowerShell.
08:09 | AS-PC1 | SharpChrome injection #1 — malware injects into notepad.exe; CLR module loaded; Edge credentials decrypted via DPAPI (UnprotectData).
08:10 | AS-PC1 | SharpChrome injection #2 — second notepad.exe instance; Chrome Login Data accessed; Google Chrome credentials decrypted via DPAPI.
08:17 | AS-PC1 | Memory protection manipulation — malware modifies memory region protection in notepad.exe address space (VirtualProtectEx equivalent).
04 WHERE
Compromised Hosts
Hostname | IP (Attack Day) | Role | Primary User | Compromise Method
AS-PC1 | 10.1.0.154 | User workstation — Patient Zero | Sophie.Turner | Direct execution of malicious PDF.EXE
AS-PC2 | 10.1.0.183 | User workstation — Pivot host | david.mitchell | RDP lateral movement from AS-PC1 (mstsc)
AS-SRV | 10.1.0.203 | File server — Final target | AS.SRV.Administrator | RDP lateral movement from AS-PC2 (mstsc)
Key File System Paths
Path | Device | Significance
C:\Users\Sophie.Turner\Downloads\Daniel_Richardson_CV\Daniel_Richardson_CV.pdf.exe | AS-PC1 | Initial access vector — malicious executable
C:\Users\Public\ | AS-PC1/PC2/SRV | Attacker staging directory — AnyDesk, sam.hiv, system.hiv stored here
C:\Users\Public\AnyDesk.exe | All three | Remote access tool deployed on all hosts
C:\Users\Public\RuntimeBroker.exe | AS-PC2, AS-SRV | Malware masquerading as Windows process for scheduled task persistence
C:\Users\Sophie.Turner\AppData\Roaming\AnyDesk\system.conf | AS-PC1 | AnyDesk config file — read by attacker via cmd.exe type command
C:\Shares\Payroll\BACS_Payments_Dec2025.ods | AS-SRV | Sensitive payroll banking file — accessed and edited
C:\Shares\Clients\Shares.7z | AS-SRV | Exfiltration archive — entire share contents packaged
External Infrastructure
Domain / IP | Role | Used By
cdn.cloud-endpoint.net | C2 — command & control | Daniel_Richardson_CV.pdf.exe (beaconing)
sync.cloud-endpoint.net | Staging — payload hosting | certutil.exe (payload downloads)
download.anydesk.com | AnyDesk official CDN | certutil.exe (AnyDesk downloads)
10.0.8.6 | Guacamole RDP gateway IP for AS-PC1 initial logon | Sophie.Turner RDP source
10.0.8.5 | Guacamole RDP gateway IP for AS-PC2 initial logon | David.Mitchell RDP source
05 HOW

The intrusion followed a systematic, multi-stage methodology consistent with a professional IAB operator. The attacker leveraged social engineering for initial access, a custom malware dropper for C2 and execution, legitimate Windows binaries (certutil, reg, net, schtasks, mstsc) for all subsequent actions — a LOLBIN (Living Off the Land Binaries) strategy that minimizes new file writes and evades AV detection. The full methodology is detailed in sections S1–S9 below.

Key Techniques by MITRE ATT&CK
Technique ID | Name | Implementation Observed
T1566.001 | Spearphishing Attachment | CV-themed .exe delivered as apparent PDF
T1036.007 | Double File Extension | Daniel_Richardson_CV.pdf.exe masquerading as PDF
T1071.001 | Application Layer Protocol — Web | C2 over HTTPS to cdn.cloud-endpoint.net
T1003.002 | Security Account Manager | reg save HKLM\SAM + HKLM\SYSTEM to Public folder
T1021.001 | Remote Desktop Protocol | mstsc.exe for lateral movement PC1→PC2→SRV
T1053.005 | Scheduled Task | MicrosoftEdgeUpdateCheck on PC2 and SRV
T1105 | Ingress Tool Transfer | certutil -urlcache -split -f for all payload downloads
T1219 | Remote Access Software | AnyDesk deployed on all 3 hosts with set-password
T1136.001 | Create Local Account | svc_backup added to Administrators group on AS-PC1
T1620 | Reflective Code Loading | SharpChrome loaded into notepad.exe memory — no disk artifact
T1555.003 | Credentials from Web Browsers | SharpChrome + DPAPI targeting Edge and Chrome Login Data
T1005 | Data from Local System | BACS_Payments_Dec2025.ods accessed; Shares.7z created
T1070.001 | Clear Windows Event Logs | wevtutil cl Security/System/Application/Windows PowerShell
S1 Initial Access T1566.001 · T1036.007 · T1204.002

Initial access was achieved via user execution of a masqueraded executable. The file Daniel_Richardson_CV.pdf.exe was delivered to Sophie.Turner's Downloads folder, disguised as a recruitment CV using the double-extension technique — the .pdf prefix was designed to make the file appear as a PDF document to an untrained user. Windows hides known file extensions by default, making this deception highly effective.

When Sophie.Turner double-clicked the file, Windows Explorer (explorer.exe) spawned it as the parent process — confirming direct user interaction. The malware ran with High integrity level and Default token elevation, meaning it ran with Sophie.Turner's full privileges. Almost immediately it spawned notepad.exe "" as a child process — an unusual invocation (empty argument string) that serves as a host process for code injection.

Initial Vector: Daniel_Richardson_CV.pdf.exe
SHA256: 48b97fd91946e81e3e7742b3554585360551551cbf9398e1f34f4bc4eac3a6b5
User Interaction Parent: explorer
Suspicious Child Process: notepad.exe
Process Arguments: notepad.exe ""
How I Found It

The initial vector was identified directly from the MDE Alert Story for AS-PC1, which showed the full process tree: userinit.exe → explorer.exe → Daniel_Richardson_CV.pdf.exe → notepad.exe. The SHA256 required a KQL query against DeviceProcessEvents since the alert story only shows SHA1.

Q-S1 — Confirm initial vector SHA256 and process chain
KQL · DeviceProcessEvents
DeviceProcessEvents
| where Timestamp between (datetime(2026-01-15) .. datetime(2026-01-16))
| where DeviceName == "as-pc1"
| where FileName =~ "Daniel_Richardson_CV.pdf.exe"
| project Timestamp, FileName, SHA256, FolderPath,
          InitiatingProcessFileName, ProcessCommandLine
S2 Command & Control T1071.001 · T1102

Once executed, the malware established outbound communications over HTTPS (port 443) to cdn.cloud-endpoint.net — the C2 server. Using HTTPS over port 443 is deliberate: this traffic is encrypted and blends into normal web browsing, making it difficult to distinguish from legitimate CDN traffic at the network layer without TLS inspection. The domain name itself (cdn.cloud-endpoint.net) is designed to appear as a legitimate cloud CDN service.

A separate domain — sync.cloud-endpoint.net — served as the payload staging server. This separation of C2 and staging infrastructure is a tradecraft indicator: if the staging domain is burned (blocked), the C2 channel remains intact, and vice versa. All certutil-based payload downloads (RuntimeBroker.exe on PC2 and SRV) originated from the staging domain.

C2 Domain: cdn.cloud-endpoint.net
C2 Process: daniel_richardson_cv.pdf.exe
Staging Domain: sync.cloud-endpoint.net
Q-S2 — Confirm C2 domain and outbound connections from malware
KQL · DeviceNetworkEvents
DeviceNetworkEvents
| where Timestamp between (datetime(2026-01-15) .. datetime(2026-01-16))
| where DeviceName == "as-pc1"
| where InitiatingProcessFileName =~ "Daniel_Richardson_CV.pdf.exe"
| project Timestamp, RemoteUrl, RemoteIP, RemotePort,
          InitiatingProcessFileName
| order by Timestamp asc
S3 Credential Access T1003.002 · T1552.001

The attacker used reg.exe — a built-in Windows utility — to dump two critical registry hives from HKLM (HKEY_LOCAL_MACHINE) to disk. These two hives together are sufficient to extract all local account NTLM password hashes offline using tools like Impacket secretsdump or samdump2.

HKLM\SAM (Security Account Manager) stores all local user account password hashes. However, the hashes inside SAM are encrypted using the system boot key. HKLM\SYSTEM contains that boot key. Without SYSTEM, SAM is useless. Together, they allow full offline NTLM hash extraction — which can then be cracked offline or used directly in Pass-the-Hash attacks without ever knowing the plaintext password. Both files were staged to C:\Users\Public\ — a world-readable directory ideal for attacker staging due to no permission restrictions.

Registry Targets: SAM, SYSTEM
Local Staging Directory: C:\Users\Public\
Execution Identity: Sophie.Turner
Q-S3 — Registry hive dumping activity
KQL · DeviceProcessEvents
DeviceProcessEvents
| where Timestamp between (datetime(2026-01-15) .. datetime(2026-01-16))
| where DeviceName == "as-pc1"
| where FileName =~ "reg.exe"
| project Timestamp, AccountName, FileName, ProcessCommandLine
| order by Timestamp asc
Evidence Rows
Timestamp (UTC) | AccountName | Command Line
2026-01-15T04:13:32Z | sophie.turner | "reg.exe" save HKLM\SAM C:\Users\Public\sam.hiv
2026-01-15T04:13:32Z | sophie.turner | "reg.exe" save HKLM\SYSTEM C:\Users\Public\system.hiv
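The SAM-plus-SYSTEM pairing explained above is what a detection should key on, since either hive alone is of limited use offline. The following Python is an added example (not from the report or its Sentinel workspace) that parses reg.exe command lines from DeviceProcessEvents-style rows and raises one finding when an account saves SYSTEM together with SAM or SECURITY inside a short window; the sample rows are constructed to mirror the evidence rows above, and the field names follow the MDE schema the report's queries use.

```python
import re
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Hives that matter in combination: SAM (and SECURITY) are only useful
# offline together with the boot key held in SYSTEM.
_HIVE_RE = re.compile(r"^(?:HKLM|HKEY_LOCAL_MACHINE)\\(SAM|SYSTEM|SECURITY)$", re.I)


def parse_reg_save(cmdline: str):
    """Return (hive, destination) for a `reg save` of a sensitive HKLM hive,
    else None. posix=False keeps Windows backslashes intact; surrounding
    quotes (as in "reg.exe") are stripped afterwards."""
    try:
        tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:
        return None
    if len(tokens) < 4:
        return None
    exe = tokens[0].rsplit("\\", 1)[-1].lower()
    if exe not in ("reg", "reg.exe") or tokens[1].lower() != "save":
        return None
    m = _HIVE_RE.match(tokens[2])
    return (m.group(1).upper(), tokens[3]) if m else None


def find_hive_dump_pairs(rows, window=timedelta(minutes=10)):
    """rows: DeviceProcessEvents-style dicts (Timestamp, DeviceName,
    AccountName, ProcessCommandLine). Returns one finding per (device,
    account) that saved SYSTEM plus SAM and/or SECURITY within `window`."""
    saves = defaultdict(list)
    for r in rows:
        parsed = parse_reg_save(r.get("ProcessCommandLine", ""))
        if not parsed:
            continue
        ts = datetime.strptime(r["Timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        key = (r["DeviceName"].lower(), r["AccountName"].lower())
        saves[key].append((ts, parsed[0], parsed[1]))

    findings = []
    for (device, account), events in saves.items():
        events.sort()
        for s_ts, hive, s_dest in events:
            if hive != "SYSTEM":
                continue
            paired = [e for e in events if e[1] != "SYSTEM" and abs(e[0] - s_ts) <= window]
            if paired:
                findings.append({
                    "device": device,
                    "account": account,
                    "hives": sorted({"SYSTEM", *(e[1] for e in paired)}),
                    "staging_paths": sorted({s_dest, *(e[2] for e in paired)}),
                    "technique": "T1003.002",
                })
                break  # one finding per device/account is enough
    return findings


# Constructed sample rows mirroring the S3 evidence rows, plus benign noise.
SAMPLE_ROWS = [
    {"Timestamp": "2026-01-15T04:13:32Z", "DeviceName": "as-pc1",
     "AccountName": "sophie.turner",
     "ProcessCommandLine": r'"reg.exe" save HKLM\SAM C:\Users\Public\sam.hiv'},
    {"Timestamp": "2026-01-15T04:13:32Z", "DeviceName": "as-pc1",
     "AccountName": "sophie.turner",
     "ProcessCommandLine": r'"reg.exe" save HKLM\SYSTEM C:\Users\Public\system.hiv'},
    # A query is not a dump, and SYSTEM on its own is not enough to extract hashes.
    {"Timestamp": "2026-01-15T04:20:00Z", "DeviceName": "as-pc1",
     "AccountName": "sophie.turner", "ProcessCommandLine": r"reg.exe query HKLM\SAM"},
    {"Timestamp": "2026-01-15T09:00:00Z", "DeviceName": "as-pc2",
     "AccountName": "david.mitchell",
     "ProcessCommandLine": r"reg.exe save HKLM\SYSTEM C:\Temp\sys.hiv"},
]

if __name__ == "__main__":
    for finding in find_hive_dump_pairs(SAMPLE_ROWS):
        print(finding)
```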
S4 Discovery T1033 · T1135 · T1069.001 · T1016

Immediately after execution, the malware launched a systematic environment discovery phase using native Windows utilities. This is consistent with automated post-exploitation reconnaissance scripts embedded in the malware — the commands ran within seconds of initial execution in rapid succession.

Identity Command: whoami.exe
View Shares Command: net.exe view
Local Group Queried: Administrators
Discovery Command Analysis
Command | MITRE | Purpose | Attacker Use
whoami.exe | T1033 | Confirms current user identity | Verify privilege level — domain user, local admin, or SYSTEM?
ipconfig.exe | T1016 | Network configuration | IP addressing, subnet, domain — maps the environment
net.exe view | T1135 | Enumerates network shares | Discovered AS-SRV and its accessible shares — direct path to data
net localgroup Administrators | T1069.001 | Local admin group members | Identifies high-value accounts to target or impersonate
Q-S4 — Discovery commands executed by malware
KQL · DeviceProcessEvents
DeviceProcessEvents
| where Timestamp between (datetime(2026-01-15) .. datetime(2026-01-16))
| where DeviceName == "as-pc1"
| where FileName in~ ("whoami.exe","net.exe","ipconfig.exe","hostname.exe")
| project Timestamp, AccountName, FileName, ProcessCommandLine
| order by Timestamp asc
S5 Persistence — Remote Tool (AnyDesk) T1219 · T1105 · T1552.001

AnyDesk is a legitimate remote desktop application widely used in enterprise environments. The attacker leveraged it as a persistent, covert remote access channel — separate from the C2 malware — meaning even if the malware is detected and removed, the attacker retains GUI-level access to all three compromised hosts through AnyDesk's unattended access feature.

Deployment method: AnyDesk was downloaded using certutil.exe -urlcache -split -f — a classic LOLBIN technique abusing a built-in Windows certificate utility for file download. Certutil is not expected to make external connections in most environments, but it is rarely blocked because it has legitimate uses. The -split flag forces binary file writing, and -urlcache uses IE's URL cache mechanism.

Unattended access password: After deployment, the attacker configured AnyDesk for unattended access using the command echo intrud3r! | AnyDesk.exe --set-password — piping the password directly into stdin to avoid it appearing as a visible argument in process telemetry (the password appears as asterisks in most logging). The config file was then read via cmd.exe /c "type C:\Users\Sophie.Turner\AppData\Roaming\AnyDesk\system.conf" to verify configuration.

Remote Tool: AnyDesk
Download Binary: certutil.exe
Unattended Password: intrud3r!
Deployed Hosts: AS-PC1, AS-PC2, AS-SRV
Config File Accessed: C:\Users\Sophie.Turner\AppData\Roaming\AnyDesk\system.conf
AnyDesk SHA256: f42b635d93720d1624c74121b83794d706d4d064bee027650698025703d20532
Q-S5a — AnyDesk download and file creation events
KQL · DeviceFileEvents
DeviceFileEvents
| where Timestamp between (datetime(2026-01-15) .. datetime(2026-01-16))
| where DeviceName has_any ("as-pc1","as-pc2","as-srv")
| where FileName has_any ("AnyDesk.exe","AnyDesk[1].exe")
| project Timestamp, DeviceName, ActionType, FolderPath,
          FileName, SHA256, InitiatingProcessFileName,
          InitiatingProcessCommandLine
| order by Timestamp asc
Q-S5b — AnyDesk config file access (honest hunting approach)
KQL · DeviceFileEvents
DeviceFileEvents
| where Timestamp between (datetime(2026-01-15) .. datetime(2026-01-16))
| where DeviceName has_any ("as-pc1","as-pc2","as-srv")
| where InitiatingProcessFileName =~ "AnyDesk.exe"
| project Timestamp, DeviceName, ActionType, FolderPath,
          FileName, InitiatingProcessAccountName
| order by Timestamp asc
Q-S5c — Config file read via cmd type command (how the path was confirmed)
KQL · DeviceProcessEvents
DeviceProcessEvents
| where Timestamp between (datetime(2026-01-15) .. datetime(2026-01-16))
| where DeviceName has_any ("as-pc1","as-pc2","as-srv")
| where ProcessCommandLine has ".conf"
| project Timestamp, DeviceName, AccountName, FileName,
          ProcessCommandLine
| order by Timestamp asc
S6 Lateral Movement T1021.001 · T1569.002 · T1047 · T1543

The attacker systematically attempted lateral movement using multiple remote execution tools before succeeding with RDP. This trial-and-error pattern — exhausting WMIC then PsExec before falling back to mstsc — is characteristic of a human operator adapting in real-time to environmental restrictions (firewall rules, disabled services, credential issues).

Lateral Movement Sequence — AS-PC1 → AS-PC2
Time (UTC) | Tool | Target | Command | Result
04:18–04:23 | WMIC.exe (×4) | AS-PC2 | /node:AS-PC2 process call create certutil... | ❌ Failed — retried 4 times
04:24–04:25 | PsExec.exe (×2) | AS-PC2 | -accepteula \\AS-PC2 -u Administrator cmd.exe | ❌ Failed — switched tools
04:29 | mstsc.exe | AS-PC2 (10.1.0.183) | "mstsc.exe" /v:10.1.0.183 | ✅ Success
Lateral Movement Sequence — AS-PC2 → AS-SRV
Time (UTC) | Tool | Target | Command | Result
04:53–04:54 | WMIC.exe (×2) | AS-SRV (10.1.0.203) | /node:10.1.0.203 process call create certutil... | ❌ Failed
04:54 | mstsc.exe | AS-SRV (10.1.0.203) | "mstsc.exe" /v:10.1.0.203 | ✅ Success
Failed Tools: psexec.exe, wmic.exe
Failed Target Host: as-pc2
Successful Pivot Tool: mstsc.exe
Movement Path: AS-PC1 > AS-PC2 > AS-SRV
Successful Auth User: david.mitchell
Activation Parameter: /active:yes
Activation Context User: david.mitchell
Why Failed Attempts Are Still Forensic Gold

The failed WMIC and PsExec attempts are as valuable as the successful RDP pivots. They reveal the attacker's full credential set at the time — they were using the local Administrator account with a password obtained earlier. They also reveal the attacker's tooling — both WMIC and PsExec were present on AS-PC1, suggesting a prepared toolkit. Most importantly, the 4× WMIC retry pattern shows human operator behavior, not automated execution.

Q-S6 — All remote execution tool attempts (broad hunt — not just known tools)
KQL · DeviceProcessEvents
DeviceProcessEvents
| where Timestamp between (datetime(2026-01-15) .. datetime(2026-01-16))
| where DeviceName has_any ("as-pc1","as-pc2","as-srv")
| where FileName in~ ("psexec.exe","wmic.exe","winrs.exe","mstsc.exe",
                      "schtasks.exe","sc.exe","at.exe","net.exe")
| where ProcessCommandLine has_any ("\\\\","/node:","-s ","/s ",
                                    "/v:","computername","/r:")
| project Timestamp, DeviceName, AccountName, FileName,
          ProcessCommandLine
| order by Timestamp asc
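To make the trial-and-error pattern described in this section repeatable across cases, here is an added Python example (not part of the report) that extracts the target from wmic /node:, psexec \\host and mstsc /v: command lines, groups attempts per source device and target, and marks a pivot as successful only if a RemoteInteractive LogonSuccess on the target from that source follows the last attempt. The process rows are constructed from the S6 tables, the IP-to-host map comes from section 04, and the DeviceLogonEvents-style logon rows are assumed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# IP-to-host map for the attack day, taken from section 04 of the report.
HOST_BY_IP = {"10.1.0.154": "as-pc1", "10.1.0.183": "as-pc2", "10.1.0.203": "as-srv"}

# Where each remote-execution tool names its target on the command line.
TARGET_PATTERNS = {
    "wmic.exe": re.compile(r'/node:"?([^\s"]+)', re.I),
    "psexec.exe": re.compile(r"\\\\([^\s\\]+)"),
    "mstsc.exe": re.compile(r'/v:"?([^\s"]+)', re.I),
}


def canonical_host(name: str) -> str:
    """Lower-case hostname; an IP (optionally with :port) is mapped to its host."""
    name = name.split(":")[0].lower()
    return HOST_BY_IP.get(name, name)


def extract_target(file_name: str, cmdline: str):
    pat = TARGET_PATTERNS.get(file_name.lower())
    m = pat.search(cmdline) if pat else None
    return canonical_host(m.group(1)) if m else None


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def reconstruct_pivots(process_rows, logon_rows, window=timedelta(minutes=15)):
    """Group remote-execution attempts by (source device, target) and mark the
    pivot as successful only if a RemoteInteractive LogonSuccess on the target
    from that source follows the last attempt within `window`."""
    attempts = defaultdict(list)
    for r in process_rows:
        source = r["DeviceName"].lower()
        target = extract_target(r["FileName"], r["ProcessCommandLine"])
        if target and target != source:
            attempts[(source, target)].append((_ts(r["Timestamp"]), r["FileName"].lower()))

    logons = [(l["DeviceName"].lower(), canonical_host(l["RemoteIP"]), _ts(l["Timestamp"]))
              for l in logon_rows
              if l["ActionType"] == "LogonSuccess" and l["LogonType"] == "RemoteInteractive"]

    pivots = {}
    for (source, target), seq in attempts.items():
        seq.sort()
        last = seq[-1][0]
        tools = []
        for _, tool in seq:  # collapse runs: wmic,wmic,psexec,mstsc -> three entries
            if not tools or tools[-1] != tool:
                tools.append(tool)
        success = next((ts for dev, src, ts in logons
                        if dev == target and src == source and last <= ts <= last + window), None)
        pivots[(source, target)] = {
            "attempts": len(seq),
            "tool_sequence": tools,
            "succeeded_at": success,
            # Repeated retries and tool switching point to a hands-on operator.
            "human_operator_indicator": len(tools) > 1 or len(seq) >= 3,
        }
    return pivots


def _proc(ts, dev, exe, cmd):
    return {"Timestamp": ts, "DeviceName": dev, "FileName": exe, "ProcessCommandLine": cmd}


# Constructed sample rows following the S6 tables; the logon rows are assumed.
SAMPLE_PROCESS = [
    _proc("2026-01-15T04:18:00Z", "as-pc1", "WMIC.exe", "wmic /node:AS-PC2 /user:Administrator process call create certutil"),
    _proc("2026-01-15T04:20:00Z", "as-pc1", "WMIC.exe", "wmic /node:AS-PC2 /user:Administrator process call create certutil"),
    _proc("2026-01-15T04:22:00Z", "as-pc1", "WMIC.exe", "wmic /node:AS-PC2 /user:Administrator process call create certutil"),
    _proc("2026-01-15T04:23:00Z", "as-pc1", "WMIC.exe", "wmic /node:AS-PC2 /user:Administrator process call create certutil"),
    _proc("2026-01-15T04:24:00Z", "as-pc1", "PsExec.exe", r"psexec.exe -accepteula \\AS-PC2 -u Administrator cmd.exe"),
    _proc("2026-01-15T04:25:00Z", "as-pc1", "PsExec.exe", r"psexec.exe -accepteula \\AS-PC2 -u Administrator cmd.exe"),
    _proc("2026-01-15T04:29:00Z", "as-pc1", "mstsc.exe", '"mstsc.exe" /v:10.1.0.183'),
    _proc("2026-01-15T04:53:00Z", "as-pc2", "WMIC.exe", "wmic /node:10.1.0.203 process call create certutil"),
    _proc("2026-01-15T04:54:00Z", "as-pc2", "WMIC.exe", "wmic /node:10.1.0.203 process call create certutil"),
    _proc("2026-01-15T04:54:30Z", "as-pc2", "mstsc.exe", '"mstsc.exe" /v:10.1.0.203'),
]
SAMPLE_LOGONS = [
    {"Timestamp": "2026-01-15T04:29:40Z", "DeviceName": "as-pc2", "ActionType": "LogonSuccess",
     "LogonType": "RemoteInteractive", "RemoteIP": "10.1.0.154"},
    {"Timestamp": "2026-01-15T04:55:10Z", "DeviceName": "as-srv", "ActionType": "LogonSuccess",
     "LogonType": "RemoteInteractive", "RemoteIP": "10.1.0.183"},
]

if __name__ == "__main__":
    for key, info in reconstruct_pivots(SAMPLE_PROCESS, SAMPLE_LOGONS).items():
        print(key, info)
```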
S7 Persistence — Scheduled Task T1053.005 · T1036.003 · T1136.001

On both AS-PC2 and AS-SRV, the attacker established scheduled task persistence using the same malware binary (Daniel_Richardson_CV.pdf.exe) renamed to RuntimeBroker.exe. RuntimeBroker.exe is a legitimate Windows system process (responsible for managing permissions for apps from the Microsoft Store), making this an effective masquerade — defenders are less likely to question a process with a known-legitimate name.

The scheduled task was named MicrosoftEdgeUpdateCheck — again chosen to blend in with legitimate Microsoft Edge update tasks that exist in enterprise environments. It was configured to run daily at 03:00 (3 AM) with highest privilege, providing the attacker with a persistent daily callback window even if the active session is terminated or the machine is rebooted.

The SHA256 of RuntimeBroker.exe matches the original malware exactly — confirming it is the same payload, just renamed. Additionally, the backdoor account svc_backup was created on AS-PC1 and added to the Administrators group — providing a second persistent access path via local credentials, independent of AnyDesk or scheduled tasks.

Task Name: MicrosoftEdgeUpdateCheck
Renamed Binary: RuntimeBroker.exe
Persistence SHA256: 48b97fd91946e81e3e7742b3554585360551551cbf9398e1f34f4bc4eac3a6b5
Backdoor Account: svc_backup
Q-S7a — Scheduled task creation across all devices
KQL · DeviceProcessEvents
DeviceProcessEvents
| where Timestamp between (datetime(2026-01-15) .. datetime(2026-01-16))
| where DeviceName has_any ("as-pc1","as-pc2","as-srv")
| where FileName =~ "schtasks.exe"
| where ProcessCommandLine has "/create"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
| order by Timestamp asc
Q-S7b — Backdoor local account creation
KQL · DeviceProcessEvents
DeviceProcessEvents
| where Timestamp between (datetime(2026-01-15) .. datetime(2026-01-16))
| where DeviceName has_any ("as-pc1","as-pc2","as-srv")
| where FileName in~ ("net.exe","net1.exe")
| where ProcessCommandLine has " user "
| where ProcessCommandLine has "/add"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
| order by Timestamp asc
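The two masquerades this report turns on, the double extension of S1 and the RuntimeBroker.exe name of S7, can be checked with the same code. The following Python is an added example (not the report's own): it flags a document-style extension in front of an executable one, a protected system process name running from outside the Windows directory, and a schtasks /create whose /tr points at such a binary. The system-name shortlist is my own assumption, and the schtasks command line in the sample rows is constructed, since the report gives only the task name, schedule and privilege level.

```python
import re

DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "ods", "odt", "txt", "jpg", "png"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}
# Process names that should only run from the Windows directory (assumed shortlist).
SYSTEM_PROCESS_NAMES = {"runtimebroker.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                        "services.exe", "winlogon.exe", "dllhost.exe", "explorer.exe"}
_WINDOWS_DIR_RE = re.compile(r"^[a-z]:\\windows\\", re.I)
_TASK_ARG_RE = re.compile(r'/(tn|tr|sc|st|rl)\s+("[^"]*"|\S+)', re.I)


def is_double_extension(file_name: str) -> bool:
    """T1036.007: a document-style extension immediately before an executable one."""
    parts = file_name.lower().split(".")
    return len(parts) >= 3 and parts[-2] in DOC_EXTS and parts[-1] in EXEC_EXTS


def is_system_name_outside_windows(image_path: str) -> bool:
    """T1036.003: a protected system process name run from outside the Windows dir."""
    name = image_path.rsplit("\\", 1)[-1].lower()
    return name in SYSTEM_PROCESS_NAMES and not _WINDOWS_DIR_RE.match(image_path)


def parse_schtasks_create(cmdline: str):
    """Pull /tn /tr /sc /st /rl out of a schtasks /create command line, else None."""
    if not re.search(r"/create\b", cmdline, re.I):
        return None
    return {k.lower(): v.strip('"') for k, v in _TASK_ARG_RE.findall(cmdline)}


def evaluate_process(row):
    """row: DeviceProcessEvents-style dict with FileName, FolderPath and
    ProcessCommandLine. Returns a list of (technique, reason) hits."""
    hits = []
    name, path, cmd = row["FileName"], row["FolderPath"], row["ProcessCommandLine"]
    if is_double_extension(name):
        hits.append(("T1036.007", f"double extension: {name}"))
    if is_system_name_outside_windows(path):
        hits.append(("T1036.003", f"system process name outside Windows dir: {path}"))
    if name.lower() == "schtasks.exe":
        task = parse_schtasks_create(cmd) or {}
        prog = task.get("tr", "")
        if prog and (is_system_name_outside_windows(prog)
                     or is_double_extension(prog.rsplit("\\", 1)[-1])):
            hits.append(("T1053.005",
                         f"task {task.get('tn', '?')} runs masqueraded binary {prog} "
                         f"(/sc {task.get('sc', '?')} /st {task.get('st', '?')} /rl {task.get('rl', '?')})"))
    return hits


def scan(rows):
    """Return [(device, path, technique, reason)] for every row with at least one hit."""
    return [(r["DeviceName"], r["FolderPath"], t, why)
            for r in rows for t, why in evaluate_process(r)]


# Constructed rows from sections S1 and S7; the schtasks command line is assumed,
# as the report gives only the task name, schedule and privilege level.
SAMPLE_ROWS = [
    {"DeviceName": "as-pc1", "FileName": "Daniel_Richardson_CV.pdf.exe",
     "FolderPath": r"C:\Users\Sophie.Turner\Downloads\Daniel_Richardson_CV\Daniel_Richardson_CV.pdf.exe",
     "ProcessCommandLine": r'"Daniel_Richardson_CV.pdf.exe"'},
    {"DeviceName": "as-pc2", "FileName": "RuntimeBroker.exe",
     "FolderPath": r"C:\Users\Public\RuntimeBroker.exe",
     "ProcessCommandLine": r"C:\Users\Public\RuntimeBroker.exe"},
    {"DeviceName": "as-pc2", "FileName": "RuntimeBroker.exe",  # the legitimate one
     "FolderPath": r"C:\Windows\System32\RuntimeBroker.exe",
     "ProcessCommandLine": r"C:\Windows\System32\RuntimeBroker.exe -Embedding"},
    {"DeviceName": "as-srv", "FileName": "schtasks.exe",
     "FolderPath": r"C:\Windows\System32\schtasks.exe",
     "ProcessCommandLine": r'schtasks.exe /create /tn MicrosoftEdgeUpdateCheck /sc daily /st 03:00 '
                           r'/rl highest /tr "C:\Users\Public\RuntimeBroker.exe" /f'},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_ROWS):
        print(hit)
```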
S8 Data Access & Exfiltration Preparation T1005 · T1039 · T1560.001 · T1083

On AS-SRV, the attacker navigated to C:\Shares\Payroll\ and opened BACS_Payments_Dec2025.ods — a LibreOffice spreadsheet containing BACS (Bankers' Automated Clearing Services) payment records. BACS files typically contain employee or supplier bank account numbers, sort codes, and payment amounts. This is highly sensitive financial data with direct fraud potential.

Proof of editing (not just viewing): When LibreOffice opens a document for editing, it immediately creates a lock file in the same directory with the naming pattern .~lock.<filename>#. This lock file exists ONLY while the document is actively open. A simple copy or view would never create this file. The presence of .~lock.BACS_Payments_Dec2025.ods# is therefore forensic proof that the document was opened and edited — not merely copied.

Following data access, the attacker used Windows Explorer (explorer.exe via a Guacamole RDP session as AS.SRV.Administrator) to create Shares.7z — packaging the entire contents of the C:\Shares directory for exfiltration. The archive was staged within the shares directory itself before exfiltration.

Sensitive Document: BACS_Payments_Dec2025.ods
Editing Proof Artifact: .~lock.BACS_Payments_Dec2025.ods#
Access Origin Host: AS-PC2
Exfil Archive: Shares.7z
Archive SHA256: 6886c0a2e59792e69df94d2cf6ae62c2364fda50a23ab44317548895020ab048
How Access Origin Was Determined

The DeviceFileEvents query against AS-SRV showed ntoskrnl.exe (Windows kernel) as the initiating process for the BACS file access — this is normal behavior for SMB remote file access, where the kernel handles I/O on behalf of the remote session. The access origin was determined by correlating the RequestAccountName field, which showed david.mitchell — the account associated with AS-PC2. This confirms AS-PC2 as the origin workstation.

Q-S8 — Full share activity on AS-SRV (data access + archive creation)
KQL · DeviceFileEvents
DeviceFileEvents
| where Timestamp between (datetime(2026-01-15) .. datetime(2026-01-16))
| where DeviceName =~ "as-srv"
| where FolderPath has @"C:\Shares"
| project Timestamp, ActionType, FolderPath, FileName, SHA256,
          InitiatingProcessFileName, InitiatingProcessAccountName,
          InitiatingProcessRemoteSessionDeviceName
| order by Timestamp asc
S9 Anti-Forensics & In-Memory Execution T1070.001 · T1620 · T1055.001 · T1555.003 · T1552.004

The attacker conducted two distinct anti-forensic operations: log clearing to degrade visibility into their actions, and reflective code loading to execute credential theft tooling without touching disk — making traditional file-based detection impossible.

Log Clearing — wevtutil

Four Windows event logs were cleared using wevtutil.exe cl <logname> — a built-in Windows utility for event log management. The Security log contains logon events, privilege use, account management — the most forensically valuable log for investigating what happened. The System log contains service starts/stops, driver loads. Application and Windows PowerShell logs were cleared to cover scripting activity. MDE telemetry still captured the clearing actions themselves, which is how we can enumerate what was cleared despite the logs being gone.

Time (UTC) | Command | Log Cleared | Why It Matters
08:07:59 | wevtutil.exe cl Security | Security | Logon events, privilege escalation, account creation
08:08:00 | wevtutil.exe cl System | System | Service creation, driver loads, system errors
08:08:01 | wevtutil.exe cl Application | Application | Application errors, AnyDesk activity
08:08:09 | wevtutil.exe cl "Windows PowerShell" | Windows PowerShell | PowerShell script execution history
SharpChrome — Reflective Code Loading into notepad.exe

SharpChrome is a GhostPack tool written in C# (.NET) that targets browser credential stores. It was never written to disk — instead, it was injected directly into the memory of notepad.exe as a .NET assembly using reflective loading (T1620). The Windows CLR (Common Language Runtime) — the engine that executes .NET code — loaded SharpChrome entirely in memory. Since there is no file on disk, traditional AV/EDR file scanning cannot detect it.

The execution sequence: Daniel_Richardson_CV.pdf.exe called CreateRemoteThread() in notepad.exe's process space, loading System.ni.dll (the compiled .NET framework library) and then SharpChrome as an unbacked CLR module. MDE detected this via the ClrUnbackedModuleLoaded ActionType — a specific detection for .NET assemblies loaded with no corresponding file on disk. SharpChrome then called UnprotectData() (Windows DPAPI) twice — once for Microsoft Edge credentials and once for Google Chrome credentials — decrypting saved passwords from the Chrome/Edge Login Data SQLite database.

Cleared Logs (any two): Security, System
Reflective Loading ActionType: ClrUnbackedModuleLoaded
In-Memory Tool: SharpChrome
Host Process: notepad.exe
Q-S9a — Log clearing events (anti-forensics)
KQL · DeviceProcessEvents
DeviceProcessEvents
| where Timestamp between (datetime(2026-01-15) .. datetime(2026-01-16))
| where DeviceName has_any ("as-pc1","as-pc2","as-srv")
| where FileName =~ "wevtutil.exe"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
| order by Timestamp asc
Q-S9b — Reflective CLR module loading (SharpChrome) — the honest hunting approach
KQL · DeviceEvents
DeviceEvents
| where Timestamp between (datetime(2026-01-15) .. datetime(2026-01-16))
| where DeviceName == "as-pc1"
| where InitiatingProcessFileName =~ "notepad.exe"
| project Timestamp, ActionType, InitiatingProcessFileName,
          AdditionalFields
| order by Timestamp asc
Why DeviceEvents and Not DeviceProcessEvents?

DeviceProcessEvents only captures new process creation. SharpChrome was never launched as a process — it was injected into an existing process (notepad.exe) as a .NET assembly in memory. DeviceEvents is MDE's catch-all table for security events that don't fit process/file/network categories — including CLR module loads, DPAPI calls, memory protection changes, and process injection indicators. The ClrUnbackedModuleLoaded ActionType specifically identifies .NET assemblies loaded into memory with no corresponding file path on disk — the exact signature of reflective loading.

10 Impact Assessment
Confidentiality: BACS payment data accessed and archived. BACS_Payments_Dec2025.ods contains employee/supplier banking details (account numbers, sort codes, payment amounts). Direct fraud potential if exfiltrated to threat actor.
Confidentiality: Browser credentials stolen via SharpChrome/DPAPI. All saved passwords in Microsoft Edge and Google Chrome on AS-PC1 were decrypted and exfiltrated in plaintext — internal systems, email, banking portals, SaaS applications.
Confidentiality: NTLM hashes dumped from registry. SAM + SYSTEM hives staged at C:\Users\Public\ — local account hashes available for offline cracking or Pass-the-Hash attacks against internal systems.
Confidentiality: Entire Shares directory archived (Shares.7z). All data across C:\Shares\ — Payroll, Clients, Contractors — packaged for exfiltration. Full organizational data exposure likely.
Persistence: AnyDesk deployed on all 3 hosts with attacker-set password. Unattended access active with password intrud3r! — provides persistent GUI-level access independent of malware C2.
Persistence: Scheduled task MicrosoftEdgeUpdateCheck on AS-PC2 and AS-SRV. Daily execution at 03:00 of RuntimeBroker.exe (malware) with highest privileges. Survives reboots.
Persistence: Backdoor account svc_backup created on AS-PC1 with Administrators membership. Provides credential-based access that persists even if AnyDesk is uninstalled and scheduled tasks are removed.
Integrity: Built-in Administrator account activated on AS-PC2. net user Administrator /active:yes — re-enables a high-value account that is typically disabled in hardened environments.
Availability: Four event logs cleared. Security, System, Application, Windows PowerShell — forensic visibility significantly degraded. Scope of compromise may be underestimated.
Critical: Estimated blast radius: all three AS domain hosts, full share content, credential material for browser-stored accounts, local NTLM hashes, and active persistent access channels (AnyDesk + scheduled task + backdoor account). The attacker has multiple redundant access paths. Remediation must address all simultaneously or the attacker will re-enter through whichever path was missed.
11 Threat Intelligence Context
Initial Access Broker (IAB) Profile

The tradecraft observed in this intrusion is highly consistent with Initial Access Broker operations. IABs are a specialized criminal ecosystem that emerged prominently around 2019–2020. Rather than conducting full ransomware attacks themselves, they specialize in gaining initial entry, establishing persistent access across the victim's environment, and then selling that access on dark web forums — typically for $500–$50,000 depending on organization size and access level.

Key IAB indicators observed in this incident: (1) Multiple remote access channels established (AnyDesk on all hosts + C2 malware + scheduled task) — IABs establish redundancy to maximize sale value. (2) Credential harvesting scope (browser passwords, SAM hives) — credentials are bundled with access to increase sale price. (3) Financial data targeting (BACS payroll file) — confirms attacker understood the high value of this data. (4) Clean operational tempo with minimal dwell time — IABs are efficient to avoid detection before completing the access package.

Tool Association — GhostPack / SharpCollection

SharpChrome is part of the GhostPack offensive security toolkit maintained by SpecterOps. The use of reflective loading to inject C# tools into legitimate processes (notepad.exe, explorer.exe) is a signature tradecraft of groups using the SharpCollection ecosystem. This technique is heavily associated with post-exploitation frameworks like Cobalt Strike and Sliver, suggesting the malware may be a custom loader for a commercial C2 framework.

12 IOC Summary
File Hashes

48b97fd91946e81e3e7742b3554585360551551cbf9398e1f34f4bc4eac3a6b5 — Daniel_Richardson_CV.pdf.exe / RuntimeBroker.exe (same payload)
f42b635d93720d1624c74121b83794d706d4d064bee027650698025703d20532 — AnyDesk.exe
6886c0a2e59792e69df94d2cf6ae62c2364fda50a23ab44317548895020ab048 — Shares.7z (exfil archive)

Domains

cdn.cloud-endpoint.net — C2 domain
sync.cloud-endpoint.net — Staging / payload hosting domain

Accounts Created by Attacker

svc_backup — Backdoor local admin account on AS-PC1

Scheduled Tasks Created by Attacker

MicrosoftEdgeUpdateCheck — on AS-PC2 and AS-SRV, executing C:\Users\Public\RuntimeBroker.exe daily at 03:00

Files of Interest

C:\Users\Public\sam.hiv
C:\Users\Public\system.hiv
C:\Users\Public\AnyDesk.exe
C:\Users\Public\RuntimeBroker.exe
C:\Shares\Clients\Shares.7z

Unattended Access Credential

intrud3r! — AnyDesk unattended password set on all three hosts via --set-password

13 Recommendations
Immediate — Now
  • Isolate AS-PC1, AS-PC2, AS-SRV immediately from the network. All three hosts have active persistent access channels. Network isolation prevents the attacker from using any of them while remediation proceeds.
  • Uninstall AnyDesk from all three hosts and revoke any AnyDesk IDs associated with them. The password intrud3r! must be considered burned across all AnyDesk installations in the organization.
  • Delete scheduled task MicrosoftEdgeUpdateCheck on AS-PC2 and AS-SRV. Delete RuntimeBroker.exe from C:\Users\Public\ on both hosts.
  • Disable and delete svc_backup account on AS-PC1. Audit all local accounts on all three hosts for other attacker-created accounts.
  • Re-disable the built-in Administrator account on AS-PC2. Rotate the Administrator password on all three hosts.
  • Delete sam.hiv and system.hiv from C:\Users\Public\ on AS-PC1. Consider all local account passwords on AS-PC1 compromised — rotate immediately.
  • Force password reset for Sophie.Turner and David.Mitchell domain accounts. All browser-saved passwords on AS-PC1 must be considered compromised — notify affected users to reset credentials on all sites stored in Chrome/Edge.
  • Block C2/staging domains at perimeter firewall and DNS: cdn.cloud-endpoint.net, sync.cloud-endpoint.net.
Short-Term — This Week
  • Forensic imaging of all three hosts before reimaging. Preserve memory dumps if possible — SharpChrome output may still be recoverable from memory.
  • Hunt for additional compromised hosts. Query DeviceNetworkEvents for any hosts that connected to cdn.cloud-endpoint.net or sync.cloud-endpoint.net. Run SHA256 hash 48b97fd... across the entire estate.
  • Notify relevant parties about BACS data exposure. If BACS_Payments_Dec2025.ods was exfiltrated, financial institutions and affected employees/suppliers may need to be notified per applicable data protection regulations.
  • Block certutil.exe outbound internet access via firewall rules. Certutil has no legitimate reason to download files from external domains in most enterprise environments.
  • Audit all AnyDesk installations across the organization. AnyDesk should be allowlisted only for approved business use and managed centrally.
  • Enable Windows Defender Attack Surface Reduction (ASR) rules to block process injection, prevent credential dumping, and restrict Office/browser processes from spawning child processes.
Long-Term — Strategic
  • Deploy email attachment sandboxing that detonates executable files disguised with double extensions before delivery. The initial vector was a .exe masquerading as a PDF — basic attachment analysis would have caught this.
  • Enable file extension visibility in Windows Explorer for all user endpoints (disabled by default). Users cannot identify double-extension attacks when extensions are hidden.
  • Implement Privileged Access Workstations (PAW) for accounts with administrative access to AS-SRV. The Payroll share should not be directly accessible from standard user workstations.
  • Deploy EDR with memory scanning capabilities. ClrUnbackedModuleLoaded events should trigger immediate alert escalation — notepad.exe loading CLR modules is never legitimate.
  • Implement network segmentation to prevent direct RDP access between workstations and the file server. Lateral movement via mstsc should require explicit jump server routing through a PAM solution.
  • Enable PowerShell Constrained Language Mode and Script Block Logging on all endpoints. This would have preserved PowerShell activity even after log clearing.
  • User security awareness training focused on double-extension attacks, CV-themed lures, and the risks of executing files from email/downloads without verification.
14 Full KQL Query Library

All queries are scoped to the attack window and the three compromised hosts. Run in Microsoft Sentinel (Logs blade) or MDE Advanced Hunting.

Q01 — Scope variables (reuse across queries)
KQL
let Start   = datetime(2026-01-15 00:00:00);
let End     = datetime(2026-01-15 23:59:59);
let Devices = dynamic(["as-pc1","as-pc2","as-srv"]);
The queries below are written with their time window and host filters inline so each runs stand-alone; to reuse these variables instead, prepend the three let statements and replace the inline filters with Timestamp between (Start .. End) and DeviceName in~ (Devices).
Q02 — Initial access vector — SHA256 and process chain
KQL · DeviceProcessEvents
DeviceProcessEvents
| where Timestamp between (datetime(2026-01-15) .. datetime(2026-01-16))
| where DeviceName == "as-pc1"
| where FileName =~ "Daniel_Richardson_CV.pdf.exe"
| project Timestamp, FileName, SHA256, FolderPath,
          InitiatingProcessFileName, ProcessCommandLine
Q03 — C2 connections initiated by malware
KQL · DeviceNetworkEvents
DeviceNetworkEvents
| where Timestamp between (datetime(2026-01-15) .. datetime(2026-01-16))
| where DeviceName == "as-pc1"
| where InitiatingProcessFileName =~ "Daniel_Richardson_CV.pdf.exe"
| project Timestamp, RemoteUrl, RemoteIP, RemotePort,
          InitiatingProcessFileName
| order by Timestamp asc
Q04 — Registry hive dumping (credential access)
KQL · DeviceProcessEvents
DeviceProcessEvents
| where Timestamp between (datetime(2026-01-15) .. datetime(2026-01-16))
| where DeviceName has_any ("as-pc1","as-pc2","as-srv")
| where FileName =~ "reg.exe"
| where ProcessCommandLine has_any ("save","HKLM")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
| order by Timestamp asc
Q05 — Discovery commands
KQL · DeviceProcessEvents
DeviceProcessEvents
| where Timestamp between (datetime(2026-01-15) .. datetime(2026-01-16))
| where DeviceName has_any ("as-pc1","as-pc2","as-srv")
| where FileName in~ ("whoami.exe","net.exe","ipconfig.exe","hostname.exe","arp.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
| order by Timestamp asc
Q06 — AnyDesk deployment (file creation across all hosts)
KQL · DeviceFileEvents
DeviceFileEvents
| where Timestamp between (datetime(2026-01-15) .. datetime(2026-01-16))
| where DeviceName has_any ("as-pc1","as-pc2","as-srv")
| where InitiatingProcessFileName =~ "AnyDesk.exe"
| project Timestamp, DeviceName, ActionType, FolderPath,
          FileName, InitiatingProcessAccountName
| order by Timestamp asc
Q07 — certutil download activity (LOLBIN abuse)
KQL · DeviceProcessEvents
DeviceProcessEvents
| where Timestamp between (datetime(2026-01-15) .. datetime(2026-01-16))
| where DeviceName has_any ("as-pc1","as-pc2","as-srv")
| where FileName =~ "certutil.exe"
| where ProcessCommandLine has_any ("urlcache","http","download")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
| order by Timestamp asc
Q08 — All remote execution tool attempts (lateral movement hunt)
KQL · DeviceProcessEvents
DeviceProcessEvents
| where Timestamp between (datetime(2026-01-15) .. datetime(2026-01-16))
| where DeviceName has_any ("as-pc1","as-pc2","as-srv")
| where FileName in~ ("psexec.exe","wmic.exe","winrs.exe","mstsc.exe",
                      "schtasks.exe","sc.exe","at.exe","net.exe")
| where ProcessCommandLine has_any ("\\\\","/node:","/v:","computername","/r:")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
| order by Timestamp asc
Q09 — Scheduled task creation (persistence)
KQL · DeviceProcessEvents
DeviceProcessEvents
| where Timestamp between (datetime(2026-01-15) .. datetime(2026-01-16))
| where DeviceName has_any ("as-pc1","as-pc2","as-srv")
| where FileName =~ "schtasks.exe"
| where ProcessCommandLine has "/create"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
| order by Timestamp asc
Q10 — Backdoor account creation
KQL · DeviceProcessEvents
DeviceProcessEvents
| where Timestamp between (datetime(2026-01-15) .. datetime(2026-01-16))
| where DeviceName has_any ("as-pc1","as-pc2","as-srv")
| where FileName in~ ("net.exe","net1.exe")
| where ProcessCommandLine has " user " and ProcessCommandLine has "/add"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
| order by Timestamp asc
Q11 — File share access and exfil archive on AS-SRV
KQL · DeviceFileEvents
DeviceFileEvents
| where Timestamp between (datetime(2026-01-15) .. datetime(2026-01-16))
| where DeviceName =~ "as-srv"
| where FolderPath has @"C:\Shares"
| project Timestamp, ActionType, FolderPath, FileName, SHA256,
          InitiatingProcessFileName, InitiatingProcessAccountName,
          InitiatingProcessRemoteSessionDeviceName
| order by Timestamp asc
Q12 — Event log clearing (anti-forensics)
KQL · DeviceProcessEvents
DeviceProcessEvents
| where Timestamp between (datetime(2026-01-15) .. datetime(2026-01-16))
| where DeviceName has_any ("as-pc1","as-pc2","as-srv")
| where FileName =~ "wevtutil.exe"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
| order by Timestamp asc
Q13 — SharpChrome reflective loading detection (in-memory tool)
KQL · DeviceEvents
DeviceEvents
| where Timestamp between (datetime(2026-01-15) .. datetime(2026-01-16))
| where DeviceName == "as-pc1"
| where InitiatingProcessFileName =~ "notepad.exe"
| project Timestamp, ActionType, InitiatingProcessFileName, AdditionalFields
| order by Timestamp asc
Q14 — Full wide process scan (initial triage baseline)
KQL · DeviceProcessEvents
DeviceProcessEvents
| where Timestamp between (datetime(2026-01-15) .. datetime(2026-01-16))
| where DeviceName has_any ("as-pc1","as-pc2","as-srv")
| project Timestamp, DeviceName, AccountName, FileName,
          ProcessCommandLine, InitiatingProcessFileName,
          InitiatingProcessCommandLine, SHA256
| order by Timestamp asc
CONFIDENTIAL Ashford Sterling Recruitment — BROKER-001  ·  Yousef Nabil  ·  February 25, 2026