Erick Cisneros
INC-2025-CH01

CorpHealth Traceback

STATUS: CLOSED / COMPLETE

ANALYST: Erick Cisneros Ruballos

DATETIME: Dec 05, 2025

A full traceback investigation detailing the compromise of operational assets via stolen credentials, advanced PowerShell token manipulation, and data staging utilizing external Ngrok tunnels for Command & Control.

Tags: Threat Hunting, MDE, KQL, Token Manipulation
Archive Evidence (GitHub)

Executive Summary

During a routine operational review, anomalous activity was detected on workstation ch-ops-wks02. The investigation confirmed that a threat actor gained unauthorized access using valid administrative credentials, performed local reconnaissance, escalated privileges via Windows token manipulation, and established persistence using scheduled tasks and startup folders.

The attacker successfully staged internal data for exfiltration and deployed a reverse shell downloaded via an external Ngrok tunnel. The threat actor originated from an external IP geolocated to Vietnam and utilized an internal Azure pivot point to reach the target.

CLASSIFICATION: HIGH SEVERITY
TARGET ASSET: ch-ops-wks02
ORIGIN GEO: Vietnam
COMPROMISED AD: chadmin

Investigation Timeline (Intrusion Chain)

PHASE 1

Access & Reconnaissance

Attacker logged in as 'chadmin' from Vietnam IP 104.164.168.17. Executed 'ipconfig.exe' and accessed a sensitive file: 'CH-OPS-WKS02 user-pass.txt'.

PHASE 2

Execution & Staging

Deployed 'MaintenanceRunner_Distributed.ps1'. Created inventory CSVs in Diagnostic and Temp directories to stage data for exfil. Hashes differed, indicating tampering.

PHASE 3

Privilege Escalation

Modified primary token privileges (Event ProcessPrimaryTokenModified via PID 4888). Process executed an encoded PowerShell command to handle the impersonation token.

PHASE 4

System Persistence

Created scheduled task 'CorpHealth_A65E64'. Added 'MaintenanceRunner' to Registry Run keys ephemerally. Tampered with 'EventLog/Application/CorpHealthAgent'.

PHASE 5

C2 & Tool Ingress

Attempted to add Defender exclusions. Used 'curl.exe' to download 'revshell.exe' from an ngrok-free.dev URL.

PHASE 6

Execution & Tunneling

'revshell.exe' executed by explorer.exe, opening an outbound reverse shell over port 11746. Copied payload to the Windows Startup folder for reboot persistence.

Indicators of Compromise (IOCs)

Network Infrastructure
Attacker IP: 104.164.168.17
C2 Address: 13.228.171.119:11746
Pivot Tunnel: *.ngrok-free.dev
Pivot IP: 10.168.0.7
VPN/CGNAT Node: 100.64.100.6

Filesystem & Payloads
Malicious Script: MaintenanceRunner_Distributed.ps1
Payload Binary: revshell.exe
Staging File: inventory_6ECFD4DF.csv
Scheduled Task: CorpHealth_A65E64
Target Account: ops.maintenance / chadmin

KQL Threat Hunt Reconstruction

Highlighted Defender queries bridging the investigation timeline.

Flag 11 & 14: Token Privilege Modification
// A process modified token privileges for user SID
DeviceEvents
| where TimeGenerated between (datetime(2025-11-20) .. datetime(2025-12-10))
| where DeviceName =~ "CH-OPS-WKS02"
| where AdditionalFields has_any ("tokenChangesDescription", "Privileges")
| where InitiatingProcessCommandLine contains "powershell"
| project InitiatingProcessId, ActionType, TimeGenerated
Flag 5: CSV Data Staging Discovery
DeviceFileEvents
| where TimeGenerated between (datetime(2025-11-20) .. datetime(2025-12-10))
| where DeviceName == "ch-ops-wks02"
| where FolderPath contains "Diagnostics"
| where ActionType == "FileCreated"
| project FolderPath, FileName
Flag 13: Encoded Base64 Execution
// Decoded reveals: Write-Output 'token-6D5E4EE08227'
DeviceProcessEvents
| where TimeGenerated between (datetime(2025-11-20) .. datetime(2025-12-10))
| where DeviceName =~ "CH-OPS-WKS02"
| where ProcessCommandLine has "-EncodedCommand"
| extend EncodedBlob = extract(@"-EncodedCommand\s+([A-Za-z0-9+/=]+)", 1, ProcessCommandLine)
| extend DecodedCommand = base64_decode_tostring(EncodedBlob)
| project DecodedCommand
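The Flag 13 query decodes the blob with base64_decode_tostring, which assumes UTF-8, while powershell.exe expects an -EncodedCommand blob to be UTF-16LE. As an added example (not part of the original write-up), the Python below reproduces the query's extraction offline over constructed process events, tries the UTF-16LE encoding first, and also matches the abbreviated switch spellings (-e, -ec, -enc) that the KQL regex does not; the PIDs and command lines are constructed.

```python
import base64
import binascii
import re

# Mirrors the extract() in the Flag 13 query, plus the abbreviated switch
# spellings powershell.exe also accepts (-e, -ec, -enc).
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(command_line: str):
    """Return the script behind -EncodedCommand, or None if absent or undecodable."""
    m = ENCODED_RE.search(command_line)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)  # tolerate stripped '=' padding
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error:
        return None
    # powershell.exe expects UTF-16LE; decoding a genuine blob as UTF-8 (what the
    # KQL query does) leaves a NUL after every ASCII character. The fallback order
    # and printability check below are a heuristic, not a guarantee.
    for codec in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(codec)
        except UnicodeDecodeError:
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            return text
    return None


def hunt(process_events):
    """Return (pid, decoded script) for every event carrying an encoded command."""
    hits = []
    for pid, cmdline in process_events:
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            hits.append((pid, decoded))
    return hits


# Constructed sample events, not incident telemetry. First blob: the page's decoded
# string re-encoded as powershell.exe expects (UTF-16LE). Second: the same as UTF-8.
SCRIPT = "Write-Output 'token-6D5E4EE08227'"
UTF16_BLOB = base64.b64encode(SCRIPT.encode("utf-16-le")).decode()
UTF8_BLOB = base64.b64encode(SCRIPT.encode("utf-8")).decode()
SAMPLE_EVENTS = [
    (4888, f"powershell.exe -NoProfile -EncodedCommand {UTF16_BLOB}"),
    (5120, f"powershell.exe -enc {UTF8_BLOB}"),
    (6001, "ipconfig.exe /all"),
]
HITS = hunt(SAMPLE_EVENTS)  # [(4888, SCRIPT), (5120, SCRIPT)]
```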
Flag 27: Geolocation Inference Validation
DeviceLogonEvents
| where DeviceName == "ch-ops-wks02"
| where RemoteIP == "104.164.168.17"
| extend GeoInfo = geo_info_from_ip_address(RemoteIP)
| project RemoteIP, GeoInfo.country

Strategic Recommendations

1. Implement strict Multi-Factor Authentication (MFA) across all remote administrative logon gateways so that stolen credentials alone no longer grant access.
2. Enhance edge perimeter monitoring for unauthorized Ngrok or alternative tunneling services bridging into standard ports.
3. Review and actively harden Windows Defender exclusion policies globally across the domain.
4. Actively monitor for the ProcessPrimaryTokenModified event in production to detect sophisticated privilege escalation.