Spooler APT28

Scenario

Lab Link: Spooler APT28

The SOC team was notified by the IT department regarding a potentially compromised workstation recently reassigned to a new government employee named Keela. Upon receiving the workstation, Keela reported unusually slow performance and suspected the system had not been properly cleaned before being handed over. The IT team initiated a routine cleanup but identified indicators of suspicious activity suggesting that the machine, and possibly the department's website may have been previously compromised.

As a forensics investigator, you have been provided with a disk image of Keela's workstation. Your task is to perform a comprehensive investigation to uncover any signs of malicious activity, reconstruct the timeline of events, and assess the scope and impact of the potential compromise.

Initial Access

Q1

What is the full name of the previous user of this machine, before it was assigned to Keela?

Looking at the user profiles under

C:\Users\Administrator\Desktop\Start Here\Artifacts\C\Users

There is another user called yanis, but that's not the full name. To find the full name:

  1. Open the SAM hive using Registry Explorer
  2. The file is located in
    C:\Users\Administrator\Desktop\Start Here\Artifacts\C\Windows\System32\config

Answer:

Yanisara Denthongkul

Q2

The previous user downloaded an archive from a compromised internal website that led to the initial infection. When was this archive successfully downloaded?

Look in the Chrome profile folder at

C:\Users\Administrator\Desktop\Start Here\Artifacts\C\Users\yanis\AppData\Local\Google\Chrome\User Data\Default

Open the History SQLite database in that folder and run this SQL query to convert the WebKit-format end_time column to a readable timestamp:

SELECT 
  *, 
  datetime((end_time / 1000000) - 11644473600, 'unixepoch') AS end_time_readable
FROM downloads

HTTP and .gov, yet our Karen fell for it.

Answer:

2025-08-10 11:11
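The timestamp arithmetic in the query above is worth seeing end to end. The following is an added example, not code from the lab or the writeup: it builds a constructed stand-in for Chrome's History file in memory (only the download columns needed here, with placeholder URLs and paths), runs the same datetime((end_time / 1000000) - 11644473600, 'unixepoch') conversion, and additionally flags downloads that came over cleartext HTTP, which is the detail the writeup calls out. The WebKit epoch constants are real; the sample rows are constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome/WebKit timestamps are microseconds since 1601-01-01 00:00:00 UTC.
# 11644473600 is the number of seconds between that epoch and the Unix epoch,
# the same constant the SQL query on this page subtracts.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
WEBKIT_UNIX_OFFSET_SECONDS = 11644473600


def webkit_to_datetime(webkit_us: int) -> datetime:
    """Convert a WebKit microsecond timestamp to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=webkit_us)


def datetime_to_webkit(dt: datetime) -> int:
    """Inverse conversion in integer arithmetic so no microseconds are lost to float rounding."""
    delta = dt - WEBKIT_EPOCH
    return (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds


def build_sample_history() -> sqlite3.Connection:
    """Constructed stand-in for a Chrome 'History' file with just the download columns used here."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE downloads (
               id INTEGER PRIMARY KEY, target_path TEXT, tab_url TEXT,
               start_time INTEGER, end_time INTEGER, state INTEGER)"""
    )
    # Constructed rows: URLs and paths are placeholders, not values from the lab image.
    # state 1 is Chrome's value for a completed download.
    rows = [
        (1, r"C:\Users\yanis\Downloads\Printing_Guideline.zip",
         "http://intranet.example.gov/files/Printing_Guideline.zip",
         datetime_to_webkit(datetime(2025, 8, 10, 11, 10, 30, tzinfo=timezone.utc)),
         datetime_to_webkit(datetime(2025, 8, 10, 11, 11, 0, tzinfo=timezone.utc)), 1),
        (2, r"C:\Users\yanis\Downloads\report.pdf",
         "https://vendor.example.com/report.pdf",
         datetime_to_webkit(datetime(2025, 8, 9, 9, 0, 0, tzinfo=timezone.utc)),
         datetime_to_webkit(datetime(2025, 8, 9, 9, 0, 5, tzinfo=timezone.utc)), 1),
    ]
    conn.executemany("INSERT INTO downloads VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn


def list_downloads(conn: sqlite3.Connection) -> list[dict]:
    """Run the page's conversion inside SQLite and flag cleartext-HTTP sources for triage."""
    sql = """
        SELECT id, target_path, tab_url, state,
               datetime((end_time / 1000000) - 11644473600, 'unixepoch') AS end_time_readable
        FROM downloads
        ORDER BY end_time
    """
    results = []
    for id_, path, url, state, end_readable in conn.execute(sql):
        results.append({
            "id": id_,
            "target_path": path,
            "tab_url": url,
            "completed": state == 1,
            "end_time_readable": end_readable,
            "cleartext_http": url.lower().startswith("http://"),
        })
    return results


if __name__ == "__main__":
    for row in list_downloads(build_sample_history()):
        flag = "  <-- cleartext HTTP" if row["cleartext_http"] else ""
        print(row["end_time_readable"], row["target_path"], row["tab_url"] + flag)
```

Against a real image, replace build_sample_history() with sqlite3.connect() on a copy of the History file (copy it first; Chrome holds a lock on the live one and the lab's copy should stay pristine). The integer division inside SQLite drops sub-second precision, which is why the writeup's answer is reported to the minute.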

Execution

Q3

What is the name of the file executed by the user that initiated the infection chain on this machine?

I initially thought it must be in the .zip file. However, after an hour of searching, I discovered it was actually a .lnk file all along, not an .exe file. I'll demonstrate what you need to load. Note: You won't find it in either the MFT or Prefetch files.

Answer:

Printing_Guideline.lnk

Q4

Upon executing the file, an HTA script was executed remotely. What is the name of the temporary copy of this script created on this machine?

In the PECmd output, look for mshta.exe. You will find that it loaded multiple files, one of which was:

Answer:

STAGING[1].HTA

Q5

Two files were created in the temporary directory of the compromised user. What are their names? (Provide in alphabetical order)

Answer:

edge.exe,wininet.dll

Q6

What is the original filename of the first file identified in the previous question?

Go to the Amcache hive; you will see the SHA1 of edge.exe, which is

SHA1
ed13af4a0a754b8daee4929134d2ff15ebe053cd

Look it up and you will find it is

Answer:

CALC.EXE

Q7

What is the MITRE ATT&CK technique that corresponds to the method the malicious payload used to load itself?

Answer:

T1574.001

Q8

Which LOLBin was used to download malicious payload?

Answer:

certutil.exe

Persistence

Q9

A persistence mechanism was created to execute the malicious payload at every system startup. What is the name assigned to this persistence entry?

In NTUSER.DAT, navigate to

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Answer:

EdgeUpdate

Q10

Another Boot or Logon Autostart persistence was configured to execute a DLL payload remotely through the Print Spooler service. What is the MITRE ATT&CK Technique ID associated with this persistence mechanism?

Answer:

T1547.010

Q11

What is the full path of the malicious DLL configured to be loaded through the Print Spooler service?

Load the SYSTEM hive.

Answer:

\\google.gov\debug\spooler.dll

Q12

According to the event logs, how many failed attempts to load the persistence DLL were recorded due to the network path not being found?

Look for Event ID 808 entries related to spooler.dll.

Answer:

3
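Counting those Event ID 808 records by hand works for a lab, but the same filter is easy to script once the log is exported to XML. The following is an added example, not code from the lab or the writeup: it assumes the events have been exported in the standard Windows event XML shape (System/EventID, EventData/Data) that evtx-to-XML tools emit, assumes the channel is the PrintService/Admin log, and uses constructed sample records whose Data field names ("Module", "ErrorText") are assumptions rather than the lab's real field names. It counts only 808 events that name spooler.dll and report the network path error, ignoring 808s for other modules or other errors.

```python
import xml.etree.ElementTree as ET

# Default namespace used by Windows event XML.
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample records. Three match (808, spooler.dll, network path error),
# one is 808 for a different module, one is 808 for spooler.dll with a different
# error, and one is an unrelated event ID. Data field names are assumptions.
SAMPLE_EVENTS_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-PrintService"/><EventID>808</EventID>
  <TimeCreated SystemTime="2025-08-11T08:02:10Z"/><Channel>Microsoft-Windows-PrintService/Admin</Channel></System>
  <EventData><Data Name="Module">\\google.gov\debug\spooler.dll</Data>
  <Data Name="ErrorText">The network path was not found.</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-PrintService"/><EventID>372</EventID>
  <TimeCreated SystemTime="2025-08-11T08:02:11Z"/><Channel>Microsoft-Windows-PrintService/Admin</Channel></System>
  <EventData><Data Name="Document">Printing_Guideline.pdf</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-PrintService"/><EventID>808</EventID>
  <TimeCreated SystemTime="2025-08-12T07:55:41Z"/><Channel>Microsoft-Windows-PrintService/Admin</Channel></System>
  <EventData><Data Name="Module">\\google.gov\debug\spooler.dll</Data>
  <Data Name="ErrorText">The network path was not found.</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-PrintService"/><EventID>808</EventID>
  <TimeCreated SystemTime="2025-08-12T07:55:42Z"/><Channel>Microsoft-Windows-PrintService/Admin</Channel></System>
  <EventData><Data Name="Module">C:\Windows\System32\othermon.dll</Data>
  <Data Name="ErrorText">The network path was not found.</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-PrintService"/><EventID>808</EventID>
  <TimeCreated SystemTime="2025-08-13T09:14:03Z"/><Channel>Microsoft-Windows-PrintService/Admin</Channel></System>
  <EventData><Data Name="Module">\\google.gov\debug\spooler.dll</Data>
  <Data Name="ErrorText">Access is denied.</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-PrintService"/><EventID>808</EventID>
  <TimeCreated SystemTime="2025-08-14T10:30:00Z"/><Channel>Microsoft-Windows-PrintService/Admin</Channel></System>
  <EventData><Data Name="Module">\\google.gov\debug\spooler.dll</Data>
  <Data Name="ErrorText">The network path was not found.</Data></EventData>
</Event>
</Events>"""


def failed_module_loads(xml_text: str, module_name: str = "spooler.dll",
                        error_fragment: str = "network path was not found",
                        event_id: str = "808") -> list[str]:
    """Return the TimeCreated of every event that matches the ID, module name and error text.

    Matching is done on the concatenated EventData values so it does not depend on
    the exact Data field names, which vary between exporters.
    """
    root = ET.fromstring(xml_text)
    hits = []
    for ev in root.findall("e:Event", EVT_NS):
        if ev.findtext("e:System/e:EventID", namespaces=EVT_NS) != event_id:
            continue
        blob = " ".join((d.text or "") for d in ev.findall("e:EventData/e:Data", EVT_NS)).lower()
        if module_name.lower() in blob and error_fragment.lower() in blob:
            hits.append(ev.find("e:System/e:TimeCreated", EVT_NS).get("SystemTime"))
    return hits


if __name__ == "__main__":
    hits = failed_module_loads(SAMPLE_EVENTS_XML)
    print(f"{len(hits)} failed load(s) of spooler.dll due to network path not found:")
    for ts in hits:
        print("  ", ts)
```

On a real case, feed the function the XML produced by your evtx exporter for the PrintService/Admin log; the returned timestamps also give you the dates to line up against the Run key creation and the winPEAS drop in the timeline.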

Privilege Escalation

Q13

A few days later, the attacker dropped and executed an executable to enumerate possible privilege escalation paths on the machine. What is the filename of this executable?

In the SYSTEM hive:

SYSTEM\ControlSet001\Control\Session Manager\AppCompatCache

Answer:

winPEASx64.exe

Q14

The attacker executed a privilege escalation technique by leveraging a Windows Installer file. What is the full path of this installer file?

In the PECmd loaded-files output, you can see msiexec.exe, which downloads and installs the MSI package:

Answer:

C:\Users\yanis\AppData\Local\Temp\ekYyxTyqUJQj.msi

Q15

The attacker successfully gained higher privileges by installing software as SYSTEM. Which registry key needed to be enabled for both the user and the software?

In the same place.

Answer:

AlwaysInstallElevated
