Nitrogen
Scenario
Lab Link: Nitrogen
On September 10, 2025, trustwave.lab's SOC team identified suspicious activity originating from a user workstation. The investigation revealed that the compromise began when the user searched online for legitimate software and clicked on an advertised website appearing in the first search results. Unbeknownst to the user, this site hosted a malicious download, which they executed with a single click, initiating a chain of malicious activity across the environment.
Subsequent events included staged payloads, beaconing to command-and-control (C2) infrastructure, lateral movement to the file server and domain controller, credential dumping, and attempts at data exfiltration.
Your task is to perform a full incident investigation using Splunk telemetry, process creation logs, registry artifacts, scheduled task information, network connections, and forensic disk images to reconstruct the attacker's actions, identify persistence mechanisms, and determine the impact on trustwave.lab's network.
Initial Access
Q1
Before the compromise, the victim performed a web search that led them to the malicious download. What exact search query did the victim enter into the browser?
The search terms are in the Edge History SQLite database (keyword_search_terms joined to urls) under:
C:\Users\Administrator\Desktop\Start Here\Artifacts\PC01\uploads\auto\C%3A\Users\james\AppData\Local\Microsoft\Edge\User Data\Default
Answer:
advanced ip scanner download
Q2
After conducting a search, the victim accessed a malicious site. What was the name of the rogue website they visited prior to the compromise?
Answer:
pcrendal.com
Q3
After the victim visited the rogue site, a file was downloaded. What is the full path to the file that was downloaded on the victim machine?
Check the downloads table in the same History database.
Answer:
C:\Users\james\Downloads\Version.zip
The exact download completion time was 2025-09-10 09:54:24, from this query against the History database (Chromium stores times as microseconds since 1601-01-01 UTC; dividing by 1,000,000 and subtracting 11644473600 converts them to Unix epoch seconds):
SELECT
  *,
  datetime((end_time / 1000000) - 11644473600, 'unixepoch') AS end_time_readable
FROM downloads
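As an added example (not part of the original walkthrough), the same History triage in Python: it converts WebKit timestamps exactly as the SQL above does, pulls the typed search terms from keyword_search_terms and the completed downloads with their source URL from downloads_url_chains. The in-memory database is constructed here to mirror the Q1 to Q3 findings; the Bing search URL, the exact download URL on pcrendal.com and the byte counts are assumptions, and the schema is a trimmed copy of the real one.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chromium/Edge store times as microseconds since 1601-01-01 UTC ("WebKit time").
# 11644473600 s separate that epoch from the Unix epoch, which is the constant the
# walkthrough's SQL subtracts after dividing by 1e6.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(webkit_us):
    """WebKit microseconds -> aware UTC datetime (None for Chromium's 0 = unset)."""
    if not webkit_us:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=int(webkit_us))

def utc_to_webkit(dt):
    """Inverse conversion; only used here to build the constructed sample.
    Integer division keeps the value exact (a float would lose microseconds)."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)

def fmt(webkit_us):
    t = webkit_to_utc(webkit_us)
    return t.strftime("%Y-%m-%d %H:%M:%S") if t else None

# Trimmed copy of the Chromium History schema: the table and column names are the real
# ones, but the real tables carry many more columns (assumption: only these are needed).
SCHEMA = """
CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, last_visit_time INTEGER);
CREATE TABLE keyword_search_terms (keyword_id INTEGER, url_id INTEGER, term TEXT, normalized_term TEXT);
CREATE TABLE downloads (id INTEGER PRIMARY KEY, current_path TEXT, target_path TEXT,
  start_time INTEGER, end_time INTEGER, received_bytes INTEGER, total_bytes INTEGER,
  state INTEGER, tab_url TEXT, referrer TEXT);
CREATE TABLE downloads_url_chains (id INTEGER, chain_index INTEGER, url TEXT);
"""

def build_sample_db():
    """Constructed in-memory History DB mirroring the PC01 findings (Q1-Q3).
    The search engine URL, the download URL on pcrendal.com and the sizes are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    t_search = utc_to_webkit(datetime(2025, 9, 10, 9, 53, 10, tzinfo=timezone.utc))
    t_done = utc_to_webkit(datetime(2025, 9, 10, 9, 54, 24, tzinfo=timezone.utc))
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?)", [
        (1, "https://www.bing.com/search?q=advanced+ip+scanner+download",
         "advanced ip scanner download - Search", t_search),
        (2, "https://pcrendal.com/", "Advanced IP Scanner", t_search + 20_000_000),
    ])
    conn.execute("INSERT INTO keyword_search_terms VALUES (?,?,?,?)",
                 (2, 1, "advanced ip scanner download", "advanced ip scanner download"))
    conn.execute("INSERT INTO downloads VALUES (?,?,?,?,?,?,?,?,?,?)",
                 (1, r"C:\Users\james\Downloads\Version.zip", r"C:\Users\james\Downloads\Version.zip",
                  t_done - 6_000_000, t_done, 1_234_567, 1_234_567, 1,   # state 1 = COMPLETE
                  "https://pcrendal.com/", "https://pcrendal.com/"))
    conn.execute("INSERT INTO downloads_url_chains VALUES (?,?,?)",
                 (1, 0, "https://pcrendal.com/Version.zip"))
    conn.commit()
    return conn

def triage(conn):
    """Typed search terms and downloads in time order, with readable UTC times."""
    searches = [
        {"term": term, "url": url, "time_utc": fmt(lvt)}
        for term, url, lvt in conn.execute(
            "SELECT k.term, u.url, u.last_visit_time FROM keyword_search_terms k "
            "JOIN urls u ON u.id = k.url_id ORDER BY u.last_visit_time")
    ]
    downloads = [
        {"target_path": path, "source_url": chain_url or tab_url,
         "complete": state == 1, "end_time_utc": fmt(end)}
        for path, end, state, tab_url, chain_url in conn.execute(
            # the last entry of the redirect chain is the URL the bytes actually came from
            "SELECT d.target_path, d.end_time, d.state, d.tab_url, c.url "
            "FROM downloads d LEFT JOIN downloads_url_chains c "
            "  ON c.id = d.id AND c.chain_index = "
            "     (SELECT MAX(chain_index) FROM downloads_url_chains WHERE id = d.id) "
            "ORDER BY d.end_time")
    ]
    return {"search_terms": searches, "downloads": downloads}

if __name__ == "__main__":
    # On a real case open a copy of ...\Edge\User Data\Default\History read-only:
    # sqlite3.connect("file:History?mode=ro&immutable=1", uri=True)
    result = triage(build_sample_db())
    for s in result["search_terms"]:
        print("search:  ", s["time_utc"], s["term"])
    for d in result["downloads"]:
        print("download:", d["end_time_utc"], d["target_path"], "<-", d["source_url"])
```

Work from a copy of the History file: the live one is locked by the browser, and `immutable=1` stops SQLite from touching the journal of an evidence copy.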
Execution
Q4
After the malicious archive was downloaded, the victim user extracted its contents and executed a program inside it. What was the name of the executable that was launched, and which DLL did it attempt to load?
index=* EventCode=1 User="*james*"
earliest="09/10/2025:09:54:24" latest="09/10/2025:10:30:00"
| table _time, Image, CommandLine, ParentImage, Hashes, CurrentDirectory
| sort _time
to find all processes that were executed in the minutes after the .zip was downloaded
index=* EventCode=7
earliest="09/10/2025:09:54:00" latest="09/10/2025:10:30:00"
User="*james*"
| table _time, Image, ImageLoaded, Signed, SignatureStatus
| sort _time
to find which DLLs were loaded
Answer:
install.exe,python311.dll
Q5
Immediately after the executable from Q4 ran, a second-stage component was launched. What is the full path to the script file that was executed as the next stage?
I noticed Python files were loaded first, so I assumed .py scripts were being executed.
index=* User="*james*"
earliest="09/10/2025:09:54:24" latest="09/10/2025:10:30:00" | search "*.py*"
| table _time, Image, CommandLine, ParentImage, Hashes, CurrentDirectory
| sort _time
Yep, I was right.
Answer:
C:\Users\james\AppData\Roaming\Notepad\slv.py
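To show how the Q4 and Q5 searches fit together, here is an added Python example (not from the walkthrough) over constructed Sysmon events: it applies the same user and time-window filter, joins Event 7 image loads to their process by ProcessGuid rather than by image path, flags DLLs loaded from user-writable directories, walks the parent/child chain from install.exe, and pulls every .py path out of the command lines. The extraction folder, the GUID values, the parent/child links and the process that launched slv.py are assumptions made for the sample; the page only gives the binary, the DLL and the script path.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

DOWNLOAD_DONE = ts("2025-09-10 09:54:24")   # Version.zip end_time from the History DB (Q3)

# Constructed Sysmon events using the field names the Splunk Sysmon add-on exposes.
# Assumptions: the extraction folder, the GUID values, the parent/child links and
# the process that launched slv.py are made up for this sample.
INSTALL = r"C:\Users\james\Downloads\Version\install.exe"
EVENTS = [
    {"EventCode": 1, "_time": "2025-09-10 09:55:02", "User": r"TRUSTWAVE\james",
     "Image": INSTALL, "CommandLine": f'"{INSTALL}"', "ParentImage": r"C:\Windows\explorer.exe",
     "ProcessGuid": "{G-1}", "ParentProcessGuid": "{G-0}"},
    {"EventCode": 7, "_time": "2025-09-10 09:55:03", "User": r"TRUSTWAVE\james",
     "Image": INSTALL, "ProcessGuid": "{G-1}", "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},
    {"EventCode": 7, "_time": "2025-09-10 09:55:03", "User": r"TRUSTWAVE\james",
     "Image": INSTALL, "ProcessGuid": "{G-1}",
     "ImageLoaded": r"C:\Users\james\Downloads\Version\python311.dll"},
    {"EventCode": 1, "_time": "2025-09-10 09:55:07", "User": r"TRUSTWAVE\james",
     "Image": INSTALL, "CommandLine": f'"{INSTALL}" C:\\Users\\james\\AppData\\Roaming\\Notepad\\slv.py',
     "ParentImage": INSTALL, "ProcessGuid": "{G-2}", "ParentProcessGuid": "{G-1}"},
    {"EventCode": 1, "_time": "2025-09-10 09:56:30", "User": r"NT AUTHORITY\SYSTEM",   # noise
     "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "ProcessGuid": "{G-9}", "ParentProcessGuid": "{G-8}"},
]

def in_window(events, start, minutes=36, user_substr="james"):
    """Same filter as the SPL: user match plus a time window opening at the download."""
    end = start + timedelta(minutes=minutes)
    return sorted((e for e in events
                   if start <= ts(e["_time"]) <= end
                   and user_substr.lower() in e["User"].lower()),
                  key=lambda e: e["_time"])

def process_tree(events, root_guid):
    """Follow ParentProcessGuid links from a root Event 1: [(depth, image, command line)]."""
    kids = defaultdict(list)
    for e in events:
        if e["EventCode"] == 1:
            kids[e["ParentProcessGuid"]].append(e)
    root = next(e for e in events if e["EventCode"] == 1 and e["ProcessGuid"] == root_guid)
    out = [(0, root["Image"], root["CommandLine"])]
    def walk(guid, depth):
        for c in sorted(kids[guid], key=lambda e: e["_time"]):
            out.append((depth, c["Image"], c["CommandLine"]))
            walk(c["ProcessGuid"], depth + 1)
    walk(root_guid, 1)
    return out

def dlls_loaded(events, guid, user_writable_only=False):
    """Event 7 joined to the loading process by ProcessGuid, not by image path (a path an
    attacker can reuse). Loads from under C:\\Users are the side-loading candidates."""
    return [e["ImageLoaded"] for e in events
            if e["EventCode"] == 7 and e["ProcessGuid"] == guid
            and (not user_writable_only or e["ImageLoaded"].lower().startswith("c:\\users\\"))]

SCRIPT_RE = re.compile(r'[A-Za-z]:\\[^\s"]+\.py\b')

def script_paths(events):
    """Every .py path referenced on a command line, in time order (the Q5 '*.py*' search)."""
    found = []
    for e in sorted(events, key=lambda e: e["_time"]):
        if e["EventCode"] == 1:
            found.extend(SCRIPT_RE.findall(e["CommandLine"]))
    return found

if __name__ == "__main__":
    window = in_window(EVENTS, DOWNLOAD_DONE)
    for depth, image, cmd in process_tree(window, "{G-1}"):
        print("  " * depth + image, "|", cmd)
    print("user-writable DLLs:", dlls_loaded(window, "{G-1}", user_writable_only=True))
    print("scripts:", script_paths(window))
```

Joining on ProcessGuid is the point: two processes with the same image path (the same install.exe run twice, or a renamed copy) are kept apart, which a join on Image would merge.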
Q6
After the second-stage script ran, it performed a decryption step to load attacker code into memory. Which Python library was used for the decryption, and what was the name of the encrypted file that was decrypted?
Load the MFT and look for the directory:
.\Users\james\AppData\Roaming\Notepad
Answer:
Cryptodome,data.aes
Q7
On the file server, a remote file was downloaded by the attacker. What is the full path to that downloaded file on the FILES host?
I noticed C:\Windows\System32\wbem\WmiPrvSE.exe. OK, after a lot of looking and searching:
index=* EventCode=11 (host="FILES" OR Computer="FILES")
earliest="09/10/2025:09:00:00" latest="09/10/2025:23:59:59"
TargetFilename="C:\\Windows\\ADFS\\py\\*"
| table _time, Image, TargetFilename
| sort _time
Answer:
C:\Windows\ADFS\py\python.zip
Q8
After the downloaded file was unpacked on the Files server, what three files were written into the staging directory?
index=* EventCode=11 (host="FILES" OR Computer="FILES")
TargetFilename="C:\\Windows\\ADFS\\py\\*"
earliest="09/10/2025:11:25:00" latest="09/10/2025:11:30:00"
| table _time, TargetFilename, Image
| sort _time
Answer:
wmisock.exe,wof15.exe,worksliv.exe
Command & Control
Q9
Shortly after the staged script ran, the host made an outbound connection to the attacker's C2. What is the destination IP address and port used for that first C2 communication?
index=* EventCode=3 host="PC01"
earliest="09/10/2025:09:54:00" latest="09/10/2025:09:59:59"
| table _time, Image, SourceIp, SourcePort, DestinationIp, DestinationPort, User
| sort _time
Answer:
10.10.5.219:1337
Q10
After the initial C2 connection, the attacker deployed additional beacons. Which ports did these newly executed files use to connect to the attacker's server?
index=* EventCode=3 host=*
earliest="09/10/2025:09:54:00" latest="09/10/2025:23:59:59" DestinationIp=10.10.5.219
| table _time, Image, SourceIp, SourcePort, DestinationIp, DestinationPort, User | dedup DestinationPort
| sort _time
Answer:
8844,8855
Q11
After deploying additional beacons on the files server, the attacker communicated with a secondary infrastructure. What is the domain name of the second C2 server used during the attack?
index=* host="FILES" EventCode=22 earliest="09/10/2025:09:54:00" latest="09/10/2025:23:59:59"
| table _time, QueryName, Image
| sort _time
| head 50
Answer:
docusong.com
Q12
The attacker moved a beacon from the Files server to the Domain Controller. What exact command did they use to copy the file across the network?
index=* (host="FILES" OR Computer="FILES") EventCode=1
CommandLine="xcopy*"
earliest="09/10/2025:09:00:00" latest="09/10/2025:23:59:59"
| table _time, CommandLine
| sort _time
Answer:
xcopy wmisock.exe \\DC01.trustwave.lab\c$\Windows\ADFS\py\ /E /H /D /Y /I
Q13
After executing the beacon on the Domain Controller in Q12, which IP address and port were used for C2 communication?
index=* EventCode=3 (host="DC01" OR Computer="DC01" OR SourceHostname="DC01")
earliest="09/10/2025:09:00:00" latest="09/10/2025:12:59:59"
| table _time, Image, SourceIp, DestinationIp, DestinationPort, User
| sort _time
Answer:
10.10.5.174:8080
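An added Python example (not part of the walkthrough) that does for Q9, Q10, Q11 and Q13 what the SPL searches above do by hand: find the first outbound connection from a host to a non-standard port, list the distinct ports each host used against each destination, and parse Sysmon Event 22 QueryResults so a C2 domain can be tied to the IP it resolved to. The events are constructed; the process behind PC01's first connection, which beacon used which port, the share traffic used as noise and the address docusong.com resolves to (203.0.113.7, an RFC 5737 test address) are assumptions, not lab data.

```python
from datetime import datetime

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed Sysmon Event 3 / Event 22 records (Splunk Sysmon add-on field names).
# Assumptions: the process behind PC01's first C2 hit, which FILES beacon used which
# port, the SMB noise and docusong.com's address are made up for this sample.
EVENTS = [
    {"EventCode": 3, "_time": "2025-09-10 09:54:40", "host": "PC01", "Initiated": "true",
     "Image": r"C:\Windows\explorer.exe", "DestinationIp": "10.10.5.10", "DestinationPort": "445"},
    {"EventCode": 3, "_time": "2025-09-10 09:55:09", "host": "PC01", "Initiated": "true",
     "Image": r"C:\Users\james\Downloads\Version\install.exe",
     "DestinationIp": "10.10.5.219", "DestinationPort": "1337"},
    {"EventCode": 3, "_time": "2025-09-10 11:31:02", "host": "FILES", "Initiated": "true",
     "Image": r"C:\Windows\ADFS\py\wof15.exe", "DestinationIp": "10.10.5.219", "DestinationPort": "8844"},
    {"EventCode": 3, "_time": "2025-09-10 11:31:40", "host": "FILES", "Initiated": "true",
     "Image": r"C:\Windows\ADFS\py\worksliv.exe", "DestinationIp": "10.10.5.219", "DestinationPort": "8855"},
    {"EventCode": 22, "_time": "2025-09-10 11:40:12", "host": "FILES",
     "Image": r"C:\Windows\ADFS\py\worksliv.exe",
     "QueryName": "docusong.com", "QueryResults": "::ffff:203.0.113.7;"},
    {"EventCode": 3, "_time": "2025-09-10 11:40:13", "host": "FILES", "Initiated": "true",
     "Image": r"C:\Windows\ADFS\py\worksliv.exe", "DestinationIp": "203.0.113.7", "DestinationPort": "443"},
    {"EventCode": 3, "_time": "2025-09-10 12:05:55", "host": "DC01", "Initiated": "true",
     "Image": r"C:\Windows\ADFS\py\wmisock.exe", "DestinationIp": "10.10.5.174", "DestinationPort": "8080"},
]

# Ports that are normal inside a Windows domain; everything else is worth a look first.
COMMON_PORTS = {53, 80, 88, 135, 139, 389, 443, 445, 636, 3268, 3389, 5985}

def outbound(events, host=None, after=None):
    """Initiated Event 3 records, optionally for one host and only after a timestamp."""
    return sorted((e for e in events
                   if e["EventCode"] == 3 and e["Initiated"] == "true"
                   and (host is None or e["host"] == host)
                   and (after is None or ts(e["_time"]) >= after)),
                  key=lambda e: e["_time"])

def first_unusual_connection(events, host, after=None):
    """First outbound connection from host to a non-standard port (Q9, Q13)."""
    for e in outbound(events, host, after):
        if int(e["DestinationPort"]) not in COMMON_PORTS:
            return (e["DestinationIp"], int(e["DestinationPort"]), e["_time"], e["Image"])
    return None

def beacon_summary(events):
    """(host, dst_ip) -> first seen, sorted distinct ports, process names (Q10 without dedup)."""
    out = {}
    for e in outbound(events):
        key = (e["host"], e["DestinationIp"])
        s = out.setdefault(key, {"first": e["_time"], "ports": set(), "images": set()})
        s["ports"].add(int(e["DestinationPort"]))
        s["images"].add(e["Image"].rsplit("\\", 1)[-1])
    return {k: {"first": v["first"], "ports": sorted(v["ports"]), "images": sorted(v["images"])}
            for k, v in out.items()}

def dns_map(events):
    """Event 22 QueryResults -> {name: [ips]}. Sysmon prefixes IPv4 answers with '::ffff:'
    and writes non-address records as 'type: <n> <name>', separated by ';'."""
    out = {}
    for e in events:
        if e["EventCode"] != 22:
            continue
        ips = []
        for part in e["QueryResults"].split(";"):
            part = part.strip()
            if not part or part.startswith("type:"):
                continue
            ips.append(part[7:] if part.startswith("::ffff:") else part)
        out.setdefault(e["QueryName"], []).extend(ips)
    return out

def domains_for_ip(events, ip):
    """Which queried names resolved to ip: ties a C2 IP (Event 3) back to its domain (Q11)."""
    return sorted(name for name, ips in dns_map(events).items() if ip in ips)

if __name__ == "__main__":
    for host in ("PC01", "FILES", "DC01"):
        print(host, "first unusual:", first_unusual_connection(EVENTS, host))
    for (host, ip), s in beacon_summary(EVENTS).items():
        print(host, "->", ip, s["ports"], s["images"], "since", s["first"],
              domains_for_ip(EVENTS, ip))
```

The port allowlist is a triage aid, not a verdict: a beacon on 443 to an unknown address (the FILES entry here) is only surfaced by the summary and the DNS join, which is why both views are kept.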
Persistence
Q14
The attacker created scheduled tasks for persistence. What was the name of the first scheduled task created on the first compromised host?
go to:
C:\Users\Administrator\Desktop\Start Here\Artifacts\PC01\uploads\auto\C%3A\Windows\System32\Tasks
also:
index=* EventCode=1 (host="PC01" OR Computer="PC01")
(Image="*schtasks.exe" OR CommandLine="*schtasks*")
earliest="09/10/2025:09:00:00" latest="09/10/2025:23:59:59"
| table _time, CommandLine, ParentImage, User
| sort _time
Answer:
OneDrive Security Task-S-1-5-20-Main
Q15
On the file server, the attacker also used scheduled tasks for persistence. How many times per day will the attacker's final scheduled task be executed?
index=* EventCode=4698 (host="FILES" OR Computer="FILES")
earliest="09/10/2025:09:00:00" latest="09/10/2025:23:59:59"
| table _time, TaskName, TaskContent, User
| sort _time
Look at the details (the trigger section of the TaskContent XML).
Answer:
2
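The Q15 answer comes from the trigger definition in the task XML, which is the same XML the TaskContent field of event 4698 carries and that sits as a file under System32\Tasks (the Q14 artifact). Here is an added Python example (not from the walkthrough) that parses that XML, reports who the task runs as and what it executes, and computes scheduled runs per day from ScheduleByDay plus the Repetition interval and duration. The sample tasks are constructed: the task name is the PC01 one from Q14, but the command path, the 12-hour interval and the principal are placeholders, not values from the lab.

```python
import re
from datetime import timedelta
from xml.etree import ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
DUR_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
DAY = timedelta(days=1)

def iso_duration(text):
    """Parse the ISO 8601 durations Task Scheduler uses (PT12H, P1D, PT30M, ...)."""
    m = DUR_RE.match(text or "")
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s)

def runs_per_day(trigger):
    """Scheduled runs per 24 h for one trigger element. Event-driven triggers (logon,
    boot, event log) return 0: they fire per event, not per day."""
    tag = trigger.tag.split("}")[-1]
    if tag not in ("CalendarTrigger", "TimeTrigger"):
        return 0.0
    base = 0.0 if tag == "TimeTrigger" else 1.0        # TimeTrigger is one-shot unless it repeats
    days = trigger.findtext("t:ScheduleByDay/t:DaysInterval", namespaces=NS)
    if days:
        base = 1.0 / int(days)
    rep = trigger.find("t:Repetition", NS)
    if rep is None:
        return base
    interval = iso_duration(rep.findtext("t:Interval", namespaces=NS))
    duration = rep.findtext("t:Duration", namespaces=NS)
    if duration is None or iso_duration(duration) >= DAY:
        return DAY / interval                             # repeats around the clock
    return base * (iso_duration(duration) // interval + 1)   # repeats only inside the window

def summarize(task_xml):
    """The fields an analyst wants from a task file or from the TaskContent of event 4698."""
    root = ET.fromstring(task_xml)
    triggers = root.find("t:Triggers", NS)
    triggers = list(triggers) if triggers is not None else []
    return {
        "uri": root.findtext("t:RegistrationInfo/t:URI", namespaces=NS),
        "author": root.findtext("t:RegistrationInfo/t:Author", namespaces=NS),
        "run_as": root.findtext("t:Principals/t:Principal/t:UserId", namespaces=NS),
        "run_level": root.findtext("t:Principals/t:Principal/t:RunLevel", namespaces=NS),
        "command": root.findtext("t:Actions/t:Exec/t:Command", namespaces=NS),
        "arguments": root.findtext("t:Actions/t:Exec/t:Arguments", namespaces=NS),
        "triggers": [t.tag.split("}")[-1] for t in triggers],
        "runs_per_day": sum(runs_per_day(t) for t in triggers),
    }

def task_file(body):
    """Task files under System32\\Tasks are UTF-16 with a BOM; the samples are built the same way."""
    return ('<?xml version="1.0" encoding="UTF-16"?>\n'
            '<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            + body + "</Task>").encode("utf-16")

# Constructed samples. The task name is the PC01 one from Q14; the command path,
# the 12 h interval and the principal are placeholders, not values from the lab.
SAMPLE_TASK = task_file("""
  <RegistrationInfo><URI>\\OneDrive Security Task-S-1-5-20-Main</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT12H</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2025-09-10T12:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\ProgramData\\example\\payload.exe</Command></Exec></Actions>
""")
SAMPLE_BOUNDED = task_file("""
  <RegistrationInfo><URI>\\Example Bounded</URI></RegistrationInfo>
  <Triggers><CalendarTrigger>
    <Repetition><Interval>PT30M</Interval><Duration>PT2H</Duration></Repetition>
    <StartBoundary>2025-09-10T08:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Actions><Exec><Command>cmd.exe</Command></Exec></Actions>
""")
SAMPLE_LOGON = task_file("""
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions><Exec><Command>cmd.exe</Command></Exec></Actions>
""")

if __name__ == "__main__":
    # On a real image: summarize(open(r"...\Windows\System32\Tasks\<name>", "rb").read())
    for sample in (SAMPLE_TASK, SAMPLE_BOUNDED, SAMPLE_LOGON):
        print(summarize(sample))
```

A task that runs as S-1-5-18 (SYSTEM) with RunLevel HighestAvailable and a command outside Program Files or System32 is the combination to look for; the per-day count then tells you how much beaconing to expect in the network logs.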
Q16
The attacker modified the Windows registry to achieve persistence. Which registry value name did they change?
index=* host="PC01" EventCode=13
earliest="09/10/2025:09:00:00" latest="09/10/2025:23:59:59"
(
TargetObject="*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*" OR
TargetObject="*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*" OR
TargetObject="*\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit*" OR
TargetObject="*\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell*" OR
TargetObject="*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\*"
)
| table _time, host, Computer, Image, TargetObject, Details, EventType
| sort _time
Answer:
UserInit
Reconnaissance
Q17
During the reconnaissance phase the attacker enumerated domain trust relationships. Which command did they run to collect that information?
index=* EventCode=1 host="*"
earliest="09/10/2025:09:00:00" latest="09/10/2025:23:59:59" | search "*nltest*"
| table _time, host, Image, CommandLine, ParentImage
| sort _time
Answer:
nltest /domain_trusts /all_trusts
Q18
The attacker leveraged an automated script to gather system details. What was the complete URL of the remote script that was downloaded and executed?
index=* (EventCode=3 OR EventCode=1 OR EventCode=11) host="*"
earliest="09/10/2025:09:54:00" latest="09/10/2025:23:59:59" | search "*http://10*"
| table _time, host, Image, CommandLine, ParentImage
| sort _time
Answer:
http://10.10.5.218:54350/PowerView.ps1
Credential Access
Q19
The attacker managed to dump hashes on the PC01 host. When did this dump occur?
index=* host=PC01 EventCode=10 TargetImage="*lsass.exe"
| table _time, Image, TargetImage, GrantedAccess
Answer:
2025-09-10 10:47
Q20
The attacker attempted to dump credentials from LSASS on the Files server. What GrantedAccess code was observed when the attacker accessed lsass.exe?
index=* host=FILES EventCode=10 TargetImage="*lsass.exe"
| table _time, Image, TargetImage, GrantedAccess
Answer:
0x1fffff
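Q19 and Q20 both hinge on Sysmon Event 10 against lsass.exe. The added Python example below (not part of the walkthrough) decodes a GrantedAccess mask into the Win32 process rights it is built from, separates masks that can read process memory (dump-capable) from query-only ones, and returns the first dump-capable access per host after dropping an allowlist of known sources. The events, the source image paths and the allowlist entries are constructed assumptions; 0x1fffff is PROCESS_ALL_ACCESS.

```python
# Win32 process access rights as they appear in Sysmon Event 10 GrantedAccess.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
KNOWN_BITS = sum(PROCESS_RIGHTS)     # distinct single bits, so the sum equals the OR
PROCESS_ALL_ACCESS = 0x1FFFFF         # STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF

def decode(mask):
    """Named rights in a GrantedAccess mask, lowest bit first; leftover bits are reported."""
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    rest = mask & ~KNOWN_BITS
    if rest:
        names.append(f"UNNAMED(0x{rest:x})")
    return names

def can_read_memory(mask):
    """Dumping LSASS needs PROCESS_VM_READ plus a query right: 0x1010 and 0x1038 (mimikatz
    style) and 0x1fffff (full access, procdump/Task Manager style) qualify; a query-only
    mask such as 0x1000 or 0x1400 cannot read credentials."""
    return bool(mask & 0x0010) and bool(mask & (0x0400 | 0x1000))

# Constructed Sysmon Event 10 records (Splunk Sysmon add-on field names). The source image
# paths and the Defender version folder are placeholders; the page names neither the dump
# tool nor where it ran from.
EVENTS = [
    {"EventCode": 10, "_time": "2025-09-10 10:30:05", "host": "PC01", "GrantedAccess": "0x1fffff",
     "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.25070.5-0\MsMpEng.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe"},
    {"EventCode": 10, "_time": "2025-09-10 10:40:11", "host": "PC01", "GrantedAccess": "0x1000",
     "SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": r"C:\Windows\system32\lsass.exe"},
    {"EventCode": 10, "_time": "2025-09-10 10:47:13", "host": "PC01", "GrantedAccess": "0x1010",
     "SourceImage": r"C:\Users\james\AppData\Roaming\Notepad\example_dumper.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe"},
    {"EventCode": 10, "_time": "2025-09-10 12:20:44", "host": "FILES", "GrantedAccess": "0x1fffff",
     "SourceImage": r"C:\Windows\Temp\example_dumper.exe", "TargetImage": r"C:\Windows\system32\lsass.exe"},
    {"EventCode": 10, "_time": "2025-09-10 12:21:00", "host": "FILES", "GrantedAccess": "0x1400",
     "SourceImage": r"C:\Windows\System32\taskhostw.exe", "TargetImage": r"C:\Windows\system32\lsass.exe"},
]

# Allowlist by full path so a renamed binary in another folder is not excused.
# Assumption: tune this to the AV/EDR paths of your own environment.
BENIGN_SOURCES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\programdata\microsoft\windows defender\platform\4.18.25070.5-0\msmpeng.exe",
}

def lsass_access(events, host):
    """Dump-capable accesses to lsass.exe on one host, oldest first, allowlisted sources removed."""
    hits = []
    for e in sorted(events, key=lambda e: e["_time"]):
        if e["EventCode"] != 10 or e["host"] != host:
            continue
        if not e["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        mask = int(e["GrantedAccess"], 16)
        if e["SourceImage"].lower() in BENIGN_SOURCES or not can_read_memory(mask):
            continue
        hits.append({"_time": e["_time"], "source": e["SourceImage"],
                     "granted": f"0x{mask:x}", "rights": decode(mask)})
    return hits

def first_dump(events, host):
    """Answers 'when did the dump occur' for a host, or None if nothing qualified."""
    hits = lsass_access(events, host)
    return hits[0] if hits else None

if __name__ == "__main__":
    for host in ("PC01", "FILES", "DC01"):
        print(host, first_dump(EVENTS, host))
    print(hex(PROCESS_ALL_ACCESS), decode(PROCESS_ALL_ACCESS))
```

The bit test matters more than matching exact values: 0x1010, 0x1038, 0x1418 and 0x1fffff all read memory, while the 0x1000 and 0x1400 handles that svchost and taskhostw open constantly do not, so filtering on the two bits keeps the allowlist short.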
Lateral Movement
Q21
The attacker laterally moved to the Files server. What was the username they used to log in during this movement?
index=* host=*files* EventCode=4624
(LogonType=3 OR LogonType=10)
| table _time, TargetUserName, TargetDomainName, WorkstationName, IpAddress, LogonType
| sort _time
Answer:
liam
Q22
The attacker logged into the Domain Controller using RDP. What was the source IP address they connected from?
index=* host=DC* EventCode=4624 LogonType=10
| table _time, TargetUserName, WorkstationName, IpAddress, LogonType
| sort _time
Answer:
10.10.5.96
Exfiltration
Q23
The attacker used a command-line utility to push collected files off-network. What was the name of the tool they used to perform the exfiltration?
Answer Format: ******.***
Answer:
restic.exe
Impact
Q24
The attacker modified Safe Mode settings so a service would be allowed to start when the system boots into Safe Mode with Networking. What is the exact registry subkey name that the attacker created?
Look for SafeBoot settings that were modified (the doubled backslashes in the command below are Splunk search escaping; the command as executed uses single ones):
reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\FAKE123456789 /d Service /f
Answer:
FAKE123456789
Q25
The attacker attempted to push a ransomware binary to every machine in the environment. What is the name of the executable the attacker distributed?
index=* (EventCode=11) earliest="09/10/2025:09:54:00"
| search TargetFilename="*.exe"
| sort - _time
| table _time Computer TargetFilename Image CommandLine
Answer:
wavcomp.exe
Q26
The attacker executed a single command to run a script remotely on every host listed in their target file. What was the full command they used to launch the remote execution?
index=* (EventCode=1 OR EventCode=4688)
(CommandLine="*for /f*" OR CommandLine="*psexec*" OR CommandLine="*wmic*" OR CommandLine="*invoke-command*" OR CommandLine="*winrs*" OR CommandLine="*script*")
| table _time, Computer, User, CommandLine
| sort _time
Answer:
PsExec64.exe -accepteula @pc.txt -c -f -d -h c:\Users\Administrator\AppData\5.bat
Q27
The attacker dropped a ransom note on the Domain Controller. What exact URL did the note instruct the victim to visit?
Navigate to
C:\Users\Administrator\Desktop\Start Here\Artifacts\DC01\uploads\auto\C%3A\Users\Administrator\Desktop
you will find note there
Answer:
https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion//?access-key=!15982tge32