RansomHub

Scenario

Lab Link: RansomHub

On October 19, 2025, the SOC team detected anomalous RDP authentication patterns on a public-facing workstation, including hundreds of failed login attempts followed by successful authentications from an unknown external IP address. The IT team reported that several critical systems became unavailable approximately two days after the initial alerts, with files appearing encrypted and ransom notes discovered on affected machines.

Initial triage reveals suspicious tool executions, unauthorized service installations, and unusual network connections to external IP addresses. The timeline suggests a multi-stage incident with escalating impact over a 48-hour period.

You have been provided with disk forensic artifacts and Splunk logs from the affected systems. Your mission is to reconstruct the complete attack chain, identify compromised accounts, and determine the full scope of the incident including any data exfiltration that occurred before the ransomware execution.

Initial Access

Q1

During the initial reconnaissance phase, the threat actor conducted a password spray attack against a publicly exposed RDP host, attempting numerous authentication combinations before successfully breaching the perimeter. What is the IP address of the external threat actor that orchestrated this initial RDP password spray campaign?

index=* sourcetype="XmlWinEventLog" (EventCode=4625 OR EventCode=4624) earliest="10/19/2025:00:00:00"
| bin _time span=1h
| stats count by EventCode, src_ip, user, _time
| where count > 5
| sort - count

Answer:

18.195.184.4

Q2

The password spray attack successfully compromised multiple accounts without triggering lockout policies. How many user accounts were compromised during this attack?

index=* sourcetype="XmlWinEventLog" EventCode=4624 earliest="10/19/2025:00:00:00" src_ip=18.195.184.4
| stats dc(user) as compromised_accounts values(user) as accounts by src_ip

Answer:

6
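For analysts who have the 4624/4625 events exported from the SIEM rather than live in Splunk, the following Python reproduces the logic behind Q1 and Q2: group logon events by source address, flag a source that fails against many distinct accounts while staying under the per-account lockout threshold, and list the accounts that later authenticated from that same source. This is an added example, not part of the original writeup or the lab's material; every IP address, user name and timestamp in it is constructed sample data (TEST-NET ranges), not the lab's values.

```python
"""Password-spray triage over Windows logon events (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timedelta

SPRAY_IP = "203.0.113.7"      # constructed: the external sprayer
OFFICE_IP = "198.51.100.20"   # constructed: a legitimate user's address
USERS = ["alice", "bob", "carol", "dave", "erin", "frank",
         "grace", "heidi", "ivan", "judy", "ken", "lena"]


def build_sample_events():
    """Constructed (time, EventCode, src_ip, user) tuples standing in for 4624/4625."""
    events, t = [], datetime(2025, 10, 19, 9, 0, 0)
    # Spray: three guesses against each of twelve accounts, two seconds apart,
    # which stays under a typical lockout threshold of five failures per account.
    for _ in range(3):
        for user in USERS:
            events.append((t, 4625, SPRAY_IP, user))
            t += timedelta(seconds=2)
    # Six of the guessed accounts then authenticate from the same source.
    for user in USERS[:6]:
        events.append((t, 4624, SPRAY_IP, user))
        t += timedelta(seconds=5)
    # Benign noise: one user mistypes twice from the office, then logs in.
    for code in (4625, 4625, 4624):
        events.append((t, code, OFFICE_IP, "grace"))
        t += timedelta(seconds=30)
    return events


def summarize_by_source(events):
    """Per source IP: failure count, distinct failed users, and users that
    succeeded only after that source had already been failing."""
    summary = defaultdict(lambda: {"failures": 0, "failed_users": set(), "successes": set()})
    for _t, code, ip, user in sorted(events, key=lambda e: e[0]):
        s = summary[ip]
        if code == 4625:
            s["failures"] += 1
            s["failed_users"].add(user)
        elif code == 4624 and s["failures"]:
            # Failures first, then a success from the same source: the ordering
            # that separates a spray from ordinary interactive logons.
            s["successes"].add(user)
    return summary


def find_spray_sources(events, min_users=5, min_failures=10):
    """Sources that failed against >= min_users accounts and >= min_failures times."""
    return sorted(ip for ip, s in summarize_by_source(events).items()
                  if len(s["failed_users"]) >= min_users and s["failures"] >= min_failures)


def compromised_accounts(events, src_ip):
    """Accounts that logged on successfully from src_ip after it had been failing."""
    return sorted(summarize_by_source(events)[src_ip]["successes"])


if __name__ == "__main__":
    evts = build_sample_events()
    for ip in find_spray_sources(evts):
        print(ip, "->", compromised_accounts(evts, ip))
```

The thresholds are deliberately low for the sample; against a real export, tune `min_users` and `min_failures` to the environment's lockout policy, and note that the office address is not flagged even though it shows a failure-then-success sequence, because it touched only one account.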

Q3

After compromising multiple accounts, the attacker selected one for post-exploitation activities. Which account was primarily used for lateral movement?

Answer:

tfox

Q4

The threat actor later connected to the compromised host from a different IP address to maintain access. What IP address was used to access the compromised account via RDP?

index=* sourcetype="XmlWinEventLog" EventCode=4624 earliest="10/19/2025:00:00:00" user="tfox"
| stats count earliest(_time) as first_seen by src_ip
| convert ctime(first_seen)

Answer:

54.93.231.126

Discovery

Q5

The threat actor downloaded a third-party network scanning utility to map the internal network infrastructure and identify potential targets. What is the filename of this initial network scanning tool?

From

C:\Users\Administrator\Desktop\Start Here\Artifacts\PC01\Users\tfox\AppData\Local\Microsoft\Edge\User Data\Default

Answer:

advanced_ip_scanner.exe

Q6

A second network scanning utility was deployed for detailed service discovery. What is the name of this second tool?

index=* sourcetype="XmlWinEventLog" EventCode=3 earliest="10/19/2025:00:00:00" user="tfox"
| table _time, Image, SourceIp, SourcePort, DestinationIp, DestinationPort, User
| dedup DestinationPort
| sort _time

Answer:

Netscan

Q7

The threat actor utilized the secondary scanning tool to perform targeted port enumeration on critical systems. How many ports were scanned on the PC01 workstation during this reconnaissance phase?

index=* sourcetype="XmlWinEventLog" EventCode=3 earliest="10/19/2025:00:00:00" user="tfox"
| stats dc(DestinationPort) as ports_scanned values(DestinationPort) as ports by Image, DestinationIp
| sort - ports_scanned

Answer:

7
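The signal behind Q6 and Q7 is one source touching many distinct ports on one destination in a short time. The Python below, an added example rather than the writeup's own query, applies that test to exported Sysmon EventCode 3 records with a sliding time window, so a fast sweep is flagged while a browser reconnecting to the same port is not. The process paths, hosts and IP addresses are constructed sample data, not the lab's values.

```python
"""Port-scan detection over Sysmon network-connection events (EventCode 3)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SCANNER = r"C:\Users\jdoe\Downloads\netscanner.exe"   # constructed path
BROWSER = r"C:\Program Files\Browser\browser.exe"     # constructed path


def build_sample_connections():
    """Constructed (time, Image, SourceIp, DestinationIp, DestinationPort) tuples."""
    events, t = [], datetime(2025, 10, 19, 10, 0, 0)
    # The scanner sweeps nine ports on one host within two seconds ...
    for port in (21, 22, 80, 135, 139, 443, 445, 3389, 5985):
        events.append((t, SCANNER, "10.10.0.5", "10.10.0.20", port))
        t += timedelta(milliseconds=200)
    # ... and only the SMB-related ports on a second host.
    for port in (135, 139, 445):
        events.append((t, SCANNER, "10.10.0.5", "10.10.0.21", port))
        t += timedelta(milliseconds=200)
    # Benign: a browser reconnecting to the same site on 443 once a minute.
    for i in range(6):
        events.append((t + timedelta(minutes=i), BROWSER, "10.10.0.5", "198.51.100.50", 443))
    return events


def scan_candidates(events, min_ports=5, window=timedelta(seconds=60)):
    """(src, dst) pairs where one source hit >= min_ports distinct ports inside `window`.

    Returns {pair: {"distinct_ports", "ports", "images"}}. The count is the maximum
    seen in any window, so a slow scan spread over hours stays below threshold
    unless `window` is widened.
    """
    per_pair = defaultdict(list)
    for t, image, src, dst, port in sorted(events, key=lambda e: e[0]):
        per_pair[(src, dst)].append((t, port, image))
    found = {}
    for pair, records in per_pair.items():
        recent, best, best_ports, images = deque(), 0, set(), set()
        for t, port, image in records:
            recent.append((t, port))
            images.add(image)
            while t - recent[0][0] > window:      # drop events older than the window
                recent.popleft()
            ports = {p for _, p in recent}
            if len(ports) > best:
                best, best_ports = len(ports), ports
        if best >= min_ports:
            found[pair] = {"distinct_ports": best, "ports": sorted(best_ports),
                           "images": sorted(images)}
    return found


def ports_scanned_on(events, dst_ip, **kwargs):
    """Distinct-port count against one host, the figure Q7 asks for."""
    return sum(v["distinct_ports"] for pair, v in scan_candidates(events, **kwargs).items()
               if pair[1] == dst_ip)


if __name__ == "__main__":
    for pair, info in scan_candidates(build_sample_connections()).items():
        print(pair, info)
```

Grouping on the (source, destination) pair rather than on destination port alone is what keeps the per-host count accurate when the same tool sweeps several hosts, which is where a plain `dedup DestinationPort` over the whole search would undercount.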

Q8

During network share enumeration, the scanning tool created a specific file to validate write permissions on discovered SMB shares. What is the name of this file that confirmed write access to network shares?

index=* EventCode=5145 
| search RelativeTargetName="*.*" 
| search AccessMask="*0x2*" OR AccessMask="*0x100080*"
| table _time, RelativeTargetName, ShareName, IpAddress, SubjectUserName
| sort _time

Answer:

delete.me
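Event ID 5145 records which object on a share was requested and with which AccessMask, and the Q8 search keys on the write bits of that mask. The Python below, added here and not part of the original writeup, decodes the mask and reports a source that requests write or delete access to the same small file on several shares in quick succession, which is the trace a scanner leaves when it checks whether shares are writable. Hosts, IP addresses, user names, share names and the probe file name are all constructed sample data, not the lab's values.

```python
"""Spotting a share write-probe in Windows Event ID 5145 records (constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Access-right bits from the Windows file access mask.
FILE_WRITE_DATA = 0x2
DELETE = 0x10000


def is_write_request(access_mask):
    """access_mask is the hex string carried in the event, e.g. '0x100080'."""
    mask = int(access_mask, 16)
    return bool(mask & (FILE_WRITE_DATA | DELETE))


def build_sample_events():
    """Constructed (time, IpAddress, SubjectUserName, ShareName, RelativeTargetName, AccessMask)."""
    events, t = [], datetime(2025, 10, 19, 11, 0, 0)
    scanner, probe = "10.10.0.5", "writetest.tmp"   # constructed probe file name
    for share in (r"\\*\IT", r"\\*\Finance", r"\\*\HR", r"\\*\Public"):
        events.append((t, scanner, "jdoe", share, probe, "0x2"))       # write the probe
        t += timedelta(milliseconds=300)
        events.append((t, scanner, "jdoe", share, probe, "0x10080"))   # then delete it
        t += timedelta(milliseconds=300)
    # Normal activity: a user opens one document on one share, then saves it.
    events.append((t, "10.10.0.30", "asmith", r"\\*\Finance", "Q3_report.xlsx", "0x100080"))
    events.append((t + timedelta(minutes=1), "10.10.0.30", "asmith",
                   r"\\*\Finance", "Q3_report.xlsx", "0x2"))
    return events


def write_probe_candidates(events, min_shares=3, window=timedelta(seconds=30)):
    """{(ip, user, filename): shares} where the same file was written on >= min_shares
    distinct shares within `window` of the first write to it."""
    writes = defaultdict(list)
    for t, ip, user, share, target, mask in sorted(events, key=lambda e: e[0]):
        if is_write_request(mask):
            writes[(ip, user, target)].append((t, share))
    found = {}
    for key, records in writes.items():
        first = records[0][0]
        shares = {share for t, share in records if t - first <= window}
        if len(shares) >= min_shares:
            found[key] = sorted(shares)
    return found


if __name__ == "__main__":
    for key, shares in write_probe_candidates(build_sample_events()).items():
        print(key, shares)
```

The read-only open of the spreadsheet (mask 0x100080, SYNCHRONIZE plus ReadAttributes) is ignored, and the single later save is not enough shares to count as a probe, so only the scanner's same-file-on-every-share pattern is reported.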

Q9

After successfully mapping network shares, the threat actor began accessing sensitive documents on the file server. What is the filename of the first document that the threat actor accessed from the file server?

navigate to

C:\Users\Administrator\Desktop\Start Here\Artifacts\FileServer\share

Answer:

IT_Security_Policy.pdf

Credential Access

Q10

The threat actor deployed a specialized credential dumping utility designed to extract stored passwords from various Windows credential stores. What is the name of this credential harvesting tool?

Answer:

CredentialsFileView

Command and Control

Q11

The threat actor established a persistent command and control channel by installing legitimate RMM agents on one of the compromised hosts. What are the names of the executables for the two RMM tools installed as services?

index=* EventCode=7045
| table _time, ServiceName, ImagePath, ServiceType
| sort _time

Answer:

AteraAgent.exe,SRService.exe

Q12

During later stages of the attack, the threat actor utilized the RMM infrastructure to establish a connection to the organization's backup server. What display name did the threat actor configure for this RMM session?

Answer Format: *******

Answer:

infedef

Q13

What is the hostname of the device used to connect to the compromised host via the RMM tool?

Answer Format: *******-*******

Answer:

EC2AMAZ-B1MTP0B

Execution

Q14

To evade detection and silently execute data exfiltration commands, the threat actor created a VBScript file that would run processes without displaying a command prompt window. What is the name of this VBScript file?

index=* ParentCommandLine="*.vbs*"
| table _time, ParentCommandLine, CommandLine
| dedup ParentCommandLine

Answer:

nocmd.vbs

Q15

The VBS script served as a wrapper to execute a batch script containing the actual exfiltration tool configuration and command parameters. What is the filename of this batch script executed by the VBS script?

index=* "*nocmd.vbs*"
| table _time, Image, CommandLine, ParentCommandLine

Answer:

rcl.bat
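The Q14 and Q15 searches find the wrapper by matching `.vbs` in ParentCommandLine. The Python below, an added example that is not part of the original writeup, does the same over exported Sysmon EventCode 1 (process creation) records and follows ProcessGuid/ParentProcessGuid links so the whole chain (the script host, the batch file it launched, and what that batch file ran) comes out as one list. All GUIDs, paths and file names in it are constructed sample data, not the lab's.

```python
"""Reconstructing a script-host -> cmd -> tool chain from Sysmon process-creation events."""
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BATCH_RE = re.compile(r"\S+\.(?:bat|cmd)\b", re.IGNORECASE)
CMD = r"C:\Windows\System32\cmd.exe"


def build_sample_processes():
    """Constructed Sysmon EventCode 1 records (GUIDs and paths are made up)."""
    return [
        {"ProcessGuid": "{g-1}", "ParentProcessGuid": "{g-0}",
         "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
        {"ProcessGuid": "{g-2}", "ParentProcessGuid": "{g-1}",
         "Image": r"C:\Windows\System32\wscript.exe",
         "CommandLine": r"wscript.exe C:\temp\launcher.vbs"},
        {"ProcessGuid": "{g-3}", "ParentProcessGuid": "{g-2}",
         "Image": CMD, "CommandLine": r"cmd.exe /c C:\temp\run.bat"},
        {"ProcessGuid": "{g-4}", "ParentProcessGuid": "{g-3}",
         "Image": r"C:\temp\synctool.exe",
         "CommandLine": r"synctool.exe copy D:\share remote:bucket"},
        # Benign: a user opens a console from the desktop; no script host above it.
        {"ProcessGuid": "{g-5}", "ParentProcessGuid": "{g-1}",
         "Image": CMD, "CommandLine": "cmd.exe"},
    ]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def descendant_chain(guid, children, by_guid):
    """Depth-first list of command lines under guid (the process itself first)."""
    chain = [by_guid[guid]["CommandLine"]]
    for child in children.get(guid, []):
        chain.extend(descendant_chain(child, children, by_guid))
    return chain


def script_host_chains(records):
    """One command-line chain per wscript/cscript process, following ProcessGuid links."""
    by_guid = {r["ProcessGuid"]: r for r in records}
    children = defaultdict(list)
    for r in records:
        children[r["ParentProcessGuid"]].append(r["ProcessGuid"])
    return [descendant_chain(r["ProcessGuid"], children, by_guid)
            for r in records if basename(r["Image"]) in SCRIPT_HOSTS]


def batch_files_run_by_scripts(records):
    """Batch files named in any command line spawned beneath a script host (the Q15 question)."""
    found = []
    for chain in script_host_chains(records):
        for cmdline in chain[1:]:
            found.extend(m.group(0) for m in BATCH_RE.finditer(cmdline))
    return found


if __name__ == "__main__":
    for chain in script_host_chains(build_sample_processes()):
        print(" -> ".join(chain))
```

Walking the GUID links rather than matching on ParentCommandLine alone also surfaces the grandchild (the tool the batch file started), which a one-level parent match would miss.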

Exfiltration

Q16

For data exfiltration, the threat actor deployed a legitimate cloud synchronization tool commonly abused by ransomware operators to transfer stolen data. What is the name of this exfiltration utility?

index=* "*Rclone*"

Answer:

Rclone

Q17

The network traffic analysis revealed that data exfiltration occurred to a specific external IP address. What is the destination IP address used for data exfiltration?

index=* EventCode=3 Initiated="true"
|search Image="*rclone*"
| table _time, SourceIp, DestinationIp, DestinationPort, Image, User
| sort _time

Answer:

18.185.121.245

Q18

The exfiltration tool was configured to use a specific network protocol for secure file transfer. What protocol was utilized for the data exfiltration process?

Answer:

sftp
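Q16 through Q18 rest on the same reasoning: find connections a local process initiated to an external address, see which process made them, and read the transfer protocol off the destination port. The Python below, added here and not the writeup's own query, applies that to exported Sysmon EventCode 3 records. It classifies internal addresses with an explicit RFC 1918 list because Python's `ipaddress` treats the TEST-NET ranges used for this sample as private, which would otherwise hide the constructed external endpoints. Process paths and IP addresses are constructed sample data, not the lab's values.

```python
"""Outbound-connection triage for exfiltration (Sysmon EventCode 3, Initiated=true)."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
PORT_LABELS = {21: "ftp", 22: "ssh/sftp", 80: "http", 443: "https"}
SYNCTOOL = r"C:\temp\synctool.exe"                  # constructed path
BROWSER = r"C:\Program Files\Browser\browser.exe"   # constructed path


def is_internal(ip):
    """Explicit RFC 1918 / loopback check (is_private would also cover TEST-NET)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_sample_events():
    """Constructed (time, Image, Initiated, SourceIp, DestinationIp, DestinationPort)."""
    events, t = [], datetime(2025, 10, 20, 22, 0, 0)
    for i in range(5):   # repeated outbound SSH sessions from a sync tool
        events.append((t + timedelta(minutes=i), SYNCTOOL, True, "10.10.0.5", "198.51.100.77", 22))
    # The same tool reading an internal share is not exfiltration by itself.
    events.append((t, SYNCTOOL, True, "10.10.0.5", "10.10.0.20", 445))
    for i in range(3):   # ordinary browsing
        events.append((t + timedelta(minutes=i), BROWSER, True, "10.10.0.5", "198.51.100.80", 443))
    # An inbound RDP connection (Initiated=false) must not be counted as outbound.
    events.append((t, r"C:\Windows\System32\svchost.exe", False, "203.0.113.9", "10.10.0.5", 3389))
    return events


def outbound_summary(events):
    """{(Image, dst_ip, dst_port): count} for connections the host initiated to non-internal addresses."""
    counts = defaultdict(int)
    for _t, image, initiated, _src, dst, port in events:
        if initiated and not is_internal(dst):
            counts[(image, dst, port)] += 1
    return dict(counts)


def exfil_candidates(events, allowlist=("browser.exe",), min_connections=3):
    """Non-allowlisted processes with >= min_connections outbound connections to one
    external endpoint, with the transfer protocol inferred from the port."""
    found = {}
    for (image, dst, port), n in outbound_summary(events).items():
        if image.rsplit("\\", 1)[-1].lower() in allowlist or n < min_connections:
            continue
        found[(image, dst, port)] = {"connections": n,
                                     "protocol": PORT_LABELS.get(port, f"tcp/{port}")}
    return found


if __name__ == "__main__":
    for key, info in exfil_candidates(build_sample_events()).items():
        print(key, info)
```

Port-based labelling is a hint rather than proof; where the exported data includes the tool's configuration or command line, confirm the protocol there, as Q18 expects.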

Persistence

Q19

The threat actor changed multiple user account passwords to maintain persistence. What is the new password that was set for all compromised user accounts?

Answer:

asRanHub@#5862!#@

Impact

Q20

The threat actor deployed the ransomware payload through the established RMM channel, dropping an executable file that would initiate the encryption process across the domain infrastructure. What is the filename of this ransomware executable deployed via the RMM tool?

Answer Format: *****.***

Answer:

amd64.exe

Q21

Analysis of execution artifacts indicates the ransomware binary was executed multiple times. What is the timestamp of the first ransomware execution attempt?

Answer Format: yyyy-mm-dd hh:mm

Answer:

2025-10-21 02:08

Q22

The ransomware propagated via SMB with a unique filename on each host. What is the filename of the ransomware executable that was executed on the file server?

Answer Format: ******.***

Answer:

LQBEvT.exe
