Neres
Has successfully completed 🎉
CredSnare - Angry Likho APT Lab
On August 4, 2025, CORP.lab’s SOC team detected unusual activity from an engineering user’s workstation. Initial anomalies quickly escalated as security alerts revealed file executions in unusual locations and network connections on unexpected ports, with many events evading antivirus detection. Given the potential compromise of sensitive systems, including the domain controller, investigators suspected credential theft, data exfiltration, and persistent access. Your task is to investigate this incident using available logs, Splunk telemetry, and forensic artifacts from both the workstation and the domain controller.

Splunk Credentials:
User: student
Password: CyDefStudent