Welcome to the BumbleSting lab walkthrough, an intensive investigation into a sophisticated cyber attack against CompliantSecure Company. This incident response exercise will guide you through the methodical analysis of a security breach that began with a seemingly innocent phishing email and escalated into a full-scale network compromise. Throughout this walkthrough, we'll retrace the attacker's steps by analyzing various log sources collected from the company's ELK (Elasticsearch, Logstash, Kibana) stack. We'll examine evidence from multiple systems, including workstations, servers, and domain controllers, to piece together the attack timeline and understand the techniques used by the threat actor.
The investigation will cover the entire attack lifecycle, from initial access and execution to credential theft, lateral movement, persistence, command and control communications, and ultimately the deployment of ransomware. We'll be using a wide range of Windows event logs and Sysmon data to identify indicators of compromise and understand the attacker's tactics, techniques, and procedures (TTPs). This lab is designed to strengthen your threat hunting and incident response skills by working with real-world attack patterns. As we progress through the analysis, you'll learn to identify suspicious network connections, recognize malicious process creation patterns, trace lateral movement activities, and uncover the various persistence mechanisms implemented by attackers.
The complexity of this attack scenario reflects the challenges faced by security teams in today's threat landscape, where attackers employ multiple stages of evasion and persistence to achieve their objectives. By the en