On August 4, 2025, CORP.lab’s SOC team detected unusual activity from an engineering user’s workstation. Initial anomalies quickly escalated as security alerts revealed file executions in unusual locations and network connections on unexpected ports, with many events evading antivirus detection.
Given the potential compromise of sensitive systems, including the domain controller, investigators suspected credential theft, data exfiltration, and persistent access. Your task is to investigate this incident using available logs, Splunk telemetry, and forensic artifacts from both the workstation and the domain controller.
To begin our forensic investigation into the infection on PC01, our first objective is to identify the file that initiated the attack, since it marks the entry point of the compromise. In real-world scenarios, end-users often introduce malicious files through routine activities, such as clicking links in phishing emails, visiting compromised websites, or interacting with deceptive web elements like fake CAPTCHA prompts. In this case, the user william, a local administrator on