Walkthrough

Introduction

This lab simulates a real-world, multi-stage ransomware attack that unfolds across several critical systems within an enterprise environment. Through a series of forensic tasks and Splunk-based threat hunting, you are placed in the role of a cybersecurity analyst tasked with uncovering the full scope of the intrusion.

The attack begins with a phishing attempt targeting a specific user, which leads to initial access via malicious payloads and unauthorized command execution. From there, the threat actor demonstrates persistence and lateral movement techniques, leveraging system tools, scheduled tasks, and remote management utilities such as PsExec. Once a foothold is established, the adversary performs extensive reconnaissance to identify file servers and valuable data repositories.

The attacker compresses and exfiltrates sensitive data to publicly accessible cloud storage platforms and conceals this activity by using common applications and renaming techniques. The environment is then prepared for ransomware deployment: access control permissions are modified, network shares are created on the domain controller, and batch scripts are used to spread and execute the ransomware payload across domain-joined machines.

To ensure maximum disruption, the attacker executes commands to delete local backups, removing shadow copies and disabling recovery options. Every step is traceable thro
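The staging and recovery-inhibition steps described above (share creation and ACL changes on the domain controller, PsExec execution, shadow-copy and backup-catalog deletion, disabled boot recovery) leave distinctive process-creation events. The following script is an added example, not part of the lab or of BlueYard's own material: it runs the kind of matching you would otherwise express as a Splunk search over a handful of constructed, simplified Sysmon Event ID 1 style records. Host names, user names, paths and timestamps in the sample are hypothetical, and the category labels and the two-technique escalation threshold are this example's own choices.

```python
"""Hunt constructed Windows process-creation events for ransomware staging:
shadow-copy deletion, disabled recovery, share creation, ACL weakening, PsExec.
Added example; hosts, users, paths and timestamps are hypothetical."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events in a simplified Sysmon Event ID 1 layout:
# timestamp|host|user|parent_image|command_line. Not taken from the lab.
SAMPLE_EVENTS = """\
2024-03-11T01:58:30Z|DC01|CORP\\svc_backup|cmd.exe|net share deploy=C:\\deploy /grant:everyone,FULL
2024-03-11T01:59:02Z|DC01|CORP\\svc_backup|cmd.exe|icacls.exe C:\\deploy /grant Everyone:(OI)(CI)F /T
2024-03-11T02:05:44Z|WS07|CORP\\svc_backup|PSEXESVC.exe|cmd.exe /c \\\\DC01\\deploy\\run.bat
2024-03-11T02:14:05Z|FS01|CORP\\svc_backup|cmd.exe|vssadmin.exe delete shadows /all /quiet
2024-03-11T02:14:07Z|FS01|CORP\\svc_backup|cmd.exe|wmic.exe shadowcopy delete
2024-03-11T02:14:09Z|FS01|CORP\\svc_backup|cmd.exe|bcdedit.exe /set {default} recoveryenabled no
2024-03-11T02:14:10Z|FS01|CORP\\svc_backup|cmd.exe|wbadmin.exe delete catalog -quiet
2024-03-11T03:00:00Z|FS01|NT AUTHORITY\\SYSTEM|services.exe|vssadmin.exe list shadows
2024-03-11T09:12:00Z|WS03|CORP\\jdoe|explorer.exe|notepad.exe C:\\Users\\jdoe\\notes.txt
""".splitlines()

# Each rule: (category, regex over "parent_image command_line"). Categories are
# this example's own labels; the first group maps to ATT&CK T1490 Inhibit System Recovery.
RULES = [
    ("inhibit_recovery/shadow_copy_delete", r"vssadmin(\.exe)?\s+delete\s+shadows"),
    ("inhibit_recovery/shadow_copy_delete", r"wmic(\.exe)?\s+shadowcopy\s+delete"),
    ("inhibit_recovery/shadow_copy_delete", r"win32_shadowcopy.*\.delete\(\)"),
    ("inhibit_recovery/boot_recovery_disabled", r"bcdedit(\.exe)?.*recoveryenabled\s+no"),
    ("inhibit_recovery/boot_recovery_disabled", r"bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures"),
    ("inhibit_recovery/backup_catalog_delete", r"wbadmin(\.exe)?\s+delete\s+catalog"),
    # Staging on the domain controller: a new share, then an ACL opened to Everyone
    ("staging/share_created", r"\bnet1?(\.exe)?\s+share\s+\S+="),
    ("staging/acl_weakened", r"icacls(\.exe)?\s+.*/grant\s+everyone"),
    # Remote execution via PsExec; the service side runs as PSEXESVC on the target
    ("lateral/psexec", r"\bpsexe(c|svc)(\.exe)?\b"),
]
COMPILED = [(cat, re.compile(rx, re.IGNORECASE)) for cat, rx in RULES]


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    category: str
    command_line: str


def parse_event(line):
    """Split one pipe-delimited record into its five fields; command_line may contain '|'."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        raise ValueError(f"malformed event: {line!r}")
    return dict(zip(("timestamp", "host", "user", "parent_image", "command_line"), parts))


def hunt(lines):
    """Return one Finding per (event, category) whose parent+command line matches a rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        haystack = f"{ev['parent_image']} {ev['command_line']}"
        seen = set()  # several rules share a category; report it once per event
        for category, rx in COMPILED:
            if category in seen or not rx.search(haystack):
                continue
            seen.add(category)
            findings.append(Finding(ev["timestamp"], ev["host"], ev["user"], category, ev["command_line"]))
    return findings


def verdict_by_host(findings, min_recovery_techniques=2):
    """Escalate a host to 'ransomware_staging' once it shows at least
    min_recovery_techniques distinct recovery-inhibition categories; otherwise 'suspicious'."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f.host].add(f.category)
    verdicts = {}
    for host, cats in per_host.items():
        recovery = {c for c in cats if c.startswith("inhibit_recovery/")}
        verdicts[host] = "ransomware_staging" if len(recovery) >= min_recovery_techniques else "suspicious"
    return verdicts


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for f in sorted(found, key=lambda f: f.timestamp):  # timeline view, as an analyst would read it
        print(f"{f.timestamp} {f.host:<5} {f.user:<20} {f.category:<42} {f.command_line}")
    print(verdict_by_host(found))
```

Matching on the parent image as well as the command line is what catches the PsExec hop: the launched command is an ordinary `cmd.exe`, and only the `PSEXESVC.exe` parent gives it away. The benign `vssadmin list shadows` record is there to show that the rules key on the destructive verbs, not on the tool name alone.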
