On September 10, 2025, trustwave.lab’s SOC team identified suspicious activity originating from a user workstation. The investigation revealed that the compromise began when the user searched online for legitimate software and clicked on an advertised website appearing in the first search results. Unbeknownst to the user, this site hosted a malicious download, which they executed with a single click, initiating a chain of malicious activity across the environment.
Subsequent events included staged payloads, beaconing to command-and-control (C2) infrastructure, lateral movement to the file server and domain controller, credential dumping, and attempts at data exfiltration.
Your task is to perform a full incident investigation using Splunk telemetry, process creation logs, registry artifacts, scheduled task information, network connections, and forensic disk images to reconstruct the attacker’s actions, identify persistence mechanisms, and determine the impact on trustwave.lab’s network.
Understanding the initial user action is critical: it tells us how the attacker baited the victim and which k