Introduction

In this forensic investigation, we'll be examining a critical security incident where adversaries successfully compromised a corporate domain controller. As a SOC analyst tasked with investigating this case, our goal is to uncover the complete attack chain and reveal the who, when, what, where, why, and how behind this sophisticated breach. Throughout this walkthrough, we'll explore how to navigate through Windows event logs, examine email artifacts, analyze malicious code, investigate memory dumps, and trace the attacker's activities from initial access to domain compromise. By following a methodical approach, we'll reconstruct the attack timeline, identify the initial infection vector, determine how the attackers established persistence, discover what Active Directory reconnaissance techniques they employed, and analyze the ransomware payload that was ultimately deployed. Each step of our analysis will provide critical insights into the tactics, techniques, and procedures (TTPs) utilized in this attack, aligning them with the MITRE ATT&CK framework to better understand the adversary's methodology.


Analysis

Q1 What is the name of the first malware detected by Windows Defender?

To begin our investigation, we need to examine the Windows Defender logs to identify the first malware detection. We start by using Arsenal Image Mounter to mount the DC disk triage image, which provides us with ac
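Because the page breaks off before the Defender records are shown, here is an added example (not part of this writeup) of how Q1 is answered once the Defender Operational log has been exported from the mounted image as XML: it keeps only detection events (1116/1117), orders them by time and returns the oldest. The sample records, paths and threat names below are constructed placeholders, not values from the case.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DETECTION_IDS = {"1116", "1117"}  # 1116 = malware detected, 1117 = action taken on it

# Constructed sample (not from the case): records out of order on purpose, a non-detection
# event (1001, scan finished) mixed in, and placeholder threat names rather than real ones.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1001</EventID>
<TimeCreated SystemTime="2024-03-10T08:00:00.0000000Z"/></System><EventData/></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1116</EventID>
<TimeCreated SystemTime="2024-03-10T09:15:42.1234567Z"/></System><EventData>
<Data Name="Threat Name">PLACEHOLDER:Second/Threat</Data><Data Name="Detection User">CORP\user</Data>
<Data Name="Path">file:_C:\Users\user\Downloads\second.bin</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1116</EventID>
<TimeCreated SystemTime="2024-03-09T22:41:05.5000000Z"/></System><EventData>
<Data Name="Threat Name">PLACEHOLDER:First/Threat</Data><Data Name="Detection User">CORP\user</Data>
<Data Name="Path">file:_C:\Users\user\AppData\Local\Temp\first.bin</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1117</EventID>
<TimeCreated SystemTime="2024-03-09T22:41:06.0000000Z"/></System><EventData>
<Data Name="Threat Name">PLACEHOLDER:First/Threat</Data><Data Name="Action Name">Quarantine</Data></EventData></Event>
</Events>"""

def _parse_time(system_time):
    # Windows writes 7 fractional digits; datetime.fromisoformat before 3.11 accepts at most 6.
    stamp = system_time.rstrip("Z")
    if "." in stamp:
        base, frac = stamp.split(".", 1)
        stamp = f"{base}.{frac[:6]}"
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)

def parse_detections(xml_text):
    """Detection events (1116/1117) as dicts, oldest first; every other event ID is skipped."""
    rows = []
    for event in ET.fromstring(xml_text).iter("{%s}Event" % NS["e"]):
        system = event.find("e:System", NS)
        event_id = system.findtext("e:EventID", namespaces=NS)
        if event_id not in DETECTION_IDS:
            continue
        data = {d.get("Name"): d.text for d in event.findall("e:EventData/e:Data", NS)}
        rows.append({"time": _parse_time(system.find("e:TimeCreated", NS).get("SystemTime")),
                     "event_id": event_id, "threat": data.get("Threat Name"),
                     "path": data.get("Path"), "user": data.get("Detection User")})
    return sorted(rows, key=lambda r: r["time"])

def first_detection(xml_text):
    """Earliest detection record (the answer to 'first malware detected'), or None if there is none."""
    rows = parse_detections(xml_text)
    return rows[0] if rows else None
```

On the mounted triage image the log is `Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx`; `wevtutil qe <that path> /lf:true /f:xml` emits records in this shape, which need a wrapping root element before parsing.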
