Introduction

Welcome to the ShadowCitadel lab walkthrough, where you’ll dive into a sophisticated cyber intrusion targeting a corporate network, compromising critical Active Directory infrastructure and sensitive documents. The attack begins when an unsuspecting employee downloads and extracts a seemingly innocuous ZIP file, unwittingly unleashing a multi-stage assault. This triggers a JavaScript file that downloads a PowerShell script, which in turn deploys a beacon, establishing a covert command-and-control channel. The attacker escalates their foothold with a rogue SSH server, persists through registry keys and scheduled tasks, and moves laterally to the Domain Controller, exfiltrating valuable data.

As a threat hunting and digital forensics investigator, your mission is to reconstruct this breach using a blend of Splunk for real-time threat detection and industry-standard forensic tools. You’ll leverage Splunk to analyze logs and identify malicious patterns, alongside Autopsy and FTK Imager for file system and disk analysis. This lab challenges you to trace the attack vector, detect anomalies, identify persistence mechanisms, recover dumped credentials, and piece together the timeline of this security incident. You’ll navigate endpoint artifacts and malware traces, honing skills essential for SOC analysts and threat hunters.

This investigation demands a methodical approach, blending technical expertise with analytical prowess to uncover the attacker’s methods and recover compromised intelligence. The stakes are high: failure could allow this data to fall into malicious hands, threatening the organization’s security. Let’s embark on this forensic and hunting journey to dismantle the breach!
