On December 2, 2025, the SOC team received an alert indicating a potentially malicious file download on a corporate workstation. Initial triage revealed that a user had downloaded software from an untrusted source, triggering suspicious process chains and network connections to external infrastructure.
Within hours, the attack escalated dramatically: the threat actor deployed a sophisticated command-and-control framework, harvested domain credentials, forged Kerberos tickets for unrestricted domain access, and moved laterally to all critical servers including the domain controller, file server, and backup server. The attack culminated in data exfiltration of sensitive corporate information followed by ransomware deployment demanding a substantial Bitcoin payment.
You have been provided with Splunk logs and disk forensic artifacts from the affected systems. Your mission is to reconstruct the complete attack chain and determine the full scope of the compromise.
To begin an investigation, it’s crucial to establish the initial point of compromise. Since the initial alert pointed to a suspicious download on WORKSTATION-01 by the user ncooper, the first logical step is to examine the user’s web browsing activity to understand the context of the download.
Modern web browsers like Google Chrome store a wealth of information, including browsing history, downloads, and cookies, in SQLite database files. For this investigation, we focus on the Chrome History database, which is typically located at C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\History (or under a Profile N directory if the user has more than one Chrome profile). Two things to keep in mind when working with it: Chrome holds a lock on the live file, so always analyze a copy taken from the forensic image rather than the original, and every timestamp in it is stored as microseconds since 1601-01-01 UTC (the WebKit epoch), not Unix time. To analyze this file, we use a tool like DB Browser for SQLite, whi