On December 2, 2025, the SOC team received an alert indicating a potentially malicious file download on a corporate workstation. Initial triage revealed that a user had downloaded software from an untrusted source, triggering suspicious process chains and network connections to external infrastructure.
Within hours, the attack escalated dramatically: the threat actor deployed a sophisticated command-and-control framework, harvested domain credentials, forged Kerberos tickets for unrestricted domain access, and moved laterally to all critical servers including the domain controller, file server, and backup server. The attack culminated in data exfiltration of sensitive corporate information followed by ransomware deployment demanding a substantial Bitcoin payment.
You have been provided with Splunk logs and disk forensic artifacts from the affected systems. Your mission is to reconstruct the complete attack chain and determine the full scope of the compromise.
To begin an investigation, it is crucial to establish the initial point of compromise. Since the alert pointed to a suspicious download on WORKSTATION-01, the first logical step is to trace the origin of the downloaded file.
When a file is downloaded from the internet through a web browser, Windows applies a Mark of the Web (MotW) by writing a Zone.Identifier Alternate Data Stream (ADS) to the file. Sysmon Event ID 15 (FileCreateStreamHash) captures the creation of these streams and, critically, logs the Contents of the ADS. This co