This investigation addresses a sophisticated ransomware attack targeting multiple endpoints within an enterprise environment. As the forensic analyst assigned to this case, my primary objective was to determine the delivery method of the ransomware, trace the attacker's activities, and establish a timeline of events. The analysis involved inspecting logs, examining system artifacts, and identifying tools leveraged during the attack. Tools such as Event Log Explorer, KAPE, EZ Tools, and Registry Explorer were utilized to conduct this investigation. The analysis focused on uncovering tactics associated with initial access, execution, privilege escalation, defense evasion, and data exfiltration. This report provides insights into the attacker's methodology and highlights actionable recommendations for mitigating similar incidents in the future.
Upon analyzing the event logs with Event Log Explorer
, I filtered entries based on Event ID 4624
, which corresponds to successful logons. My investigation specifically focused on logon type 10
, indicative of a remote interactive logon, often associated with Remote Desktop Protocol (RDP) access. The l