Introduction

In this lab, we investigate an intrusion following a confirmed phishing attack that led to a potential network-wide compromise. As a Tier 2 SOC Analyst at EliteSystems Corp, the objective is to analyze forensic artifacts to uncover the full extent of the breach, identify compromised assets, and determine the attacker’s tactics, techniques, and procedures (TTPs). Using forensic tools such as Event Log Explorer, NTFS Log Tracker, Registry Explorer, Timeline Explorer, and other EZ Tools, we will reconstruct the attack chain and assess the methods the adversary used to gain initial access, establish persistence, escalate privileges, and move laterally within the network. This investigation requires examining key Windows event logs, including Sysmon events, system modifications, process executions, and network activity. Through timeline analysis, we will determine how the attacker executed their payload, identify malicious scripts, and detect unauthorized system changes. Registry analysis will provide insight into modifications that enabled remote access or bypassed security controls, while forensic examination of execution logs will help trace how the attacker escalated privileges and established persistence.

A critical aspect of this investigation involves identifying command execution patterns, registry modifications, service installations, and credential theft attempts. Attackers often deploy remote access tools, modify security settings, and manipulate system configurations to ensure continued access. By analyzing executio
