VaultBreak Lab – CyberDefenders

Disk Analysis

Scenario

In May 2025, a financial services firm detected suspicious activity after an employee opened an urgent document received via email. The workstation exhibited abnormal behavior, including unexpected processes and unusual network connections. Security teams identified evidence of unauthorized system modifications and potential persistence mechanisms.

Analyze the collected forensic evidence to determine the sequence of the attack. Identify how the initial compromise occurred, trace the execution flow of malicious components, uncover persistence mechanisms deployed, and determine what external infrastructure is being utilized for command and control activities.

Questions

Initial Access & Execution

Q1. What is the filename of the malicious document that was downloaded after clicking a link in the phishing email?

  • I first parsed the logs using EvtxECmd.exe and opened the results in Timeline Explorer.
  • Searching for "Zone" in the logs (the Zone.Identifier stream that is written to files downloaded from the internet), we find:

Finanical_Support.docm

Q4. What was the Process ID of the command shell that was spawned with SYSTEM privileges during the attack?

  • We can filter on Sysmon Event ID 1 (Process Create) and then on User = NT AUTHORITY\SYSTEM.
  • We then find that notepad.exe spawned cmd.exe; its Process ID is:

10660

Q7. After the macro executed within the malicious document, it dropped and executed a malware payload. What is the name of the first executable that was launched?

Looking at the events that follow the download of Finanical_Support.docm, we find:

MSUPDATE-2381.EXE

Defense Evasion

Q2. The malware created a configuration file to store its settings. What is the name of this configuration file?

Looking at the events after MSUPDATE-2381.exe was dropped and executed, we find:

content.inf

Q10. To evade detection, the malware employed process spoofing techniques. Which legitimate Windows process was impersonated during the attack?

We see a large number of notepad.exe processes being launched; notepad.exe is the impersonated process.

Persistence

Q3. During the establishment of WMI persistence, a compromised user account was used to create the malicious event filter. Which domain user account was leveraged for this activity?

It can be found by filtering on Sysmon Event ID 19 (WmiEventFilter activity detected):

WIN-DMZ0\nevans

Q5. What MITRE ATT&CK technique ID is associated with the WMI persistence mechanism?

A Google search for "MITRE WMI persistence" returns:

T1546.003

Q6. In addition to scheduled tasks, the attacker implemented WMI-based persistence. What is the Security Identifier (SID) associated with the WMI binding event that linked these persistence components?

Filtering on Sysmon Event ID 21 (WmiEventConsumerToFilter activity detected), we find:

S-1-5-21-403280985-4081385913-4248903659-2063598570

Q9. The attacker established persistence using Windows Task Scheduler. What is the full task path that was created?

Creating a scheduled task writes entries to the registry under the TaskCache key, so we can search the registry events for:

\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\

We find a scheduled task created at:

Microsoft\Windows\UpdateOrchestrator\UpdateAssistant

Command and Control

Q8. The malware established communication with its C2 infrastructure. What is the IP address and port used for C2 communications?

Filtering on Sysmon Event ID 3 (Network connection detected), we find:

3.127.36.5:8443
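The pivots used throughout this writeup (Q1 Zone.Identifier search, Q4 SYSTEM cmd.exe from Event ID 1, Q10 counting notepad.exe launches, Q3/Q6 the User field of Event IDs 19 and 21, Q9 the TaskCache registry path, Q8 Event ID 3 destinations) are all "filter the event list on an ID and a field". The script below is an added example, not the lab's evidence and not the output of any tool: the records are constructed to resemble the rows one pivots on in Timeline Explorer after an EvtxECmd export, using Sysmon's own event-data field names (EventId, Image, ParentImage, User, TargetObject, TargetFilename, DestinationIp) in a flattened layout that is an assumption, and reusing the writeup's answers as sample values so the output is recognisable. File paths, the WMI filter/consumer names and the extra notepad.exe PIDs are constructed placeholders.

```python
"""Sysmon pivot helpers for the VaultBreak walkthrough (added example).

Not the lab's data or any tool's output. The records are constructed; field
names follow Sysmon event data, the flat dict layout is an assumption, and
the values reuse the writeup's answers so results are recognisable.
"""
import ipaddress
from collections import Counter
from pathlib import PureWindowsPath

SYS = r"C:\Windows\System32"                                    # constructed
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"     # constructed
TEMP = r"C:\Users\nevans\AppData\Local\Temp"                    # constructed
SYSTEM_USER = r"NT AUTHORITY\SYSTEM"

SAMPLE_EVENTS = [  # constructed records, one dict per Sysmon event
    {"EventId": 15, "TargetFilename": r"C:\Users\nevans\Downloads\Finanical_Support.docm:Zone.Identifier"},
    {"EventId": 1, "ProcessId": 7812, "Image": OFFICE + r"\WINWORD.EXE", "ParentImage": r"C:\Windows\explorer.exe", "User": r"WIN-DMZ0\nevans"},
    {"EventId": 1, "ProcessId": 9120, "Image": TEMP + r"\MSUPDATE-2381.EXE", "ParentImage": OFFICE + r"\WINWORD.EXE", "User": r"WIN-DMZ0\nevans"},
    {"EventId": 1, "ProcessId": 10412, "Image": SYS + r"\notepad.exe", "ParentImage": TEMP + r"\MSUPDATE-2381.EXE", "User": SYSTEM_USER},
    {"EventId": 1, "ProcessId": 10520, "Image": SYS + r"\notepad.exe", "ParentImage": TEMP + r"\MSUPDATE-2381.EXE", "User": SYSTEM_USER},
    {"EventId": 1, "ProcessId": 10588, "Image": SYS + r"\notepad.exe", "ParentImage": TEMP + r"\MSUPDATE-2381.EXE", "User": SYSTEM_USER},
    {"EventId": 1, "ProcessId": 10660, "Image": SYS + r"\cmd.exe", "ParentImage": SYS + r"\notepad.exe", "User": SYSTEM_USER},
    {"EventId": 1, "ProcessId": 4410, "Image": SYS + r"\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe", "User": r"WIN-DMZ0\nevans"},
    {"EventId": 3, "DestinationIp": "3.127.36.5", "DestinationPort": 8443},
    {"EventId": 3, "DestinationIp": "10.0.0.5", "DestinationPort": 445},
    {"EventId": 12, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant"},
    {"EventId": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant\Id"},
    {"EventId": 19, "User": r"WIN-DMZ0\nevans", "Name": "UpdateFilter"},
    {"EventId": 21, "User": "S-1-5-21-403280985-4081385913-4248903659-2063598570", "Consumer": "UpdateConsumer", "Filter": "UpdateFilter"},
]


def _basename(path):
    return PureWindowsPath(path).name.lower()


def motw_downloads(events):
    """Q1 pivot: Event ID 15 (FileCreateStreamHash) fires when a Zone.Identifier
    stream (mark of the web) is written to a downloaded file."""
    return [PureWindowsPath(e["TargetFilename"].rsplit(":", 1)[0]).name
            for e in events
            if e["EventId"] == 15 and e["TargetFilename"].lower().endswith(":zone.identifier")]


def system_shells(events):
    """Q4 pivot: Event ID 1 rows running as SYSTEM whose image is cmd.exe,
    returned as (ProcessId, parent image name)."""
    return [(e["ProcessId"], _basename(e["ParentImage"]))
            for e in events
            if e["EventId"] == 1 and e["User"].upper() == SYSTEM_USER
            and _basename(e["Image"]) == "cmd.exe"]


def image_counts(events):
    """Q10 pivot: launches per image name; a burst of notepad.exe starts from
    a dropper, with cmd.exe as a child, is the spoofing tell."""
    return Counter(_basename(e["Image"]) for e in events if e["EventId"] == 1)


def wmi_actors(events):
    """Q3/Q6 pivot: the User field of Event IDs 19 (filter), 20 (consumer) and
    21 (consumer-to-filter binding), grouped by event ID."""
    actors = {}
    for e in events:
        if e["EventId"] in (19, 20, 21):
            actors.setdefault(e["EventId"], set()).add(e["User"])
    return actors


TASKCACHE_TREE = "\\schedule\\taskcache\\tree\\"


def scheduled_tasks(events):
    """Q9 pivot: registry Event IDs 12/13 under ...\\Schedule\\TaskCache\\Tree\\;
    the suffix is the task path. Event 13 rows end in a value name (e.g. \\Id),
    so their last element is dropped."""
    tasks = set()
    for e in events:
        if e["EventId"] not in (12, 13):
            continue
        target = e["TargetObject"]
        idx = target.lower().find(TASKCACHE_TREE)
        if idx == -1:
            continue
        path = target[idx + len(TASKCACHE_TREE):]
        if e["EventId"] == 13:
            path = path.rsplit("\\", 1)[0]
        tasks.add(path)
    return tasks


def external_connections(events):
    """Q8 pivot: Event ID 3 destinations that are globally routable, so
    LAN and loopback noise drops out."""
    return sorted({f"{e['DestinationIp']}:{e['DestinationPort']}"
                   for e in events
                   if e["EventId"] == 3 and ipaddress.ip_address(e["DestinationIp"]).is_global})


if __name__ == "__main__":
    print("MOTW downloads     :", motw_downloads(SAMPLE_EVENTS))
    print("SYSTEM cmd.exe     :", system_shells(SAMPLE_EVENTS))
    print("image launch counts:", image_counts(SAMPLE_EVENTS).most_common(3))
    print("WMI actors         :", wmi_actors(SAMPLE_EVENTS))
    print("scheduled tasks    :", scheduled_tasks(SAMPLE_EVENTS))
    print("external endpoints :", external_connections(SAMPLE_EVENTS))
```

On real data the same functions apply once each EvtxECmd row is mapped into a dict with these keys; the only pivot that needs care is the TaskCache one, since value-set events (ID 13) carry the value name after the task path, which is why the function strips it.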