Investigation Overview

The Elevating Movement room simulates a post-compromise forensic investigation at DeceptiTech following a network collapse. This scenario focuses on the second attack stage where an attacker, having gained initial access, performs privilege escalation and lateral movement on a Windows server (SRV-IT-QA) that was compromised through Emily's stolen credentials.

The investigation requires analyzing Windows forensic artifacts including Event Logs, file system artifacts, process memory analysis, and timeline reconstruction to determine the attacker's movements and techniques.

Task 1: Introduction & Scenario Context

Background

DeceptiTech operates a hybrid infrastructure with:

On-Premises: Traditional Active Directory domain (~50 users)

Cloud Platform: AWS-hosted product platform (isolated)

The attack unfolded in multiple stages. This room focuses on Stage #2, where the attacker leveraged stolen credentials from Emily Ross (compromised in Stage #1) to access SRV-IT-QA, a QA server where Emily holds local admin privileges.

Key Attack Details

Pre-Investigation Facts:

  • Emily's domain credentials were stolen

  • The server became "unstable" after motherboard replacement (suspicious timing)

  • Emily accessed the machine with a local admin account

  • Other IT administrators frequently log in

  • The attacker had access on Monday, Day 4

Task 2: Windows Forensic Investigation

Question 1: RDP Login Detection

Question: When did the attacker perform RDP login on the server?

Answer: 2025-06-30 16:33:18
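To show how the RDP logon is picked out of the Security log, here is an added example (my own code, not part of the room or this write-up) that filters 4624 events by the RemoteInteractive logon type. The event records are constructed to mimic a JSON export of the Security log; the account name emily.ross, the source IPs and the other logons are assumed sample values, with only the answer timestamp taken from above.

```python
from datetime import datetime

# Logon types in Security event 4624 that indicate a Remote Desktop session:
# 10 = RemoteInteractive (new RDP logon); 7 = Unlock, also seen on RDP reconnects.
RDP_LOGON_TYPES = {10, 7}

# Constructed sample events in the shape of a JSON export of the Security log.
# Not real DeceptiTech data; only the 16:33:18 timestamp comes from the write-up.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2025-06-30T09:02:11", "LogonType": 3,
     "TargetUserName": "SRV-IT-QA$", "IpAddress": "10.0.0.5"},      # machine/network logon
    {"EventID": 4624, "TimeCreated": "2025-06-30T15:10:40", "LogonType": 2,
     "TargetUserName": "it.admin", "IpAddress": "-"},               # console logon
    {"EventID": 4625, "TimeCreated": "2025-06-30T16:33:05", "LogonType": 10,
     "TargetUserName": "emily.ross", "IpAddress": "10.0.0.77"},     # failed RDP attempt
    {"EventID": 4624, "TimeCreated": "2025-06-30T16:33:18", "LogonType": 10,
     "TargetUserName": "emily.ross", "IpAddress": "10.0.0.77"},     # successful RDP logon
    {"EventID": 4624, "TimeCreated": "2025-07-01T08:15:00", "LogonType": 10,
     "TargetUserName": "it.admin", "IpAddress": "10.0.0.12"},       # a later admin RDP logon
]


def rdp_logons(events, user=None):
    """Return successful RDP logons as (timestamp, user, source_ip), oldest first.

    Only 4624 (success) is counted; 4625 failures are ignored. Restrict to one
    account with `user` (case-insensitive, as Windows treats account names).
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") not in RDP_LOGON_TYPES:
            continue
        if user and ev.get("TargetUserName", "").lower() != user.lower():
            continue
        ts = datetime.fromisoformat(ev["TimeCreated"])
        hits.append((ts, ev["TargetUserName"], ev.get("IpAddress", "-")))
    return sorted(hits)


def first_rdp_logon(events, user):
    """Timestamp string (YYYY-MM-DD HH:MM:SS) of the account's first RDP logon, or None."""
    hits = rdp_logons(events, user)
    return hits[0][0].strftime("%Y-%m-%d %H:%M:%S") if hits else None


if __name__ == "__main__":
    for ts, who, src in rdp_logons(SAMPLE_EVENTS):
        print(f"{ts}  {who:<12} from {src}")
    print("first RDP logon by emily.ross:", first_rdp_logon(SAMPLE_EVENTS, "emily.ross"))
```

On a live system the same filter is `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624}` with LogonType 10 selected from the event XML, and the TerminalServices-RemoteConnectionManager/Operational log (event 1149) corroborates the source address.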
