Challenge Description

A Windows workstation was recently compromised, and evidence suggests it was an attack against internet-facing RDP, then Meterpreter was deployed to conduct ‘Actions on Objectives’. Can you verify these findings?

You have been provided with the Security.evtx and System.evtx log exports from the compromised system – you should analyze these, NOT the Windows logs generated by the lab machine (when using DeepBlueCLI ensure you’re providing the path to these files, stored inside \Desktop\Investigation\).
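As an added example (not part of the challenge text or this writeup), the following PowerShell triage pass runs DeepBlueCLI against both exported files, then pulls the RDP-relevant logon events straight out of Security.evtx with Get-WinEvent so the "internet-facing RDP" claim can be checked independently. The DeepBlueCLI checkout location (`C:\Tools\DeepBlueCLI`) is an assumption; the evidence paths follow the challenge description.

```powershell
# Added example (not from the challenge or the writeup). Assumes DeepBlueCLI has been
# cloned to C:\Tools\DeepBlueCLI; the .evtx paths are the ones the challenge supplies.
$DeepBlue = 'C:\Tools\DeepBlueCLI\DeepBlue.ps1'          # assumed location
$Evidence = Join-Path $env:USERPROFILE 'Desktop\Investigation'
$Security = Join-Path $Evidence 'Security.evtx'
$System   = Join-Path $Evidence 'System.evtx'

# 1. Run DeepBlueCLI's built-in detections over the exported files. Passing the file
#    path explicitly is what keeps it off the lab machine's own live event logs.
& $DeepBlue $Security | Format-Table -AutoSize
& $DeepBlue $System   | Format-Table -AutoSize

# Helper: read one named field out of an event's EventData XML.
function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 2. Failed logons (4625) grouped by source address. A burst of failures from a single
#    external address against one or more accounts is what password guessing against an
#    exposed RDP service looks like in the Security log.
Get-WinEvent -FilterHashtable @{ Path = $Security; Id = 4625 } |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = Get-EventField $_ 'TargetUserName'
            SourceIP  = Get-EventField $_ 'IpAddress'
            LogonType = Get-EventField $_ 'LogonType'
        }
    } |
    Group-Object SourceIP | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize

# 3. Successful logons (4624) with LogonType 10 (RemoteInteractive, i.e. RDP). The first
#    type-10 success after the failure burst dates the initial access, and the account it
#    lands on is the one whose subsequent activity needs to be followed through the logs.
Get-WinEvent -FilterHashtable @{ Path = $Security; Id = 4624 } |
    Where-Object { (Get-EventField $_ 'LogonType') -eq '10' } |
    ForEach-Object {
        [pscustomobject]@{
            Time     = $_.TimeCreated
            User     = Get-EventField $_ 'TargetUserName'
            SourceIP = Get-EventField $_ 'IpAddress'
            Process  = Get-EventField $_ 'ProcessName'
        }
    } |
    Sort-Object Time | Format-Table -AutoSize
```

Steps 2 and 3 are deliberately kept separate from DeepBlueCLI: its output is a convenient summary, but the raw 4625/4624 records are what actually establish the source address, the timeline, and which account the successful RDP session belonged to.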
Overall, this was a super easy challenge. There wasn’t really any obfuscation used and the commands were very noticeable for what went wrong. I don’t know if it was an error or intentional that it started with Mike Smith in the beginning being compromised, then all of a sudden switched to Mike Daniels running commands for persistence.