BTLO: Investigation – Deep Blue


A Windows workstation was recently compromised, and evidence suggests it was an attack against internet-facing RDP, then Meterpreter was deployed to conduct ‘Actions on Objectives’. Can you verify these findings?

You have been provided with the Security.evtx and System.evtx log exports from the compromised system – you should analyze these, NOT the Windows logs generated by the lab machine (when using DeepBlueCLI ensure you’re providing the path to these files, stored inside \Desktop\Investigation\).

Challenge Description
Restricted Content
This investigation is currently active on Blue Team Labs Online, and is therefore required to be password protected. You can unlock this challenge by using the last password requested, or wait until the investigation is retired.


Overall, this was a super easy challenge. There wasn’t really any obfuscation used and the commands were very noticeable for what went wrong. I don’t know if it was an error or intentional that it started with Mike Smith in the beginning being compromised, then all of a sudden switched to Mike Daniels running commands for persistence.

