
MeetCyber

Hack the Present, Secure the Future. We donate 5¢ to OWASP per new follower.

Elevating Movement


Investigate the second, Windows part of the Honeynet Collapse!


Hey Emily, when you are done with DeceptiPot deployment, can you take a look at SRV-IT-QA? It became unstable after we replaced the motherboard, so maybe you can debug what’s going on there. ~ Matthew

While Emily worked on the issue from a local admin account, the threat actor continued the attack. With the entry point secured and Emily’s domain credentials stolen, they now wanted to explore opportunities for privilege escalation. Leveraging your knowledge of Windows forensics, can you uncover the elevating movement?

When did the attacker perform RDP login on the server?
Answer Format Example: 2025-01-15 19:30:45

After starting the attack box, open Event Viewer. Search the logs for Event ID 1149 and go through each event until you find the one where Emily Ross logs in successfully.
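The same search can be scripted instead of clicking through Event Viewer. The following is an added example, not part of the original walkthrough: it pulls every Event ID 1149 record from the Terminal Services RemoteConnectionManager operational log and prints the user, domain and source address with the timestamp in both local time and UTC. The `$UserFilter` value and the optional `$EvtxPath` parameter are assumptions for illustration.

```powershell
# Added example: list RDP "User authentication succeeded" events (ID 1149).
param(
    [string]$UserFilter = 'emily',  # assumption: substring of the account name as logged
    [string]$EvtxPath               # assumption: optional exported .evtx to read instead of the live log
)

# Event 1149 is written to this operational channel, not to the Security log.
$log = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'

$filter = @{ Id = 1149 }
if ($EvtxPath) { $filter.Path = $EvtxPath } else { $filter.LogName = $log }

Get-WinEvent -FilterHashtable $filter -ErrorAction Stop |
    ForEach-Object {
        # The fields live under UserData/EventXML as Param1..Param3.
        $data = ([xml]$_.ToXml()).Event.UserData.EventXML
        [pscustomobject]@{
            TimeLocal = $_.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')
            TimeUtc   = $_.TimeCreated.ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss')
            User      = $data.Param1
            Domain    = $data.Param2
            SourceIp  = $data.Param3
        }
    } |
    Where-Object { $_.User -like "*$UserFilter*" } |
    Sort-Object TimeLocal |
    Format-Table -AutoSize
```

Event Viewer displays local time, so compare the `TimeLocal` and `TimeUtc` columns against the time zone the answer format expects.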


Published in MeetCyber


Responses (1)


I didn't know this room existed till your article. Will go try it out today 😄