Hey DDFAN folks, this challenge is hardcoded like Ali Hadi’s cases, which this is one of the challenges in 13Cubed — Investigation Windows Endpoint course, so the files are restricted to students only.

Many thanks to Richard Davis for letting me post walkthrough and documentation on the blog.

Scenario :

Cobalt Edge Technologies recently expanded its IT footprint, launching a new email system and website. Employees responded positively, but inexperienced staff failed to keep several applications updated. Shortly after the website went live, a threat actor gained access and began moving laterally within the network. Some unusual activity was noticed, but a full domain compromise occurred before containment began.

Investigation Goals :

1. Identify the threat actor’s path through the environment
2. Determine what data was exfiltrated
3. Locate any persistence mechanisms left behind

WorkStation :

1. CHI-L-WEB-04 — Ubuntu 24.04 LTS web server running WordPress
2. CHI-L-CONF-01 — AlmaLinux OS 10 server hosting Confluence
3. DESKTOP-9RQ7DGC — Windows 11 25H2 user workstation
4. CHI-W-ADDC-01 — Windows Server 2025 domain controller and mail server (cobaltedge.xo)