Silent Miner - DFIR Lab

Something suspicious is happening on this Windows workstation. The system appears mostly idle, yet CPU usage spikes outside business hours. Initial triage found that an attacker accessed the system remotely and used it to deploy a cryptocurrency miner, while attempting to remain unnoticed.

You have been provided a forensic image of the Windows workstation with Velociraptor preinstalled. Using Velociraptor, perform a digital forensics investigation to reconstruct the attacker’s actions.

Mobile Hacking Conference

This lab was part of the Mobile Hacking Conference talk:
by Andreas van Leeuwen Flamino, and is an introduction to the upcoming Windows DFIR course.

Objective

Your goal is to identify the attacker’s actions, persistence mechanisms, and the malicious components involved in the Silent Miner compromise.

Course Lessons