Memory image and case scenario from stuxnet999/MemLabs Lab 1. The interactive terminal, ATT&CK mapping, stage decomposition, and analyst-training narration here are original.
TA0007 Discovery / T1082 System Information Discovery
Stage 1 — Initial System Triage
🎯 Investigation Complete
You've reconstructed what happened on the sister's machine across all eight ATT&CK tactics — hypothesis by hypothesis.
The story you can now defend:
• Who: a second user account, Hershel, was active alongside the sister
• What: a batch script (St4G3$1.bat) was executed from C:\Windows\System32\ via cmd.exe
• When: 2019-12-11 14:34–14:38 UTC, while the sister was using mspaint.exe
• How: interactive shell ("the black window"), staging a password-protected RAR of files from her profile
A real DFIR analyst would now pivot to disk forensics, write Sigma/YARA detection rules from the ATT&CK techniques used, and brief the IR team with this kill chain.
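As an added example (not part of the lab or the MemLabs project), here is what turning the kill chain above into detection logic can look like: a Python pass over constructed process records that flags a System32 batch execution followed, within a short window, by a password-protected RAR. The rar.exe invocation, the `Proc` records and everything except the St4G3$1.bat / mspaint.exe names and the 14:34 timestamp are assumptions.

```python
"""Toy detection pass modelled on the Lab 1 findings: cmd.exe running a .bat
out of System32, then a password-protected RAR of user-profile files."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass
class Proc:
    ts: datetime      # process start time (UTC)
    name: str         # image name as a process list would report it
    cmdline: str      # full command line


# Constructed sample records (not real Volatility output). Only St4G3$1.bat,
# mspaint.exe and the 14:34 start time come from the lab write-up.
SAMPLE = [
    Proc(datetime(2019, 12, 11, 14, 30), "mspaint.exe", "mspaint.exe"),
    Proc(datetime(2019, 12, 11, 14, 34), "cmd.exe",
         'cmd.exe /c "C:\\Windows\\System32\\St4G3$1.bat"'),
    Proc(datetime(2019, 12, 11, 14, 36), "rar.exe",
         'rar.exe a -hpEXAMPLE C:\\Users\\sister\\stage.rar C:\\Users\\sister\\Documents'),
    Proc(datetime(2019, 12, 11, 16, 0), "notepad.exe", "notepad.exe"),
]

# cmd.exe launching a .bat that lives under C:\Windows\System32 (case-insensitive)
BAT_IN_SYSTEM32 = re.compile(r"cmd\.exe.*\\windows\\system32\\[^\"\s]+\.bat", re.I)
# rar.exe "add" with WinRAR's -p / -hp password switches (assumed archiver here)
RAR_WITH_PASSWORD = re.compile(r"\b(win)?rar\.exe\s+a\b.*\s-h?p\S*", re.I)


def find_staging_chains(procs, window=timedelta(minutes=10)):
    """Return (bat_cmdline, rar_cmdline) pairs where a password-protected RAR
    starts at or after a System32 batch execution and within `window` of it."""
    hits = []
    bats = [p for p in procs
            if p.name.lower() == "cmd.exe" and BAT_IN_SYSTEM32.search(p.cmdline)]
    rars = [p for p in procs if RAR_WITH_PASSWORD.search(p.cmdline)]
    for b in bats:
        for r in rars:
            if timedelta(0) <= r.ts - b.ts <= window:
                hits.append((b.cmdline, r.cmdline))
    return hits


if __name__ == "__main__":
    for bat, rar in find_staging_chains(SAMPLE):
        print("staging chain:", bat, "->", rar)
```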