A Windows workstation was recently compromised, and evidence suggests it was an attack against internet-facing RDP, then Meterpreter was deployed to conduct 'Actions on Objectives'. Can you verify these findings? You have been provided with the Security.evtx and System.evtx log exports from the compromised system. You should analyze these, NOT the Windows logs generated by the lab machine (when using DeepBlueCLI, ensure you're providing the path to these files, stored inside \Desktop\Investigation\).

Reading Material:
https://github.com/sans-blue-team/DeepBlueCLI
https://blueteamlabs.online/home/investigation/deep-blue-a4c18ce507


We can see GoogleUpdate being executed with base64-encoded content, running under the user mike smith.

An event shows the attacker attempting getsystem via a Meterpreter shell to escalate privileges. This outdated method, easily detected by modern AV/EDR, uses named pipes to impersonate higher-privileged processes (similar to Linux's suid). Metasploit typically creates a named pipe, attaches it to cmd.exe, and leverages default impersonation privileges to gain SYSTEM-level access.

Here the attacker is trying to create a service.
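As an added illustration (not part of the original writeup, and not DeepBlueCLI's own code), the following Python script applies the two checks discussed above to constructed sample records: it decodes base64 runs found in Event ID 4688 process command lines, and flags Event ID 7045 service installs whose image path matches the cmd.exe named-pipe pattern described for getsystem or points outside System32. The event IDs are the standard Windows ones; every path, service name and command in the sample data is constructed for the example, and the GoogleUpdate path is hypothetical.

```python
import base64
import re

# Constructed sample records standing in for the fields DeepBlueCLI reads from
# Security.evtx (4688, process creation) and System.evtx (7045, service installed).
# They are illustrative only and are not taken from the investigation's log files.
SAMPLE_EVENTS = [
    {"log": "Security", "id": 4688, "SubjectUserName": "mike smith",
     "NewProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\explorer.exe"},
    {"log": "Security", "id": 4688, "SubjectUserName": "mike smith",
     # hypothetical binary location; the command argument is a UTF-16LE base64 blob
     "NewProcessName": r"C:\Users\mike smith\AppData\Local\Temp\GoogleUpdate.exe",
     "CommandLine": "GoogleUpdate.exe -e " + base64.b64encode(
         "whoami /priv; net localgroup administrators".encode("utf-16le")).decode()},
    {"log": "System", "id": 7045, "ServiceName": "hlpuvq",  # constructed name
     "ImagePath": r"cmd.exe /c echo hlpuvq > \\.\pipe\hlpuvq"},
    {"log": "System", "id": 7045, "ServiceName": "W32Time",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k LocalService"},
]

# A run of 40+ base64 alphabet characters is long enough to carry a command.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# The getsystem named-pipe service: cmd.exe echoing into \\.\pipe\<name>.
PIPE_IMPERSONATION = re.compile(
    r"cmd(?:\.exe)?\s+/c\s+echo\s+\S+\s*>\s*\\\\\.\\pipe\\", re.IGNORECASE)


def _looks_like_text(s):
    """Accept only printable ASCII plus common whitespace, to reject garbage decodes."""
    return all(32 <= ord(c) < 127 or c in "\r\n\t" for c in s)


def decode_base64_token(token):
    """Decode a base64 token as UTF-16LE (PowerShell -EncodedCommand style) or UTF-8.

    Returns the decoded text, or None when the token is not valid base64 or
    does not decode to readable text.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    for encoding in ("utf-16le", "utf-8"):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        if text and _looks_like_text(text):
            return text
    return None


def find_encoded_commands(events):
    """Return (user, process, decoded_text) for 4688 events carrying decodable base64."""
    hits = []
    for ev in events:
        if ev.get("id") != 4688:
            continue
        for token in B64_TOKEN.findall(ev.get("CommandLine", "")):
            decoded = decode_base64_token(token)
            if decoded is not None:
                hits.append((ev.get("SubjectUserName", "?"),
                             ev.get("NewProcessName", "?"), decoded))
    return hits


def find_suspicious_services(events):
    """Return (service, image_path, reason) for 7045 events worth an analyst's attention.

    The System32 check is a coarse heuristic: legitimate third-party services
    also live elsewhere, so it is a triage hint rather than a verdict.
    """
    hits = []
    for ev in events:
        if ev.get("id") != 7045:
            continue
        path = ev.get("ImagePath", "")
        if PIPE_IMPERSONATION.search(path):
            hits.append((ev.get("ServiceName", "?"), path,
                         "named-pipe impersonation service (getsystem-style)"))
        elif "system32" not in path.lower():
            hits.append((ev.get("ServiceName", "?"), path,
                         "service binary outside System32"))
    return hits


def summarize(events):
    """Run both detections and return human-readable findings."""
    findings = []
    for user, proc, decoded in find_encoded_commands(events):
        findings.append(f"4688: {user} ran {proc}; base64 decodes to {decoded!r}")
    for name, path, reason in find_suspicious_services(events):
        findings.append(f"7045: service {name!r} -> {path!r} ({reason})")
    return findings


if __name__ == "__main__":
    for line in summarize(SAMPLE_EVENTS):
        print(line)
```

Against real exports the same logic would read the 4688 and 7045 records from Security.evtx and System.evtx (for example via a parsing library or DeepBlueCLI's own output) instead of the inline sample list; the point is that a decoded command line and a service whose image path is a cmd.exe echo into a named pipe are the two artifacts that tie the GoogleUpdate execution and the getsystem attempt together.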