Prepared by: Triskele Labs Marketing | Last update: 18 February 2026
Triskele Labs has partnered with Hack The Box to transform a real-world Digital Forensics and Incident Response investigation into a practical learning scenario that shows how modern ransomware attacks unfold.
Hack The Box is a leading cyber security training platform that helps individuals and organisations build practical skills through realistic, hands-on scenarios. Their approach is grounded in real-world attacker techniques, enabling security teams to develop capability that translates directly into operational readiness.
This collaboration brings together Triskele Labs’ frontline DF and IR expertise and Hack The Box’s hands-on cyber training platform, providing security teams with insight grounded in real attacker behaviour.
The scenario is based on an actual ransomware engagement investigated by Triskele Labs’ Digital Forensics team, where an exposed Remote Desktop Gateway (RD Gateway) became the entry point for a full domain compromise and ransomware deployment.
Built from that RD Gateway compromise, the scenario allows security professionals to explore attacker behaviour, decision points, and impact in a safe, hands-on environment. It is ideal for teams looking to test their readiness, deepen practical understanding, and train against threats as they occur in the wild.
Triskele Labs was engaged following the detection of ransomware encryption across critical servers within a client environment. The infrastructure consisted of a Remote Desktop Gateway used for external access and a combined Domain Controller and File Server hosting internal data.
While the compromise was limited to server infrastructure, the attack demonstrated how quickly threat actors can escalate privileges and establish persistence once initial access is achieved.
The timeline below provides a high-level overview of the incident, with full technical detail and hands-on analysis available through the Hack The Box scenario.
This diagram illustrates the full intrusion lifecycle observed during the engagement, from initial access through to ransomware execution, highlighting key attacker techniques such as credential abuse, privilege escalation, persistence, and command-and-control activity.
[Image: Attack Diagram]
The threat actor gained access using a compromised domain account through the externally exposed Remote Desktop Gateway, bypassing the need for exploit-based intrusion.
Following access, credential recovery tools and network reconnaissance utilities were deployed to expand visibility and privilege within the environment. Evidence strongly indicated successful recovery of plaintext credentials.
A new domain account was created and elevated to administrative groups, ensuring long-term access. A proxy-based command-and-control mechanism was also introduced to maintain persistence even if initial access paths were closed.
Windows Event Logs were deliberately cleared, removing historical authentication evidence and limiting early-stage visibility of attacker activity.
Tools commonly associated with data exfiltration were executed, followed by deployment of a ransomware payload that encrypted server data and targeted backup infrastructure. Attribution was made to the LockBit ransomware group.
This table maps observed attacker behaviours to MITRE ATT&CK tactics and techniques, providing defenders with a structured reference aligned to real incident data.
| MITRE ATT&CK TACTIC | MITRE ATT&CK TECHNIQUE | DESCRIPTION | TOOL USED |
|---|---|---|---|
| Initial Access | T1133 – External Remote Services; T1078.002 – Valid Accounts: Domain Accounts | The Threat Actor’s first activity was a successful sign-in using the exposed RDP service with the compromised domain account CONTOSO\test. | RDP Gateway |
| Initial Access | T1133 – External Remote Services; T1078.002 – Valid Accounts: Domain Accounts | The Threat Actor authenticated via Remote Desktop Gateway within the available logs, confirming additional access activity. | RDP connections |
| Persistence | T1136.001 – Create Account: Domain Account | A new account named UserSupport was created by the Threat Actor to maintain persistence within the environment. | Net.exe |
| Defense Evasion | T1070.001 – Indicator Removal: Clear Windows Event Logs | The Threat Actor cleared the Windows Event Logs to remove traces of their activity and evade detection. | wevtutil (native Windows utility) |
| Credential Access | T1555 – Credentials from Password Stores | The Threat Actor attempted to dump saved credentials on a host. | Account Restore (Arestore.exe / AccountRestore.exe) |
| Exfiltration | T1567 – Exfiltration Over Web Service | The Threat Actor executed WinSCP on RDS01 to facilitate exfiltration of data over web services. | WinSCP (Portable Edition) |
| Command and Control | T1572 – Protocol Tunneling | Taskhostex.exe (NPS Client) was executed on RemoteDesktopServer-01, indicating tunneling activity to maintain covert C2 communications. | Taskhostex.exe |
| Command and Control | T1572 – Protocol Tunneling | Taskhostex.exe (NPS Client) was executed on DomainController01 to support tunneling activity and persistence of C2 channels. | Taskhostex.exe |
| Impact | T1485 – Data Destruction | The Threat Actor gained access to the Veeam Backup and Replication Console, likely with the intent of destroying backup data to hinder recovery efforts. | Veeam |
| Impact | T1486 – Data Encrypted for Impact | Ransomware was executed, and the first encrypted file was identified on DC01, demonstrating encryption for impact. | LockBit Ransomware |
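Two of the behaviours in the table (a freshly created domain account elevated into an administrative group, and the Security log being cleared) leave standard Windows Security audit events that a defender can correlate. The script below is an added example written for this page; it is not Triskele Labs’ or Hack The Box’s code and does not reproduce any tooling from the engagement. It assumes the standard Security event IDs (4624 logon, 4720 account created, 4728/4732 member added to a group, 1102 audit log cleared) and runs over a constructed, simplified event list whose host and account names echo the table and whose timestamps are invented.

```python
"""Correlate constructed Windows Security events for two behaviours in the
ATT&CK table: a new account placed in a privileged group shortly after creation
(T1136.001) and clearing of the Security log (T1070.001).

Added example for this page, not code from the engagement or the scenario.
"""
from datetime import datetime, timedelta

# Groups whose membership change on a brand-new account is worth an alert (assumption).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}
REMOTE_INTERACTIVE = 10  # 4624 Logon Type 10 = RDP / RemoteInteractive

# Constructed sample events (simplified field set, not real incident data).
SAMPLE_EVENTS = [
    {"time": "2025-01-09T09:00:00", "host": "DC01", "id": 4720,
     "user": "CONTOSO\\helpdesk", "target": "jsmith"},            # benign baseline: created, never elevated
    {"time": "2025-01-10T02:14:00", "host": "RDS01", "id": 4624,
     "user": "CONTOSO\\test", "logon_type": REMOTE_INTERACTIVE},  # RDP logon with the compromised account
    {"time": "2025-01-10T02:31:00", "host": "DC01", "id": 4720,
     "user": "CONTOSO\\test", "target": "UserSupport"},           # new account created
    {"time": "2025-01-10T02:32:00", "host": "DC01", "id": 4728,
     "user": "CONTOSO\\test", "target": "UserSupport", "group": "Domain Admins"},
    {"time": "2025-01-10T03:05:00", "host": "DC01", "id": 1102,
     "user": "CONTOSO\\UserSupport"},                             # Security log cleared
]


def triage(events, window=timedelta(hours=24)):
    """Return findings in time order.

    A finding is raised when an account is added to a privileged group within
    `window` of its creation, and whenever event 1102 (audit log cleared) is seen.
    The elevation finding also records whether the creating account had a
    RemoteInteractive logon inside the window, which ties it to gateway access.
    """
    findings = []
    created = {}        # target account -> (creation time, creator)
    remote_logons = {}  # account -> latest RemoteInteractive logon time
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4624 and ev.get("logon_type") == REMOTE_INTERACTIVE:
            remote_logons[ev["user"]] = t
        elif ev["id"] == 4720:
            created[ev["target"]] = (t, ev["user"])
        elif ev["id"] in (4728, 4732) and ev.get("group") in PRIVILEGED_GROUPS:
            hit = created.get(ev["target"])
            if hit and t - hit[0] <= window:
                created_at, creator = hit
                rdp = remote_logons.get(creator)
                findings.append({
                    "rule": "new-account-elevated",
                    "technique": "T1136.001",
                    "host": ev["host"],
                    "account": ev["target"],
                    "group": ev["group"],
                    "creator": creator,
                    "creator_via_rdp": rdp is not None and t - rdp <= window,
                })
        elif ev["id"] == 1102:
            findings.append({
                "rule": "audit-log-cleared",
                "technique": "T1070.001",
                "host": ev["host"],
                "actor": ev["user"],
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        detail = ", ".join(f"{k}={v}" for k, v in f.items()
                           if k not in ("technique", "rule", "host"))
        print(f"[{f['technique']}] {f['rule']} on {f['host']}: {detail}")
```

The benign `jsmith` creation produces no finding because it is never followed by a privileged group addition, while `UserSupport` is flagged with `creator_via_rdp=True` because the creating account had an RDP logon on the gateway host minutes earlier. Event 1102 is alerted on unconditionally: log clearing has almost no legitimate cause on a domain controller and, as the timeline notes, it is what removed the early authentication evidence in this case. Forwarding Security events off-host before they can be cleared is what makes this correlation possible at all.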
Building real-world ransomware readiness
By translating a real DFIR investigation into a practical training scenario, this collaboration closes the gap between incident response and defensive readiness.
Security teams are exposed to the same techniques, tooling, and decision points observed during live ransomware incidents — without the cost of learning them the hard way.
Ransomware incidents rarely begin with sophisticated exploits. More often, they start with simple exposure, valid credentials, and time.
Through this collaboration, Triskele Labs and Hack The Box aim to equip organisations with the insight and experience needed to recognise attacker behaviour early, respond effectively, and reduce the impact of real-world incidents.
Triskele Labs
Triskele Labs is an Australian cyber security consultancy specialising in managed detection and response, digital forensics, incident response and advanced security services. With deep experience responding to real-world cyber incidents, Triskele Labs works with organisations across regulated and high-risk sectors to investigate, contain, and recover from complex threats while strengthening long-term resilience.
Hack The Box
Hack The Box is a leading cyber security training platform that enables individuals and organisations to continuously upskill through realistic, hands-on scenarios. By simulating real-world attack techniques and adversary behaviour, Hack The Box helps security teams build practical capability across offensive and defensive disciplines, bridging the gap between theory and operational readiness.