End-to-end investigation of the APT29 emulation dataset using Splunk, including detection development, evidence-backed timelines, and MITRE ATT&CK mapping. The project covers decoded obfuscated PowerShell payloads, LSASS credential dumping, WinRM/WMI lateral movement, and covert credential staging and persistence, culminating in a full DFIR report.