SCENARIO BASED TRAINING WITH SIMULATION ATTACKS, QUESTIONS AND ANSWERS
BY IZZMIER IZZUDDIN
SCENARIO 1: RANSOMWARE ACTIVITY TRIGGERED BY POWERSHELL
Logs
[Windows Security Log – Logon]
EventID: 4624
User: charlie
LogonType: 2
SourceIP: [Link]
LogonTime: 09:03:12
Location: Malaysia
[PowerShell Operational Log]
EventID: 4104
User: charlie
HostApplication: [Link] -EncodedCommand aGVsbG8gd29ybGQ=
DecodedCommand: hello world
ExecutionTime: 09:05:22
Note: Base64 encoded command detected
[File Access - File Server Logs]
EventID: 5145
User: charlie
AccessType: Read
FilesAccessed: \\fileserver1\shared\docs\*, \\fileserver2\projects\*, \\fileserver3\finance\*
TimeWindow: 09:06:00 – 09:08:00
Note: High-volume access to multiple file shares
[File Modification Logs]
EventID: 4663
User: charlie
Action: Rename
OriginalFile: report_q1.xlsx
NewFile: report_q1.[Link]
FilesAffected: 212 files
Time: 09:08:15 – 09:10:00
[Firewall / Network Logs]
EventID: OUTBOUND_CONNECTION
SourceIP: [Link]
DestinationIP: [Link]
Port: 443
Protocol: HTTPS
Time: 09:11:05
ThreatLabel: Suspicious C2 IP (based on threat intel)
MITRE ATT&CK Mapping
Activity | Technique ID | Technique Name
PowerShell with Base64 | T1059.001 | Command and Scripting Interpreter: PowerShell
Mass file access | T1005 | Data from Local System
File renaming with .locked | T1486 | Data Encrypted for Impact
Outbound connection to suspicious IP | T1071.001 | Application Layer Protocol: Web Protocols
Potential C2 traffic | T1105 | Ingress Tool Transfer
Initial access via normal user login | T1078 | Valid Accounts
1. Initial Login
o User charlie logs in normally from Malaysia during business hours.
2. Suspicious PowerShell Execution
o A PowerShell command is executed with a Base64-encoded payload:
[Link] -EncodedCommand aGVsbG8gd29ybGQ=
o This is often a sign of obfuscated or malicious scripts.
3. Mass File Access
o The user rapidly accesses multiple files across different file servers within minutes.
o This high-volume access pattern is often associated with ransomware pre-encryption steps.
4. File Modification
o Files are renamed with a .locked extension, typical of ransomware encrypting data.
5. External C2 Contact
o An outbound connection attempt to a suspicious IP address ([Link]) is made, suggesting possible contact with a command-and-control server.
Analyst Training Questions
1. Initial Suspicion
• What is the first sign of suspicious activity in this sequence?
• Why might a PowerShell command using Base64 encoding raise a red flag?
2. Process Investigation
• What was the exact command executed via PowerShell?
• How can you decode the Base64 string to determine its actual intent?
• Is this PowerShell usage consistent with Charlie’s normal behaviour?
3. File Access Patterns
• How many files were accessed by charlie in a short span of time?
• Are these files normally accessed by this user?
• What is unusual about the file access locations?
4. File Modification
• What pattern is observed in the file modification events?
• Why might renaming files to a .locked extension be alarming?
5. Network Indicators
• What is the destination IP contacted after the file modification event?
• Is this IP known to be malicious or suspicious?
• Was this IP ever accessed by other users or systems previously?
6. Timeline Correlation
• Can you outline the full sequence of events from login to external contact?
• How much time passed between the first anomaly and the last?
• What does this tell you about the speed of the attack?
7. Privilege and Lateral Movement
• Is there any indication that the attacker attempted privilege escalation or lateral movement?
• Would you recommend searching for similar activity on other systems?
8. Containment and Response
• What immediate containment steps would you take if you observed this in a live environment?
• Would you isolate the user, the host or both?
• What logs or forensic data should you preserve for further analysis?
9. Prevention and Detection
• What detection rules or alerts could help catch this earlier?
• Could Endpoint Detection & Response (EDR) tools prevent such an attack? If so, how?
• How could group policies (GPO) or PowerShell logging be used to mitigate this risk?
10. Reporting
• Would you escalate this event to incident response? Why or why not?
• How would you summarise this incident to management in a concise report?
SCENARIO 2: CREDENTIAL DUMPING AND EXFILTRATION
Logs
[Windows Security Log – Logon]
EventID: 4624
User: bob
LogonType: 2
SourceIP: [Link]
LogonTime: 14:22:11
Location: Office
[Process Creation – Sysmon Log]
EventID: 1
Image: C:\Tools\[Link]
CommandLine: [Link] privilege::debug sekurlsa::logonpasswords
User: bob
Time: 14:25:03
Note: Credential dumping tool detected
[EDR Alert – LSASS Access Attempt]
AlertType: Suspicious Memory Access
Process: [Link]
Target: [Link]
Time: 14:25:06
DetectionMethod: Memory access pattern signature
[Registry Access Logs]
EventID: 4657
RegistryKey: HKLM\SAM
User: bob
Time: 14:26:14
Action: Read
Note: Attempt to access SAM registry hive
[File Creation Log – File System]
EventID: 4663
User: bob
Action: File Created
FilePath: C:\Users\bob\Desktop\creds_dump.zip
Time: 14:27:35
[USB Activity Log – Device Plug-in]
EventID: 2003
Device: Kingston USB 32GB
User: bob
MountTime: 14:28:12
[File Transfer to USB Log]
EventID: 4663
User: bob
Action: File Copy
Source: C:\Users\bob\Desktop\creds_dump.zip
Destination: E:\creds_dump.zip
Time: 14:28:27
MITRE ATT&CK Mapping
Activity | Technique ID | Technique Name
Execution of mimikatz | T1003.001 | OS Credential Dumping: LSASS Memory
Accessing LSASS memory | T1003.001 | OS Credential Dumping: LSASS Memory
Accessing the SAM registry hive | T1003.002 | OS Credential Dumping: Security Account Manager
Creating ZIP file for credential dump | T1560.001 | Archive Collected Data: Archive via Utility
Use of removable media | T1052.001 | Exfiltration Over Removable Media
Normal login prior to malicious activity | T1078 | Valid Accounts
1. User: bob
2. Suspicious Actions:
o Executed [Link] (known for extracting credentials)
o Accessed LSASS memory (where Windows stores credentials in memory)
o Retrieved the SAM registry hive (contains user account password hashes)
o Created a ZIP file and copied it to a USB drive
Analyst Training Questions
1. Initial Detection
• What was the first anomalous activity that deviated from normal behaviour?
• Why is the execution of [Link] highly suspicious?
2. Process and Memory Analysis
• What is the significance of accessing LSASS memory?
• Which Windows Event ID (or EDR alert) would typically capture this memory access attempt?
3. Registry Activity
• What information can be extracted from the HKLM\SAM registry hive?
• Is this registry access common for regular users or applications?
4. File Operations
• What was the name of the file created and where was it stored?
• Why is the use of a USB drive in this context considered a high-risk behaviour?
5. Sequence Correlation
• Map out the timeline of events from login to data exfiltration.
• How much time elapsed between execution of mimikatz and copying the ZIP to the USB?
6. Intent and Impact
• What does this sequence suggest about the attacker’s goal?
• Could this be a case of an insider threat or an external actor with access?
7. Containment & Eradication
• What containment steps should be taken immediately?
• Would you isolate the endpoint or disable the user account first? Why?
8. Forensic and Evidence Collection
• What files or system artefacts would you collect for further investigation?
• What log sources are critical to confirm the full extent of compromise?
9. Detection & Prevention Recommendations
• How can future credential dumping attempts be detected earlier?
• Which technical controls (e.g., AppLocker, LSASS protections) could prevent such activity?
10. Escalation and Reporting
• Would you classify this as a high-severity incident? Justify your answer.
• What details must be included in the incident report to leadership?
SCENARIO 3: CLOUD ADMIN ACCOUNT COMPROMISE
Logs
[Cloud Sign-In Logs – Azure AD]
User: [Link]@[Link]
EventID: Sign-in Success
Location: Brazil
IP Address: [Link]
Time: 03:14:32 UTC
Note: Unusual geo-location for this account
[Azure Resource Creation Logs]
User: [Link]@[Link]
Action: Create Storage Account
ResourceGroup: unknown-resourcegroup
StorageAccount: suspiciousstorage2025
Time: 03:18:10 UTC
[Azure Network Activity – NSG Rule Change]
User: [Link]@[Link]
Action: Update Network Security Group (NSG)
Rule: Allow Inbound TCP Any/Any
Time: 03:19:55 UTC
Note: Opens unrestricted inbound traffic
[Azure Storage Access Log]
User: [Link]@[Link]
Action: Upload Blob
BlobName: data_100MB.zip
Container: suspiciousstorage2025
Time: 03:21:20 UTC
[Azure AD Security Log – MFA Settings]
User: [Link]@[Link]
Action: Disable Multi-Factor Authentication
Time: 03:23:01 UTC
Note: High-risk action for privileged account
MITRE ATT&CK Mapping
Activity | Technique ID | Technique Name
Login from unusual location | T1078.004 | Valid Accounts: Cloud Accounts
Creation of suspicious resource group/storage | T1136.003 | Create Account: Cloud Account
Modification of NSG rules | T1562.007 | Impair Defenses: Disable or Modify Firewall
Upload of large ZIP file to cloud | T1048.003 | Exfiltration Over Alternative Protocol: Exfil to Cloud Storage
Disabling of MFA | T1556.006 | Modify Authentication Process: MFA Disablement
1. Initial Access
o Unusual login detected from Brazil to the [Link] account.
2. Persistence and Preparation
o Creation of a new Azure storage account in an unfamiliar resource group.
3. Defensive Evasion
o Network Security Group (NSG) rules modified to allow any inbound traffic — a common backdoor technique.
4. Data Movement
o A 100MB ZIP file uploaded to the newly created storage account.
5. Security Downgrade
o Multi-factor authentication (MFA) was disabled for the admin account.
Analyst Training Questions
1. Initial Detection
• What is the significance of the login from Brazil?
• Has this account logged in from this region before?
2. Resource Monitoring
• Is the creation of a new storage account in this resource group typical for this admin?
• Could this action be part of legitimate maintenance activity?
3. Configuration Changes
• Why is allowing all inbound TCP traffic a potential security concern?
• Which services or assets may now be exposed due to this rule?
4. Data Upload
• What file was uploaded and where did it go?
• Was the file exfiltrated or used for staging malware?
5. Security Control Evaluation
• What does it mean when MFA is disabled on a high-privilege account?
• What are the implications for the broader environment?
6. Chain of Events
• What is the exact sequence of anomalies that took place?
• How long did the entire activity span?
7. Attribution and Intent
• Could this have been an insider abusing access or an external attacker?
• What was likely the attacker’s objective?
8. Immediate Response
• What should be your first containment step in this cloud-based attack?
• How can you revoke or block access to the attacker in Azure?
9. Long-term Mitigation
• What recommendations would you make to harden this cloud environment?
• Should Conditional Access policies or Just-In-Time (JIT) access be enabled?
10. Reporting and Escalation
• Would this incident require reporting to cloud governance or compliance teams?
• How would you summarise this incident to a non-technical executive?
SCENARIO 4: INSIDER DATA THEFT
Logs
[Windows Security Log – Logon]
EventID: 4624
User: diana
LogonType: 2
SourceIP: [Link]
LogonTime: 08:13:02 PM
Location: Office
[Database Access Log – FinanceDB]
User: diana
Query: SELECT * FROM payments
Database: FinanceDB
Time: 08:15:44 PM
Note: Full-table export initiated
[File Creation Log – System Logs]
User: diana
FilePath: C:\Users\diana\Documents\payments_export.csv
Action: File Created
Time: 08:18:20 PM
[Email Gateway Log – Outbound Mail]
Sender: diana@[Link]
Recipient: dianapriv@[Link]
Subject: Reports
Attachment: payments_export.csv
Time: 08:20:02 PM
Note: File sent to personal email account
MITRE ATT&CK Mapping
Activity | Technique ID | Technique Name
After-hours database access | T1078 | Valid Accounts
Full-table SELECT query | T1539 | Steal Web Session Cookie / Data from Database
Exporting database results to local file | T1005 | Data from Local System
Exfiltration via webmail (Gmail) | T1041 | Exfiltration Over C2 Channel
Use of legitimate credentials | T1078 | Valid Accounts
1. Normal Login
o Diana logs in during working hours from her office device.
2. After-Hours Database Access
o Accesses the FinanceDB around 8:15 PM, well outside business hours.
3. Full Data Extraction
o Executes a full-table query on payment records (SELECT * FROM payments), an unusual operation for her role.
4. Data Export
o Exports the results to a .csv file on her local device.
5. Data Exfiltration
o Sends the exported file to her personal Gmail account.
Analyst Training Questions
1. Behavioural Baseline
• Is it normal for diana to access the Finance database?
• Does she usually work during late hours?
2. Data Access and Query Use
• Is the SELECT * FROM payments query appropriate for her role?
• What could be the risk of such queries being run without control?
3. Export and File Handling
• What alerts or tools could detect the export of data from sensitive databases?
• Should this type of data export be logged or blocked?
4. Data Exfiltration Indicators
• What are the signs that suggest this file was exfiltrated intentionally?
• How does the destination email impact your assessment of intent?
5. Timeline Analysis
• What is the time gap between login, database access and the exfiltration attempt?
• Could these actions be considered premeditated?
6. Insider Threat Profiling
• Does this look like data theft for personal gain or something else?
• What are common motivations behind insider threats?
7. Detection and Controls
• What Data Loss Prevention (DLP) policies could stop this activity?
• Should employees be allowed to email themselves work documents?
8. Response and Containment
• What should be your next step: disable account, isolate laptop or alert HR?
• What other logs or evidence would you collect before confronting the user?
9. Policy and Awareness
• Are there clear company policies on after-hours access and data handling?
• How can insider threat awareness training help mitigate such risks?
10. Reporting
• How should this incident be reported internally?
• Would this event require escalation to legal or regulatory authorities?
SCENARIO 5: PHISHING TO ACCOUNT TAKEOVER
Logs
[Email Gateway Log]
Recipient: eric@[Link]
Sender: unknown@[Link]
Subject: Important Security Notice
Link: [Link]
Attachment: none
ReceivedTime: 10:03:17 AM
Note: External sender, suspicious domain
[Web Proxy Log]
User: eric
URL Visited: [Link]
Time: 10:04:08 AM
PageTitle: Microsoft 365 Login
Note: Known phishing domain
[Cloud Sign-In Log – Azure AD]
User: eric@[Link]
EventID: Sign-in Success
Location: Nigeria
IP Address: [Link]
Time: 10:06:22 AM
Note: First login from this country
[Mailbox Audit Log – Exchange Online]
User: eric@[Link]
Action: New-InboxRule
RuleName: AutoForwardToExternal
ForwardTo: attackrelay@[Link]
Time: 10:07:31 AM
[Azure AD Log – MFA Settings Change Attempt]
User: eric@[Link]
Action: Register New MFA Device
Status: Failed
Time: 10:08:14 AM
Note: Attempt to bypass existing security settings
MITRE ATT&CK Mapping
Activity | Technique ID | Technique Name
Phishing email with link | T1566.002 | Phishing: Spearphishing Link
Visiting fake login page | T1566.002 | Phishing: Spearphishing Link
Credential use from Nigeria | T1078.004 | Valid Accounts: Cloud Accounts
Mail forwarding rule creation | T1114.003 | Email Collection: Email Forwarding Rule
Attempted MFA method registration | T1556.006 | Modify Authentication Process: MFA Disablement
1. Suspicious Email
o Eric receives an email with a suspicious link from an unknown sender.
2. Phishing Site Visit
o Eric clicks the link and lands on a fake login page mimicking Microsoft 365.
3. Account Compromise
o Minutes later, a successful login is detected from Nigeria (not previously seen).
4. Persistence Mechanism
o A mailbox rule is created to forward all emails to an external address.
5. MFA Tampering
o The attacker attempts to register a new Multi-Factor Authentication (MFA) method to retain long-term access.
Analyst Training Questions
1. Email Threat Detection
• What indicators in the original email suggest it could be a phishing attempt?
• Could this email have been blocked or flagged by a secure email gateway (SEG)?
2. User Behaviour and Web Activity
• What domain did the user visit after receiving the email?
• How could a phishing page be detected or prevented by browser protections?
3. Unusual Login Patterns
• Why is a login from Nigeria suspicious in this context?
• What correlation can you make between the phishing event and the login?
4. Persistence Techniques
• What is the purpose of the mailbox forwarding rule created by the attacker?
• How does this action aid in data exfiltration or future phishing attempts?
5. Security Control Changes
• Why would the attacker attempt to add a new MFA method?
• What are the implications of this if successful?
6. Timeline Reconstruction
• Can you construct the attack timeline from the initial email to the final security change?
• How long did it take for the attacker to go from phishing to full account control?
7. Detection and Monitoring
• What types of alerts (from SIEM or Microsoft Defender) would help detect this behaviour?
• Which log sources are essential for verifying the compromise (e.g., sign-in logs, mailbox audit logs)?
8. Response and Containment
• What should be the immediate steps upon detecting this mailbox rule and foreign login?
• Should Eric’s account be disabled or should the session just be revoked?
9. Prevention and Awareness
• How can user awareness training reduce the chance of falling for phishing?
• What additional technical controls can prevent mailbox rule abuse?
10. Communication and Reporting
• How would you communicate this incident to the affected user?
• Does this incident qualify for reporting under any data breach laws?
SCENARIO 6: INTERNAL LATERAL MOVEMENT AND RECONNAISSANCE
Logs
[Firewall Log – Internal Traffic]
Source: workstation-10 ([Link])
Destination: [Link]/24
Protocol: TCP
Ports: 135, 139, 445, 3389
Time: 01:12:05 AM
Note: Port scan detected (Nmap pattern)
[Windows Security Log – Service Account Logins]
EventID: 4624
User: svc_backup
LogonType: 10 (Remote Interactive)
LogonTarget: workstation-12, workstation-14, workstation-17
TimeWindow: 01:14:00 – 01:17:30 AM
Note: Unusual use of backup service account
[SMB Share Access – File Server Log]
Source: svc_backup
Target: \\dc01\C$
Action: Attempted Access
Time: 01:19:02 AM
Result: Access Denied
[Process Creation Log – Sysmon]
EventID: 1
Image: C:\Tools\[Link]
CommandLine: [Link] \\workstation-14 -u svc_backup -p Password123 [Link]
Time: 01:20:11 AM
MITRE ATT&CK Mapping
Activity | Technique ID | Technique Name
Internal port scanning (Nmap) | T1046 | Network Service Discovery
Use of service account for interactive login | T1078 | Valid Accounts
Attempt to access C$ share on domain controller | T1021.002 | Remote Services: SMB/Windows Admin Shares
Use of PsExec for remote command execution | T1569.002 | System Services: Service Execution (PsExec)
Lateral movement to multiple hosts | T1021 | Remote Services
1. Unusual SMB Connection
o A compromised host (workstation-10) initiates an SMB connection to another internal system.
2. Service Account Misuse
o The account svc_backup, typically used for backups, is used to log in across multiple systems interactively.
3. Network Reconnaissance
o An internal Nmap port scan targets the [Link]/24 subnet.
4. Admin Share Access
o Attempts to access the C$ administrative share on the domain controller.
5. PsExec Execution
o Remote commands executed using PsExec, a known lateral movement tool.
Analyst Training Questions
1. Reconnaissance Detection
• Why is an internal port scan considered a red flag in a secure network?
• What tools and logs can detect internal scanning?
2. Account Behaviour Analysis
• Is it normal for svc_backup to be used for RDP or SMB sessions?
• What risks are introduced when service accounts are reused for interactive logins?
3. Access Attempt
• Why is accessing C$ on the domain controller suspicious?
• What permissions are typically required for this action?
4. Remote Execution
• What is PsExec and how is it typically used by attackers?
• How can EDR or Sysmon detect PsExec use?
5. Event Timeline Correlation
• Map out the full attack chain from the first network activity to PsExec usage.
• How much time passed between the reconnaissance and the lateral movement?
6. Attack Goals
• What might be the attacker’s objective based on the observed behaviour?
• Is this indicative of a pre-ransomware staging or credential theft campaign?
7. Detection & Alerting
• Which SIEM rules or detection use cases would flag this behaviour?
• Would this activity generate high-confidence alerts or low-fidelity signals?
8. Incident Response Actions
• What immediate steps would you take to contain the compromised host?
• Should you disable the service account or reset credentials across the domain?
9. Prevention & Hardening
• How can lateral movement be mitigated through network segmentation or host hardening?
• Would implementing Just Enough Administration (JEA) or LAPS help?
10. Executive Summary
• How would you explain this activity to a non-technical stakeholder?
• What recommendations would you make to prevent recurrence?
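Questions 1, 2 and 7 above ask how internal scanning and interactive use of a service account can be detected and alerted on. The Python below is an added worked example, not part of the original scenario and not the author's code: it buckets constructed firewall flow lines per source and minute to spot the fan-out of a port sweep, and flags `svc_` accounts that appear in Security 4624 events with logon type 2 (Interactive) or 10 (RemoteInteractive). The flow line format, the `svc_` naming convention, the sample addresses and the thresholds are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed flow line format: "HH:MM:SS src=A dst=B dport=N proto=tcp" (constructed).
FLOW_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")

# Service accounts are assumed to follow an "svc_" naming convention.
SERVICE_ACCOUNT_RE = re.compile(r"^svc_", re.IGNORECASE)
INTERACTIVE_LOGON_TYPES = {2, 10}   # Interactive, RemoteInteractive (RDP)


def _constructed_flow_lines():
    """Constructed firewall flow lines (not real logs): one host sweeps a /24 on
    the scenario's four ports, while another host talks normally to a file server."""
    lines = []
    t = datetime.strptime("01:12:05", "%H:%M:%S")
    for host in range(1, 41):
        for port in (135, 139, 445, 3389):
            lines.append(f"{t:%H:%M:%S} src=10.20.30.10 dst=10.20.30.{host} dport={port} proto=tcp")
            t += timedelta(milliseconds=50)
    for i in range(30):
        lines.append(f"01:1{2 + i % 3}:{i * 2:02d} src=10.20.30.50 dst=10.20.30.5 dport=445 proto=tcp")
    return lines


FLOW_LINES = _constructed_flow_lines()

# Constructed Security 4624 events modelled on the scenario (not real logs).
LOGON_EVENTS = [
    {"event_id": 4624, "time": "01:14:00", "user": "svc_backup", "logon_type": 10, "host": "workstation-12"},
    {"event_id": 4624, "time": "01:15:40", "user": "svc_backup", "logon_type": 10, "host": "workstation-14"},
    {"event_id": 4624, "time": "01:17:30", "user": "svc_backup", "logon_type": 10, "host": "workstation-17"},
    # Logon type 5 (Service) is how a backup account is expected to be used
    {"event_id": 4624, "time": "02:00:00", "user": "svc_backup", "logon_type": 5, "host": "backup-01"},
    {"event_id": 4624, "time": "08:30:00", "user": "alice", "logon_type": 2, "host": "workstation-03"},
]


def port_scan_findings(lines, min_hosts=10, min_pairs=30):
    """Bucket flows per (source, minute) and flag a source that reaches many
    distinct hosts and host/port pairs inside one minute: the fan-out of a sweep."""
    buckets = defaultdict(lambda: {"hosts": set(), "pairs": set(), "ports": set()})
    for line in lines:
        m = FLOW_RE.match(line)
        if not m:
            continue          # lines in another format are ignored here
        b = buckets[(m["src"], m["ts"][:5])]
        b["hosts"].add(m["dst"])
        b["ports"].add(int(m["dport"]))
        b["pairs"].add((m["dst"], m["dport"]))
    findings = []
    for (src, minute), b in sorted(buckets.items()):
        if len(b["hosts"]) >= min_hosts and len(b["pairs"]) >= min_pairs:
            findings.append({"rule": "internal_port_scan", "src": src, "minute": minute,
                             "hosts": len(b["hosts"]), "ports": sorted(b["ports"])})
    return findings


def service_account_logon_findings(events):
    """Service accounts logging on interactively (type 2) or over RDP (type 10),
    with the set of hosts they reached."""
    hosts_by_user = defaultdict(set)
    for e in events:
        if (e["event_id"] == 4624 and e["logon_type"] in INTERACTIVE_LOGON_TYPES
                and SERVICE_ACCOUNT_RE.match(e["user"])):
            hosts_by_user[e["user"]].add(e["host"])
    return [{"rule": "service_account_interactive_logon", "user": u, "hosts": sorted(h)}
            for u, h in sorted(hosts_by_user.items())]
```

The scan rule keys on distinct destinations rather than raw packet counts, so a busy file server client with one destination never trips it; the logon rule is deliberately simple because a service account with any interactive logon is worth a ticket on its own, and the host list feeds the lateral-movement question directly.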
SCENARIO 7: SUPPLY CHAIN COMPROMISE VIA SOFTWARE UPDATE
Logs
[Web Proxy Log – Software Download]
User: it_admin
URL: [Link]
FileHash: f2a45c38b9... (unknown to threat intel)
DownloadTime: 11:22:48 AM
Note: No hash verification before deployment
[Software Deployment Tool Log]
User: it_admin
Action: Deploy [Link]
Targets: 45 endpoints (accounting-PC-*)
DeploymentTime: 11:30:10 AM
[Network Log – Outbound Connection]
Host: accounting-PC-12
DestinationIP: [Link]
Port: 443
Time: 11:33:15 AM
Note: Rare external connection after update
[Sysmon Process Creation Log]
EventID: 1
Host: accounting-PC-12
ParentImage: C:\Program Files\AccountingApp\[Link]
Image: C:\Temp\[Link]
Time: 11:33:30 AM
Note: Unexpected child process spawned by accounting app
[File Creation – Credential Dump]
User: SYSTEM
File: C:\Temp\[Link]
Time: 11:34:05 AM
Note: File contains credential material
MITRE ATT&CK Mapping
Activity | Technique ID | Technique Name
Malicious software update | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain
Lateral deployment to endpoints | T1072 | Software Deployment Tools
Outbound connection to rare external IP | T1071.001 | Application Layer Protocol: Web Protocols
Unexpected child process from known app | T1055.012 | Process Injection: Process Hollowing / Suspicious Parent
Dumping credentials to temp file | T1003 | OS Credential Dumping
1. Software Download
o it_admin downloads a legitimate-looking accounting software update from a vendor website.
2. Software Deployment
o The update is pushed to multiple endpoints using the organisation’s software distribution tool.
3. Suspicious Network Activity
o A system updated with the new software initiates outbound traffic to a rare external IP address.
4. Unexpected Child Process
o The updated application spawns a suspicious process not typical of its expected behaviour.
5. Credential Dumping
o A temporary file ([Link]) is created, containing dumped credentials.
Analyst Training Questions
1. Initial Observation
• Is the source of the downloaded update trustworthy?
• Was the hash of the file verified before deployment?
2. Propagation Risks
• What risks are involved when software is distributed automatically to multiple systems?
• Could this have been prevented with application allowlisting?
3. Network Indicators
• Why is the outbound connection from accounting-PC-12 suspicious?
• How would you verify if [Link] is a known malicious IP?
4. Process Anomalies
• What is unusual about the child process spawned by the accounting update?
• Could behavioural analysis tools (e.g. EDR) have detected this execution?
5. Credential Theft
• What techniques are commonly used to dump credentials into temp files?
• How can file integrity monitoring assist in detecting such activity?
6. Timeline and Correlation
• How much time passed between software installation and credential dumping?
• Does the sequence of events suggest a prepackaged malicious payload?
7. Supply Chain Attack Characteristics
• How is this attack different from a typical phishing or ransomware attempt?
• What are common signs that a supply chain compromise has occurred?
8. Containment and Mitigation
• What should you do immediately after detecting this compromise?
• Would you isolate only the affected endpoint or all systems with the same update?
9. Detection Strategy
• What detection rules can you write to monitor for child processes from software update executables?
• Should vendor software be restricted from network communication by default?
10. Policy and Governance
• What policies should govern software updates from third-party vendors?
• Should software be tested in a sandbox before deployment? How would you implement this?
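Question 1 asks whether the file hash was verified before deployment, and the proxy log notes that it was not. The Python below is an added worked example, not from the original document or its author, of the gate a deployment pipeline can place in front of the software distribution tool: hash the downloaded installer in chunks and release the target list only when the digest matches a vendor-published manifest, refusing both a mismatch and an unknown file. The installer bytes, the filename and the manifest are constructed for the example; in practice the manifest is obtained from the vendor out of band (a signed release page or notes), never from the download itself.

```python
import hashlib
import hmac

# Constructed stand-in for the downloaded installer (not a real file).
UPDATE_NAME = "AccountingApp-update.exe"
UPDATE_BYTES = b"MZ" + b"constructed accounting update payload v1.0.3 " * 64


def sha256_hex(source, chunk_size=1 << 20):
    """SHA-256 of bytes or of a binary stream, read in chunks so a large installer
    does not need to fit in memory."""
    h = hashlib.sha256()
    if isinstance(source, (bytes, bytearray)):
        h.update(source)
    else:
        for chunk in iter(lambda: source.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


# The vendor's published digests. Constructed here from the constructed bytes so the
# example runs offline; a real manifest is fetched separately from the installer.
VENDOR_MANIFEST = {UPDATE_NAME: sha256_hex(UPDATE_BYTES)}


def verify_update(filename, source, manifest):
    """Deployment gate. Returns (verdict, actual_digest):
      'ok'        digest matches the published digest for this filename
      'mismatch'  digest differs: treat as tampered, do not deploy
      'unknown'   nothing published for this file: do not deploy on an unverified hash"""
    actual = sha256_hex(source)
    expected = manifest.get(filename)
    if expected is None:
        return "unknown", actual
    # Constant-time comparison avoids leaking how many leading characters matched.
    if hmac.compare_digest(actual.lower(), expected.lower()):
        return "ok", actual
    return "mismatch", actual


def deployment_targets(filename, source, manifest, targets):
    """Only hand the target list to the deployment tool when verification passes;
    anything else yields an empty list together with the reason."""
    verdict, digest = verify_update(filename, source, manifest)
    return (targets if verdict == "ok" else [], verdict, digest)


if __name__ == "__main__":
    with open("downloaded-update.bin", "rb") as f:      # any local file, read as a stream
        print(deployment_targets(UPDATE_NAME, f, VENDOR_MANIFEST,
                                 [f"accounting-PC-{i:02d}" for i in range(1, 46)]))
```

The `unknown` verdict is the important one for this scenario: a hash that threat intelligence has never seen is not evidence of safety, and a pipeline that deploys on "no match, no mismatch" is the gap the attacker used.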
SCENARIO 8: DNS TUNNELING AND BEACONING
Logs
[Windows Security Log – Logon]
EventID: 4624
User: haris
LogonType: 2
Host: workstation-27
LogonTime: 09:10:03 AM
[Process Creation – Sysmon Log]
EventID: 1
Image: C:\Users\haris\AppData\Roaming\dns_b64.exe
ParentImage: [Link]
Time: 09:12:47 AM
Note: Hidden executable, suspicious location
[DNS Logs – Internal DNS Server]
Host: workstation-27
QueryCount: 512 in 5 minutes
QueryPattern: *.dGhpcyBpcyBhIGV4ZmlsdHJhdGVkIGZpbGU=.[Link]
TimeWindow: 09:13:00 – 09:18:00 AM
Note: Base64 encoded subdomains detected
[File Access Log – Endpoint DLP]
User: SYSTEM (non-interactive session)
File Accessed: C:\HR\[Link]
Time: 09:16:15 AM
Note: Sensitive file accessed outside user session
MITRE ATT&CK Mapping
Activity | Technique ID | Technique Name
Execution of hidden DNS payload tool | T1059.003 | Command and Scripting Interpreter: Windows Command Shell
Excessive DNS queries with encoded subdomains | T1071.004 | Application Layer Protocol: DNS
Use of DNS for data exfiltration/beaconing | T1048.003 | Exfiltration Over Alternative Protocol: Exfil via DNS
Access of sensitive file via non-interactive user | T1005 | Data from Local System
Use of custom executable in user AppData path | T1036.005 | Masquerading: Match Legitimate Name or Location
1. Normal Login
o haris logs in during working hours on workstation-27.
2. Malicious Process Launch
o A hidden process named dns_b64.exe (base64 encoded DNS payload) starts silently.
3. Suspicious DNS Activity
o The system sends frequent DNS queries to a domain controlled by an attacker, using base64-encoded subdomains.
4. Abnormal Network Behaviour
o Over 500 DNS queries are generated within 5 minutes — an unusually high volume for a single host.
5. Sensitive File Access
o A confidential document ([Link]) is accessed by a non-interactive user session, likely for exfiltration.
Analyst Training Questions
1. Process Detection
• What does the filename dns_b64.exe suggest?
• Is it common for such processes to start silently without user input?
2. DNS Anomalies
• Why are DNS queries with encoded subdomains suspicious?
• How can DNS tunneling be used to exfiltrate or beacon data?
3. Network Monitoring
• What thresholds or patterns should trigger alerts for DNS anomalies?
• Is sending 500 DNS queries in 5 minutes normal behaviour for any internal system?
4. File Access Concerns
• Why is the access of a sensitive file by a background system process concerning?
• What tools can alert on non-interactive access to protected documents?
5. Timeline Analysis
• Construct the attack sequence. How quickly did the malware go from execution to exfiltration?
• Could earlier detection of the DNS anomaly have prevented the file access?
6. Detection and Response
• What kind of detection rules can identify DNS tunneling (e.g., long subdomain lengths, frequency analysis)?
• Would you isolate the host or investigate the DNS logs first?
7. Threat Actor TTPs
• Which MITRE ATT&CK techniques are demonstrated in this scenario?
• Are there known threat groups that use DNS tunneling as a method of communication?
8. Mitigation Strategies
• How can you prevent DNS tunneling in the future? Would DNS logging or filtering help?
• Can limiting outbound DNS to only internal DNS servers reduce risk?
9. Endpoint Hardening
• What endpoint controls can stop unknown processes from running or accessing files?
• Could EDR tools have blocked or alerted on dns_b64.exe?
10. Executive Summary
• How would you explain this incident to an executive who isn’t technical?
• What would you recommend as immediate and long-term action steps?
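Question 6 names the two usual detection approaches for DNS tunneling: long or encoded subdomain labels, and frequency analysis. The Python below is an added worked example, not part of the original scenario and not the author's code: it scores each subdomain label by length, character set and Shannon entropy, counts queries per (host, zone) in a sliding five-minute window, and flags a host when either signal crosses its threshold. The log line format, the zone name `tunnel.example`, the assumption that the zone is the last two labels, and the thresholds are all constructed for the example; the one label taken from the scenario's log is included among the constructed queries.

```python
import base64
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format: "HH:MM:SS host queried-name" (constructed).
LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<qname>\S+)$")
ENCODED_CHARSET = re.compile(r"^[A-Za-z0-9+/=_-]+$")   # base64 and base64url alphabets


def shannon_entropy(s):
    """Bits per character: 0 for a repeated character, up to log2(alphabet size)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for c in s:
        counts[c] += 1
    n = len(s)
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def split_qname(qname, zone_labels=2):
    """Return (subdomain labels, zone). The zone is assumed to be the last two
    labels; a real deployment should use a public-suffix list instead."""
    labels = qname.rstrip(".").split(".")
    return labels[:-zone_labels], ".".join(labels[-zone_labels:])


def label_features(label, min_len=20, min_entropy=3.0):
    """A label looks encoded when it is long, drawn from a base64 alphabet and
    has high entropy; ordinary hostnames fail at least one of the three."""
    ent = shannon_entropy(label)
    encoded = len(label) >= min_len and bool(ENCODED_CHARSET.match(label)) and ent >= min_entropy
    return {"length": len(label), "entropy": round(ent, 2), "suspicious": encoded}


def dns_tunnel_findings(lines, window=timedelta(minutes=5), query_threshold=200,
                        encoded_threshold=20):
    """Per (host, zone): flag when the peak query count inside `window` or the
    number of encoded-looking labels crosses its threshold."""
    per_key = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        subs, zone = split_qname(m["qname"])
        suspicious = any(label_features(lab)["suspicious"] for lab in subs)
        per_key[(m["host"], zone)].append((datetime.strptime(m["ts"], "%H:%M:%S"), suspicious))
    findings = []
    for (host, zone), entries in sorted(per_key.items()):
        entries.sort()
        peak, start = 0, 0
        for end in range(len(entries)):
            while entries[end][0] - entries[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        encoded = sum(1 for _, s in entries if s)
        if peak >= query_threshold or encoded >= encoded_threshold:
            findings.append({"rule": "dns_tunnel_suspect", "host": host, "zone": zone,
                             "peak_queries_in_window": peak, "encoded_labels": encoded})
    return findings


def _constructed_dns_lines():
    """Constructed DNS query log lines (not real logs): workstation-27 sends 300
    queries in five minutes whose leftmost label is base64, plus ordinary lookups."""
    lines = ["09:13:00 workstation-27 dGhpcyBpcyBhIGV4ZmlsdHJhdGVkIGZpbGU=.tunnel.example"]
    t = datetime.strptime("09:13:00", "%H:%M:%S")
    for i in range(300):
        label = base64.b64encode(f"sample-record-{i:04d}".encode()).decode()
        lines.append(f"{t:%H:%M:%S} workstation-27 {label}.tunnel.example")
        t += timedelta(seconds=1)
    lines += [
        "09:13:05 workstation-27 www.example.com",
        "09:13:09 workstation-03 mail.example.com",
        "09:14:30 workstation-03 www.example.com",
    ]
    return lines


SAMPLE_DNS_LINES = _constructed_dns_lines()
```

Entropy and length alone also match CDN and anti-spam lookups that carry long hashed labels, which is why the rule is scoped per zone and paired with volume: a single odd label under a popular zone is noise, hundreds of distinct encoded labels under one rarely seen zone from one host is the pattern the scenario describes.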
ANSWERS
SCENARIO 1
1. Initial Suspicion
• First Suspicious Sign: PowerShell command with Base64-encoded content.
• Why It's Suspicious: Encoding often hides malicious intent and avoids detection by basic logging.
2. Process Investigation
• Exact Command: [Link] -EncodedCommand aGVsbG8gd29ybGQ=
• Decoded: hello world (seems benign, likely a test or placeholder).
• User Behaviour Consistency: If Charlie doesn’t typically use PowerShell or Base64, this is highly unusual.
3. File Access Patterns
• Files Accessed: Over 200+ files across docs, projects, finance shares.
• Normal Behaviour? Unlikely unless Charlie is a sysadmin or backup operator.
• Unusual Locations: Accessing multiple different file servers in quick succession is abnormal.
4. File Modification
• Pattern: Renaming files to .locked extension — a known ransomware encryption tactic.
• Why Alarming? Indicates active data encryption to hold files hostage.
5. Network Indicators
• Destination IP: [Link]
• Reputation: Marked as Suspicious C2 by threat intel.
• Historical Use: Should be checked via threat intel platforms or historical logs.
6. Timeline Correlation
• Event Timeline:
o 09:03 – Login
o 09:05 – PowerShell executed
o 09:06–09:08 – Files accessed
o 09:08–09:10 – Files renamed
o 09:11 – Outbound C2 connection
• Time Between Events: ~8 minutes
• Attack Speed: Very fast – typical of automated ransomware.
7. Privilege and Lateral Movement
• Privilege Escalation? No signs yet, but monitoring is needed.
• Recommendation: Search logs for signs on other systems.
8. Containment and Response
• Immediate Action: Isolate both host and user account.
• Preserve: Windows event logs, PowerShell logs, file server logs, memory dump.
9. Prevention and Detection
• Detection Rules:
o PowerShell encoded command detection
o High-volume file access alerts
o File renaming with known ransomware extensions
• EDR Role: Yes — can block or alert on unusual PowerShell + file activity.
• GPO & Logging: Enforce script block logging and disable unnecessary PowerShell features.
10. Reporting
• Escalation Needed? Yes, confirmed ransomware behaviour.
• Summary for Management:
"A user system exhibited signs of ransomware activity, including PowerShell execution, mass file access, file renaming and a suspicious outbound connection. Immediate containment was performed. Forensic analysis is ongoing."
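Answer 9 lists three detection rules (encoded PowerShell, high-volume share access, renames to a ransomware extension) and answer 2 asks how the Base64 string is decoded. The Python below is an added worked example, not part of the original training material and not the author's code: it runs those rules over a constructed event stream modelled on the scenario-1 logs and escalates a user for whom the whole chain fires. The event dictionary keys, the `-e`/`-ec`/`-enc` abbreviations accepted alongside `-EncodedCommand`, the extension list in `RANSOM_EXTENSIONS` and the thresholds are assumptions made for this example.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events modelled on the scenario-1 logs (not real telemetry).
SAMPLE_EVENTS = [
    {"event_id": 4624, "user": "charlie", "time": "09:03:12"},
    {"event_id": 4104, "user": "charlie", "time": "09:05:22",
     "command_line": "powershell.exe -EncodedCommand aGVsbG8gd29ybGQ="},
    # Event 5145 share access: one event per file, bursting across two servers
    *[{"event_id": 5145, "user": "charlie", "time": f"09:06:{i % 60:02d}"} for i in range(120)],
    *[{"event_id": 5145, "user": "charlie", "time": f"09:07:{i % 60:02d}"} for i in range(100)],
    # Event 4663 renames that produce .locked files
    *[{"event_id": 4663, "user": "charlie", "time": f"09:08:{15 + i % 45:02d}",
       "action": "Rename", "new_file": f"report_{i}.xlsx.locked"} for i in range(212)],
    # A benign rename by another user that must not count
    {"event_id": 4663, "user": "alice", "time": "09:09:00",
     "action": "Rename", "new_file": "notes_v2.docx"},
]

# PowerShell accepts abbreviations of -EncodedCommand; these are the common ones.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Extensions treated as ransomware markers (assumed list; extend from your own intel).
RANSOM_EXTENSIONS = (".locked", ".encrypted", ".crypt")
CHAIN_RULES = {"encoded_powershell", "mass_share_access", "ransomware_rename"}


def decode_encoded_command(command_line):
    """Decoded -EncodedCommand payload, or None if the flag is absent.
    PowerShell expects UTF-16LE, but the scenario's sample is plain UTF-8, so
    UTF-16LE is tried first (accepted only if it yields printable ASCII) and
    UTF-8 is the fallback."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    raw = base64.b64decode(m.group(1), validate=True)
    if len(raw) % 2 == 0:
        try:
            text = raw.decode("utf-16-le")
            if text.isprintable() and text.isascii():
                return text
        except UnicodeDecodeError:
            pass
    return raw.decode("utf-8", errors="replace")


def burst_findings(events, event_id, rule, threshold, window=timedelta(minutes=5),
                   predicate=lambda e: True):
    """Per-user sliding window: one finding per user once `threshold` matching
    events fall inside `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["event_id"] == event_id and predicate(e):
            by_user[e["user"]].append(datetime.strptime(e["time"], "%H:%M:%S"))
    findings = []
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append({"rule": rule, "user": user, "count": end - start + 1,
                                 "time": times[start].strftime("%H:%M:%S")})
                break
    return findings


def encoded_powershell_findings(events):
    """Event 4104 script blocks launched with an encoded command, decoded for triage."""
    findings = []
    for e in events:
        if e["event_id"] == 4104:
            decoded = decode_encoded_command(e.get("command_line", ""))
            if decoded is not None:
                findings.append({"rule": "encoded_powershell", "user": e["user"],
                                 "time": e["time"], "decoded": decoded})
    return findings


def analyse(events):
    """The three detection rules from answer 9, run over one event stream."""
    findings = encoded_powershell_findings(events)
    findings += burst_findings(events, 5145, "mass_share_access", threshold=100)
    findings += burst_findings(
        events, 4663, "ransomware_rename", threshold=50,
        predicate=lambda e: e.get("action") == "Rename"
        and e.get("new_file", "").lower().endswith(RANSOM_EXTENSIONS))
    return findings


def users_to_escalate(findings):
    """Users for whom every rule in the chain fired: the case answer 10 escalates."""
    rules_by_user = defaultdict(set)
    for f in findings:
        rules_by_user[f["user"]].add(f["rule"])
    return sorted(u for u, rules in rules_by_user.items() if CHAIN_RULES <= rules)
```

The decoder tries UTF-16LE first because that is what PowerShell itself produces for `-EncodedCommand`; the scenario's string is eleven bytes of UTF-8 and so falls through to the fallback. The thresholds (100 share-access events or 50 ransomware-extension renames within five minutes) are starting points to tune against a baseline of backup and sysadmin accounts, which answer 3 already calls out as the expected false positives.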
SCENARIO 2
1. Initial Detection
• The first anomaly was the execution of [Link], a known credential dumping
tool.
• Mimikatz is well-known for extracting plaintext credentials and hashes from
memory. Its presence is a major red flag.
2. Process and Memory Analysis
• Accessing LSASS memory is significant because it holds users' credentials during
active sessions.
• This memory access is typically detected via Event ID 10 (Sysmon) or through EDR
alerts focused on process injection or memory manipulation.
3. Registry Activity
• HKLM\SAM contains password hashes for local user accounts.
• Accessing this registry hive is not common for standard users or applications and
indicates potential credential theft.
4. File Operations
• The file created was creds_dump.zip stored on Bob’s desktop.
• Transferring this file to a USB device is high-risk, particularly when it contains
sensitive credential data.
5. Sequence Correlation
• 14:22 – Login
• 14:25 – Mimikatz executed
• 14:26 – SAM registry accessed
• 14:27 – ZIP file created
• 14:28 – USB device mounted and data copied
• The entire sequence took about 6 minutes.
6. Intent and Impact
• This behaviour indicates intentional credential harvesting, likely for later use or
sale.
• It may be an insider threat or an external attacker with Bob’s credentials.
7. Containment & Eradication
• Immediate action: isolate the endpoint to prevent further exfiltration.
• Disable Bob’s account quickly if compromise is confirmed to prevent additional
misuse.
8. Forensic and Evidence Collection
• Collect the creds_dump.zip file (if possible), memory dump, full Windows Event
logs, Sysmon logs, USB history and registry access records.
• These sources help confirm the scope and nature of the compromise.
9. Detection & Prevention Recommendations
• Use EDR tools to detect tools like Mimikatz by behaviour (LSASS handle opens, SAM hive reads), not only by file name or hash, since the binary is trivially renamed or recompiled.
• Enable LSA Protection (RunAsPPL) and Credential Guard so that LSASS memory cannot be read by ordinary processes, audit and restrict access to the SAM hive, and restrict removable storage through Group Policy.
• AppLocker or WDAC can also block unauthorised execution of tools like Mimikatz.
10. Escalation and Reporting
• This should be treated as a high-severity incident due to confirmed credential theft
and exfiltration.
• Incident report should include: user involved, tools used, data accessed, potential
impact, systems affected, timeline and response actions.
SCENARIO 3
1. Initial Detection
• The login from Brazil is suspicious due to its geographic anomaly.
• If the account has no history of accessing from Brazil, this should immediately raise
a red flag.
2. Resource Monitoring
• The creation of a new storage account in an unknown resource group is not typical
for standard operations.
• If this is not part of a documented change or maintenance activity, it may indicate
abuse of privileges.
3. Configuration Changes
• Allowing all inbound TCP traffic introduces a major security risk.
• It can expose internal resources to external access, increasing the likelihood of
exploitation or backdoor communication.
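An audit of NSG rules for the kind of change described above, as an added example (not the page's or Microsoft's code). The rule objects mirror the shape of `az network nsg rule list -o json` output, but their names and values are constructed, and the severity thresholds are assumptions.

```python
"""Audit Azure NSG rules for inbound allows reachable from any source.
Added example for the Scenario 3 configuration change; the rules below mirror
the shape of `az network nsg rule list -o json` output but their names and
values are constructed."""
import json

# Source prefixes that mean "the whole internet" in an NSG rule.
ANY_SOURCE = {"*", "0.0.0.0/0", "::/0", "internet"}


def _values(single, many):
    """NSG rules use either the singular field or the plural list; merge both."""
    out = [single] if single else []
    return out + list(many or [])


def find_open_inbound(rules):
    """Return (name, priority, severity) for every Allow/Inbound rule whose source
    is any address: 'critical' when every destination port is open, else 'high'.

    Caveat: priority ordering is not evaluated here. A lower-numbered Deny can
    shadow an Allow listed below, so confirm the effective rules before closing
    or raising a finding.
    """
    findings = []
    for rule in rules:
        p = rule["properties"]
        if p["direction"] != "Inbound" or p["access"] != "Allow":
            continue
        sources = _values(p.get("sourceAddressPrefix"), p.get("sourceAddressPrefixes"))
        if not any(s.lower() in ANY_SOURCE for s in sources):
            continue
        ports = _values(p.get("destinationPortRange"), p.get("destinationPortRanges"))
        severity = "critical" if "*" in ports else "high"
        findings.append((rule["name"], p["priority"], severity))
    return sorted(findings, key=lambda f: f[1])


def audit_nsg_json(text):
    """Convenience wrapper for raw CLI output."""
    return find_open_inbound(json.loads(text))


SAMPLE_RULES = [  # constructed, shaped like `az network nsg rule list` output
    {"name": "AllowAnyInbound", "properties": {
        "access": "Allow", "direction": "Inbound", "priority": 100, "protocol": "Tcp",
        "sourceAddressPrefix": "*", "destinationAddressPrefix": "*",
        "sourcePortRange": "*", "destinationPortRange": "*"}},
    {"name": "AllowHttpsFromInternet", "properties": {
        "access": "Allow", "direction": "Inbound", "priority": 200, "protocol": "Tcp",
        "sourceAddressPrefix": "Internet", "destinationAddressPrefix": "*",
        "sourcePortRange": "*", "destinationPortRange": "443"}},
    {"name": "AllowSshFromVnet", "properties": {
        "access": "Allow", "direction": "Inbound", "priority": 300, "protocol": "Tcp",
        "sourceAddressPrefix": "VirtualNetwork", "destinationAddressPrefix": "*",
        "sourcePortRange": "*", "destinationPortRange": "22"}},
    {"name": "AllowAllOutbound", "properties": {
        "access": "Allow", "direction": "Outbound", "priority": 100, "protocol": "*",
        "sourceAddressPrefix": "*", "destinationAddressPrefix": "*",
        "sourcePortRange": "*", "destinationPortRange": "*"}},
    {"name": "DenyAllInbound", "properties": {
        "access": "Deny", "direction": "Inbound", "priority": 4096, "protocol": "*",
        "sourceAddressPrefix": "*", "destinationAddressPrefix": "*",
        "sourcePortRange": "*", "destinationPortRange": "*"}},
]
SAMPLE_RULES_JSON = json.dumps(SAMPLE_RULES)

if __name__ == "__main__":
    for name, priority, severity in find_open_inbound(SAMPLE_RULES):
        print(f"{severity:8} priority={priority} rule={name}")
```

Run the same function against the NSG's activity-log diff at the time of the change (03:19 in the scenario): the rule that flips from a VirtualNetwork source to * is the one the attacker added.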
4. Data Upload
• A 100MB ZIP file (data_100MB.zip) was uploaded to the new storage account.
• This file may have been exfiltrated data or a staging payload for future activity.
5. Security Control Evaluation
• Disabling MFA on a high-privilege account significantly weakens security controls.
• It increases the likelihood of persistent compromise and lateral movement.
6. Chain of Events
• 03:14 – Login from Brazil
• 03:18 – New storage account created
• 03:19 – NSG rules changed to allow unrestricted access
• 03:21 – ZIP file uploaded
• 03:23 – MFA disabled
• The full activity took less than 10 minutes.
7. Attribution and Intent
• This was likely an external attacker using compromised credentials.
• The attacker’s objective seems to be data exfiltration, establishing persistence and
weakening defences.
8. Immediate Response
• First step: disable the admin account and revoke its refresh tokens and active sessions in Microsoft Entra ID (Azure AD); disabling alone does not invalidate tokens already issued.
• Review sign-in logs to identify the attacker's IPs and block them with a Conditional Access named-location policy.
9. Long-term Mitigation
• Enforce Conditional Access policies (e.g., named-location or country restrictions and a block on legacy authentication).
• Use Microsoft Entra Privileged Identity Management (PIM) for just-in-time, time-bound activation of privileged roles, and enforce resource deployment controls such as Azure Policy on resource creation.
• Require MFA for all privileged roles and make its removal an audited, alerted event.
10. Reporting and Escalation
• Yes, this incident must be reported to the cloud governance and compliance teams.
• Executive Summary:
"A cloud administrator account was accessed from an unusual location.
Malicious actions included the creation of a storage account, modification of
firewall rules and the disabling of MFA. Immediate actions were taken to
disable the account and investigate further. This incident indicates a serious
compromise of privileged cloud access."
SCENARIO 4
1. Behavioural Baseline
• It needs to be confirmed whether Diana is authorised to access the FinanceDB.
• Working at 8:15 PM may not be normal. If she doesn’t usually work after hours, this
is suspicious.
2. Data Access and Query Use
• A SELECT * FROM payments query fetches all records from a sensitive table. This is
rarely justifiable for non-finance roles.
• Uncontrolled access to such queries may lead to data leakage or abuse.
3. Export and File Handling
• Data export detection can be done via DLP tools, database activity monitoring
(DAM) or logging full query activity.
• Exporting sensitive data should trigger an alert or be blocked without proper
authorisation.
4. Data Exfiltration Indicators
• The exported file was sent to a personal Gmail account, indicating clear intent to
exfiltrate.
• Sending sensitive company data to a personal address violates data handling
policies.
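The export-then-email pattern from steps 3 and 4 as a correlation rule over constructed database audit and mail gateway records, added here as an example (not the page's own code). The sensitive-table list, the free-mail domains, the corporate domain and the mapping of a database login to a mail address are all assumptions.

```python
"""Correlate a full-table read of a sensitive table with an outbound email to a
personal mailbox, the Scenario 4 export-then-exfiltrate pattern. Added
example; database audit and mail gateway records are constructed, and the
sensitive-table, free-mail and corporate-domain lists are assumed settings."""
import re
from datetime import datetime, timedelta

SENSITIVE_TABLES = {"payments", "payroll", "customers"}       # assumed
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}   # assumed
CORP_DOMAIN = "corp.example"                                   # assumed

# SELECT * FROM <table> with no WHERE/LIMIT/TOP: the whole table leaves the server.
FULL_READ_RE = re.compile(r"^\s*select\s+\*\s+from\s+(?:\w+\.)?(\w+)\s*;?\s*$", re.IGNORECASE)


def full_table_read(statement):
    """Return the table name when the statement dumps a whole sensitive table."""
    m = FULL_READ_RE.match(statement)
    if not m:
        return None
    table = m.group(1).lower()
    return table if table in SENSITIVE_TABLES else None


def personal_external_recipients(mail):
    """Recipients outside the company on a free-mail provider."""
    hits = []
    for rcpt in mail["recipients"]:
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain != CORP_DOMAIN and domain in FREEMAIL_DOMAINS:
            hits.append(rcpt)
    return hits


def correlate(db_events, mail_events, window=timedelta(minutes=15)):
    """Pair each sensitive full-table read with a later email (same user, inside
    the window) that carries an attachment to a personal external address."""
    alerts = []
    for db in db_events:
        table = full_table_read(db["statement"])
        if not table:
            continue
        for mail in mail_events:
            # Assumed identity mapping: the DB login equals the mail local part.
            same_user = mail["sender"].split("@")[0].lower() == db["user"].lower()
            in_window = db["time"] <= mail["time"] <= db["time"] + window
            external = personal_external_recipients(mail)
            if same_user and in_window and mail["attachments"] and external:
                alerts.append({"user": db["user"], "table": table, "query_time": db["time"],
                               "recipients": external, "attachments": mail["attachments"]})
    return alerts


def _at(hour, minute):
    return datetime(2024, 1, 1, hour, minute)


def build_sample():
    """Constructed records: Diana's after-hours export, plus benign activity."""
    db_events = [
        {"user": "diana", "statement": "SELECT * FROM payments;", "time": _at(20, 15)},
        {"user": "bob", "statement": "SELECT * FROM payments WHERE id = 42", "time": _at(20, 16)},
        {"user": "bob", "statement": "SELECT * FROM holidays", "time": _at(20, 17)},
    ]
    mail_events = [
        {"sender": "diana@corp.example", "recipients": ["diana.home@gmail.com"],
         "attachments": ["payments_export.xlsx"], "time": _at(20, 20)},
        {"sender": "bob@corp.example", "recipients": ["alice@corp.example"],
         "attachments": ["holidays.xlsx"], "time": _at(20, 18)},
    ]
    return db_events, mail_events


if __name__ == "__main__":
    for alert in correlate(*build_sample()):
        print(alert)
```

The query classifier is deliberately narrow (a bare SELECT * with no predicate); a database activity monitoring product would instead use returned row counts, which also catch a "WHERE 1=1" dump. Either signal alone is noisy; it is the pairing with an external attachment inside a short window that makes this worth an analyst's time.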
5. Timeline Analysis
• 20:13 – Login
• 20:15 – Full-table query executed
• 20:18 – File exported
• 20:20 – File emailed externally
• The full sequence occurred within 7 minutes, after hours, and shows planning and intent.
6. Insider Threat Profiling
• This is consistent with deliberate data theft by an insider.
• Motivations for insider threats may include financial gain, disgruntlement or
external coercion.
7. Detection and Controls
• Implement DLP rules to detect and block external email of sensitive files.
• Use database logging and access controls to prevent unauthorised exports.
• Employees should not be allowed to email sensitive work files to personal
accounts.
8. Response and Containment
• Next step: isolate Diana’s laptop, disable her account and notify HR for formal
investigation.
• Collect relevant logs: login records, database access logs, email gateway records
and file creation evidence.
9. Policy and Awareness
• Clear policies must exist regarding after-hours access and exporting data.
• Insider threat awareness training helps employees understand the consequences
of policy violations.
10. Reporting
• Internally, this should be reported to the security and HR teams, with documented
evidence.
• If sensitive financial data was exposed, legal or regulatory teams may need to be
involved for breach notification obligations.
SCENARIO 5
1. Email Threat Detection
• The indicators of phishing include:
o Suspicious sender domain ([Link])
o Misleading subject line (“Important Security Notice”)
o URL pointing to a non-Microsoft domain ([Link])
• A secure email gateway (SEG) could have flagged or quarantined the email based on
domain reputation, link analysis and sender anomalies.
2. User Behaviour and Web Activity
• Eric visited the phishing site [Link]
• Browser protections (e.g., Safe Browsing, DNS filtering) could block access to
known phishing sites if updated with threat intel.
3. Unusual Login Patterns
• A login from Nigeria was recorded shortly after the phishing site was accessed.
• Correlation: credentials were likely harvested from the phishing site and used within
minutes.
4. Persistence Techniques
• The attacker created a mailbox rule to forward all emails to
attackrelay@[Link].
• This allows continuous access to sensitive communications, even if the original
account access is revoked.
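An audit of mailbox audit records for the forwarding rule described above, as an added example (not the page's own code, and not Microsoft's). The records follow the simplified shape of Microsoft 365 unified audit log entries (an Operation plus a Parameters name/value list), but they are constructed, and the internal-domain list is assumed.

```python
"""Audit Exchange/Microsoft 365 audit records for inbox rules and mailbox
settings that forward mail outside the organisation, the Scenario 5
persistence step. Added example; the records follow the simplified shape of
unified audit log entries (Operation plus a Parameters name/value list) and
are constructed, and the internal-domain list is assumed."""

# Cmdlet parameters that send copies of mail somewhere else.
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress")
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox", "UpdateInboxRules"}
INTERNAL_DOMAINS = {"corp.example"}   # assumed


def _params(record):
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def _addresses(value):
    """Parameter values can be 'a;b', '"Name" <a>' or 'smtp:a'; pull out the addresses."""
    out = []
    for token in value.replace("<", " ").replace(">", " ").split(";"):
        for word in token.split():
            word = word.strip('"')
            if word.lower().startswith("smtp:"):
                word = word[5:]
            if "@" in word:
                out.append(word)
    return out


def external_forward_targets(record):
    """Addresses outside INTERNAL_DOMAINS that this operation forwards to."""
    params = _params(record)
    targets = []
    for name in FORWARD_PARAMS:
        for addr in _addresses(params.get(name, "")):
            if addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
                targets.append(addr)
    return targets


def audit(records):
    findings = []
    for rec in records:
        if rec["Operation"] not in RULE_OPERATIONS:
            continue
        targets = external_forward_targets(rec)
        if not targets:
            continue
        params = _params(rec)
        findings.append({
            "user": rec["UserId"], "operation": rec["Operation"], "targets": targets,
            # A forwarding rule that also deletes the original hides the theft from the victim.
            "deletes_original": params.get("DeleteMessage", "").lower() == "true",
        })
    return findings


SAMPLE_RECORDS = [  # constructed
    {"Operation": "New-InboxRule", "UserId": "eric@corp.example", "Parameters": [
        {"Name": "Name", "Value": "."},
        {"Name": "ForwardTo", "Value": "attackrelay@attacker.example"},
        {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "alice@corp.example", "Parameters": [
        {"Name": "Name", "Value": "Assistant copy"},
        {"Name": "ForwardTo", "Value": "\"Assistant\" <assistant@corp.example>"}]},
    {"Operation": "Set-Mailbox", "UserId": "carol@corp.example", "Parameters": [
        {"Name": "ForwardingSmtpAddress", "Value": "smtp:carol.private@gmail.com"},
        {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "dave@corp.example", "Parameters": [
        {"Name": "MoveToFolder", "Value": "Archive"}]},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RECORDS):
        print(finding)
```

Mailbox-level forwarding (Set-Mailbox ForwardingSmtpAddress) is checked alongside inbox rules because it survives a rule clean-up; both must be removed during containment. Rules with a single-character name, as in the first record, are a common attacker habit worth its own low-priority alert.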
5. Security Control Changes
• The attacker attempted to register a new MFA device, likely to gain persistent
access.
• If successful, it would bypass existing security mechanisms and prevent legitimate
recovery by the user.
6. Timeline Reconstruction
• 10:03 – Phishing email received
• 10:04 – Phishing link visited
• 10:06 – Login from Nigeria
• 10:07 – Mail forwarding rule created
• 10:08 – MFA change attempted
• Less than 6 minutes from phishing to complete compromise.
7. Detection and Monitoring
• Useful detections:
o Sign-in from a country the account has never used
o New inbox rule creation, particularly rules that forward or redirect to external addresses
o MFA registration or security-info changes shortly after an anomalous sign-in
• Key log sources: Microsoft Entra ID (Azure AD) sign-in and audit logs, Exchange mailbox audit logs, web proxy logs, email gateway logs.
8. Response and Containment
• Immediate steps:
o Disable Eric’s account or revoke sessions from Azure AD.
o Remove the inbox forwarding rule.
o Reset credentials and enforce MFA re-registration.
9. Prevention and Awareness
• User awareness training can help users identify phishing emails.
• Technical controls:
o Block or alert on inbox rules and automatic forwarding to external domains (Exchange Online outbound spam policy and remote domain settings)
o Geo-blocking or conditional access for sensitive roles
o Enhanced phishing detection on email gateways
10. Communication and Reporting
• Notify Eric of the account compromise and educate on the incident.
• This may be reportable under data protection laws if sensitive information was
accessed or exfiltrated.
SCENARIO 6
1. Reconnaissance Detection
• Internal port scanning is a red flag because it indicates active network
reconnaissance, which is not typical for normal users or services.
• Tools like IDS/IPS, firewall logs and EDRs can detect scanning patterns such as
those generated by Nmap.
2. Account Behaviour Analysis
• The svc_backup account is normally used for backup tasks, not for interactive
logins or RDP/SMB sessions.
• When service accounts are reused for interactive sessions, it increases the risk of
misuse and credential theft.
3. Access Attempt
• Attempting to access the C$ share on a domain controller is suspicious and
indicative of privilege abuse.
• Access to administrative shares typically requires administrative privileges and
failed attempts suggest reconnaissance or lateral movement efforts.
4. Remote Execution
• PsExec is a legitimate admin tool that can be used by attackers for lateral
movement.
• EDR or Sysmon can detect PsExec on the source by monitoring parent-child process relationships and command lines, and on the target by the PSEXESVC service installation (System Event ID 7045) and the \\.\pipe\PSEXESVC named pipe (Sysmon Event IDs 17/18).
5. Event Timeline Correlation
• 01:12 – Internal port scan
• 01:14–01:17 – Interactive logins using svc_backup
• 01:19 – Attempt to access C$ on domain controller
• 01:20 – PsExec used to access another workstation
• The attacker moved from reconnaissance to lateral movement within 8–10 minutes.
6. Attack Goals
• The objective appears to be lateral movement and possibly privilege escalation or
data access.
• This could be part of a pre-ransomware phase or preparation for a credential
harvesting campaign.
7. Detection & Alerting
• SIEM rules should look for:
o Port scan patterns
o Service account interactive logins
o PsExec or remote command execution
• These events can generate high-confidence alerts when correlated together.
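The correlation the SIEM rules above describe, written out as an added example over constructed events (not the page's own code). The service-account naming pattern, the domain controller list and the port-scan threshold are assumptions; in a real SIEM each event type keys its source differently (Sysmon 3 SourceIp, 4624/5145 IpAddress, and 7045 is logged on the target with no client address), which the constructed records sidestep with a pre-resolved source field.

```python
"""Correlate the Scenario 6 signals per source host: an internal port scan,
interactive use of a service account, a hit on a domain controller's C$ share
and a PsExec service install. Added example; the events are constructed and
the service-account naming pattern and DC list are assumed."""
import re
from collections import defaultdict

INTERACTIVE_LOGON_TYPES = {2, 10, 11}          # Interactive, RemoteInteractive, CachedInteractive
SERVICE_ACCOUNT_RE = re.compile(r"^svc[_-]", re.IGNORECASE)   # assumed naming convention
DOMAIN_CONTROLLERS = {"dc01"}                   # assumed
SCAN_DISTINCT_TARGETS = 20                      # distinct (ip, port) pairs from one host


def signals_by_source(events):
    """Map each source address to the set of signal names observed from it.

    The constructed records carry a pre-resolved 'source' key; with real logs the
    join field differs per event type (see the lead-in), and 7045 has to be tied
    back to the client through the matching 4624 type-3 logon on the target.
    """
    scan_targets = defaultdict(set)
    signals = defaultdict(set)
    for e in events:
        src, eid = e["source"], e["EventID"]
        if eid == 3:                                   # Sysmon network connection
            scan_targets[src].add((e["DestinationIp"], e["DestinationPort"]))
        elif eid == 4624 and e["LogonType"] in INTERACTIVE_LOGON_TYPES \
                and SERVICE_ACCOUNT_RE.match(e["TargetUserName"]):
            signals[src].add("service_account_interactive_logon")
        elif eid == 5145 and e["ShareName"].upper().endswith(r"\C$") \
                and e["Computer"].lower() in DOMAIN_CONTROLLERS:
            signals[src].add("dc_admin_share_access")
        elif eid == 7045 and e["ServiceName"].upper() == "PSEXESVC":
            signals[src].add("psexec_service_install")
    for src, targets in scan_targets.items():
        if len(targets) >= SCAN_DISTINCT_TARGETS:
            signals[src].add("internal_port_scan")
    return dict(signals)


def high_confidence_sources(events, minimum=2):
    """Sources with at least `minimum` distinct signals."""
    return sorted(src for src, s in signals_by_source(events).items() if len(s) >= minimum)


def build_sample_events():
    """Constructed records: workstation-10 (10.0.0.10) shows all four signals."""
    ev = [{"EventID": 3, "source": "10.0.0.10", "DestinationIp": f"10.0.0.{h}", "DestinationPort": p}
          for h in range(20, 25) for p in (22, 135, 139, 445, 3389)]          # 25 distinct targets
    ev += [
        {"EventID": 4624, "source": "10.0.0.10", "TargetUserName": "svc_backup", "LogonType": 10},
        {"EventID": 5145, "source": "10.0.0.10", "Computer": "DC01", "ShareName": r"\\*\C$"},
        {"EventID": 7045, "source": "10.0.0.10", "ServiceName": "PSEXESVC"},
        # A backup server using svc_backup as a service logon (type 5) is normal.
        {"EventID": 4624, "source": "10.0.0.50", "TargetUserName": "svc_backup", "LogonType": 5},
        # One RDP logon by a named admin is not, on its own, enough to alert on.
        {"EventID": 4624, "source": "10.0.0.60", "TargetUserName": "jdoe", "LogonType": 10},
    ]
    return ev


if __name__ == "__main__":
    for src, found in signals_by_source(build_sample_events()).items():
        print(src, sorted(found))
    print("alert on:", high_confidence_sources(build_sample_events()))
```

Matching on the service name alone misses a renamed PsExec (the -r switch lets the operator pick any service name), so in production pair the 7045 check with the named-pipe and parent-process signals mentioned above.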
8. Incident Response Actions
• Immediate containment:
o Isolate workstation-10
o Disable the svc_backup account temporarily
o Reset any credentials that may have been exposed
• Review logs across all systems the account interacted with.
9. Prevention & Hardening
• Segment internal networks to limit lateral movement paths.
• Apply Just Enough Administration (JEA) and deny service accounts interactive logon through Group Policy ("Deny log on locally" and "Deny log on through Remote Desktop Services").
• Deploy Windows LAPS so that every host has a unique local administrator password and a credential captured on one machine cannot be reused on another.
10. Executive Summary
• An internal host initiated reconnaissance followed by attempted lateral movement
using a service account.
• Steps were taken to contain the affected systems and prevent further access.
• Recommendations include improved monitoring of service account usage, network
segmentation and better controls around administrative tools.
SCENARIO 7
1. Initial Observation
• The update was downloaded from [Link], which is not a verified or
trusted domain.
• The hash was not verified before deployment, making it impossible to ensure the
file’s integrity or authenticity.
2. Propagation Risks
• Automatically deploying software to 45 endpoints without verification introduces
organisation-wide risk.
• Application allowlisting or testing in a sandbox could have prevented malicious files
from spreading.
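The missing control from steps 1 and 2, a deployment gate that checks the download origin and the published SHA-256 before anything reaches an endpoint, as an added example (not the page's own code). The trusted host, file names, payload bytes and the idea of the published hash are all constructed.

```python
"""Gate a vendor update on its download origin and published SHA-256 before
any endpoint receives it, the control Scenario 7 lacked. Added example; the
trusted-host list, file names and hashes are constructed/assumed."""
import hashlib
import hmac
import os
import tempfile
from urllib.parse import urlparse

TRUSTED_DOWNLOAD_HOSTS = {"downloads.vendor.example"}   # assumed allowlist
CHUNK = 1 << 20


def sha256_of_file(path):
    """Stream the file so multi-gigabyte installers do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def deployment_decision(source_url, path, published_sha256):
    """Return (allowed, reasons). Both checks always run so the report is complete."""
    reasons = []
    parsed = urlparse(source_url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https" or host not in TRUSTED_DOWNLOAD_HOSTS:
        reasons.append(f"untrusted download origin: {source_url}")
    actual = sha256_of_file(path)
    # compare_digest avoids a timing side channel; irrelevant for a local file,
    # but it is the habit to keep for when the comparison moves server-side.
    if not hmac.compare_digest(actual, published_sha256.strip().lower()):
        reasons.append(f"sha256 mismatch: got {actual[:16]}..., published {published_sha256[:16]}...")
    return (not reasons, reasons)


def run_demo():
    """Constructed vendor payload checked twice: untouched, then tampered and re-hosted."""
    payload = b"benign vendor payload v1.2.3"
    published = hashlib.sha256(payload).hexdigest()     # stands in for the vendor's release notes
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "update.msi")
        with open(good, "wb") as f:
            f.write(payload)
        tampered = os.path.join(d, "update_mirror.msi")
        with open(tampered, "wb") as f:
            f.write(payload + b"\x00dropper")
        return {
            "genuine": deployment_decision("https://downloads.vendor.example/update.msi", good, published),
            "tampered": deployment_decision("https://vendor-mirror.example/update.msi", tampered, published),
        }


if __name__ == "__main__":
    for name, (allowed, reasons) in run_demo().items():
        print(name, "DEPLOY" if allowed else "BLOCK", reasons)
```

The published hash only helps if it arrives over a channel the attacker does not control (the vendor's signed release notes, not a file sitting next to the download). On Windows, add an Authenticode check (Get-AuthenticodeSignature) against the vendor's expected signing certificate, which also catches a file re-signed with an attacker's certificate.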
3. Network Indicators
• The outbound connection from accounting-PC-12 to [Link] is suspicious,
especially if the IP is not associated with business operations.
• This IP should be checked against threat intelligence feeds and firewall logs for
reputation.
4. Process Anomalies
• A child process [Link] spawned by the accounting app is abnormal: a line-of-business application has no reason to launch it, and the pattern points to a loader shipped with the update or to code injection or process hollowing of the application itself.
• EDRs and behavioural analytics can detect unusual parent-child process
relationships or execution from unusual paths.
5. Credential Theft
• The creation of [Link] in the temp directory suggests credential dumping.
• Attackers commonly dump credentials using tools like Mimikatz or custom scripts
and store them temporarily before exfiltration.
6. Timeline and Correlation
• 11:22 – Update downloaded
• 11:30 – Deployed across 45 machines
• 11:33 – External connection and suspicious process
• 11:34 – Credentials dumped
• Post-exploitation began about 3 minutes after deployment (12 minutes after the download), indicating a prepackaged payload that needed no further attacker interaction.
7. Supply Chain Attack Characteristics
• Unlike phishing or direct intrusion, this attack leverages trust in third-party
software.
• Indicators include unexpected behaviours post-installation, such as network
activity, unknown processes or credential access.
8. Containment and Mitigation
• Immediate containment: isolate all 45 affected endpoints, not just accounting-PC-
12.
• Stop further deployments from the same source and block the domain vendor-[Link].
9. Detection Strategy
• Detection rules should monitor:
o Unexpected child processes from known applications
o File writes to sensitive directories (e.g., Temp)
o Outbound traffic after software deployment
• Vendor applications should have restricted network permissions unless necessary.
10. Policy and Governance
• Establish strict policies for third-party software:
o Mandatory hash verification
o Sandbox testing before enterprise deployment
o Use of vendor allowlists
• Implement software asset management to track unauthorised tools.
SCENARIO 8
1. Process Detection
• The process dns_b64.exe indicates a tool designed to perform DNS-based data
exfiltration using Base64-encoded queries.
• Silent execution from the AppData\Roaming directory is not typical for legitimate
processes and should trigger an alert.
2. DNS Anomalies
• DNS queries using Base64-encoded subdomains are highly suspicious. These
patterns are used to smuggle data out of the network in DNS queries.
• DNS tunneling allows attackers to exfiltrate data or communicate with command-
and-control servers even if other protocols are blocked.
3. Network Monitoring
• Alerts should trigger when:
o Query volume is unusually high (e.g. >500 queries in 5 minutes)
o Subdomain labels are abnormally long or look like encoded data (high character entropy, almost never repeated)
o Requests go to domains with poor reputation or newly registered domains
• This behaviour is not normal for standard enterprise systems.
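The alert conditions above as a scoring routine over a constructed DNS query log, added here as an example (not the page's own code). The thresholds, the two-label "registrable domain" split (a real implementation uses the public suffix list) and the tunnel domain are assumptions; the encoded labels are generated with a fixed random seed so the run is repeatable.

```python
"""Score DNS query logs for tunnelling: per (source, registrable domain) query
rate, label length, subdomain entropy and uniqueness, the Scenario 8
indicators. Added example; the query log is constructed and the thresholds
and naive registrable-domain split are assumptions."""
import base64
import math
import random
from collections import Counter, defaultdict
from datetime import datetime, timedelta

RATE_WINDOW = timedelta(minutes=5)
RATE_THRESHOLD = 500           # queries per window to one domain from one host
LABEL_LEN_THRESHOLD = 30       # longest label; Base64 chunks run long
ENTROPY_THRESHOLD = 3.8        # bits per character of the subdomain text
UNIQUE_RATIO_THRESHOLD = 0.9   # tunnels never repeat a name (a repeat would hit cache)


def shannon_entropy(text):
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0


def registrable_domain(qname):
    # Naive two-label split; use a public-suffix list in production (assumption).
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def peak_rate(times, window):
    """Largest number of events inside any sliding window."""
    times = sorted(times)
    start = peak = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def analyse(queries):
    groups = defaultdict(list)
    for q in queries:
        groups[(q["src"], registrable_domain(q["qname"]))].append(q)
    findings = []
    for (src, domain), qs in groups.items():
        subs = [q["qname"].rstrip(".").lower()[: -len(domain) - 1] for q in qs]
        subs = [s for s in subs if s]
        if not subs:
            continue
        reasons = []
        rate = peak_rate([q["time"] for q in qs], RATE_WINDOW)
        if rate >= RATE_THRESHOLD:
            reasons.append(f"rate {rate}/{RATE_WINDOW.seconds // 60}min")
        longest = max(len(lbl) for s in subs for lbl in s.split("."))
        if longest >= LABEL_LEN_THRESHOLD:
            reasons.append(f"label length {longest}")
        ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if ent >= ENTROPY_THRESHOLD:
            reasons.append(f"entropy {ent:.2f}")
        uniq = len(set(subs)) / len(subs)
        if uniq >= UNIQUE_RATIO_THRESHOLD and len(subs) >= 50:
            reasons.append(f"unique ratio {uniq:.2f}")
        if len(reasons) >= 2:          # two independent indicators before alerting
            findings.append({"src": src, "domain": domain, "reasons": reasons})
    return findings


def build_sample_queries():
    """Constructed log: 600 Base64-labelled queries in four minutes plus normal traffic."""
    rng = random.Random(7)
    t0 = datetime(2024, 1, 1, 9, 13)
    queries = []
    for i in range(600):
        raw = bytes(rng.getrandbits(8) for _ in range(30))
        chunk = base64.urlsafe_b64encode(raw).decode().rstrip("=")   # 40 characters
        queries.append({"src": "10.0.0.25", "qname": f"{chunk}.t.tunnel.example",
                        "time": t0 + timedelta(milliseconds=400 * i)})
    normal = ["www.microsoft.com", "login.microsoftonline.com", "www.microsoft.com"] * 10
    for i, name in enumerate(normal):
        queries.append({"src": "10.0.0.25", "qname": name, "time": t0 + timedelta(seconds=i)})
    return queries


if __name__ == "__main__":
    for finding in analyse(build_sample_queries()):
        print(finding)
```

Requiring two indicators keeps CDN and anti-spam lookups (long but repeated, low-entropy labels, or high volume to a well-known domain) out of the alert queue; a slow tunnel that stays under the rate threshold is still caught by entropy plus uniqueness.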
4. File Access Concerns
• A system process (non-interactive session) accessing [Link] is unusual
and suggests automated or malicious activity.
• Tools like Endpoint DLP, EDR or UEBA can detect non-user-initiated access to
sensitive files.
5. Timeline Analysis
• 09:10 – User logs in
• 09:12 – dns_b64.exe executed silently
• 09:13 – High volume DNS queries begin
• 09:16 – Sensitive file accessed
• 09:18 – Query pattern continues
• This indicates the malware launched shortly after login and began data exfiltration
almost immediately.
6. Detection and Response
• Detection rules should include:
o DNS query frequency thresholds
o Encoded or suspicious domain patterns
o Execution of hidden binaries in non-standard paths
• Response should start with isolating the host to stop further exfiltration, then
reviewing DNS server logs for similar activity across the network.
7. Threat Actor TTPs
• Techniques used:
o T1059.003 (Command and Scripting Interpreter: Windows Command Shell)
o T1071.004 (Application Layer Protocol: DNS)
o T1048.003 (Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, which covers DNS)
o T1036.005 (Masquerading: Match Legitimate Name or Location)
o T1005 (Data from Local System)
• APT32 (OceanLotus) and the DNSpionage campaign are documented users of DNS tunneling for stealthy C2 and data exfiltration.
8. Mitigation Strategies
• Enable full DNS logging and monitoring.
• Apply DNS filtering: let endpoints query only the internal resolvers, block direct outbound port 53 and DNS-over-HTTPS bypass at the perimeter, and block known tunneling domains.
• Restrict non-standard application execution using application control or
allowlisting.
9. Endpoint Hardening
• Use EDR to block unauthorised executable launches from user profile paths.
• Limit access to sensitive files based on user roles and behaviour.
• Monitor background services that access documents without user interaction.
10. Executive Summary
• A hidden malware was executed on a workstation that performed DNS tunneling to
exfiltrate sensitive HR data.
• Immediate containment was performed and DNS logs are under review to find other hosts querying the same domain.
• Recommendations include enhancing DNS monitoring, endpoint controls and
reviewing data access permissions.