Foundations of Breach & Attack Simulation: Lab Guide

This document provides a lab guide for exercises using a breach and attack simulation tool. The exercises include: 1) running a continuous security validation assessment to test content filtering controls, 2) reviewing the results of the assessment, including overall scores and specific scenario details, and 3) creating a new assessment using a FIN6 template to emulate the tactics of that threat group. The guide instructs students to perform specific configuration and review tasks within the tool to gain hands-on experience with its functionality.

 

Lab Guide
Foundations of Breach & Attack Simulation

Revision 2020.11.02


Table of Contents
Foundations of Breach & Attack Simulation Lab Guide
Exercise 1: Continuous Security Validation
Exercise 2: Continuous Security Validation - Reviewing The Data
Exercise 3: FIN6 Emulation
Exercise 4: MITRE ATT&CK Mapping
Exercise 5: Reporting


Foundations of Breach & Attack Simulation
Lab Guide

This lab guide is meant to be used in conjunction with the Foundations of Breach & Attack Simulation course. With these labs, we hope to give you some hands-on, practical experience with BAS tools. Please note that every task you perform within the BAS tool can also be carried out manually. Since the goal of this course is to familiarize you with putting that approach into action, we have chosen the AttackIQ platform to run these labs.


Exercise 1: Continuous Security Validation

1. Click on the CREATE NEW ASSESSMENT button.
2. Click CHOOSE TEMPLATE.
3. On the Assessment Templates page, click the dropdown under Select template type, and choose Security Controls.
4. Find the Content Filtering assessment template on the page, and click it.
5. Click Create New.
6. Add both assets to the Assessment.
   a. Click the Manage Assets button.
   b. Click the checkboxes of BOTH assets listed.
   c. Click Apply.
7. Under the assets, where it lists the tests configured, click on the three dots under the ACTION column for the test name Social Media sites.
8. Click Manage Scenarios.
9. Under the details column, click on the icon to see the details for Test Web access to Social Media site Facebook.
10. On the resulting scenario details page for Test Web Access to Social Media Site Facebook, read and make a note of the scenario description.
11. Click on the heading for Scenario Configuration to expand the configuration details.
12. Review the configuration settings and make a note of the HTTP headers sent during the test and of the HTTP method being used. You will compare these against the IOC details recorded in Exercise 2.
13. Return to the assessment page and click Done to close the scenario listing for the Social Media sites test.
14. Click the Continue button in the bottom right-hand corner of the page.
15. Click the Run Now button.

You have completed Lab Exercise 1. Please return to the course videos for more information on the next lab.


Exercise 2: Continuous Security Validation - Reviewing The Data

With the testing from Exercise 1 completed, we can begin to explore the results of the emulation.

1. Note the results in the top three panels for Overall Combined, Overall Prevention, and Overall Detection scores.
2. In the Overall Detection score panel, expand Security Controls to see detection rates for the security controls involved in testing.
3. Under the Results menu item, click on Summary.
4. Scroll down the results page until you find the Scenario results for Test Web access to Social Media site Facebook.
5. Click on the entry for Test Web access to Social Media site Facebook.
6. If you've forgotten what this scenario is trying to accomplish, click the ? icon next to the scenario title.
7. Expand the Activity Details and make a note of the response code received vs. the response code anticipated. Whether these two match is what decides whether the scenario is recorded as prevented by the content filter.
8. Expand the INDICATORS OF COMPROMISE (IOCS) DETAILS.
   a. Make a note of the following information:
      i. Destination
      ii. HTTP Method
      iii. Protocols
      iv. Request Path
      v. Source Port
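The scenario you inspected in Exercise 1 (steps 9-12) and the fields you just recorded (steps 7-8) come down to one HTTP request and a comparison of status codes. The Python script below is an added example, not AttackIQ code and not part of the original lab guide: it sends such a request itself, records the same IOC fields (destination, method, protocols, request path, source port), and judges prevention from the status code it gets back. So that it runs offline, it starts a small local stand-in for the content filter; the blocked host list, the headers sent and the anticipated 403 are assumptions chosen for illustration.

```python
"""Manual equivalent of a BAS content-filtering scenario (added example).

The lab's "Test Web access to Social Media site Facebook" scenario sends an
HTTP request with a fixed method and headers and compares the status code it
receives with the one it anticipates. This script is not AttackIQ code: it
reimplements that check with the standard library and starts a tiny local
"filter" so it runs offline. The block list, headers and anticipated code are
assumptions chosen for illustration.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed block list standing in for the content-filtering control under test.
BLOCKED_HOSTS = {"www.facebook.com"}


class FakeFilter(BaseHTTPRequestHandler):
    """Stand-in for an HTTP content filter: 403 for blocked Host headers, else 200."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        self.send_response(403 if host in BLOCKED_HOSTS else 200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the example quiet


def start_fake_filter():
    """Start the stand-in filter on an ephemeral localhost port."""
    server = HTTPServer(("127.0.0.1", 0), FakeFilter)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def run_web_access_check(filter_host, filter_port, destination, path="/",
                         method="GET", headers=None, anticipated=403):
    """Send one request through the filter and record the fields the lab asks for.

    The control is judged to have prevented the access when the request never
    got a 2xx/3xx answer (an error status or no response at all); 'anticipated'
    is the status the scenario expects when the control is working.
    """
    headers = dict(headers or {})
    headers.setdefault("Host", destination)  # what a proxy-style filter inspects
    conn = http.client.HTTPConnection(filter_host, filter_port, timeout=5)
    received = source_port = None
    try:
        conn.request(method, path, headers=headers)
        source_port = conn.sock.getsockname()[1]  # read before the socket is closed
        resp = conn.getresponse()
        received = resp.status
        resp.read()
    except (OSError, http.client.HTTPException):
        pass  # connection refused, reset or dropped: treated as blocked below
    finally:
        conn.close()
    return {
        "scenario": f"Test Web access to {destination}",
        "destination": destination,
        "http_method": method,
        "protocols": ["TCP", "HTTP"],
        "request_path": path,
        "source_port": source_port,
        "headers_sent": headers,
        "response_received": received,
        "response_anticipated": anticipated,
        "prevented": received is None or received >= 400,
    }


def run_content_filtering_test():
    """Run a blocked and an allowed destination against the stand-in filter."""
    server = start_fake_filter()
    port = server.server_address[1]
    browser_headers = {"User-Agent": "Mozilla/5.0 (compatible; BAS-lab)"}  # assumed header
    try:
        return {
            "facebook": run_web_access_check("127.0.0.1", port, "www.facebook.com",
                                             headers=browser_headers),
            "example": run_web_access_check("127.0.0.1", port, "www.example.com",
                                            headers=browser_headers, anticipated=200),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, result in run_content_filtering_test().items():
        verdict = "Prevented" if result["prevented"] else "Not prevented"
        print(f"{name}: received {result['response_received']} "
              f"(anticipated {result['response_anticipated']}) -> {verdict}")
```

Run it as a script for a two-line verdict, or point run_web_access_check at a real egress proxy by changing filter_host and filter_port. A filter that answers with a 302 redirect to a block page would be recorded as not prevented by the rule above, so compare response_received with the code you noted in step 7 rather than trusting the boolean alone.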

You have completed Lab Exercise 2. Please return to the course videos for more information on the next lab.


Exercise 3: FIN6 Emulation

1. Click on the three horizontal lines in the top left-hand corner of the screen to open the main menu.
2. Click on ASSESSMENT in the main menu.
3. Click on the CREATE NEW ASSESSMENT button.
4. Click CHOOSE TEMPLATE.
5. On the Assessment Templates page, click the dropdown under Select template type, and choose Operationalized Threat Analysis.
6. Find the FIN6 assessment template on the page, and click it.
7. Click Create New.
8. Add both assets to the Assessment.
   a. Click the Manage Assets button.
   b. Click the checkboxes of BOTH assets listed.
   c. Click Apply.
9. Under the assets, where it lists the tests configured, click on the three dots under the ACTION column for the test name Lateral Movement.
10. Click DELETE TEST.
11. Click OK.
12. Click the Continue button in the bottom right-hand corner of the page.
13. Click the Run Now button.

You have completed Lab Exercise 3. Please return to the course videos for more information on the next lab.


Exercise 4: MITRE ATT&CK Mapping

1. In the left-hand menu, under Results, click on MITRE ATT&CK.
2. Review the results for Prevention.
3. Click on the Detection radio button to toggle the view to detection results.
4. Click the Combined radio button to toggle the view to combined detection and prevention results.
5. Click on the Discovery tactic column heading.
6. On the Results page you will see a listing of results that have been filtered to display scenarios from the FIN6 assessment that fall under the ATT&CK tactic of Discovery.
7. Click on the line item for Get Hardware Model Using WMI (there is one per asset; either one is okay).
8. Click the ? icon next to the scenario title and read the scenario description to get a better understanding of what this scenario is trying to accomplish.
9. Make a note of the WMI command used to obtain the hardware model; you will need this information for your final exam.
10. Review the Activity Details to see the output or error code for the scenario.
11. Review the Indicators of Compromise (IOCs) Details.

You have completed Lab Exercise 4. Please return to the course videos for more information on the next lab.


Exercise 5: Reporting

1. Click on FIN6 (Results) in the breadcrumb navigation at the top of the page.
2. Click on Reports in the left-hand menu.
3. Click the ADD Report button.
4. Give your report a name, select MITRE ATT&CK Report as the report type, and choose the assessment you ran in the previous exercises.
5. Click SAVE CHANGES.
6. Click on the three vertical dots at the end of the row for the report you just created.
7. Click VIEW.
8. Review the report to get a better understanding of how the lab environment responded to different MITRE ATT&CK techniques.
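The three overall scores from Exercise 2, the per-tactic matrix and the Discovery drill-down from Exercise 4, and the MITRE ATT&CK report from this exercise are all roll-ups of the same per-scenario, per-asset outcomes. The Python below is an added example, not AttackIQ code, and it does not reproduce the platform's exact scoring; it shows one straightforward way to compute prevention, detection and combined rates overall and per tactic, filter results by tactic, and lay them out per technique as a report would. The scenario results are constructed (the technique IDs are the public ATT&CK mappings for those behaviours, the outcomes are made up), and the rule that "combined" credits a scenario that was either prevented or detected is an assumption.

```python
"""Scoring and ATT&CK mapping of BAS results (added example, not AttackIQ code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ScenarioResult:
    """Outcome of one scenario on one asset, tagged with its ATT&CK mapping."""
    scenario: str
    tactic: str
    technique: str   # ATT&CK technique ID, e.g. T1082
    asset: str
    prevented: bool  # a control blocked the action
    detected: bool   # a control raised an alert for it


# Constructed sample: the same four scenarios run on two assets. Technique IDs
# are the public ATT&CK mappings for these behaviours; the outcomes are invented.
SAMPLE_RESULTS = [
    ScenarioResult("Get Hardware Model Using WMI", "Discovery", "T1082", "host-1", False, True),
    ScenarioResult("Get Hardware Model Using WMI", "Discovery", "T1082", "host-2", False, False),
    ScenarioResult("Enumerate Domain Accounts", "Discovery", "T1087.002", "host-1", False, True),
    ScenarioResult("Enumerate Domain Accounts", "Discovery", "T1087.002", "host-2", False, True),
    ScenarioResult("Dump LSASS Memory with Mimikatz", "Credential Access", "T1003.001", "host-1", True, True),
    ScenarioResult("Dump LSASS Memory with Mimikatz", "Credential Access", "T1003.001", "host-2", True, False),
    ScenarioResult("Archive Collected Data with 7-Zip", "Collection", "T1560.001", "host-1", False, False),
    ScenarioResult("Archive Collected Data with 7-Zip", "Collection", "T1560.001", "host-2", False, True),
]


def _rates(rows):
    """Percentages over a list of results; empty input scores zero rather than dividing by zero."""
    n = len(rows)
    if n == 0:
        return {"scenarios": 0, "prevention": 0.0, "detection": 0.0, "combined": 0.0}
    return {
        "scenarios": n,
        "prevention": round(100 * sum(r.prevented for r in rows) / n, 1),
        "detection": round(100 * sum(r.detected for r in rows) / n, 1),
        # Assumption: "combined" credits a scenario that was prevented or detected.
        "combined": round(100 * sum(r.prevented or r.detected for r in rows) / n, 1),
    }


def overall_scores(results):
    """The three top-panel numbers: Overall Prevention, Detection and Combined."""
    return _rates(list(results))


def scores_by_tactic(results):
    """The per-column numbers of the ATT&CK matrix view."""
    groups = defaultdict(list)
    for r in results:
        groups[r.tactic].append(r)
    return {tactic: _rates(rows) for tactic, rows in groups.items()}


def filter_by_tactic(results, tactic):
    """The drill-down behind clicking a tactic column heading."""
    return [r for r in results if r.tactic == tactic]


def attack_report(results):
    """One row per (tactic, technique, scenario) with counts across assets."""
    groups = defaultdict(list)
    for r in results:
        groups[(r.tactic, r.technique, r.scenario)].append(r)
    rows = []
    for (tactic, technique, scenario), hits in sorted(groups.items()):
        rows.append({
            "tactic": tactic, "technique": technique, "scenario": scenario,
            "assets": len(hits),
            "prevented": sum(h.prevented for h in hits),
            "detected": sum(h.detected for h in hits),
        })
    return rows


def render_report(results):
    """Plain-text version of the per-technique table."""
    lines = [f"{'Tactic':<18} {'Technique':<10} {'Scenario':<36} Prev Det"]
    for row in attack_report(results):
        lines.append(f"{row['tactic']:<18} {row['technique']:<10} {row['scenario']:<36} "
                     f"{row['prevented']}/{row['assets']}  {row['detected']}/{row['assets']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("Overall:", overall_scores(SAMPLE_RESULTS))
    for tactic, scores in scores_by_tactic(SAMPLE_RESULTS).items():
        print(f"{tactic}: {scores}")
    print(render_report(SAMPLE_RESULTS))
```

Feeding the script exported results from a real assessment instead of SAMPLE_RESULTS lets you check a report's numbers by hand; if the platform's figures differ, the gap is usually in how it weights scenarios that were prevented but not detected, which is exactly the rule this example makes explicit.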

 