DJN2: Incident Response Virtual Lab Supplementary Instructions

D483 Task 1 Virtual Lab Supplementary Instructions


Screenshot Evidence Document

While in the virtual lab environment, a series of five challenge questions will be used to
verify that appropriate steps were taken at defined moments in the Detect, Investigate, and
Remediate steps of your incident response procedure. Challenge questions appear and are
answered within the instructions panel of the virtual lab environment. Each time a challenge
question is successfully answered, a screenshot of the active virtual machine’s desktop will
be captured and automatically added to an evidence document. All information requested by
a challenge question must be visible on the focal virtual machine’s desktop prior to
answering that question to ensure appropriate evidence is captured in the screenshot.

Note: If any replacement screenshots are needed, the challenge questions must be reset by
contacting your course instructor.

The screenshot evidence document should be exported to your local machine at the
conclusion of the incident response procedure. Within the virtual lab instructions panel,
expand the menu (≡) and select “Download Correct Screenshots” to obtain a copy of the
screenshot evidence document on your local machine. The exported file will be a .docx file
containing the recorded answers to all challenge questions and their accompanying
watermarked screenshots. The unaltered screenshot evidence document will be included in
your submission files.


Virtual Lab Process Directions

Note: Access credentials for all virtual machines and applications are provided within the
virtual lab instructions panel.

A. Detect
Use the Wazuh security information and event management (SIEM) dashboard to identify
the compromised system details using the following steps:
1. Access the Admin Workstation from the network topology.
2. From the Admin Workstation, use the Mozilla Firefox web browser to log in to the
Wazuh web app dashboard.

Note: The Wazuh server may take more time than the other virtual machines to start. If
the message “Wazuh dashboard server is not ready yet” is displayed, reload the Firefox
page or virtual machine window after a delay to allow time for the Wazuh server to load.
If a warning message appears regarding a bad certificate or a missing certificate, select
to advance anyway.

3. Within the Wazuh dashboard:
a. Go to “Agents” and view the active agents.
b. Select the agent corresponding to the compromised system identified in the
helpdesk tickets.
• Challenge #1: What is the IP value of the compromised system? The answer
should be in the format “XX.XX.XX.XX” as grouped numeric values. Ensure the
IP value is visible within the Wazuh dashboard prior to answering Challenge
#1.
4. Collect additional details about the compromised system and record them under
Section B of the "Incident Reporting Template."

B. Investigate
Use the Wazuh SIEM dashboard to further identify the compromised system details using
the following steps:
1. Within the Wazuh dashboard, expand the primary menu (≡) in the top left.
2. Navigate to OpenSearch Dashboards > Discover.
3. Select “Open” from the top-right navigation to perform a “Malicious Traffic Search.”
4. Click the Calendar drop-down option.
5. In the Quick Select search, choose “Last 3 years,” then select “Apply.”
6. Review the metadata to identify the destination port being used by attackers to
maintain communications with the compromised system.
• Challenge #2: What is the destination port value from the metadata returned by
the malicious traffic search? The answer should be in the format “XXXX” as a four-
digit numeric value. Ensure the destination port value is visible within the
malicious traffic search results prior to answering Challenge #2.
7. Record the findings under Section C of the "Incident Reporting Template." Include
additional notes or observations discovered by the malicious traffic search.
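The malicious traffic search above is, in effect, a query over the Wazuh alert records for outbound connections from the compromised host inside a time window, followed by a look at which destination port keeps recurring. The following Python script is an added example (not part of the lab instructions and not Wazuh's own code) that reproduces that triage offline on a handful of constructed alert records in a simplified version of the JSON shape Discover displays. The host 10.10.20.15, the peer 203.0.113.45, port 7788 and every timestamp are made up for the example; the real values come from the lab's own search results.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample alert records (simplified Wazuh-style JSON, one per line).
# Addresses use documentation ranges; 10.10.20.15 plays the compromised host.
# The last record is deliberately older than the "Last 3 years" window.
SAMPLE_EVENTS = """
{"timestamp":"2023-05-01T10:00:01Z","agent":{"ip":"10.10.20.15"},"data":{"srcip":"10.10.20.15","dstip":"203.0.113.45","dstport":"7788","proto":"TCP"},"rule":{"description":"Suspicious outbound connection","level":10}}
{"timestamp":"2023-05-01T10:05:02Z","agent":{"ip":"10.10.20.15"},"data":{"srcip":"10.10.20.15","dstip":"203.0.113.45","dstport":"7788","proto":"TCP"},"rule":{"description":"Suspicious outbound connection","level":10}}
{"timestamp":"2023-05-01T10:10:03Z","agent":{"ip":"10.10.20.15"},"data":{"srcip":"10.10.20.15","dstip":"203.0.113.45","dstport":"7788","proto":"TCP"},"rule":{"description":"Suspicious outbound connection","level":10}}
{"timestamp":"2023-05-01T10:12:40Z","agent":{"ip":"10.10.20.15"},"data":{"srcip":"10.10.20.15","dstip":"198.51.100.70","dstport":"443","proto":"TCP"},"rule":{"description":"Outbound HTTPS","level":3}}
{"timestamp":"2023-05-01T10:13:00Z","agent":{"ip":"10.10.20.22"},"data":{"srcip":"10.10.20.22","dstip":"203.0.113.45","dstport":"7788","proto":"TCP"},"rule":{"description":"Suspicious outbound connection","level":10}}
{"timestamp":"2018-01-01T00:00:00Z","agent":{"ip":"10.10.20.15"},"data":{"srcip":"10.10.20.15","dstip":"198.51.100.9","dstport":"6000","proto":"TCP"},"rule":{"description":"Suspicious outbound connection","level":10}}
"""

# Fixed "now" so the example is reproducible (constructed, not the real clock).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def parse_events(raw):
    """Parse newline-delimited JSON alert records, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def _ts(event):
    """Alert timestamps are ISO 8601 with a trailing Z; make them tz-aware."""
    return datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))


def in_window(events, now, years=3):
    """Keep events inside the last `years` years (the lab's "Last 3 years"
    quick select); 365 days per year is close enough for triage."""
    start = now - timedelta(days=365 * years)
    return [ev for ev in events if start <= _ts(ev) <= now]


def outbound_port_counts(events, compromised_ip):
    """Count (dstip, dstport, proto) for connections leaving the compromised host."""
    counts = Counter()
    for ev in events:
        d = ev.get("data", {})
        if d.get("srcip") == compromised_ip and "dstport" in d:
            counts[(d["dstip"], int(d["dstport"]), d.get("proto", "?"))] += 1
    return counts


def likely_c2_port(events, compromised_ip):
    """The destination port the host keeps reconnecting to is the one the
    attackers use to maintain communications (Challenge #2's value)."""
    counts = outbound_port_counts(events, compromised_ip)
    if not counts:
        return None
    (_dstip, dstport, _proto), _n = counts.most_common(1)[0]
    return dstport


def beacon_gaps(events, compromised_ip, dstip, dstport):
    """Seconds between consecutive connections to one peer/port. A near
    constant gap is the heartbeat pattern that distinguishes a persistent
    channel from ordinary browsing."""
    times = sorted(
        _ts(ev) for ev in events
        if ev.get("data", {}).get("srcip") == compromised_ip
        and ev["data"].get("dstip") == dstip
        and int(ev["data"].get("dstport", -1)) == dstport
    )
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    host = "10.10.20.15"
    recent = in_window(parse_events(SAMPLE_EVENTS), NOW)
    for key, n in outbound_port_counts(recent, host).most_common():
        print(f"{host} -> {key[0]}:{key[1]}/{key[2]}  {n} connections")
    port = likely_c2_port(recent, host)
    print(f"Challenge #2 candidate destination port: {port}")
    print("beacon gaps (s):", beacon_gaps(recent, host, "203.0.113.45", port))
```

The script keeps the same order of operations as the lab: restrict the time window first, then narrow to the compromised host, then rank destination ports by how often they recur. The `beacon_gaps` helper is the extra check worth doing before recording the port in Section C of the report: a port that is contacted every few minutes at a regular interval is much stronger evidence of a maintained channel than a single high-severity alert.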

C. Remediate
Remediate the incident by quarantining and terminating high-resource processes, restoring
antivirus functionality, and updating firewall policies using the following steps:
1. Access the compromised system from the network topology. Do NOT perform a
Windows update.
2. From the compromised system, address the high-resource processes.


a. Right-click the start menu and select “Task Manager.” Ensure “More details” has
been selected.
b. Within the “Processes” tab, sort the processes by their CPU utilization in
descending order.
• Challenge #3: What is the name of the process causing the highest CPU
utilization in the compromised system? The answer should be formatted as
shown in the task manager, including capitalization. Ensure the process is
visible within the task manager prior to answering Challenge #3.
c. Gather details pertaining to the local process by right-clicking on the process and
exploring “Search online” and “Open file location” results.
d. Leave the Task Manager open for further observation.
3. Restore control of Windows Defender Antivirus.
a. Select the start menu and type “Group Policy” to initiate a search.
b. Select the search result “Edit group policy” to open the Local Group Policy Editor.
c. Navigate to “Computer Configuration\Administrative Templates\Windows
Components\Windows Defender Antivirus.”
d. Double-click on "Turn off Windows Defender Antivirus."
e. Select "Not Configured" and click “Apply” then “OK.” Click “Yes” if asked to save
settings.
f. Close the Local Computer Policy window.
g. Open the “Windows Security” app. You can also type “Windows Security” in the
search box.
• Challenge #4: What message is displayed to the right of the red “x” icon?
The answer should be formatted as shown in the “Virus & threat protection”
window, including punctuation. Double-click on the “Virus & threat protection”
menu and ensure the red icon and accompanying message are visible within
the window prior to answering Challenge #4.
h. Click “Virus & threat protection” and select “Restart now.”
i. Click “Quick scan,” which will run the scan and detect the miner.
j. Review current threats and select “start actions.”
k. Observe Windows Defender taking action on the threat within the Task Manager.
4. Access the Admin Workstation from the network topology.
5. From the Admin Workstation, block unauthorized outgoing traffic.
a. Use the Mozilla Firefox web browser to log in to the Server Firewall.
b. Navigate to Firewall > Rules > DMZ.
c. Click on the colored plus (+) icon to add a new rule.
d. Update the following fields in the new rule:

Field                         | Value                             | Details
------------------------------+-----------------------------------+---------------------------------------
Action                        | Block                             | Blocks the traffic
Direction                     | Out                               | Direction of the traffic
Protocol                      | TCP/UDP                           |
Destination port range        | from: (Other)   to: (Other)       |
Destination port range value  | from: <malicious port #>          | Add the port number identified in the
                              | to: <malicious port #>            | metadata when performing a malicious
                              |                                   | traffic search.
Description                   | <Add a description for the rule>  |

e. Select “Save.”


f. Rearrange the order of the rules so that the newly created “block” rule is at the
top of the DMZ rule list.
g. Select “Apply changes.”
• Challenge #5: Has a new rule been added to the firewall to block the TCP
port from unauthorized outgoing traffic? The answer should be “Yes” or “No.”
Ensure the appropriately ordered firewall DMZ rules are visible within the Server
Firewall user interface prior to answering Challenge #5.
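Step f matters because the firewall evaluates the DMZ rule list top-down and the first matching rule decides, so a block rule added below a broad allow rule never fires. The Python model below is an added example (not the lab's code and not any firewall vendor's API) that simulates that first-match evaluation for a constructed DMZ rule list and checks whether the new block rule actually wins for outbound TCP and UDP traffic to the malicious port, which is the substance of Challenge #5. The default allow rule, the description text and port 7788 are assumptions made up for the example; substitute the port from the malicious traffic search.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in for "<malicious port #>" from the investigation step.
MALICIOUS_PORT = 7788


@dataclass
class Rule:
    """One row of the DMZ rule list, mirroring the fields the lab has you fill in."""
    action: str                          # "block" or "pass"
    direction: str                       # "in" or "out"
    protocol: str                        # "tcp", "udp", "tcp/udp" or "any"
    dst_port: Optional[Tuple[int, int]]  # (low, high) range, None = any port
    description: str = ""

    def matches(self, proto, direction, dst_port):
        """Does this rule apply to a packet with the given attributes?"""
        if self.direction != direction:
            return False
        if self.protocol != "any" and proto not in self.protocol.split("/"):
            return False
        if self.dst_port is not None:
            low, high = self.dst_port
            if not low <= dst_port <= high:
                return False
        return True


def first_match(rules: List[Rule], proto, direction, dst_port):
    """Top-down, first-match evaluation: the first rule that matches decides."""
    for rule in rules:
        if rule.matches(proto, direction, dst_port):
            return rule
    return None


def is_blocked(rules, proto, direction, dst_port):
    """A packet is blocked only if the winning rule is a block rule.
    (Assumption: with no matching rule at all, this model blocks.)"""
    winner = first_match(rules, proto, direction, dst_port)
    return winner is None or winner.action == "block"


def block_rule_effective(rules, port):
    """The new rule is TCP/UDP, so it must win for both protocols."""
    return all(is_blocked(rules, p, "out", port) for p in ("tcp", "udp"))


def challenge_5_answer(rules, port):
    """Challenge #5 asks "Yes" or "No": is the blocking rule in place and effective?"""
    return "Yes" if block_rule_effective(rules, port) else "No"


def place_at_top(rules, rule):
    """Step f: move the newly created block rule to the top of the DMZ list."""
    return [rule] + [r for r in rules if r is not rule]


# Constructed existing DMZ policy: a broad allow-outbound rule, as a lab
# network typically starts with. Not taken from the lab's firewall.
DEFAULT_DMZ_RULES = [Rule("pass", "out", "any", None, "Allow DMZ hosts outbound")]

NEW_BLOCK_RULE = Rule("block", "out", "tcp/udp", (MALICIOUS_PORT, MALICIOUS_PORT),
                      "Block attacker callback port")


def rules_with_block_appended():
    """What you get after step d/e alone: the block rule sits under the allow rule."""
    return DEFAULT_DMZ_RULES + [NEW_BLOCK_RULE]


def rules_with_block_on_top():
    """What you get after step f: the block rule is evaluated first."""
    return place_at_top(rules_with_block_appended(), NEW_BLOCK_RULE)


if __name__ == "__main__":
    for label, rules in (("appended", rules_with_block_appended()),
                         ("on top", rules_with_block_on_top())):
        print(f"block rule {label}: Challenge #5 -> {challenge_5_answer(rules, MALICIOUS_PORT)};"
              f" HTTPS still allowed: {not is_blocked(rules, 'tcp', 'out', 443)}")
```

Run as-is, the appended list answers "No" even though the rule exists, and the reordered list answers "Yes" while ordinary outbound HTTPS still passes, which is the check to make before taking the Challenge #5 screenshot. The same `first_match` function also explains why the lab has you verify the ordered rule list in the Server Firewall user interface rather than just the presence of the rule.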

D. Record
Record a summary of the actions taken under Section D of the "Incident Reporting
Template." Include any additional notes or observations relevant to the summary.

Note: Remember to download the screen capture evidence document. Instructions are at
the top of the document.
