LAB L08 · INCIDENT RESPONSE · ADVANCED

AI-Automated Incident Response

Simulate a ransomware incident from initial alert through full remediation. Use SIFT Workstation for evidence collection, Volatility for memory analysis, and the AI Analyst to orchestrate the entire IR playbook and write the final report.

120 min
🖥️ SIFT Workstation
🔧 Volatility · Autopsy · Timeline · Splunk
🤖 AI IR Orchestration
🚨 Incident Scenario — PRIORITY 1

03:47 AM — your EDR fires a P1 alert: ransomware encryption process detected on FINANCE-WS-01. The endpoint was isolated automatically, but you need to determine: How did it get in? What did it touch? Is there C2 still active? What data was exfiltrated before isolation?

A memory dump and disk image from the compromised workstation are available in your SIFT VM. The IR clock is running.

Phase 0 — Triage & Evidence Acquisition
First 15 minutes: assess scope and preserve evidence
Set up the IR workspace in SIFT
Organize evidence directories before touching anything
mkdir -p ~/IR/FINANCE-WS-01/{memory,disk,logs,timeline,network,reports}
cd ~/IR/FINANCE-WS-01
# Document everything — IR is legally defensible only if you log your actions
script ~/IR/FINANCE-WS-01/reports/ir_session.log
Download the practice memory image
Use a real forensic memory sample from Digital Corpora
# Download a practice memory image (real case data from Digital Corpora).
# Save it under its .gz name so gunzip can find and decompress it to memory.img
wget -O ~/IR/FINANCE-WS-01/memory/memory.img.gz \
"https://downloads.digitalcorpora.org/corpora/scenarios/2009-m57-patents/ram/terry-work-usb-2009-12-11.img.gz"
gunzip ~/IR/FINANCE-WS-01/memory/memory.img.gz
# Alternatively use any Windows memory dump you have (place it at memory/memory.img)
Initial triage with Volatility — identify OS and processes
Quick wins: OS profile, running processes, network connections
cd ~/IR/FINANCE-WS-01/memory
# Step 1: Identify OS profile
volatility -f memory.img imageinfo 2>&1 | tee ../reports/01_imageinfo.txt

# Step 2: Export critical volatile data (set PROFILE from imageinfo output)
export PROFILE="WinXPSP3x86" # Replace with actual profile
volatility -f memory.img --profile=$PROFILE pslist | tee ../reports/02_pslist.txt
volatility -f memory.img --profile=$PROFILE pstree | tee ../reports/03_pstree.txt
volatility -f memory.img --profile=$PROFILE netscan | tee ../reports/04_netscan.txt
🤖 AI Analyst — Initial Triage

Paste your pslist and netscan output. The AI will immediately flag suspicious processes (unusual parents, random names, wrong paths) and active C2 connections.
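As an added, scriptable counterpart to the triage described above (not part of the lab's own material), the Python below parses Volatility 2 pslist text and applies two of the checks named here: a core Windows process with an unexpected parent, and a look-alike process name. The pslist excerpt is constructed, with two planted anomalies, and the parent table covers the XP lineage of the practice image plus the wininit.exe lineage of later Windows.

```python
from difflib import SequenceMatcher

# Constructed Volatility 2 pslist excerpt (not real case output); the last
# two rows are planted anomalies: svchost.exe under explorer.exe, and lsas.exe.
PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64
---------- -------------------- ------ ------ ------ -------- ------ ------
0x823c8830 System                    4      0     58      573 ------      0
0x8207a020 smss.exe                544      4      3       21 ------      0
0x8213b020 winlogon.exe            632    544     20      509      0      0
0x8220c020 services.exe            676    632     17      291      0      0
0x8220e020 lsass.exe               688    632     24      369      0      0
0x821fb020 svchost.exe             876    676     21      201      0      0
0x82100da0 explorer.exe           1528   1492     16      471      0      0
0x820f1a30 svchost.exe            1844   1528      4       62      0      0
0x820e3b10 lsas.exe               1900   1528      2       30      0      0
"""

# Acceptable parent names for core processes (XP and Vista+ lineages).
EXPECTED_PARENT = {
    "smss.exe": {"system"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"winlogon.exe", "wininit.exe"},
    "lsass.exe": {"winlogon.exe", "wininit.exe"},
    "svchost.exe": {"services.exe"},
}

def parse_pslist(text):
    # Map pid -> (name, ppid); header and separator lines are skipped.
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].startswith("0x"):
            procs[int(parts[2])] = (parts[1], int(parts[3]))
    return procs

def triage(procs):
    # Return [(pid, reason)] for wrong parents and look-alike names.
    findings = []
    for pid, (name, ppid) in procs.items():
        lname = name.lower()
        parent = procs.get(ppid, ("<exited>", 0))[0].lower()
        if lname in EXPECTED_PARENT and parent not in EXPECTED_PARENT[lname]:
            findings.append((pid, f"{name} spawned by {parent}"))
        elif lname not in EXPECTED_PARENT:
            # Near-miss spelling of a core process name (e.g. lsas.exe).
            for legit in EXPECTED_PARENT:
                if SequenceMatcher(None, lname, legit).ratio() > 0.85:
                    findings.append((pid, f"{name} resembles {legit}"))
    return findings
```

Feed it the real 02_pslist.txt and review the flagged PIDs against pstree and cmdline before treating them as malicious.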

Phase 1 — Memory Forensics
Deep memory analysis: injection, persistence, credentials
Scan for code injection and hollowed processes
Ransomware commonly uses process injection to evade detection
volatility -f memory.img --profile=$PROFILE malfind | tee ../reports/05_malfind.txt
volatility -f memory.img --profile=$PROFILE hollowfind 2>/dev/null | tee ../reports/06_hollowfind.txt
volatility -f memory.img --profile=$PROFILE cmdline | tee ../reports/07_cmdline.txt
volatility -f memory.img --profile=$PROFILE consoles | tee ../reports/08_consoles.txt
Extract network artifacts and registry hives
Find C2 domains, persistence keys, and credential material
volatility -f memory.img --profile=$PROFILE connections | tee ../reports/09_connections.txt
volatility -f memory.img --profile=$PROFILE hivelist | tee ../reports/10_hivelist.txt
volatility -f memory.img --profile=$PROFILE printkey -K "SOFTWARE\Microsoft\Windows\CurrentVersion\Run" | tee ../reports/11_run_keys.txt
volatility -f memory.img --profile=$PROFILE hashdump | tee ../reports/12_hashes.txt
🤖 AI Analyst — Persistence & C2

Share your Run key output, network connections, and command line history. The AI will identify persistence mechanisms, map to ATT&CK, and suggest immediate containment actions.

Dump and analyze suspicious processes
Extract malicious executables from memory for further analysis
# Dump a suspicious process (replace PID with the PID flagged during triage)
SUSPICIOUS_PID=1234
mkdir -p ../reports/dumps # procdump does not create the dump directory
volatility -f memory.img --profile=$PROFILE procdump -p $SUSPICIOUS_PID --dump-dir ../reports/dumps/
md5sum ../reports/dumps/*.exe # Hash for VirusTotal lookup
Phase 2 — Timeline & Scope Assessment
Build the attack timeline and determine blast radius
Build a super-timeline with Plaso
Correlate filesystem, registry, and event log timestamps
# If you have a disk image, create a timeline with log2timeline
log2timeline.py ~/IR/FINANCE-WS-01/timeline/timeline.plaso ~/IR/FINANCE-WS-01/disk/disk.img
# Options precede the storage file; the filter string is the last argument.
# Adjust the date window to the incident period.
psort.py -z UTC -o l2tcsv -w ~/IR/FINANCE-WS-01/timeline/events.csv \
~/IR/FINANCE-WS-01/timeline/timeline.plaso "date > '2024-01-01' AND date < '2024-12-31'"

# Search timeline for ransomware indicators
grep -i "encrypt\|ransom\|shadow\|vssadmin\|bcdedit" ~/IR/FINANCE-WS-01/timeline/events.csv
Determine patient zero and initial access vector
Find how the attacker got in — email, web, RDP, USB?
# Check browser history carved from memory (Internet Explorer cache records)
volatility -f memory.img --profile=$PROFILE iehistory | tee ../reports/13_iehistory.txt
# Check recent files and downloads
volatility -f memory.img --profile=$PROFILE mftparser | grep -i "\.exe\|\.zip\|\.pdf\|\.doc" | tee ../reports/14_mft_suspicious.txt
# Check clipboard for phishing artifacts
volatility -f memory.img --profile=$PROFILE clipboard | tee ../reports/15_clipboard.txt
🤖 AI Analyst — Attack Timeline

Share your timeline data, browser history, and MFT entries. The AI will reconstruct the attack timeline from initial access through ransomware execution, and identify which technique (phishing, exploit, RDP brute force) was used.

Phase 3 — Containment, Eradication & Report
AI-generated playbook, remediation steps, and executive report
AI generates full containment playbook
Based on your findings, get a prioritized remediation list
🤖 AI Analyst — Containment Playbook

Share all your findings: attacker entry point, persistence mechanisms, C2 infrastructure, affected systems, and hashes. The AI will generate a prioritized containment and eradication playbook with specific commands.

Generate IOCs for threat intel sharing
Extract and format all indicators for SIEM/EDR deployment
🤖 AI Analyst

Share all hashes, IPs, domains, registry keys, and file paths found. The AI will structure them as a STIX 2.1 bundle ready for sharing with ISACs and deploying to your SIEM.
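As an added example (not part of the lab or the AI Analyst's output), the Python below builds a STIX 2.1 bundle of the kind described above: one indicator object per IOC, each linked by an "indicates" relationship to a malware object. The IOC values are constructed placeholders (documentation IP range, example domain, the SHA-256 of an empty file), and the malware name is a placeholder for whatever your analysis identifies.

```python
import json
import uuid
from datetime import datetime, timezone

# Constructed indicator values standing in for real findings from the lab:
# documentation IP range, example domain, hash of an empty file, made-up paths.
IOCS = [
    ("sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    ("ipv4", "198.51.100.23"),
    ("domain", "c2.example.net"),
    ("regkey", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"),
    ("filename", "update.exe"),
]

def stix_pattern(kind, value):
    # Build a STIX 2.1 comparison expression; backslashes and quotes are escaped.
    esc = value.replace("\\", "\\\\").replace("'", "\\'")
    templates = {
        "sha256": "[file:hashes.'SHA-256' = '{v}']",
        "ipv4": "[ipv4-addr:value = '{v}']",
        "domain": "[domain-name:value = '{v}']",
        "regkey": "[windows-registry-key:key = '{v}']",
        "filename": "[file:name = '{v}']",
    }
    return templates[kind].format(v=esc)

def make_bundle(iocs, malware_name):
    # One malware SDO, plus an indicator and an "indicates" SRO per IOC.
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    malware = {"type": "malware", "spec_version": "2.1", "id": f"malware--{uuid.uuid4()}",
               "created": now, "modified": now, "name": malware_name, "is_family": True}
    objects = [malware]
    for kind, value in iocs:
        ind = {"type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
               "created": now, "modified": now, "name": f"{kind}: {value}",
               "indicator_types": ["malicious-activity"], "pattern_type": "stix",
               "pattern": stix_pattern(kind, value), "valid_from": now}
        rel = {"type": "relationship", "spec_version": "2.1",
               "id": f"relationship--{uuid.uuid4()}", "created": now, "modified": now,
               "relationship_type": "indicates", "source_ref": ind["id"],
               "target_ref": malware["id"]}
        objects += [ind, rel]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}

if __name__ == "__main__":
    # Placeholder family name; replace with the family identified in analysis.
    print(json.dumps(make_bundle(IOCS, "<ransomware family>"), indent=2))
```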

MITRE ATT&CK mapping
Map all observed behaviors to the ATT&CK framework
🤖 AI Analyst

List all attacker behaviors observed. The AI will map each to ATT&CK technique IDs, identify which tactics were used (Initial Access through Impact), and suggest detection opportunities for each technique.

AI drafts executive incident report
Full incident report ready for CISO and legal review
🤖 AI Analyst — Executive Report

Provide: incident date/time, affected systems, attack timeline, attacker TTPs, business impact, and remediation steps taken. The AI will write a professional incident report with executive summary, technical analysis, and recommendations.

Conduct lessons learned
What controls would have prevented or detected this earlier?
🤖 AI Analyst

Describe how the attacker got in and what detection gaps existed. The AI will suggest specific security controls (technical and procedural) that would have prevented or detected this incident sooner.

Lab complete — restore and close
Revert SIFT to clean snapshot, file the report
✅ Memory image acquired and analyzed with Volatility
✅ Processes, connections, and persistence mechanisms documented
✅ Attack timeline reconstructed
✅ Containment playbook generated
✅ IOCs extracted and formatted
✅ ATT&CK mapping completed
✅ Executive report drafted
✅ Lessons learned documented

Next: Lab L09 — Cloud Security AI Monitoring

Apply IR skills to cloud environments — detect privilege escalation in AWS CloudTrail logs.
