Preview Mode — This PBQ requires a Premium Membership and is being shown in a read-only preview mode. See Plans

This PBQ requires a Premium Membership and is being shown in a read-only preview mode.

Cyber Kill Chain Scenario

Acme Corp’s SOC is conducting a post-incident review of a breach that began on an administrative assistant’s Windows 11 workstation (ACME-WS-104). Investigators identified and collected a timeline of events and actor vectors. Your task is to map these items into their appropriate Cyber Kill Chain phase.

Findings

Findings

Adversaries performed targeted reconnaissance using public records and social media, with activity traced to the compromised employee's workstation.

A phishing email containing a malicious link was sent to the employee, providing the initial compromise of the workstation.

Customized malware was crafted to exploit known vulnerabilities in the employee's system

The phishing email with the malicious attachment was successfully delivered to the employee's inbox.

The malicious document exploit executed, leveraging a vulnerability in the employee's word processor to run code on the system.

The adversary created a scheduled task to maintain access and automatically re-launch the malware after reboot.

After establishing a foothold, attackers used stolen credentials to move laterally to a corporate file server.

Unauthorized remote connections were established from the infected PC, enabling adversaries to control the system.

Attackers exfiltrated sensitive customer data to an external server.