Alerts display in reverse chronological order but the attack ran forward in time. Reorder by timestamp to reconstruct the kill chain — the suspicious DNS at 08:47 is patient zero.
Reading the Alert Queue
Alerts fire in reverse chronological order but the investigation runs forward. Sort chronologically: suspicious DNS at 08:47 is patient zero — that's when Sarah clicked. Impossible travel and C2 callback firing simultaneously at 09:44 means the attacker already has a foothold and is actively operating. Triage starts with highest severity + earliest in the attack chain. Ask the class: "Which alert would you open first?" and why the answer isn't always the highest severity one.
Class Exercise
Put the 6 alerts in chronological order of when each event occurred (not when it fired). What does the gap between the DNS alert (08:47) and the impossible travel alert (09:44) tell you about how long the attacker had undetected access? Answer: 57 minutes of dwell time before detection.
From: IT-Security-Team@acme-corp-secure.com (domain registered 3 days prior)
To: sarah.chen@acme-corp.com
Subject: ⚠ URGENT: Verify your account — unusual sign-in detected
Received: 2024-11-14 08:12:04 UTC · via 185.220.101.47
DKIM: FAIL
SPF: FAIL — acme-corp-secure.com not authorized
DMARC: FAIL → QUARANTINE (user self-released 08:45)
Dear Sarah,
Our security systems have detected an unusual sign-in attempt on your account. To protect your account, please verify your identity immediately.
Action Required: Click the link below. This link expires in 15 minutes.
https://acme-corp-secure.com/login/verify
IT Security Team — Acme Corporation
Proofpoint Analysis
AiTM phishing kit (EvilGinx2) — proxies real Microsoft login, captures session tokens, bypasses MFA entirely
Domain acme-corp-secure.com registered 2024-11-11 — 3 days before attack. Cloudflare privacy guard.
Sending IP 185.220.101.47 matches known AiTM infrastructure (Tor exit node)
DMARC quarantined this email — user manually released at 08:45 and clicked at 08:47
Urgency language, IT impersonation, 15-minute countdown — classic social engineering
Why DMARC Didn't Stop This
DMARC worked correctly — it quarantined the email. The failure was a process gap: users could self-release quarantined email. DMARC is only as strong as your quarantine policy. Document this as a control gap, not a DMARC failure.
Analyst Tip — Domain Age
Any sending domain registered fewer than 30 days ago is a strong phishing indicator. Threat actors register lookalike domains days before campaigns. Check WHOIS or Proofpoint domain intelligence on every suspicious sender.
Exercise
Identify all IOCs from this email. What type is each one (IP, domain, URL, email)? Which IOC would you block first to prevent further phishing victims?
AiTM — Why MFA Didn't Stop This
Classic phishing steals credentials. AiTM proxies the real login in real time — Sarah authenticates including MFA, but the attacker's proxy captures the session cookie. That cookie is replayed without credentials or MFA. Key lesson: user self-released this email from quarantine. DMARC worked — user override defeated it. Document this as a process gap. This is also why FIDO2/passkeys are the only MFA that defeats AiTM — they bind the challenge to the origin domain, so the proxy can't relay it.
Discussion Point
If Acme had required FIDO2 hardware keys instead of push MFA, would this attack have succeeded? Why or why not? Answer: No — FIDO2 challenges are cryptographically bound to acme-corp.com, so the proxy on acme-corp-secure.com would receive a challenge it can't fulfill.
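The origin binding that the answer relies on, as an added example that is not part of the lab: a simplified WebAuthn relying-party check in which the authenticator's private-key signature is stood in for by an HMAC (an assumption so it runs on the standard library alone), using the lab's two hostnames.

```python
# Added example (not lab code): why an AiTM proxy cannot relay a FIDO2/WebAuthn
# assertion. Simplified: the authenticator's private-key signature is stood in
# for by an HMAC over the same bytes so this runs on the standard library alone.
# Origins are the lab's; a real Microsoft login origin would differ.
import base64
import hashlib
import hmac
import json
import secrets
from typing import Tuple

RP_ORIGIN = "https://acme-corp.com"            # the legitimate relying party (per the lab's answer)
PROXY_ORIGIN = "https://acme-corp-secure.com"  # the lab's AiTM proxy domain


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_assertion(challenge: bytes, visited_origin: str, cred_key: bytes) -> dict:
    """What Sarah's browser and authenticator return. The browser, not the page,
    fills in `origin` with the site actually visited; the authenticator signs over
    a hash of that clientDataJSON, so the origin is covered by the signature."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": _b64(challenge),
                              "origin": visited_origin}).encode()
    digest = hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "signature": hmac.new(cred_key, digest, "sha256").digest()}


def rp_verify(assertion: dict, expected_challenge: bytes, cred_key: bytes) -> Tuple[bool, str]:
    """Relying-party checks in WebAuthn order: type, challenge, origin, then signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != _b64(expected_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    digest = hashlib.sha256(assertion["clientDataJSON"]).digest()
    if not hmac.compare_digest(hmac.new(cred_key, digest, "sha256").digest(), assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def sign_in_via(visited_origin: str) -> Tuple[bool, str]:
    """Sarah authenticates at `visited_origin`; the proxy forwards the assertion to the real RP unchanged."""
    cred_key = secrets.token_bytes(32)   # constructed stand-in for the registered credential
    challenge = secrets.token_bytes(32)  # issued by the real RP, relayed by the proxy as-is
    return rp_verify(browser_assertion(challenge, visited_origin, cred_key), challenge, cred_key)


def proxy_rewrites_origin() -> Tuple[bool, str]:
    """The proxy edits `origin` to look legitimate; the signature no longer matches the bytes."""
    cred_key, challenge = secrets.token_bytes(32), secrets.token_bytes(32)
    assertion = browser_assertion(challenge, PROXY_ORIGIN, cred_key)
    cd = json.loads(assertion["clientDataJSON"])
    cd["origin"] = RP_ORIGIN
    assertion["clientDataJSON"] = json.dumps(cd).encode()
    return rp_verify(assertion, challenge, cred_key)
```

A push or TOTP factor has no origin field at all, which is why the same proxy succeeds against it.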
The attacker sent 9 push notifications in 90 seconds while simultaneously using the stolen token. The MFA fatigue was a distraction — by the time Sarah denied push #9, the attacker had already authenticated via stolen cookie and was in her inbox.
⚠ MFA bypassed via token replay — no challenge presented
08:51:19 · AiTM-captured cookie — attacker never needed MFA
⚠ 2 active sessions — one legitimate, one attacker. Revoke all to contain.
| Session     | IP             | Location   | Started  | Last Active | Status     |
|-------------|----------------|------------|----------|-------------|------------|
| a9f2...3d81 | 10.0.1.52      | US/Seattle | 08:34:12 | 09:41:22    | LEGITIMATE |
| b4e7...9c22 | 185.220.101.47 | RU/Moscow  | 08:51:19 | 09:44:01    | MALICIOUS  |
Critical Action
Resetting Sarah's password will not terminate the attacker's session — you must revoke all Entra refresh tokens. Command: az ad user revoke-sign-in-sessions --id sarah.chen@acme-corp.com
| Detection                     | Risk | Time     | Detail                     |
|-------------------------------|------|----------|----------------------------|
| Impossible Travel             | HIGH | 09:44:18 | US→RU in <4 min            |
| Unfamiliar Sign-in Properties | MED  | 08:51:02 | New device + IP            |
| Malicious IP Address          | HIGH | 08:51:02 | Tor exit / AiTM infra      |
| Token Replay Attack           | HIGH | 08:51:19 | Stolen AiTM session cookie |
Token Theft vs Credential Theft
Resetting Sarah's password won't remove the attacker's session — you must revoke all Entra tokens. Also: the OAuth app registered at 09:08 persists even after token revocation. It's a second persistence mechanism that must be removed separately. This two-step persistence (token + OAuth app) is standard attacker practice to survive remediation. Walk through the Sessions tab — ask students: "How do you tell which session is the attacker's without geolocation?"
Analyst Note
The 90-day default token TTL in M365 is what made this attack so impactful. Continuous Access Evaluation (CAE) would have forced re-authentication when the IP changed from US to Russia, potentially cutting attacker access in seconds instead of 57 minutes.
04 Endpoint Analysis · SentinelOne EDR · Reconstruct dropper behavior · identify all artifacts
Key Concept
The dropper chain here is textbook: Browser → cmd.exe → PowerShell (encoded) → File drop → Registry persistence → C2 beacon. Each step is detectable — browsers must never spawn cmd.exe.
Analyst Tip
Check file names masquerading as system processes: svchosts.exe (extra 's') mimics svchost.exe. Look at the file path — legitimate svchost.exe only runs from System32, never from AppData.
Dropper Anatomy
Walk through the timeline chronologically. The key detection opportunity is at 08:47:45: chrome.exe renderer spawning cmd.exe. This is almost never legitimate — browser renderers operate in sandboxed processes and should never interact with the shell. PowerShell script block logging would have captured the decoded payload. The Registry Run key in HKCU (user space) is chosen to avoid needing admin rights — the dropper runs entirely as sarah.chen with no privilege escalation.
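The four detection opportunities in this chain, as an added example that is not lab or SentinelOne code: behavioral rules over a constructed, simplified EDR export (browser spawning a shell, encoded PowerShell decoded for inspection, svchosts.exe-style masquerading outside System32, and an HKCU Run-key write). The encoded command is a harmless constructed string, not the lab's elided payload.

```python
# Added example (not lab or SentinelOne code): behavioral rules for the dropper
# chain above, run over a constructed, simplified EDR export. The encoded command
# is a harmless constructed string, not the lab's elided 'JAB...' payload.
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "mshta.exe"}
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class Event:
    ts: str
    kind: str           # "process" or "registry"
    image: str          # process file name (for registry events: the writing process)
    path: str = ""      # full image path
    parent: str = ""    # parent process file name
    cmdline: str = ""
    reg_key: str = ""


def decode_encoded_powershell(cmdline: str) -> Optional[str]:
    """-enc/-EncodedCommand carries Base64 of UTF-16LE; decode so the rule and the
    analyst see the script, not an opaque blob (script block logging gives the same)."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def _one_char_inserted(name: str, target: str) -> bool:
    """True if `name` is `target` plus one extra character (svchosts.exe vs svchost.exe)."""
    return len(name) == len(target) + 1 and any(name[:i] + name[i + 1:] == target for i in range(len(name)))


def looks_like_system_masquerade(image: str, path: str) -> bool:
    """A real system name running outside System32, or a one-character near-miss of one."""
    name = image.lower()
    if name in SYSTEM_NAMES:
        return not path.lower().startswith(SYSTEM32)
    return any(_one_char_inserted(name, s) for s in SYSTEM_NAMES)


def detect(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Apply the four rules to a chronologically ordered event list; return (ts, rule, detail)."""
    findings = []
    for e in events:
        if e.kind == "process":
            if e.parent.lower() in BROWSERS and e.image.lower() in SHELLS:
                findings.append((e.ts, "browser-spawned-shell", f"{e.parent} -> {e.image}"))
            decoded = decode_encoded_powershell(e.cmdline)
            if decoded is not None:
                findings.append((e.ts, "encoded-powershell", decoded))
            if looks_like_system_masquerade(e.image, e.path):
                findings.append((e.ts, "system-process-masquerade", e.path))
        elif e.kind == "registry" and re.match(r"HKCU\\.*\\CurrentVersion\\Run\\", e.reg_key, re.I):
            findings.append((e.ts, "hkcu-run-key-persistence", f"{e.reg_key} <- {e.image}"))
    return findings


# Constructed sample: the lab's chain on WKSTN-0112 plus one legitimate svchost.exe.
ENCODED = base64.b64encode("Write-Host 'constructed benign sample'".encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    Event("08:47:12", "process", "chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "explorer.exe"),
    Event("08:47:45", "process", "cmd.exe", r"C:\Windows\System32\cmd.exe", "chrome.exe", "cmd.exe /c start powershell"),
    Event("08:47:46", "process", "powershell.exe", PS, "cmd.exe", f"powershell.exe -enc {ENCODED}"),
    Event("08:48:02", "process", "svchosts.exe", r"C:\Users\sarah.chen\AppData\Roaming\svchosts.exe", "powershell.exe"),
    Event("08:48:05", "registry", "powershell.exe", reg_key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SvcHost"),
    Event("08:50:00", "process", "svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe"),
]
```

`detect(SAMPLE_EVENTS)` returns one finding per stage of the chain and nothing for the legitimate svchost.exe at 08:50:00.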
Class Exercise
WKSTN-0112 is reimaged. Which artifacts could survive a reimage? Answer: None of these — all are user-space. However, the attacker's OAuth app in Entra ID and the stolen session token would survive endpoint remediation. This is why identity and endpoint remediation must happen in parallel.
05 Containment · SentinelOne EDR · Isolate → Revoke → Kill C2 · order matters
SentinelOne · Endpoint: WKSTN-0112 · sarah.chen · ● ACTIVE THREAT — NOT ISOLATED
Process Tree — WKSTN-0112
explorer.exe (PID 1204)
  └ chrome.exe (PID 3892)
      └ chrome.exe --renderer (PID 4201) ⚠ spawned cmd
          └ cmd.exe (PID 5512) · browser-spawned ⚠
              └ powershell.exe -enc JAB… (PID 6104) · MALICIOUS
                  └ net.exe → 45.142.212.100:4444 · C2 ACTIVE
Containment Checklist
Host Isolated: ✗ Pending
Sessions Revoked: ✗ Pending
C2 Killed: ✗ Pending
Order Matters
Isolate first — cuts all network paths simultaneously. Then revoke sessions. Then kill process. Killing C2 first may trigger secondary persistence.
Containment Order Matters
Isolate first — cuts all network paths simultaneously. Then revoke tokens. Then kill the process. If you kill C2 first, the attacker may trigger a secondary persistence mechanism. The browser→cmd→powershell chain is a classic click-to-execute dropper — chrome renderers should never spawn cmd.exe. That's your smoking gun in the process tree. Also: network isolation happens at the EDR agent level, so even if WKSTN-0112 is plugged in, it can't route traffic to the internet or the internal network during isolation.
Class Exercise
Click each containment action in order — Isolate, then Revoke, then Kill C2. Then discuss: What would happen if you revoked sessions first but forgot to isolate? The C2 channel (powershell.exe → port 4444) runs independently of the M365 session — so revoking tokens doesn't kill the C2. You need both.
06 MITRE ATT&CK Mapping · Kill Chain Analysis · Map each technique to evidence · identify detection gaps
INC-2024-0847 · ATT&CK Coverage
Initial Access: T1566.002 Spearphishing Link
Execution: T1059.001 PowerShell
Persistence: T1547.001 Registry Run Keys · T1098.001 Additional Cloud Credentials
Credential Access: T1557 Adversary-in-the-Middle · T1539 Steal Web Session Cookie
Defense Evasion: T1078 Valid Accounts
Command & Control: T1090.003 Multi-hop Proxy (Tor)
Lateral Movement: T1021.002 SMB/Admin Shares
Collection: T1213 Data from Info Repositories
Exfiltration: T1567.002 Exfil to Cloud Storage
Key Concept
MITRE ATT&CK is a knowledge base of adversary behaviors. Mapping an incident to ATT&CK techniques helps you answer: Where are your detection gaps? If you have no telemetry for a technique, that's a sensor coverage gap.
Exercise
For each technique, ask: Which security control could have prevented or detected it? Some techniques like T1078 (Valid Accounts) are nearly impossible to prevent — you can only detect through behavioral analytics.
ATT&CK Mapping — Instructor Notes
Walk through each phase left-to-right. This incident touches 9 tactics and 10 techniques — it's a comprehensive campaign, not a smash-and-grab. Focus on the detection gap conversation: the attacker used Tor (T1090.003) throughout, so IP-based blocking was difficult. The persistence via OAuth app (T1098.001) is particularly important because it survives all identity remediation except explicit app removal.
Discussion Point
If Acme had FIDO2 MFA, T1557 and T1539 would have failed at the credential access phase. Every subsequent technique would have been impossible. Ask students: which single control has the highest impact on this attack chain?
07 Log Collection · Multi-source · Collect all sources before they roll over · preserve chain of custody
⚠ Some log sources retain for only 30 days. Collect everything before analysis — logs deleted post-incident can compromise investigations and legal proceedings.
Every log you collect should be hashed (SHA-256) immediately to prove it hasn't been tampered with. This matters if the incident goes to legal proceedings. Export to a write-once evidence store, not a shared drive.
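One way to do the hashing step, as an added example that is not lab or vendor code: hash each export at collection time into a manifest, then re-verify before analysis or hand-off so any later modification, deletion or unrecorded addition is caught. The exports are constructed byte strings standing in for real log files.

```python
# Added example (not lab code): hash each collected export at collection time,
# record a manifest, and re-verify before analysis or hand-off. Exports are
# constructed byte strings standing in for real log files.
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(exports: Dict[str, bytes], incident: str, collector: str) -> dict:
    """One record per export (digest, size, UTC collection time). The manifest's own
    digest is computed last and belongs in the case notes, outside the evidence store."""
    entries = {name: {"sha256": sha256_hex(blob), "bytes": len(blob),
                      "collected_utc": datetime.now(timezone.utc).isoformat(timespec="seconds")}
               for name, blob in sorted(exports.items())}
    manifest = {"incident": incident, "collector": collector, "exports": entries}
    manifest["manifest_sha256"] = sha256_hex(json.dumps(manifest, sort_keys=True).encode())
    return manifest


def verify(exports: Dict[str, bytes], manifest: dict) -> List[str]:
    """Return every discrepancy: modified or missing exports, and files not in the manifest."""
    problems = []
    for name, rec in manifest["exports"].items():
        if name not in exports:
            problems.append(f"missing: {name}")
        elif sha256_hex(exports[name]) != rec["sha256"]:
            problems.append(f"modified: {name}")
    problems += [f"unrecorded: {n}" for n in exports if n not in manifest["exports"]]
    return problems


# Constructed exports: two tiny stand-ins for the lab's log sources.
SAMPLE_EXPORTS = {
    "entra_signin_2024-11-14.json": b'{"user":"sarah.chen","ip":"185.220.101.47","t":"08:51:19"}\n',
    "proofpoint_2024-11-14.csv": b"time,from,verdict\n08:12:04,IT-Security-Team@acme-corp-secure.com,quarantine\n",
}
```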
Retention Warning
Entra ID sign-in logs have a 30-day retention at E3 licensing. If this incident is discovered 31 days later, the most critical auth evidence is gone. M365 E5 extends this to 1 year. This is a licensing gap worth flagging in your post-incident recommendations.
Log Collection — Instructor Notes
This section simulates the "evidence preservation" phase that often gets skipped in the rush to contain. In real incidents, analysts frequently start analysis before collecting — then discover that critical logs have aged out. The 30-day Entra ID retention is a genuine gotcha that catches teams who wait too long to collect. Emphasize: collect first, analyze second.
Class Exercise
Click "Collect Logs" on all 6 sources. Which one takes longest? Why would EDR logs take longer than email logs? (Hint: 14,000+ events vs 3 events.) After collecting, which source would you start your analysis with and why?
Filter by attacker IP (185.220.101.47) to isolate only attacker actions from legitimate user activity. Every event from that IP is a forensic artifact of what the attacker did under Sarah's identity.
Reconstructing Attacker Actions
Filter by the malicious session IP (185.220.101.47) to isolate only attacker actions. The OAuth app at 09:08 is critical — it persists after token revocation and must be removed separately. File access events show exactly what was read. Download events show exfil. The UAL is your forensic record of everything the attacker did inside M365 under Sarah's identity. Click "Exfil" filter to see the full exfiltration picture.
Class Exercise
Switch to the "File Access" filter. List the three most sensitive documents the attacker accessed. Which one has the highest business impact? Now switch to "App Activity" — why does the OAuth app registration matter even after you revoke the stolen token?
Key Concept — IOC vs Behavioral Hunting
IOC hunting searches for known-bad artifacts (IPs, hashes, domains). Behavioral hunting searches for suspicious patterns (browser spawning cmd.exe) regardless of known indicators. IOC hunting is fast but misses novel variants. Behavioral hunting catches the unknown.
Exercise
Hunt all 5 IOCs. Which one reveals the most additional victims? Does the incident scope expand beyond sarah.chen?
Pivoting from One IOC
Each IOC is a jumping-off point. The phishing IP may have hit other employees. The C2 IP connects to other hosts. The encoded PowerShell pattern is a dropper signature — hunt it across all endpoints. Every additional hit expands your blast radius assessment and may change the incident from "one user" to "domain-wide." The hunt on 45.142.212.100 reveals a second C2 channel on WKSTN-0088 — the incident scope widens significantly.
Analyst Note
After hunting acme-corp-secure.com, you'll see WKSTN-0201 (tom.walker) resolved the domain but didn't click. This is important: resolve ≠ compromise. However, tom.walker's machine should be checked for any follow-up phishing attempts and his account should be monitored for the next 30 days.
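The pivot described in the two notes above, as an added example that is not lab or SIEM code: the lab's IOCs hunted across constructed multi-host DNS, proxy and firewall records, with hosts that only resolved a domain kept apart from hosts that connected or fetched, so the scope widens to WKSTN-0088 but WKSTN-0201 lands on the monitor list.

```python
# Added example (not lab or SIEM code): hunt the lab's IOCs across multi-host
# telemetry and separate hosts that merely resolved a domain from hosts that
# connected or fetched, so scope widens only on real contact. Records are constructed.
from typing import Dict, List, Set
from urllib.parse import urlparse

IOCS = {
    "185.220.101.47": "ip",        # phishing sender / AiTM infra: lives in mail-gateway logs,
                                   # so endpoint telemetry alone yields no hits for it
    "45.142.212.100": "ip",        # C2
    "acme-corp-secure.com": "domain",
    "https://acme-corp-secure.com/login/verify": "url",
}
# Telemetry kinds that prove contact with the indicator (a DNS lookup alone does not).
CONTACT_KINDS = {"http_get", "tcp_connect"}


def values_in(record: dict) -> Set[str]:
    """An observed URL also implies its hostname, so a domain IOC matches URL telemetry."""
    found = {record["value"]}
    if record["kind"] == "http_get":
        found.add(urlparse(record["value"]).hostname or "")
    return found


def hunt(records: List[dict]) -> Dict[str, Dict[str, Set[str]]]:
    """Per IOC: hosts with confirmed contact, and hosts that only resolved it."""
    hits = {ioc: {"contact": set(), "resolved_only": set()} for ioc in IOCS}
    for r in records:
        for ioc in IOCS.keys() & values_in(r):
            bucket = "contact" if r["kind"] in CONTACT_KINDS else "resolved_only"
            hits[ioc][bucket].add(r["host"])
    for h in hits.values():          # a host that connected is not "resolved only"
        h["resolved_only"] -= h["contact"]
    return hits


def scope(hits: Dict[str, Dict[str, Set[str]]]) -> Dict[str, Set[str]]:
    """Turn hunt results into the two lists the analyst acts on: remediate vs monitor."""
    remediate = set().union(*(h["contact"] for h in hits.values()))
    monitor = set().union(*(h["resolved_only"] for h in hits.values())) - remediate
    return {"remediate": remediate, "monitor": monitor}


# Constructed telemetry: DNS, proxy and firewall events normalised to host/kind/value.
SAMPLE_RECORDS = [
    {"ts": "08:47:01", "host": "WKSTN-0112", "kind": "dns", "value": "acme-corp-secure.com"},
    {"ts": "08:47:03", "host": "WKSTN-0112", "kind": "http_get", "value": "https://acme-corp-secure.com/login/verify"},
    {"ts": "08:48:10", "host": "WKSTN-0112", "kind": "tcp_connect", "value": "45.142.212.100"},
    {"ts": "08:50:12", "host": "WKSTN-0201", "kind": "dns", "value": "acme-corp-secure.com"},
    {"ts": "09:15:40", "host": "WKSTN-0088", "kind": "tcp_connect", "value": "45.142.212.100"},
    {"ts": "09:20:00", "host": "WKSTN-0301", "kind": "dns", "value": "www.acme-corp.com"},  # benign
]
```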
10 Eradication & Recovery · Multi-tool · Systematically remove all attacker access · verify clean state
Identity Remediation
1. Force-reset sarah.chen password
   Reset and enforce change on next login. Note: this alone does not revoke active sessions — do step 2 first.
   Where: Entra ID · Users · Reset Password
2. Revoke all Entra refresh tokens — sarah.chen
   Terminates all active sessions including the attacker's stolen token. Must happen before or simultaneously with password reset.
   Command: az ad user revoke-sign-in-sessions --id sarah.chen@acme-corp.com
3. Remove "Outlook Sync Helper" OAuth app
   This persistence mechanism survives token revocation and password reset. Must be explicitly removed from Enterprise Applications in Entra ID.
   Where: Entra ID · Enterprise Applications · Delete
4. Force-reset james.liu password + revoke sessions
   Second victim identified in threat hunt. Apply same remediation as sarah.chen.
   Where: Entra ID · Bulk actions
5. Re-enroll affected users with FIDO2 hardware keys
   After resetting, users must re-enroll with phishing-resistant MFA before restoring M365 access. This breaks the AiTM attack vector for future campaigns.
   Where: Entra ID · Authentication Methods · FIDO2
Endpoint Remediation
6. Reimage WKSTN-0112 (do not restore from recent backup)
   Full wipe and reimage. Do not restore from backup taken after 08:47 — it may include the dropper and registry persistence. Restore from pre-incident image.
   Where: SentinelOne · Endpoint Actions · Wipe
7. Reimage WKSTN-0088 (james.liu — second C2 confirmed)
   Second host with confirmed dropper and active C2. Same procedure as WKSTN-0112.
   Where: SentinelOne · Endpoint Actions · Wipe
8. Check SRVR-DC01 for lateral movement artifacts
   Attacker accessed ADMIN$ share. Check for new accounts, modified GPO, scheduled tasks, or ntds.dit access events. DC may require special handling if domain credentials are at risk.
Network Remediation
9. Block 185.220.101.47 at perimeter firewall
   AiTM phishing infrastructure / Tor exit node. Block outbound AND inbound. Add to threat intel blocklist.
   Where: Foyl NGFW · Security Policy · Block rule
10. Block 45.142.212.100 at perimeter firewall
   C2 server (Tor exit node, port 4444). Block outbound to this IP on all ports.
   Where: Foyl NGFW · Security Policy · Block rule
11. Block acme-corp-secure.com and dropbox-cdn.io at DNS / proxy
   Prevents other potential victims from reaching the phishing site and exfil destination. Add both to DNS sinkhole and web proxy blocklist.
   Where: DNS Sinkhole · Web Proxy
M365 Application Remediation
12. Audit all OAuth app consents in the last 30 days
   Look for other users who may have been tricked into consenting to malicious apps. Review all apps with Mail.Read or Files.Read permissions granted by users (not admins).
   Where: Entra ID · Enterprise Applications · Filter: User Consent · Last 30d
13. Review and restrict Finance SharePoint permissions
   Determine if sarah.chen's access to Finance Q4 data was appropriate. Apply need-to-know access model. Add sensitivity labels to M&A and financial documents.
   Where: SharePoint Admin · Permissions · Microsoft Purview
14. Enable Continuous Access Evaluation (CAE)
   CAE forces immediate re-authentication when risk signals change (e.g., new IP, revoked token). Would have cut attacker access in seconds instead of 57 minutes.
   Where: Entra ID · Conditional Access · Session Controls · CAE
15. Restrict quarantine release to the security team
   This is the process gap that let this email reach Sarah. Restrict quarantine release to security team only. Users can request review but cannot self-release.
   Where: Microsoft 365 Defender · Policies · Quarantine Policies
Verification
16. Hunt: powershell -enc across all endpoints
   Confirm no other hosts have the dropper. Look for the same Base64-encoded PowerShell command line pattern across the full fleet.
   Where: SentinelOne Deep Visibility · foyl SIEM EDR Source
17. Verify no C2 beaconing from any host
   Check perimeter firewall for any remaining connections to 45.142.212.100:4444. If any host other than the two reimaged endpoints appears, widen the incident scope.
18. Assess regulatory notification obligations
   M&A acquisition data and Q4 financials were confirmed exfiltrated. Regulatory notification may be required under GDPR / state breach notification laws. DPO determines obligation and timeline.
   Where: Legal / Compliance · Data Privacy Officer
Eradication — Instructor Notes
The most common eradication mistakes: (1) resetting the password before revoking tokens — the attacker's session survives; (2) forgetting the OAuth app — it persists through all identity remediation; (3) restoring from a backup that includes the dropper. Walk through the checklist in category order: identity first, then endpoint, then network, then application. Verification last — don't declare victory without confirming clean state.
Discussion Point
Which of these 18 steps is most often skipped in real incidents? The answer is typically step 12 (OAuth app audit) and step 15 (quarantine policy change). These require cross-team coordination — security team finds the gap, but IT or compliance has to fix the policy.
11 Root Cause Analysis · 5 Whys · Trace the failure chain to its root · build durable recommendations
5 Whys Analysis — INC-2024-0847
Why #1: Why was 847 MB of Finance data exfiltrated?
The attacker maintained access to sarah.chen's M365 account for 57 minutes without triggering an automatic session revocation.
Detection gap: impossible travel fired at 09:44 — 57 minutes after initial token replay at 08:51. UEBA behavioral baselines would have flagged bulk file access at 09:02.
Why #2: Why did the session remain valid for 57 minutes from a foreign IP?
M365 default 90-day refresh token TTL and absence of Continuous Access Evaluation (CAE) meant sign-in from a Russian Tor exit node required no re-authentication.
With CAE enabled and a Conditional Access policy requiring re-auth on IP change, the attacker's session would have been terminated within seconds of connecting from 185.220.101.47.
Why #3: Why could the attacker obtain a valid M365 session token?
The AiTM proxy at acme-corp-secure.com proxied the real Microsoft login, capturing the post-authentication session cookie. Push-based MFA was bypassed because the token was stolen after Sarah completed MFA.
This is the key technical insight: traditional MFA (TOTP, SMS, push) cannot stop AiTM. The cookie is captured after the legitimate auth event completes. Only FIDO2 prevents this.
Why #4: Why was phishing-resistant MFA not deployed?
Acme Corp deployed Microsoft Authenticator push notifications — simpler for users than hardware keys. FIDO2 was on the roadmap but not yet enforced for Finance or high-risk roles. Cost and user friction drove the decision.
This is a common organizational gap: the security team knew FIDO2 was the right answer, but change management, cost, and user pushback delayed deployment. The cost of this breach far exceeds the hardware key rollout.
Why #5 (Root Cause): Why did the phishing email reach and convince Sarah in the first place?
Two independent failures: (1) User-controlled quarantine release allowed Sarah to self-release a DMARC-quarantined email. (2) Security awareness training had not covered AiTM phishing techniques specific to M365.
Root cause: The absence of two independent controls — phishing-resistant MFA (defense-in-depth failure) and admin-only quarantine release (process failure) — each sufficient to prevent the breach if either had been in place.
Security Control Gap Analysis
| Missing Control              | Consequence                         | Recommended Fix                            |
|------------------------------|-------------------------------------|--------------------------------------------|
| FIDO2 / Passkey MFA          | AiTM bypassed MFA entirely          | Enforce FIDO2 for Finance, HR, Exec roles  |
| User quarantine release      | DMARC-blocked email reached user    | Admin-only quarantine review workflow      |
| Continuous Access Evaluation | 57-min undetected attacker session  | Enable CAE + sign-in frequency policy      |
| UEBA behavioral baseline     | Bulk download not alerted           | MCAS or Defender for Cloud Apps            |
| Cloud storage DLP            | 847 MB exfiltrated via HTTPS        | Block non-approved cloud storage at proxy  |
| OAuth app consent control    | Persistent app survived remediation | Disable user consent; admin workflows only |
5 Whys Framework
The 5 Whys technique traces a problem to its root by asking "why" repeatedly until you reach a cause that is actionable and preventable — not just a symptom.
Good RCA stops at the root — a missing technical control or process gap. It does not stop at "the user clicked a phishing link" (that's a symptom, not a root cause).
Blaming users is not a root cause. Ask why the system allowed a single user action to result in a breach — that's where the control gaps live.
Analyst Tip
A good RCA produces specific, testable recommendations. "Improve security awareness" is not a recommendation. "Enroll Finance department in AiTM phishing simulation by Q1" is.
Exercise
After revealing all 5 Whys, identify which single control change would have had the highest impact on preventing this breach. Make the argument for why.
Root Cause Analysis — Instructor Notes
Click "Reveal Next Why" to walk through the chain step-by-step. The critical insight is that there are TWO independent root causes — either one being in place would have prevented the breach. This is a defense-in-depth lesson: security is about layers. Emphasize: "The user clicked" is NEVER a root cause. The question is always "what control should have caught this even if the user clicked?"
Class Discussion
Looking at the control gap table: if Acme could only fix ONE gap this quarter, which should they prioritize? The answer (FIDO2 MFA) prevents AiTM entirely, whereas fixing quarantine release only reduces the probability of users clicking. The gap that eliminates the attack class is the higher-value fix.
12 Incident Report · Document the full incident · fill manually or autofill from investigation
Key Concept — What Makes a Good IR Report
A good incident report serves three audiences: (1) Technical — full timeline with IOCs and actions taken; (2) Executive — business impact, data exposure, regulatory risk; (3) Legal/Compliance — evidence of due diligence, breach notification assessment. This report template covers all three.
01 Incident Overview: Incident ID · Severity · Date / Time Detected · Analyst · Incident Title · Executive Summary
02 Affected Assets: Primary User · Department · Affected Hosts · Affected Systems · Data Exposure Assessment
03 Attack Timeline: Initial Access · Credential / Token Compromise · Persistence Established · Lateral Movement · Data Exfiltration · Detection · Containment
04 Indicators of Compromise
05 Containment & Remediation: Immediate Actions Taken · Remediation Required
06 Root Cause & Recommendations: Root Cause · Recommendations · MITRE ATT&CK Techniques
Incident Report — Instructor Notes
Have students autofill first, then review and edit. The autofill pulls data from the investigation — this mirrors real SOC workflows where ticket data pre-populates report fields. Key teaching point: the executive summary should be understandable by a CFO with no security background. The MITRE techniques section is for the technical audience and threat intel team. A good report serves both audiences simultaneously.
Class Exercise
After autofilling, edit the executive summary to remove all technical jargon. Could a CFO read it and understand the business impact and current status? Compare your summary with a partner — whose is clearer?