The APT Threat Group Incident Response Challenge 👯‍♀️

Created: 18.11.2020


Below is the skeleton from the SANS 508 course description. I am using it to build my study plan. For each step of this plan I estimate my current level of training, and I am also collecting resources for the topic under Resources.

🫑 - level 0. I know nothing and not even where to start. I might have some embarrassingly fundamental knowledge which is not good enough even for the start.

🥒 - level 1. I know something about the subject, but this only gives me an approximate plan and kind of things to look for.

🥗 - level 2. I know something about the subject, I've even read something about it. But no hands-on experience.

🌮 - level 3. I know quite a lot about the subject, I've read something about it and have some hands-on experience.

🥘 - level 4. I know a lot about the subject and have quite a decent amount of experience. This one I will only use when I am done preparing and have taken the first mock exam. Bonus - 🍭 real-life experience (not just labs).

🗒 - topic-specific plan. 👌 - done, 🚧 - in progress.

🗂 - references and resources.

🎯 - objectives.

🏺 - artifacts.

🛠 - tools to learn/use.



This incredibly rich and realistic enterprise intrusion exercise is based on a real-world advanced persistent threat (APT) group. It brings together techniques learned earlier in the course and tests your newly acquired skills in an investigation into an attack by an advanced adversary. The challenge brings it all together using a real intrusion into a complete Windows enterprise environment. You will be asked to uncover how the systems were compromised in the initial intrusion, find other compromised systems via adversary lateral movement, and identify intellectual property stolen via data exfiltration. You will walk out of the course with hands-on experience investigating a real attack, curated by a cadre of instructors with decades of experience fighting advanced threats from attackers ranging from nation-states to financial crime syndicates and hacktivist groups.

  • The Intrusion Forensic Challenge will ask each incident response team to analyze multiple systems in an enterprise network with many endpoints.
  • Learn to identify and track attacker actions across an entire network finding initial exploitation, reconnaissance, persistence, credential dumping, lateral movement, elevation to domain administrator, and data theft/exfiltration.
  • Discover evidence of some of the most common and sophisticated attacks in the wild including Cobalt Strike, Metasploit, PowerShell exploit frameworks, and custom nation-state malware.
  • During the challenge, each incident response team will be asked to answer key questions and address critical issues in the different categories listed below, just as they would during a real breach in their organizations:


  1. How and when did the APT group breach our network?

  2. List all compromised systems by IP address and specific evidence of compromise.

  3. When and how did the attackers first laterally move to each system?


  1. How and when did the attackers obtain domain administrator credentials?

  2. Once on other systems, what did the attackers look for on each system?

  3. Find exfiltrated email from executive accounts and perform damage assessment.

  4. Determine what was stolen: Recover any attacker archives, find encryption passwords, and extract the contents to verify exfiltrated data.

  5. Collect and list all malware used in the attack.

  6. Develop and present cyber threat intelligence based on host and network indicators of compromise.


  1. What level of account compromise occurred? Is a full password reset required during remediation?

  2. Based on the attacker techniques and tools discovered during the incident, what are the recommended steps to remediate and recover from this incident?

    a. What systems need to be rebuilt?

    b. What IP addresses need to be blocked?

    c. What countermeasures should we deploy to slow or stop these attackers if they come back?

    d. What recommendations would you make to detect these intruders in our network again?

Students will receive a full six-month license of F-Response Enterprise Edition, enabling them to use their workstation or the SIFT workstation to connect and script actions on hundreds or thousands of systems in the enterprise. This capability is used to benchmark, facilitate, and demonstrate new incident response and threat hunting technologies that enable a responder to look for indicators of compromise across the entire enterprise network in memory and on disk.


[1] About some APT groups

[2] Practical Malware Analysis book