Attack Playbook

📅 Published: 2026-05-03 10:14 | 🔄 Last Updated: 2026-05-21 13:51


Tip: Before starting any attack step, take a snapshot of every lab host so that every action can be rolled back if something goes wrong.

Phase 1: Initial Access, Execution & C2

Objective: Gain a foothold on the target workstation (WS01) and establish a stable Command & Control channel.

| Step | Phase (Tactic) | Technique ID | Technique Name | Lab Action (Procedure) | Expected Log Source / Event ID (Splunk) |
|---|---|---|---|---|---|
| 1 | Initial Access | T1566.002 | Spearphishing Link | User "Jim" accesses a web link and downloads the Annual_Report_2026.ps1 payload. | pfSense / Suricata: HTTP/HTTPS request downloading the .ps1 file. |
| 2 | Execution | T1204.002<br>T1059.001 | User Execution<br>PowerShell | User executes the .ps1 file. The script downloads the agent and saves it as winupdate.exe in the TEMP directory. | Sysmon EID 1: powershell.exe spawns.<br>Sysmon EID 11: winupdate.exe file is created. |
| 3 | Command & Control | T1071.001 | Web Protocols | The Caldera agent successfully establishes C2, beaconing back to the Kali server over standard HTTP (port 80). | Suricata IDS / pfSense: Continuous, regular-interval traffic (beaconing).<br>Sysmon EID 3: winupdate.exe initiates network connections. |
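Added example (not part of the playbook or of Caldera): a small beacon detector over Sysmon EID 3 events that implements the step 3 expectation, flagging a process that contacts one destination at near-constant intervals. The events, the Kali address 10.10.10.5, the TEMP path and the browser traffic used as noise are all constructed.

```python
"""Beacon detection over Sysmon EID 3 (network connection) events.

Rule: many connections from one image to one destination:port at
near-constant intervals (low jitter) are a C2 beaconing candidate.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

T0 = datetime(2026, 5, 3, 10, 0, 0)
# Constructed sample events: (utc_time, image, dest_ip, dest_port).
# winupdate.exe calls the (constructed) Kali address every 60 s over port 80;
# firefox.exe produces irregular traffic that must not be flagged.
EVENTS = (
    [(T0 + timedelta(seconds=60 * i),
      r"C:\Users\Jim\AppData\Local\Temp\winupdate.exe", "10.10.10.5", 80)
     for i in range(10)]
    + [(T0 + timedelta(seconds=s),
        r"C:\Program Files\Mozilla Firefox\firefox.exe", "93.184.216.34", 443)
       for s in (3, 9, 31, 90, 97, 250, 402, 405, 700, 1200)]
)


def find_beacons(events, min_connections=8, max_jitter=0.2):
    """Return [(image, dest_ip, dest_port, mean_interval_s)] for regular talkers."""
    by_dest = defaultdict(list)
    for ts, image, ip, port in events:
        by_dest[(image, ip, port)].append(ts)
    hits = []
    for key, stamps in by_dest.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        # Coefficient of variation: spread of the intervals relative to their mean.
        # A real beacon with no jitter scores 0; browsing scores well above max_jitter.
        if pstdev(gaps) / avg <= max_jitter:
            hits.append((*key, round(avg, 1)))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(EVENTS):
        print("beacon candidate:", hit)
```

Raising min_connections or lowering max_jitter trades missed slow beacons for fewer false positives; tune both against the lab's baseline traffic.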

Phase 2: Local Enumeration & Privilege Escalation

Objective: Establish immediate persistence, map the local system and domain, and elevate privileges on WS01.

| Step | Phase (Tactic) | Technique ID | Technique Name | Lab Action (Procedure via Caldera) | Expected Log Source / Event ID (Splunk) |
|---|---|---|---|---|---|
| 4 | Persistence | T1547.001 | Registry Run Keys / Startup Folder | Writes the path of winupdate.exe into the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key named WindowsUpdateManager. | Sysmon EID 12, 13, 14: Registry value creation and modification for the Run key. |
| 5 | Discovery | T1082<br>T1087.001 | System Information Discovery<br>Account Discovery: Domain | Runs OS commands (whoami, systeminfo, netstat) to map the host. Downloads PowerView via PowerShell to enumerate AD domain admins and target computers. | Sysmon EID 1: Rapid execution of enumeration binaries.<br>WinEvent 4104 (PowerShell): Captures PowerView script block execution. |
| 6 | Privilege Escalation | T1548.002 | Bypass User Account Control | Modifies ms-settings registry keys to exploit the fodhelper.exe auto-elevation mechanism, spawning a new elevated agent. | Sysmon EID 13: Modification of DelegateExecute.<br>Sysmon EID 1: fodhelper.exe spawns a child process. |

Phase 3: Credential Access & Exfiltration

Objective: Extract high-value credentials from system memory and securely transfer them out of the network.

| Step | Phase (Tactic) | Technique ID | Technique Name | Lab Action (Procedure via Caldera) | Expected Log Source / Event ID (Splunk) |
|---|---|---|---|---|---|
| 7 | Credential Access | T1003.001 | OS Credential Dumping: LSASS Memory | Uses rundll32.exe to execute comsvcs.dll, dumping LSASS memory to a file named lsass.dmp. | Sysmon EID 10: rundll32.exe requests GrantedAccess to lsass.exe.<br>Sysmon EID 11: lsass.dmp is created. |
| 8 | Exfiltration | T1041 | Exfiltration Over C2 Channel | Uses curl.exe to POST the lsass.dmp file out of the network over an HTTPS C2 channel to the Kali receiver. | Sysmon EID 1 / 3: curl.exe execution and outbound network connection.<br>Suricata: Anomalous outbound data transfer (large POST). |
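Added example (not from the playbook or from Caldera): the Phase 2 and Phase 3 log expectations (steps 4, 6, 7 and 8) written as rules over Sysmon events and run against constructed sample events that use Sysmon's field names. Hostnames, file paths and the registry paths in the samples are constructed; Sysmon records HKCU keys under HKU\<SID>, which is why the Run-key rule matches on the path suffix only.

```python
"""Match Sysmon events against the playbook's Phase 2-3 expectations."""
import re

# Each rule: (rule_name, playbook_step, predicate over one event dict).
RULES = [
    ("run_key_persistence", 4, lambda e: e["EventID"] in (12, 13)
        and re.search(r"\\CurrentVersion\\Run\\", e.get("TargetObject", ""), re.I)),
    ("uac_bypass_delegateexecute", 6, lambda e: e["EventID"] == 13
        and "ms-settings" in e.get("TargetObject", "").lower()
        and e["TargetObject"].lower().endswith("delegateexecute")),
    ("fodhelper_child_process", 6, lambda e: e["EventID"] == 1
        and e.get("ParentImage", "").lower().endswith("\\fodhelper.exe")),
    ("lsass_access_rundll32", 7, lambda e: e["EventID"] == 10
        and e.get("TargetImage", "").lower().endswith("\\lsass.exe")
        and e.get("SourceImage", "").lower().endswith("\\rundll32.exe")),
    ("lsass_dump_file", 7, lambda e: e["EventID"] == 11
        and e.get("TargetFilename", "").lower().endswith("lsass.dmp")),
    ("curl_outbound", 8, lambda e: e["EventID"] == 3
        and e.get("Image", "").lower().endswith("\\curl.exe")),
]


def match(events):
    """Return sorted unique (step, rule_name, Computer) for every rule an event hits."""
    hits = set()
    for e in events:
        for name, step, pred in RULES:
            if pred(e):
                hits.add((step, name, e.get("Computer", "?")))
    return sorted(hits)


# Constructed sample telemetry (not real logs); SID and paths are made up.
SAMPLE = [
    {"EventID": 13, "Computer": "WS01", "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateManager"},
    {"EventID": 13, "Computer": "WS01", "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Classes\ms-settings\Shell\Open\command\DelegateExecute"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\fodhelper.exe"},
    {"EventID": 10, "Computer": "WS01", "SourceImage": r"C:\Windows\System32\rundll32.exe", "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 11, "Computer": "WS01", "Image": r"C:\Windows\System32\rundll32.exe", "TargetFilename": r"C:\Windows\Temp\lsass.dmp"},
    {"EventID": 3, "Computer": "WS01", "Image": r"C:\Windows\System32\curl.exe", "DestinationPort": 443},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},  # benign
]

if __name__ == "__main__":
    for step, name, host in match(SAMPLE):
        print(f"step {step:>2} {name:<28} on {host}")
```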

Phase 4: Lateral Pivot & Target Acquisition

Objective: Use offline-cracked credentials to pivot to the Domain Controller (DC01) and locate sensitive files.

| Step | Phase (Tactic) | Technique ID | Technique Name | Lab Action (Procedure via Caldera) | Expected Log Source / Event ID (Splunk) |
|---|---|---|---|---|---|
| 9 | Lateral Movement | T1570 | Lateral Tool Transfer | Uploads and executes PsExec64.exe using compromised Domain Admin credentials to spawn a detached, elevated C2 agent on DC01. | WinEvent 4624 (DC01): Logon Type 3 (Network).<br>WinEvent 7045 (DC01): PSEXESVC service installed. |
| 10 | Discovery | T1083 | File and Directory Discovery | Executes legacy command-line utilities (dir /c) on DC01 to locate sensitive data within C:\c-suite-docs. | Sysmon EID 1 (DC01): cmd.exe executing directory enumeration, spawned by an unknown binary. |

Phase 5: Actions on Objectives (Collection, Impact & Stealth)

Objective: Steal sensitive documents, solidify deep persistence, disable telemetry, and execute disruptive ransom payloads.

| Step | Phase (Tactic) | Technique ID | Technique Name | Lab Action (Procedure via Caldera) | Expected Log Source / Event ID (Splunk) |
|---|---|---|---|---|---|
| 11 | Collection & Exfiltration | T1560.001<br>T1041 | Archive via Utility<br>Exfiltration Over C2 | Uses Compress-Archive to package targeted PDFs into loot.zip, exfiltrates it via System.Net.WebClient, and deletes the archive. | WinEvent 4104 (DC01): PowerShell script block logging the Compress-Archive cmdlet.<br>Sysmon EID 11 (DC01): loot.zip creation. |
| 12 | Persistence | T1546.003 | WMI Event Subscription | Deploys a stealthy WMI CommandLineEventConsumer (named "updater") that triggers payload execution based on system uptime on DC01. | Sysmon EID 19, 20, 21 (DC01): WmiEventFilter, WmiEventConsumer, and WmiEventConsumerToFilter activity detected. |
| 13 | Defense Impairment | T1685 | Disable or Modify Tools | Executes fltmc.exe unload SysmonDrv from an administrative command prompt to unload the Sysmon filter and halt logging on DC01. | Sysmon EID 1 (DC01): fltmc.exe execution. (Note: Visibility drops immediately after this step.) |
| 14 | Impact | T1490 | Inhibit System Recovery | Executes vssadmin.exe delete shadows /all /quiet to destroy all Volume Shadow Copies and hinder incident recovery. | Blind spot (Sysmon unloaded). Alternative: WinEvent 4688 (DC01): vssadmin.exe execution, if enabled. |
| 15 | Impact | T1486 | Data Encrypted for Impact | Executes a PowerShell loop to simulate ransomware by appending a .ransom extension to all PDF files in the target directory. | Blind spot (Sysmon unloaded). Alternative: File Server Auditing (WinEvent 4663): Massive file modification events. |
| 16 | Stealth | T1070.006 | Indicator Removal on Host: Timestomp | Uses PowerShell to modify the $STANDARD_INFORMATION timestamps (CreationTime, LastWriteTime, LastAccessTime) of the payload and .ransom files to 01/01/2010. | Blind spot (Sysmon unloaded). |
| 17 | Impact | T1491.001 | Defacement: Internal Defacement | Downloads ransom.jpg to the Public folder and utilizes C# SystemParametersInfo via PowerShell to change the DC01 wallpaper to a ransom note. | Blind spot (Sysmon unloaded). Alternative: WinEvent 4657 (DC01): Modification of Desktop Wallpaper registry keys. |
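Added example (not from the playbook): detection logic for the step 13 blind spot on DC01. It flags the fltmc unload in Sysmon EID 1 and, independently of that, any host whose Sysmon stream goes silent while its Security log keeps arriving, so the visibility drop itself becomes an alert; the step 14 WinEvent 4688 fallback is included. All events, timestamps and command lines are constructed.

```python
"""Telemetry-gap and fallback detection for the Phase 5 blind spot."""
from datetime import datetime, timedelta

T0 = datetime(2026, 5, 3, 12, 0, 0)
# Constructed events: (utc_time, host, channel, event_id, command_line).
# Sysmon EID 1 arrives every 30 s for ten minutes, then the filter is unloaded;
# the Security log (4688) keeps arriving for another fifteen minutes.
EVENTS = [
    (T0 + timedelta(seconds=s), "DC01", "Sysmon", 1, "whoami.exe")
    for s in range(0, 600, 30)
] + [
    (T0 + timedelta(seconds=600), "DC01", "Sysmon", 1, "fltmc.exe unload SysmonDrv"),
] + [
    (T0 + timedelta(seconds=s), "DC01", "Security", 4688, cmd)
    for s, cmd in [(30, "cmd.exe"), (300, "cmd.exe"),
                   (640, "vssadmin.exe delete shadows /all /quiet"),
                   (900, "powershell.exe"), (1500, "cmd.exe")]
]


def sysmon_gaps(events, max_silence_s=300):
    """Hosts whose last Sysmon event is older than max_silence_s while other channels continued."""
    last_sysmon, last_other = {}, {}
    for ts, host, channel, *_ in events:
        table = last_sysmon if channel == "Sysmon" else last_other
        table[host] = max(table.get(host, ts), ts)
    return [(h, last_sysmon[h], last_other[h]) for h in last_sysmon
            if h in last_other
            and (last_other[h] - last_sysmon[h]).total_seconds() > max_silence_s]


def unload_indicators(events):
    """Step 13: the filter-driver unload is the last thing Sysmon EID 1 sees before it goes dark."""
    return [(ts, host) for ts, host, ch, eid, cmd in events
            if ch == "Sysmon" and eid == 1
            and all(w in cmd.lower() for w in ("fltmc", "unload", "sysmondrv"))]


def recovery_inhibit_4688(events):
    """Step 14 fallback: WinEvent 4688 still records vssadmin shadow deletion after Sysmon is gone."""
    return [(ts, host) for ts, host, ch, eid, cmd in events
            if ch == "Security" and eid == 4688
            and cmd.lower().startswith("vssadmin") and "delete shadows" in cmd.lower()]


if __name__ == "__main__":
    print("sysmon gaps:", sysmon_gaps(EVENTS))
    print("unload seen:", unload_indicators(EVENTS))
    print("vssadmin via 4688:", recovery_inhibit_4688(EVENTS))
```

The gap check only works if Process Creation auditing (4688) or another channel keeps flowing from the host, which is also what makes the step 14 and 17 alternatives possible.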