01 OSI & TCP/IP Model (REFERENCE): Map each layer to a real protocol
OSI 7-Layer Stack
Key Concept
Encapsulation: Each layer wraps data from the layer above by adding its own header. At Layer 2 a trailer is also added. This is called a PDU (Protocol Data Unit).
TCP/IP vs OSI Mapping
TCP/IP Layer | OSI Layers | Example Protocols | Ficsit Context
Application | 5, 6, 7 | HTTP/S, SMTP, DNS, TLS, SMB | OWA (Exchange), FIC-WEB-01, DNS via FIC-DC-01
Transport | 4 | TCP, UDP | Port 443 (OWA), 445 (SMB), 389 (LDAP)
Internet | 3 | IP, ICMP, BGP, OSPF | 192.168.x.x internal, 10.0.1.x AWS cloud
Link | 1, 2 | Ethernet, ARP, 802.1Q, Wi-Fi | VLANs separating Server/Workstation/DMZ subnets
Analyst Tip
When triaging an alert, identify which OSI layer the attack targets. ARP poisoning = Layer 2. IP spoofing = Layer 3. SYN flood = Layer 4. SQL injection = Layer 7. This tells you which controls can detect or prevent it.
Exercise
RESEARCH-STATION-01 (192.168.3.45) made an outbound TCP connection to 185.220.101.42:4444. Which OSI layers are relevant to detecting this? Hint: think about what each tool sees — firewall (L3/L4), IDS (L4/L7), endpoint (L7).
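The encapsulation described under Key Concept, worked for the exercise's outbound connection, as an added example that is not code from the lab: it builds an Ethernet/IPv4/TCP SYN from RESEARCH-STATION-01 to 185.220.101.42:4444 one header at a time, then peels it back to show which fields a Layer 2 switch, a Layer 3/4 firewall and a Layer 4 inspector actually see. The gateway MAC and the IPv4 identification value are constructed sample values; the workstation MAC is the one in the lab's ARP table.

```python
"""Build and decapsulate an Ethernet/IPv4/TCP frame to show encapsulation.

Added example, not code from the lab page. The gateway MAC and the IP
identification value are constructed; the IPs, source port 49800 and port
4444 come from the lab's RESEARCH-STATION-01 -> 185.220.101.42 scenario.
"""
import socket
import struct

# Workstation MAC as listed in the lab's ARP table; gateway MAC is assumed.
WS_MAC = bytes.fromhex("aabbccdd0345")
GW_MAC = bytes.fromhex("aabbccdd0002")


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words. Returns 0 when run
    over a header that already carries a correct checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Layer 4: 20-byte TCP header, no options; flags=0x02 is a bare SYN."""
    # seq, ack, (data offset 5 words << 12) | flags, window, checksum, urgent
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags,
                       65535, 0, 0)


def ipv4_header(src: str, dst: str, payload_len: int) -> bytes:
    """Layer 3: 20-byte IPv4 header wrapping payload_len bytes of TCP."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                      0x4000, 64, socket.IPPROTO_TCP, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def ethernet_frame(src_mac: bytes, dst_mac: bytes, payload: bytes) -> bytes:
    """Layer 2: 14-byte Ethernet II header; EtherType 0x0800 means IPv4.
    The Layer 2 trailer (FCS) is added by the NIC and omitted here."""
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + payload


def encapsulate_syn(src_ip, dst_ip, sport, dport, src_mac=WS_MAC, dst_mac=GW_MAC):
    """Wrap top-down: the TCP segment becomes the IP payload, the IP packet
    becomes the Ethernet payload. Each step adds exactly one header (PDU)."""
    segment = tcp_header(sport, dport, 0x02)
    packet = ipv4_header(src_ip, dst_ip, len(segment))
    return ethernet_frame(src_mac, dst_mac, packet + segment)


def decapsulate(frame: bytes) -> dict:
    """Peel the headers bottom-up and record what each OSI layer exposes:
    L2 sees only MACs, L3 sees IPs (what a firewall matches), L4 sees
    ports and flags (what an IDS keys a port-4444 rule on)."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    tcp = frame[14 + ihl:14 + ihl + 20]
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = struct.unpack("!H", tcp[12:14])[0] & 0x01FF
    return {
        "L2": {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":")},
        "L3": {"src_ip": socket.inet_ntoa(ip[12:16]),
               "dst_ip": socket.inet_ntoa(ip[16:20]),
               "proto": ip[9], "checksum_ok": ip_checksum(ip) == 0},
        "L4": {"sport": sport, "dport": dport, "syn": bool(flags & 0x02)},
    }
```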
OSI Model — Instructor Notes
The OSI model is the foundation analysts use to reason about where in the stack an attack occurs and which tools can see it. Walk through each layer by clicking it — emphasize that most modern attacks operate at Layer 7 (Application) because it's the hardest to inspect at scale. The TCP/IP model is what's actually implemented, but OSI gives us the vocabulary for precise troubleshooting and security analysis.
Analyst Note
The Ficsit incident starts at Layer 7 (email attachment / macro), uses Layer 4 TCP to establish C2 on port 4444, and the ARP poisoning detected in Section 8 is a Layer 2 attack. Having students map attack techniques to OSI layers is a high-value exercise for SOC training.
02 IP Addressing & Subnetting (SUBNET CALC): Identify Ficsit's network boundaries
Ficsit Inc. IP Scheme
192.168.0.0/24 · Perimeter / Security · 254 hosts
  FIC-VPN-01 .1 · FIC-FW-01 .2
192.168.1.0/24 · Server Infrastructure · 254 hosts
  FIC-DC-01 .2 · FIC-EXCH-01 .3 · FIC-FILE-01 .4
  FIC-WEB-01 .10 · FIC-DB-01 .11 · FIC-DB-02 .12
  FIC-SHAREPOINT-01 .20 · FIC-BACKUP-01 .30
192.168.2.0/24 · DevOps · 254 hosts
  FIC-JENKINS-01 .10
192.168.3.0/24 · Workstations · IOC
  RESEARCH-STATION-01 .45 ← compromised
  ENGINEER-WS-01 .22 · ANALYST-LT-02 .78
  FINANCE-WS-01 .91
10.0.1.0/24 · Cloud — AWS Production · AWS VPC
  FICSIT-PROD-WEB-01 .100 · FICSIT-PROD-APP-01 .101
  FICSIT-PROD-DB-01 .200
Incident Context
192.168.3.45 (RESEARCH-STATION-01, marcus.chen) shows active C2 traffic to 185.220.101.42. Network segmentation between this subnet and Server Infrastructure is critical.
Subnet Calculator (result shown for 192.168.1.0/24)
Network Address: 192.168.1.0
Broadcast Address: 192.168.1.255
Subnet Mask: 255.255.255.0
Usable Hosts: 254
First Usable IP: 192.168.1.1
Last Usable IP: 192.168.1.254
Key Concept
A /24 subnet has 256 addresses: 1 network address, 1 broadcast, and 254 usable hosts. A /25 gives you 2 subnets of 126 hosts each — useful for splitting server vs. management traffic on the same physical range.
Exercise
Ficsit's security team wants to split the Workstation subnet (192.168.3.0/24) into two — one for Engineering and one for Finance. What /25 subnets would you create? Use the calculator: try 192.168.3.0/25 and 192.168.3.128/25.
Analyst Tip
When you see an IP in an alert, first determine which subnet it belongs to. This tells you the asset category (workstation, server, cloud) and which firewall rules apply. 192.168.3.45 in a workstation subnet making connections to 192.168.1.11 (DB server) on port 1433 is immediately suspicious.
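The calculator's fields, the /25 split from the exercise and the "which subnet is this IP in" lookup from the tip, as an added example that is not the lab's own calculator code. The subnet table is transcribed from the IP scheme above; the category labels are ours, and anything outside those subnets is reported as external.

```python
"""Subnet lookup and /25 split for the Ficsit IP scheme.

Added example, not code from the lab page. The subnet-to-category table is
transcribed from the lab's IP scheme; the category names are our labels.
"""
import ipaddress

# Ficsit subnets as listed in the lab's IP scheme (section 02).
FICSIT_SUBNETS = {
    "192.168.0.0/24": "Perimeter / Security",
    "192.168.1.0/24": "Server Infrastructure",
    "192.168.2.0/24": "DevOps",
    "192.168.3.0/24": "Workstations",
    "10.0.1.0/24": "Cloud - AWS Production",
}


def classify(ip: str) -> str:
    """Return the asset category for an IP, or 'external' if it is in no
    Ficsit subnet (public addresses such as the C2 at 185.220.101.42)."""
    addr = ipaddress.ip_address(ip)
    for net, label in FICSIT_SUBNETS.items():
        if addr in ipaddress.ip_network(net):
            return label
    return "external"


def subnet_facts(cidr: str) -> dict:
    """The same six fields the lab's subnet calculator displays."""
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())          # excludes network and broadcast
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "mask": str(net.netmask),
        "usable_hosts": len(hosts),
        "first_usable": str(hosts[0]),
        "last_usable": str(hosts[-1]),
    }


def split(cidr: str, new_prefix: int) -> list:
    """Split a subnet into equal pieces, e.g. a /24 into two /25s."""
    return [str(s) for s in ipaddress.ip_network(cidr).subnets(new_prefix=new_prefix)]


def is_cross_segment(src: str, dst: str) -> bool:
    """True when src and dst sit in different Ficsit segments: the
    East-West case the tip says to treat as suspicious when a workstation
    reaches a server port such as 1433."""
    return classify(src) != classify(dst)
```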
IP Addressing — Instructor Notes
Subnetting is often the most anxiety-inducing topic in networking courses. The subnet calculator here removes the math anxiety and lets students focus on the security implications — specifically, why we segment networks. Walk through the Ficsit IP scheme from top to bottom. Ask: "Why would you put servers and workstations on different subnets?" The answer is firewall control and containment.
Analyst Note
The Ficsit architecture has five subnets but only enforces segmentation at the perimeter firewall. Internal East-West traffic between subnets flows through the core switch without inspection — this is exactly why RESEARCH-STATION-01 was able to reach FIC-DB-01:1433 and FIC-FILE-01:445 during the lateral movement phase in Section 11.
03 DNS Resolution (DIG): Follow a query from client to authoritative
DNS Resolution Chain
Query: exch01.ficsit-pioneer.corp

Step 1 (Client, RESEARCH-STATION-01): 192.168.3.45 → 192.168.1.2:53
Recursive query sent from workstation to FIC-DC-01 (corporate DNS server). The client doesn't know the answer and asks the resolver to find it.
  src: 192.168.3.45:52341 dst: 192.168.1.2:53
  query: exch01.ficsit-pioneer.corp A
  type: Recursive query

Step 2 (Recursive Resolver, FIC-DC-01): 192.168.1.2 → 8.8.8.8:53 (cache miss, forwarding upstream)
FIC-DC-01 checks its local zone file for ficsit-pioneer.corp — it IS the authoritative server for this zone. Cache miss means it never resolved exch01 before since it was just rebooted.
  Forwards to: 8.8.8.8 (Google DNS forwarder)
  TTL cache miss: First query for this record

Step 3 (Root Nameserver "."): 8.8.8.8 → a.root-servers.net (+2ms)
The root servers don't know the answer but know who handles the .corp TLD. They return a referral.
  Response: Referral to .corp TLD nameservers
  NS records: a.corp-servers.net, b.corp-servers.net

Step 4 (TLD .corp Nameserver): 8.8.8.8 → .corp TLD server (+5ms)
The .corp TLD server knows which nameserver handles ficsit-pioneer.corp and returns another referral.
  Response: Referral to ns1.ficsit-pioneer.corp
  Glue record: ns1.ficsit-pioneer.corp → 192.168.1.2

Step 5 (Authoritative NS, FIC-DC-01): ns1.ficsit-pioneer.corp (+8ms total, answer returned)
FIC-DC-01 is authoritative for ficsit-pioneer.corp. It responds with the A record for exch01.
  Answer: exch01.ficsit-pioneer.corp A 192.168.1.3
  TTL: 3600 (1 hour)
  Auth: aa=1 (authoritative answer)

✓ Answer: exch01.ficsit-pioneer.corp → 192.168.1.3
DNS Record Types
A | IPv4 address record — maps hostname to IP
AAAA | IPv6 address record
MX | Mail exchange — where to send email
CNAME | Canonical name — DNS alias
TXT | Text record — SPF, DKIM, domain verification
PTR | Reverse lookup — IP to hostname
NS | Nameserver — authoritative DNS servers
SOA | Start of Authority — zone metadata
Simulated dig Output
; <<>> DiG 9.18 <<>> ficsit-pioneer.corp A
;; QUESTION SECTION:
;ficsit-pioneer.corp.          IN  A

;; ANSWER SECTION:
ficsit-pioneer.corp.   3600   IN  A   192.168.1.2

;; Query time: 2 msec
;; SERVER: 192.168.1.2#53(FIC-DC-01)
;; WHEN: 2026-05-28 14:22:01 UTC
Security Note — DNS Tunneling
During the Ficsit incident, RESEARCH-STATION-01 made a TXT query to d3adbeef123456789.update.microsoft-cdn-verify.net — a DGA-like domain. Attackers encode data in DNS queries to exfiltrate data through firewalls that allow DNS traffic. TXT queries with unusually long subdomains are a key indicator.
DNS Resolution — Instructor Notes
DNS is the single most important protocol for threat hunting. Nearly every attack uses DNS — for C2 resolution, for domain generation algorithms, and for data exfiltration via DNS tunneling. Walk through the resolution chain step by step, clicking each hop. Emphasize that FIC-DC-01 is both the corporate DNS server AND the domain controller — this is common in Windows environments and means DNS logs on the DC are gold for analysts.
Analyst Note
The DGA domain in the security note (d3adbeef123456789.update.microsoft-cdn-verify.net) is exactly what analysts saw in the SIEM during the Ficsit incident. The subdomain is 21 hex characters — consistent with algorithmically generated names. A PTR reverse lookup for 185.220.101.42 from RESEARCH-STATION-01 (visible in Section 10 DNS logs) is another indicator — why would a workstation try to resolve a Tor exit node?
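A detector for the indicators this section describes (TXT queries, long hex-looking subdomains, a burst of distinct random names under one parent domain), as an added example that is not the lab's code. The log line layout "timestamp client qtype qname" and the sample lines are constructed around the lab's domain; real resolver logs need their own parser.

```python
"""Score DNS query-log lines for tunneling / DGA indicators.

Added example, not code from the lab page. The log line format below is a
constructed "timestamp client qtype qname" layout; real resolver logs differ
and need their own parser.
"""
import math
import re
from collections import defaultdict

# Constructed sample log lines. The TXT queries under microsoft-cdn-verify.net
# mirror the lab's indicator; the other lines are normal corporate lookups.
SAMPLE_LOG = """\
2026-05-28T14:22:01Z 192.168.3.45 A exch01.ficsit-pioneer.corp
2026-05-28T14:22:05Z 192.168.3.22 A www.microsoft.com
2026-05-28T14:22:09Z 192.168.3.45 TXT d3adbeef123456789.update.microsoft-cdn-verify.net
2026-05-28T14:22:10Z 192.168.3.45 TXT 9f1e2d3c4b5a69788.update.microsoft-cdn-verify.net
2026-05-28T14:22:11Z 192.168.3.45 TXT 00ffee11223344556.update.microsoft-cdn-verify.net
2026-05-28T14:22:30Z 192.168.3.78 A fic-file-01.ficsit-pioneer.corp
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
HEX_RE = re.compile(r"^[0-9a-f]+$")


def shannon_entropy(s: str) -> float:
    """Bits per character: encoded payload labels score well above words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def parse(log: str):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qtype, qname = m.groups()
            yield {"ts": ts, "client": client, "qtype": qtype.upper(),
                   "qname": qname.lower().rstrip(".")}


def score_query(q: dict, max_label: int = 12, min_entropy: float = 3.0) -> list:
    """Return the indicators a single query trips (empty list = clean).
    The leftmost label is where tunneled data and DGA output live."""
    first = q["qname"].split(".")[0]
    hits = []
    if q["qtype"] in ("TXT", "NULL"):
        hits.append("uncommon-qtype:" + q["qtype"])
    if len(first) > max_label:
        hits.append(f"long-label:{len(first)}")
    if len(first) >= 8 and HEX_RE.match(first):
        hits.append("hex-only-label")
    if shannon_entropy(first) >= min_entropy:
        hits.append("high-entropy-label")
    return hits


def hunt(log: str, min_hits: int = 2) -> dict:
    """Group flagged queries by (client, parent domain) so a burst of
    distinct random subdomains under one parent stands out as one finding."""
    findings = defaultdict(list)
    for q in parse(log):
        hits = score_query(q)
        if len(hits) >= min_hits:
            parent = ".".join(q["qname"].split(".")[-3:])
            findings[(q["client"], parent)].append((q["qname"], hits))
    return dict(findings)
```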
04 TCP Connections & Ports (NETSTAT): Understand what 'established' means in a connection table
3-Way Handshake: RESEARCH-STATION-01 → FIC-EXCH-01:443
  1. SYN (Client → Server)
  2. SYN-ACK (Server → Client)
  3. ACK (Client → Server)
  → State: ESTABLISHED
4-Way Teardown
SYN Flood Attack
An attacker sends thousands of SYN packets without completing the handshake. The server allocates memory for each half-open connection. When the table fills, the server can't accept new connections — this is a Layer 4 denial of service attack.
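A server-side connection table as a small state machine, as an added example that is not part of the lab: it shows the handshake moving an entry to ESTABLISHED, the teardown removing it, and what the SYN flood paragraph describes, half-open SYN_RECV entries filling the backlog until new SYNs are dropped. The backlog size and client ports are constructed values, and the teardown is simplified to send the server's FIN immediately after the client's.

```python
"""Minimal server-side TCP connection table: handshake, teardown, SYN flood.

Added example, not code from the lab page. Backlog size and client ports are
constructed values; the teardown is simplified (server FIN follows the
client FIN at once, so CLOSE_WAIT is skipped).
"""


class TcpListener:
    """Tracks one listening socket's connection table, keyed by (ip, port)."""

    def __init__(self, backlog: int = 8):
        self.backlog = backlog           # max half-open (SYN_RECV) entries
        self.table = {}                  # (client_ip, client_port) -> state
        self.dropped_syns = 0

    def half_open(self) -> int:
        return sum(1 for s in self.table.values() if s == "SYN_RECV")

    def on_segment(self, client: tuple, flags: set) -> str:
        """Apply one client segment; returns that client's resulting state.
        flags is a set drawn from {'SYN', 'ACK', 'FIN', 'RST'}."""
        state = self.table.get(client, "LISTEN")
        if state == "LISTEN" and flags == {"SYN"}:
            if self.half_open() >= self.backlog:
                self.dropped_syns += 1   # backlog full: SYN silently dropped
                return "LISTEN"
            self.table[client] = "SYN_RECV"      # server has sent SYN-ACK
        elif state == "SYN_RECV" and flags == {"ACK"}:
            self.table[client] = "ESTABLISHED"   # third packet: handshake done
        elif state == "ESTABLISHED" and "FIN" in flags:
            self.table[client] = "LAST_ACK"      # client FIN acked, server FIN sent
        elif state == "LAST_ACK" and flags == {"ACK"}:
            del self.table[client]               # client acked our FIN
            return "CLOSED"
        elif "RST" in flags and client in self.table:
            del self.table[client]
            return "CLOSED"
        return self.table.get(client, "LISTEN")

    def established(self) -> list:
        return sorted(c for c, s in self.table.items() if s == "ESTABLISHED")


def legit_session(listener: TcpListener, client: tuple) -> str:
    """Full three-way handshake then four-way teardown for one client."""
    listener.on_segment(client, {"SYN"})
    listener.on_segment(client, {"ACK"})
    assert listener.table[client] == "ESTABLISHED"
    listener.on_segment(client, {"FIN", "ACK"})   # client starts teardown
    return listener.on_segment(client, {"ACK"})    # client acks server FIN


def syn_flood(listener: TcpListener, attacker_ip: str, count: int) -> int:
    """SYNs from many source ports that never complete the handshake.
    Returns how many SYNs were dropped once the backlog filled."""
    for port in range(40000, 40000 + count):
        listener.on_segment((attacker_ip, port), {"SYN"})
    return listener.dropped_syns
```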
Port Lookup
Port: 443   Service: HTTPS   Protocol: TCP
Description: HTTP over TLS — web traffic encrypted with SSL/TLS
Ficsit use: FIC-WEB-01, FIC-EXCH-01 (OWA), FICSIT-PROD-WEB-01
Risk: Low on servers; HTTPS from workstations to unknown IPs warrants inspection
Active Connections — RESEARCH-STATION-01 (192.168.3.45) — netstat -an
Local Address | Remote Address | State | PID | Process
192.168.3.45:52341 | 192.168.1.2:389 | ESTABLISHED | 824 | lsass.exe
192.168.3.45:49221 | 192.168.1.3:443 | ESTABLISHED | 4820 | OUTLOOK.EXE
192.168.3.45:51009 | 192.168.1.2:88 | ESTABLISHED | 824 | lsass.exe
192.168.3.45:50122 | 192.168.1.4:445 | TIME_WAIT | - | -
0.0.0.0:445 | 0.0.0.0:* | LISTEN | 4 | System
0.0.0.0:139 | 0.0.0.0:* | LISTEN | 4 | System
192.168.3.45:49800 | 185.220.101.42:4444 | ESTABLISHED | 7132 | svc32.exe ⚠
192.168.3.45:49710 | 192.168.1.2:636 | ESTABLISHED | 824 | lsass.exe
Suspicious Finding
svc32.exe (PID 7132) has an ESTABLISHED connection to 185.220.101.42:4444 — a known Tor exit node and C2 address. Port 4444 is not a standard service port. This is the active C2 callback from RESEARCH-STATION-01.
TCP Connections — Instructor Notes
The connection table is one of the most valuable artifacts during incident response — it shows exactly what a host is talking to right now. Walk through the normal connections (LDAP to DC, HTTPS to Exchange, Kerberos) and then stop at svc32.exe:4444. Ask: "What's wrong with this picture?" The process name, the non-standard port, and the external IP all scream C2.
Analyst Note
The netstat output is a live artifact — if you collect it during an incident, it tells you which connections are active at that exact moment. Unlike log files, it can't be deleted retroactively. Always capture netstat output before isolating a compromised host — isolation kills the connections and you lose this data. In the Ficsit case, svc32.exe at PID 7132 is the persistence mechanism — kill the process and remediate the run key.
05 Packet Capture & Analysis (WIRESHARK): One packet in this capture is suspicious — find it
Packet list: 25 packets (columns: No. | Time | Source | Destination | Protocol | Len | Info)
Packet Capture — Instructor Notes
Have students apply the filter tcp.port==4444 first — this immediately highlights the suspicious packet. Then clear the filter and ask them to find it without guidance. The key indicators are: non-standard port, external IP (185.220.101.42 is not in the 192.168.x.x range), and the source being RESEARCH-STATION-01 which we've already identified as compromised.
Analyst Note
In a real Wireshark capture, you'd apply ip.addr == 185.220.101.42 to isolate all traffic to/from the C2 server. You can then use "Follow TCP Stream" to see the full conversation — if it's unencrypted C2, you might see commands. If it's TLS-wrapped (common in modern C2 frameworks), you'd look at certificate metadata for the domain, which often uses self-signed certs or expired certificates.
06 Firewall Rules & ACLs (NGFW): Rule order determines what's allowed — trace the match
FIC-FW-01 — NGFW Rulebase (evaluated top-down, first match wins)
# | Action | Proto | Source | Destination | Port(s) | Description
Traffic Tester (inputs: Source IP · Destination IP · Destination Port · Protocol)
First Match Wins
Firewall rules are evaluated from top to bottom. The first rule that matches the traffic determines the outcome. Rules below it are never evaluated. This is why an ALLOW rule above a BLOCK rule will always win.
Exercise
Test these traffic flows and explain the outcome:
1. 192.168.3.45 → 192.168.1.2:389 TCP (RESEARCH-STATION-01 → DC LDAP)
2. 203.0.113.5 → 192.168.1.0/24:3389 TCP (External → RDP attempt)
3. 192.168.3.45 → 192.168.2.10:8080 TCP (Workstation → Jenkins)
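A first-match-wins evaluator for the three exercise flows, plus a shadowing check for the "ALLOW above BLOCK" mistake the principle warns about, as an added example that is not the lab's rulebase or code. Only rules #4, #9 and the final deny (#11) are described on this page; the other rows below are assumptions added so the three flows can be evaluated, so outcomes are for this constructed rulebase.

```python
"""First-match-wins firewall rule evaluator with a shadowed-rule check.

Added example, not the lab's own rulebase or code. Only rules #4, #9 and #11
are described on the lab page; rows marked "(assumed)" are stand-ins so
the exercise flows can be evaluated.
"""
import ipaddress


def _net(cidr: str):
    return ipaddress.ip_network(cidr, strict=False)


# (id, action, proto, source, destination, ports or None=any, description)
RULES = [
    (1, "ALLOW", "tcp", "192.168.3.0/24", "192.168.1.2/32", {53, 88, 389, 445, 636}, "Workstations -> DC core services (assumed)"),
    (2, "ALLOW", "udp", "192.168.3.0/24", "192.168.1.2/32", {53, 88}, "Workstations -> DC DNS/Kerberos UDP (assumed)"),
    (3, "ALLOW", "tcp", "0.0.0.0/0", "192.168.1.3/32", {443}, "Internet -> OWA (assumed)"),
    (4, "BLOCK", "tcp", "0.0.0.0/0", "192.168.1.0/24", {3389}, "Block external RDP"),
    (9, "BLOCK", "any", "192.168.3.0/24", "192.168.2.0/24", None, "Block workstations -> DevOps"),
    (11, "BLOCK", "any", "0.0.0.0/0", "0.0.0.0/0", None, "Implicit deny-all"),
]


def evaluate(src: str, dst: str, port: int, proto: str, rules=RULES) -> tuple:
    """Return (action, matching rule id, description) for one flow.
    Rules are tried top-down; the first rule whose every field matches
    wins and nothing below it is consulted."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rid, action, rproto, rsrc, rdst, ports, desc in rules:
        if rproto not in ("any", proto.lower()):
            continue
        if s not in _net(rsrc) or d not in _net(rdst):
            continue
        if ports is not None and port not in ports:
            continue
        return action, rid, desc
    raise AssertionError("rulebase has no final deny-all")


def shadowed_rules(rules=RULES) -> list:
    """(rule id, shadowing rule id) pairs: rules that can never match
    because an earlier rule fully covers their proto, source, destination
    and ports. An ALLOW placed above a narrower BLOCK shows up here."""
    shadowed = []
    for i, (rid, _, proto, src, dst, ports, _) in enumerate(rules):
        for prid, _, pproto, psrc, pdst, pports, _ in rules[:i]:
            if pproto not in ("any", proto):
                continue
            if not _net(src).subnet_of(_net(psrc)) or not _net(dst).subnet_of(_net(pdst)):
                continue
            if pports is not None and (ports is None or not ports <= pports):
                continue
            shadowed.append((rid, prid))
            break
    return shadowed
```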
Firewall Rules — Instructor Notes
Firewall rule analysis is a critical SOC skill. Walk through the "first match wins" principle using the tester. The BLOCK rule for external RDP (#4) and the BLOCK for workstations to DevOps (#9) are the two rules to emphasize — they represent the two access control gaps that matter most in the Ficsit architecture. The implicit deny-all at rule #11 is the safety net.
Analyst Note
Notice that rule #9 blocks workstations from reaching DevOps at the perimeter firewall — but if an attacker is already inside 192.168.3.0/24 and there's no internal enforcement on the core switch, the traffic may still reach FIC-JENKINS-01. This is the gap that Section 12 (Hardening) addresses. Internal network segmentation requires both firewall rules AND 802.1Q VLAN enforcement at the switch level.
07 Network Scanning & Recon (NMAP): Understand what an attacker learns from a scan
Command: nmap -sV -sC 192.168.1.0/24 — from RESEARCH-STATION-01 (192.168.3.45)
Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for 192.168.1.2 (FIC-DC-01.ficsit-pioneer.corp)
Host is up (0.0012s latency).
MAC Address: AA:BB:CC:DD:01:02
PORT     STATE SERVICE       VERSION
53/tcp   open  dns           Microsoft DNS 6.1.7601
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
135/tcp  open  msrpc         Microsoft Windows RPC
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP
445/tcp  open  microsoft-ds  Windows Server 2022
636/tcp  open  ldapssl       Microsoft Windows Active Directory LDAP (TLS)
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (GC)
| smb-security-mode: account_used: <blank>; authentication_level: user
| smb2-security-mode: Message signing enabled and required

Nmap scan report for 192.168.1.3 (FIC-EXCH-01.ficsit-pioneer.corp)
Host is up (0.0018s latency).
MAC Address: AA:BB:CC:DD:01:03
PORT    STATE SERVICE    VERSION
25/tcp  open  smtp       Microsoft Exchange smtpd
443/tcp open  https      Microsoft HTTPAPI httpd 2.0 (Exchange OWA)
587/tcp open  submission Microsoft Exchange smtpd

Nmap scan report for 192.168.1.10 (FIC-WEB-01.ficsit-pioneer.corp)
Host is up (0.0021s latency).
MAC Address: AA:BB:CC:DD:01:10
PORT     STATE SERVICE    VERSION
80/tcp   open  http       Apache Tomcat 9.0.56
443/tcp  open  https      Apache Tomcat 9.0.56 (TLS)
8080/tcp open  http-proxy Apache Tomcat 9.0.56 (management interface - exposed!)
| http-title: Apache Tomcat/9.0.56
| http-server-header: Apache-Coyote/1.1

Nmap done: 254 IP addresses (16 hosts up) scanned in 42.3 seconds
Port State Reference
State           Meaning                            Firewall?
open            Service actively listening         No block
closed          Port reachable, no service         No block
filtered        No response — firewall dropping    Blocked
open|filtered   UDP — can't confirm                Uncertain
Vulnerability Finding
FIC-WEB-01 is running Apache Tomcat 9.0.56 with port 8080 (management interface) exposed. Tomcat 9.0 is in the vulnerable range for CVE-2021-44228 (Log4Shell) if Log4j is used by any deployed application. Cross-reference with the software inventory — is Log4j present? This is a critical finding for the vulnerability team.
Exercise
You've identified FIC-WEB-01 is running Tomcat 9.0.56 on port 8080 (management console). What three immediate actions would you recommend to the security team? Consider: (1) whether this port should be exposed, (2) whether Log4Shell applies, and (3) what the Tomcat management console allows an attacker to do if accessed.
Attacker Perspective
From a single nmap scan, an attacker now knows: FIC-DC-01 is a Domain Controller (ports 88, 389, 3268 are AD fingerprints), FIC-EXCH-01 runs Exchange (OWA on 443), and FIC-WEB-01 has an exposed Tomcat management interface. This is enough information to plan targeted exploitation without any credentials.
Network Scanning — Instructor Notes
Network scanning is dual-use — it's what attackers do during reconnaissance, and what defenders do during vulnerability assessment. The key teaching point is that the nmap output tells an attacker everything they need to prioritize their attack. Port 8080 on FIC-WEB-01 is a common mistake — the Tomcat manager should never be exposed to the internal network without authentication, let alone to the internet.
Analyst Note
The SMB signing note on FIC-DC-01 (Message signing enabled and required) is actually a good security configuration — it prevents NTLM relay attacks. However, FIC-WEB-01 and FIC-FILE-01 may not have signing required, making them vulnerable to credential relay attacks. RESEARCH-STATION-01 running nmap against the internal network (visible in Section 10 telemetry) is also a strong indicator of post-compromise reconnaissance by the attacker.
08 ARP & DHCP (ARP): ARP has no authentication — that's a problem
DHCP DORA Process
FINANCE-WS-01 (FINANCE-WS-01.ficsit-pioneer.corp) boots and needs an IP address.

D - Discover. Broadcast: "I need an IP address"
Client broadcasts on UDP 67/68 — it has no IP yet.
  src: 0.0.0.0:68 → dst: 255.255.255.255:67
  type: DHCPDISCOVER
  client MAC: AA:BB:CC:DD:03:91
  hostname: FINANCE-WS-01

O - Offer. DHCP server: "Here's an available IP"
FIC-DC-01 (DHCP server) offers an address from the 192.168.3.0/24 pool.
  src: 192.168.1.2:67 → dst: 255.255.255.255:68
  type: DHCPOFFER
  offered IP: 192.168.3.91
  lease: 8 hours · gateway: 192.168.3.1

R - Request. Client: "I'll take that IP, please confirm"
Client broadcasts acceptance so other DHCP servers know the IP was taken.
  src: 0.0.0.0:68 → dst: 255.255.255.255:67
  type: DHCPREQUEST
  requested IP: 192.168.3.91

A - Acknowledge. DHCP server: "Confirmed. IP is yours."
Server confirms the lease. Client can now use the IP.
  src: 192.168.1.2:67 → dst: 255.255.255.255:68
  type: DHCPACK
  IP: 192.168.3.91 · mask: /24
  DNS: 192.168.1.2 · domain: ficsit-pioneer.corp
DHCP Snooping
DHCP snooping is a switch feature that only allows DHCP responses from trusted ports (your real DHCP server). This prevents rogue DHCP servers from handing out attacker-controlled gateway IPs — a prerequisite for MitM attacks.
ARP Table — FIC-DC-01 (arp -a)
? (192.168.1.2) at aa:bb:cc:dd:01:02 [ether] on eth0
? (192.168.1.3) at aa:bb:cc:dd:01:03 [ether] [C]
? (192.168.1.4) at aa:bb:cc:dd:01:04 [ether] [C]
? (192.168.1.10) at aa:bb:cc:dd:01:10 [ether] [C]
? (192.168.3.45) at aa:bb:cc:dd:03:45 [ether] [C] ← RESEARCH-STATION-01
? (192.168.3.22) at aa:bb:cc:dd:03:22 [ether] [C]
? (192.168.3.78) at aa:bb:cc:dd:03:78 [ether] [C]
? (192.168.3.91) at aa:bb:cc:dd:03:91 [ether] [C] ← DUPLICATE IP DETECTED ⚠
  └─ ARP request for 192.168.1.2 answered by 192.168.3.91
  └─ Possible ARP poisoning: FINANCE-WS-01 impersonating FIC-DC-01
ARP Poisoning Detected
192.168.3.91 (FINANCE-WS-01 — james.okafor) is responding to ARP requests for 192.168.1.2 (FIC-DC-01). This is consistent with an ARP poisoning attack. All traffic from workstations destined for the Domain Controller may be routed through FINANCE-WS-01 first, enabling Man-in-the-Middle interception of authentication traffic including NTLM hashes and LDAP credentials.
Why ARP Has No Authentication
ARP (RFC 826, 1982) was designed for simple LANs with trusted hosts. Any host can send a "gratuitous ARP" claiming any IP-to-MAC mapping — and other hosts will update their ARP tables without question. The fix is Dynamic ARP Inspection (DAI) on managed switches, which validates ARP replies against the DHCP snooping binding table.
ARP & DHCP — Instructor Notes
DHCP and ARP are foundational protocols that analysts rarely think about until something goes wrong. The ARP poisoning alert here ties directly to the james.okafor (FINANCE-WS-01) compromise narrative — if james.okafor's credentials were used to establish persistence, an attacker on FINANCE-WS-01 could use arpspoof or Bettercap to poison the ARP table and intercept authentication traffic from the workstation subnet.
Analyst Note
ARP poisoning is typically detected by monitoring for ARP replies where the same IP appears with different MAC addresses in a short time window. Modern SIEM rules flag this as "ARP anomaly" or "Possible MitM." The Ficsit architecture has DHCP snooping on the server VLAN (Section 12, item 12) but not Dynamic ARP Inspection on edge switches — explaining why this attack wasn't automatically blocked.
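Both detection approaches from this section in code, as an added example that is not the lab's own tooling: the SIEM-style rule (the same IP announced with two different MACs inside a short window) and the Dynamic ARP Inspection check (a reply whose sender MAC does not match the snooping binding for that IP). The ARP reply stream is constructed; the binding table is transcribed from the FIC-DC-01 ARP table above.

```python
"""Detect ARP poisoning from a stream of ARP replies, two ways: the SIEM-style
"same IP, different MAC within a window" rule and a DAI-style check against a
binding table.

Added example, not code from the lab page. The reply events are constructed;
the binding table is transcribed from the lab's FIC-DC-01 ARP table.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Known-good IP -> MAC bindings (what DHCP snooping would have recorded).
BINDINGS = {
    "192.168.1.2": "aa:bb:cc:dd:01:02",    # FIC-DC-01
    "192.168.1.3": "aa:bb:cc:dd:01:03",    # FIC-EXCH-01
    "192.168.3.45": "aa:bb:cc:dd:03:45",   # RESEARCH-STATION-01
    "192.168.3.91": "aa:bb:cc:dd:03:91",   # FINANCE-WS-01
}

# Constructed ARP reply stream: "timestamp sender_ip is-at sender_mac".
# The two replies claiming 192.168.1.2 from the FINANCE-WS-01 MAC are the
# poisoning the lab's ARP table shows.
ARP_REPLIES = """\
2026-05-28T14:20:00Z 192.168.1.2 is-at aa:bb:cc:dd:01:02
2026-05-28T14:20:04Z 192.168.3.45 is-at aa:bb:cc:dd:03:45
2026-05-28T14:21:10Z 192.168.1.2 is-at aa:bb:cc:dd:03:91
2026-05-28T14:21:12Z 192.168.1.2 is-at aa:bb:cc:dd:03:91
2026-05-28T14:21:30Z 192.168.1.3 is-at aa:bb:cc:dd:01:03
"""


def parse_replies(text: str):
    for line in text.splitlines():
        ts, ip, _, mac = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, mac.lower()


def flapping_ips(text: str, window: timedelta = timedelta(minutes=5)) -> dict:
    """SIEM rule: an IP announced with two different MACs inside `window`.
    Returns {ip: [(previous_mac, new_mac, seconds_apart), ...]}."""
    last_seen = {}                  # ip -> (timestamp, mac)
    alerts = defaultdict(list)
    for ts, ip, mac in parse_replies(text):
        prev = last_seen.get(ip)
        if prev and prev[1] != mac and ts - prev[0] <= window:
            alerts[ip].append((prev[1], mac, int((ts - prev[0]).total_seconds())))
        last_seen[ip] = (ts, mac)
    return dict(alerts)


def dai_violations(text: str, bindings: dict = BINDINGS) -> list:
    """Dynamic ARP Inspection logic: a reply whose sender MAC does not match
    the binding for that IP is invalid and would be dropped at the switch.
    Also names the host that owns the offending MAC, which is how the lab
    attributes the attack to FINANCE-WS-01."""
    mac_owner = {m: ip for ip, m in bindings.items()}
    bad = []
    for ts, ip, mac in parse_replies(text):
        expected = bindings.get(ip)
        if expected and mac != expected:
            bad.append({"ts": ts.isoformat(), "claimed_ip": ip, "sender_mac": mac,
                        "mac_belongs_to": mac_owner.get(mac, "unknown")})
    return bad
```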
09 Routing & Path Tracing (TRACEROUTE): Every hop is a potential interception point
Traceroute Simulator
Source: RESEARCH-STATION-01 (192.168.3.45) · Destination: selectable in the simulator
Tor Exit Node Behavior
Tor exit nodes often block ICMP (ping/traceroute) to prevent discovery. If a traceroute shows * * * hops that eventually time out, the destination may be behind Tor or a network that drops ICMP. This is consistent with C2 infrastructure.
Analyst Tip
Compare traceroutes to suspicious IPs from multiple internal hosts. If only the compromised host (RESEARCH-STATION-01) has an active route established to 185.220.101.42, that confirms it's unique to the compromise rather than a shared network artifact.
FIC-FW-01 Route Table (ip route show)
default via 203.0.113.1 dev eth0 proto static metric 100
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.2
192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.254
192.168.2.0/24 dev eth3 proto kernel scope link src 192.168.2.254
192.168.3.0/24 dev eth4 proto kernel scope link src 192.168.3.254
10.0.1.0/24 via 203.0.113.50 dev eth0 proto static    (AWS VPC tunnel)
203.0.113.0/24 dev eth0 proto kernel scope link        (ISP uplink)
blackhole 0.0.0.0/8        (RFC 1122 - this network)
blackhole 127.0.0.0/8      (loopback)
blackhole 169.254.0.0/16   (APIPA - link-local)
blackhole 224.0.0.0/4      (multicast - no external routing)

# BGP summary (ISP peering)
neighbor 203.0.113.1 remote-as 65001    (ISP upstream - AS65001)
neighbor 203.0.113.1 route-filter PREFIX-LIST-INBOUND in
neighbor 203.0.113.1 route-filter PREFIX-LIST-OUTBOUND out
# Prefix lists block bogons and RFC1918 from BGP
Routing Concepts Reference
Term | Meaning | Security Relevance
Default gateway | Route for all unknown traffic | If poisoned via ARP, all external traffic rerouted
Static route | Manually configured path | Attackers may add static routes for persistence
BGP | Internet routing protocol | BGP hijacking can redirect internet traffic
Blackhole | Drop matching traffic silently | Used to null-route known attack sources
Split tunneling | VPN routes only internal traffic | Internet traffic bypasses VPN inspection
Every Hop is a Vantage Point
Each router in a traceroute path sees the full packet headers. A malicious or compromised router can copy all traffic, modify headers, or selectively drop packets. Nation-state actors routinely compromise ISP routers for passive collection. For Ficsit, this means the ISP uplink (hop 3 in the traceroute) is outside their control.
Routing — Instructor Notes
Traceroute is both a diagnostic tool and an intelligence-gathering tool — it reveals network topology including ISP routers and transit paths. Run all four destinations in the simulator. The Tor exit node showing * * * (ICMP blocked) is particularly important — in a real investigation, this confirms the C2 is behind Tor even without direct evidence, because the network behavior is consistent with Tor exit node characteristics.
Analyst Note
The FIC-FW-01 route table shows BGP route filtering (PREFIX-LIST-INBOUND) which blocks bogon prefixes and RFC1918 addresses from being advertised via BGP — this is a good practice (Section 12, item 14). The AWS VPC route to 10.0.1.0/24 via a static route is interesting — if this tunnel were compromised, an attacker could potentially reach the cloud production environment from the internal network without going through the public internet.
10 SIEM Network Telemetry (SIEM): NetFlow without context is noise — add hostnames
Tabs: NetFlow · DNS Logs · Firewall Logs
Columns: Timestamp | Src Host | Src Port | Dst Host | Dst Port | Proto | Bytes | Pkts | Action
SIEM Telemetry — Instructor Notes
Network telemetry in a SIEM is only useful when enriched with hostname context. Raw IP addresses in NetFlow require analysts to look up asset inventories — adding hostname resolution during ingestion dramatically speeds up triage. Walk through all three tabs. The NetFlow tab hides the C2 connection in plain sight among normal traffic. The DNS tab shows the PTR reverse lookup for 185.220.101.42 — a host trying to resolve a Tor exit node's hostname is a major red flag.
Analyst Note
The firewall log tab reveals an important detail: the ALLOW for RESEARCH-STATION-01:4444 outbound before the BLOCK rule fired. This means the C2 connection succeeded at least once — the attacker had a working connection before the security team noticed. In the exercise, students should identify that the ALLOW happened because rule #8 (VPN traffic) matched before rule #11 (deny-all), and the traffic was not yet covered by a specific block rule at that moment in time.
11 Lateral Movement Detection (THREAT HUNT): East-West traffic tells the attacker's story
Active Threat Hunt — Scenario
RESEARCH-STATION-01 (192.168.3.45) has been flagged by EDR with a suspicious process (svc32.exe). You are analyzing network traffic from the past 4 hours to map lateral movement. Flag all indicators of lateral movement and identify the likely exfiltration path. Users: marcus.chen (primary), credentials for james.okafor may be in use after LSASS dump.
Telemetry table (7 rows to flag): Time | Source Host | Src IP | Dest Host | Dst IP | Port | Proto | Bytes | Finding | Flag
Kill Chain Reconstruction
14:20 Normal LDAP query — attacker enumerates AD structure via legitimate protocol.
14:22 SMB auth attempts to DC — credential testing / brute force using harvested hashes.
14:23 SMB probe to Exchange — attacker maps accessible shares after DC access.
14:24 Large SMB read from FILE-01 (45MB) — data staged for exfiltration. Most likely: email archives, HR files, or M&A documents.
14:25–14:26 SQL/PostgreSQL probes to DB servers — unsuccessful, but attacker mapped database attack surface.
14:28 2.1MB outbound to 185.220.101.42:4444 (C2) — staged files exfiltrated via C2 channel. This is the primary exfiltration path.
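The hostname enrichment from section 10 and the lateral-movement pattern reconstructed above, run over NetFlow records in code, as an added example that is not the lab's SIEM content: each flow is enriched with the asset inventory, tagged for East-West SMB/SQL probing, large server-to-workstation reads and external uploads on non-standard ports, and the staging-to-exfiltration window is computed. The flow records are constructed from this section's timeline; byte counts beyond the 45MB and 2.1MB figures are sample values.

```python
"""Enrich NetFlow records with Ficsit hostnames and flag the lateral-movement
pattern the kill chain describes (LDAP -> SMB -> large file read -> C2 exfil).

Added example, not code from the lab page. The flow records are constructed
from the section's timeline; byte counts other than 45MB/2.1MB are samples.
"""
import ipaddress

# Asset inventory transcribed from the lab's IP scheme (section 02).
HOSTS = {
    "192.168.1.2": "FIC-DC-01", "192.168.1.3": "FIC-EXCH-01",
    "192.168.1.4": "FIC-FILE-01", "192.168.1.11": "FIC-DB-01",
    "192.168.1.12": "FIC-DB-02", "192.168.3.45": "RESEARCH-STATION-01",
    "192.168.3.22": "ENGINEER-WS-01",
}
INTERNAL = ipaddress.ip_network("192.168.0.0/16")
SERVERS = ipaddress.ip_network("192.168.1.0/24")
WORKSTATIONS = ipaddress.ip_network("192.168.3.0/24")

# Constructed NetFlow: (time, src_ip, dst_ip, dst_port, proto, bytes_out, bytes_in)
FLOWS = [
    ("14:20", "192.168.3.45", "192.168.1.2", 389, "tcp", 4_200, 38_000),
    ("14:22", "192.168.3.45", "192.168.1.2", 445, "tcp", 9_800, 3_100),
    ("14:23", "192.168.3.45", "192.168.1.3", 445, "tcp", 1_900, 1_200),
    ("14:24", "192.168.3.45", "192.168.1.4", 445, "tcp", 120_000, 45_000_000),
    ("14:25", "192.168.3.45", "192.168.1.11", 1433, "tcp", 600, 0),
    ("14:26", "192.168.3.45", "192.168.1.12", 5432, "tcp", 600, 0),
    ("14:28", "192.168.3.45", "185.220.101.42", 4444, "tcp", 2_100_000, 14_000),
    ("14:29", "192.168.3.22", "192.168.1.3", 443, "tcp", 80_000, 500_000),
]


def name(ip: str) -> str:
    """Hostname from inventory; EXTERNAL for anything outside 192.168/16."""
    if ip in HOSTS:
        return HOSTS[ip]
    return ip if ipaddress.ip_address(ip) in INTERNAL else "EXTERNAL"


def enrich(flow: tuple) -> dict:
    t, src, dst, port, proto, out_b, in_b = flow
    return {"time": t, "src": name(src), "src_ip": src, "dst": name(dst),
            "dst_ip": dst, "port": port, "proto": proto, "out": out_b, "in": in_b}


def findings(flows=FLOWS, stage_bytes=10_000_000, exfil_bytes=1_000_000) -> list:
    """Enriched flows, each with the lateral-movement indicators it trips."""
    results = []
    for f in flows:
        e = enrich(f)
        s, d = ipaddress.ip_address(e["src_ip"]), ipaddress.ip_address(e["dst_ip"])
        tags = []
        if s in WORKSTATIONS and d in SERVERS and e["port"] in (445, 1433, 5432):
            tags.append("east-west:" + {445: "smb", 1433: "mssql", 5432: "postgres"}[e["port"]])
        if s in WORKSTATIONS and e["in"] >= stage_bytes:
            tags.append(f"large-read:{e['in'] // 1_000_000}MB")      # staging
        if d not in INTERNAL and e["out"] >= exfil_bytes:
            tags.append(f"external-upload:{e['out'] // 1_000_000}MB")
        if d not in INTERNAL and e["port"] not in (80, 443, 53):
            tags.append(f"nonstandard-port:{e['port']}")
        e["tags"] = tags
        results.append(e)
    return results


def exfil_path(flows=FLOWS) -> tuple:
    """(staging flow, exfil flow): the largest flagged internal read and the
    first external upload after it. The gap between them is the window in
    which East-West monitoring could have raised the alarm."""
    fs = findings(flows)
    stage = max((f for f in fs if any(t.startswith("large-read") for t in f["tags"])),
                key=lambda f: f["in"], default=None)
    exfil = next((f for f in fs if any(t.startswith("external-upload") for t in f["tags"])
                  and (stage is None or f["time"] > stage["time"])), None)
    return stage, exfil
```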
Lateral Movement — Instructor Notes
This section tells the story of the attack through network telemetry alone. Have students flag all 7 rows before revealing the kill chain summary. The key insight is that lateral movement generates East-West (internal-to-internal) traffic that perimeter firewalls never see — this is why internal network monitoring (NetFlow, SIEM with internal tap points) is essential. The progression from LDAP → SMB → large file read → C2 exfiltration is a textbook data theft pattern.
Analyst Note
The 45MB SMB read from FIC-FILE-01 at 14:24 is the critical data loss event. Without East-West monitoring, this is invisible — the perimeter firewall only sees the final 2.1MB exfiltration to C2. With internal NetFlow collection (a gap identified in Section 12), analysts could have detected the staging at 14:24 before exfiltration at 14:28 — a 4-minute window to respond and block the outbound connection.
12 Hardening Baseline (AUDIT): Defense is only as strong as the weakest segment
Ficsit Inc. Network Security Audit · 2026-05-28
8 / 15 controls implemented · 53% — PARTIAL · Target: 80%+
Hardening Baseline — Instructor Notes
This checklist is the culmination of the entire lab — every MISSING control here directly enabled something we saw in Sections 5-11. The ARP poisoning in Section 8 is possible because of item 11 (ARP inspection only on core switch). The lateral movement in Section 11 was invisible because of item 6 (NetFlow not in SIEM). Walk through each MISSING control and ask: "Which section showed us why this matters?"
Analyst Note
The most impactful missing control for this specific incident is item 8 (East-West IDS/IPS) — if there were an internal IPS sensor on the core switch, the 45MB SMB exfiltration staging at 14:24 would have triggered an alert. Item 13 (802.1X) is the systemic gap — without port authentication, any device plugged into a network port gets access to the workstation VLAN and can start lateral movement.