Module 13: Incident Response Challenge Labs

IR-200 Challenge Lab 1

Lab Environment

Megacorp One Network Topology
  • DEV - Development Machine for Defensive Teams

  • SPLUNK - Splunk SIEM

  • FILE1 - SMB Shares for departmental file storage

  • INTERNAL1 - Enterprise Applications

  • DC1 - Domain Controller for the Megacorp One Active Directory Domain

  • WK1 - h.jones (IT and Domain Admin)

  • WK2 - e.brown (Human Resources)

  • WK3 - n.harris (Sales)

  • WK4 - c.davis (Finance)

Incident Information

Phase 1 begins when the SOC team notices that several Splunk alerts have been triggered. They escalate the situation to you, a member of the Incident Response team. Your task is to review the triggered alerts, determine which are false positives, and identify the one(s) requiring detailed investigation.

Phase 2 involves performing a forensic analysis on a disk image provided by a colleague from another branch of the company's Incident Response team. Based on their analysis, the disk image may contain the key to decrypt all files affected by a ransomware attack in their branch.

Scoring Mechanism

Enter the required information into flags.exe to obtain a hash. If that hash matches one of the ten provided hashes, submit it as the answer.

Next Steps

Complete the Challenge Lab, then take the exam.
