Handout B: Network Traffic Log

IM NOTE – SELECT ONE VERSION ONLY

Distribute one version only based on Round 1 outcome. Print or display only the selected version – do not show players the other.

  • Version 1 (Contained): Use if players chose Option A (isolate machines) or Option C (full disclosure to Alex, who then ordered isolation)
  • Version 2 (Compromised): Use if players chose Option B (monitor but do not isolate)

VERSION 1 -- CONTAINED (use if Option A or C was chosen in Round 1)

Outbound Network Traffic – Pixel & Co. Workstations
Log window: Wednesday 07:00 – 12:00 UTC
Extracted from firewall and endpoint logs, Wednesday morning.

Timestamp       Src Host            Dst IP              Dst Port  Protocol  Notes
-----------     ------------------  ------------------  --------  --------  -----
07:14:02        PIXEL-WS-03         198.51.100.42       443       HTTPS     Outbound beacon
07:29:01        PIXEL-WS-03         198.51.100.42       443       HTTPS     Outbound beacon
07:44:00        PIXEL-WS-03         198.51.100.42       443       HTTPS     Outbound beacon
07:58:59        PIXEL-WS-03         198.51.100.42       443       HTTPS     Outbound beacon
08:13:58        PIXEL-WS-03         198.51.100.42       443       HTTPS     Outbound beacon
[machine isolated -- no further connections from PIXEL-WS-03]

C2 status:      BEACONING -- No inbound instruction received
File server:    No unauthorized access events detected
Credential data transmitted: browser session tokens only (no inbound response)

Version 1 IM Notes:

The malware was beaconing out every 15 minutes waiting for a C2 instruction, but containment cut the connection before an instruction arrived. The file server is clean.

Key discussion questions for this version:

  • “What was the malware waiting for?” (A C2 instruction – without it, it could not move laterally)
  • “Even though the file server is safe, what still needs to happen?” (Credential reset – the session tokens sent during beaconing may have been captured)

VERSION 2 -- COMPROMISED (use if Option B was chosen in Round 1)

Outbound Network Traffic – Pixel & Co. Workstations
Log window: Wednesday 07:00 – 13:15 UTC
Extracted from firewall and endpoint logs, Wednesday morning.

Timestamp       Src Host            Dst Host / IP                 Dst Port  Protocol  Notes
-----------     ------------------  ----------------------------  --------  --------  -----
07:14:02        PIXEL-WS-03         198.51.100.42                 443       HTTPS     Outbound beacon
07:29:01        PIXEL-WS-03         198.51.100.42                 443       HTTPS     Outbound beacon
07:44:00        PIXEL-WS-03         198.51.100.42                 443       HTTPS     Outbound beacon
07:58:59        PIXEL-WS-03         198.51.100.42                 443       HTTPS     Outbound beacon
08:13:58        PIXEL-WS-03         198.51.100.42                 443       HTTPS     Outbound beacon
12:47:33        198.51.100.42       PIXEL-WS-03                   INBOUND   HTTPS     C2 INSTRUCTION RECEIVED
13:01:04        PIXEL-WS-03         \\pixel-files\presentations   --        SMB       FILE SERVER PROBE -- folder opened
13:01:22        PIXEL-WS-03         \\pixel-files\presentations   --        SMB       File listing retrieved

C2 status:      ACTIVE -- Instruction received 12:47
File server:    UNAUTHORIZED ACCESS at 13:01 -- presentations folder opened
                Files appear intact but cannot be confirmed clean without inspection

Version 2 IM Notes:

The machine was not isolated, so when the C2 server sent an instruction at 12:47pm, the malware acted on it – probing the file server 14 minutes later.

Key discussion questions for this version:

  • “What changed at 12:47?” (The malware received an instruction and shifted from passive beaconing to active lateral movement)
  • “What does ‘files appear intact’ actually mean for Friday?” (The presentation folder was accessed and listed. Files were not confirmed modified, but they cannot be confirmed clean without inspection – and there are 36 hours until the client arrives)
  • “What does this change about your remediation plan?” (File server verification is now required alongside endpoint cleanup)
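
The two things players are meant to read out of this log, the regular 15-minute heartbeat and the shift at 12:47 from passive beaconing to lateral movement, can also be picked out mechanically. The Python below is an added example for IMs who want to show how a SOC would spot the same pattern; it is not part of the handout or of the game's material. It reads a constructed copy of the Version 2 rows above (same TEST-NET address and fictional pixel-files hostname), groups connections by source, destination and port, flags any group whose inter-arrival times are nearly constant as a beacon, then flags inbound contact from that beacon's destination and every later connection the host makes to a new destination. The function names and the thresholds (at least three connections, at most five seconds of jitter) are assumptions chosen for the example, not settings from any real tool.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed copy of the handout's Version 2 rows (times are Wednesday, UTC).
# 198.51.100.42 is RFC 5737 TEST-NET space and pixel-files is a fictional host,
# both taken from the handout itself.
VERSION2_LOG = r"""07:14:02  PIXEL-WS-03    198.51.100.42  443      HTTPS  Outbound beacon
07:29:01  PIXEL-WS-03    198.51.100.42  443      HTTPS  Outbound beacon
07:44:00  PIXEL-WS-03    198.51.100.42  443      HTTPS  Outbound beacon
07:58:59  PIXEL-WS-03    198.51.100.42  443      HTTPS  Outbound beacon
08:13:58  PIXEL-WS-03    198.51.100.42  443      HTTPS  Outbound beacon
12:47:33  198.51.100.42  PIXEL-WS-03    INBOUND  HTTPS  C2 INSTRUCTION RECEIVED
13:01:04  PIXEL-WS-03    \\pixel-files\presentations  --  SMB  FILE SERVER PROBE -- folder opened
13:01:22  PIXEL-WS-03    \\pixel-files\presentations  --  SMB  File listing retrieved
"""
# Version 1 (contained) is the same log cut off after the fifth beacon.
VERSION1_LOG = "\n".join(VERSION2_LOG.splitlines()[:5])


@dataclass
class Event:
    ts: int       # seconds since midnight
    src: str
    dst: str
    port: str     # "443", "INBOUND" or "--", exactly as logged
    proto: str
    notes: str


def to_seconds(hhmmss: str) -> int:
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def fmt(seconds: int) -> str:
    return f"{seconds // 3600:02d}:{seconds % 3600 // 60:02d}:{seconds % 60:02d}"


def parse_log(text: str) -> list[Event]:
    """Whitespace-separated columns: time, src, dst, port, protocol, free-text notes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto, *notes = line.split()
        events.append(Event(to_seconds(ts), src, dst, port, proto, " ".join(notes)))
    return events


def find_beacons(events, min_count=3, max_jitter=5.0):
    """Group connections by (src, dst, port); a group with at least min_count
    connections whose gaps vary by no more than max_jitter seconds is a beacon."""
    by_pair = {}
    for e in events:
        by_pair.setdefault((e.src, e.dst, e.port), []).append(e.ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:
            beacons[pair] = {"count": len(times), "period_s": round(mean(gaps)),
                             "jitter_s": round(pstdev(gaps), 1),
                             "first": fmt(times[0]), "last": fmt(times[-1])}
    return beacons


def c2_contact(events, beacons):
    """Inbound connections from a beacon's destination back to the beaconing host."""
    return [e for (host, c2, _port) in beacons for e in events
            if e.src == c2 and e.dst == host]


def find_lateral(events, beacons):
    """Every connection a beaconing host makes to a new destination after its
    C2 first talked back: the passive-to-active shift the IM notes describe."""
    findings = []
    for (host, c2, _port) in beacons:
        inbound = [e for e in events if e.src == c2 and e.dst == host]
        if not inbound:
            continue
        first = min(inbound, key=lambda e: e.ts)
        for e in sorted(events, key=lambda e: e.ts):
            if e.src == host and e.dst != c2 and e.ts > first.ts:
                findings.append({"host": host, "instruction_at": fmt(first.ts),
                                 "target": e.dst, "proto": e.proto,
                                 "delay_s": e.ts - first.ts, "notes": e.notes})
    return findings


def triage(text: str) -> dict:
    """Summarise a log the way the handout's 'C2 status' line does."""
    events = parse_log(text)
    beacons = find_beacons(events)
    status = "ACTIVE" if c2_contact(events, beacons) else ("BEACONING" if beacons else "QUIET")
    return {"c2_status": status, "beacons": beacons, "lateral": find_lateral(events, beacons)}


if __name__ == "__main__":
    for name, log in (("Version 1", VERSION1_LOG), ("Version 2", VERSION2_LOG)):
        result = triage(log)
        print(f"{name}: C2 status {result['c2_status']}")
        for (src, dst, port), info in result["beacons"].items():
            print(f"  beacon {src} -> {dst}:{port} x{info['count']}, "
                  f"every ~{info['period_s'] // 60} min (jitter {info['jitter_s']} s)")
        for f in result["lateral"]:
            print(f"  lateral {f['host']} -> {f['target']} via {f['proto']} "
                  f"{f['delay_s'] // 60} min after instruction: {f['notes']}")
```

Run it once with each version: Version 1 reports BEACONING with a single five-hit beacon at a 899-second period and no lateral findings, which is why the file server is clean but the session tokens still need resetting; Version 2 reports ACTIVE and lists the two SMB connections to the presentations share, both just over 13 minutes after the inbound instruction. The jitter threshold is the part a real detection would tune: malware with randomised sleep intervals needs a looser bound or a histogram of gaps rather than a single standard deviation.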

IM Facilitation Notes

  • Release this handout at the start of Round 2.
  • Choose your version before showing players anything. The wrong version directly contradicts the Round 1 narrative.
  • Use this artifact to anchor the malmon card reveal moment – when players see the C2 beacon pattern, they have enough to identify FakeBat.
  • C2 address 198.51.100.42 is a TEST-NET address (RFC 5737) – safe for simulation use. File server path uses the fictional pixel-files hostname.