Handout A: Initial Access and Command Sequence Evidence
Captured from the SOC queue 12 minutes after the first widespread outage reports at the hospital.
Email Header and Endpoint Alert Correlation
From: alerts@it-security.example
To: admin.group@hospital.example
Subject: Urgent account verification required
Received: from mx1.it-security.example (198.51.100.42)
Reply-To: access-update@secure-portal.example
---
EDR Alert Summary
Timestamp: 2026-03-06 18:14 local
Host: CLIN-WS-114
User: clinician.a
Process: powershell.exe -EncodedCommand <redacted>
Outbound: 203.0.113.42:443
Follow-on Host Activity: CLIN-WS-201, ADMIN-WS-009
IM NOTES (Do Not Show to Players):
- The mismatch between the From header and the Reply-To address indicates a credential-harvest pattern.
- The encoded PowerShell command and the outbound connection to an external (TEST-NET documentation range) destination align with staged execution.
- The alert cluster across clinical and administrative hosts indicates a broad foothold established before detonation.
Key Discovery Questions
- What evidence suggests this was not a random outage?
The same execution pattern appears on multiple hosts with coordinated timing and external command retrieval behavior.
- Why is the reply-to mismatch important?
It suggests social engineering with credential redirection, which informs identity and email control remediation steps.
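One way to turn the IM notes and discovery answers above into a repeatable correlation check, run over constructed sample records that mirror this handout (added example, not part of the exercise material; the users on the follow-on hosts, the extra benign alert and the internal network ranges are assumptions):

```python
from ipaddress import ip_address, ip_network

# Constructed sample evidence mirroring Handout A (not real telemetry).
EMAIL_HEADERS = """From: alerts@it-security.example
To: admin.group@hospital.example
Subject: Urgent account verification required
Received: from mx1.it-security.example (198.51.100.42)
Reply-To: access-update@secure-portal.example"""

EDR_ALERTS = [  # users on the follow-on hosts are assumed; the last record is benign
    {"host": "CLIN-WS-114", "user": "clinician.a",
     "process": "powershell.exe -EncodedCommand <redacted>", "outbound": "203.0.113.42:443"},
    {"host": "CLIN-WS-201", "user": "clinician.b",
     "process": "powershell.exe -EncodedCommand <redacted>", "outbound": "203.0.113.42:443"},
    {"host": "ADMIN-WS-009", "user": "admin.c",
     "process": "powershell.exe -EncodedCommand <redacted>", "outbound": "203.0.113.42:443"},
    {"host": "CLIN-WS-300", "user": "clinician.d",
     "process": "outlook.exe", "outbound": "10.20.0.5:443"},
]

# Assumed hospital ranges; ip.is_private is avoided because it also matches TEST-NET.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

def parse_headers(raw):
    """Turn 'Name: value' lines into a dict keyed by lower-cased header name."""
    return {k.strip().lower(): v.strip()
            for k, v in (line.split(":", 1) for line in raw.splitlines() if ":" in line)}
def mail_domain(addr):
    return addr.rsplit("@", 1)[-1].strip("> ").lower()
def reply_to_mismatch(headers):
    """True when Reply-To routes replies to a different domain than From."""
    reply_to = headers.get("reply-to")
    return bool(reply_to) and mail_domain(reply_to) != mail_domain(headers["from"])
def is_staged_execution(alert):
    """Encoded PowerShell plus an outbound connection outside the internal ranges."""
    ip = ip_address(alert["outbound"].rsplit(":", 1)[0])
    external = not any(ip in net for net in INTERNAL_NETS)
    return "-encodedcommand" in alert["process"].lower() and external
def correlate(raw_headers, alerts):
    """Combine the email lure and the EDR cluster into one incident-scoping finding."""
    staged = [a for a in alerts if is_staged_execution(a)]
    return {
        "lure_reply_to_mismatch": reply_to_mismatch(parse_headers(raw_headers)),
        "staged_hosts": [a["host"] for a in staged],
        "shared_external_destination": len({a["outbound"] for a in staged}) == 1,
        "broad_foothold": len({a["host"] for a in staged}) >= 2,
    }
```

A `broad_foothold` of True together with a shared external destination is the signal that scoping must cover every host in the cluster, not just the first alerting workstation.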
IM Facilitation Notes
- Release when participants request initial technical evidence or ask how compromise started.
- Use this handout to reinforce incident scoping and early containment decisions.