Handout A: Initial Access and Command Sequence Evidence
Captured from SOC queue 12 minutes after the first widespread outage reports at the hospital.
Phishing Email Header and EDR Process Tree
Email Header Analysis + EDR Alert Correlation
From: alerts@it-security.example [198.51.100.42]
Subject: Urgent account verification required
Reply-To: access-update@secure-portal.example
Received: from mail.secure-portal.example ([198.51.100.42]) by cvmc-mail01.cedarvalley.local; 2026-03-06 18:13:47 UTC
Attachment: AccountVerification.docm (68 KB)
EDR Alert — CLIN-WS-114 — 2026-03-06 18:16 UTC — User: clinician.a
outlook.exe NORMAL
WINWORD.exe (AccountVerification.docm) SUSPICIOUS
powershell.exe -WindowStyle Hidden -EncodedCommand [base64] MALICIOUS
[C2 connection] 203.0.113.42:443 — immediate MALICIOUS
powershell.exe [second stage, downloaded] MALICIOUS
Lateral movement from CLIN-WS-114:
18:22 UTC — CLIN-WS-201 (SMB lateral movement)
18:27 UTC — ADMIN-WS-009 (SMB lateral movement — cross-subnet)
AutoOpen macro executed without user prompt. C2 connection established within 4 seconds of document open.
IM NOTES (Do Not Show to Players):
- Header and Reply-To address mismatch (it-security.example vs secure-portal.example) indicates a credential-harvest pattern using Cedar Valley branding.
- Encoded command and outbound connection to 203.0.113.42:443 confirm staged remote execution triggered by the document macro.
- Lateral movement to CLIN-WS-201 (same clinical subnet) and ADMIN-WS-009 (cross-subnet into admin VLAN) within 11 minutes indicates the attacker had pre-positioned SMB capabilities. clinician.a is a frontline ED clinician with no IT administration role – the targeting was deliberate.
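The three observations the IM notes draw from the evidence above (Reply-To domain mismatch, an Office process spawning hidden encoded PowerShell, and an outbound connection seconds later) are exactly the checks a SOC triage script can automate. The following is an added example written for this handout, not part of the exercise material or any vendor's EDR; the event layouts, timestamps and the base64 payload (a harmless placeholder) are constructed from the handout, and the field order is an assumption.

```python
"""Triage helper for Handout A evidence (added example; inputs constructed)."""
import re
from datetime import datetime, timezone

# --- Constructed sample inputs taken from the handout; field layout assumed ---
EMAIL_HEADERS = {
    "From": "alerts@it-security.example",
    "Reply-To": "access-update@secure-portal.example",
    "Received-From-IP": "198.51.100.42",
}

# (timestamp, host, parent image, image, command line)
EDR_EVENTS = [
    ("2026-03-06T18:16:02Z", "CLIN-WS-114", "explorer.exe", "outlook.exe", "outlook.exe"),
    ("2026-03-06T18:16:11Z", "CLIN-WS-114", "outlook.exe", "WINWORD.exe",
     "WINWORD.exe /n AccountVerification.docm"),
    # Placeholder base64 decodes to the harmless UTF-16LE string "Start".
    ("2026-03-06T18:16:11Z", "CLIN-WS-114", "WINWORD.exe", "powershell.exe",
     "powershell.exe -WindowStyle Hidden -EncodedCommand UwB0AGEAcgB0AA=="),
    # Benign admin script: not Office-spawned, not encoded, must not be flagged.
    ("2026-03-06T18:20:30Z", "CLIN-WS-114", "explorer.exe", "powershell.exe",
     "powershell.exe -File C:\\Scripts\\inventory.ps1"),
]

# (timestamp, host, image, remote ip, remote port)
NETWORK_EVENTS = [
    ("2026-03-06T18:16:15Z", "CLIN-WS-114", "powershell.exe", "203.0.113.42", 443),
    ("2026-03-06T18:20:31Z", "CLIN-WS-114", "powershell.exe", "10.20.30.5", 445),
]

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# PowerShell accepts abbreviated switches, so match the common short forms too.
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s", re.I)
HIDDEN_FLAG = re.compile(r"-(?:w|windowstyle)\s+hidden\b", re.I)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def header_domain_mismatch(headers):
    """True when Reply-To routes replies to a different domain than From."""
    return _domain(headers["From"]) != _domain(headers["Reply-To"])


def office_spawned_encoded_powershell(events):
    """PowerShell children of an Office parent that run hidden with -EncodedCommand."""
    hits = []
    for ts, host, parent, image, cmdline in events:
        if (parent.lower() in OFFICE_IMAGES and image.lower() == "powershell.exe"
                and ENCODED_FLAG.search(cmdline) and HIDDEN_FLAG.search(cmdline)):
            hits.append({"ts": _ts(ts), "host": host, "parent": parent, "cmdline": cmdline})
    return hits


def correlate_outbound(spawns, net_events, window_s=10):
    """Pair each suspicious spawn with the first outbound connection by the same
    image on the same host within window_s seconds: (spawn, 'ip:port', delta)."""
    pairs = []
    for spawn in spawns:
        for ts, host, image, ip, port in net_events:
            delta = (_ts(ts) - spawn["ts"]).total_seconds()
            if (host == spawn["host"] and image.lower() == "powershell.exe"
                    and 0 <= delta <= window_s):
                pairs.append((spawn, f"{ip}:{port}", int(delta)))
                break
    return pairs


def triage(headers, edr_events, net_events):
    """Summarise the three findings the handout's IM notes rely on."""
    spawns = office_spawned_encoded_powershell(edr_events)
    c2 = correlate_outbound(spawns, net_events)
    return {
        "reply_to_mismatch": header_domain_mismatch(headers),
        "macro_spawns": len(spawns),
        "first_host": spawns[0]["host"] if spawns else None,
        "c2": [(dest, delta) for _, dest, delta in c2],
    }


if __name__ == "__main__":
    print(triage(EMAIL_HEADERS, EDR_EVENTS, NETWORK_EVENTS))
```

On the constructed input the script reports the Reply-To mismatch, one macro-driven PowerShell spawn on CLIN-WS-114, and the 203.0.113.42:443 connection 4 seconds after it, while the later file-based admin script and its SMB connection are left alone. The 10-second correlation window is a tuning choice: the handout's "within 4 seconds" is what makes the spawn-to-connection pairing strong enough to justify isolating the host before the full process tree is reviewed.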
IM Facilitation Notes
- Release when participants request initial technical evidence or ask how the compromise started.
- Use this handout to reinforce incident scoping and early containment decisions.