Isolate HANSEN-SAP-01

Owner: Alpha (Forensics) / Bravo (Network) Medium 10+

Success (10+): Server isolated from network. Attacker’s persistence point removed. Memory image already captured – no evidence lost. HANSEN-SAP-01 moved to CONTAINED on whiteboard.

Partial (7-9): Network isolated, but HANSEN-SAP-01 has a secondary NIC on the out-of-band management VLAN that was not included in the isolation rule. Primary data path is cut, but the C2 beacon continues at reduced frequency through the backup interface. Teams must identify and block the secondary path.

Failure (6 or below): Legacy system dependency blocks isolation – CaliSyncPro sync process holds an active lock. 30-minute delay while team resolves dependency. Attacker is notified by the failed isolation attempt.

Revoke svc-rdbridge-admin Credential

Owner: Bravo (Network) Medium 10+

Success (10+): Credential revoked in Azure AD. Attacker’s primary lateral movement path through the Collaborative Bridge is closed. All active sessions terminated. Move to CONTAINED on whiteboard.

Partial (7-9): Credential revoked, but the attacker had harvested a second service account credential (svc-calibsync). New NTLM sessions appear within 15 minutes. Release threat clock T1 early if not already played.

Failure (6 or below): Revocation blocked by legacy system integration – the service account is locked to a running CaliSyncPro sync process on HANSEN-SAP-01. Must stop the CaliSyncPro service first, which requires coordination with VP R&D.

Close COLLBRIDGE-EXCL-003 Exception

Owner: Bravo (Network) Medium 10+

Success (10+): Conditional Access exception closed. Zero-trust policies restored – all NTLM authentication from the HANSEN-SAP-01 subnet now requires MFA and is blocked by CA-POLICY-NTLM-BLOCK. Move to CONTAINED on whiteboard.

Partial (7-9): Exception closed in policy, but 3 existing VPN sessions were not terminated. The attacker still has one active session through the bridge until it times out (~45 minutes). Exception is closed for new connections.

Failure (6 or below): CTO Katrine Fønsmark blocks the closure – active R&D synchronization projects depend on the Collaborative Bridge. Play CTO NPC: “I need a decision on GenixLibrary access suspension and the legacy auth exception – R&D cannot proceed without a clean baseline. But closing this without a migration path breaks 3 active projects.”

Take GenixLibrary Offline

Owner: Charlie (Threat Intel & Recovery) Medium 10+

Modifier: +2 if the IC’s approach matches Winnti’s type (patient, preservation-first response – isolate and preserve before eradicate). This is the correct response for a Bug-type malmon.

Success (10+): GenixLibrary taken offline cleanly. All exfiltration stopped. 3 active fermentation programs halted but data integrity preserved. Move to CONTAINED on whiteboard.

Partial (7-9): Primary GenixLibrary instance offline, but a read-only failover mirror activated automatically. The attacker can still access data through the backup path at reduced speed. Teams must find and disable the mirror.

Failure (6 or below): VP R&D Dr. Ida Woetmann blocks the shutdown. Play VP R&D NPC: “We lose 6 weeks of active fermentation experiment data if the shutdown is unclean. I need 2 hours to checkpoint the running processes first.” 2-hour delay before GenixLibrary can be taken offline safely.

Preserve Memory Image (HANSEN-SAP-01)

Owner: Alpha (Forensics) Medium 10+

Success (10+): Full memory image captured with hardware-assisted enumeration. Kernel driver artifact (SN 4A9F02B1C3D7E8F6) extracted with signed chain of custody. All 5 hidden PIDs documented. CFCS artifact request can be fulfilled. Move to CONTAINED on whiteboard.

Partial (7-9): Partial capture – rootkit detected the imaging process and began self-destruct sequence during capture. Kernel driver binary preserved but runtime process state (PID connections, memory hooks) is incomplete. CFCS can still analyze the driver.

Failure (6 or below): Imaging tool incompatible with HANSEN-SAP-01’s legacy OS version. 2-hour delay while team sources an alternative tool. During the delay, release threat clock T3 if not already played.

Block C2 Domain at Perimeter

Owner: Bravo (Network) Easy 5+

Success (5+): graph-api-sync.bioanalytics.net (203.0.113.44) blocked at perimeter firewall. DNS cache flushed. All outbound connections to attacker infrastructure terminated. Move C2 to CONTAINED on whiteboard.

Partial (3-4): Domain blocked at firewall, but DNS cache on GENIX-PROD-01 was not flushed. Existing cached connections persist for 15 minutes before timing out. Transfer continues at reduced rate during the window.

Failure (2 or below): Blocking the domain breaks legitimate Microsoft Graph API traffic – the attacker’s SNI spoofing means the firewall rule catches both real and fake Graph API calls. R&D cloud collaboration tools go down. Must create a more targeted rule using certificate validation or IP-based blocking.
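The failure branch above calls for a rule that separates spoofed Graph API traffic from the real thing. The following is an added illustration, not part of the exercise material: it applies the card's C2 indicators as an IP/domain match and adds a certificate check, so that an SNI claiming graph.microsoft.com is only trusted when the presented certificate actually validates for that name. The proxy log format, the legitimate endpoint name and the sample lines are constructed assumptions.

```python
# Added example, not part of the exercise material: a targeted rule for the
# "Block C2 Domain at Perimeter" failure branch. Sample log lines are constructed.
from dataclasses import dataclass

C2_IPS = {"203.0.113.44"}                         # from the exercise card
C2_DOMAINS = {"graph-api-sync.bioanalytics.net"}  # from the exercise card
LEGIT_GRAPH = "graph.microsoft.com"               # assumed legitimate endpoint name


@dataclass
class TlsFlow:
    src: str
    dst_ip: str
    sni: str          # server name the client asked for (attacker-controlled)
    cert_cn: str      # CN of the leaf certificate the server actually presented
    cert_valid: bool  # chain validated by the inspecting proxy


def parse_flow(line: str) -> TlsFlow:
    """Parse one 'key=value ...' proxy log line (constructed format)."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return TlsFlow(kv["src"], kv["dst"], kv["sni"], kv["cn"], kv["valid"] == "true")


def naive_rule(flow: TlsFlow) -> str:
    """The over-broad rule from the card: key on the Graph hostname in the SNI."""
    return "block" if "graph" in flow.sni else "allow"


def targeted_rule(flow: TlsFlow) -> str:
    """Block on attacker IP/domain, or when the SNI claims Graph but the
    presented certificate does not validate for that name."""
    if flow.dst_ip in C2_IPS or flow.sni in C2_DOMAINS:
        return "block"
    if flow.sni == LEGIT_GRAPH and (not flow.cert_valid or flow.cert_cn != LEGIT_GRAPH):
        return "block"
    return "allow"


# Constructed sample: C2 with spoofed SNI, a real Graph call, and a forged cert.
SAMPLE_LOG = """\
src=10.20.30.5 dst=203.0.113.44 sni=graph.microsoft.com cn=graph-api-sync.bioanalytics.net valid=false
src=10.20.30.9 dst=192.0.2.10 sni=graph.microsoft.com cn=graph.microsoft.com valid=true
src=10.20.30.7 dst=198.51.100.8 sni=graph.microsoft.com cn=graph.microsoft.com valid=false
"""


def triage(log: str, rule) -> dict:
    """Apply a rule to every line; returns {src: decision}."""
    return {f.src: rule(f) for f in map(parse_flow, log.splitlines())}
```

Running both rules over the sample shows the naive rule cutting the legitimate call from 10.20.30.9 along with the C2 traffic, while the targeted rule keeps it and still blocks the two spoofed flows.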

Share IoCs with CFCS

Owner: Charlie (Threat Intel & Recovery) Easy 5+

Success (5+): CFCS confirms BioGenix indicators match the European campaign. Bulletin CB-2026-0312 updated. CFCS shares additional IoCs from European partners – including a second C2 domain (graph-telemetry-sync.bioanalytics.net) used in prior attacks. Bravo can now preemptively block this domain. Move CFCS coordination to CONTAINED on whiteboard.

Partial (3-4): IoCs shared but kernel driver artifact not included – CFCS requests it specifically. Attribution remains “potential match” until the artifact is handed over. Teams must coordinate with Alpha to ensure chain of custody is maintained during handoff.

Failure (2 or below): Legal counsel blocks sharing pending review of identifiable data in the IoC set. Concern: anonymized IoCs may still contain identifiable employee data from access logs. 24-hour delay while legal reviews. CFCS coordination stalls.

Deploy EDR to Legacy Segment

Owner: Alpha (Forensics) / Bravo (Network) Hard 15+

Success (15+): EDR agents deployed to all 7 legacy servers including HANSEN-SAP-01. Full visibility into the legacy network segment. Any additional compromised hosts immediately visible. Discovery: HANSEN-SAP-02 (also overdue for decommission) shows suspicious process activity – potential second foothold.

Partial (12-14): Partial deployment – 3 of 7 legacy servers reject the EDR agent due to incompatible OS versions. HANSEN-SAP-01 accepted the agent but 3 other legacy hosts remain unmonitored. Teams have partial visibility.

Failure (11 or below): EDR deployment triggers the rootkit’s defense mechanism. The kernel driver detects the new agent and accelerates its self-destruct sequence. If memory image wasn’t already captured, it’s now at risk. Release threat clock T3 immediately if not already played. Attacker also accelerates exfiltration – release T4 if not already played.