FakeBat Beginner Scenario: Friday Deadline
IM Overview
- Malmon: FakeBat
- Runtime: 90-120 minutes
- Players: 4 (pre-generated team included below)
M&M has four rules that never change. Everything else is your style.
The Core Loop: You describe symptoms. Players each take one action. You describe results and evolve the threat.
Success Mechanic: Simple actions succeed automatically. Complex actions: roll d20, 5+ easy, 10+ medium, 15+ hard. (See the d20 callout in Round 1.)
Collaboration: Players assisting each other: +1 per assisting player (max +3), or roll two dice and take the higher.
The Goal: Contain the threat using your roles before the Malmon evolves.
Everything else is yours to improvise: how you voice the NPCs, whether you use the clue prompts verbatim or paraphrase them, how much you linger on a decision point, whether you use modifiers at all in a first session. The scenario is fully scripted – you never have to improvise. But the best sessions always go somewhere the script did not expect. When that happens, follow the table. That is M&M working.
These rules are defined in the IM Quick Start Guide. The rest of this scenario teaches you the full system one mechanic at a time.
Throughout this scenario you will find collapsed “From Joe:” and “From Inver:” callouts. These are real techniques from two practicing Incident Masters – not rules, just approaches that worked for them.
- Joe – First-ever M&M Incident Master (DefCon 2025). CISO with 25+ years across defense, finance, and legal. Performance-oriented style with fully voiced NPCs, humor, and adaptive pacing.
- Inver – Privacy lawyer, professional TTRPG designer, and compliance auditor. Detail-oriented preparation with production-quality handouts. Brings regulatory expertise (GDPR, CCPA) into scenario design.
Take what resonates, ignore what does not. Full bios: Facilitation Philosophy – Learning from Real-Life IMs.
This scenario uses colour-coded callouts so you can tell at a glance what each block is for:
- 🔴 Red blocks – Things you must do or explain (tutorials, rules, action triggers)
- 🔵 Blue blocks – Reference information and navigation (dice tables, role Q&A, read-aloud text, round transitions)
- 🟢 Green blocks – Facilitation advice you can use or ignore (tips from other IMs, off-script guidance, recovery prompts)
- 🟡 Yellow blocks – NPC dialogue to read in character
All three resolution endings – contained, partial, and Stage 2 triggered – were written to be narratively interesting. The worst ending produces the richest debrief.
Before You Begin
Materials needed:
- This document (print or screen)
- Physical d20 dice – bring a handful (3-5 recommended); players can share one die but everyone rolling their own is more engaging. Digital dice apps exist as a last resort when no physical dice are available.
- Role cards for: Detective, Protector, Tracker, Communicator
- Handout A and Handout B – print before the session; see Handouts below for digital alternatives if printing is not possible
- Player tent cards (optional – printable name placards for the table)
- Player Quick Reference (optional – one per player, keeps rules in front of them)
No other preparation required. Everything – clues, NPC lines, decision points, and resolution endings – is scripted below. Read through once before running. If you have 5 extra minutes, read the Setting the Scene section aloud to yourself.
Approximate pacing: Round 1 (~30 min) + Round 2 (~25 min) + Round 3 (~20 min) + Debrief (~15 min) = ~90 min core. Expect 90-120 min with natural discussion. New groups typically take longer – that is normal.
Every path through this scenario leads somewhere useful. If players do not contain the threat, the story escalates naturally – the presentation flickers, the client sees something, and the debrief question writes itself. You do not need to improvise consequences; they are already scripted. Your only job is to keep the conversation moving. If the room goes quiet for more than 30 seconds, offer the next clue prompt.
When a roll misses the target by 1-3 points (a partial success), use one of these. Pick whichever fits the moment.
| Situation | What to say |
|---|---|
| Investigation | “You find what you were looking for – but it raises a question you were not expecting.” |
| Technical | “It works – but slower, or with a side effect. Something had to give.” |
| Social | “They agree, but only halfway. What do you offer to get the rest?” |
| Under pressure | “You get the result – but the delay cost you. The situation moved while you worked.” |
Some players will not speak up in the first round. That is fine.
- Rotate the action prompt. After 2-3 players act, say: “[Name], what would you like to do? Passing is fine.”
- Use the role card. “Detective, your card says you trace what happened. Anything in the evidence catch your eye?”
- Pair them. Suggest collaboration with an active player: “Want to assist [name] on that? You would give them +1.”
Comfort matters more than participation. A player who listens carefully and speaks once is having a good session.
Pre-Generated Team
Use the Role Distributor to randomly assign roles – enter headcount and tap the button. For four players this scenario uses the standard core four.
If you prefer self-selection: hand out role cards and ask “Which of these sounds most like how you would approach a security incident?” Give players 30 seconds. In practice, most new players do not have strong preferences – that is fine. If nobody steps forward for a role, assign at your discretion. Any combination works; the roles are designed to complement each other.
When the script addresses a clue to a role – use the player’s actual name instead of the role label. Players are themselves in this scenario.
- Detective – “You always ask who had access and when. Your job is to trace what happened.”
- Situational anchor: You were brought in three weeks ago to audit the agency’s systems before the presentation. This is your first real incident.
- Play as: you ask one more question even when the team is ready to act.
- Protector – “Your instinct is to isolate first, ask questions second. You keep the threat from spreading.”
- Situational anchor: You set up this agency’s IT two years ago. If something got through, you want to know how.
- Play as: you state the action you want to take, then immediately ask who disagrees.
- Tracker – “You follow the data trail. You want logs and timestamps before anyone acts.”
- Situational anchor: You noticed the redirect behavior yesterday but were overruled when you suggested pulling the machines. This morning you were right.
- Play as: you quote a specific number from the evidence before making any recommendation.
- Communicator – “You keep stakeholders calm and the team aligned. You decide what gets communicated and when.”
- Situational anchor: Alex called you before IT because you have the client relationship. Your job is to decide what the client hears and when.
- Play as: you repeat back what you heard before responding, especially when the news is bad.
Use player names explicitly: “Susan, what would you like to be doing right now?” Adding the name transforms a general question into a personal invitation. When someone’s been quiet, a direct name-call draws them in. When someone’s been dominating, asking others by name spreads participation.
Your choice: Use explicit name-calling for structured participation, or keep questions open-ended if your group naturally self-organises.
Ask each player: “What is one thing your character cares about at this agency?” It does not need to be profound – “the deadline,” “Alex,” or “my reputation” is enough. This small investment makes the first decision feel personal.
Role Card Questions – IM Reference
Players with role cards will ask questions from the “Questions to Drive the Game” section on their card. These callouts give you the answers for this scenario. Open the relevant one if a player asks something you are not sure how to answer.
“What does the process execution history look like on the affected machine?”
The browser process spawned the fake updater from the Downloads folder. The updater immediately created a scheduled task. Process chain: browser → AdobeFlashUpdate.exe → task installer → scheduled task running every 15 minutes under the affected user account.
“Are there scheduled tasks or registry run keys I can examine?”
Yes – a scheduled task runs every 15 minutes under the affected user accounts. No registry run keys. The scheduled task is the sole persistence mechanism. It must be removed alongside the executable, or the malware reinstalls itself.
“What’s the earliest sign of compromise – can we find Patient Zero?”
PIXEL-WS-03 is Patient Zero by timestamp. The other two machines downloaded within a 4-minute window, suggesting the fake update prompt was served simultaneously to multiple browsing sessions – not three separate clicks.
“Do these indicators match anything in our threat intelligence?”
Yes. The domain pattern (legitimate-brand-update-secure.net), execution from %TEMP%, 15-minute beacon interval, and browser credential harvesting are consistent with FakeBat. Do not name the malmon here – only show the FakeBat card when players describe the attack pattern themselves (“fake software update,” “browser hijacker,” or similar), as described in the malmon card reveal trigger section in Round 2.
“What artefacts did the attacker leave behind that I can preserve?”
The executable in %TEMP%, the scheduled task definition (exportable as XML), the browser credential store, and firewall logs showing 198.51.100.42. Act before any reboot – memory contents will be lost on restart.
“What network access does the compromised system have – what can the attacker reach from here?”
The three workstations are on the same flat network segment as the file server (\\pixel-files). No VLAN separation. If the C2 instruction arrives before isolation, lateral movement to the file server requires no additional exploitation.
“Are our backups isolated from the affected segment and confirmed clean?”
No formal backup infrastructure is mentioned. Worth asking Alex – if the file server uses an attached backup drive, that drive is also reachable from the compromised workstations and should be disconnected before containment is declared complete.
“What’s the blast radius if we don’t contain right now?”
The C2 instruction has not arrived yet. The window opens again every 15 minutes. If it arrives before isolation: the file server is reachable, and the presentation files could be accessed or exfiltrated 48 hours before the client meeting.
“Which systems are most critical to protect first?”
The file server (\\pixel-files). Isolate the three workstations before the next 15-minute beacon cycle. The file server itself does not need isolation – only the compromised workstations need to be cut from the network.
“Do we have an emergency change process for immediate isolation?”
Alex is in the room and has full authority. There is no formal change management process at a 12-person agency. Her verbal authorisation is sufficient – and she has already indicated she is ready to act.
“What outbound connections has this machine made in the last 24 hours?”
Regular HTTPS connections to 198.51.100.42 every 15 minutes from all three workstations, starting from installation time yesterday afternoon. Metronomic cadence – not consistent with normal browsing. No other unusual outbound traffic.
“Are there DNS requests to unusual or newly registered domains?”
Yes – adobeupdate-secure.net, registered 6 days ago, resolves to 198.51.100.42. The actual beacon traffic goes directly to the IP, not the domain. No other suspicious DNS queries.
“Can I see the firewall logs for east-west traffic between internal segments?”
No east-west traffic. The malware is beaconing outbound but has not received a lateral movement instruction. The file server shows no inbound connection attempts from the compromised workstations.
“Is there evidence of data staging or unusually large outbound transfers?”
No large file transfers. Outbound payloads are small – consistent with credential data (browser session tokens, saved passwords). Total outbound volume under 50KB across all sessions. No file exfiltration confirmed.
“What does the network topology look like between the affected systems and our crown jewels?”
Flat segment. All three workstations can reach \\pixel-files with no firewall between them. One hop, no additional credentials required. If the C2 instruction arrives, the file server is immediately reachable.
“Who in the organisation needs to know about this right now?”
Alex – she is in the room and making the decision. The affected designers know their machines are behaving oddly but not why. The client does not need to know yet – no data has been confirmed accessed, and 48 hours remain before the presentation.
“Does the data involved trigger any regulatory notification requirements?”
Probably not. This is a creative agency with no special regulatory status. No customer PII breach has been confirmed – the credential harvest targeted browser session tokens, not client data. Exception: if the presentation files contain client PII and Stage 2 triggered, check the client contract.
“What’s the business impact in plain language – how do I explain this to the board?”
There is no board here, but for Alex: “Three machines downloaded malware disguised as a software update. It has been calling home every 15 minutes waiting for instructions. We caught it before those instructions arrived. Isolate now and the presentation is safe – two designers lose their machines for the day.”
“What should we say if journalists or customers start asking questions?”
Nothing has leaked. If the client asks: “We identified and contained a security issue during our pre-presentation checks. The presentation is not affected.” Alex should approve any external messaging before it goes out.
“Are there contractual notification obligations to customers or partners?”
Check the client contract. Some enterprise clients include security incident clauses. If the presentation files contain client confidential information and Stage 2 triggered, the contract may require notification. Alex knows the contract details.
Setting the Scene
It is Wednesday morning at Pixel and Co., a 12-person creative agency that has spent the last three months producing the campaign of their careers. Friday is the client presentation – a pitch worth more than everything else in the studio’s portfolio combined. Agency owner Alex gathered the team at 9am, but instead of the usual pre-presentation energy, several designers report that their browsers are behaving strangely: search results redirect to unfamiliar sites, ads appear inside design tools, and new toolbar icons showed up overnight. The IT consultant was called in. The team is gathered around the kitchen table. What do you do?
Most rolls succeed. At DC 10 – the default here – players succeed 55% of the time (10-20 on a d20). Partial successes (7-9) advance the story too; only 1-6 creates real friction. The clue tables below give you scripted text for every outcome band.
Use DC 15 once per round at most. At that threshold success drops to 30%. Reserve it for genuinely hard moments – cutting-edge analysis or high-stakes social pressure.
When to skip the dice entirely: Simple, clear actions succeed automatically. The dice are for genuine uncertainty only.
Round 1: What Got In (~30 min)
Players asking role-card questions? See Role Card Q&A above.
Attacker status: FakeBat is installed on 3 workstations, beaconing C2 every 15 min, harvesting browser credentials. The C2 server has a lateral movement instruction queued but not yet delivered. The file server is one hop away on a flat network with no firewall between them.
Before you start, explain the three steps to your players:
- You describe what the team observes. A situation, a symptom, a piece of information.
- Each player takes one action. What does your character do? Anything realistic counts – ask a question, run a scan, check a log, call someone, isolate a machine.
- You describe what they find, then evolve the situation.
That is the whole game. Everything else builds on those three steps.
Some workstations show browser hijacking symptoms. The team has the morning. The client presentation is in 48 hours. Alex, the agency owner, is hovering near the door looking tense.
Reactive (player-driven): When a player declares an investigation action that matches a clue below, ask for a d20 roll and read the matching row. The roll determines how much they find and how cleanly.
Proactive (stuck group): If the room has genuinely worked at it for a moment and is still stuck, offer the 10-19 row directly – no roll required. Do not narrate what it means. Describe the finding and let the team draw the conclusion.
Collaborative (question-driven): After reading any clue result, pause and ask: “What does that tell you about the attack?” Let the team connect the dots before you offer the next clue. A player’s wrong hypothesis is more valuable than your next scripted line – ask what evidence would confirm or rule it out.
Clue 1 – Download logs (proactive: ~3 min; reactive: Tracker pulls logs → DC 10)
| Roll | What you say |
|---|---|
| 20 ★ | “Tracker, three workstations – same domain, same 4-minute download window. This was pushed simultaneously, not three separate clicks.” |
| 10-19 | “Tracker, the download logs show three workstations pulled an executable from adobeupdate-secure.net yesterday afternoon. Domain registered six days ago.” |
| 7-9 ◐ | “Tracker, you find the domain – registered six days ago – but timestamps on two machines were overwritten. Three machines hit; you cannot confirm when.” |
| 1-6 | “Tracker, yesterday afternoon’s logs are gone. Either the malware cleared them or someone did. The trail starts this morning.” |
After reading the result, ask: “What does that tell you?” Let the team interpret before you move on.
If a player says “I look at the download logs” and they are the Tracker with the right tools – just give them the information. The dice are for genuine uncertainty, not gatekeeping. Save rolls for moments where the outcome is actually in doubt.
Your choice: Roll for everything if your table enjoys the ritual, or skip freely when the result is obvious. Both work.
Clue 2 – Browser history (proactive: ~6 min; reactive: Detective checks sessions → DC 10)
| Roll | What you say |
|---|---|
| 20 ★ | “Detective, the sequence is exact: stock imagery search, Flash prompt, download – three minutes start to finish. Two others saw the same prompt and closed it. This was targeting a specific workflow.” |
| 10-19 | “Detective, browser history shows all three affected users were sourcing stock imagery when a ‘Flash Player update required’ prompt appeared. Two others saw the same prompt but closed it.” |
| 7-9 ◐ | “Detective, one machine has intact history – stock imagery, Flash prompt, download. The other two have gaps. The pattern is visible but not complete.” |
| 1-6 | “Detective, browser history on all three machines has been cleared. You know the Flash prompt appeared – designers mentioned it – but nothing is left to verify the sequence.” |
Clue 3 – Installed file analysis (proactive: ~9 min; reactive: Protector examines the executable → DC 15)
| Roll | What you say |
|---|---|
| 20 ★ | “Protector, unsigned file, launched from Temp, scheduled task every 15 minutes – and it is currently beaconing to 198.51.100.42. Last outbound connection: 8 minutes ago.” |
| 10-19 | “Protector, the installed file is not signed by any known vendor. It launched from the Temp folder and added a scheduled task that runs every 15 minutes.” |
| 7-9 ◐ | “Protector, you find the scheduled task – 15-minute cadence – but the executable has renamed itself to something that resembles a Windows system process. You know it is there; you cannot confirm what it is doing.” |
| 1-6 | “Protector, the process is masquerading as a system component. Standard signature checks come back clean. A behavior scan is needed, not a file scan.” |
After reading the result, ask: “What does that tell you?” If they rolled low: “What would you try differently?” A failed approach is still information.
When a player attempts something with uncertain outcome – scanning a system for malware, convincing a skeptical colleague to let them isolate a machine, pulling logs that might have been cleared – ask for a d20 roll.
Target numbers:
- Easy (5+): Standard procedures with the right tools – succeed most of the time
- Medium (10+): Complex analysis, uncertain coordination, or working under pressure
- Hard (15+): Cutting-edge techniques, high-stakes decisions, or significant obstacles
Degrees of success:
- Critical (natural 20): Exceptional result – extra information, bonus, or advantage in the next action
- Full success (meets or beats target): Complete achievement
- Partial success (within 3 below target): Useful result with a complication or cost – the story still advances
- Failure (4+ below target): Does not achieve the goal; may create a new complication
Automatic success: Skip the dice entirely when a player’s expertise, the right tools, and a clear plan all line up. The dice are for genuine uncertainty, not a control mechanism.
For most first-session actions, set the target at 10. Only push to 15 when the stakes genuinely warrant it.
From Joe: “I gotta tell you, this may be a cursed die.” When a player rolled a natural 1 on disclosure verification, I said: “You accidentally posted it to Facebook.” The whole team laughed. Failure became a memorable moment instead of a frustrating one.
From Inver: A nat 1 is a gift, not a punishment. “With your nat one, you have estimated that the vibes are indeed bad currently.” Find the absurdist reading. Or open a help action so a teammate can bail them out – now it is a team moment.
Your choice: Use humor or open collaboration assists. The point is that low rolls stay fun and the player stays engaged.
NPC interruption:
“I need to know before lunch whether the presentation files are safe. The client is flying in from Copenhagen. If I have to reschedule, it is not just the account – it is the relationship. Tell me what we are dealing with.”
She taps her notebook twice before speaking – a habit the team has learned means she has already made a decision and is waiting for permission to act on it.
- “Can we just reimage all three machines right now?” – Yes. This jumps to Round 3’s Option A. Skip Round 2 investigation and go straight to remediation. The debrief will be thinner but the decision was sound.
- “I want to call the client directly.” – Alex intercepts: “Let me handle the client. You handle the machines.” Redirect to the team’s technical scope.
- “What if we unplug the network switch?” – This works but is overkill. All machines lose access, not just the compromised ones. Treat as Option A with a broader blast radius.
- Players are silent. – Ask: “What is the first thing you would check?” If still stuck, offer Clue 1 proactively.
- Zoom out to story: “Let’s step back – what is the impact on Pixel and Co. right now?”
- Character perspective: “What would Alex be thinking right now?”
- Time pressure: “Meanwhile, the client presentation deadline has not moved…”
- Ask the quiet player: “[Name], what is your gut telling you here?”
Round 1 Decision Point:
Alex needs an answer. The team must decide how to respond:
- Option A: Isolate the three affected machines immediately. Take the workstations off the network now. Stop the spread before investigating further.
- Outcome: The affected machines are contained. Two designers are without workstations for the rest of the day. The presentation files on those machines are inaccessible until cleared. But the threat cannot reach the file server – yet.
- Signal the win: “Good call – you cut off the C2 channel before the next beacon cycle.”
- Alex nods quickly: “Good. I will call the client now. What do I tell them?”
- Option B: Monitor but do not isolate yet. Keep investigating to understand the full scope before any disruption.
- Outcome: The team gathers better evidence. But during Round 2, FakeBat phones home and receives an instruction to probe the file server. The threat has a 20-minute window to reach the presentation files.
- Alex looks at the Tracker: “How long do you need? I have to know before 11.”
- Option C: Tell Alex everything now. The Communicator informs Alex of the full situation before any technical decision is made.
- Outcome: Alex makes the call to isolate (same as Option A), but the team now has Alex as an active ally rather than an anxious presence. Alex calls the client to manage expectations – the relationship pressure drops. Containment proceeds as in Option A.
- Signal the win: “Strong move – you brought the decision-maker in early. The team is aligned and Alex is on your side.”
- Alex exhales slowly: “All right. Tell me everything. But make it fast.”
Round 2: How Far Did It Go? (~25 min)
Players asking role-card questions? See Role Card Q&A above.
Attacker status: FakeBat has been beaconing every 15 min and transmitting browser credentials. The C2 server has a lateral movement instruction queued. If the team isolated in Round 1, that instruction cannot reach the workstations. If they monitored, the instruction arrives during this round – the file server becomes reachable.
The source is identified and the decision made. Now the team needs to understand what the malware has been doing since it installed – and whether it has already reached further than the affected workstations.
When two or more players combine their actions toward the same goal:
- +1 per assisting player (maximum +3), or
- Advantage: roll two d20 dice and take the higher result
Either approach works – use advantage when it is cleaner to narrate, use the bonus when stacking precision matters.
Automatic success: When the whole team coordinates clearly with good logic and role division, skip the dice entirely. Perfect collaboration earns it.
Example: one player pulls the logs while another cross-references them against the installation timeline. That is a collaboration – +2 or advantage.
Apply these when they make a moment more real or more interesting – not mechanically:
| Situation | Modifier |
|---|---|
| Action aligns with player’s role | +2 |
| Action misaligns with role | -1 |
| Super effective response type | +2 |
| Not effective response type | -2 |
| Strong security posture supporting action | +2 |
| Significant obstacle | -2 |
| Threat actively evolving | -1 to -3 |
Stacking example: A Tracker (+2 role alignment) pulling logs while the threat is actively evolving (-1) rolls at +1.
For a first session: You do not need to apply modifiers at all. Use them when a player does something that should obviously be easier or harder than straight 50/50.
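The resolution mechanic from the Round 1 d20 callout and the collaboration and modifier rules above, written out as an added example so you can check the probabilities quoted earlier (55% at DC 10, 30% at DC 15) and see how assists, advantage and stacked modifiers interact. This is not code from the M&M rules or the scenario; the modifier tag names and the default -1 for “threat actively evolving” are assumptions for the example.

```python
import random

# The Round 2 modifier table as a lookup. "threat_evolving" is -1 to -3 in the
# table; -1 is the default assumed here.
MODIFIERS = {
    "role_aligned": 2,
    "role_misaligned": -1,
    "super_effective": 2,
    "not_effective": -2,
    "strong_posture": 2,
    "significant_obstacle": -2,
    "threat_evolving": -1,
}
MAX_ASSIST_BONUS = 3  # +1 per assisting player, capped at +3


def net_modifier(*tags):
    """Sum the modifiers for every situation tag that applies to the action."""
    return sum(MODIFIERS[t] for t in tags)


def resolve(roll, dc, modifier=0, assists=0, advantage_roll=None):
    """Classify one action under the scenario's success mechanic.

    roll and advantage_roll are natural d20 faces (1-20). With advantage the
    higher face is used. A natural 20 is a critical regardless of target.
    Partial success is within 3 below the target; failure is 4 or more below.
    """
    natural = roll if advantage_roll is None else max(roll, advantage_roll)
    if natural == 20:
        return "critical"
    total = natural + modifier + min(assists, MAX_ASSIST_BONUS)
    if total >= dc:
        return "success"
    if total >= dc - 3:
        return "partial"
    return "failure"


def outcome_distribution(dc, modifier=0, assists=0, advantage=False):
    """Exact probability of each outcome band, by enumerating every die face
    (or every pair of faces when rolling with advantage)."""
    counts = {"critical": 0, "success": 0, "partial": 0, "failure": 0}
    faces = range(1, 21)
    if advantage:
        samples = [(a, b) for a in faces for b in faces]
    else:
        samples = [(a, None) for a in faces]
    for first, second in samples:
        counts[resolve(first, dc, modifier, assists, second)] += 1
    return {band: n / len(samples) for band, n in counts.items()}


def roll_action(dc, modifier=0, assists=0, advantage=False, rng=random):
    """Roll for an action at the table; returns (outcome, natural faces)."""
    first = rng.randint(1, 20)
    second = rng.randint(1, 20) if advantage else None
    return resolve(first, dc, modifier, assists, second), (first, second)


if __name__ == "__main__":
    # The stacking example from the modifier section: Tracker (+2) while the
    # threat is evolving (-1) rolls at +1.
    print("Tracker net modifier:", net_modifier("role_aligned", "threat_evolving"))
    for dc in (10, 15):
        dist = outcome_distribution(dc)
        print(f"DC {dc}: success or better {dist['critical'] + dist['success']:.0%}, "
              f"partial {dist['partial']:.0%}, failure {dist['failure']:.0%}")
    adv = outcome_distribution(10, advantage=True)
    print(f"DC 10 with advantage: success or better {adv['critical'] + adv['success']:.2%}")
    print("Live roll at DC 10 with one assist:", roll_action(10, assists=1))
```

Advantage at DC 10 lifts the success chance from 55% to just under 80%, which is why the text suggests using it sparingly and only when it is cleaner to narrate than a flat bonus.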
Clue 4 – C2 beacon (reactive: Tracker or Protector analyses outbound traffic → DC 10)
| Roll | What you say |
|---|---|
| 20 ★ | “The scheduled task calls home every 15 minutes – and there is an inbound packet queued at the C2 server. An instruction is waiting. It has not arrived yet.” |
| 10-19 | “The scheduled task calls home to a C2 server every 15 minutes. Most recent outbound connection: 12 minutes ago. It is sending browser credential data.” |
| 7-9 ◐ | “You confirm regular outbound connections every 15 minutes – something is phoning home. The connection is encrypted; you can see the cadence but not the content.” |
| 1-6 | “The beacon intervals have shifted to irregular timing. The malware detected your network monitoring and changed its pattern.” |
After reading the result, ask: “What does that tell you about the threat?” Let the team connect the beacon to the file server risk before you reveal Clue 5.
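The Tracker’s role-card answer (“metronomic cadence – not consistent with normal browsing”) and Clue 4 both rest on the same observation: a scheduled task that calls home on a fixed interval leaves evenly spaced connections in the firewall log. The detection below, added here as an example and not part of the scenario’s handouts, shows how an IM or a player could reason about that. The log lines, the second host PIXEL-WS-09 and the destination 203.0.113.7 are constructed for the example; only PIXEL-WS-03 and 198.51.100.42 come from the scenario.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed outbound firewall log (not a scenario handout).
# Format: "<ISO timestamp> <source host> -> <destination IP>:<port> <bytes out>"
SAMPLE_LOG = """
2025-03-11T14:02:10 PIXEL-WS-03 -> 198.51.100.42:443 1840
2025-03-11T14:02:31 PIXEL-WS-03 -> 203.0.113.7:443 52100
2025-03-11T14:05:00 PIXEL-WS-09 -> 203.0.113.7:443 33000
2025-03-11T14:17:11 PIXEL-WS-03 -> 198.51.100.42:443 1790
2025-03-11T14:25:44 PIXEL-WS-03 -> 203.0.113.7:443 8120
2025-03-11T14:32:10 PIXEL-WS-03 -> 198.51.100.42:443 1802
2025-03-11T14:41:00 PIXEL-WS-09 -> 203.0.113.7:443 2100
2025-03-11T14:47:12 PIXEL-WS-03 -> 198.51.100.42:443 1811
2025-03-11T15:02:09 PIXEL-WS-03 -> 198.51.100.42:443 1795
2025-03-11T15:30:00 PIXEL-WS-09 -> 203.0.113.7:443 640
2025-03-11T15:33:00 PIXEL-WS-09 -> 203.0.113.7:443 410
"""


def parse_log(text):
    """Group connections by (source host, destination IP), ordered by time."""
    flows = defaultdict(list)
    for line in text.strip().splitlines():
        ts, src, _arrow, dst_port, nbytes = line.split()
        dst = dst_port.rsplit(":", 1)[0]
        flows[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    for conns in flows.values():
        conns.sort()
    return flows


def find_beacons(flows, min_connections=4, max_jitter=0.10):
    """Flag flows whose gaps between connections are nearly constant.

    max_jitter is the largest tolerated deviation from the median gap, as a
    fraction of that gap. Malware that randomises its sleep (the 1-6 row of
    Clue 4) exceeds this and slips past a pure-cadence check; counting
    connections per hour per destination is the usual fallback.
    """
    findings = []
    for (src, dst), conns in flows.items():
        if len(conns) < min_connections:
            continue
        times = [t for t, _ in conns]
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(times, times[1:])]
        period = statistics.median(gaps)
        if period <= 0:
            continue  # duplicate timestamps; nothing to measure
        jitter = max(abs(g - period) for g in gaps) / period
        if jitter > max_jitter:
            continue
        findings.append({
            "src": src,
            "dst": dst,
            "connections": len(conns),
            "period_min": round(period / 60, 1),
            "total_bytes": sum(b for _, b in conns),   # small = credential-sized
            "last_seen": times[-1],
            # The containment deadline: the next check-in is when a queued
            # instruction could be delivered.
            "next_expected": times[-1] + timedelta(seconds=period),
        })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['dst']}: every {f['period_min']} min, "
              f"{f['connections']} connections, {f['total_bytes']} bytes out, "
              f"next expected {f['next_expected']:%H:%M:%S}")
```

Only the PIXEL-WS-03 flow to 198.51.100.42 is reported; the irregular browsing-shaped traffic to 203.0.113.7 is not. The `next_expected` field is the number Alex actually needs: the workstations have to be off the network before that time.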
Clue 5 – File server status (no roll – factual reveal based on Round 1 outcome)
If players isolated in Round 1 (Option A or C): “The shared file server shows no signs of compromise. No unauthorized access events detected.”
If players monitored in Round 1 (Option B): “The server shows one unauthorized access event – the presentations folder was opened by the compromised machine 8 minutes ago. Files appear intact but cannot be confirmed clean without inspection.”
Malmon card reveal trigger:
When players describe “fake software update,” “browser hijacker,” “downloader,” or anything close, show them the FakeBat card and say:
“Your analysis confirms this is FakeBat – a downloader distributed through fake browser and plugin updates. It is not ransomware; it is a credential harvester and a delivery vehicle for follow-on payloads. If you do not remove it cleanly, it will reinstall itself from that scheduled task.”
If players have not named it by end of Round 2, give them this:
“Your logs confirm this is FakeBat – malware that masquerades as a legitimate software update, installs silently, and starts harvesting browser credentials while beaconing for further instructions.”
- “Let’s just tell Alex everything and let her decide.” – This is Option A. Go with it.
- “Can we contact law enforcement?” – Alex can, but it will not help before Friday. Acknowledge it as a valid long-term step and redirect to the immediate disclosure decision.
- “I want to check other machines in the office.” – Good instinct. The two designers who closed the Flash prompt are clean. Confirm this quickly and refocus on the disclosure decision.
- Zoom out to story: “Let’s step back – you now know how far the malware got. What matters most to Pixel and Co.?”
- Character perspective: “Alex is waiting for your call. What do you want her to hear?”
- Reveal a deeper layer: “The fake domain was registered six days ago. Someone planned this.”
- Ask the quiet player: “[Name], what would you do if this happened at your actual workplace?”
Round 2 Decision Point:
The team now knows the scope. They must decide what to tell Alex and the client:
- Option A: Full disclosure to Alex now, no client contact yet. Tell Alex exactly what happened – fake update, credential theft, contained to three workstations (or server if Option B was chosen). Let Alex decide on client communication.
- Outcome: Alex is shaken but grateful for the honest picture. The agency can prepare a professional client communication. Friday presentation proceeds with a clean story if containment holds.
- Signal the win: “Honest disclosure early is exactly what real IR teams recommend. Alex can prepare instead of being blindsided.”
- Alex: “Then I tell them we had a security incident, we caught it, and we are handling it professionally. Right?”
- Option B: Remediate first, disclose after. Complete the cleanup before telling Alex anything definitive.
- Outcome: Technical remediation succeeds. Alex gets cleaner news. But during debrief, Alex will ask why it took so long to know – a realistic tension around disclosure timing.
- Alex: “I appreciate the restraint. Just tell me the moment you know.”
Round 3: Friday (~20 min)
Players asking role-card questions? See Role Card Q&A above.
Attacker status: If contained, FakeBat is isolated and cannot beacon. Harvested credentials remain valid until reset. If not contained, the file server was accessed – presentation files may have been exfiltrated. The attacker’s next move depends entirely on the team’s Round 1-2 decisions.
It is Thursday afternoon. The file server is clean (or has been cleaned). The presentation files are confirmed intact. But the credentials harvested by FakeBat need to be dealt with, and the team must decide how to prevent reinfection.
In M&M, some responses are more effective against certain threat types than others.
FakeBat is a Downloader / Trojan type.
- Super effective: Network isolation of infected hosts + full removal of persistence artifacts (scheduled tasks, registry keys) + credential resets for all affected accounts. This combination removes the malware, cuts the C2 connection, and invalidates any harvested credentials.
- Not very effective: Antivirus scan alone. FakeBat uses legitimate-looking scheduled tasks for persistence. An antivirus that catches the initial binary will miss the reinstaller unless the task is also removed.
- Normal effectiveness: Scheduled task removal + malware scan + credential reset. Removes the installed malware and its main persistence mechanism, but leaves more room for error than a full rebuild. (This is Option B below.)
- “Can we just cancel the presentation?” – Alex would rather not, but she will if the team recommends it. Ask: “What would you need to see to feel confident the presentation can proceed?”
- “What about the two machines that were not infected?” – They are clean. Confirm quickly.
- “Should we hire an external IR firm?” – Valid for the long term. For Friday, the team is what they have. Acknowledge and refocus.
- Slow with story: “Before you decide, what would the client think if they found out later?”
- Add stakes: “Friday is tomorrow. If anything goes wrong during the presentation, everyone in the room will see it.”
- Encourage debate: “Protector, what do you think of the Tracker’s plan? Do you agree?”
Final Response Decision:
The team must choose their remediation approach before Friday’s presentation:
- Option A: Full endpoint rebuild + credential reset. Wipe and rebuild the three affected workstations from clean images. Reset all browser-stored credentials on affected accounts. Block the C2 domain at the firewall.
- Type effectiveness: Super effective
- Signal the win: “Full rebuild is the gold standard. You eliminated every persistence mechanism and invalidated the harvested credentials. That is textbook containment.”
- Outcome: Presentation day is clean. Designers work from backup machines. The threat is gone. Cost: half a day of designer downtime.
- Option B: Scheduled task removal + malware scan + credential reset. Remove the persistence mechanism manually, run a full scan, and reset credentials. Keep the machines running.
- Type effectiveness: Normal effectiveness
- Ask the Tracker (or Protector) to roll d20 – this is the cleanup quality check (DC 10):
| Roll | Outcome |
|---|---|
| 10+ | Clean. Presentation day is clear. Read the Contained ending. |
| 7-9 ◐ | Probably clean – but one machine shows no log entry confirming task removal. Worth checking Monday. Read the Partial containment ending. |
| 1-6 | A secondary persistence artifact was missed. FakeBat reinstalls overnight. Monday morning, the Tracker finds it. Read the Partial containment ending. |
- Option C: Credential reset only, defer full remediation until after Friday. Reset all passwords now. Deal with the infected machines after the presentation.
- Type effectiveness: Not very effective
- Outcome: Credentials are safe. But the malware is still running and continues to beacon. On Friday during the presentation, one browser redirect appears on a screen visible to the client. The client notices.
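The effectiveness notes above and the Option B cleanup check both turn on one question the table models with a die roll: can the team prove, per host, that the scheduled task was removed and stayed removed? The following is an added example, not part of this scenario or the M&M materials, showing how a Tracker would answer that from logs rather than from memory. It runs over a constructed export of Windows Task Scheduler operational events; the host names, the task name BrowserUpdateCheck, the timestamps and the four-column line format are all invented for the example, while the event IDs 106 (task registered) and 141 (task deleted) are the ones the Microsoft-Windows-TaskScheduler/Operational log uses.

```python
"""Added example (not from the scenario): verify scheduled-task removal per host.

Input is a constructed, simplified export of Task Scheduler operational events,
one per line: "<ISO timestamp> <host> <event_id> <task_name>".
Real event IDs from Microsoft-Windows-TaskScheduler/Operational:
    106 = task registered, 141 = task deleted.
"""
from dataclasses import dataclass
from datetime import datetime

TASK_REGISTERED = 106
TASK_DELETED = 141

# Constructed sample: DESIGN-01..03 were the infected workstations,
# DESIGN-04 was never infected. Cleanup happened Thursday afternoon.
SAMPLE_LOG = """
# timestamp host event_id task_name   (constructed sample export)
2025-05-06T10:41:00 DESIGN-01 106 BrowserUpdateCheck
2025-05-06T10:43:00 DESIGN-02 106 BrowserUpdateCheck
2025-05-06T10:47:00 DESIGN-03 106 BrowserUpdateCheck
2025-05-07T08:00:00 DESIGN-04 106 ScheduledDefrag
2025-05-08T16:05:00 DESIGN-01 141 BrowserUpdateCheck
2025-05-08T16:10:00 DESIGN-02 141 BrowserUpdateCheck
2025-05-10T02:00:00 DESIGN-02 106 BrowserUpdateCheck
"""
CLEANUP_TIME = datetime(2025, 5, 8, 15, 0)  # Thursday, start of remediation
SUSPECT_TASK = "BrowserUpdateCheck"         # placeholder name, constructed


@dataclass(frozen=True)
class TaskEvent:
    ts: datetime
    host: str
    event_id: int
    task: str


def parse_events(lines):
    """Parse the four-column export; skip blanks and '#' comments."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, eid, task = line.split(maxsplit=3)
        events.append(TaskEvent(datetime.fromisoformat(ts), host, int(eid), task))
    return sorted(events, key=lambda e: e.ts)


def assess_cleanup(events, task_name, cleanup_time):
    """Classify every host seen in the log with respect to one task name:
       'clean'       - deletion logged after cleanup_time, nothing registered since
       'unverified'  - task was registered but no deletion event after cleanup_time
                       (the "no log entry confirming task removal" case)
       'reinstalled' - deleted, then registered again later (the Monday surprise)
       'not_present' - that task never appeared on this host
    """
    verdicts = {}
    for host in sorted({e.host for e in events}):
        history = [e for e in events if e.host == host and e.task == task_name]
        if not history:
            verdicts[host] = "not_present"
            continue
        deletions = [e for e in history
                     if e.event_id == TASK_DELETED and e.ts >= cleanup_time]
        if not deletions:
            verdicts[host] = "unverified"
            continue
        last_deletion = max(e.ts for e in deletions)
        came_back = any(e.event_id == TASK_REGISTERED and e.ts > last_deletion
                        for e in history)
        verdicts[host] = "reinstalled" if came_back else "clean"
    return verdicts


def hosts_needing_followup(verdicts):
    """Hosts that still need hands-on work before the cleanup can be called done."""
    return sorted(h for h, v in verdicts.items() if v in ("unverified", "reinstalled"))


if __name__ == "__main__":
    result = assess_cleanup(parse_events(SAMPLE_LOG.splitlines()), SUSPECT_TASK, CLEANUP_TIME)
    for host, verdict in result.items():
        print(f"{host}: {verdict}")
    print("follow up:", hosts_needing_followup(result))
```

Run against the sample, DESIGN-01 is clean, DESIGN-03 is the machine with no removal entry (the 7-9 row of the table), and DESIGN-02 shows the task re-registered early Saturday (the 1-6 row). The point for the IM is that "we ran the cleanup" and "the log shows the task gone on every host and not back since" are different claims; Option A's rebuild sidesteps the question entirely, which is why it is rated super effective.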
Resolution:
Contained ending (Option A, or Option B on 10+): Friday arrives. The presentation room is clean. Alex walks the client through three months of creative work on machines the team knows are safe. The client does not know there was an incident – only that the team delivered on time and professionally. After the meeting, Alex pulls the team aside: “I want a short-term retainer for whoever fixed this. We cannot have that happen again.” The agency walks away with the account and a new security conversation started.
Partial containment ending (Option B on 1-9): Friday’s presentation goes well. Monday morning, the Tracker notices the scheduled task is back on one machine. FakeBat reinstalled from a secondary persistence artifact that was missed. The credential harvest has resumed – but only for three days. Credential resets will need to happen again. The good news: the client account is won. The bad news: the cleanup job is not finished yet.
Option C ending (the client notices): During the presentation, a browser redirect flickers across the screen for three seconds before a designer closes it. The client sees it. The meeting goes quiet. After a pause, the client says: “We will need to talk about security before we sign anything.” The account is not lost – but it is not won either. The team has a second meeting scheduled, and a real story to tell about what they have learned and what they have changed.
Handouts
Print both handouts before the session and keep them face-down until the release point. One copy per handout is enough – players can pass it around or lean in.
- Handout A: Fake Browser Update Prompt – Release at the start of Round 1
- Handout B: Network Traffic Log – Select version and release at the start of Round 2
The handouts add tangibility and a “document handling” moment that grounds the scenario, but the investigation works without them. If printing is not possible:
- Project on screen – Open the handout link on a laptop or tablet and display it to the group. Give players a moment to read before discussion starts.
- Share the link – Send the handout URL to players before the session (or via chat at the release point) and ask them to open it on their own devices.
- Read aloud – For Handout A, reading the visible symptoms aloud takes under a minute. For Handout B, calling out 4-5 log lines is sufficient; players do not need to see every entry to reach the right conclusions.
Whichever method you use, treat the handout release as a deliberate pause – stop talking, let them absorb it, then ask what they notice.
I ended my LockBit session at the “pay ransom or not” decision point – even though we had time remaining. That decision was the emotional peak. Continuing past it would have diluted the impact.
If your team hits a moment of genuine weight during Round 3 – a debate about disclosure, a hard call about rebuilding vs. patching – that might be your natural ending. You do not have to finish every scripted beat. End where the energy is highest.
Your choice: Push through to full resolution if your group wants closure, or end on the decision if they are energised by the dilemma.
Debrief Guide (~15 min)
Standard closing questions (ask all 4):
- “What was the first moment you suspected something was wrong?”
- “Which decision felt hardest, and why?”
- “What would you do differently if this happened at your actual organization?”
- “What is one thing you will remember from today’s session?”
Scenario-specific question:
“The fake update prompt looked legitimate to experienced designers under deadline pressure. What would make you stop and verify a software update prompt before clicking, even when you are in a hurry?”
What’s Next
Your group has completed their first M&M session. Ready to pick your own scenario? IM Quick Start Guide – Path 2: Picking Your Own Scenario walks you through threat type, audience, difficulty, and format selection.
More FakeBat scenarios:
- FakeBat: Small Business – Professional services firm, client deliverables, governance and regulatory layer added
- FakeBat: Gaming Cafe – Public-access machines, faster scope, different containment trade-offs
- FakeBat: Nonprofit Organization – Volunteer org, limited IT resources, budget pressure
Try GaboonGrabber:
- GaboonGrabber Beginner Scenario: The Fundraiser Email – Phishing via fake password reset, same beginner format, different threat type