Project Report

Build a virtual environment to simulate the same attack in your selected incident. This environment should include all of the VMs that you believe are necessary to simulate the attack (no less than 3 target VMs). This setup includes target machines, offensive machine(s), and threat intelligent machine(s).

The next step is to simulate the attack while capturing all the necessary data (pcaps, logs, etc.) required for the threat hunting process.

Finally, you proceed to the threat hunting stage where you would analyze the incident thoroughly to generate the report needed. Please note the following about the threat hunting process:


  1. The threat should not be easily detectable with pre-existing IDS rules. Otherwise, the attack couldn’t have happened.
  2. The expected type of threat is complex enough that it requires investigation and is not a simple detectable attack (such as DoS, etc.).
  3. The IDS rules you’ll be creating are expected to be polished and professional.


This deliverable has 3 parts:

  1. Tutorial report showing the steps taken in attack simulation with appropriate screenshots and explanations.
  2. A complete incident report:
  3. Presentation Slides.


Incident Report:

Executive Summary:

  • State in simple, direct terms what happened (when, who, what).
  • What was the IP address of the infected computer?
  • What was the host name of the infected computer?
  • What was the user account names from the infected computer? (should be “name” not “names”)
  • What was the date and time the infection activity began?
  • What was the family of malware that caused this infection?
  • What was other critical information (e.g matching the email to the infected Windows/Linux host and user)
  • Breach Type (Phishing, Malware etc.), Incident Severity (Low, Medium, High etc.), Occurrence Date.


  • Log of all investigation activities including queries, dashboards and analysis of all alerts
  • Details of the victim (hostname, IP address, MAC address, user account name).
  • Detail about malware
  • Log of all collected evidences and develop evidence timeline
  • Mapping incident to ATT&CK
  • Making ATT&CK-mapped data actionable with defensive recommendations

Indicators of Compromise (IOCs):

  1. IP addresses, domains and URLs associated with the infection. SHA256 hashes if

any malware binaries can be extracted from the pcap.

Threat Hunting:



o Where are all the places we should be hunting?

o What are tell-tale signs of problem?

o How can we automate the hunt?

o How do we explain the problem and report the results?


Engineering (Implementation) — Explain your implementation:


o Tools/Scripts

o Visualization Dashboards and Discovery Queries

o Zeek rules

o Suricata rules  (Demonstration all phases from Lifecycle of vulnerability see (practical intrusion analysis))

o Playbook rules (Mandatory)

o Yara rules

o CyberChef (Mandatory )

o Wazuh (Mandatory)

o Wireshark display filters


Threat hunting demonstration


o Dashboards

o Queries



For your report preparation, you have to follow Springer templates: The report submissions not meeting these requirements or not in PDF format will be deemed incomplete and not be evaluated.


Project Presentation Slides:

You’re required to deliver a presentation slides following the rule mentioned here:

  1. Presentation slides is expected to last 15-20 minutes.
  2. Presentation slides is expected to include a small demonstration of the attack simulation. This simulation can be recorded.
  3. You’re expected to present the attack simulation in addition to The incident report findings.
  4. Presentation is expected to have three sections:
  • Brief Incident Description (2-3 minutes)
  • Incident Simulation Description (2-3 minutes)
  • Incident Simulation Demo (5 minutes)
  • Incident Report Findings (10 minutes to explain the steps of threat hunting and

report findings)