IR Lab Pack - Recon → Web Shell → Persistence

🚨 Incident Scenario

Over the last 24 hours our public Linux web server started showing internet reconnaissance in Apache logs (masscan, Cortex Xpanse, random crawlers). Shortly after, users reported slowness and weird spikes.

Your Mission: Work as a mini-CERT team to triage evidence, confirm/deny web compromise, find persistence mechanisms, and recommend containment + hardening strategies.
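As an added example (not part of the lab pack), the first triage step a mini-CERT would run against the victim's Apache access log: parse combined-format lines, label the reconnaissance tooling named in the scenario (masscan, Cortex Xpanse) by User-Agent, and surface per-minute request spikes and the busiest source IPs for the Timeline and IOC deliverables. The sample log lines are constructed, and the User-Agent markers are the substrings those scanners commonly send, not values taken from the lab VM.

```python
import re
from collections import Counter
from datetime import datetime

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Lower-cased User-Agent substrings for the recon tooling named in the scenario (assumed markers).
RECON_UA_MARKERS = {"masscan": "masscan",
                    "expanse, a palo alto networks company": "cortex-xpanse"}

def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def classify_ua(ua):
    """Label a known scanner User-Agent, or return None for ordinary clients."""
    ua_l = ua.lower()
    return next((lbl for mark, lbl in RECON_UA_MARKERS.items() if mark in ua_l), None)

def triage(lines, spike_threshold=3):
    """Collect recon hits, per-minute request spikes and the busiest source IPs."""
    recon, per_minute, per_ip = [], Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines instead of aborting the triage
        per_ip[rec["ip"]] += 1
        per_minute[rec["time"].strftime("%Y-%m-%d %H:%M")] += 1
        label = classify_ua(rec["ua"])
        if label:
            recon.append((rec["time"].isoformat(), rec["ip"], label, rec["req"]))
    spikes = sorted(m for m, n in per_minute.items() if n >= spike_threshold)
    return {"recon": recon, "spikes": spikes, "top_ips": per_ip.most_common(3)}

# Constructed sample lines using RFC 5737 documentation addresses; not taken from the lab VM.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2024:10:03:22 +0000] "GET / HTTP/1.1" 200 1043 "-" "Expanse, a Palo Alto Networks company, searches across the global IPv4 space multiple times per day"
192.0.2.55 - - [12/Mar/2024:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 2040 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/122.0"
203.0.113.10 - - [12/Mar/2024:10:20:00 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
203.0.113.10 - - [12/Mar/2024:10:20:01 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
203.0.113.10 - - [12/Mar/2024:10:20:02 +0000] "GET /index.html HTTP/1.1" 200 2040 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
"""
```

Run `triage(open("/var/log/apache2/access.log").read().splitlines())` on a copy of the victim's log; the `spikes` list gives the minutes worth lining up against the users' slowness reports.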

Attack Chain Visualization

Lab Deliverables

Timeline: Chronological attack sequence
IOCs: Indicators of Compromise
Root Cause: How the breach occurred
Fix Plan: 1-page remediation strategy

Lab Topology

🎯 Victim Server
OS: Ubuntu 22.04 LTS
Role: Apache2 web server
Status: Compromised
Evidence: Logs, web shell artifacts

🔬 Investigator Workstation
OS: Ubuntu 24.04 LTS
Role: Full forensics toolkit
Status: Clean
Tools: Volatility, lnav, YARA, etc.

⚠️ Safety Notice
Keep the victim VM isolated from the internet to avoid real callbacks. All "malicious" files are intentionally planted for educational purposes and are documented for instructor reference.