This tabletop cybersecurity exercise simulates a credential theft and lateral movement attack within a professional services organization. Participants will respond to a simulated phishing attack, investigate suspicious activity, and coordinate incident response actions.
A phishing email compromises a user's VPN credentials. The attacker leverages the credentials to gain access to internal systems and escalates privileges using Active Directory tools.
- Test and validate incident response procedures
- Enhance team coordination and communication
- Identify gaps in security tools and policies
- `phantom-credentials.md`: Complete exercise scenario and flow
- `artifacts/`: Placeholder for injects, logs, emails (coming soon)
- `instructions.md`: (Optional) Guide for facilitators and observers
- Review the scenario and timeline in `phantom-credentials.md`
- Use logs, emails, or fake alerts from `artifacts/` (if added)
- Assign roles and walk through each phase
- Conduct a debrief using provided reflection questions
Inspired by MITRE ATT&CK techniques (tactic: technique):
- Initial Access: Valid Accounts (T1078)
- Lateral Movement: Remote Services (T1021)
- Credential Access: OS Credential Dumping (T1003)
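The scenario above chains three ATT&CK techniques for one user: VPN login with stolen credentials, a remote logon to an internal host, and a credential-dumping alert. A facilitator may want a small script that reconstructs that chain from log lines, either to sanity-check injects or to show participants what a detection team would correlate. The following is an added example written for this README, not code from the repository; the event names, field layout and sample events are constructed for illustration and do not follow any real product's schema.

```python
"""Correlate constructed log events into the three phases of the scenario:
valid-account VPN login (T1078), lateral movement via a remote logon (T1021)
and a credential-dumping alert (T1003). Event names are assumptions for this
example, not a real log schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Scenario phases in order: (event name that evidences it, technique ID, label).
PHASES = [
    ("vpn_login", "T1078", "Initial Access: Valid Accounts"),
    ("remote_logon", "T1021", "Lateral Movement: Remote Services"),
    ("credential_dump_alert", "T1003", "Credential Access: OS Credential Dumping"),
]

# Constructed sample events (not the exercise's artifacts). 'jdoe' follows the
# full chain; 'asmith' logs in over VPN and does an unrelated remote logon
# hours later, which should not be chained.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:02:10", "user": "jdoe", "host": "vpn-gw01", "event": "vpn_login", "src": "203.0.113.7"},
    {"ts": "2024-05-01T07:55:00", "user": "asmith", "host": "vpn-gw01", "event": "vpn_login", "src": "198.51.100.4"},
    {"ts": "2024-05-01T08:15:42", "user": "jdoe", "host": "fileserv01", "event": "remote_logon", "src": "10.0.5.21"},
    {"ts": "2024-05-01T08:21:05", "user": "jdoe", "host": "fileserv01", "event": "credential_dump_alert", "src": "10.0.5.21"},
    {"ts": "2024-05-01T14:30:00", "user": "asmith", "host": "wks-042", "event": "remote_logon", "src": "10.0.7.3"},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the sample events."""
    return datetime.fromisoformat(value)


def reconstruct_chains(events, window=timedelta(hours=2)):
    """Return {user: [(technique_id, ts, host), ...]} in scenario order.

    A phase is only appended if it is the next expected phase for that user
    and occurs no more than `window` after the previous accepted phase, so
    unrelated activity hours later does not complete a chain."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    chains = {}
    for user, user_events in by_user.items():
        user_events.sort(key=lambda e: parse_ts(e["ts"]))
        chain = []
        next_phase = 0
        last_ts = None
        for event in user_events:
            if next_phase >= len(PHASES):
                break
            expected_event, technique_id, _label = PHASES[next_phase]
            if event["event"] != expected_event:
                continue
            ts = parse_ts(event["ts"])
            if last_ts is not None and ts - last_ts > window:
                continue  # too far from the previous phase to be the same chain
            chain.append((technique_id, event["ts"], event["host"]))
            last_ts = ts
            next_phase += 1
        chains[user] = chain
    return chains


def users_reaching(chains, technique_id):
    """Users whose reconstructed chain includes the given technique."""
    return sorted(u for u, chain in chains.items() if any(t == technique_id for t, _, _ in chain))


def format_timeline(chains):
    """Render each user's chain as lines a facilitator can paste into an inject."""
    labels = {tid: label for _, tid, label in PHASES}
    lines = []
    for user in sorted(chains):
        for technique_id, ts, host in chains[user]:
            lines.append(f"{ts} {user}@{host}: {labels[technique_id]} ({technique_id})")
    return lines


if __name__ == "__main__":
    result = reconstruct_chains(SAMPLE_EVENTS)
    print("\n".join(format_timeline(result)))
    print("Users reaching credential access:", users_reaching(result, "T1003"))
```

Running the script prints a three-line timeline for `jdoe` and a single VPN-login line for `asmith`; only `jdoe` is reported as reaching T1003. The two-hour window is an arbitrary choice for the example; in a real environment it would be tuned to the organisation's normal VPN session and logon patterns.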
Built by Damian Lee | GitHub Profile