incident-response-trainer
Mock scenarios · Rule-based grading
Cybersecurity · extremely-hard · Living-off-the-Land Persistence · High asset
Scenario

Fileless persistence on a jump host — WMI event subscription + scheduled tasks driving signed system binaries, ambiguous admin-vs-attacker, ~30-day dwell

An extremely-hard Cybersecurity scenario on Living-off-the-Land Persistence.

Practice this scenario

Start a graded attempt against this scenario. Your response is scored by the same deterministic rubric used across the catalog. Email and evidence content stay hidden until you start.

Launches this exact scenario. One of 5 templates in this Track + Difficulty pool.

catalog id · lotl-persistence-wmi-scheduled-task

Training alignment

What this scenario practices, mapped to recognized frameworks.

Educational mapping only. Not a compliance attestation.

What this trains
  • Fileless WMI/LOLBin persistence triage
  • Memory-first evidence under ambiguity
MITRE ATT&CK (mitre-attack)
  • Event Triggered Execution: WMI Event Subscription · Persistence · T1546 · TA0003
    Mapped · High confidence

    Trains triage of WMI permanent event subscription persistence.

  • Command and Scripting Interpreter · Execution · T1059 · TA0002
    Mapped · Medium confidence

    Trains analysis of encoded PowerShell driven by signed binaries.

MITRE D3FEND (mitre-d3fend)
  • Process Activity Analysis · D3-PAU
    Mapped · High confidence

    Trains process-lineage analysis of living-off-the-land activity.

  • File Analysis · D3-FA
    Partial · Low confidence

    Trains recovery of a memory-only artifact when nothing is left on disk.

NIST CSF 2.0 (nist-csf-2)
  • Continuous Monitoring · Detect · DE.CM · DE
    Mapped · High confidence

    Trains detection of fileless persistence under partial EDR.

  • Analysis · Respond · RS.AN · RS
    Mapped · High confidence

    Trains the admin-vs-attacker disambiguation analysis.

NIST SP 800-61r3 (nist-sp-800-61r3)
  • IR lifecycle phase · Detection & Analysis
    Mapped · High confidence

    Trains memory-first triage of ambiguous, signed-binary persistence.

  • IR lifecycle phase · Containment, Eradication & Recovery
    Mapped · Medium confidence

    Trains preserve-then-isolate of a privileged jump host.

CISA Cybersecurity Performance Goals (cisa-cpg)
  • Detecting Relevant Threats and TTPs · 3.A
    Mapped · High confidence

    Trains detection engineering for WMI/LOLBin tradecraft.

  • Mitigating Known Vulnerabilities · 1.E
    Partial · Low confidence

    Trains closing the EDR and patch gaps that hid the dwell.

CIS Controls v8 (cis-controls)
  • Audit Log Management · Control 8
    Mapped · High confidence

    Trains the logging the fileless investigation depends on.

  • Account Management · Control 5
    Mapped · Medium confidence

    Trains retiring the shared admin account that broke attribution.