You've seen the incident unfold across four environments in ninety minutes (Section 0.1), learned the five-step reasoning chain that separates investigators from tool operators (Section 0.2), understood the NIST Rev 3 framework vocabulary (Section 0.3), and mapped the six tool categories (Section 0.4). This section shows you what a properly executed investigation of that same incident produces — the timeline, the findings, the containment decisions, and the report. This is the destination. The rest of the course builds the skills to get here.
Scenario
Same incident as Section 0.1 — the AiTM phishing, the session replay, the inbox rule, the BEC email, the endpoint loader, the credential theft, the lateral movement to the file server. But this time the responder investigates all four environments, applies the five-step chain to every finding, contains across both planes simultaneously, and produces a report the CISO can hand to the insurer without revision. What does that investigation actually look like? Not the theory — the output. The timeline. The findings. The containment sequence. The report structure. This section shows you the finished product so every module from IR1 onward connects to a concrete destination.
Section 0.1 showed you the attacker's ninety minutes. This section shows you the investigator's four hours — the investigation that would have caught the full scope, contained both planes, and produced the evidence package that closes the case. You haven't learned the skills yet. That's the point. You're seeing the destination before you build the route.
Estimated time: 30 minutes.
Figure IR0.5 — A properly executed investigation of the same incident from Section 0.1. Four hours, four environments, eight findings, five containment actions. The one-sided investigations from Section 0.1 each found fewer than half the findings. The unified investigation found all eight and contained across both planes.
What the investigator did differently
The critical difference is not skill with tools — it's the decision to investigate all four environments from the start. The responder who receives the Entra ID Protection alert at 16:42 doesn't begin with "let me check the sign-in logs." They begin with the hypothesis from the five-step chain: "An AiTM attack captures both credentials and session tokens. If the session was replayed, the attacker had mailbox access. If the attacker had mailbox access, they may have established persistence and initiated BEC. If the phishing page included a secondary payload, the endpoint may also be compromised." Four environments, four hypotheses, tested in parallel — not sequentially.
That initial framing changes everything. The cloud-only investigator from Section 0.1 started and finished in the cloud because they never formed the endpoint hypothesis. The endpoint-only investigator started and finished on the endpoint because they never formed the cloud hypothesis. The complete investigator formed all four hypotheses in the first five minutes and allocated investigation time across all four environments.
The eight findings, in order of discovery
Each finding was produced by applying the five-step chain from Section 0.2. Notice how each finding's "next step" points to the next finding — the chain drives the investigation forward.
SigninLogs shows a sign-in from a Bucharest residential IP with a token replay pattern. RiskLevelDuring was Low — residential IPs pass reputation checks. Conditional access evaluation shows MFA was satisfied by token, not by interactive challenge.
Proves
Session obtained through token replay, not interactive authentication.
Doesn't prove
What the attacker did with the session.
Next step
Check OfficeActivity for mailbox actions after 14:36.
Source:SigninLogs | Tool: KQL in Advanced Hunting | Course module:IR8
UnifiedAuditLog shows a New-InboxRule operation ten minutes after the session replay. The rule forwards emails containing "invoice," "payment," and "PO" to RSS Feeds and marks them as read.
Proves
Attacker established mailbox persistence through an inbox rule.
Doesn't prove
Whether the attacker sent any emails.
Next step
Check MessageTrace for outbound emails after 14:46.
MessageTrace shows an outbound email to a known supplier contact, requesting updated bank details. Sent from Claire's mailbox through Exchange Online's normal infrastructure.
Proves
Attacker used the compromised session to send a fraudulent email about a real transaction.
Doesn't prove
Whether the supplier acted on the email.
Next step
Notify supplier immediately. Pivot to endpoint — did the phishing page deliver a payload?
KAPE triage collection. PECmd shows Payment_Confirmation_Q4.exe in Prefetch with a first-execution timestamp of 15:09 and run count 1. AmcacheParser confirms the file hash and path.
Proves
File executed once at 15:09 from C:\Users\Claire\Downloads\.
Doesn't prove
What the file did when it ran — Prefetch records execution, not behavior.
WinPMem capture analyzed with Volatility 3. The malfind plugin identifies a private, executable memory region inside explorer.exe not mapped from any file on disk. Contains shellcode consistent with Cobalt Strike. The netscan plugin shows an active outbound connection to a domain-fronted endpoint.
Proves
Reflective loader injected a beacon into explorer.exe that is actively communicating with attacker infrastructure.
Doesn't prove
What commands the attacker sent through the beacon.
Next step
Check whether the beacon performed credential access.
Volatility 3 handles plugin shows explorer.exe holding handles to LSASS — handles a normal Explorer instance would never hold. Security Event ID 4663 confirms explorer.exe accessed LSASS at 15:14 with PROCESS_VM_READ.
Proves
Beacon accessed LSASS memory — the standard mechanism for extracting cached credentials.
Doesn't prove
Which specific credentials were extracted.
Next step
Identify accounts with cached credentials via recent 4624 logon events.
Finding 7 — Lateral Movement to File ServerEnvironment: Lateral | Time: 15:28
Domain controller Security log shows two 4624 events at 15:28 — the two service accounts cached on Claire's workstation. Logon type 3 (network), source is Claire's IP, destination is the file server. Share audit logs confirm access to \\FILESERVER\Projects\Q4-Financials\.
Proves
Attacker used harvested credentials to authenticate to the file server and access financial data.
Doesn't prove
Whether the data was exfiltrated.
Next step
Check for data staging and exfiltration artifacts.
Finding 8 — Data ExfiltrationEnvironment: Lateral | Time: 15:52–16:01
MFTECmd shows forecast-archive.rar (12 MB) created at 15:52 in a temp directory. Proxy logs show an HTTPS POST of ~12 MB from Claire's IP to a cloud storage endpoint at 16:01.
Proves
Attacker staged and exfiltrated data from the file server through Claire's workstation.
Doesn't prove
Full contents of the archive — requires recovery and analysis.
Next step
Recover archive. Determine full data exposure for GDPR notification assessment.
Persistence mechanisms removed — both survive a password reset. Suspicious OAuth app consent at 15:18 identified and revoked. Justified by: Finding 2 confirmed inbox rule persistence.
17:45
After F4
Isolate endpoint via Defender for Endpoint
Beacon's C2 communication severed. Evidence preserved on device for continued analysis. Isolation is reversible — low-risk containment. Justified by: Finding 4 confirmed loader execution.
18:15
After F6
Rotate Claire's + 2 service account passwords
All stolen credential material invalidated before the attacker could re-enter from a different host. Justified by: Finding 6 confirmed LSASS credential theft.
18:30
After F3
Notify supplier by phone — not email
Supplier confirmed they had not yet processed the bank detail change. The $247,000 payment was not lost. Justified by: Finding 3 confirmed BEC reply sent.
Each containment action was justified by a specific finding and documented in the investigation record. No containment was speculative. No containment was delayed waiting for the complete picture. The responder contained what the evidence supported, when the evidence supported it.
What the incomplete investigations from Section 0.1 missed
The cloud-only investigation found Findings 1, 2, and 3. It missed 4 through 8. Containment: sessions revoked, inbox rule removed, password reset. The endpoint beacon continued operating. Three weeks later, the attacker used a service account hash — unrotated because the endpoint was never investigated — to re-enter the network from a different compromised host. The incident recurred. The post-mortem blamed "incomplete credential rotation" when the real failure was investigating only one plane of a cross-plane attack. The endpoint-only investigation found Findings 4, 5, 6, and 7. It missed 1, 2, and 3. Containment: endpoint isolated, credentials rotated. The inbox rule continued forwarding invoice emails to the attacker. The BEC fraud completed. The $247,000 was lost.
What the report contained
The investigation report — the deliverable that IR17 teaches you to produce — answered five questions that leadership, legal, and the insurer always ask.
NE-INC-2026-0047 — Incident Report Summary
Classification: Confidential | Date: 15 May 2026 | Lead investigator: [Analyst] | Status: Closed
1. What happened?
AiTM credential phishing led to session theft, mailbox access, BEC fraud, and concurrent endpoint compromise with credential theft and data exfiltration. The attacker operated across four environments in ninety minutes. Attack chain: phishing email → AiTM proxy → token capture → session replay → mailbox persistence → BEC → endpoint loader → reflective beacon → LSASS access → lateral movement → data staging → exfiltration.
2. How far did it go?
One user account compromised (Claire Thornton, Finance). Two service account credentials stolen (svc-backup, svc-print). One endpoint compromised with active C2 beacon. One file server accessed. 12 MB financial forecast data exfiltrated. One fraudulent BEC email sent to supplier.
3. What was the impact?
Attempted financial fraud: $247,000 — prevented by timely supplier notification. Data exposure: Q4 financial forecasts (GDPR Article 33 notification assessment required). No ransomware deployment. No additional lateral movement beyond the file server confirmed.
4. What did we do about it?
Five containment actions executed between 17:00 and 18:30, each documented with timestamp, justifying finding, and verification. Full credential rotation for all affected accounts. Endpoint rebuilt from clean image. Inbox rule and OAuth persistence removed. Supplier notified by phone.
5. What do we change?
Four recommendations: (1) Deploy phishing-resistant MFA (FIDO2) for all finance users. (2) Conditional Access policies requiring compliant devices for sensitive applications. (3) Detection rules for inbox rule creation after risky sign-ins and LSASS access by non-security processes. (4) File server share audit logging to capture access events.
Investigation Principle
A properly executed investigation produces eight things: a complete timeline across every environment the attacker touched, defensible findings where each one states what it proves and what it doesn't, staged containment driven by findings rather than delayed for completeness, credential scope that identifies every compromised account and rotates them all, a report that answers the five questions leadership always asks, recommendations that prevent recurrence of the specific attack class, evidence that meets chain-of-custody requirements, and a case file another responder could pick up and continue. This course builds every one of those capabilities.
This is what the course builds
Every module from IR1 onward teaches a specific piece of what you just saw.
IR1Sets up the toolkit that collected the evidence.
IR2Teaches the acquisition methodology that preserved it.
IR3–IR5Teach the endpoint analysis that produced Findings 4, 6, and 7.
IR6Teaches the memory forensics that produced Finding 5.
IR8–IR11Teach the cloud investigation that produced Findings 1, 2, and 3.
IR13–IR16Put it all together in four complete investigation scenarios.
You now know what the destination looks like. The rest of the course is the route.
Next
You've completed Module 0. You have the incident shape, the reasoning chain, the framework vocabulary, the toolkit map, and the picture of what a properly executed investigation produces. Go to IR1 — Toolkit Setup to install and configure every tool the course uses.
