PSAA Training: Reconstructing an Attack Kill Chain with MITRE ATT&CK

Part of my Practical SOC Analyst Associate (PSAA) training through TCM Security involves working through realistic incident response scenarios and mapping observed attacker behaviour to the MITRE ATT&CK framework. This exercise presented a simulated compromise at Permalink Software and asked me to reconstruct the full attack kill chain from the available evidence.

This post documents my analysis of each stage.


The Scenario

The SOC team at Permalink Software detected an unusual spike in traffic from one of their endpoints communicating with a known malicious IP address. The network intrusion detection system (NIDS) flagged the activity, and threat intelligence feeds correlated it with additional indicators of compromise. The task was to use MITRE ATT&CK to identify each technique used and reconstruct the full kill chain.


The Kill Chain

1. Reconnaissance - Active Scanning: Vulnerability Scanning (T1595.002)
2. Initial Access - Exploit Public-Facing Application (T1190)
3. Execution - Command and Scripting Interpreter: Windows Command Shell (T1059.003)
4. Privilege Escalation - Access Token Manipulation: Token Impersonation/Theft (T1134.001)
5. Persistence - Create or Modify System Process: Windows Service (T1543.003)
6. Defense Evasion - Impair Defenses: Disable or Modify Tools (T1562.001)
7. Collection - Data from Local System via ccf32 (tactic TA0009)
8. Exfiltration - Data pushed to a public GitHub repository (mitigation M1021)
9. Impact - Defacement: External Defacement (T1491.002)

Stage-by-Stage Breakdown

Stage 1 - Reconnaissance: T1595.002

The NIDS flagged a large spike in inbound traffic carrying the user-agent string "Mozilla/5.0 (compatible; Nmap Scripting Engine;)". This is the fingerprint of Nmap's scripting engine, which was being used to systematically probe the organisation's external-facing services for vulnerabilities.

This maps to T1595.002 - Active Scanning: Vulnerability Scanning, a sub-technique of Active Scanning (T1595). The attacker was gathering intelligence about what was exposed and exploitable before taking any action.


Stage 2 - Initial Access: T1190

With a target identified, the attacker exploited an SQL injection vulnerability in one of Permalink Software’s external-facing web applications. The tool used was sqlmap (MITRE Software ID: S0225), which automates the discovery and exploitation of SQL injection flaws.

This maps to T1190 - Exploit Public-Facing Application. SQL injection as an initial access vector remains one of the most common and preventable entry points in real-world breaches.


Stage 3 - Execution: T1059.003

After achieving remote code execution through the SQL injection exploit, the attacker established a reverse shell by spawning a cmd.exe process on the compromised server. This gave them an interactive command-line session running on the target system, controlled from a remote machine.

This maps to T1059.003 - Command and Scripting Interpreter: Windows Command Shell.


Stage 4 - Privilege Escalation: T1134.001

With a foothold established, the attacker needed higher privileges to move further. They abused SeImpersonatePrivilege to impersonate an administrator’s security token - a well-known Windows privilege escalation path. The Windows API call DuplicateToken is one of the monitored calls associated with this technique, as it allows one process to copy another’s access token.

This maps to T1134.001 - Access Token Manipulation: Token Impersonation/Theft.


Stage 5 - Persistence: T1543.003

To survive reboots and analyst intervention, the attacker modified an existing Windows service’s image path to point to their malicious reverse shell payload. This means every time that service starts, the attacker’s payload executes automatically.

This maps to T1543.003 - Create or Modify System Process: Windows Service. Modifying an existing service is a stealthier approach than creating a new one, since existing services are less likely to trigger alerts.


Stage 6 - Defense Evasion: T1562.001

Endpoint logs in the SIEM recorded that the organisation’s EDR tool was disabled during the same timeframe as the initial compromise. Disabling the EDR removes the primary tool the SOC relies on for endpoint visibility, buying the attacker more time to operate undetected.

This maps to T1562.001 - Impair Defenses: Disable or Modify Tools. EDR tampering is a strong indicator of a deliberate, hands-on attacker rather than automated malware.


Stage 7 - Collection: TA0009

The ccf32 software was transferred to the host shortly after the initial compromise. Its purpose in this context is collection - gathering sensitive data, files, and intellectual property from the compromised system before exfiltration.

This maps to tactic TA0009 - Collection.


Stage 8 - Exfiltration

The attacker pushed staged data to a public GitHub repository. Using a legitimate, trusted external service for exfiltration is a deliberate choice - it blends into normal web traffic and bypasses basic network controls that block unknown destinations.

The mitigation that could have prevented this is M1021 - Restrict Web-Based Content: blocking or monitoring access to unauthorised external web services, including code-hosting platforms, from production environments.


Stage 9 - Impact: T1491.002

To complete the attack, the attacker modified the organisation's public-facing corporate website to display propaganda messages. This is the final visible action - the attacker had achieved their objectives and chose to make their presence known.

This maps to T1491.002 - Defacement: External Defacement.
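To tie the nine stages together, here is an added example of my own (not part of the PSAA exercise material): a small Python mapper that runs constructed log lines through one detection predicate per stage and returns the kill chain with the ATT&CK IDs used above, plus the stages that still lack supporting evidence. The event format, field names, host names, IPs and file paths are all assumptions made for the illustration.

```python
import re

# Constructed sample events for this walkthrough (not telemetry from the exercise); hosts, IPs, paths and field names are hypothetical.
SAMPLE_EVENTS = [
    r'nids src="198.51.100.23" user_agent="Mozilla/5.0 (compatible; Nmap Scripting Engine;)"',
    r'waf src="198.51.100.23" user_agent="sqlmap/1.7.11#stable" uri="/products.php?id=1"',
    r'edr host="WEB01" parent="w3wp.exe" image="cmd.exe" cmdline="cmd.exe /c whoami"',
    r'edr host="WEB01" image="cmd.exe" api="DuplicateToken" privilege="SeImpersonatePrivilege"',
    r'sysmon event_id="13" key="HKLM\SYSTEM\CurrentControlSet\Services\Spooler\ImagePath" value="C:\Users\Public\rs.exe"',
    r'siem host="WEB01" message="EDR sensor service stopped by SYSTEM"',
    r'sysmon event_id="11" image="cmd.exe" file="C:\Users\Public\ccf32.exe"',
    r'proxy host="WEB01" dest="github.com" method="POST" uri="/example-org/staging.git/git-receive-pack"',
    r'fim host="WEB01" path="C:\inetpub\wwwroot\index.html" action="modified" image="cmd.exe"',
]
KV = re.compile(r'(\w+)="([^"]*)"')                      # '<source> key="value" ...'; values may hold spaces/semicolons
SERVICE_IMAGEPATH = re.compile(r"\\Services\\[^\\]+\\ImagePath$", re.I)
# (kill-chain stage, ATT&CK ID used in the walkthrough, label, predicate over the parsed fields)
RULES = [
    (1, "T1595.002", "Reconnaissance: Nmap Scripting Engine user-agent",
     lambda f: "Nmap Scripting Engine" in f.get("user_agent", "")),
    (2, "T1190", "Initial Access: sqlmap (S0225) against a public web app",
     lambda f: f.get("user_agent", "").lower().startswith("sqlmap")),
    (3, "T1059.003", "Execution: cmd.exe spawned by a web server process",
     lambda f: f.get("image", "").lower() == "cmd.exe" and f.get("parent", "").lower() in {"w3wp.exe", "httpd.exe", "nginx.exe"}),
    (4, "T1134.001", "Privilege Escalation: DuplicateToken with SeImpersonatePrivilege",
     lambda f: f.get("api") == "DuplicateToken" and f.get("privilege") == "SeImpersonatePrivilege"),
    (5, "T1543.003", "Persistence: existing service ImagePath rewritten",
     lambda f: f.get("event_id") == "13" and SERVICE_IMAGEPATH.search(f.get("key", "")) is not None),
    (6, "T1562.001", "Defense Evasion: EDR stopped or disabled",
     lambda f: re.search(r"\bEDR\b.*\b(stopped|disabled)\b", f.get("message", ""), re.I) is not None),
    (7, "TA0009", "Collection: ccf32 dropped on the host",
     lambda f: f.get("file", "").lower().endswith("ccf32.exe")),
    (8, "M1021", "Exfiltration: git push to GitHub (mitigation Restrict Web-Based Content)",
     lambda f: f.get("dest", "").endswith("github.com") and "git-receive-pack" in f.get("uri", "")),
    (9, "T1491.002", "Impact: wwwroot content modified from a shell",
     lambda f: "\\wwwroot\\" in f.get("path", "").lower() and f.get("action") == "modified"),
]

def reconstruct_kill_chain(lines):
    """(stage, attack_id, label) for each stage with at least one matching event, in chain order."""
    hits = {}
    for line in lines:
        source, _, rest = line.partition(" ")
        f = dict(KV.findall(rest), source=source)
        for stage, attack_id, label, pred in RULES:
            if pred(f):
                hits.setdefault(stage, (stage, attack_id, label))  # first supporting event wins
    return [hits[s] for s in sorted(hits)]

def missing_stages(lines):  # stages with no supporting event: the gaps an analyst must still close
    return [s for s, *_ in RULES if s not in {h[0] for h in reconstruct_kill_chain(lines)}]
```

Feeding only the first three sample events reports stages 4 to 9 as missing, which is the situation an analyst is in midway through triage: the chain is a hypothesis until each stage has an event behind it.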


Full ATT&CK Reference Table

Stage | Tactic               | Technique / Sub-technique                                                    | ID
------|----------------------|------------------------------------------------------------------------------|----------
1     | Reconnaissance       | Active Scanning: Vulnerability Scanning                                      | T1595.002
2     | Initial Access       | Exploit Public-Facing Application                                            | T1190
2a    | Software             | sqlmap                                                                       | S0225
3     | Execution            | Command and Scripting Interpreter: Windows Command Shell                     | T1059.003
4     | Privilege Escalation | Access Token Manipulation: Token Impersonation/Theft                         | T1134.001
5     | Persistence          | Create or Modify System Process: Windows Service                             | T1543.003
6     | Defense Evasion      | Impair Defenses: Disable or Modify Tools                                     | T1562.001
7     | Collection           | Data collection via ccf32 (tactic)                                           | TA0009
8     | Exfiltration         | Data pushed to public GitHub (mitigation: Restrict Web-Based Content)        | M1021
9     | Impact               | Defacement: External Defacement                                              | T1491.002

Key Takeaways

Working through this scenario reinforced a few things that are easy to grasp in theory but become much more concrete when applied to a realistic case:

The attacker disabled the EDR before the noisiest activity. Defense evasion (Stage 6) came before collection and exfiltration. By the time sensitive data was being staged, the primary detection tool was already off. A SOC that only relies on EDR alerts would have missed the latter stages entirely.

Persistence was quiet by design. Modifying an existing Windows service rather than creating a new one is a deliberate choice - new services get logged and noticed. Existing ones blend in.

Exfiltration via GitHub is a bypass strategy. Firewalls and DLP tools that block unknown destinations do not block GitHub by default. Restricting which external web services production systems can reach (M1021) is a control that specifically addresses this.

SQL injection as initial access is still very common. T1190 via SQL injection is not a novel technique, yet it provided the entry point in this scenario. Input validation and web application firewalls remain essential first-line controls.


This exercise is part of my ongoing preparation for the Practical SOC Analyst Associate (PSAA) certification through TCM Security. More scenarios and notes to follow.


If you are working through PSAA or studying MITRE ATT&CK, feel free to reach out.