Introduction

The VaultBreak lab simulates a complex, multi-stage attack against a financial services firm that begins with a successful phishing attempt in May 2025. The compromise is initiated when an unsuspecting employee opens a malicious macro-enabled Word document, which triggers the execution of obfuscated scripts designed to download and launch malware. From this point forward, the attacker leverages a series of well-coordinated tactics aimed at maintaining access, elevating privileges, and ensuring persistence while evading detection.

Participants are provided with a triage image and forensic artifacts to examine using tools such as Event Logs Explorer, PECmd, Timeline Explorer, Notepad++, and CyberChef. The lab leads analysts through each phase of the attack, from the initial infection vector to the deployment of disguised executables and the establishment of command and control (C2) over HTTPS. A critical focus of this lab is on persistence mechanisms, particularly the use of Windows Management Instrumentation (WMI). The attacker sets up a permanent WMI event subscription that triggers malicious payload execution based on system uptime—a subtle but highly effective method for ensuring persistence across reboots.

Importantly, this WMI-based persistence aligns with the MITRE ATT&CK technique T1546.003, categorized under Event Triggered Execution: Windows Management Instrumentation Event Subscription. This technique provides adversaries with a stealthy foothold, allowing them to execute code in response to system events without creating traditional startup entries or scheduled tasks that might be flagged by basic security tools.
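One way a defender can surface the kind of subscription the lab describes is to walk the three pieces of a permanent WMI subscription (filter, consumer, binding) in the `root/subscription` namespace and flag filters whose WQL keys on system uptime. The script below is an added example, not part of the VaultBreak lab materials; the uptime query shape it matches (`SystemUpTime` on `Win32_PerfFormattedData_PerfOS_System`) is the common form of this trigger, not the lab's actual payload, and the interpreter list is an assumed heuristic.

```powershell
# Added example (not lab code): enumerate permanent WMI event subscriptions
# and flag uptime-triggered filters and interpreter-launching consumers.
# Run from an elevated PowerShell session on the host under investigation.
$ns = 'root/subscription'

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# WQL fragments typical of an uptime-based trigger (assumed pattern, not the lab's own text)
$uptimePattern = 'SystemUpTime|PerfFormattedData_PerfOS_System'
# Consumer actions worth a second look: assumed list of interpreters/LOLBins
$suspiciousAction = 'powershell|wscript|cscript|cmd\.exe|mshta|rundll32|-enc'

$results = foreach ($b in $bindings) {
    # With Get-CimInstance the Filter/Consumer reference properties are CimInstances,
    # so the referenced object's key (Name) is available directly.
    $f = $filters   | Where-Object Name -eq $b.Filter.Name
    $c = $consumers | Where-Object Name -eq $b.Consumer.Name

    # The payload lives in a different property depending on the consumer class
    $action = switch ($c.CimClass.CimClassName) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { $c.ScriptText }
        default                     { '' }
    }

    $reasons = @()
    if ($f.Query -match $uptimePattern)    { $reasons += 'uptime-triggered filter' }
    if ($action  -match $suspiciousAction) { $reasons += 'interpreter launched by consumer' }

    [pscustomobject]@{
        Filter       = $f.Name
        Query        = $f.Query
        Consumer     = $c.Name
        ConsumerType = $c.CimClass.CimClassName
        Action       = $action
        Suspicious   = ($reasons -join '; ')
    }
}

# Bindings with a non-empty Suspicious column are the ones to triage first
$results | Sort-Object Suspicious -Descending | Format-List
```

For historical evidence rather than current state, the Microsoft-Windows-WMI-Activity/Operational log records the creation of a new filter-to-consumer binding as Event ID 5861, which is the event to pull from the lab's triage image alongside this live enumeration.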

Through this lab, learners gain
