009
EXH-009 | 2008 | Fictional reconstruction
Tuesday Patch, Wednesday Storm
November 2008. MS08-067 ships for a critical Server service RPC hole. Conficker spreads anyway, through patch gaps, weak passwords, and USB autoplay.
Type: Classic
Difficulty: Intermediate
Era: 2000s
Time: 9 min
Briefing
No live SMB on this terminal; this is the workbook version CERT used for tabletop exercises. Read the bulletin excerpt and grep the synthetic `netlog` for anonymous share attempts.
Your role
Incident handler reconstructing the first enterprise outbreak in your region.
Objective
Connect the KB patch bulletin to the observable IPC$ / autorun indicators in the stub logs.
Terminal environment
- user: handler
- host: ren-isac-lab
- cwd: /incident/conficker-practice
- steps: 3
Safety note. This is a safe reconstruction. All systems, files, hosts, credentials, and outputs are simulated. Do not use these techniques on systems you do not own or have explicit permission to test.