WGU D483 Incident Report on System Compromise | 2026 Update with complete solutions.
Template
SECTION A: INCIDENT DETAILS
Incident number(s): HDE-1001, HDE-1050, and HDE-1072
Incident date(s): 13 DEC
Report author: Keith Abbott (000207535)
Report date: 22 September 2024
Summary of incident: The incident began when multiple engineers at Design by Paradigm experienced severe performance issues with their Pro-Engineer CAD application. Initially, the application became slow and unresponsive, leading to a help desk ticket being initiated.
The Operations team identified that the fileserver was experiencing high utilization and, following SOP, rebooted the server.
Shortly afterwards, additional tickets were created by other users experiencing latency.
After investigating in our SIEM tool, it appears an unverified update from an unknown source was applied to the server, which has led to the increased utilization on the GPU and CPU. Additionally, there are multiple remote connections established between the server and unknown IP addresses.
Impacted system(s): WIN-6JNN6RLT6IL
Primary function of the impacted system(s): File storage for Pro-Engineer
Impacted user(s): Maya Patel, Diego Martin, and Alex Lee
Incident timeline:
• 13 Dec 10:00 am: first incident reported (HDE-1001)
• Shortly after this ticket, Operations identified that the storage server was experiencing high utilization and began remediation efforts following the SOP, without success.
• 13 Dec 03:14 pm: 2nd incident reported (HDE-1050)
• 13 Dec 03:20 pm: 3rd incident reported (HDE-1072)
• Tickets were assigned/escalated to me (Keith Abbott)
• Remediation immediately took place by removing the mining software, blocking the port in our firewall, and re-enabling Windows Defender
DJN2: Incident Response Incident Reporting Template
Functional impact:
(See section: Glossary) ☐HIGH ☒MEDIUM ☐LOW ☐NONE
Incident priority:
☐HIGH ☐MEDIUM ☒LOW
Additional notes: Categorized as a medium functional impact as the organization has lost the ability to provide critical services to a set of employees.
Priority is low as it affects a small number of staff, has minimal financial impact, and caused minimal damage to the business reputation.
Incident type: (check all that apply)
☒ Compromised system
☐ Compromised user credentials (e.g., lost password)
☐ Network attack (e.g., DoS)
☒ Malware (e.g., virus, worm, Trojan)
☐ Reconnaissance (e.g., scanning, sniffing)
☐ Lost equipment/theft
☐ Physical break-in
☐ Social engineering (e.g., phishing)
☐ Law enforcement request
☐ Policy violation (e.g., acceptable use)
☐ Other:
SECTION B: DETECT
Hostname of the impacted system(s): WIN-6JNN6RLT6IL
IP address of the impacted system(s): 10.10.20.10
Operating system of the impacted system(s): MS Windows Server 2019 v. 10.10.17763
SECTION C: INVESTIGATE
Destination port of malicious traffic: 3333
Additional notes & observations: The firewall logs indicate that traffic from an internal IP (10.10.10.1) to external IPs (159.203.162.18 and 165.227.182.82) on port 3333 was allowed by a pfsense
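The port-3333 observation above can be made repeatable. The following is an added example, not part of the original report or the WGU template: it parses pfSense filterlog lines and flags internal-to-external connections on port 3333, and, going beyond the report, on a few other ports commonly used by Stratum mining pools. The sample log lines are constructed for this example (they are not the real firewall logs), the field layout follows the pfSense filterlog CSV format as I understand it, and the extra port list is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Destination ports commonly used by Stratum mining-pool endpoints. 3333 is the
# port seen in this incident; the others are an assumption added for breadth.
MINING_PORTS = {3333, 4444, 5555, 14444}

# Constructed sample pfSense filterlog syslog lines (not real logs from the incident).
# Field layout after "filterlog[pid]:" is the pfSense filterlog CSV format:
# rule,subrule,anchor,tracker,iface,reason,action,dir,ipver,tos,ecn,ttl,id,offset,
# flags,proto-id,proto,length,src,dst,srcport,dstport,datalen,tcpflags,...
SAMPLE_LOG = """\
Dec 13 09:58:02 pfsense filterlog[9123]: 5,,,1000000103,em1,match,pass,out,4,0x0,,64,41011,0,DF,6,tcp,60,10.10.10.1,159.203.162.18,51234,3333,0,S,1911223344,,65535,,mss;sackOK;TS;nop;wscale
Dec 13 09:58:40 pfsense filterlog[9123]: 5,,,1000000103,em1,match,pass,out,4,0x0,,64,41012,0,DF,6,tcp,60,10.10.10.1,165.227.182.82,51240,3333,0,S,1911223400,,65535,,mss;sackOK;TS;nop;wscale
Dec 13 10:01:15 pfsense filterlog[9123]: 5,,,1000000103,em1,match,pass,out,4,0x0,,64,41020,0,DF,6,tcp,60,10.10.20.10,93.184.216.34,51300,443,0,S,1911224000,,65535,,mss;sackOK;TS;nop;wscale
Dec 13 10:03:07 pfsense filterlog[9123]: 5,,,1000000103,em1,match,pass,out,4,0x0,,64,41033,0,DF,6,tcp,60,10.10.10.1,159.203.162.18,51301,3333,0,S,1911224500,,65535,,mss;sackOK;TS;nop;wscale
Dec 13 10:05:22 pfsense filterlog[9123]: 9,,,1000000110,em1,match,block,out,4,0x0,,64,41040,0,DF,6,tcp,60,10.10.10.1,165.227.182.82,51350,3333,0,S,1911225000,,65535,,mss;sackOK;TS;nop;wscale
"""

# Syslog prefix: "Mon DD HH:MM:SS host filterlog[pid]: <csv>"
_LINE_RE = re.compile(
    r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+filterlog\[\d+\]:\s+(.*)$"
)


def parse_filterlog(line):
    """Parse one pfSense filterlog line into a dict; None for non-IPv4/TCP-UDP or junk."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    ts, csv = m.groups()
    f = csv.split(",")
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None
    return {
        "time": ts,
        "iface": f[4],
        "action": f[6],      # pass / block
        "direction": f[7],   # in / out
        "proto": f[16],
        "src": f[18],
        "dst": f[19],
        "sport": int(f[20]),
        "dport": int(f[21]),
    }


def find_mining_egress(log_text, ports=MINING_PORTS):
    """Return records where an internal (RFC 1918) host reaches an external host on a mining port."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec is None or rec["dport"] not in ports:
            continue
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        if src.is_private and not dst.is_private:
            hits.append(rec)
    return hits


def summarize(hits):
    """Count firewall verdicts per (src, dst, dport) so allowed vs blocked traffic is visible."""
    summary = {}
    for rec in hits:
        key = (rec["src"], rec["dst"], rec["dport"])
        summary.setdefault(key, Counter())[rec["action"]] += 1
    return summary


if __name__ == "__main__":
    for (src, dst, port), verdicts in summarize(find_mining_egress(SAMPLE_LOG)).items():
        verdict_text = ", ".join(f"{a}={n}" for a, n in sorted(verdicts.items()))
        print(f"{src} -> {dst}:{port}  {verdict_text}")
```

Run against the constructed lines, the summary shows the two external addresses from the report with their pass counts, and the one blocked attempt separately; the HTTPS connection on port 443 from 10.10.20.10 is not reported. Feeding real filterlog export text into `find_mining_egress` is the only change needed to use it on the actual logs.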