2026/2027 | Complete Solution with Step-by-Step Task Guidance | Aligned with CompTIA CySA+ CS0-003 Performance-Based Standards | Pass Guaranteed - A+ Graded
TASK 1: Threat Detection and Analysis
Task Overview
This task evaluates your ability to perform threat hunting, identify indicators of
compromise (IoCs), analyze malicious activity patterns, and construct SIEM queries to
detect anomalous behavior. You will demonstrate competency in security data analysis,
threat intelligence application, and detection engineering fundamentals aligned with
CySA+ Domain 1 (Security Operations) and Domain 2 (Vulnerability Management).
Scenario
You are a Security Operations Center (SOC) Analyst at a mid-sized financial services
firm. Your SIEM (Splunk Enterprise Security) has generated an alert for suspicious
lateral movement activity. Initial indicators show:
● Source IP: 192.168.1.45 (Finance Department workstation)
● Destination IPs: Multiple internal servers (192.168.10.0/24 subnet)
● Timeframe: 02:00-04:30 hours (outside business hours)
● Initial Alert: Unusual SMB protocol usage (port 445) with failed authentication attempts followed by successful access
● User Account: FINANCE\jsmith (legitimate user, but the account shows impossible travel patterns)
● Additional Context: Threat intelligence indicates that APT29 (Cozy Bear) has recently been targeting the financial sector with similar TTPs
Available Tools:
● Splunk Enterprise Security (SIEM)
● Wireshark (packet analysis)
● VirusTotal (threat intelligence)
● MITRE ATT&CK Navigator
● Sysmon logs (Windows Event Logs)
Required Deliverables
1. Threat Analysis Report (500-750 words) documenting attack timeline, TTPs
mapped to MITRE ATT&CK, and confidence assessment
2. IoC Documentation (structured format) including network, host, and behavioral
indicators with context
3. SIEM Detection Rules (SPL queries) for ongoing monitoring and future detection
4. Recommended Actions (immediate containment and long-term strategic
recommendations)
Step-by-Step Procedures
1. Initial Data Collection
Step 1.1: SIEM Data Extraction
● Access Splunk Enterprise Security dashboard
● Navigate to Incident Review → Select alert "Suspicious Lateral Movement - SMB"
● Extract the following search parameters (SPL):
    index=windows
      (sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
       OR sourcetype=XmlWinEventLog:Microsoft-Windows-Security-Auditing)
      earliest=-24h@h latest=now
      (src_ip=192.168.1.45 OR dst_ip=192.168.10.0/24 OR user=jsmith)
Step 1.2: Timeline Reconstruction
● Identify first malicious activity timestamp
● Document sequence: Initial Access → Execution → Persistence → Lateral
Movement
● Correlate with authentication logs (Event ID 4624, 4625, 4648)
● Extract process creation events (Sysmon Event ID 1)
Verification Checkpoint 1:
● [ ] Confirm temporal correlation between failed logons (4625) and successful
logons (4624)
● [ ] Verify process execution timeline shows non-standard applications (e.g.,
PSExec, Mimikatz, PowerShell with encoded commands)
● [ ] Validate impossible travel: User logged in from 192.168.1.45 while VPN logs
show simultaneous connection from foreign IP
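The first checkpoint item (failed 4625 logons followed by a successful 4624 from the same source, user and destination) can be scripted against exported events. The following is an added example, not part of the task solution; it assumes Splunk-style field names (EventCode, src_ip, user, dest, _time) and runs over constructed sample events.

```python
from datetime import datetime, timedelta

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def ev(t, code, src, user, dest):
    # One Windows Security event in the field shape Splunk extracts (assumed names)
    return {"_time": t, "EventCode": code, "src_ip": src, "user": user, "dest": dest}

# Constructed sample events (not real log data): a burst of failed logons from the
# Finance workstation at 02:03 followed by a success, plus one benign typo at 09:12.
EVENTS = [
    ev("2026-03-14 02:03:10", 4625, "192.168.1.45", "jsmith", "192.168.10.12"),
    ev("2026-03-14 02:03:14", 4625, "192.168.1.45", "jsmith", "192.168.10.12"),
    ev("2026-03-14 02:03:19", 4625, "192.168.1.45", "jsmith", "192.168.10.12"),
    ev("2026-03-14 02:03:25", 4625, "192.168.1.45", "jsmith", "192.168.10.12"),
    ev("2026-03-14 02:03:41", 4624, "192.168.1.45", "jsmith", "192.168.10.12"),
    ev("2026-03-14 09:12:02", 4625, "192.168.1.77", "adoe", "192.168.10.20"),
    ev("2026-03-14 09:12:15", 4624, "192.168.1.77", "adoe", "192.168.10.20"),
]

def failed_then_success(events, min_failures=3, window=timedelta(minutes=10)):
    """Flag each 4624 (successful logon) that is preceded, within `window`, by at
    least `min_failures` 4625 (failed logon) events from the same src_ip and user
    to the same destination. Returns one dict per hit."""
    evs = sorted(events, key=lambda e: parse_time(e["_time"]))
    hits = []
    for i, cur in enumerate(evs):
        if cur["EventCode"] != 4624:
            continue
        t_ok = parse_time(cur["_time"])
        failures = [
            f for f in evs[:i]
            if f["EventCode"] == 4625
            and (f["src_ip"], f["user"], f["dest"]) == (cur["src_ip"], cur["user"], cur["dest"])
            and t_ok - window <= parse_time(f["_time"]) < t_ok
        ]
        if len(failures) >= min_failures:
            hits.append({
                "src_ip": cur["src_ip"], "user": cur["user"], "dest": cur["dest"],
                "failed_before_success": len(failures), "success_at": cur["_time"],
                # the scenario window (02:00-04:30) is outside business hours
                "off_hours": t_ok.hour < 6 or t_ok.hour >= 20,
            })
    return hits

if __name__ == "__main__":
    for hit in failed_then_success(EVENTS):
        print(hit)
```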
Step 1.3: Network Traffic Analysis
● Export PCAP from SIEM or network taps for 02:00-04:30 window
● Open in Wireshark: File → Open → Select capture file
● Apply display filter: smb2 || smb || nbss || dcerpc
● Analyze for:
○ SMB pipe creation (IPC$ shares)
○ Service creation (PSEXESVC)
○ Credential material access (LSASS memory)
2. Threat Identification
Step 2.1: TTP Mapping to MITRE ATT&CK
● Initial Access: T1078 - Valid Accounts (compromised credentials)
● Execution: T1059.001 - PowerShell (encoded commands detected)
● Persistence: T1136.001 - Local Account Creation (backdoor account
"support_388945a0")
● Credential Access: T1003.001 - LSASS Memory (Mimikatz execution)
● Lateral Movement: T1021.002 - SMB/Windows Admin Shares
● Collection: T1560 - Archive Collected Data (7z compression of sensitive files)
● Exfiltration: T1041 - Exfiltration Over C2 Channel
Step 2.2: IoC Extraction and Classification
Network Indicators:
● Malicious IPs: 185.220.101.42 (C2 server), 192.168.1.45 (compromised internal)
● Domains: update-finance[.]com (DGA domain), cdn-analytics[.]net
● User-Agents: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36" (spoofed but with
anomaly in Accept-Language header)
Host Indicators:
● File Hashes:
○ a3b8c9d2e1f4... (Mimikatz.exe - detected via VirusTotal with 45/70
detections)
○ f7e2d5c8b1a9... (PSExec.exe - legitimate tool, malicious use)
● Registry Keys: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate (persistence)
● Scheduled Tasks: "MicrosoftEdgeUpdateTaskMachineCore" (masquerading
legitimate task)
Behavioral Indicators:
● Process Ancestry: winword.exe → powershell.exe → cmd.exe (unusual
parent-child relationship)
● Command Line: powershell -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA== (encoded sleep command)
● Network Behavior: SMB connections to 15+ internal servers within 30 minutes
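Two of the behavioral indicators above can be checked mechanically: the -enc argument is base64 of a UTF-16LE string, and the SMB fan-out is a count of distinct destinations per source in a sliding window. The following is an added example, not part of the task solution; it assumes Sysmon Event ID 3 records with src_ip, dest_ip, dest_port and _time fields and runs over constructed sample data.

```python
import base64
from datetime import datetime, timedelta

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def decode_encoded_command(cmdline):
    """Return the plaintext of a `powershell -enc <base64>` command line, or None.
    -EncodedCommand (also accepted as -e, -ec, -enc) carries base64 of UTF-16LE text."""
    parts = cmdline.split()
    for i, p in enumerate(parts[:-1]):
        if p.lower() in ("-e", "-ec", "-enc", "-encodedcommand"):
            try:
                return base64.b64decode(parts[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

# Constructed Sysmon Event ID 3 (network connection) records, not real log data:
# 16 distinct 192.168.10.x servers reached on 445 from the Finance workstation
# within 15 minutes, plus a user who touches three servers at a normal hour.
SMB_EVENTS = [
    {"_time": f"2026-03-14 02:{10 + i:02d}:00", "src_ip": "192.168.1.45",
     "dest_ip": f"192.168.10.{10 + i}", "dest_port": 445} for i in range(16)
] + [
    {"_time": f"2026-03-14 09:3{i}:00", "src_ip": "192.168.1.77",
     "dest_ip": f"192.168.10.{50 + i}", "dest_port": 445} for i in range(3)
]

def smb_fanout(events, threshold=15, window=timedelta(minutes=30)):
    """Flag any source that opens SMB (port 445) connections to at least `threshold`
    distinct destinations inside a sliding `window` (the 15+ in 30 minutes above)."""
    by_src = {}
    for e in events:
        if e["dest_port"] == 445:
            by_src.setdefault(e["src_ip"], []).append((parse_time(e["_time"]), e["dest_ip"]))
    alerts = []
    for src, conns in by_src.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):
            dests = {d for t, d in conns[i:] if t - t0 <= window}
            if len(dests) >= threshold:
                alerts.append({"src_ip": src, "distinct_dests": len(dests),
                               "window_start": t0.isoformat()})
                break  # one alert per source is enough for triage
    return alerts
```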
Verification Checkpoint 2:
● [ ] Cross-reference file hashes with VirusTotal API (minimum 3+ engines
confirming malicious)
● [ ] Validate MITRE ATT&CK mapping against observed behaviors (minimum 5
techniques identified)
● [ ] Confirm behavioral anomalies exceed baseline by 3 standard deviations
3. Documentation and Reporting