WeDoPlants Lab 001: Lab setup and preparations

Purpose:

Create a persistent simulation lab environment. It will expand and grow, like a real small company might, introducing new opportunities for practice.

  • Practice setting up a virtual machine in VMware Workstation: learn the setup settings and VM version control (snapshots)
  • Practice Windows user account setup, system settings and command prompt commands; learn the lab setup and preparation steps
  • Practice documenting both the lab and the scenario IR triage
  • Determine knowledge gaps, record findings, and create a lab environment that can be built on later

Lab specs: VMware Workstation Pro
VM: Windows 11 Home 25H2, 8GB RAM, 64GB HDD, CD/DVD (SATA), Network adapter (Host-only), connect on power up (for now), USB controller 3.2 (present), Sound card (Auto-detect), Display (Auto-detect), TPM (present)

Lab Setting:
A small startup LLC (WeDoPlants), with a VERY small budget and a college student sysadmin. WeDoPlants, LLC is a group of plant-lovers who sell their whimsical plant creations at local farmers' markets and craft shows. They use laptops to engage with social media, create marketing materials, and design their products. There are no IT policies, no compliance audits, and no formal procedures or documentation. The admin was hired to “help out with computers”. There is no EDR/SIEM; the sysadmin is a college student who is learning the basics of cybersecurity, networking, DFIR and GRC. Budget: $0 and duct tape. Tools: whatever is built into Windows and whatever open-source software she can find. There is no office; everyone works from home.

Admin – me
User 1 – Miss Moneybags (accounting)
User 2 – tbd
User 3 – tbd

Scenario:
11/30/2025 10:20am: Miss Moneybags from accounting texted: “OMG!! My laptop is running weird. I think I’m hacked!! Can you help me???” Miss Moneybags is WFH today, so I called to ask her for more information about the issue:


Symptoms:

  • laptop is running slower than normal at certain times
  • a “weird black box” pops up and disappears when she logs on
  • browser once opened to a weird page she didn’t recognize
  • browsing is sluggish at random intervals
  • laptop’s fan runs loud occasionally while she is not working on it
  • no one else has used the laptop besides her
  • she “didn’t click on any suspicious emails or links/popups, absolutely not!”

I tell her I’ll be there soon, ask her to leave the computer running and, if possible, not to use it for the time being.

Notes:

  • Clean VMware VM, Windows 11 x64 .iso, selected the Windows 11 Home edition.
  • A TPM password (the VM encryption password VMware requires before it will add a virtual TPM) is required with this .iso installation; be sure to write down the password, as otherwise you won’t be able to do certain higher-level things during the investigation. Can this be bypassed?
    • Yes, but for this lab I’m keeping everything as simple as possible.
  • No Microsoft account login (keeping this very simplistic for now); will create one for future labs.
  • Created the local account “Miss Moneybags”.
  • Left the default Windows settings on.
  • Took a clean snapshot of the system.

Next step: planting artifacts for me to find, something that could be used to quickly determine whether a machine has a potential malware presence, identifying IOCs (indicators of compromise), and documenting my findings. No actual malware will be used. Dual purpose: learn basic cmd/PowerShell commands, Windows Event Logs, and persistence indicators.
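As an added example (not part of the original lab notes), the script below does two of the things the notes describe, the local account creation and the clean-state documentation, and prepares for the next step: it captures a baseline of the usual autostart locations (Run/RunOnce keys, non-Microsoft scheduled tasks, services, Startup folder entries, local users) into a JSON file, so that whatever is planted later can be diffed against the clean snapshot instead of eyeballed. It assumes an elevated PowerShell 5.1+ session on the Windows 11 Home VM; the baseline file path, the password prompt and the function names are my choices, not the lab author's.

```powershell
#Requires -RunAsAdministrator
# Added example for the WeDoPlants lab, not code from the original notes.
# Assumes: fresh Windows 11 Home VM, elevated PowerShell session, built-in cmdlets only.

# Step 1: create the lab user as a standard (non-admin) local account.
# The password is prompted for rather than hardcoded (never put credentials in scripts).
$UserName = 'Miss Moneybags'
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    $Pw = Read-Host -AsSecureString "Password for $UserName"
    New-LocalUser -Name $UserName -Password $Pw -FullName 'Miss Moneybags (accounting)' `
        -Description 'WeDoPlants accounting laptop user' | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $UserName   # Users, not Administrators
}

# Step 2: collect the common persistence/autostart locations as uniform records.
function Get-PersistenceBaseline {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',      # HKCU = the account running this script
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $autoruns = foreach ($k in $runKeys) {
        if (Test-Path $k) {
            $props = Get-ItemProperty -Path $k
            foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
                [pscustomobject]@{ Type = 'RunKey'; Name = "$k\$($p.Name)"; Value = [string]$p.Value }
            }
        }
    }
    # Scheduled tasks outside \Microsoft\ are the ones a small business (or an attacker) adds.
    $tasks = Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        [pscustomobject]@{
            Type  = 'ScheduledTask'
            Name  = "$($_.TaskPath)$($_.TaskName)"
            Value = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        }
    }
    $services = Get-CimInstance Win32_Service | ForEach-Object {
        [pscustomobject]@{ Type = 'Service'; Name = $_.Name; Value = $_.PathName }
    }
    $startup = Get-CimInstance Win32_StartupCommand | ForEach-Object {
        [pscustomobject]@{ Type = 'StartupFolder'; Name = "$($_.Location)\$($_.Name)"; Value = $_.Command }
    }
    $users = Get-LocalUser | ForEach-Object {
        [pscustomobject]@{ Type = 'LocalUser'; Name = $_.Name; Value = "Enabled=$($_.Enabled)" }
    }
    return @($autoruns) + @($tasks) + @($services) + @($startup) + @($users)
}

# Step 3: diff a later capture against the saved baseline.
# Records marked "=>" exist only now (new since the clean snapshot) and are candidate IOCs;
# "<=" records were present at baseline but are gone (removed or tampered with).
function Compare-PersistenceBaseline {
    param([Parameter(Mandatory)][string]$BaselinePath)
    $old = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $new = Get-PersistenceBaseline
    Compare-Object -ReferenceObject $old -DifferenceObject $new -Property Type, Name, Value |
        Sort-Object SideIndicator, Type, Name
}

# Write the clean baseline next to the snapshot you just took (path is an assumption).
$BaselineFile = "$env:USERPROFILE\Desktop\WeDoPlants-baseline-$(Get-Date -Format 'yyyyMMdd-HHmm').json"
Get-PersistenceBaseline | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselineFile -Encoding UTF8
Write-Host "Baseline written to $BaselineFile"
# Later, after planting artifacts:  Compare-PersistenceBaseline -BaselinePath $BaselineFile
```

Two caveats worth recording in the lab documentation: the HKCU Run keys captured here belong to whichever account runs the script (the admin, when elevated), so Miss Moneybags's own user hive has to be captured from her session or by loading her NTUSER.DAT separately; and the baseline file itself should be copied off the VM (or into a snapshot) before artifacts are planted, since anything that can plant persistence can also edit a JSON file on the Desktop.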