
Question

Create a diagram that depicts the following scenario where Springfield Power Plant’s network has been breached by an attacker. or other software may be used to create the diagram:

  1. An attacker sends a spear phishing message with the subject “Free Donuts in Cafeteria at Noon: Details in Attachment” containing a malicious Microsoft Word attachment to Homer Simpson, who opens the attachment and enables macros when prompted to view the sweet, sweet donut details. (mmmmmmmm….donuts)

     1) Once opened, a macro is executed which runs a PowerShell command that establishes a command and control (C2) channel to a domain which ultimately resolves to a machine controlled by the attacker (Frank Grimes) in Amazon’s EC2 cloud.
     2) Frank Grimes escalates his privileges on Homer Simpson’s computer (HS-CRBNBLB, 172.16.22.4) to gain administrative access and extracts password hashes using Mimikatz.
     3) Frank Grimes then uses the shared local administrator password obtained from Homer Simpson’s computer to move laterally on the network to Wayland Smithers’ computer (WS-ULLMAN, 192.168.58.41).
     4) Wayland Smithers’ computer contains an unprotected SSH private key file for an SSH jump box that grants access to the SCADA systems network within the power plant.
     5) Using those passwords, Frank Grimes authenticates using PuTTY to the jump box (SCRATCHY, 10.253.65.85) and then uses Nmap to scan the SCADA network (1.1.0.0/23) for open port TCP/666, which controls the reactor.
     6) Frank identifies open port TCP/666 and connects to the reactor (BLINKY-90, 1.1.1.230) over Telnet without a password required.
     7) Frank then places malware on the system designed to alter the core temperature of the reactor in the next 30 days.

Defensive Controls Mapping

  1. Note for each step which defensive toolset or process would be used to help mitigate and detect what Frank Grimes has been able to successfully do as an attacker.
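
One way to detect the jump-box port sweep and the follow-on session to the reactor from network flow records, shown as an added example that is not part of the original question or its answer. The flow-record layout, the sample records and the five-host sweep threshold are assumptions; the addresses come from the scenario.

```python
import ipaddress
from collections import defaultdict

SCADA_NET = ipaddress.ip_network("1.1.0.0/23")  # SCADA range from the scenario
JUMP_BOX = "10.253.65.85"                       # SCRATCHY, the only expected source
SWEEP_HOSTS = 5  # assumed threshold: distinct SCADA hosts contacted on one port

def constructed_flows():
    """Constructed sample flow records: (src, dst, dst_port, established)."""
    flows = [(JUMP_BOX, f"1.1.1.{h}", 666, False) for h in range(225, 230)]
    flows += [
        (JUMP_BOX, "1.1.1.230", 666, True),           # probe answered by BLINKY-90
        (JUMP_BOX, "1.1.1.230", 666, True),           # follow-up session, same port
        (JUMP_BOX, "1.1.0.10", 22, True),             # single admin session, no sweep
        ("192.168.58.41", "1.1.1.230", 666, False),   # workstation bypassing jump box
        ("192.168.58.41", "172.16.22.4", 445, True),  # not SCADA-bound, ignored here
    ]
    return flows

def detect(flows):
    """Return a sorted list of (rule, src, detail) alerts for SCADA-bound traffic."""
    targets = defaultdict(set)   # (src, port) -> distinct SCADA hosts contacted
    sessions = defaultdict(set)  # (src, port) -> SCADA hosts with established sessions
    alerts = set()
    for src, dst, port, established in flows:
        if ipaddress.ip_address(dst) not in SCADA_NET:
            continue
        if src != JUMP_BOX:
            # Segmentation check: only the jump box should reach the SCADA range.
            alerts.add(("unexpected-source", src, f"{dst}:{port}"))
        targets[(src, port)].add(dst)
        if established:
            sessions[(src, port)].add(dst)
    for (src, port), hosts in targets.items():
        if len(hosts) >= SWEEP_HOSTS:
            alerts.add(("port-sweep", src, f"{len(hosts)} hosts on tcp/{port}"))
            # Correlate: a session on the swept port means the sweep found a service.
            for dst in sessions[(src, port)]:
                alerts.add(("sweep-then-session", src, f"{dst}:{port}"))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(constructed_flows()):
        print(alert)
```
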

Step by Step Solution


Step: 1

1. Demilitarized zones (DMZ) can be used to block the unwanted traffic. It ...
