TestDrive

Wear A Hat As A Victim: Lab Instruction

In this section, you will go through the lab and experience the attack as a victim.


This attack is a phishing email whose Word attachment carries a macro that, once enabled, deploys ransomware on the victim's machine.

1. Brief Overview

  1. Start Outlook without an email account (the "Outlook No Account" shortcut on the desktop).
  2. Go to File, Open & Export, Import/Export, then choose Import from another program or file.
  3. Import the Outlook Data File (.pst) named Carter.Hale located in C:\Users\Public\Desktop\
    • Note: Be sure to import the .pst file from this exact location.
  4. Open the Word document attached to the email from Jeremy Jones ([email protected]).

2. Open Outlook

On the desktop, double click the shortcut named "Outlook No Account" to launch Outlook.

3. Click on the File tab

After Outlook is launched, click on the File tab in the Outlook window.

4. Import/Export

Select Open & Export, then select Import/Export.

5. Import from another program or file

Select Import from another program or file, then click Next.

6. Select Outlook Data File

Select Outlook Data File (.pst)

Click Next

7. Click on Browse

Note: Don't click anywhere other than Browse

Click on Browse...

8. Type in the Windows explorer browser

Type in the Windows explorer browser:

C:\Users\Public\Desktop\

Note: It is important that you type the exact location.

Tip: If you are using Horizon client (not browser), you can copy/paste this location from this guide to TestDrive user experience environment.

Select Carter.Hale (this is the Outlook .pst file).

Click on Open

9. Select the Outlook pst File

Note: Verify that the file you are importing is Carter.Hale.pst and not some other .pst file.

Click on Next

10. Confirm Selection

Click on Finish

11. Open Attachment

Click on Inbox

Open the most recent email from Jeremy Jones (Note: The date and time may differ from your local date and time)

12. Enable Editing

Optional: Read the email from Jeremy Jones ([email protected])

Click the Word document attachment to open it.

Click on Enable Editing. This only takes the document out of Protected View; no macro runs yet.

13. Enable Content

Click on Enable Content. This is the step that allows the document's macro to run, and it is the point at which the victim's machine is compromised.

14. Open README file

You will see Google Chrome and Notepad open automatically, and a file called README.27xxxxx is created on the desktop (the download takes a moment, so you may need to wait about a minute). The user's files have now been encrypted.

Open README.XXXXXXX
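The decision point in this lab is step 13: clicking Enable Content runs whatever VBA is embedded in the attachment. The check below, an added example written for this page and not part of the TestDrive lab material, shows how to tell whether a Word attachment carries a VBA project without opening it in Word: a modern Word file is a zip container, a macro-enabled one contains word/vbaProject.bin and declares the macroEnabled main content type in [Content_Types].xml. The sample documents it builds in memory are constructed here for demonstration; the Carter.Hale lab attachment is not reproduced.

```python
"""Static triage of a Word attachment before clicking "Enable Content".

Added example for this lab, not TestDrive's own code. It never launches Word;
it reads the OOXML zip container and reports whether a VBA project is present.
make_sample() builds constructed sample documents so the check runs offline.
"""
import io
import zipfile

# Main-part content types declared in [Content_Types].xml
MACRO_DOC_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_DOC_TYPE = ("application/vnd.openxmlformats-officedocument."
                  "wordprocessingml.document.main+xml")
VBA_PART = "word/vbaProject.bin"  # where Word stores the VBA project (OLE2 stream)


def triage_word_attachment(data: bytes) -> dict:
    """Inspect raw .docx/.docm bytes and return macro-related findings."""
    findings = {"is_ooxml": False, "has_vba_project": False,
                "macro_enabled_content_type": False, "parts": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Legacy OLE2 .doc or not a Word file at all; needs a different parser
        return findings
    names = zf.namelist()
    findings["parts"] = names
    findings["is_ooxml"] = "[Content_Types].xml" in names
    # Check the part list, not the file extension: a renamed .docx still
    # carries vbaProject.bin if a VBA project was saved into it.
    findings["has_vba_project"] = VBA_PART in names
    if findings["is_ooxml"]:
        ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        findings["macro_enabled_content_type"] = MACRO_DOC_TYPE in ctypes
    return findings


def verdict(findings: dict) -> str:
    """Collapse findings into one label a helpdesk or SOC triage step can act on."""
    if not findings["is_ooxml"]:
        return "not-ooxml"
    if findings["has_vba_project"] or findings["macro_enabled_content_type"]:
        return "macro-enabled"
    return "no-macros"


def make_sample(with_macro: bool) -> bytes:
    """Build a minimal OOXML container in memory (constructed sample data)."""
    main_type = MACRO_DOC_TYPE if with_macro else PLAIN_DOC_TYPE
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        '</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes starting with the OLE2 magic; a real
            # vbaProject.bin is a full compound file holding the VBA streams.
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("macro sample", make_sample(True)),
                        ("plain sample", make_sample(False)),
                        ("not a zip", b"this is not a Word file")):
        print(f"{label}: {verdict(triage_word_attachment(blob))}")
```

Run it against a saved copy of the attachment (open the file in binary mode and pass the bytes) before deciding whether Enable Content is safe; a "macro-enabled" verdict on a document you were not expecting macros from is the signal to stop and hand the file to the SOC rather than click through. For legacy .doc files, which are OLE2 rather than zip containers, this check returns "not-ooxml" and a tool that parses OLE2 is needed instead.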
