We test Corax against real-world infrastructure failures across a broad range of vendors, platforms, and failure modes. Browse the results below.
A critical scheduled task that triggers a chain of dependent tasks fails silently. The initial task (database export) fails due to credential expiry, causing downstream tasks (report generation, file transfer, client notification) to all fail in sequence.
The WSUS server fails to synchronize with Microsoft Update for 14 days because its SUSDB metadata database is corrupt. All managed workstations and servers are missing critical security patches, creating a significant vulnerability window.
The Windows DNS server's conditional forwarder for a partner domain stops resolving after the partner changes their DNS server IPs. All lookups for the partner domain fail, breaking the federated application integration.
The Local Security Authority Subsystem Service (LSASS) on a domain controller develops a memory leak after a security update, consuming increasing amounts of RAM until the server becomes unresponsive. Authentication requests fail as memory pressure increases.
The RDP certificate on a critical terminal server has expired. Users whose clients are set to warn on server authentication failures see certificate warnings; clients whose Group Policy sets server authentication to 'Do not connect if authentication fails' are refused outright, so remote desktop access to the server is effectively lost.
A Windows Defender signature update incorrectly identifies a critical production DLL as malware and quarantines it. The affected application fails to start, impacting all users of the ERP system.
The IIS application pool for a critical internal web application enters a crash loop after a .NET runtime update. The worker process (w3wp.exe) crashes within seconds of starting, and IIS rapid-fail protection disables the pool after 5 crashes in 5 minutes.
A 3-node Windows Server Failover Cluster loses quorum when two nodes simultaneously fail due to a shared storage controller issue. The remaining node cannot form quorum alone (dynamic quorum rebalances votes across sequential node losses, not a simultaneous loss of two of three), and all clustered services go offline including SQL Server Always On Availability Groups.
A production Windows Server experiences repeated Blue Screen of Death (BSOD) crashes with the IRQL_NOT_LESS_OR_EQUAL stop code, generating kernel memory dumps. The server crashes every 10-15 minutes after boot, caused by a faulty network driver update.
A Windows update (KB5034441) fails to install on a production file server, leaving it in a crash loop: the server continuously reboots attempting to apply the update and never reaches a healthy state, so all SMB shares are offline.
An attacker deploys cryptocurrency mining malware on 5 production servers after exploiting an unpatched vulnerability in a web management interface. The miners consume 90%+ CPU across all affected servers, causing severe performance degradation for production workloads. The miners resolve their pool domains over DNS-over-HTTPS, so the lookups never reach the organization's resolvers or its DNS monitoring.
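One detection a practitioner would want for the DNS-over-HTTPS angle above: production servers should resolve names only through the organization's internal resolvers, so a server opening TLS sessions to a public DoH endpoint stands out. The example below is added here and is not Corax code; the flow records, the internal resolver addresses and the host addresses are constructed, while the public resolver IPs and SNI names are the well-known Cloudflare, Google and Quad9 endpoints.

```python
"""Flag internal servers that talk TLS to public DNS-over-HTTPS resolvers.

Added example, not Corax code. Servers are expected to resolve names only
through the organization's internal resolvers, so a production host opening
TLS sessions to a public DoH endpoint is a signal worth investigating.
"""
import json
from collections import defaultdict
from dataclasses import dataclass

# Well-known public DoH resolvers: addresses and the TLS SNI names they serve.
KNOWN_DOH_IPS = {
    "1.1.1.1", "1.0.0.1",            # Cloudflare
    "8.8.8.8", "8.8.4.4",            # Google
    "9.9.9.9", "149.112.112.112",    # Quad9
}
KNOWN_DOH_SNI = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}

# Constructed: the organization's internal resolvers (hypothetical addresses).
INTERNAL_RESOLVERS = {"10.0.0.53", "10.0.1.53"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str      # "tcp" or "udp"
    sni: str = ""   # TLS SNI, if the sensor recorded it


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow line: 'src dst dport proto [sni]'."""
    parts = line.split()
    sni = parts[4] if len(parts) > 4 else ""
    return Flow(parts[0], parts[1], int(parts[2]), parts[3], sni)


def is_doh(flow: Flow) -> bool:
    """TLS on 443 to a known public DoH resolver address or SNI name."""
    if flow.proto != "tcp" or flow.dport != 443:
        return False
    return flow.dst in KNOWN_DOH_IPS or flow.sni in KNOWN_DOH_SNI


def find_doh_hosts(lines):
    """Return {host: {'doh_flows': n, 'internal_dns_flows': n}} for hosts using DoH.

    A host that uses DoH and never queries the internal resolvers matches the
    'hide the lookups from DNS monitoring' pattern most closely.
    """
    stats = defaultdict(lambda: {"doh_flows": 0, "internal_dns_flows": 0})
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        f = parse_flow(line)
        if is_doh(f):
            stats[f.src]["doh_flows"] += 1
        elif f.dport == 53 and f.dst in INTERNAL_RESOLVERS:
            stats[f.src]["internal_dns_flows"] += 1
    return {host: s for host, s in stats.items() if s["doh_flows"] > 0}


# Constructed flow records: 10.20.0.11 behaves normally, .12 uses DoH only,
# .13 mixes DoH with internal DNS.
SAMPLE_FLOWS = """\
# src           dst              dport proto  sni
10.20.0.11      10.0.0.53        53    udp
10.20.0.11      203.0.113.10     443   tcp    www.example.com
10.20.0.12      1.1.1.1          443   tcp    cloudflare-dns.com
10.20.0.12      1.1.1.1          443   tcp    cloudflare-dns.com
10.20.0.12      198.51.100.7     443   tcp
10.20.0.13      8.8.8.8          443   tcp    dns.google
10.20.0.13      10.0.0.53        53    udp
"""

if __name__ == "__main__":
    print(json.dumps(find_doh_hosts(SAMPLE_FLOWS.splitlines()), indent=2))
```

The address and SNI lists only catch the public resolvers; a miner pointed at an attacker-run DoH endpoint is better caught by the second signal the function records, a server whose internal DNS traffic drops to zero while its HTTPS traffic continues.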
A senior database administrator who submitted their resignation 2 weeks ago is systematically exfiltrating customer data. The DBA is running bulk SELECT queries during off-hours, compressing the results, and uploading them to a personal cloud storage account via HTTPS. DLP sensors detect the anomalous data transfer patterns.
A zero-day remote code execution vulnerability in the Apache Struts framework is being actively exploited against the organization's public-facing Java applications. The EDR detects suspicious process execution patterns consistent with the exploit. CISA has not yet issued an advisory but threat intel feeds show active exploitation in the wild.
A popular NPM package used across the organization's Node.js microservices is compromised via a maintainer account takeover. The malicious version exfiltrates environment variables (including database credentials and API keys) to an attacker-controlled endpoint. The compromised version was pulled in automatically during a routine CI/CD build; a floating semver range with no lockfile enforcement is enough for that to happen.
An attacker performs a SIM swap attack on the CEO's mobile carrier to intercept SMS-based MFA codes. Using previously phished credentials and the intercepted MFA codes, the attacker gains access to the CEO's email, financial systems, and wire transfer approval authority. The attacker initiates a fraudulent wire transfer for $2.4M.
An attacker with a low-privilege shell exploits a misconfigured sudoers entry that allows NOPASSWD execution of a text editor (vim). The attacker uses vim's shell escape (:!sh) to gain root access on 4 production servers. The misconfiguration was deployed via Ansible to all servers in the 'webservers' group.
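The check that would have caught this entry before Ansible pushed it is a sudoers audit: any NOPASSWD rule for a program with a known shell escape, granted without NOEXEC, is a root shell for everyone it covers. The audit below is an added example, not Corax code or an Ansible module; the rule set, group and user names are constructed to mirror the scenario, and the program list is the set of editors, pagers and interpreters commonly cited as giving an interactive shell under sudo.

```python
"""Audit sudoers rules for passwordless access to programs with shell escapes.

Added example, not Corax code. Handles line continuations, Cmnd_Alias
expansion and per-command tags; findings are dicts so they can be asserted
on or fed to an alerting pipeline.
"""
import os
import re

# Programs commonly cited as giving an interactive shell when run via sudo.
SHELL_ESCAPE_BINARIES = {
    "vim", "vi", "view", "vimdiff", "nano", "less", "more", "man",
    "awk", "gawk", "find", "perl", "python", "python3", "ed", "env",
}
# Tags that may prefix a command; a tag stays in force for later commands
# in the same list until its opposite is set.
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}
OPPOSITE = {"NOPASSWD": "PASSWD", "PASSWD": "NOPASSWD",
            "NOEXEC": "EXEC", "EXEC": "NOEXEC",
            "SETENV": "NOSETENV", "NOSETENV": "SETENV"}
SKIP_PREFIXES = ("Defaults", "User_Alias", "Host_Alias", "Runas_Alias", "@include")
RUNAS_RE = re.compile(r"^\([^)]*\)\s*")
TAG_RE = re.compile(r"^([A-Z_]+):\s*")


def _join_continuations(text):
    """Join lines ending in a backslash, as sudo's parser does."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf)
    return out


def _commands(spec, aliases):
    """Yield (tags, command) for each command in a user specification."""
    tags = set()
    for item in spec.split(","):
        item = RUNAS_RE.sub("", item.strip())          # drop a (runas) list
        while (m := TAG_RE.match(item)) and m.group(1) in TAGS:
            tag = m.group(1)
            tags.discard(OPPOSITE.get(tag, ""))
            tags.add(tag)
            item = item[m.end():]
        if not item:
            continue
        for cmd in aliases.get(item, [item]):          # expand Cmnd_Alias names
            yield frozenset(tags), cmd


def audit_sudoers(text):
    """Return NOPASSWD rules that hand out a root shell: ALL, or a
    shell-escape-capable program without NOEXEC."""
    aliases, findings = {}, []
    for line in _join_continuations(text):
        line = line.strip()
        if not line or line.startswith("#") or line.startswith(SKIP_PREFIXES):
            continue
        if line.startswith("Cmnd_Alias"):
            name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
            continue
        if "=" not in line:
            continue
        who, spec = line.split("=", 1)
        principal = who.split()[0]
        for tags, cmd in _commands(spec, aliases):
            if "NOPASSWD" not in tags:
                continue
            binary = cmd.split()[0]
            base = os.path.basename(binary)
            if binary == "ALL":
                findings.append({"principal": principal, "command": cmd,
                                 "reason": "unrestricted root without a password"})
            elif base in SHELL_ESCAPE_BINARIES and "NOEXEC" not in tags:
                findings.append({"principal": principal, "command": cmd,
                                 "reason": f"{base} can spawn a shell; add NOEXEC: or drop NOPASSWD:"})
    return findings


# Constructed rules; the %webadmins line is the Ansible-deployed misconfiguration.
SAMPLE_SUDOERS = """\
Defaults    env_reset
Cmnd_Alias  SERVICES = /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
root        ALL=(ALL:ALL) ALL
%webadmins  ALL=(ALL) NOPASSWD: /usr/bin/vim, SERVICES
deploy      ALL=(root) NOPASSWD: NOEXEC: /usr/bin/less /var/log/nginx/access.log
backup      ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/ /backup/
ops         ALL=(ALL) NOPASSWD: ALL
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

NOEXEC stops the exec() behind vim's :!sh, which is why the deploy entry is not flagged, but it only applies to dynamically linked programs and does nothing about an editor that can simply write to /etc/sudoers or /etc/shadow; the real fix for the webservers rule is to drop the editor from sudo altogether or restrict it with sudoedit.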
A distributed botnet launches a coordinated brute force SSH attack against the organization's public-facing servers: over 50,000 login attempts per hour from 2,000+ unique IP addresses, roughly 25 attempts per source per hour, low enough to stay under typical per-IP lockout thresholds. Several service accounts with weak passwords are compromised, and the attackers establish reverse shells on 3 servers.
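The arithmetic above is the detection problem: at about 25 attempts per source per hour, a per-IP rule in the style of fail2ban's default sshd jail (5 failures) never fires, so the counting has to be done per target account and host-wide. The example below is added here and is not Corax code; the log lines are constructed in OpenSSH's syslog format with invented hostnames, accounts and addresses, and the thresholds are illustrative.

```python
"""Detect a distributed SSH brute force that stays under per-source thresholds.

Added example, not Corax code. Counts failures per source, per target account
and across sources, and flags a successful password login for an account that
was already being attacked from several addresses.
"""
import re
from collections import Counter, defaultdict

SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

PER_IP_THRESHOLD = 5        # fail2ban's default maxretry for the sshd jail
PER_USER_THRESHOLD = 10     # failures against one account from any source
DISTINCT_IPS_THRESHOLD = 3  # distinct sources hammering one account


def parse_events(lines):
    """Yield (result, user, ip) for each sshd password authentication line."""
    for line in lines:
        m = SSHD_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("ip")


def analyse(lines):
    """Return per-IP alerts, per-account alerts and likely compromised logins."""
    fails_by_ip = Counter()
    fails_by_user = Counter()
    ips_by_user = defaultdict(set)
    compromised = []  # accepted password logins for accounts already under attack
    for result, user, ip in parse_events(lines):
        if result == "Failed":
            fails_by_ip[ip] += 1
            fails_by_user[user] += 1
            ips_by_user[user].add(ip)
        elif len(ips_by_user.get(user, ())) >= DISTINCT_IPS_THRESHOLD:
            compromised.append({"user": user, "ip": ip,
                                "prior_failures": fails_by_user[user],
                                "distinct_sources": len(ips_by_user[user])})
    per_ip = {ip: n for ip, n in fails_by_ip.items() if n >= PER_IP_THRESHOLD}
    per_user = {
        u: {"failures": n, "distinct_sources": len(ips_by_user[u])}
        for u, n in fails_by_user.items()
        if n >= PER_USER_THRESHOLD or len(ips_by_user[u]) >= DISTINCT_IPS_THRESHOLD
    }
    return {"per_ip": per_ip, "per_user": per_user,
            "compromised": compromised, "total_failures": sum(fails_by_ip.values())}


# Constructed sshd log: no source exceeds two failures, but svc_backup is
# tried from four addresses and the fourth one succeeds.
SAMPLE_LOG = """\
Mar 12 02:14:07 web01 sshd[2310]: Failed password for svc_backup from 203.0.113.45 port 51022 ssh2
Mar 12 02:14:09 web01 sshd[2311]: Failed password for invalid user admin from 198.51.100.9 port 40212 ssh2
Mar 12 02:14:12 web01 sshd[2312]: Failed password for svc_backup from 198.51.100.9 port 40213 ssh2
Mar 12 02:14:15 web01 sshd[2313]: Failed password for svc_backup from 192.0.2.200 port 60011 ssh2
Mar 12 02:14:20 web01 sshd[2314]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Mar 12 02:14:22 web01 sshd[2315]: Failed password for svc_deploy from 192.0.2.200 port 60012 ssh2
Mar 12 02:14:31 web01 sshd[2316]: Failed password for svc_backup from 203.0.113.77 port 51100 ssh2
Mar 12 02:14:40 web01 sshd[2319]: Accepted password for svc_backup from 203.0.113.77 port 51101 ssh2
Mar 12 02:15:01 web01 sshd[2320]: Accepted publickey for ops from 10.20.0.5 port 48812 ssh2: ED25519 SHA256:abc
"""

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG.splitlines())
    print("per-IP alerts:", result["per_ip"])
    print("per-account alerts:", result["per_user"])
    print("likely compromised:", result["compromised"])
```

On the sample the per-IP view is empty while the per-account view flags svc_backup and the accepted login from the fourth address is reported as a likely compromise; the publickey login for ops is ignored because the pattern only matches password authentication. In production the counters would be kept per time window rather than over the whole file.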
A Helm chart upgrade fails partway through due to a resource conflict, and the automatic rollback also fails because the previous release's CRDs are incompatible with the current cluster state. The release is stuck in a 'pending-rollback' state. Kubernetes resources are in a mixed state between the old and new versions.
An automated Kubernetes secret rotation job fails silently, leaving database credentials expired in 15 Kubernetes Secrets across 3 namespaces. Pods that restart or scale up pick up the expired credentials and cannot connect to databases. Running pods with cached credentials continue working until their connection pools recycle.
The Docker daemon on a production host becomes unresponsive due to a deadlock in the containerd shim layer. All container operations (start, stop, exec, logs) hang indefinitely. Running containers continue to operate but cannot be managed. New deployments and health checks fail.
Every scenario is tested against Corax's Neural Engine in a production environment with AI-powered root cause analysis.
Tests run continuously as new infrastructure patterns are added.