
Hands-On SOC Training Operations

SOCSimulator training operations are free, browser-based cybersecurity investigation exercises. Each operation places you inside a realistic SIEM, XDR, or Firewall console to practice alert triage, threat detection, and incident response against scenarios mapped to the MITRE ATT&CK framework.

15 operations | 119 tasks | 3 tool types (SIEM, XDR, Firewall)

Scattered Spider: Identity-First Attack Chain
Level: Advanced (PRO)

Investigate a high-sophistication intrusion by UNC3944 (Scattered Spider). This scenario simulates a multi-stage attack starting from social engineering and MFA fatigue, progressing through the exploitation of unmanaged edge devices, and culminating in a 'Bring Your Own Vulnerable Driver' (BYOVD) technique to blind kernel-level security agents. Analysts must correlate identity providers, cloud sign-ins, and deep endpoint forensics to reconstruct the timeline and identify the breakout speed of this financially motivated threat actor.

Tools: SIEM, XDR | Duration: 1h 30m | 102 pts | 10 tasks

Fake Zoom to Ransomware: The Social Engineering Pipeline
Level: Advanced

In this advanced SOC simulation, you will investigate a multi-stage intrusion that began with a drive-by download of a trojanized Zoom installer. The attack progressed through several stages of loader execution, including d3f@ckloader and IDAT loader, eventually leading to the deployment of high-end C2 frameworks like Cobalt Strike and Brute Ratel. You must trace the attacker's path from the initial web-based compromise, through lateral movement via RDP tunneling and proxy tools, to the final mass-deployment of BlackSuit ransomware via enterprise management software. This scenario is based on real-world 2025 threat intelligence and requires deep analysis of SIEM, XDR, and Firewall telemetry to reconstruct the full kill chain.

Tools: SIEM, XDR, Firewall | Duration: 2h | 100 pts | 10 tasks

Black Basta: Email Bomb to Encryption
Level: Advanced (PRO)

Investigate a sophisticated Ransomware-as-a-Service (RaaS) campaign involving Black Basta and Cactus TTPs. This scenario tracks a multi-stage attack from initial social engineering via Microsoft Teams and Quick Assist to advanced persistence using DLL side-loading in OneDrive. You will analyze how attackers move from identity-based initial access to full domain compromise and ESXi virtualization host encryption. The investigation requires correlating evidence across SIEM logs, XDR process trees, and firewall traffic to uncover hidden C2 channels and data exfiltration patterns occurring during off-hours.

Tools: SIEM, XDR, Firewall | Duration: 1h 30m | 102 pts | 10 tasks

Akira Ransomware: Full Kill Chain IR
Level: Advanced

The intrusion began with a search engine advertisement and ended with the deployment of Akira ransomware. This scenario covers the full 2025 threat landscape, emphasizing identity-based compromise, MFA bypass via AiTM kits, and rapid lateral movement toward Active Directory. Analysts must navigate a complex environment of Windows workstations, Domain Controllers, and Cisco VPN infrastructure to reconstruct the timeline from initial access to data exfiltration and final encryption.

Tools: SIEM, XDR, Firewall | Duration: 2h | 100 pts | 10 tasks

Edge Device Exploitation: VPN Zero-Day
Level: Intermediate

Investigate a sophisticated breach targeting edge security appliances. In this scenario, an advanced persistent threat (APT) actor leverages unauthenticated remote code execution vulnerabilities in SSL-VPN gateways to gain initial access. You will analyze SIEM logs, XDR process trees, and firewall traffic to identify the exploitation of CVE-2025-22457 and CVE-2024-21762, track the rapid 'breakout' to cloud environments, and uncover malware-free persistence mechanisms generated by AI-driven automation.

Tools: SIEM, XDR, Firewall | Duration: 45m | 50 pts | 8 tasks

Bumblebee to Akira: Search Engine Poisoning Pipeline
Level: Intermediate

Investigate a high-stakes 2025 intrusion where a simple search engine result led to a full-scale Akira ransomware deployment. This scenario tracks the transition from initial access via Bumblebee to post-exploitation via AdaptixC2, culminating in domain-wide encryption. You will analyze the browser-to-endpoint execution chain, identify lateral movement via administrative tools, and uncover the specific techniques used by the Howling Scorpius group to evade modern EDR solutions.

Tools: SIEM, XDR | Duration: 45m | 52 pts | 8 tasks

CI/CD Pipeline Hijack: GitHub Actions Compromise
Level: Intermediate

Investigate a sophisticated supply chain attack targeting GitHub Actions. A widely used utility, 'tj-actions/changed-files', has been compromised to exfiltrate secrets from CI/CD runner memory. You must analyze SIEM logs to trace the unauthorized access, identify the malicious payload execution, and determine the extent of the credential leakage. This scenario reflects real-world techniques used in the 2025 supply chain wave involving automated bot impersonation and double-encoded exfiltration.

Tools: SIEM | Duration: 45m | 51 pts | 8 tasks

Cloud Token Theft: Identity Under Siege
Level: Intermediate

Analyze a sophisticated attack targeting Azure Blob Storage and Entra ID. This scenario covers the transition from initial OAuth phishing to token replay and persistent cloud access. You will investigate impossible travel alerts, rogue application consent, and unauthorized storage enumeration using real-world cloud telemetry.

Tools: SIEM | Duration: 45m | 50 pts | 8 tasks

Kerberoasting: Service Ticket to Domain Admin
Level: Intermediate

In this scenario, you will investigate a high-speed identity-based attack. Starting from an edge device exploitation, an adversary moves laterally to a domain-joined workstation and targets Active Directory. You must analyze SIEM logs for Kerberos ticket anomalies (RC4 encryption), correlate XDR process trees for Impacket usage, and identify the 'malware-free' techniques used to escalate privileges to Domain Admin.

Tools: SIEM, XDR | Duration: 45m | 48 pts | 8 tasks

Evilginx AiTM: Session Cookie Hijack
Level: Intermediate

In this scenario, you will investigate a sophisticated Adversary-in-the-Middle (AitM) attack targeting a finance employee. You'll analyze cloud sign-in logs, proxy traffic, and XDR telemetry to identify session cookie theft, token replay, and post-compromise persistence. This lab focuses on the Tycoon 2FA PhaaS kit and its ability to bypass MFA by proxying live authentication sessions.

Tools: SIEM, XDR | Duration: 45m | 50 pts | 8 tasks

Cobalt Strike: Beacon Detection
Level: Intermediate

In this scenario, a sophisticated threat actor has gained a foothold in a corporate environment. You will serve as a SOC Analyst tasked with identifying the initial infection vector, tracing lateral movement, and uncovering the final objectives of the intrusion. This room focuses on detecting Cobalt Strike malleable C2 profiles, process injection patterns, and the deployment of LockBit ransomware. You will utilize SIEM logs and XDR telemetry to reconstruct the attack timeline and identify critical Indicators of Compromise (IOCs).

Tools: SIEM, XDR | Duration: 1h | 50 pts | 8 tasks

MFA Fatigue: The Notification Flood
Level: Beginner

In this guided walkthrough, you will step into the shoes of a SOC analyst investigating a modern identity-based attack. The threat landscape in 2025 has shifted: adversaries are no longer just 'breaking in'—they are logging in. You will analyze real-time identity signals, correlate disparate log sources across a hybrid cloud environment, and identify the markers of an MFA fatigue attack used by the FlowerStorm phishing kit. This scenario highlights the critical importance of behavioral analysis over simple IOC matching in an era of malware-free intrusions and compromised human identities.

Tools: SIEM, XDR | Duration: 30m | 50 pts | 6 tasks

QR Code Phishing: Scan to Compromise
Level: Beginner

In this scenario, you will investigate a modern 'Quishing' (QR Phishing) attack that bypassed traditional email filters. You will analyze how attackers exploit complex mail routing and misconfigured spoofing protections to deliver malicious lures that appear to originate from within the organization. Your investigation will cover the initial delivery, the bypass of security controls, and the subsequent unauthorized access following a successful credential harvest via a Tycoon2FA intermediary page.

Tools: SIEM | Duration: 30m | 50 pts | 6 tasks

Credential Harvesting: The Lookalike Login
Level: Beginner

Investigate a sophisticated Tycoon2FA phishing campaign that successfully bypassed standard email security filters. You will analyze Microsoft 365 email headers, identify domain spoofing techniques using 'Reason 905' indicators, and trace the redirection chain to a phishing-as-a-service (PhaaS) landing page. This scenario provides foundational skills for SOC analysts in identifying advanced credential harvesting infrastructure.

Tools: SIEM | Duration: 30m | 50 pts | 6 tasks

ClickFix: The Fake CAPTCHA Trap
Level: Beginner

The ClickFix social engineering technique uses dialogue boxes containing fake error messages to trick victims into copying, pasting, and running malicious content. In this scenario, a user was targeted with a 'Verify You Are Human' CAPTCHA check that led to a significant endpoint compromise. You will analyze the 'paste-and-run' execution chain, investigate PowerShell activity initiated via the Windows Run dialog, and identify the deployment of an information stealer.

Tools: SIEM, XDR | Duration: 30m | 40 pts | 5 tasks


Start Training — Free Forever

Create your free account and start investigating real-world attack scenarios. No credit card required. Track your progress, earn points, and build job-ready SOC analyst skills.
