
AWS IAM Key Abuse: From Leak to Takeover
An investigation into a sophisticated cloud-native attack where exposed IAM credentials led to serverless exploitation, lateral movement via SSH key injection, and large-scale data exfiltration. You will analyze CloudTrail logs, VPC Flow logs, and GuardDuty alerts to trace the attacker's path from a leaked .env file to a full environment takeover.
Requires a Pro subscription.
Investigation Tasks
Complete each task by investigating alerts and submitting your findings.
Identify the Source of Suspicious External Communication
(15 points) On 2025-05-06T09:21:27.283Z, an alert fired indicating a high volume of traffic directed toward the known C2 infrastructure domain1.com. Investigate the perimeter logs to determine which internal host initiated this connection for user m.chen.
Tracing the Gateway: Identifying the Log Source
(35 points) During the investigation of user m.chen's activity, a suspicious connection to domain1.com was flagged. Determine which architectural component or log source captured this specific event, so that the integrity of the recorded traffic flow can be verified.
Investigating C2 Traffic Persistence
(50 points) After m.chen's workstation was compromised, telemetry indicates a connection attempt to known C2 infrastructure. Review the network logs to determine whether the perimeter security control blocked this connection or allowed the traffic to pass through.
Identifying the Authoritative Log Source
(50 points) During the investigation of the connection to domain1.com, we need to verify which telemetry provider captured the initial event. Examine the SIEM logs for user m.chen to determine the exact log source that recorded this security event.
Identifying C2 Network Communication
(35 points) During the investigation of user m.chen's activity on 2025-05-03T15:24:55.566Z, we observed suspicious outbound traffic. Determine how the attacker's infrastructure is receiving data from our internal network.
Identifying Exfiltrated Configuration Artifacts
(50 points) After establishing a connection to domain1.com, the adversary appears to have searched for sensitive local environment variables and credentials. Examine the telemetry associated with m.chen's activity to determine which specific file was accessed during this phase of the breach.
Investigating Suspicious Process Execution
(50 points) During a routine audit of user m.chen's activity, a suspicious outbound connection was flagged. Analyze the execution chain in the XDR panel to determine which system process served as the primary shell used to launch the connection.
Identifying Process Creation Event IDs
(50 points) Evidence suggests that the attacker established a connection to domain1.com shortly after a new process was spawned on the workstation. Investigate the raw logs to determine the standard security event identifier that recorded this process creation activity.
8 tasks · 335 points total
Skills You'll Build
Requires foundational alert triage skills. Multiple data sources to correlate.
Prerequisites
- Basic understanding of security alerts
- Familiarity with SIEM concepts