Advanced · SIEM · XDR · Firewall · Pro

Black Basta: Email Bomb to Encryption

Investigate a Black Basta-style ransomware intrusion that begins with email bombing and Microsoft Teams impersonation, escalates through Quick Assist remote control, establishes BackConnect-style command and control through OneDrive DLL side-loading, exfiltrates data with WinSCP, and ends in ransomware encryption. Correlate SIEM, XDR, and firewall telemetry carefully: external C2 IPs identify adversary infrastructure, while internal srcIp values identify compromised hosts. Note: there is no separate email console in this operation - all mail-gateway telemetry for the email-bombing wave lives in the SIEM logs (source: email-gateway), alongside Windows, IDS, EDR, and Azure AD events.

1h 35m · 10 tasks · 150 points · Pro

Investigation Tasks

Complete each task by investigating alerts and submitting your findings.

1. Scope the Lateral Spread from the File Server (10 points)

Black Basta operators detonated their encryptor across the estate, and the compromised file server sits at the centre of the blast radius. Before you can contain, you need to know how far the operator reached from it. Working from the firewall record, determine the internal host the file server reached over server-to-server file-sharing traffic as the intrusion moved deeper into the network. Submit that destination host's IP.

2. Pinpoint the Internal Host Used to Stage Exfiltration (10 points)

Encryption is the last act; before it, the operators stole data. Telemetry shows a WinSCP SFTP session pushing an archive out to attacker-controlled infrastructure earlier in the intrusion. To understand which assets were exposed, identify the internal system that initiated that outbound transfer. Submit its IP.

3. Recover the Tunneling Tool the Operator Planted (10 points)

Moving between the file server and the rest of the estate took more than stolen credentials — the operator stood up a relay to tunnel traffic through a compromised host. Triage of the activity around the Quick Assist session points to a binary dropped to disk to proxy connections deeper into the network. Examine the process and file-system artifacts and submit the exact name of that file.

4. Attribute the Adversary's Command-and-Control Domain (10 points)

The same infrastructure that received the stolen archive was reachable from inside long before exfiltration — it traces back to the social-engineering lure that opened the intrusion, a Teams approach from an external Microsoft tenant impersonating IT support. Correlate the early external-tenant contact with the later beaconing and submit the external domain the operators used as their command-and-control and exfiltration channel.

5. Map the Adversary's External C2 Infrastructure (10 points)

With the control domain established, you need IP-level indicators to feed containment and threat intel. Early in the intrusion the firewall recorded a spike of outbound traffic from a compromised internal system to an external host that does not belong to any sanctioned service. Identify the external destination address the internal host was reaching out to and submit it.

6. Tie a C2 Callback Back to the Victim Workstation (10 points)

You now want to prove the command-and-control activity originated on the workstation where the remote-assist session ran, not somewhere downstream. Shortly after that session, the workstation began reaching out to attacker infrastructure. Examine the outbound activity from that host following the Quick Assist session and submit the external command-and-control IP it contacted.

7. Fingerprint the Side-Loaded Persistence DLL (10 points)

The callbacks you traced did not come from an obviously malicious process — they rode inside a signed, trusted updater. The operators achieved durable execution by placing a malicious library alongside that updater so it would be loaded in place of the legitimate one (DLL search-order hijack). On the victim workstation, identify the planted library that the OneDrive updater loaded and submit its cryptographic hash so it can be blocked fleet-wide.

8. Identify the Payload Binary at the End of the Quick Assist Chain (10 points)

The planted library could only load because a process the operators controlled invoked it. Reconstruct the execution chain that began when the analyst was talked through the Quick Assist session: it spawns a command interpreter that ultimately launches the binary which side-loads that library. Walk the process tree to its final payload and submit the cryptographic hash of that executable.

9. Locate the Source of the Stolen-Token Authentication (10 points)

Stepping back to how the operators first authenticated as the user: the social-engineering session let them harvest a session token, which they then replayed from their own infrastructure. The authentication telemetry early in the intrusion holds the external address behind that abuse. Inspect the early failed and anomalous logon activity and submit the external source network address tied to the credential/token replay.

10. Confirm Patient Zero: the Original Foothold (10 points)

Every thread you have pulled — the side-loaded library, the C2 callbacks, the stolen token — converges on a single endpoint: the workstation where an analyst was socially engineered into starting a Quick Assist session that handed the operators their first foothold. Close the investigation by identifying that originally compromised workstation from the network evidence and submit its internal IP so it can be isolated.

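The correlation that tasks 6 and 10 describe (find the host where Quick Assist handed control to a command interpreter, then look at that host's later outbound traffic) can be scripted. The following is an added example, not part of the operation's materials; the EDR and firewall records, the field names (srcIp, dstIp, image, parent), the internal ranges and the sanctioned-service allowlist are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry, not from the operation's data sets (timestamps ISO-8601 UTC).
EDR_EVENTS = [  # process-creation events from the XDR/EDR feed
    {"ts": "2024-05-02T09:14:02", "srcIp": "10.20.30.45", "image": "QuickAssist.exe", "parent": "explorer.exe"},
    {"ts": "2024-05-02T09:21:40", "srcIp": "10.20.30.45", "image": "cmd.exe", "parent": "QuickAssist.exe"},
    {"ts": "2024-05-02T09:30:11", "srcIp": "10.20.30.10", "image": "cmd.exe", "parent": "services.exe"},
]
FW_EVENTS = [  # outbound flow records from the firewall
    {"ts": "2024-05-02T08:55:00", "srcIp": "10.20.30.45", "dstIp": "198.51.100.20", "dstPort": 443},  # before session
    {"ts": "2024-05-02T09:23:05", "srcIp": "10.20.30.45", "dstIp": "203.0.113.77", "dstPort": 443},
    {"ts": "2024-05-02T09:23:35", "srcIp": "10.20.30.45", "dstIp": "203.0.113.77", "dstPort": 443},
    {"ts": "2024-05-02T09:24:10", "srcIp": "10.20.30.45", "dstIp": "10.20.30.10", "dstPort": 445},    # internal SMB
    {"ts": "2024-05-02T09:25:00", "srcIp": "10.20.30.45", "dstIp": "198.51.100.20", "dstPort": 443},  # sanctioned CDN
    {"ts": "2024-05-02T09:40:00", "srcIp": "10.20.30.10", "dstIp": "203.0.113.77", "dstPort": 443},   # other host
]
# Assumed corporate address space and known-good external services (constructed allowlist).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SANCTIONED = {"198.51.100.20"}
SHELLS = {"cmd.exe", "powershell.exe"}

def quick_assist_sessions(edr):
    """Return {srcIp: time QuickAssist.exe first spawned a command interpreter} per host."""
    sessions = {}
    for ev in sorted(edr, key=lambda e: e["ts"]):
        if ev["parent"].lower() == "quickassist.exe" and ev["image"].lower() in SHELLS:
            sessions.setdefault(ev["srcIp"], datetime.fromisoformat(ev["ts"]))
    return sessions

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def c2_candidates(edr, fw, sanctioned):
    """For each host with a Quick Assist shell, count later outbound flows to
    unsanctioned external destinations: internal srcIp = compromised host,
    external dstIp = candidate adversary infrastructure."""
    result = {}
    for src, t0 in quick_assist_sessions(edr).items():
        hits = defaultdict(int)
        for ev in fw:
            if ev["srcIp"] != src or datetime.fromisoformat(ev["ts"]) < t0:
                continue  # different host, or traffic before the remote-assist session
            if is_internal(ev["dstIp"]) or ev["dstIp"] in sanctioned:
                continue  # lateral/internal traffic or a known-good service
            hits[ev["dstIp"]] += 1
        result[src] = dict(hits)
    return result

if __name__ == "__main__":
    print(c2_candidates(EDR_EVENTS, FW_EVENTS, SANCTIONED))
```

Against the constructed data this yields a single compromised workstation and a single unsanctioned external destination; on real telemetry the same pass over the file server's srcIp (task 1) would surface the SMB destination instead.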

10 tasks · 100 points total

Skills You'll Build

  • Investigate realistic security alerts
  • SIEM log analysis
  • XDR log analysis
  • Firewall log analysis
  • MITRE ATT&CK® technique identification
  • Triage decisions: escalate, investigate, or close
  • Evidence collection and documentation
  • Job-ready incident response methodology
Advanced

Complex multi-stage investigations. Realistic noise, ambiguous indicators, lateral movement.

Prerequisites

  • Basic understanding of security alerts
  • Experience with log analysis tools
  • Familiarity with SIEM concepts
  • Familiarity with XDR concepts
  • Familiarity with Firewall concepts

More Operations

Beginner · SIEM

Credential Harvesting: The Lookalike Login

Investigate an adversary-in-the-middle (AiTM) credential phishing campaign that lured an employee to a lookalike Microsoft 365 login page. Working entirely from SIEM logs, you will identify the lookalike domain, reconstruct the multi-hop redirect chain through a compromised legitimate site, uncover a secondary phishing wave against another employee, and confirm account takeover in Azure AD sign-in logs via impossible travel and session-token replay. You finish by choosing the containment action that actually evicts an attacker holding a valid session token. Foundational skills for SOC analysts in lookalike-domain analysis and identity-centric incident response.

40m · 25 pts

Beginner · XDR · SIEM

Malicious npm Package: Postinstall Infostealer

A developer at a software company installs a typosquatted npm package. The package's postinstall hook silently reads environment variables, SSH keys, and cloud credentials from the user profile and POSTs them to an attacker endpoint before the terminal even finishes. Trace the process tree, the file reads, and the exfiltration traffic to reconstruct the full chain.

25m · 25 pts

Beginner · SIEM

QR Code Phishing: Scan to Compromise

In this scenario, you will investigate a modern 'Quishing' (QR phishing) attack that bypassed traditional email filters by hiding its payload inside an image. You will trace the full chain: a spoofed MFA-enrollment lure sent from purpose-built infrastructure, a redirect server that conceals the final destination, and an Evilginx-style adversary-in-the-middle page that stole an authenticated session cookie despite MFA. You will then follow the attacker's post-compromise moves — Graph API mailbox enumeration, SharePoint exfiltration, and a hidden inbox forwarding rule — and choose the containment action that actually evicts them.

30m · 25 pts