
Bumblebee to Akira: Search Engine Poisoning Pipeline
Investigate a high-stakes 2025 intrusion where a simple search engine result led to a full-scale Akira ransomware deployment. This scenario tracks the transition from initial access via Bumblebee to post-exploitation via AdaptixC2, culminating in domain-wide encryption. You will analyze the browser-to-endpoint execution chain, identify lateral movement via administrative tools, and uncover the specific techniques used by the Howling Scorpius group to evade modern EDR solutions.
Investigation Tasks
Complete each task by investigating alerts and submitting your findings.
Trace the SEO Ad to Its Callback Domain (5 points)
amanda.garcia's shift began with a click on a sponsored "Software Update" search result, and within seconds her browser started reaching out to an external host. Before anything was downloaded, this is the channel the operator used to stage delivery and later beacon back. Working in the SIEM and XDR timeline at the very start of the incident, determine the external domain the workstation contacted as the entry point of this intrusion.
Find What the Fake Update Page Actually Delivered (5 points)
Having established the callback domain that opened this intrusion, follow what arrived next on corp-wks-442. Shortly after the browser reached that host, a file landed in amanda.garcia's profile and was mounted as if it were a routine maintenance package — the classic SEO-poisoning lure. Using the XDR timeline's file-download and mount events in the opening minutes of the incident, identify the delivered artifact that kicked off execution.
Identify the Loader Run from the Mounted Image (10 points)
The mounted maintenance image you found did not run on its own — opening it triggered a hidden shortcut that handed control to a signed Windows utility, which in turn side-loaded the attacker's first-stage loader from a temporary directory. This is the Bumblebee step of the chain. Walk the execution tree spawned by the shell on corp-wks-442 and name the loader module that the LOLBin executed.
Fingerprint the First Dropped Executable (10 points)
Once the loader was resident, it dropped and ran a second-stage executable from amanda.garcia's Temp directory later the same day on corp-wks-442. To confirm scope and check the sample against threat intelligence, the team needs a durable identifier for that binary rather than just its generic name. Pivot to the process-creation events in the SIEM for that workstation and recover the file hash recorded for this first dropped payload.
Spot the Masqueraded File Dropped During Staging (5 points)
With code execution established on corp-wks-442, the operator began staging on disk. The next day, a file with an innocuous text extension was written into amanda.garcia's Temp folder and then launched as a process — an extension that does not match its behavior, a common masquerading trick. Review the XDR file-system artifacts and the SIEM process activity for this host and name the suspicious file created during this staging step.
Confirm a Second, Distinct Payload Variant (5 points)
The intrusion did not stop at one binary. A short time after the staging activity, the same Temp-folder execution pattern reappeared on corp-wks-442 — another run of a generically named executable under amanda.garcia's account. To prove this is a separate sample rather than a repeat of the earlier one, recover its file hash from the SIEM and compare it to the fingerprint you established earlier.
Attribute the Credential-Theft Activity to an Account (5 points)
As the intrusion matured, the telemetry shifts from amanda.garcia's browser-driven infection to deliberate, hands-on-keyboard tradecraft: a signed Windows utility abused to dump credential material from memory, service enumeration via PowerShell, and an outbound HTTPS POST back to the callback domain from the start of this case. These are not the workstation user's actions. Investigate the SIEM and determine which account was driving this credential-theft phase.
Isolate the Odd Binary in the Final Execution Burst (5 points)
In the closing stage of the intrusion, corp-wks-442 produced a dense burst of process executions. Almost all of them are legitimate Windows and office binaries — but one entry is an attacker-supplied program whose name fits no standard system or business application, the kind of oddly branded tool that rides in on SEO-poisoning campaigns. Review the XDR timeline for this final burst and identify the single non-standard executable that does not belong.
8 tasks · 50 points total
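The three Temp-folder tasks above (loader and dropped executable, masqueraded text file, second variant with a different hash) share one triage pattern: filter process-creation events to a user's Temp folder, flag images whose extension is not executable, and group same-named images by hash. The helper below is an added example written for this page, not the training platform's own tooling; the event records, paths and hash values are constructed sample data, not indicators from the scenario.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

EXEC_EXTS = {".exe", ".dll", ".com", ".scr"}

# Constructed sample process-creation events, shaped like a SIEM export.
# Hash values are placeholders, not real sample fingerprints.
EVENTS = [
    {"ts": "2025-03-10T09:01:12Z", "user": "amanda.garcia",
     "image": r"C:\Users\amanda.garcia\AppData\Local\Temp\update.exe", "sha256": "c0ffee01"},
    {"ts": "2025-03-11T10:22:40Z", "user": "amanda.garcia",
     "image": r"C:\Users\amanda.garcia\AppData\Local\Temp\readme.txt", "sha256": "c0ffee02"},
    {"ts": "2025-03-11T10:40:05Z", "user": "amanda.garcia",
     "image": r"C:\Users\amanda.garcia\AppData\Local\Temp\update.exe", "sha256": "c0ffee03"},
    {"ts": "2025-03-11T10:41:00Z", "user": "amanda.garcia",
     "image": r"C:\Windows\System32\notepad.exe", "sha256": "aa00bb11"},
]

def in_user_temp(image: str) -> bool:
    # Matches C:\Users\<user>\AppData\Local\Temp\... (any depth below Temp).
    parts = tuple(p.lower() for p in PureWindowsPath(image).parts)
    return len(parts) >= 7 and parts[1] == "users" and parts[3:6] == ("appdata", "local", "temp")

def is_masqueraded(image: str) -> bool:
    # A process whose image carries a non-executable extension (e.g. .txt) is masquerading.
    return PureWindowsPath(image).suffix.lower() not in EXEC_EXTS

def distinct_variants(events):
    # Image basename -> sorted hashes; more than one hash means distinct samples share a name.
    seen = defaultdict(set)
    for e in events:
        seen[PureWindowsPath(e["image"]).name.lower()].add(e["sha256"])
    return {name: sorted(hashes) for name, hashes in seen.items() if len(hashes) > 1}

def triage(events):
    temp = [e for e in events if in_user_temp(e["image"])]
    return {
        "temp_executions": [e["image"] for e in temp],
        "masqueraded": [e["image"] for e in temp if is_masqueraded(e["image"])],
        "variants": distinct_variants(temp),
    }

if __name__ == "__main__":
    for finding, value in triage(EVENTS).items():
        print(finding, value)
```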
Training Tools
Skills You'll Build
Requires foundational alert triage skills. Multiple data sources to correlate.
Prerequisites
- Basic understanding of security alerts
- Familiarity with SIEM concepts
- Familiarity with XDR concepts
More Operations
Credential Harvesting: The Lookalike Login
Investigate an adversary-in-the-middle (AiTM) credential phishing campaign that lured an employee to a lookalike Microsoft 365 login page. Working entirely from SIEM logs, you will identify the lookalike domain, reconstruct the multi-hop redirect chain through a compromised legitimate site, uncover a secondary phishing wave against another employee, and confirm account takeover in Azure AD sign-in logs via impossible travel and session-token replay. You finish by choosing the containment action that actually evicts an attacker holding a valid session token. Foundational skills for SOC analysts in lookalike-domain analysis and identity-centric incident response.
Malicious npm Package: Postinstall Infostealer
A developer at a software company installs a typosquatted npm package. The package's postinstall hook silently reads environment variables, SSH keys, and cloud credentials from the user profile and POSTs them to an attacker endpoint before the terminal even finishes. Trace the process tree, the file reads, and the exfiltration traffic to reconstruct the full chain.
QR Code Phishing: Scan to Compromise
In this scenario, you will investigate a modern 'Quishing' (QR phishing) attack that bypassed traditional email filters by hiding its payload inside an image. You will trace the full chain: a spoofed MFA-enrollment lure sent from purpose-built infrastructure, a redirect server that conceals the final destination, and an Evilginx-style adversary-in-the-middle page that stole an authenticated session cookie despite MFA. You will then follow the attacker's post-compromise moves — Graph API mailbox enumeration, SharePoint exfiltration, and a hidden inbox forwarding rule — and choose the containment action that actually evicts them.