
ClickFix: The Fake CAPTCHA Trap
Investigate a modern 'ClickFix' social engineering attack where a user was tricked into executing a malicious PowerShell command via a fake CAPTCHA interface. You will analyze SIEM and XDR telemetry to trace the infection from the initial web lure to the deployment of an infostealer.
Investigation Tasks
Complete each task by investigating alerts and submitting your findings.
Identifying the Origin of Execution
(15 points) During a routine audit of corp-wks-115, an unusual script execution was detected on 2024-05-12T11:25:37.271Z involving the user l.chen. You need to determine which logging facility or source provided the visibility for this specific event to ensure our monitoring coverage is complete.
Investigating Unauthorized Connection Attempts
(15 points) An alert was triggered indicating that corp-wks-712 attempted to communicate with an external IP address associated with a known command-and-control server. You need to verify if the network security controls successfully mitigated this threat or if the traffic was permitted to pass through.
Identify Malicious File Execution via SIEM Logs
(15 points) An alert was triggered for suspicious activity on corp-wks-712 involving the user m.garcia. You need to examine the raw log content within the SIEM to find the specific malicious payload that was executed during this event.
Tracing Network Communication
(15 points) An automated alert triggered for an unusual outbound connection on corp-wks-712. You must analyze the event timeline to determine which external domain was being reached by the process during this activity.
Investigating Suspicious Execution on corp-wks-712
(15 points) An alert was triggered at 2024-05-12T11:27:06.650Z involving user m.garcia. An unknown process appears to have initiated a connection to a remote URL to fetch and execute code; you must determine which system utility was abused for this execution.
Investigating Suspicious Network Communications
(15 points) An automated alert triggered for a workstation communicating with an unverified external resource. You need to investigate the SIEM logs to determine the specific domain that was contacted during this event.
6 tasks · 90 points total
Skills You'll Build
Ideal for newcomers to SOC operations. Guided investigation with clear indicators.
Prerequisites
- No prior experience required
- Familiarity with SIEM concepts
- Familiarity with XDR concepts