Intermediate · SIEM · XDR · Firewall · Cloud

Cloud Token Theft: Identity Under Siege

Analyze a sophisticated attack targeting Azure Blob Storage and Entra ID. This scenario covers the transition from initial OAuth phishing to token replay and persistent cloud access. You will investigate impossible travel alerts, rogue application consent, and unauthorized storage enumeration using real-world cloud telemetry.

1h · 8 tasks · 50 points · Free


Investigation Tasks

Complete each task by investigating alerts and submitting your findings.

Task 1: Establishing the Baseline for Successful Authentication (5 points)

Before you can separate the attacker's token-replay sessions from normal activity, you need a reliable signal for what a clean, successful interactive logon looks like in the Windows security log. Examine marcus.aurelius's early sign-ins on corp-wks-8821 from the period before any cloud enumeration began, and determine the numeric Windows event identifier that records a successful logon. Every malicious sign-in later in this intrusion produces the same identifier, so pinning it down now is what lets you triage the rest.

Answer format: SOC{...}
Task 2: Tracing the Source of the Inbound Pivot (5 points)

With a trustworthy logon signal established, start walking the intrusion forward from the workstation into the cloud estate. Azure network telemetry flagged an unusual inbound connection reaching the production application server srv-app-prod-01 that does not match its normal traffic profile. Examine the cloud NSG flow event for that connection and identify the internal source IP that originated the pivot, so you can confirm which foothold the attacker is operating from.

Answer format: SOC{...}
Task 3: Locating the Internal Origin of the Break-Glass Sign-In (5 points)

Having confirmed the attacker's foothold, look for how they escalated. The Azure AD sign-in logs show a successful authentication on the emergency break-glass admin account against production infrastructure — an account that should almost never be used. This is not an external-C2 lead: the sign-in came from inside the environment. Examine the relevant SIEM / Azure AD sign-in record and identify the internal source address the break-glass login originated from.

Answer format: SOC{...}
Task 4: Identifying the Utility Used Against the Kubernetes Cluster (5 points)

From the compromised foothold, the attacker turned their attention to the container platform. Process monitoring on the Kubernetes node k8s-node-primary-01 recorded a command-line tool reaching out to the cluster's API server — activity that does not match the node's normal control-plane processes. Review the SIEM process and network-connection events for that host and determine which executable the attacker used to interact with the orchestration layer.

Answer format: SOC{...}
Task 5: Locating the AzureHound Enumeration Output (10 points)

With cluster access and a foothold confirmed, the attacker began harvesting cloud identity data. An AzureHound Microsoft Graph enumeration run by the dev_ops_automation service account redirected its results to a local staging file so it could be exfiltrated later. Working from the process-creation and file-creation telemetry on corp-wks-8821, recover the full output path the attacker wrote that enumeration data to.

Answer format: SOC{...}
Task 6: Recovering the Staged Kubernetes Secrets Dump (5 points)

Days after the AzureHound harvest, endpoint telemetry flagged the attacker — operating as marcus.aurelius — dumping sensitive Kubernetes cluster material to disk on corp-wks-8821. The contents were written to a local temporary directory ahead of exfiltration. Find the file-creation telemetry for this event and recover the full path the attacker staged the cluster secrets to.

Answer format: SOC{...}
Task 7: Identifying the Staged Web-Application Secrets File (10 points)

Continuing the harvest, the attacker mapped the cloud estate with AzureHound on corp-wks-8821 and went hunting for application credentials that would unlock the srv-app-prod-01 server. Endpoint telemetry then caught a small configuration file — the kind that typically holds a web app's secrets and environment variables — being copied off the app server and staged in a local Temp directory. Examine the file-creation telemetry and identify the exact artifact the attacker staged.

Answer format: SOC{...}
Task 8: Determining the Fate of the Exfiltration Egress (5 points)

Everything so far points to one outcome: the attacker staged cloud identity data, cluster secrets, and application credentials for removal. The final question for the incident report is whether the perimeter stopped them. After the Goblob enumeration tool ran on the compromised workstation corp-wks-8821 (10.0.1.134), outbound connections were observed heading to an external destination. Inspect the firewall record for that egress and report the verdict the perimeter applied to it.

Answer format: SOC{...}

8 tasks · 50 points total


Skills You'll Build

Investigate realistic security alerts
SIEM log analysis
XDR log analysis
Firewall log analysis
Cloud log analysis
MITRE ATT&CK® technique identification
Triage decisions: escalate, investigate, or close
Evidence collection and documentation
Job-ready incident response methodology
Difficulty: Intermediate. Requires foundational alert triage skills; multiple data sources must be correlated.

Prerequisites

  • Basic understanding of security alerts
  • Familiarity with SIEM concepts
  • Familiarity with XDR concepts
  • Familiarity with Firewall concepts
  • Familiarity with Cloud concepts


More Operations

Beginner · SIEM

Credential Harvesting: The Lookalike Login

Investigate an adversary-in-the-middle (AiTM) credential phishing campaign that lured an employee to a lookalike Microsoft 365 login page. Working entirely from SIEM logs, you will identify the lookalike domain, reconstruct the multi-hop redirect chain through a compromised legitimate site, uncover a secondary phishing wave against another employee, and confirm account takeover in Azure AD sign-in logs via impossible travel and session-token replay. You finish by choosing the containment action that actually evicts an attacker holding a valid session token. Foundational skills for SOC analysts in lookalike-domain analysis and identity-centric incident response.

40m · 25 pts

Beginner · XDR · SIEM

Malicious npm Package: Postinstall Infostealer

A developer at a software company installs a typosquatted npm package. The package's postinstall hook silently reads environment variables, SSH keys, and cloud credentials from the user profile and POSTs them to an attacker endpoint before the terminal even finishes. Trace the process tree, the file reads, and the exfiltration traffic to reconstruct the full chain.

25m · 25 pts

Beginner · SIEM

QR Code Phishing: Scan to Compromise

In this scenario, you will investigate a modern 'Quishing' (QR phishing) attack that bypassed traditional email filters by hiding its payload inside an image. You will trace the full chain: a spoofed MFA-enrollment lure sent from purpose-built infrastructure, a redirect server that conceals the final destination, and an Evilginx-style adversary-in-the-middle page that stole an authenticated session cookie despite MFA. You will then follow the attacker's post-compromise moves — Graph API mailbox enumeration, SharePoint exfiltration, and a hidden inbox forwarding rule — and choose the containment action that actually evicts them.

30m · 25 pts