
Cloud Token Theft: Identity Under Siege
Analyze a sophisticated attack targeting Azure Blob Storage and Entra ID. This scenario covers the transition from initial OAuth phishing to token replay and persistent cloud access. You will investigate impossible travel alerts, rogue application consent, and unauthorized storage enumeration using real-world cloud telemetry.
Investigation Tasks
Complete each task by investigating alerts and submitting your findings.
Identifying Persistent Artifacts in Cloud-Connected Workstations (40 points)
After gaining initial access, the attacker used AzureHound on corp-wks-8821 to map out the cloud environment. Analysis suggests they were searching for local credentials and environment variables that could facilitate lateral movement to the srv-app-prod-01 server.
Investigating Data Exfiltration Artifacts on srv-app-prod-01 (50 points)
At 2025-10-08T01:37:19.914Z, a suspicious execution involving Goblob and AzureHound was detected on the production application server. The attacker appears to have parsed cloud environment metadata and redirected the output to a temporary staging file for later exfiltration.
Investigating Kubernetes Cluster Persistence (50 points)
The user dev_ops_automation reported unusual activity on a production server. Initial indicators suggest a Goblob malware execution followed by an attempt to harvest sensitive cluster configuration files. Locate the telemetry associated with this event to identify the full path of the file the attacker attempted to exfiltrate.
Investigating Lateral Movement and Credential Usage (50 points)
After the deployment of AzureHound, the attacker attempted to move laterally. Analyze the logs for the user marcus.aurelius around 2025-10-06T08:59:53.923Z to determine the numeric event identifier that confirms a successful logon occurred.
Investigating Data Exfiltration Attempts (50 points)
Following the execution of Goblob on srv-app-prod-01, several outbound connections were observed at 2025-10-12T14:39:16.861Z. You need to determine whether the perimeter defenses blocked this egress traffic or whether the communication was permitted.
Investigating Suspicious Cloud Utility Execution (50 points)
After the initial discovery of AzureHound activity, our monitoring detected an unusual command-line execution on a production application server. Analyze the message logs for srv-app-prod-01 to determine which executable was used to interact with the container orchestration layer.
Tracing the External Pivot (15 points)
After the execution of AzureHound on the internal network, our monitoring systems flagged an unusual inbound connection. Analyze the firewall traffic logs around 22:02:53.383Z to determine the origin point of this external communication.
Identifying Suspicious Inbound Connections (15 points)
At 2025-10-09T10:59:53.473Z, an unusual network event was logged involving the srv-app-prod-01 server. You need to examine the raw log message to determine which remote IP address was communicating with our production infrastructure during this timeframe.
8 tasks · 320 points total
Skills You'll Build
Requires foundational alert triage skills. Multiple data sources to correlate.
Prerequisites
- Basic understanding of security alerts
- Familiarity with SIEM concepts
More Operations
Scattered Spider: Identity-First Attack Chain
Investigate a high-sophistication intrusion by UNC3944 (Scattered Spider). This scenario simulates a multi-stage attack starting from social engineering and MFA fatigue, progressing through the exploitation of unmanaged edge devices, and culminating in a 'Bring Your Own Vulnerable Driver' (BYOVD) technique to blind kernel-level security agents. Analysts must correlate identity providers, cloud sign-ins, and deep endpoint forensics to reconstruct the timeline and identify the breakout speed of this financially motivated threat actor.
Fake Zoom to Ransomware: The Social Engineering Pipeline
In this advanced SOC simulation, you will investigate a multi-stage intrusion that began with a drive-by download of a trojanized Zoom installer. The attack progressed through several stages of loader execution, including d3f@ckloader and IDAT loader, eventually leading to the deployment of high-end C2 frameworks like Cobalt Strike and Brute Ratel. You must trace the attacker's path from the initial web-based compromise, through lateral movement via RDP tunneling and proxy tools, to the final mass-deployment of BlackSuit ransomware via enterprise management software. This scenario is based on real-world 2025 threat intelligence and requires deep analysis of SIEM, XDR, and Firewall telemetry to reconstruct the full kill chain.
Black Basta: Email Bomb to Encryption
Investigate a sophisticated Ransomware-as-a-Service (RaaS) campaign involving Black Basta and Cactus TTPs. This scenario tracks a multi-stage attack from initial social engineering via Microsoft Teams and Quick Assist to advanced persistence using DLL side-loading in OneDrive. You will analyze how attackers move from identity-based initial access to full domain compromise and ESXi virtualization host encryption. The investigation requires correlating evidence across SIEM logs, XDR process trees, and firewall traffic to uncover hidden C2 channels and data exfiltration patterns occurring during off-hours.