Intermediate · SIEM · XDR · Pro

Cobalt Strike: Beacon Detection

In this scenario, a sophisticated threat actor has gained a foothold in a corporate environment. You will serve as a SOC Analyst tasked with identifying the initial infection vector, tracing lateral movement, and uncovering the final objectives of the intrusion. This room focuses on detecting Cobalt Strike malleable C2 profiles, process injection patterns, and the deployment of LockBit ransomware. You will utilize SIEM logs and XDR telemetry to reconstruct the attack timeline and identify critical Indicators of Compromise (IOCs).

1h · 8 tasks · 50 points · Pro


Investigation Tasks

Complete each task by investigating alerts and submitting your findings.

Task 1: Find the LOLBin That Launched the Intrusion (10 points)

CORP-WEB-01 runs a public-facing Confluence server, and an exploitation attempt against it (CVE-2023-22527) gave the attacker code execution as SYSTEM. The first stage abused a signed, built-in Windows utility to pull down and run a remote HTA payload. Trace the process chain under the Confluence web process and identify the legitimate Microsoft binary the attacker repurposed for that initial execution.

Answer format: SOC{...}
Task 2: Pin Down the Command-and-Control Destination (10 points)

Moments after the HTA payload ran, the compromised CORP-WEB-01 host reached out to attacker-controlled infrastructure to establish its beacon. Having confirmed how the first stage was executed on the host, your next step is to scope the C2 channel. Review the XDR Network Events for the outbound connection that left the host right after that first-stage execution and identify the external destination it called home to.

Answer format: SOC{...}
Task 3: Fingerprint the In-Memory PowerShell Stage (5 points)

With the C2 channel mapped, you need to characterise what the beacon actually ran. On CORP-WEB-01 the LOLBin you identified spawned a hidden PowerShell process that carried the next stage of the intrusion. To support detection-engineering and threat-intel enrichment, pivot into the XDR Process Tree, locate that PowerShell node in the chain, and record the file hash the EDR captured for it.

Answer format: SOC{...}
Task 4: Catch the Tooling Dropped to Disk (5 points)

The in-memory stage gave the attacker hands-on access, and they began pulling additional tooling onto CORP-WEB-01. During one session the host made an outbound HTTP request to a suspicious external server, and shortly afterward an unrecognised binary appeared in a temporary directory. Work the SIEM event messages for that session and identify the name of the file that was written to the host.

Answer format: SOC{...}
Task 5: Hash the Executed Payload (5 points)

One of the binaries the attacker staged on CORP-WEB-01 was run from the Administrator's Temp directory through cmd.exe. The same payload name shows up more than once in the logs, so you will need to isolate the specific execution that matters before you enrich it. Review the SIEM process-creation logs, pin down that execution event, and record the file hash captured for the payload.

Answer format: SOC{...}
Task 6: Trace Credential Harvesting on the Backup Server (5 points)

After establishing their foothold, the adversary moved toward the backup infrastructure on corp-bkp-01, using a service account to hunt for administrative credentials. Backup servers are a prized target because they hold keys to the wider estate. Examine the XDR timeline for the PowerShell activity tied to that service account and identify the script that was run to extract credentials from the backup software.

Answer format: SOC{...}
Task 7: Identify the Exfiltration Tool (5 points)

With credentials in hand, the attacker turned to moving data out of the estate and staged a third-party transfer utility to copy a sensitive file share to cloud storage. Before you can block and hunt for this tool, you need a reliable identifier for it. Work through the XDR Process Tree, locate the process responsible for the bulk copy, and record the file hash captured for that binary.

Answer format: SOC{...}
Task 8: Scope Where the Stolen Data Went (5 points)

You have identified the transfer utility the attacker used; the final step is to determine where the data actually went so the destination can be blocked and reported. That tool, running on CORP-FILE-01, pushed a large volume of data out of the environment in a single transfer. Review the XDR Network Events for the outbound connection it opened and identify the external destination that received the unauthorised upload.

Answer format: SOC{...}

8 tasks · 50 points total


Skills You'll Build

Investigate realistic security alerts
SIEM log analysis
XDR log analysis
MITRE ATT&CK® technique identification
Triage decisions: escalate, investigate, or close
Evidence collection and documentation
Job-ready incident response methodology
Difficulty: Intermediate. Requires foundational alert triage skills; multiple data sources to correlate.

Prerequisites

  • Basic understanding of security alerts
  • Familiarity with SIEM concepts
  • Familiarity with XDR concepts


More Operations

Beginner · SIEM

Credential Harvesting: The Lookalike Login

Investigate an adversary-in-the-middle (AiTM) credential phishing campaign that lured an employee to a lookalike Microsoft 365 login page. Working entirely from SIEM logs, you will identify the lookalike domain, reconstruct the multi-hop redirect chain through a compromised legitimate site, uncover a secondary phishing wave against another employee, and confirm account takeover in Azure AD sign-in logs via impossible travel and session-token replay. You finish by choosing the containment action that actually evicts an attacker holding a valid session token. Foundational skills for SOC analysts in lookalike-domain analysis and identity-centric incident response.

40m · 50 pts

Beginner · SIEM

QR Code Phishing: Scan to Compromise

In this scenario, you will investigate a modern 'Quishing' (QR phishing) attack that bypassed traditional email filters by hiding its payload inside an image. You will trace the full chain: a spoofed MFA-enrollment lure sent from purpose-built infrastructure, a redirect server that conceals the final destination, and an Evilginx-style adversary-in-the-middle page that stole an authenticated session cookie despite MFA. You will then follow the attacker's post-compromise moves — Graph API mailbox enumeration, SharePoint exfiltration, and a hidden inbox forwarding rule — and choose the containment action that actually evicts them.

30m · 50 pts

Beginner · SIEM · XDR

ClickFix: The Fake CAPTCHA Trap

The ClickFix social engineering technique uses dialogue boxes containing fake error messages to trick victims into copying, pasting, and running malicious content. In this scenario, a user was targeted with a 'Verify You Are Human' CAPTCHA check that led to a significant endpoint compromise. You will analyze the 'paste-and-run' execution chain, investigate PowerShell activity initiated via the Windows Run dialog, and identify the deployment of an information stealer.

30m · 40 pts
