Intermediate · SIEM · XDR

Cobalt Strike: Beacon Detection

In this scenario, a sophisticated threat actor has gained a foothold in a corporate environment. You will serve as a SOC analyst tasked with identifying the initial infection vector, tracing lateral movement, and uncovering the final objectives of the intrusion. This operation focuses on detecting Cobalt Strike malleable C2 profiles, process injection patterns, and the deployment of LockBit ransomware. You will use SIEM logs and XDR telemetry to reconstruct the attack timeline and identify critical Indicators of Compromise (IOCs).

1h · 8 tasks · 50 points · Free


Investigation Tasks

Complete each task by investigating alerts and submitting your findings.

Task 1 (2 points): Identify the Compromised Internal Host

The security team flagged suspicious network activity originating from the internal network on 2025-01-24T03:17:55.351Z. You need to investigate the firewall traffic to determine which specific internal workstation was compromised during this incident.

Answer format: SOC{...} (hint available)
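The check behind this task is interval regularity: a Cobalt Strike beacon calls home on a fixed sleep, so the inter-arrival times of one internal host's connections to one external IP cluster tightly while ordinary browsing does not. The script below is an added example, not the operation's dataset or the platform's tooling; the firewall lines are constructed, and the key=value layout, the internal 10.10.20.0/24 range and the external addresses are assumptions made for the example.

```python
"""Beacon-interval check over firewall connection logs.

Added example, not the operation's dataset or the platform's own tooling.
The log lines below are constructed; the key=value layout, IP addresses and
the 10.10.20.0/24 internal range are assumptions made for the example.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed firewall export: 10.10.20.55 calls 203.0.113.77:443 roughly every
# 60 s with a few seconds of jitter (a beacon-like pattern), while 10.10.20.41
# browses 198.51.100.0/24 at irregular intervals.
FIREWALL_LOG = """\
2025-01-24T03:10:55.351Z action=allow src=10.10.20.55 dst=203.0.113.77 dport=443 proto=tcp bytes=1432
2025-01-24T03:11:02.010Z action=allow src=10.10.20.41 dst=198.51.100.20 dport=443 proto=tcp bytes=90211
2025-01-24T03:11:05.500Z action=allow src=10.10.20.41 dst=198.51.100.20 dport=443 proto=tcp bytes=4510
2025-01-24T03:11:44.120Z action=allow src=10.10.20.41 dst=198.51.100.35 dport=443 proto=tcp bytes=230114
2025-01-24T03:11:56.951Z action=allow src=10.10.20.55 dst=203.0.113.77 dport=443 proto=tcp bytes=1440
2025-01-24T03:12:54.651Z action=allow src=10.10.20.55 dst=203.0.113.77 dport=443 proto=tcp bytes=1432
2025-01-24T03:13:21.900Z action=allow src=10.10.20.41 dst=198.51.100.20 dport=443 proto=tcp bytes=18322
2025-01-24T03:13:22.300Z action=allow src=10.10.20.41 dst=198.51.100.20 dport=443 proto=tcp bytes=7721
2025-01-24T03:13:56.351Z action=allow src=10.10.20.55 dst=203.0.113.77 dport=443 proto=tcp bytes=1436
2025-01-24T03:14:55.151Z action=allow src=10.10.20.55 dst=203.0.113.77 dport=443 proto=tcp bytes=1432
2025-01-24T03:15:56.551Z action=allow src=10.10.20.55 dst=203.0.113.77 dport=443 proto=tcp bytes=1440
2025-01-24T03:16:40.777Z action=allow src=10.10.20.41 dst=198.51.100.20 dport=443 proto=tcp bytes=66012
2025-01-24T03:16:54.251Z action=allow src=10.10.20.55 dst=203.0.113.77 dport=443 proto=tcp bytes=1432
2025-01-24T03:17:55.351Z action=allow src=10.10.20.55 dst=203.0.113.77 dport=443 proto=tcp bytes=1436
"""


def parse_line(line):
    """Split one 'timestamp key=value ...' record into a dict with a UTC datetime."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return rec


def find_beacons(log_text, min_events=4, max_cv=0.15):
    """Flag (src, dst, dport) flows whose connection inter-arrival times are
    unusually regular: coefficient of variation (stdev / mean) at or below max_cv."""
    by_flow = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_flow[(rec["src"], rec["dst"], rec["dport"])].append(rec["ts"])

    hits = []
    for (src, dst, dport), times in by_flow.items():
        if len(times) < min_events:
            continue  # too few samples to judge periodicity
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(deltas)
        if mean <= 0:
            continue
        cv = statistics.pstdev(deltas) / mean
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "connections": len(times),
                         "mean_interval_s": round(mean, 1), "cv": round(cv, 3)})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(FIREWALL_LOG):
        print(hit)
```

On the constructed data the only flow under the threshold is 10.10.20.55 to 203.0.113.77 (eight connections, mean interval 60 s), which is the kind of evidence that names the compromised host. Two caveats when running this on real logs: a malleable profile can set `sleeptime` and `jitter` so that the coefficient of variation climbs well above 0.15, so widen the threshold and look at the distribution rather than one number; and long sleeps need a long enough window to collect `min_events` samples at all.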
Task 2 (4 points): Investigating Living-off-the-Land Binary Execution

At 2025-01-16T14:31:58.025Z, user alex.garcia interacted with a suspicious email link in outlook.exe. Examine the XDR Process Tree to identify which legitimate Microsoft utility was spawned as a child process to download and run malicious code.

Answer format: SOC{...} (hint available)
Task 3 (4 points): Investigating Suspicious Downloads on corp-wks-105

Around 2025-01-21T20:33:24.065Z, alex.garcia's workstation, corp-wks-105, exhibited unusual network activity followed by the creation of an unrecognized binary. Analyze the SIEM event messages to determine the name of the file that was dropped during this session.

Answer format: SOC{...} (hint available)
Task 4 (11 points): Tracing Malicious Execution on corp-wks-105

An alert triggered on corp-wks-105 involving sarah.chen's workstation where outlook.exe spawned a series of unusual child processes. You need to investigate the XDR Process Tree to identify the final payload executed at the end of this chain.

Answer format: SOC{...} (hint available)
Task 5 (2 points): Identify C2 Communication from Compromised Workstation

Following the detection of rclone.exe being executed by alex.garcia, we suspect data exfiltration has occurred. Review the network logs to determine which destination IP was used for this unauthorized connection.

Answer format: SOC{...} (hint available)
Task 6 (11 points): Investigating Execution of Unauthorized Scripts via MSHTA

An alert triggered on corp-wks-105 involving sarah.chen where a native Windows utility was used to execute a remote payload. Analyze the process execution logs to find the hash of the file involved in this specific execution event.

Answer format: SOC{...} (hint available)
Task 7 (5 points): Credential Harvesting on Backup Infrastructure

After gaining access to corp-bkp-01, the adversary attempted to compromise the svc_veeam account to gain broader access to the backup environment. Analyze the XDR timeline around 2025-01-27T04:34:18.447Z to find the filename of the script used for credential extraction.

Answer format: SOC{...} (hint available)
Task 8 (11 points): Investigating Data Exfiltration via Rclone

At 2025-01-19T18:20:59.553Z, an unusual process execution was detected on corp-bkp-01 involving the svc_veeam account. The attacker appears to have executed a renamed rclone binary to move archives to a remote location. You must analyze the process execution logs to find the unique identifier for this specific file.

Answer format: SOC{...} (hint available)
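Several of the tasks above reduce to the same two operations on process-creation telemetry: walking the parent-to-child tree from outlook.exe to find the first living-off-the-land binary, the last executable in the chain and its hash (tasks 2, 4 and 6), and spotting a tool that was copied under an innocuous name by comparing the on-disk file name with the name embedded in the PE version information (the renamed rclone of task 8). The script below is an added example and is not the operation's dataset or the platform's XDR tooling; its events are constructed to resemble Sysmon Event ID 1 fields, and every hostname, user, PID, path and hash value in it is a placeholder.

```python
"""Process-tree triage over endpoint process-creation telemetry.

Added example; it is not the operation's dataset or the platform's XDR tooling.
The events below are constructed to resemble Sysmon Event ID 1 fields
(Image, ParentProcessId, OriginalFileName, hash). Hostnames, users, PIDs,
paths and the hash values are placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from ntpath import basename


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    pid: int
    ppid: int
    image: str               # full path of the executable on disk
    cmdline: str
    original_file_name: str  # name embedded in the PE version info
    sha256: str


# Native Windows utilities routinely abused to download or run code.
LOLBINS = {"mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
           "powershell.exe", "wscript.exe", "cscript.exe", "msiexec.exe",
           "bitsadmin.exe", "msbuild.exe"}

# Constructed telemetry: a phishing chain on corp-wks-105 and a renamed
# rclone run on corp-bkp-01, plus benign noise. Hashes are placeholders.
EVENTS = [
    ProcEvent("corp-wks-105", "alex.garcia", 4120, 800,
              r"C:\Windows\explorer.exe", "explorer.exe", "EXPLORER.EXE", "aa" * 32),
    ProcEvent("corp-wks-105", "alex.garcia", 5212, 4120,
              r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
              "OUTLOOK.EXE", "OUTLOOK.EXE", "ab" * 32),
    ProcEvent("corp-wks-105", "alex.garcia", 5890, 5212,
              r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Users\Public\invoice.hta", "MSHTA.EXE", "ac" * 32),
    ProcEvent("corp-wks-105", "alex.garcia", 6012, 5890,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc <omitted>", "PowerShell.EXE", "ad" * 32),
    ProcEvent("corp-wks-105", "alex.garcia", 6230, 6012,
              r"C:\Users\Public\winupd.exe", "winupd.exe", "", "ae" * 32),  # no version info
    ProcEvent("corp-wks-105", "alex.garcia", 6300, 4120,
              r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              "chrome.exe", "chrome.exe", "af" * 32),
    ProcEvent("corp-bkp-01", "svc_veeam", 2210, 1400,
              r"C:\Windows\System32\cmd.exe", "cmd.exe", "Cmd.Exe", "ba" * 32),
    ProcEvent("corp-bkp-01", "svc_veeam", 2288, 2210,
              r"C:\ProgramData\Veeam\vbk_sync.exe",
              r"vbk_sync.exe copy D:\Backups remote:archives", "rclone.exe", "cc" * 32),
]


def _children(events):
    """Index events by (host, parent pid); PIDs are only unique per host."""
    idx = defaultdict(list)
    for e in events:
        idx[(e.host, e.ppid)].append(e)
    return idx


def longest_chain(events, root):
    """Deepest parent-to-child path starting at root, root included."""
    idx = _children(events)

    def walk(e):
        kids = idx.get((e.host, e.pid), [])
        return [e] if not kids else [e] + max((walk(k) for k in kids), key=len)

    return walk(root)


def triage_root(events, root_image="outlook.exe"):
    """For each process matching root_image, report the LOLBins it spawned
    (directly or further down) and the executable at the end of the chain."""
    findings = []
    for root in events:
        if basename(root.image).lower() != root_image.lower():
            continue
        chain = longest_chain(events, root)
        lolbins = [basename(e.image).lower() for e in chain[1:]
                   if basename(e.image).lower() in LOLBINS]
        leaf = chain[-1] if len(chain) > 1 else None
        findings.append({
            "host": root.host, "user": root.user,
            "chain": [basename(e.image) for e in chain],
            "first_lolbin": lolbins[0] if lolbins else None,
            "final_payload": basename(leaf.image) if leaf else None,
            "final_payload_sha256": leaf.sha256 if leaf else None,
        })
    return findings


def renamed_binaries(events):
    """Processes whose on-disk file name differs from the PE's OriginalFileName,
    the usual trace of a tool such as rclone copied under an innocuous name."""
    return [
        {"host": e.host, "user": e.user, "image": e.image,
         "original_file_name": e.original_file_name, "sha256": e.sha256}
        for e in events
        if e.original_file_name
        and basename(e.image).lower() != e.original_file_name.lower()
    ]


if __name__ == "__main__":
    print(triage_root(EVENTS))
    print(renamed_binaries(EVENTS))
```

On the constructed events the Outlook chain resolves to OUTLOOK.EXE, mshta.exe, powershell.exe, winupd.exe, so the first LOLBin is mshta.exe and the final payload is winupd.exe with its hash, while the only name mismatch is vbk_sync.exe carrying OriginalFileName rclone.exe under svc_veeam. Two things to keep in mind on real telemetry: PIDs are reused, so key on the process GUID or creation time rather than (host, pid) alone; and a handful of legitimate binaries ship with an OriginalFileName that differs from their file name, so the mismatch check needs an allow-list before it is turned into an alert.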

8 tasks · 50 points total



Skills You'll Build

  • Investigate realistic security alerts
  • SIEM log analysis
  • XDR log analysis
  • MITRE ATT&CK technique identification
  • Triage decisions: escalate, investigate, or close
  • Evidence collection and documentation
  • Job-ready incident response methodology

Difficulty: Intermediate. Requires foundational alert triage skills; multiple data sources to correlate.

Prerequisites

  • Basic understanding of security alerts
  • Familiarity with SIEM concepts
  • Familiarity with XDR concepts


More Operations

Advanced · SIEM · XDR

Scattered Spider: Identity-First Attack Chain

Investigate a high-sophistication intrusion by UNC3944 (Scattered Spider). This scenario simulates a multi-stage attack starting from social engineering and MFA fatigue, progressing through the exploitation of unmanaged edge devices, and culminating in a 'Bring Your Own Vulnerable Driver' (BYOVD) technique to blind kernel-level security agents. Analysts must correlate identity providers, cloud sign-ins, and deep endpoint forensics to reconstruct the timeline and identify the breakout speed of this financially motivated threat actor.

1h 30m · 102 pts

Advanced · SIEM · XDR

Fake Zoom to Ransomware: The Social Engineering Pipeline

In this advanced SOC simulation, you will investigate a multi-stage intrusion that began with a drive-by download of a trojanized Zoom installer. The attack progressed through several stages of loader execution, including d3f@ckloader and IDAT loader, eventually leading to the deployment of high-end C2 frameworks like Cobalt Strike and Brute Ratel. You must trace the attacker's path from the initial web-based compromise, through lateral movement via RDP tunneling and proxy tools, to the final mass-deployment of BlackSuit ransomware via enterprise management software. This scenario is based on real-world 2025 threat intelligence and requires deep analysis of SIEM, XDR, and Firewall telemetry to reconstruct the full kill chain.

2h · 100 pts

Advanced · SIEM · XDR

Black Basta: Email Bomb to Encryption

Investigate a sophisticated Ransomware-as-a-Service (RaaS) campaign involving Black Basta and Cactus TTPs. This scenario tracks a multi-stage attack from initial social engineering via Microsoft Teams and Quick Assist to advanced persistence using DLL side-loading in OneDrive. You will analyze how attackers move from identity-based initial access to full domain compromise and ESXi virtualization host encryption. The investigation requires correlating evidence across SIEM logs, XDR process trees, and firewall traffic to uncover hidden C2 channels and data exfiltration patterns occurring during off-hours.

1h 30m · 102 pts
