Intermediate · SIEM · XDR

Evilginx AiTM: Session Cookie Hijack

In this scenario, you will investigate an adversary-in-the-middle (AiTM) attack targeting a finance employee. You'll analyze cloud sign-in logs, proxy traffic, and XDR telemetry to identify session cookie theft, token replay, and post-compromise persistence. The lab focuses on the Tycoon 2FA phishing-as-a-service (PhaaS) kit, an Evilginx-style reverse proxy that relays the live authentication flow to the real identity provider: the victim completes MFA legitimately, and the proxy captures the session cookie issued afterwards, which is why MFA alone does not stop the takeover.

45 minutes · 8 tasks · 50 points · Free


Investigation Tasks

Complete each task by investigating alerts and submitting your findings.

Task 1: Scope the Compromised Endpoint (5 points)

The SOC was paged on an anomalous-token alert tied to a user mailbox compromise. Before tracing how the intrusion unfolded, you need to scope it: which internal workstation generated the endpoint telemetry behind this incident? Pivot through the SIEM around the suspicious automation-tool execution and identify the source host so containment can begin.

Answer format: SOC{...}

Task 2: Trace the Malicious Outbound Connection (10 points)

Having scoped the affected workstation, follow what its browser did during the phishing session. Shortly after the user opened a downloaded file, the host reached out to attacker-controlled infrastructure over HTTPS. Work the XDR timeline and network events to identify the external destination the browser was relayed to.

Answer format: SOC{...}

Task 3: Classify the Interception Technique (5 points)

The connection you traced ran through attacker infrastructure that sat between the user's browser and the real login service, relaying the authentication flow in real time to defeat MFA. The XDR Behaviors panel raised a detection for this interception on the affected host. Identify the MITRE ATT&CK technique ID the platform mapped to this activity.

Answer format: SOC{...}

Task 4: Pinpoint What the Proxy Stole (5 points)

Relaying the login was only the means to an end. With the interception in place, the adversary captured the authenticated artifact that let them resume the session from their own infrastructure without re-prompting for MFA. The XDR Behaviors panel raised a second detection for this theft on the same host. Determine the MITRE technique ID the platform assigned to it.

Answer format: SOC{...}

Task 5: Name the Adversary's Objective (5 points)

You have now mapped two related techniques on this host — the interception and the artifact theft. In the ATT&CK model, both roll up under a single tactic that describes the adversary's goal in this phase of the intrusion. Examine how the XDR Behaviors panel categorizes these two detections and report that shared tactic.

Answer format: SOC{...}

Task 6: Find the Initial-Access Lure (10 points)

With the credential theft understood, trace back to how it started. The user's session was hijacked moments after they opened a file that had arrived by email and was launched from their Downloads folder — the redirect to the attacker proxy fired straight out of it. Correlate the inbound mail event with the process that opened the download and identify the malicious file the adversary used as the lure.

Answer format: SOC{...}

Task 7: Identify the Launching Process (5 points)

The lure did not act alone — opening it spawned a headless-browser automation tool that the adversary used to drive the proxied session. Walk the XDR process tree on the affected host and determine which immediate parent process launched that automation binary.

Answer format: SOC{...}

Task 8: Uncover the Persistence Foothold (5 points)

You have reconstructed how the account was taken over; now establish what the adversary left behind for the containment plan. With valid access to the mailbox, they made a server-side configuration change that quietly siphoned the victim's incoming mail to an external address. Because the change lives in the mailbox rather than in the stolen session, it survives a password reset and session revocation until it is explicitly removed. Investigate the mail-server activity in the XDR Behaviors panel and report the technique name the platform assigned to this change.

Answer format: SOC{...}
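The pivots in tasks 1, 2, 6, 7 and 8 share one skeleton: start from the headless-browser automation process, walk its parent chain to the file opened from Downloads, tie that file back to the inbound mail, list what the automation process connected to, and check the mailbox audit trail for a forwarding change. The correlation below is an added example written for this page, not code from the lab or its platform, and it runs over constructed telemetry: the event schema, the host name FIN-WS-07, the user, the lure file name, the domains, and the `--headless` and `ForwardTo` indicators are all assumptions chosen for illustration (real mailbox audit records carry parameters as a list of name/value pairs; a flat dict is used here to keep the sample short).

```python
"""Reconstruct an AiTM session-hijack chain from constructed XDR/SIEM events.

Added example; schema, names and domains are assumptions, not lab data.
"""
from __future__ import annotations

import re
from typing import Any

# Constructed sample events (not from the lab). Timestamps are plain integers
# so ordering is obvious; real events would carry ISO-8601 strings.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {"type": "mail", "ts": 100, "recipient": "j.doe@corp.example",
     "sender": "billing@vendor-invoices.example", "attachment": "Invoice_Q3.js"},
    {"type": "process", "ts": 101, "host": "FIN-WS-07", "pid": 1000, "ppid": 1,
     "image": "explorer.exe", "cmdline": "C:\\Windows\\explorer.exe"},
    {"type": "process", "ts": 130, "host": "FIN-WS-07", "pid": 2100, "ppid": 1000,
     "image": "wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\j.doe\\Downloads\\Invoice_Q3.js"'},
    {"type": "process", "ts": 131, "host": "FIN-WS-07", "pid": 3300, "ppid": 2100,
     "image": "chrome.exe",
     "cmdline": "chrome.exe --headless=new --remote-debugging-port=9222 "
                "https://login.microsoftonline-secure.example/"},
    {"type": "network", "ts": 132, "host": "FIN-WS-07", "pid": 3300,
     "dest": "login.microsoftonline-secure.example", "port": 443},
    {"type": "network", "ts": 133, "host": "FIN-WS-07", "pid": 3300,
     "dest": "clients2.google.com", "port": 443},  # benign browser noise
    {"type": "mailaudit", "ts": 600, "user": "j.doe@corp.example",
     "operation": "New-InboxRule",
     "params": {"Name": "Archive", "ForwardTo": "drop@attacker-mail.example"}},
]

HEADLESS_FLAG = re.compile(r"--headless\b")
DOWNLOADS_PATH = re.compile(r"[\\/]Downloads[\\/]([^\"'\s]+)", re.IGNORECASE)
# Mailbox-audit parameters that redirect mail off-tenant (assumed indicator set).
FORWARDING_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                   "ForwardingSmtpAddress")
LEGIT_IDP = "microsoftonline.com"


def processes_by_pid(events: list[dict[str, Any]]) -> dict[int, dict[str, Any]]:
    return {e["pid"]: e for e in events if e["type"] == "process"}


def ancestry(pid: int, procs: dict[int, dict[str, Any]]) -> list[dict[str, Any]]:
    """Walk ppid links from pid toward the root; returns [child, parent, ...]."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return chain


def find_lure(chain: list[dict[str, Any]]) -> str | None:
    """File name from the first ancestor that opened something in Downloads."""
    for proc in chain:
        m = DOWNLOADS_PATH.search(proc["cmdline"])
        if m:
            return m.group(1)
    return None


def is_lookalike(dest: str) -> bool:
    """Brand string present but registrable domain is not the real IdP."""
    branded = "microsoft" in dest.lower()
    legit = dest == LEGIT_IDP or dest.endswith("." + LEGIT_IDP)
    return branded and not legit


def forwarding_changes(events: list[dict[str, Any]]) -> list[tuple[str, str, str, str]]:
    """(user, operation, parameter, target) for every forwarding-style change."""
    out = []
    for e in events:
        if e["type"] != "mailaudit":
            continue
        for key in FORWARDING_KEYS:
            if key in e["params"]:
                out.append((e["user"], e["operation"], key, e["params"][key]))
    return out


def reconstruct_chain(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """One finding per headless-browser process, pivoting to host, parent,
    lure file, mail sender, contacted destinations and mailbox persistence."""
    procs = processes_by_pid(events)
    findings = []
    for proc in procs.values():
        if not HEADLESS_FLAG.search(proc["cmdline"]):
            continue
        chain = ancestry(proc["pid"], procs)
        lure = find_lure(chain)
        parent = procs.get(proc["ppid"])
        # Destinations the automation process reached after it was spawned.
        dests = sorted({e["dest"] for e in events
                        if e["type"] == "network" and e["host"] == proc["host"]
                        and e["pid"] == proc["pid"] and e["ts"] >= proc["ts"]})
        mail = next((e for e in events
                     if e["type"] == "mail" and e["attachment"] == lure), None)
        findings.append({
            "host": proc["host"],
            "automation_binary": proc["image"],
            "parent_image": parent["image"] if parent else None,
            "lure_file": lure,
            "lure_sender": mail["sender"] if mail else None,
            "destinations": dests,
            "lookalike_destinations": [d for d in dests if is_lookalike(d)],
            "forwarding": forwarding_changes(events),
        })
    return findings


if __name__ == "__main__":
    for finding in reconstruct_chain(SAMPLE_EVENTS):
        for key, value in finding.items():
            print(f"{key:24} {value}")
```

The lookalike check is deliberately narrow (brand string present, registrable domain wrong); in a real SIEM you would replace it with your allowlist of identity-provider hosts and a first-seen lookup. The forwarding check keys on parameter names rather than the operation name because the same persistence can be set through an inbox rule, a transport rule, or the mailbox's own forwarding attribute.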



Skills You'll Build

Investigate realistic security alerts
SIEM log analysis
XDR log analysis
MITRE ATT&CK® technique identification
Triage decisions: escalate, investigate, or close
Evidence collection and documentation
Job-ready incident response methodology
Difficulty: Intermediate. Requires foundational alert triage skills; multiple data sources to correlate.

Prerequisites

  • Basic understanding of security alerts
  • Familiarity with SIEM concepts
  • Familiarity with XDR concepts


More Operations

Beginner · SIEM

Credential Harvesting: The Lookalike Login

Investigate an adversary-in-the-middle (AiTM) credential phishing campaign that lured an employee to a lookalike Microsoft 365 login page. Working entirely from SIEM logs, you will identify the lookalike domain, reconstruct the multi-hop redirect chain through a compromised legitimate site, uncover a secondary phishing wave against another employee, and confirm account takeover in Azure AD (Microsoft Entra ID) sign-in logs via impossible travel and session-token replay. You finish by choosing the containment action that actually evicts an attacker holding a valid session token, rather than one that only changes the password. Foundational skills for SOC analysts in lookalike-domain analysis and identity-centric incident response.

40 minutes · 25 points

Beginner · XDR · SIEM

Malicious npm Package: Postinstall Infostealer

A developer at a software company installs a typosquatted npm package. The package's postinstall hook silently reads environment variables, SSH keys, and cloud credentials from the user profile and POSTs them to an attacker endpoint before the terminal even finishes. Trace the process tree, the file reads, and the exfiltration traffic to reconstruct the full chain.

25 minutes · 25 points

Beginner · SIEM

QR Code Phishing: Scan to Compromise

In this scenario, you will investigate a modern 'Quishing' (QR phishing) attack that bypassed traditional email filters by hiding its payload inside an image. You will trace the full chain: a spoofed MFA-enrollment lure sent from purpose-built infrastructure, a redirect server that conceals the final destination, and an Evilginx-style adversary-in-the-middle page that stole an authenticated session cookie despite MFA. You will then follow the attacker's post-compromise moves — Graph API mailbox enumeration, SharePoint exfiltration, and a hidden inbox forwarding rule — and choose the containment action that actually evicts them.

30 minutes · 25 points