
Evilginx AiTM: Session Cookie Hijack
In this scenario, you will investigate an Adversary-in-the-Middle (AiTM) attack targeting a finance employee. You'll analyze cloud sign-in logs, proxy traffic, and XDR telemetry to identify session cookie theft, token replay, and post-compromise persistence. This lab focuses on the Tycoon 2FA PhaaS kit and its ability to bypass MFA by proxying the live authentication session: the user completes MFA against the real login service, but the proxy in the middle captures the resulting session cookie, which the attacker then replays without any further MFA prompt.
Investigation Tasks
Complete each task by investigating alerts and submitting your findings.
Scope the Compromised Endpoint (5 points)
The SOC was paged on an anomalous-token alert tied to a user mailbox compromise. Before tracing how the intrusion unfolded, you need to scope it: which internal workstation generated the endpoint telemetry behind this incident? Pivot through the SIEM around the suspicious automation-tool execution and identify the source host so containment can begin.
Trace the Malicious Outbound Connection (10 points)
Having scoped the affected workstation, follow what its browser did during the phishing session. Shortly after the user opened a downloaded file, the host reached out to attacker-controlled infrastructure over HTTPS. Work the XDR timeline and network events to identify the external destination the browser was relayed to.
Classify the Interception Technique (5 points)
The connection you traced ran through attacker infrastructure that sat between the user's browser and the real login service, relaying the authentication flow in real time to defeat MFA. The XDR Behaviors panel raised a detection for this interception on the affected host. Identify the MITRE ATT&CK technique ID the platform mapped to this activity.
Pinpoint What the Proxy Stole (5 points)
Relaying the login was only the means to an end. With the interception in place, the adversary captured the authenticated artifact that let them resume the session from their own infrastructure without re-prompting for MFA. The XDR Behaviors panel raised a second detection for this theft on the same host. Determine the MITRE technique ID the platform assigned to it.
Name the Adversary's Objective (5 points)
You have now mapped two related techniques on this host: the interception and the artifact theft. In the ATT&CK model, both roll up under a single tactic that describes the adversary's goal in this phase of the intrusion. Examine how the XDR Behaviors panel categorizes these two detections and report that shared tactic.
Find the Initial-Access Lure (10 points)
With the credential theft understood, trace back to how it started. The user's session was hijacked moments after they opened a file that had arrived by email and was launched from their Downloads folder; the redirect to the attacker proxy fired straight out of it. Correlate the inbound mail event with the process that opened the download and identify the malicious file the adversary used as the lure.
Identify the Launching Process (5 points)
The lure did not act alone: opening it spawned a headless-browser automation tool that the adversary used to drive the proxied session. Walk the XDR process tree on the affected host and determine which immediate parent process launched that automation binary.
Uncover the Persistence Foothold (5 points)
You have reconstructed how the account was taken over; now establish what the adversary left behind for the containment plan. With valid access to the mailbox, they made a server-side configuration change that quietly siphoned the victim's incoming mail to an external address, and that change survives a password reset. Investigate the mail-server activity in the XDR Behaviors panel and report the technique name the platform assigned to this change.
8 tasks · 50 points total
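The eight tasks above are one correlation procedure: pivot from the automation-tool execution to the host, from the host to its outbound HTTPS, from the spawning process back to the lure, then across to the sign-in log for the token replay and to the mailbox for the forwarding rule. The Python below is an added worked example and is not part of the lab or its platform. It runs that procedure over a constructed event stream in which every host name, user, file name, process name, domain and IP address is invented (RFC 5737 addresses and the `.invalid` TLD), the automation-tool name and corporate mail domain are assumptions, and it deliberately omits the ATT&CK technique and tactic mapping that the tasks ask you to read from the XDR Behaviors panel.

```python
"""Reconstruct an AiTM session-hijack chain from constructed telemetry.

Added example, not the lab's data: every host, user, file, process, domain
and IP below is invented for illustration. The correlation logic is the
point, not the values.
"""
from datetime import datetime, timedelta

# Constructed, normalized event stream (assumed schema). "ts" is ISO-8601 UTC.
EVENTS = [
    {"ts": "2024-05-06T09:00:10Z", "type": "mail", "user": "j.doe",
     "sender": "billing@vendor-example.invalid", "attachment": "Invoice_Q2.html"},
    {"ts": "2024-05-06T09:01:02Z", "type": "file_open", "host": "WS-FIN-07", "user": "j.doe",
     "path": r"C:\Users\j.doe\Downloads\Invoice_Q2.html", "pid": 4120, "process": "msedge.exe"},
    {"ts": "2024-05-06T09:01:05Z", "type": "process", "host": "WS-FIN-07", "user": "j.doe",
     "pid": 4188, "ppid": 4120, "process": "browser-automation.exe", "parent": "msedge.exe"},
    {"ts": "2024-05-06T09:01:09Z", "type": "network", "host": "WS-FIN-07", "pid": 4188,
     "dst": "login-secure-portal.invalid", "dport": 443},
    {"ts": "2024-05-06T09:01:15Z", "type": "network", "host": "WS-FIN-07", "pid": 4188,
     "dst": "login.microsoftonline.com", "dport": 443},
    # Victim's sign-in (MFA satisfied) followed by the same session id from a new IP, no MFA.
    {"ts": "2024-05-06T09:01:40Z", "type": "signin", "user": "j.doe", "ip": "203.0.113.10",
     "session_id": "sess-8f2c", "mfa_satisfied": True},
    {"ts": "2024-05-06T09:06:05Z", "type": "signin", "user": "j.doe", "ip": "198.51.100.77",
     "session_id": "sess-8f2c", "mfa_satisfied": False},
    {"ts": "2024-05-06T09:12:40Z", "type": "mailbox_config", "user": "j.doe",
     "operation": "New-InboxRule", "forward_to": "collector@mail-drop.invalid"},
]

AUTOMATION_TOOLS = {"browser-automation.exe"}      # assumed name of the headless tool
KNOWN_LOGIN_HOSTS = {"login.microsoftonline.com"}  # the real IdP, excluded from hits
INTERNAL_DOMAIN = "example.invalid"                 # assumed corporate mail domain


def ts(e):
    return datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")


def automation_process(events):
    """Tasks 1 and 7: the process event for the automation tool (host, pid, parent)."""
    return next(e for e in events
                if e["type"] == "process" and e["process"] in AUTOMATION_TOOLS)


def external_https(events, host, pid):
    """Task 2: first TLS destination from that process that is not the real IdP."""
    hits = [e["dst"] for e in events
            if e["type"] == "network" and e["host"] == host and e["pid"] == pid
            and e["dport"] == 443 and e["dst"] not in KNOWN_LOGIN_HOSTS]
    return hits[0] if hits else None


def lure_file(events, proc):
    """Task 6: Downloads file the parent opened just before the spawn, matched to inbound mail."""
    for e in events:
        if (e["type"] == "file_open" and e["host"] == proc["host"] and e["pid"] == proc["ppid"]
                and "\\Downloads\\" in e["path"]
                and timedelta(0) <= ts(proc) - ts(e) <= timedelta(minutes=5)):
            name = e["path"].rsplit("\\", 1)[-1]
            if any(m["type"] == "mail" and m.get("attachment") == name for m in events):
                return name
    return None


def token_replay(events, user, window=timedelta(minutes=15)):
    """Anomalous-token check: a session id reused from a different IP without fresh MFA."""
    first_seen, findings = {}, []
    for e in (x for x in events if x["type"] == "signin" and x["user"] == user):
        prior = first_seen.setdefault(e["session_id"], e)
        if (prior is not e and prior["ip"] != e["ip"] and not e["mfa_satisfied"]
                and ts(e) - ts(prior) <= window):
            findings.append((e["session_id"], prior["ip"], e["ip"]))
    return findings


def external_forwarding(events, user):
    """Task 8: server-side inbox rules that forward outside the corporate domain."""
    return [e["forward_to"] for e in events
            if e["type"] == "mailbox_config" and e["user"] == user
            and not e["forward_to"].endswith("@" + INTERNAL_DOMAIN)]


def reconstruct_chain(events):
    """Pivot through the whole chain from the automation-tool execution outward."""
    proc = automation_process(events)
    return {
        "host": proc["host"],
        "proxy_destination": external_https(events, proc["host"], proc["pid"]),
        "lure": lure_file(events, proc),
        "launching_parent": proc["parent"],
        "token_replay": token_replay(events, proc["user"]),
        "forwarding": external_forwarding(events, proc["user"]),
    }


if __name__ == "__main__":
    for key, value in reconstruct_chain(EVENTS).items():
        print(f"{key:18} {value}")
```

Two design points carry over to a real SIEM query. The outbound-connection pivot keys on the process ID of the automation tool rather than on the host alone, because the legitimate browser on the same host will also talk to the real IdP over 443 and an allowlist of known login hosts is what separates the proxy from the service it impersonates. The token-replay check does not look for a failed MFA; it looks for a session identifier that was already satisfied by MFA appearing from a second client address with no new MFA claim, which is exactly what a replayed session cookie looks like in sign-in logs and why a password reset alone does not evict the attacker.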
Skills You'll Build
Requires foundational alert triage skills. Multiple data sources to correlate.
Prerequisites
- Basic understanding of security alerts
- Familiarity with SIEM concepts
- Familiarity with XDR concepts
More Operations
Credential Harvesting: The Lookalike Login
Investigate an adversary-in-the-middle (AiTM) credential phishing campaign that lured an employee to a lookalike Microsoft 365 login page. Working entirely from SIEM logs, you will identify the lookalike domain, reconstruct the multi-hop redirect chain through a compromised legitimate site, uncover a secondary phishing wave against another employee, and confirm account takeover in Azure AD sign-in logs via impossible travel and session-token replay. You finish by choosing the containment action that actually evicts an attacker holding a valid session token. Foundational skills for SOC analysts in lookalike-domain analysis and identity-centric incident response.
Malicious npm Package: Postinstall Infostealer
A developer at a software company installs a typosquatted npm package. The package's postinstall hook silently reads environment variables, SSH keys, and cloud credentials from the user profile and POSTs them to an attacker endpoint before the terminal even finishes. Trace the process tree, the file reads, and the exfiltration traffic to reconstruct the full chain.
QR Code Phishing: Scan to Compromise
In this scenario, you will investigate a modern "quishing" (QR-code phishing) attack that bypassed traditional email filters by hiding its payload inside an image. You will trace the full chain: a spoofed MFA-enrollment lure sent from purpose-built infrastructure, a redirect server that conceals the final destination, and an Evilginx-style adversary-in-the-middle page that stole an authenticated session cookie despite MFA. You will then follow the attacker's post-compromise moves (Graph API mailbox enumeration, SharePoint exfiltration, and a hidden inbox forwarding rule) and choose the containment action that actually evicts them.