
Fake Zoom to Ransomware: The Social Engineering Pipeline
In this advanced SOC simulation, you will investigate a multi-stage intrusion that began with a drive-by download of a trojanized Zoom installer. The attack progressed through several stages of loader execution, including d3f@ckloader and IDAT loader, eventually leading to the deployment of high-end C2 frameworks like Cobalt Strike and Brute Ratel. You must trace the attacker's path from the initial web-based compromise, through lateral movement via RDP tunneling and proxy tools, to the final mass-deployment of BlackSuit ransomware via enterprise management software. This scenario is based on real-world 2025 threat intelligence and requires deep analysis of SIEM, XDR, and Firewall telemetry to reconstruct the full kill chain.
Investigation Tasks
Complete each task by investigating alerts and submitting your findings.
Establish the Initial Access Vector (10 points)
CORP-WKS-102 (user adriana.garcia) is the first host paged in this incident. Early in the morning the user browsed to what looked like a Zoom download page, and moments later a process chain kicked off that the EDR later tied to this whole campaign. Work out exactly what was delivered to the endpoint: name the executable that landed on disk and ran, masquerading as the video-conferencing client.
Fingerprint the Delivered Installer (10 points)
You have named the fake Zoom installer that ran on CORP-WKS-102. Before that file spread any further, the IR team needs a durable indicator to push to the blocklist and to pivot across the estate. Recover the cryptographic file hash of that installer binary as the EDR and Sysmon recorded it.
Trace the Execution Chain to Its Payload Runner (10 points)
The installer did not detonate its payload directly. On CORP-WKS-102 it spawned a chain of signed, trusted Windows utilities to stay under the radar of signature-based detection. Walk that process hierarchy to its deepest link and identify the legitimate system binary the attacker ultimately abused to compile and run their in-memory code.
Surface the Command-and-Control Channel (10 points)
Once the abused build utility was running in memory on CORP-WKS-102, it reached back out to its operator. The host's outbound traffic during the initial-access window should reveal where it called home. Identify the external internet address this compromised endpoint beaconed to so the channel can be blocked at the perimeter.
Identify the Attacker's Remote Access Origin (10 points)
With a foothold and a C2 channel on CORP-WKS-102, the operator began authenticating to that workstation directly from outside the network. Within a day of the initial compromise the SIEM logged remote logon attempts against the host that did not originate from any corporate subnet. Pin down the external address the attacker was authenticating from.
Hash the Second-Stage Payload (10 points)
Days after the initial intrusion, the operator returned to CORP-WKS-102 and dropped a fresh executable into the user's temporary AppData directory, running it under adriana.garcia to advance the operation. Recover the file hash of this second-stage binary so it can be hunted for across the rest of the environment.
Expose the Backup-Credential Theft (10 points)
The campaign's objective was ransomware, and that means neutralising recovery options first. During the post-exploitation phase, the operator pivoted to the backup infrastructure on SRV-BACKUP-01 and ran tooling aimed at the backup product's stored credentials. Identify the script used to harvest those credentials.
Uncover the Attacker's Persistence Account (10 points)
To keep a grip on the environment independent of the original victim, the operator provisioned their own local account on SRV-CONFLUENCE-01 and granted it administrative rights. Comb the Windows Security logs on that server for the account-lifecycle and privileged-group changes the attacker made, and determine the name of the account they stood up for persistence.
Pinpoint the Ransomware Deployment Mechanism (10 points)
The operation eventually moved into its destructive phase: ransomware staging was kicked off from the domain controller and pushed outward. Rather than copying the encryptor by hand, the attacker leaned on a software-deployment service to roll it out at scale. Examine the EDR detections around the staging activity and identify the deployment service binary the attacker repurposed.
Confirm Impact and Recover the Ransom Note (10 points)
The deployment service did its job and the encryptor ran on CORP-WKS-102, closing the loop from a fake Zoom download to full ransomware impact. To attribute the activity to a specific ransomware family and complete the incident record, locate the ransom note the operator dropped on the host and report its exact filename.
10 tasks · 100 points total
Skills You'll Build
Complex multi-stage investigations with realistic noise, ambiguous indicators and lateral movement.
Prerequisites
- Basic understanding of security alerts
- Experience with log analysis tools
- Familiarity with SIEM concepts
- Familiarity with XDR concepts
- Familiarity with Firewall concepts
More Operations
Credential Harvesting: The Lookalike Login
Investigate an adversary-in-the-middle (AiTM) credential phishing campaign that lured an employee to a lookalike Microsoft 365 login page. Working entirely from SIEM logs, you will identify the lookalike domain, reconstruct the multi-hop redirect chain through a compromised legitimate site, uncover a secondary phishing wave against another employee, and confirm account takeover in Azure AD sign-in logs via impossible travel and session-token replay. You finish by choosing the containment action that actually evicts an attacker holding a valid session token. Foundational skills for SOC analysts in lookalike-domain analysis and identity-centric incident response.
Malicious npm Package: Postinstall Infostealer
A developer at a software company installs a typosquatted npm package. The package's postinstall hook silently reads environment variables, SSH keys, and cloud credentials from the user profile and POSTs them to an attacker endpoint before the terminal even finishes. Trace the process tree, the file reads, and the exfiltration traffic to reconstruct the full chain.
QR Code Phishing: Scan to Compromise
In this scenario, you will investigate a modern 'Quishing' (QR phishing) attack that bypassed traditional email filters by hiding its payload inside an image. You will trace the full chain: a spoofed MFA-enrollment lure sent from purpose-built infrastructure, a redirect server that conceals the final destination, and an Evilginx-style adversary-in-the-middle page that stole an authenticated session cookie despite MFA. You will then follow the attacker's post-compromise moves — Graph API mailbox enumeration, SharePoint exfiltration, and a hidden inbox forwarding rule — and choose the containment action that actually evicts them.