Difficulty: Advanced · Tools: SIEM, XDR, Firewall

Fake Zoom to Ransomware: The Social Engineering Pipeline

In this advanced SOC simulation, you will investigate a multi-stage intrusion that began with a drive-by download of a trojanized Zoom installer. The attack progressed through several stages of loader execution, including d3f@ckloader and IDAT loader, eventually leading to the deployment of high-end C2 frameworks like Cobalt Strike and Brute Ratel. You must trace the attacker's path from the initial web-based compromise, through lateral movement via RDP tunneling and proxy tools, to the final mass-deployment of BlackSuit ransomware via enterprise management software. This scenario is based on real-world 2025 threat intelligence and requires deep analysis of SIEM, XDR, and Firewall telemetry to reconstruct the full kill chain.

1h 40m
10 tasks
150 points
Free


Investigation Tasks

Complete each task by investigating alerts and submitting your findings.

Task 1: Establish the Initial Access Vector (10 points)

CORP-WKS-102 (user adriana.garcia) is the first host paged in this incident. Early in the morning the user browsed to what looked like a Zoom download page, and moments later a process chain kicked off that the EDR later tied to this whole campaign. Work out exactly what was delivered to the endpoint: name the executable that landed on disk and ran, masquerading as the video-conferencing client.

Answer format: SOC{...}. A hint is available.
Task 2: Fingerprint the Delivered Installer (10 points)

You have named the fake Zoom installer that ran on CORP-WKS-102. Before that file spread any further, the IR team needs a durable indicator to push to the blocklist and to pivot across the estate. Recover the cryptographic file hash of that installer binary as the EDR and Sysmon recorded it.

Answer format: SOC{...}. A hint is available.
Task 3: Trace the Execution Chain to Its Payload Runner (10 points)

The installer did not detonate its payload directly. On CORP-WKS-102 it spawned a chain of signed, trusted Windows utilities to stay under the radar of signature-based detection. Walk that process hierarchy to its deepest link and identify the legitimate system binary the attacker ultimately abused to compile and run their in-memory code.

Answer format: SOC{...}. A hint is available.
Task 4: Surface the Command-and-Control Channel (10 points)

Once the abused build utility was running in memory on CORP-WKS-102, it reached back out to its operator. The host's outbound traffic during the initial-access window should reveal where it called home. Identify the external internet address this compromised endpoint beaconed to so the channel can be blocked at the perimeter.

Answer format: SOC{...}. A hint is available.
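A defender's way of answering tasks 3 and 4 programmatically, as an added example that is not part of the training platform or its telemetry: index Sysmon-style ProcessCreate events into a tree, walk from the installer to its deepest descendant, then pull that process's NetworkConnect events to addresses outside the corporate ranges. The events, the image names ZoomInstallerFull.exe and build-utility.exe, the PIDs and the 198.51.100.9 destination are constructed placeholders (not the scenario's answers), and the 10/8, 172.16/12 and 192.168/16 ranges are assumed to be the corporate address space.

```python
import ipaddress

# Assumed corporate address space (RFC 1918); adjust to the estate's real ranges.
CORPORATE_NETS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed Sysmon-style events: id 1 = ProcessCreate, id 3 = NetworkConnect.
# Image names, PIDs and addresses are placeholders, not the scenario's answers.
PROC_EVENTS = [
    {"id": 1, "pid": 100, "ppid": 1,   "image": "explorer.exe"},
    {"id": 1, "pid": 200, "ppid": 100, "image": "chrome.exe"},
    {"id": 1, "pid": 300, "ppid": 200, "image": "ZoomInstallerFull.exe"},  # placeholder installer
    {"id": 1, "pid": 400, "ppid": 300, "image": "cmd.exe"},
    {"id": 1, "pid": 410, "ppid": 300, "image": "conhost.exe"},
    {"id": 1, "pid": 500, "ppid": 400, "image": "build-utility.exe"},      # placeholder abused utility
    {"id": 3, "pid": 500, "image": "build-utility.exe", "dst_ip": "198.51.100.9", "dst_port": 443},
    {"id": 3, "pid": 200, "image": "chrome.exe", "dst_ip": "10.0.5.20", "dst_port": 443},
    {"id": 3, "pid": 500, "image": "build-utility.exe", "dst_ip": "10.0.0.4", "dst_port": 53},
]


def is_external(ip):
    """True when ip lies outside every corporate range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in CORPORATE_NETS)


def index_processes(events):
    """pid -> (ppid, image), built from ProcessCreate events only."""
    return {e["pid"]: (e["ppid"], e["image"]) for e in events if e["id"] == 1}


def deepest_chain(procs, root_pid):
    """Depth-first walk from root_pid; returns the longest root-to-leaf path as a
    list of (pid, image). Ties resolve to the first leaf reached."""
    children = {}
    for pid, (ppid, _) in procs.items():
        children.setdefault(ppid, []).append(pid)
    best = []

    def walk(pid, path):
        nonlocal best
        path = path + [(pid, procs[pid][1])]
        kids = children.get(pid, [])
        if not kids and len(path) > len(best):
            best = path
        for kid in kids:
            walk(kid, path)

    walk(root_pid, [])
    return best


def external_connections(events, pid):
    """Sorted unique external destination IPs from NetworkConnect events of pid."""
    return sorted({e["dst_ip"] for e in events
                   if e["id"] == 3 and e["pid"] == pid and is_external(e["dst_ip"])})


def trace_installer(events, installer_image):
    """From the installer image, find the deepest descendant process and the
    external addresses it contacted; None when the image never ran."""
    procs = index_processes(events)
    roots = [pid for pid, (_, image) in procs.items() if image == installer_image]
    if not roots:
        return None
    chain = deepest_chain(procs, roots[0])
    leaf_pid, leaf_image = chain[-1]
    return {"chain": [image for _, image in chain],
            "abused_binary": leaf_image,
            "c2_addresses": external_connections(events, leaf_pid)}


if __name__ == "__main__":
    print(trace_installer(PROC_EVENTS, "ZoomInstallerFull.exe"))
```

The walk keeps the longest path rather than the first leaf because installers commonly fork short-lived helpers (conhost.exe in the sample) beside the branch that matters; filtering connections to external addresses only after locating the leaf keeps the internal DNS lookup from being mistaken for the beacon.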
Task 5: Identify the Attacker's Remote Access Origin (10 points)

With a foothold and a C2 channel on CORP-WKS-102, the operator began authenticating to that workstation directly from outside the network. Within a day of the initial compromise the SIEM logged remote logon attempts against the host that did not originate from any corporate subnet. Pin down the external address the attacker was authenticating from.

Answer format: SOC{...}. A hint is available.
Task 6: Hash the Second-Stage Payload (10 points)

Days after the initial intrusion, the operator returned to CORP-WKS-102 and dropped a fresh executable into the user's temporary AppData directory, running it under adriana.garcia to advance the operation. Recover the file hash of this second-stage binary so it can be hunted for across the rest of the environment.

Answer format: SOC{...}. A hint is available.
Task 7: Expose the Backup-Credential Theft (10 points)

The campaign’s objective was ransomware, and that means neutralising recovery options first. During the post-exploitation phase, the operator pivoted to the backup infrastructure on SRV-BACKUP-01 and ran tooling aimed at the backup product’s stored credentials. Identify the script used to harvest those credentials.

Answer format: SOC{...}. A hint is available.
Task 8: Uncover the Attacker's Persistence Account (10 points)

To keep a grip on the environment independent of the original victim, the operator provisioned their own local account on SRV-CONFLUENCE-01 and granted it administrative rights. Comb the Windows Security logs on that server for the account-lifecycle and privileged-group changes the attacker made, and determine the name of the account they stood up for persistence.

Answer format: SOC{...}. A hint is available.
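The Windows Security log checks behind tasks 5 and 8, as an added example that is not part of the training platform or its telemetry: filter RemoteInteractive (LogonType 10, i.e. RDP) logon successes and failures against a host to source addresses outside the corporate ranges, and correlate account-creation events with a later addition of the same account to a privileged group. The event IDs (4624, 4625, 4720, 4728, 4732) are the standard Windows Security IDs; the flattened event shape, the account names svc_sync and helpdesk-bot, the 203.0.113.77 source and the timestamps are constructed, and the RFC 1918 ranges are assumed to be the corporate address space.

```python
import ipaddress

# Assumed corporate address space (RFC 1918); adjust to the estate's real ranges.
CORPORATE_NETS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed Windows Security events in a flattened SIEM-export shape.
# 4624/4625 = logon success/failure, logon_type 10 = RemoteInteractive (RDP);
# 4720 = user account created; 4732/4728 = member added to local/global group.
# Account names, addresses and timestamps are placeholders.
SECURITY_EVENTS = [
    {"host": "CORP-WKS-102", "event_id": 4624, "logon_type": 10, "user": "adriana.garcia",
     "src_ip": "10.20.30.5", "ts": "2025-03-02T08:14:00Z"},
    {"host": "CORP-WKS-102", "event_id": 4625, "logon_type": 10, "user": "adriana.garcia",
     "src_ip": "203.0.113.77", "ts": "2025-03-03T02:39:00Z"},
    {"host": "CORP-WKS-102", "event_id": 4624, "logon_type": 10, "user": "adriana.garcia",
     "src_ip": "203.0.113.77", "ts": "2025-03-03T02:41:00Z"},
    # Network logon (type 3) from outside: not RDP, so the RDP check ignores it.
    {"host": "CORP-WKS-102", "event_id": 4624, "logon_type": 3, "user": "svc_scan",
     "src_ip": "198.51.100.2", "ts": "2025-03-03T03:00:00Z"},
    {"host": "SRV-CONFLUENCE-01", "event_id": 4720, "target_user": "svc_sync",
     "subject_user": "adriana.garcia", "ts": "2025-03-05T22:10:00Z"},
    {"host": "SRV-CONFLUENCE-01", "event_id": 4732, "target_user": "svc_sync",
     "group": "Administrators", "subject_user": "adriana.garcia", "ts": "2025-03-05T22:11:00Z"},
    # Pre-existing account added to a non-privileged group: legitimate admin work.
    {"host": "SRV-CONFLUENCE-01", "event_id": 4732, "target_user": "helpdesk-bot",
     "group": "Remote Desktop Users", "subject_user": "it.admin", "ts": "2025-03-04T09:00:00Z"},
]

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}


def is_external(ip):
    """True when ip lies outside every corporate range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in CORPORATE_NETS)


def external_rdp_sources(events, host):
    """Source IPs of RemoteInteractive logon attempts (successful or failed)
    against host that come from outside the corporate ranges."""
    return sorted({e["src_ip"] for e in events
                   if e["host"] == host and e["event_id"] in (4624, 4625)
                   and e.get("logon_type") == 10 and is_external(e["src_ip"])})


def persistence_accounts(events, host):
    """Accounts created on host (4720) and afterwards added to a privileged
    group (4732 local / 4728 global). Returns sorted (account, actor) pairs.
    Timestamps are compared as strings, which is valid for same-format
    ISO-8601 UTC values."""
    created = {e["target_user"]: e["ts"] for e in events
               if e["host"] == host and e["event_id"] == 4720}
    found = set()
    for e in events:
        if (e["host"] == host and e["event_id"] in (4728, 4732)
                and e.get("group") in PRIVILEGED_GROUPS
                and e["target_user"] in created
                and e["ts"] >= created[e["target_user"]]):
            found.add((e["target_user"], e["subject_user"]))
    return sorted(found)


if __name__ == "__main__":
    print(external_rdp_sources(SECURITY_EVENTS, "CORP-WKS-102"))
    print(persistence_accounts(SECURITY_EVENTS, "SRV-CONFLUENCE-01"))
```

Including 4625 failures alongside 4624 successes matters for task 5: an operator's first attempts often fail, and the failed attempt from the same external source is itself evidence. For task 8, requiring both the creation event and the privileged-group addition keeps routine group changes to existing accounts out of the result.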
Task 9: Pinpoint the Ransomware Deployment Mechanism (10 points)

The operation eventually moved into its destructive phase: ransomware staging was kicked off from the domain controller and pushed outward. Rather than copying the encryptor by hand, the attacker leaned on a software-deployment service to roll it out at scale. Examine the EDR detections around the staging activity and identify the deployment service binary the attacker repurposed.

Answer format: SOC{...}. A hint is available.
Task 10: Confirm Impact and Recover the Ransom Note (10 points)

The deployment service did its job and the encryptor ran on CORP-WKS-102, closing the loop from a fake Zoom download to full ransomware impact. To attribute the activity to a specific ransomware family and complete the incident record, locate the ransom note the operator dropped on the host and report its exact filename.

Answer format: SOC{...}. A hint is available.

10 tasks · 100 points total

Skills You'll Build

Investigate realistic security alerts
SIEM log analysis
XDR log analysis
Firewall log analysis
MITRE ATT&CK® technique identification
Triage decisions: escalate, investigate, or close
Evidence collection and documentation
Job-ready incident response methodology
Difficulty: Advanced

Complex multi-stage investigations. Realistic noise, ambiguous indicators, lateral movement.

Prerequisites

  • Basic understanding of security alerts
  • Experience with log analysis tools
  • Familiarity with SIEM concepts
  • Familiarity with XDR concepts
  • Familiarity with Firewall concepts

More Operations

Beginner · SIEM

Credential Harvesting: The Lookalike Login

Investigate an adversary-in-the-middle (AiTM) credential phishing campaign that lured an employee to a lookalike Microsoft 365 login page. Working entirely from SIEM logs, you will identify the lookalike domain, reconstruct the multi-hop redirect chain through a compromised legitimate site, uncover a secondary phishing wave against another employee, and confirm account takeover in Azure AD sign-in logs via impossible travel and session-token replay. You finish by choosing the containment action that actually evicts an attacker holding a valid session token. Foundational skills for SOC analysts in lookalike-domain analysis and identity-centric incident response.

40m · 25 pts

Beginner · XDR · SIEM

Malicious npm Package: Postinstall Infostealer

A developer at a software company installs a typosquatted npm package. The package's postinstall hook silently reads environment variables, SSH keys, and cloud credentials from the user profile and POSTs them to an attacker endpoint before the terminal even finishes. Trace the process tree, the file reads, and the exfiltration traffic to reconstruct the full chain.

25m · 25 pts

Beginner · SIEM

QR Code Phishing: Scan to Compromise

In this scenario, you will investigate a modern 'Quishing' (QR phishing) attack that bypassed traditional email filters by hiding its payload inside an image. You will trace the full chain: a spoofed MFA-enrollment lure sent from purpose-built infrastructure, a redirect server that conceals the final destination, and an Evilginx-style adversary-in-the-middle page that stole an authenticated session cookie despite MFA. You will then follow the attacker's post-compromise moves — Graph API mailbox enumeration, SharePoint exfiltration, and a hidden inbox forwarding rule — and choose the containment action that actually evicts them.

30m · 25 pts