Intermediate · SIEM

CI/CD Pipeline Hijack: GitHub Actions Compromise

Investigate a sophisticated supply chain attack targeting GitHub Actions. A widely used utility, 'tj-actions/changed-files', has been compromised to exfiltrate secrets from CI/CD runner memory. You must analyze SIEM logs to trace the unauthorized access, identify the malicious payload execution, and determine the extent of the credential leakage. This scenario reflects real-world techniques used in the 2025 supply chain wave involving automated bot impersonation and double-encoded exfiltration.

45 min · 8 tasks · 265 points · Free

Start this operation

Create your free account and begin immediately.

Get Early Access — Free

Free forever — no credit card required

Investigation Tasks

Complete each task by investigating alerts and submitting your findings.

1. Identifying Malicious CI/CD Configuration (50 points)

At 2025-03-05T13:53:48.617Z, an unusual process execution was detected on the GitHub runner. Investigators suspect the attacker modified a workflow file to automate malicious activity. Analyze the XDR data to find the filename of the suspicious workflow configuration.

SOC{...} · Hint available
2. Investigating GitHub Runner Artifacts (40 points)

An unusual connection was detected originating from github-runner-linux-01. You need to examine the telemetry to identify the specific setup utility or action file that was pulled into the environment during the initialization phase of the lifecycle.

SOC{...} · Hint available
3. Investigating GitHub Runner Artifacts (50 points)

During the investigation of the github-runner-linux-01 host at 2025-03-10T11:05:00.409Z, several automated actions were observed. Analysts need to determine which specific GitHub Action dependency was responsible for tracking modifications to the repository during the incident.

SOC{...} · Hint available
4. Identifying Suspicious Service Account Activity (15 points)

An automated alert triggered on 2025-03-03T01:28:17.700Z indicating an unusual execution pattern on a build runner. Investigate the process telemetry to determine which account was responsible for spawning the suspicious activity.

SOC{...} · Hint available
5. Tracing the Origin of the Intrusion Alert (40 points)

At 2025-03-14T01:55:48.112Z, a potential breach was flagged on the github-api-proxy server. To understand our visibility during this incident, you must determine which security monitoring component first ingested and labeled this event within our log management system.

SOC{...} · Hint available
6. Identifying Suspicious Network Activity (15 points)

An automated alert triggered for the host srv-artifactory-main indicating an unusual outbound connection. Review the SIEM content messages to determine which local address was associated with this network event.

SOC{...} · Hint available
7. Investigating Anomalous GitHub Runner Activity (40 points)

A potential supply chain compromise was flagged on github-runner-linux-01. You need to examine the logs during the initial execution phase to determine what specific action or script was triggered during the setup process.

SOC{...} · Hint available
8. Identifying C2 Infrastructure in Network Logs (15 points)

An automated alert triggered for potential data exfiltration from a high-value server. You need to analyze the SIEM logs during the time of the incident to identify the destination domain mentioned in the log messages.

SOC{...} · Hint available

8 tasks · 265 points total


Training Tools

Skills You'll Build

Investigate realistic security alerts
SIEM log analysis
MITRE ATT&CK technique identification
Triage decisions: escalate, investigate, or close
Evidence collection and documentation
Job-ready incident response methodology
Difficulty: Intermediate. Requires foundational alert triage skills; multiple data sources to correlate.

Prerequisites

  • Basic understanding of security alerts
  • Familiarity with SIEM concepts


More Operations

Advanced · SIEM · XDR

Scattered Spider: Identity-First Attack Chain

Investigate a high-sophistication intrusion by UNC3944 (Scattered Spider). This scenario simulates a multi-stage attack starting from social engineering and MFA fatigue, progressing through the exploitation of unmanaged edge devices, and culminating in a 'Bring Your Own Vulnerable Driver' (BYOVD) technique to blind kernel-level security agents. Analysts must correlate identity providers, cloud sign-ins, and deep endpoint forensics to reconstruct the timeline and identify the breakout speed of this financially motivated threat actor.

1h 30m · 40 pts

Advanced · SIEM · XDR

Fake Zoom to Ransomware: The Social Engineering Pipeline

In this advanced SOC simulation, you will investigate a multi-stage intrusion that began with a drive-by download of a trojanized Zoom installer. The attack progressed through several stages of loader execution, including d3f@ckloader and IDAT loader, eventually leading to the deployment of high-end C2 frameworks like Cobalt Strike and Brute Ratel. You must trace the attacker's path from the initial web-based compromise, through lateral movement via RDP tunneling and proxy tools, to the final mass-deployment of BlackSuit ransomware via enterprise management software. This scenario is based on real-world 2025 threat intelligence and requires deep analysis of SIEM, XDR, and Firewall telemetry to reconstruct the full kill chain.

2h · 40 pts

Advanced · SIEM · XDR

Black Basta: Email Bomb to Encryption

Investigate a sophisticated Ransomware-as-a-Service (RaaS) campaign involving Black Basta and Cactus TTPs. This scenario tracks a multi-stage attack from initial social engineering via Microsoft Teams and Quick Assist to advanced persistence using DLL side-loading in OneDrive. You will analyze how attackers move from identity-based initial access to full domain compromise and ESXi virtualization host encryption. The investigation requires correlating evidence across SIEM logs, XDR process trees, and firewall traffic to uncover hidden C2 channels and data exfiltration patterns occurring during off-hours.

1h 30m · 40 pts