Intermediate · SIEM · XDR · Pro

Kerberoasting: Service Ticket to Domain Admin

In this scenario, you will investigate a high-speed identity-based attack. Starting from an edge device exploitation, an adversary moves laterally to a domain-joined workstation and targets Active Directory. You must analyze SIEM logs for Kerberos ticket anomalies (RC4 encryption), correlate XDR process trees for Impacket usage, and identify the 'malware-free' techniques used to escalate privileges to Domain Admin.
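The "Kerberos ticket anomalies (RC4 encryption)" the scenario asks you to hunt for surface in Windows Security Event ID 4769 as TicketEncryptionType 0x17 requests for service accounts, typically many distinct SPNs from one user in a short burst. The following detection logic is an added example, not material from the operation or its platform; the events are constructed sample records with the real 4769 field names, and the thresholds are assumptions to tune per environment.

```python
"""Flag Kerberoasting-style TGS requests in Windows Security Event ID 4769 data.

Added example, not taken from the operation. SAMPLE_EVENTS is constructed;
real 4769 events carry the same fields (TargetUserName, ServiceName,
TicketEncryptionType) plus a timestamp (here an integer 'ts' in seconds).
"""
from collections import defaultdict

RC4_HMAC = 0x17  # TicketEncryptionType for RC4-HMAC; AES256/AES128 are 0x12/0x11

def is_roastable(ev):
    """True for an RC4 ticket request aimed at a user-style service account.
    TGT requests (krbtgt) and machine accounts (name ends in '$') are excluded:
    their hashes are not crackable offline the way a weak service-account password is."""
    svc = ev["ServiceName"]
    if ev["TicketEncryptionType"] != RC4_HMAC:
        return False
    return not (svc.lower() == "krbtgt" or svc.endswith("$"))

def find_roasting(events, window=300, min_services=3):
    """Return {user: sorted services} for users that requested RC4 tickets for
    at least `min_services` distinct services within `window` seconds."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_roastable(ev):
            by_user[ev["TargetUserName"]].append(ev)
    hits = {}
    for user, evs in by_user.items():
        for i, first in enumerate(evs):          # sliding window anchored on each event
            in_window = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            services = {e["ServiceName"] for e in in_window}
            if len(services) >= min_services:
                hits[user] = sorted(services)
                break
    return hits

def rc4_downgrades(events):
    """Every roastable RC4 request on its own, for a lower-severity 'etype downgrade'
    alert in a domain where AES is the expected encryption type."""
    return [(e["TargetUserName"], e["ServiceName"]) for e in events if is_roastable(e)]

# Constructed sample: 'alice' bursts RC4 requests for several SPNs (roast pattern);
# 'bob' makes a single RC4 request (downgrade only); 'carol' uses AES (benign).
SAMPLE_EVENTS = [
    {"ts": 100, "TargetUserName": "alice", "ServiceName": "krbtgt",     "TicketEncryptionType": 0x12},
    {"ts": 101, "TargetUserName": "alice", "ServiceName": "svc_sql",    "TicketEncryptionType": 0x17},
    {"ts": 102, "TargetUserName": "alice", "ServiceName": "svc_web",    "TicketEncryptionType": 0x17},
    {"ts": 103, "TargetUserName": "alice", "ServiceName": "WKS01$",     "TicketEncryptionType": 0x17},
    {"ts": 104, "TargetUserName": "alice", "ServiceName": "svc_backup", "TicketEncryptionType": 0x17},
    {"ts": 900, "TargetUserName": "bob",   "ServiceName": "svc_sql",    "TicketEncryptionType": 0x17},
    {"ts": 901, "TargetUserName": "carol", "ServiceName": "svc_sql",    "TicketEncryptionType": 0x12},
]

if __name__ == "__main__":
    print(find_roasting(SAMPLE_EVENTS))   # {'alice': ['svc_backup', 'svc_sql', 'svc_web']}
    print(rc4_downgrades(SAMPLE_EVENTS))
```

In a real SIEM query the same two signals (RC4 etype on a service account, and a burst of distinct SPNs per requester) map directly onto the 4769 fields used here.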

55m · 8 tasks · 50 points · Pro


Investigation Tasks

Complete each task by investigating alerts and submitting your findings.

1. Clear the Baseline Noise on corp-wks-002 (5 points)

You have been paged on suspicious activity touching corp-wks-002, and the first discipline of triage is separating attacker traffic from routine business noise. Early in the day this host made an outbound DNS lookup from its email client that needs to be reviewed and cleared as expected baseline behavior before you commit time to the real intrusion. Review the network telemetry for the host and identify the exact remote server address the mail client resolved.

2. Find the Interpreter at the Root of the Malicious Chain (10 points)

With the routine traffic ruled out, turn to the real lead: EDR flagged an unusual execution chain on corp-wks-002 where a third-party command-line utility spawned a series of system shells. Somewhere at the bottom of that chain an interpreter was launched to run an attacker script — and identifying it anchors everything that follows. Reconstruct the process hierarchy on the host and name the interpreter that was spawned as a child of the command shell.

3. Identify the Script the Interpreter Executed (10 points)

Having pinned the interpreter at the root of the chain, the next question is what it actually ran. The interpreter was invoked with a command line pointing at a script staged in a temporary directory — that script is the tooling the adversary used to operate against the environment. Inspect the endpoint telemetry for the interpreter process and recover the exact filename of the script it executed.

4. Pin the Final-Stage Process in the Execution Chain (5 points)

You now know the interpreter and the script it ran, but to track this process across the rest of the telemetry you need a precise handle on it. The execution chain on corp-wks-002 runs from the third-party utility through a command shell down to the process that actually carried out the attacker's action. Reconstruct that chain in the XDR process tree and report the process identifier of the final-stage process.

5. Determine Where the Tooling Moved Laterally (5 points)

The final-stage process did not stay on corp-wks-002 — immediately after it launched, it reached out across the internal network to begin moving toward higher-value infrastructure. Establishing which system it targeted defines the scope of the breach and tells you where the attacker went next. Review the endpoint and network telemetry around the execution and identify the internal server the tooling connected to.

6. Identify the Channel Used to Reach the Domain Controller (5 points)

You have established that the tooling moved from the workstation to the internal server; now characterize how that connection was made. The protocol and service it rode in on tell you what the attacker was abusing for remote execution and credential operations, which shapes both your detection logic and your containment. Examine the single successful connection from the final-stage process to the internal server and determine the network service it used.

7. Trace Where the Staged Data Was Sent (5 points)

Days after the lateral movement, the operators returned to their objective: collection and exfiltration. Archiving activity on dc-prod-01 bundled user documents, and shortly afterward the host opened an outbound session to a system outside the corporate estate. Recovering that destination is what lets you assess data loss and feed the indicator to blocking and threat intel. Analyze the network event messages following the archiving activity and determine where the data was being sent.

8. Identify the Attacker's Final Hands-on-Keyboard Action (5 points)

The last thread to close is the attacker's most recent interactive activity on corp-wks-002. After the exfiltration, monitoring flagged hands-on-keyboard behavior under anita.garcia's account — a lightweight process the operator launched directly to read or stage files on the box. Pinning this down confirms how late the intruder was still active and completes your timeline. Analyze the SIEM process-create events for this user and host and determine which process the attacker launched.



Skills You'll Build

  • Investigate realistic security alerts
  • SIEM log analysis
  • XDR log analysis
  • MITRE ATT&CK® technique identification
  • Triage decisions: escalate, investigate, or close
  • Evidence collection and documentation
  • Job-ready incident response methodology

Difficulty: Intermediate

Requires foundational alert triage skills. Multiple data sources to correlate.

Prerequisites

  • Basic understanding of security alerts
  • Familiarity with SIEM concepts
  • Familiarity with XDR concepts


More Operations

Beginner · SIEM

Credential Harvesting: The Lookalike Login

Investigate an adversary-in-the-middle (AiTM) credential phishing campaign that lured an employee to a lookalike Microsoft 365 login page. Working entirely from SIEM logs, you will identify the lookalike domain, reconstruct the multi-hop redirect chain through a compromised legitimate site, uncover a secondary phishing wave against another employee, and confirm account takeover in Azure AD sign-in logs via impossible travel and session-token replay. You finish by choosing the containment action that actually evicts an attacker holding a valid session token. Foundational skills for SOC analysts in lookalike-domain analysis and identity-centric incident response.

40m · 25 pts

Beginner · XDR · SIEM

Malicious npm Package: Postinstall Infostealer

A developer at a software company installs a typosquatted npm package. The package's postinstall hook silently reads environment variables, SSH keys, and cloud credentials from the user profile and POSTs them to an attacker endpoint before the terminal even finishes. Trace the process tree, the file reads, and the exfiltration traffic to reconstruct the full chain.

25m · 25 pts

Beginner · SIEM

QR Code Phishing: Scan to Compromise

In this scenario, you will investigate a modern 'Quishing' (QR phishing) attack that bypassed traditional email filters by hiding its payload inside an image. You will trace the full chain: a spoofed MFA-enrollment lure sent from purpose-built infrastructure, a redirect server that conceals the final destination, and an Evilginx-style adversary-in-the-middle page that stole an authenticated session cookie despite MFA. You will then follow the attacker's post-compromise moves — Graph API mailbox enumeration, SharePoint exfiltration, and a hidden inbox forwarding rule — and choose the containment action that actually evicts them.

30m · 25 pts