Skip to main content
Cobalt Strike and SOCKS: 11 Days to LockBit operation cover
COMING SOONAdvancedPRO

Cobalt Strike and SOCKS: 11 Days to LockBit

An eleven-day, hands-on-keyboard intrusion that began with a phishing message and ended in enterprise-wide LockBit ransomware. The operator hid a Cobalt Strike beacon in a trusted Windows process, ran a pair of SOCKS proxies for pivoting, dumped LSASS and the Active Directory database, and exfiltrated data to a cloud share and FTP drops before encrypting the estate. Reconstruct the full kill chain from SIEM, endpoint XDR, and perimeter firewall telemetry, and classify the key ATT&CK techniques.

1h 40m
9 tasks
150 points
Pro

Launches tomorrow

Jul 3, 2026

Friday, July 3, 2026 at 9:00 AM

View Pro plans

Pro unlocks this operation at launch.

Training Tools

SIEMXDRFirewall

What you'll investigate

9 objectives unlock when this operation goes live.

1Incident brief
2Find the initial payload
3Classify the beacon's hiding technique
4Separate the pivots from the command channel
5Recover the harvested administrator
6Classify the domain controller credential theft
7Trace the cloud exfiltration
8Recover the encryptor indicator
9Classify the encryptor deployment

Be first when it launches

Create your account and grab Pro before launch. The moment this operation goes live on Jul 3, 2026, you can jump straight in.

Get Started Free

No credit card required — free forever