
Cobalt Strike and SOCKS: 11 Days to LockBit
An eleven-day, hands-on-keyboard intrusion that began with a phishing message and ended in enterprise-wide LockBit ransomware. The operator hid a Cobalt Strike beacon in a trusted Windows process, ran a pair of SOCKS proxies for pivoting, dumped LSASS and the Active Directory database, and exfiltrated data to a cloud share and FTP drops before encrypting the estate. Reconstruct the full kill chain from SIEM, endpoint XDR, and perimeter firewall telemetry, and classify the key ATT&CK techniques.
Launches tomorrow
Friday, July 3, 2026 at 9:00 AM
Pro unlocks this operation at launch.
Training Tools
What you'll investigate
9 objectives unlock when this operation goes live.
Be first when it launches
Create your account and grab Pro before launch. The moment this operation goes live on Jul 3, 2026, you can jump straight in.
Get Started FreeNo credit card required — free forever