
LOTL Campaign: Blending Into Admin Activity
In 2025, 79% of initial access is malware-free. This training scenario challenges analysts to identify sophisticated 'Living off the Land' (LotL) techniques where attackers use legitimate administrative tools like ntdsutil, netsh, and PowerShell to blend into normal network traffic. You will investigate a campaign targeting a manufacturing firm's Active Directory infrastructure, focusing on identity-based threats that have seen an 850% increase year-over-year.
Investigation Tasks
Complete each task by investigating alerts and submitting your findings.
Investigating Scripting Behavior on wkstn-prod-01 (35 points)
An alert was triggered for an unusual process execution on wkstn-prod-01 involving the user jsmith. Review the XDR telemetry to determine which specific PowerShell-related technique was mapped to this malicious activity.
Identify the Telemetry Source for Host wkstn-prod-01 (50 points)
An alert was triggered for an unusual process execution on wkstn-prod-01 involving the user jsmith. To validate the integrity of the forensic data, identify the exact log source that provided the granular event details for this workstation during the incident.
Investigating Anomalous Outbound Traffic from srv-app-prod (50 points)
The monitoring system flagged an unusual connection originating from srv-app-prod that bypassed the standard proxy. Determine which network port was used for this external communication to assess whether it was a standard service or a potential command-and-control channel.
Investigating Service Installation on Domain Controller (50 points)
An alert was triggered indicating potential lateral movement to the ad-server-01 host. Analyze the security logs to determine which event record confirms the registration of a new system service during the incident window.
Identifying the Primary Log Source (50 points)
During the timeline reconstruction of the initial breach, a suspicious outbound request was observed originating from the workstation assigned to jsmith. Examine the SIEM event details to determine which intermediary security component captured this traffic log.
Identifying Lateral Movement Techniques (50 points)
An alert was triggered indicating that an external source bypassed standard authentication on wkstn-prod-01. Investigate the XDR behavioral detections to determine which specific remote service was exploited for this lateral movement.
Investigating Unauthorized Lateral Movement (15 points)
Around 2025-04-30T07:59:54.956Z, an unusual process was initiated on a production workstation. Analyze the telemetry to determine which local user account was responsible for triggering this activity.
Investigating Outbound Network Communication (15 points)
At 2025-05-15T01:29:54.692Z, an unusual connection was initiated from a production workstation to an external endpoint. Review the SIEM content to determine which specific domain was used for data exfiltration or command-and-control communication.
8 tasks · 315 points total
Skills You'll Build
Requires foundational alert triage skills. Multiple data sources to correlate.
Prerequisites
- Basic understanding of security alerts
- Familiarity with SIEM concepts
- Familiarity with XDR concepts
More Operations
ClickFix: The Fake CAPTCHA Trap
Investigate a modern 'ClickFix' social engineering attack where a user was tricked into executing a malicious PowerShell command via a fake CAPTCHA interface. You will analyze SIEM and XDR telemetry to trace the infection from the initial web lure to the deployment of an infostealer.
Phishing Investigation: ZipLine Supply Chain Campaign
Investigate a sophisticated social engineering campaign targeting manufacturing supply chains. You will analyze a 'reversed' phishing flow where attackers use 'Contact Us' forms to trick employees into initiating email conversations, leading to the deployment of the custom MixShell in-memory implant via DNS tunneling.
Credential Harvesting: The Lookalike Login
An investigation into a modern phishing campaign targeting critical infrastructure. You will analyze email headers for domain spoofing, identify 'Paste and Run' execution chains, and track the delivery of the LummaC2 information stealer through SIEM logs.