
Rogue RMM: Unauthorized Remote Access
In 2025, Remote Monitoring and Management (RMM) abuse surged by 277%. Threat actors increasingly leverage legitimate tools such as ScreenConnect and AnyDesk to bypass security controls and maintain persistent access, because a signed RMM agent rarely trips endpoint controls on its own. In this scenario, you will investigate a suspicious installation on an accounting department workstation. You'll need to distinguish authorized administrative activity from a 'SilentConnect' infection that uses VBScript lures and PEB masquerading (the process rewrites its own Process Environment Block so that tools which read the image name and command line from the PEB see a benign process) to hide its presence.
Investigation Tasks
Complete each task by investigating alerts and submitting your findings.
Tracing Persistence Mechanisms on acc-wks-042 (15 points)
An alert triggered for user sarah.jones regarding an unusual file creation event in a system directory. Investigate the XDR telemetry for acc-wks-042 to determine the exact location and name of the artifact dropped during this incident.
Identifying the Compromised Internal Endpoint (15 points)
A security alert triggered on 2025-05-01T20:10:07.782Z indicating suspicious outbound activity. Investigate the network traffic to determine which internal device was communicating with an external malicious actor.
Identifying the Compromised Host (15 points)
An automated alert triggered on May 9th indicating potential unauthorized access in the accounting department network. Review the SIEM logs at the exact time of the alert to identify which machine was the primary source of the activity.
Identify Suspicious Management Console Activity (15 points)
An unusual administrative session was detected on the file server acc-srv-file01. Investigate the SIEM logs to determine which system utility was launched by the admin_it account to potentially modify system configurations.
Identifying Malicious Script Artifacts (15 points)
During a routine audit of workstation acc-wks-042, an unusual script execution was flagged in the logs at 2025-05-05T14:25:23.358Z. Examine the SIEM content to determine the exact name of the file that was identified as the primary artifact of this incident.
Identifying the Source of Anomalous Lateral Traffic (15 points)
Our monitoring system flagged an unusual connection attempt targeting our core infrastructure. Investigate the firewall traffic to determine which host was communicating with the sensitive server during the suspected compromise window.
6 tasks · 90 points total
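The tasks above pivot on the same few signals: a script host writing into a system directory, an RMM binary running from somewhere other than its install location, a process whose self-reported (PEB) image name disagrees with the kernel-reported path, and outbound connections from the processes that those checks flag. The triage helper below, an added example and not part of the scenario or its answer key, runs those checks over a handful of constructed NDJSON events. The host and user names are the ones this page mentions; every path, PID, timestamp, IP address (documentation ranges) and the `peb_image` field are constructed placeholders, and the artifact names deliberately do not match anything in the scenario.

```python
"""Triage helper for rogue-RMM investigations (added example with constructed data)."""
import json

# Directories a user-launched script should never drop executables into.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\programdata\\")
# Where an authorized RMM agent is installed; anywhere else is a finding.
TRUSTED_INSTALL_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
# Agent binaries of the RMM tools named on the page (lower-case basenames).
RMM_BINARIES = {"anydesk.exe", "screenconnect.clientservice.exe",
                "screenconnect.windowsclient.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed telemetry. `image` stands for the kernel-reported image path
# (e.g. Sysmon Event ID 1 Image); `peb_image` is a hypothetical field carrying
# what the process's own PEB claims, which is what a masquerading sample rewrites.
SAMPLE_NDJSON = r"""
{"ts":"2025-05-05T14:25:23Z","type":"process_create","host":"acc-wks-042","user":"sarah.jones","pid":4120,"ppid":1388,"image":"C:\\Windows\\System32\\wscript.exe","peb_image":"C:\\Windows\\System32\\wscript.exe","cmdline":"wscript.exe C:\\Users\\sarah.jones\\Downloads\\EXAMPLE_invoice.vbs"}
{"ts":"2025-05-05T14:25:24Z","type":"file_create","host":"acc-wks-042","user":"sarah.jones","pid":4120,"image":"C:\\Windows\\System32\\wscript.exe","target":"C:\\ProgramData\\EXAMPLE\\ScreenConnect.ClientService.exe"}
{"ts":"2025-05-05T14:25:26Z","type":"process_create","host":"acc-wks-042","user":"sarah.jones","pid":4388,"ppid":4120,"image":"C:\\ProgramData\\EXAMPLE\\ScreenConnect.ClientService.exe","peb_image":"C:\\Windows\\System32\\svchost.exe","cmdline":"svchost.exe -k netsvcs"}
{"ts":"2025-05-05T14:25:31Z","type":"network_connect","host":"acc-wks-042","pid":4388,"image":"C:\\ProgramData\\EXAMPLE\\ScreenConnect.ClientService.exe","dst_ip":"203.0.113.45","dst_port":443}
{"ts":"2025-05-05T15:02:10Z","type":"process_create","host":"acc-srv-file01","user":"admin_it","pid":2204,"ppid":1776,"image":"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe","peb_image":"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe","cmdline":"AnyDesk.exe --service"}
{"ts":"2025-05-05T15:02:12Z","type":"network_connect","host":"acc-srv-file01","pid":2204,"image":"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe","dst_ip":"198.51.100.7","dst_port":443}
"""


def norm(path):
    return path.replace("/", "\\").lower()


def basename(path):
    return norm(path).rsplit("\\", 1)[-1]


def parse_events(ndjson):
    events = [json.loads(line) for line in ndjson.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])  # uniform ISO-8601 'Z' stamps sort lexically
    return events


def system_dir_drops(events):
    """File creations inside a system directory by a script host, or by any
    process whose own image does not live under a trusted location."""
    out = []
    for e in events:
        if e["type"] != "file_create" or not norm(e["target"]).startswith(SYSTEM_DIRS):
            continue
        creator = norm(e["image"])
        if basename(creator) in SCRIPT_HOSTS or not creator.startswith(
                TRUSTED_INSTALL_DIRS + ("c:\\windows\\",)):
            out.append(e)
    return out


def peb_mismatches(events):
    """process_create events whose PEB-reported name differs from the kernel-reported path."""
    return [e for e in events if e["type"] == "process_create"
            and "peb_image" in e and norm(e["peb_image"]) != norm(e["image"])]


def rogue_rmm(events):
    """RMM agent binaries executing from outside a trusted install directory.
    Uses the kernel-reported path, so a rewritten PEB does not hide the binary."""
    return [e for e in events if e["type"] == "process_create"
            and basename(e["image"]) in RMM_BINARIES
            and not norm(e["image"]).startswith(TRUSTED_INSTALL_DIRS)]


def outbound_from(events, flagged):
    """Network connections made by (host, pid) pairs that an earlier check flagged."""
    return [e for e in events if e["type"] == "network_connect"
            and (e["host"], e["pid"]) in flagged]


def triage(ndjson):
    events = parse_events(ndjson)
    drops, masq, rmm = system_dir_drops(events), peb_mismatches(events), rogue_rmm(events)
    conns = outbound_from(events, {(e["host"], e["pid"]) for e in masq + rmm})
    return {
        "hosts": sorted({e["host"] for e in drops + masq + rmm + conns}),
        "drops": [e["target"] for e in drops],
        "masquerading": [(e["image"], e["peb_image"]) for e in masq],
        "rogue_rmm": [e["image"] for e in rmm],
        "c2": [f'{e["dst_ip"]}:{e["dst_port"]}' for e in conns],
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_NDJSON), indent=2))
```

On the constructed data only acc-wks-042 is flagged: the AnyDesk session on acc-srv-file01 runs from its install directory with a consistent PEB, which is the authorized-versus-rogue distinction the scenario asks you to make. The `peb_image` comparison is the important caveat: anything that trusts the process's own PEB (many user-mode process listers do) will report the masquerading agent as `svchost.exe`, so the check must be anchored on the path the kernel recorded at process creation.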
Skills You'll Build
Ideal for newcomers to SOC operations. Guided investigation with clear indicators.
Prerequisites
- No prior experience required
- Familiarity with SIEM concepts
- Familiarity with XDR concepts
More Operations
ClickFix: The Fake CAPTCHA Trap
Investigate a modern 'ClickFix' social engineering attack where a user was tricked into executing a malicious PowerShell command via a fake CAPTCHA interface. You will analyze SIEM and XDR telemetry to trace the infection from the initial web lure to the deployment of an infostealer.
Phishing Investigation: ZipLine Supply Chain Campaign
Investigate a sophisticated social engineering campaign targeting manufacturing supply chains. You will analyze a 'reversed' phishing flow where attackers use 'Contact Us' forms to trick employees into initiating email conversations, leading to the deployment of the custom MixShell in-memory implant via DNS tunneling.
Credential Harvesting: The Lookalike Login
An investigation into a modern phishing campaign targeting critical infrastructure. You will analyze email headers for domain spoofing, identify 'Paste and Run' execution chains, and track the delivery of the LummaC2 information stealer through SIEM logs.