Advanced · SIEM · XDR · Pro

Scattered Spider: Identity-First Attack Chain

Investigate a high-sophistication intrusion by UNC3944 (Scattered Spider). This scenario simulates a multi-stage attack starting from social engineering and MFA fatigue, progressing through the exploitation of unmanaged edge devices, and culminating in a 'Bring Your Own Vulnerable Driver' (BYOVD) technique to blind kernel-level security agents. Analysts must correlate identity providers, cloud sign-ins, and deep endpoint forensics to reconstruct the timeline and identify the breakout speed of this financially motivated threat actor.

1h 30m
10 tasks
150 points
Pro


Investigation Tasks

Complete each task by investigating alerts and submitting your findings.

Task 1: Investigating Lateral Movement and Credential Dumping (10 points)

The actor used service-based access to reach corp-srv-ad01 and run credential-dumping tooling against the domain database. Review the XDR timeline around Domain Controller access and identify the Impacket script responsible for the credential dump.

Answer format: SOC{...}

Task 2: Fingerprinting the Vulnerable Driver (BYOVD) (10 points)

kdmapper.exe was used to manually map an unsigned, vulnerable driver into the kernel — a Bring-Your-Own-Vulnerable-Driver (BYOVD) technique to bypass Driver Signature Enforcement. On corp-wks-8821, identify the SHA-256 hash of the vulnerable driver file that was dropped to disk and loaded.

Answer format: SOC{...}

Task 3: Uncovering Kernel-Level Persistence Artifacts (10 points)

A mapper process on corp-wks-8821 is loading a driver into kernel memory. Review the command line and resulting file artifacts in the driver-loading phase to identify the driver being manually mapped.

Answer format: SOC{...}

Task 4: Investigating Execution Anomalies on corp-wks-8821 (10 points)

A high-severity alert was triggered when a user account, claudia.vance, executed a process that attempted to bypass local security controls. Analysts must review the event descriptions within the XDR Timeline to determine which interpreter was invoked to facilitate this activity.

Answer format: SOC{...}

Task 5: Investigating Kernel-Level Persistence on corp-wks-8821 (10 points)

An alert triggered for potential driver manual mapping on corp-wks-8821. Review the process tree for services.exe to find the malicious binary executed by the SYSTEM account that attempted to bypass security controls.

Answer format: SOC{...}

Task 6: Investigating Kernel-Level Persistence via Driver Loading (10 points)

The adversary successfully executed kdmapper.exe on the corp-wks-8821 workstation to bypass driver signature enforcement. You must determine the exact name of the malicious driver file that was dropped and executed during this sequence to establish the extent of kernel-level compromise.

Answer format: SOC{...}

Task 7: Tracing the Origin of the Kernel-Mode Driver Load (10 points)

During later driver-mapper activity on corp-wks-8821, SIEM records include the telemetry provider that reported the process start. Examine the event metadata and determine which source or log provider reported the activity.

Answer format: SOC{...}

Task 8: Unusual DNS Resolution on corp-wks-8821 (10 points)

The workstation generated a DNS query tied to driver-mapper activity. Review SIEM DNS events from that phase and determine the queried domain.

Answer format: SOC{...}

Task 9: Investigating Suspicious Beaconing Activity (10 points)

Shortly after suspicious execution on corp-wks-8821, the host opened outbound traffic to unauthorized infrastructure. Analyze endpoint network activity to determine the destination used for command-and-control or exfiltration staging.

Answer format: SOC{...}

Task 10: Phishing Reconstruction: Identifying the Initial Entry Document (10 points)

An alert triggered for suspicious driver loading via kdmapper.exe, but we need to trace the execution chain back to the start. Analyze the SIEM event messages for host corp-wks-8821 to find which productivity application was used to launch the initial stage of the attack.

Answer format: SOC{...}

10 tasks · 100 points total

Skills You'll Build

  • Investigate realistic security alerts
  • SIEM log analysis
  • XDR log analysis
  • MITRE ATT&CK® technique identification
  • Triage decisions: escalate, investigate, or close
  • Evidence collection and documentation
  • Job-ready incident response methodology

Difficulty: Advanced

Complex multi-stage investigations. Realistic noise, ambiguous indicators, lateral movement.

Prerequisites

  • Basic understanding of security alerts
  • Experience with log analysis tools
  • Familiarity with SIEM concepts
  • Familiarity with XDR concepts


More Operations

Beginner · SIEM

Credential Harvesting: The Lookalike Login

Investigate an adversary-in-the-middle (AiTM) credential phishing campaign that lured an employee to a lookalike Microsoft 365 login page. Working entirely from SIEM logs, you will identify the lookalike domain, reconstruct the multi-hop redirect chain through a compromised legitimate site, uncover a secondary phishing wave against another employee, and confirm account takeover in Azure AD sign-in logs via impossible travel and session-token replay. You finish by choosing the containment action that actually evicts an attacker holding a valid session token. Foundational skills for SOC analysts in lookalike-domain analysis and identity-centric incident response.

40m · 25 pts

Beginner · XDR · SIEM

Malicious npm Package: Postinstall Infostealer

A developer at a software company installs a typosquatted npm package. The package's postinstall hook silently reads environment variables, SSH keys, and cloud credentials from the user profile and POSTs them to an attacker endpoint before the terminal even finishes. Trace the process tree, the file reads, and the exfiltration traffic to reconstruct the full chain.

25m · 25 pts

Beginner · SIEM

QR Code Phishing: Scan to Compromise

In this scenario, you will investigate a modern 'Quishing' (QR phishing) attack that bypassed traditional email filters by hiding its payload inside an image. You will trace the full chain: a spoofed MFA-enrollment lure sent from purpose-built infrastructure, a redirect server that conceals the final destination, and an Evilginx-style adversary-in-the-middle page that stole an authenticated session cookie despite MFA. You will then follow the attacker's post-compromise moves — Graph API mailbox enumeration, SharePoint exfiltration, and a hidden inbox forwarding rule — and choose the containment action that actually evicts them.

30m · 25 pts