
SocGholish: The Fake Browser Update
Investigate a drive-by download attack where a compromised WordPress site delivered a highly obfuscated JavaScript loader using UTF-8 homoglyphs to evade detection. Trace the execution from the browser to system reconnaissance and the deployment of a Python-based backdoor used by RansomHub affiliates.
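As an added example (not part of the operation's materials or the vendor's tooling), the following Python script shows one way an analyst can surface the homoglyph trick described above: it extracts JavaScript-style identifiers from a script and flags those that contain non-ASCII letters or mix Latin with Cyrillic/Greek code points, reporting an ASCII "skeleton" so the impersonated built-in name (document, update, obj) is visible. The sample JavaScript, the CONFUSABLES table and the function names are constructed for illustration and are assumptions, not artifacts from the SocGholish case.

```python
import re
import unicodedata

# Constructed sample (not from the operation): JavaScript in the style the page
# describes, where identifiers mix ASCII letters with look-alike Cyrillic/Greek
# code points. Written with escapes so each substitution is visible in the source.
SAMPLE_JS = (
    "var docum\u0435nt = window.document;\n"   # U+0435 CYRILLIC SMALL LETTER IE
    "function upd\u0430te() { return 1; }\n"   # U+0430 CYRILLIC SMALL LETTER A
    "var normal = 42;\n"
    "var \u03bfbj = {};\n"                     # U+03BF GREEK SMALL LETTER OMICRON
)

# Hand-picked subset of Unicode confusables mapped to their ASCII look-alikes
# (assumption: extend from the Unicode confusables table for production use).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u03bf": "o", "\u03b1": "a", "\u0391": "A", "\u0392": "B", "\u0395": "E",
}

# JavaScript-ish identifier: a non-digit word character followed by word characters.
# Python's str regexes are Unicode-aware, so \w matches Cyrillic and Greek letters too.
IDENT_RE = re.compile(r"[^\W\d]\w*")


def script_of(ch):
    """Coarse script class (LATIN / CYRILLIC / GREEK / OTHER) from the character name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "OTHER"


def ascii_skeleton(ident):
    """Replace known confusables with their ASCII look-alikes."""
    return "".join(CONFUSABLES.get(c, c) for c in ident)


def scan_identifiers(source):
    """Return every identifier that contains non-ASCII letters, with its
    ASCII skeleton, the scripts it mixes, and the 1-based line it appears on."""
    hits = []
    for m in IDENT_RE.finditer(source):
        ident = m.group()
        if ident.isascii():
            continue
        scripts = sorted({script_of(c) for c in ident if c.isalpha()})
        hits.append({
            "identifier": ident,
            "skeleton": ascii_skeleton(ident),
            "scripts": scripts,
            "mixed": len(scripts) > 1,
            "line": source.count("\n", 0, m.start()) + 1,
        })
    return hits


if __name__ == "__main__":
    for hit in scan_identifiers(SAMPLE_JS):
        print(hit)
```

Presence of non-ASCII letters alone is a weak signal, since legitimate code in non-English projects uses them; the stronger triage signals are the `mixed` flag (Latin and Cyrillic in one identifier) and a skeleton that collides with a well-known global such as `document` or `eval`. Real loaders often arrive with the characters encoded as escape sequences or inside a further layer of obfuscation, so run the check on the decoded script rather than the raw download.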
Start this operation
Create your free account and begin immediately.
Get Early Access — Free. Free forever — no credit card required
Investigation Tasks
Complete each task by investigating alerts and submitting your findings.
Identifying the Script Execution Engine
(15 points) An alert was triggered on corp-wks-105 involving user t.smith. Several events recorded between 10:26:26.754Z and 10:26:32.357Z indicate that a script-based execution occurred; you need to find the specific system binary that handled the script execution.
Identifying Malicious File Artifacts
(15 points) An alert was triggered on workstation corp-wks-105 involving a suspicious process executed by user t.smith. You need to investigate the XDR data to determine the specific file packaging format used by the attacker to bundle their malicious payload.
Investigating Suspicious Script Execution
(15 points) An alert was triggered indicating a suspicious script execution on a corporate workstation. You need to review the behavioral logs for corp-wks-105 to determine which file was launched during the reported event at 2025-05-01T16:54:11.590Z.
Identify Suspicious Process Execution
(15 points) An alert was triggered for workstation corp-wks-105 involving the user t.smith. You need to examine the SIEM logs to determine which process was used to execute commands during the initial discovery phase of the incident.
Identifying the Target Host
(15 points) After gaining initial access, the adversary attempted to move laterally within the corporate environment to escalate privileges. Review the centralized log data to determine the hostname of the domain controller that recorded the suspicious authentication attempt.
Identifying the Compromised Endpoint
(15 points) An automated alert triggered at 2025-05-01T08:30:05.705Z indicating a potential unauthorized login attempt. You need to access the SIEM logs to determine which specific machine in the corporate network was the target of this activity.
6 tasks · 90 points total
Skills You'll Build
Ideal for newcomers to SOC operations. Guided investigation with clear indicators.
Prerequisites
- No prior experience required
- Familiarity with SIEM concepts
- Familiarity with XDR concepts
More Operations
ClickFix: The Fake CAPTCHA Trap
Investigate a modern 'ClickFix' social engineering attack where a user was tricked into executing a malicious PowerShell command via a fake CAPTCHA interface. You will analyze SIEM and XDR telemetry to trace the infection from the initial web lure to the deployment of an infostealer.
Phishing Investigation: ZipLine Supply Chain Campaign
Investigate a sophisticated social engineering campaign targeting manufacturing supply chains. You will analyze a 'reversed' phishing flow where attackers use 'Contact Us' forms to trick employees into initiating email conversations, leading to the deployment of the custom MixShell in-memory implant via DNS tunneling.
Credential Harvesting: The Lookalike Login
An investigation into a modern phishing campaign targeting critical infrastructure. You will analyze email headers for domain spoofing, identify 'Paste and Run' execution chains, and track the delivery of the LummaC2 information stealer through SIEM logs.