Skip to main content
Building a Backdoor operation cover
COMING SOONIntermediatePRO

Building a Backdoor

Velodraft Systems runs its release pipeline on a self-hosted TeamCity server that was left accessible from the internet on an unpatched build. An attacker exploited an authentication-bypass flaw to create a rogue administrator without credentials, harvested stored VCS secrets and cloud keys, then planted a malicious build step in the production release pipeline. When the next scheduled build fired, both CI build agents pulled and executed an implant that beaconed out to an attacker-controlled domain. Reconstruct the intrusion chain from the TeamCity audit trail and the build-agent XDR data.

50m
7 tasks
50 points
Pro

Launches in 5 days

Jul 14, 2026

Tuesday, July 14, 2026 at 9:00 AM

View Pro plans

Pro unlocks this operation at launch.

Training Tools

SIEMXDR

What you'll investigate

7 objectives unlock when this operation goes live.

1Identify the entry point
2Trace the rogue account
3Locate the pipeline modification
4Find where the implant was staged
5Identify the implant on disk
6Map the persistence method to MITRE
7Trace the C2 beacon destination

Be first when it launches

Create your account and grab Pro before launch. The moment this operation goes live on Jul 14, 2026, you can jump straight in.

Get Started Free

No credit card required — free forever