Credential Harvesting: The Lookalike Login
An investigation into a modern phishing campaign targeting critical infrastructure. You will analyze email headers for domain spoofing, identify 'Paste and Run' execution chains, and track the delivery of the LummaC2 information stealer through SIEM logs.
Investigation Tasks
Complete each task by investigating alerts and submitting your findings.
Identifying the Origin of the Authentication Event (15 points)
Our monitoring system flagged an unusual login attempt for the user admin.bill. To determine the scope of the potential compromise, you must examine the SIEM logs to identify which specific telemetry provider captured this activity.
Identifying Suspicious Initial Execution (15 points)
An alert triggered on corp-wks-105 indicating a potential data exfiltration attempt. You need to investigate the process execution logs in the SIEM panel to determine which legitimate-looking application was used to spawn the malicious outbound request.
Identifying Suspicious Network Connections (15 points)
An alert was triggered at 2026-03-25T10:15:06.837Z indicating a potential breach on a corporate workstation. Investigate the log entries for corp-wks-105 to determine the remote source address involved in the data transfer.
Identify the Compromised Workstation (15 points)
An automated alert indicates that a workstation within the corporate network began communicating with a known malicious IP address. Review the SIEM logs to determine which specific host was involved in this suspicious outbound connection during the initial phase of the attack.
Identifying Malicious Script Execution (15 points)
At 2026-03-25T17:06:38.613Z, a suspicious behavior alert was triggered on host corp-wks-105 involving user jdoe. You must investigate the telemetry to determine the exact name of the Visual Basic script that was dropped and executed during this session.
Investigating Suspicious Script Execution (15 points)
An automated alert triggered on 2026-03-25T08:14:55.979Z indicating a suspicious process launch on a workstation. You need to analyze the logs for the user jdoe to determine the name of the script file that was executed during this event.
6 tasks · 90 points total
Skills You'll Build
Ideal for newcomers to SOC operations. Guided investigation with clear indicators.
Prerequisites
- No prior experience required
- Familiarity with SIEM concepts
More Operations
ClickFix: The Fake CAPTCHA Trap
Investigate a modern 'ClickFix' social engineering attack where a user was tricked into executing a malicious PowerShell command via a fake CAPTCHA interface. You will analyze SIEM and XDR telemetry to trace the infection from the initial web lure to the deployment of an infostealer.
Phishing Investigation: ZipLine Supply Chain Campaign
Investigate a sophisticated social engineering campaign targeting manufacturing supply chains. You will analyze a 'reversed' phishing flow where attackers use 'Contact Us' forms to trick employees into initiating email conversations, leading to the deployment of the custom MixShell in-memory implant via DNS tunneling.
MFA Fatigue: The Notification Flood
In this guided walkthrough, you will investigate a sophisticated identity-led intrusion. An attacker leveraged social engineering via Microsoft Teams and MFA push-bombing to 'log in' rather than 'break in'. You will analyze SIEM authentication patterns and XDR behavioral data to trace the attacker's path from a simple voice call to full environment compromise.