
Edge Device Exploitation: VPN Zero-Day
Investigate a sophisticated breach targeting edge security appliances. In this scenario, an advanced persistent threat (APT) actor leverages unauthenticated remote code execution vulnerabilities in SSL-VPN gateways to gain initial access. You will analyze SIEM logs, XDR process trees, and firewall traffic to identify the exploitation of CVE-2025-22457 and CVE-2024-21762, track the rapid 'breakout' to cloud environments, and uncover malware-free persistence mechanisms generated by AI-driven automation.
Investigation Tasks
Complete each task by investigating alerts and submitting your findings.
Tracing the PowerShell Execution Chain (50 points)
On 2025-04-01T07:59:58.747Z, a suspicious sequence of events was triggered on a finance workstation. You must investigate the process ancestry to determine the exact filename of the script that was launched via PowerShell.
Investigating Anomalous Shell Execution on VPN Gateway (100 points)
At 2025-04-01T07:59:58.747Z, an alert was triggered on corp-ivnt-gw-01 indicating a potential command injection via the VPN service. Analyze the process hierarchy to determine which specific child process was spawned during this suspicious event.
Investigating Outbound C2 Communications (15 points)
An alert was triggered for potential command-and-control activity originating from the internal network. You need to inspect the raw message logs in the SIEM panel to determine which external domain the compromised host was attempting to reach during the incident.
Investigating Anomalous Gatekeeper Execution (50 points)
An alert triggered at 2025-04-01T14:00:05.211Z indicating potential post-exploitation activity on the edge gateway. Evidence suggests an attacker may be leveraging existing system binaries to maintain a foothold; analyze the process hierarchy to find the binary involved in this execution chain.
Tracing the Log Source of the Initial Intrusion (35 points)
An alert was triggered involving a suspicious bash process execution on srv-noc-monitor. You need to pivot to the SIEM panel to determine which internal logging system was responsible for feeding this specific security event into our central monitoring platform.
Identifying Suspicious Domain Communication (15 points)
During an IoC-hunting exercise, an analyst flagged unusual outbound traffic originating from a critical server. Investigate the message content within the SIEM panel to pinpoint the specific domain name involved in this network event.
Identifying Defensive Actions on the Perimeter Gateway (45 points)
During the investigation of the corp-ivnt-gw-01 appliance, suspicious outbound traffic was detected originating from the sslvpnd process. You need to determine which automated defensive policy was enacted by the firewall to terminate this connection and prevent further data exfiltration.
Investigating Anomalous Process Persistence on Perimeter Gateway (50 points)
An alert triggered for potential persistence on the corp-ivnt-gw-01 perimeter gateway. Initial telemetry suggests a system process spawned an unusual shell or service; investigate the process hierarchy to find the exact command string used to maintain this session.
8 tasks · 360 points total
Skills You'll Build
Requires foundational alert triage skills. Multiple data sources to correlate.
Prerequisites
- Basic understanding of security alerts
- Familiarity with SIEM concepts
- Familiarity with XDR concepts
- Familiarity with Firewall concepts
More Operations
Scattered Spider: Identity-First Attack Chain
Investigate a high-sophistication intrusion by UNC3944 (Scattered Spider). This scenario simulates a multi-stage attack starting from social engineering and MFA fatigue, progressing through the exploitation of unmanaged edge devices, and culminating in a 'Bring Your Own Vulnerable Driver' (BYOVD) technique to blind kernel-level security agents. Analysts must correlate identity providers, cloud sign-ins, and deep endpoint forensics to reconstruct the timeline and identify the breakout speed of this financially motivated threat actor.
Fake Zoom to Ransomware: The Social Engineering Pipeline
In this advanced SOC simulation, you will investigate a multi-stage intrusion that began with a drive-by download of a trojanized Zoom installer. The attack progressed through several stages of loader execution, including d3f@ckloader and IDAT loader, eventually leading to the deployment of high-end C2 frameworks like Cobalt Strike and Brute Ratel. You must trace the attacker's path from the initial web-based compromise, through lateral movement via RDP tunneling and proxy tools, to the final mass-deployment of BlackSuit ransomware via enterprise management software. This scenario is based on real-world 2025 threat intelligence and requires deep analysis of SIEM, XDR, and Firewall telemetry to reconstruct the full kill chain.
Black Basta: Email Bomb to Encryption
Investigate a sophisticated Ransomware-as-a-Service (RaaS) campaign involving Black Basta and Cactus TTPs. This scenario tracks a multi-stage attack from initial social engineering via Microsoft Teams and Quick Assist to advanced persistence using DLL side-loading in OneDrive. You will analyze how attackers move from identity-based initial access to full domain compromise and ESXi virtualization host encryption. The investigation requires correlating evidence across SIEM logs, XDR process trees, and firewall traffic to uncover hidden C2 channels and data exfiltration patterns occurring during off-hours.