
Malware Investigation: Emotet Epoch 4 Binary Padding Evasion
Investigate a resurgence of the Emotet botnet (Epoch 4) utilizing advanced defense evasion techniques. Trace the infection from a macro-enabled document to the deployment of inflated DLL payloads designed to bypass sandbox and scan engine limitations through binary padding. Analyze process hollowing of system utilities and the deployment of modular stealer components.
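The binary-padding evasion described above (a DLL inflated until it exceeds the file-size limit of a sandbox or scan engine) can be triaged without waiting on a scanner. The following Python check is an added example, not code or telemetry from this operation: it parses only the PE section table, treats everything after the last section's raw data as the overlay, and flags the file when that overlay is large and dominated by one byte value. The thresholds, the constructed one-section PE image and its 512 KiB zero overlay are assumptions for illustration.

```python
"""Flag PE files inflated with a low-entropy overlay (binary padding)."""
import math
import struct
from collections import Counter

OVERLAY_MIN_BYTES = 256 * 1024   # assumed threshold; small overlays (signatures, installers) are common
DOMINANT_BYTE_MIN = 0.90         # assumed threshold: share of the overlay made of a single byte value


def section_data_end(pe: bytes) -> int:
    """Return the file offset where the last section's raw data ends.

    Walks the COFF header and section table; everything past this offset is
    the overlay, which the loader never maps into the image.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    end = table + 40 * num_sections          # at least the end of the section table itself
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyze_overlay(pe: bytes) -> dict:
    """Measure the overlay and decide whether the file looks padded."""
    end = section_data_end(pe)
    overlay = pe[end:]
    dominant = max(Counter(overlay).values()) / len(overlay) if overlay else 0.0
    return {
        "file_size": len(pe),
        "mapped_size": end,
        "overlay_size": len(overlay),
        "overlay_entropy": round(shannon_entropy(overlay), 3),
        "dominant_byte_fraction": round(dominant, 3),
        "inflated": len(overlay) >= OVERLAY_MIN_BYTES and dominant >= DOMINANT_BYTE_MIN,
    }


def build_minimal_pe(code: bytes, overlay: bytes = b"") -> bytes:
    """Constructed sample: a one-section PE32+ image (assumption, not a real Emotet DLL)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240
    # Machine=AMD64, 1 section, SizeOfOptionalHeader, Characteristics=EXECUTABLE|LARGE_ADDRESS_AWARE|DLL
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x2022)
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)        # PE32+ magic, rest zeroed
    raw_ptr = (e_lfanew + 4 + 20 + opt_size + 40 + 0x1FF) & ~0x1FF  # 512-byte file alignment
    section = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, len(code), raw_ptr,
                          0, 0, 0, 0, 0x60000020)                   # CODE|EXECUTE|READ
    header = dos + b"PE\0\0" + coff + opt + section
    header += b"\0" * (raw_ptr - len(header))
    return header + code + overlay


if __name__ == "__main__":
    clean = build_minimal_pe(b"\xC3" * 64)
    padded = build_minimal_pe(b"\xC3" * 64, b"\0" * (512 * 1024))
    for name, sample in (("clean", clean), ("padded", padded)):
        print(name, analyze_overlay(sample))
```

The check looks at the overlay only; padding can also be placed inside a section (a large zero-filled data section), in which case the same dominant-byte and entropy measures should be computed per section from the section table. Because a scan engine that skips oversized files is exactly the gap this technique exploits, the check belongs on the triage host, not behind the scanner.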
Requires a Pro subscription.
Investigation Tasks
Complete each task by investigating alerts and submitting your findings.
- Analyze Initial Macro Execution (5 pts)
- Identify Payload Download Failover (5 pts)
- Detect File Inflation Evasion (10 pts)
- Investigate DLL Execution Method (5 pts)
- Identify Brute Force Origin (10 pts): A series of RDP logon failures followed by a successful authentication suggests a brute-force attack. Identify the external IP address responsible for these attempts on the FIN-WS-04 workstation.
- Identify Loaded Stealer Modules (5 pts)
- Analyze Phishing Delivery Vector (5 pts)
- Trace OneNote Execution Tree (5 pts)
- Identify Evasion Patterns in Archives (5 pts)
- Identify Suspicious Task Creation (5 pts)
- Analyze WMI-Based Tasking (5 pts)
- Detect Hidden Tasks via Registry Deletion (10 pts)
- Trace Process Lineage of Persistence (5 pts)
- Identify Discovery Commands (5 pts)
- Analyze Discovery Lineage (5 pts)
- Detect Account Enumeration (5 pts)
- Inspect Environment Variable Access (10 pts)
- Network Device Reconnaissance (10 pts)
- Analyze Registry Persistence Key (5 pts)
- Trace Process Execution Proxy (5 pts)
- Investigate Encrypted C2 Traffic (5 pts)
- Correlate Phishing Influx (10 pts)
- Identify Secondary Payloads (10 pts)
23 tasks · 150 points total
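The brute-force task above describes a correlation rather than a single alert: many 4625 (failed logon) events from one source, then a 4624 (successful logon) from the same source, both with logon type 10 (RemoteInteractive, i.e. RDP). The Python below is an added example of that logic run over constructed events, not the operation's telemetry or its answer. The event shape, the failure threshold, the 30-minute window, the internal address ranges and the source address 203.0.113.45 (a documentation range standing in for an external host) are all assumptions.

```python
"""Detect RDP brute force: a burst of 4625 failures followed by a 4624 from the same source."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

FAILURE_MIN = 5                  # assumed threshold: failures inside WINDOW before the success
WINDOW = timedelta(minutes=30)   # assumed correlation window
RDP_LOGON_TYPE = 10              # RemoteInteractive
# Assumed address plan for the lab: anything outside these ranges is treated as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _ev(ts, computer, event_id, logon_type, user, ip):
    """Minimal Windows Security log shape (constructed, not real telemetry)."""
    return {"ts": ts, "Computer": computer, "EventID": event_id,
            "LogonType": logon_type, "TargetUserName": user, "IpAddress": ip}


SAMPLE_EVENTS = [
    # external source spraying FIN-WS-04 over RDP, then landing on a valid account
    _ev("2024-05-14T02:11:03Z", "FIN-WS-04", 4625, 10, "administrator", "203.0.113.45"),
    _ev("2024-05-14T02:11:09Z", "FIN-WS-04", 4625, 10, "admin", "203.0.113.45"),
    _ev("2024-05-14T02:11:15Z", "FIN-WS-04", 4625, 10, "finance", "203.0.113.45"),
    _ev("2024-05-14T02:11:22Z", "FIN-WS-04", 4625, 10, "administrator", "203.0.113.45"),
    _ev("2024-05-14T02:11:30Z", "FIN-WS-04", 4625, 10, "mfields", "203.0.113.45"),
    _ev("2024-05-14T02:11:38Z", "FIN-WS-04", 4625, 10, "mfields", "203.0.113.45"),
    _ev("2024-05-14T02:11:51Z", "FIN-WS-04", 4624, 10, "mfields", "203.0.113.45"),
    # same source probing another host, no success
    _ev("2024-05-14T02:12:00Z", "HR-WS-02", 4625, 10, "administrator", "203.0.113.45"),
    _ev("2024-05-14T02:12:07Z", "HR-WS-02", 4625, 10, "admin", "203.0.113.45"),
    # internal user mistypes a password once: below threshold
    _ev("2024-05-14T08:02:10Z", "FIN-WS-04", 4625, 10, "mfields", "10.20.4.15"),
    _ev("2024-05-14T08:02:31Z", "FIN-WS-04", 4624, 10, "mfields", "10.20.4.15"),
    # network (SMB) logon failure, not RDP: ignored by the logon-type filter
    _ev("2024-05-14T09:15:00Z", "FIN-WS-04", 4625, 3, "svc_backup", "203.0.113.45"),
]


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def _ts(e):
    return datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")


def find_rdp_brute_force(events, host=None, failure_min=FAILURE_MIN, window=WINDOW):
    """One finding per (computer, source IP) whose 4624 follows >= failure_min 4625s inside the window."""
    streams = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e.get("LogonType") != RDP_LOGON_TYPE or e["EventID"] not in (4624, 4625):
            continue
        if host and e["Computer"] != host:
            continue
        streams[(e["Computer"], e["IpAddress"])].append(e)

    findings = []
    for (computer, ip), stream in streams.items():
        failures, users = [], set()   # failure timestamps still inside the sliding window
        for e in stream:
            t = _ts(e)
            failures = [f for f in failures if t - f <= window]
            if e["EventID"] == 4625:
                failures.append(t)
                users.add(e["TargetUserName"])
                continue
            if len(failures) >= failure_min:      # a 4624 closing a burst of failures
                findings.append({
                    "computer": computer, "source_ip": ip, "external": is_external(ip),
                    "failures": len(failures), "usernames_tried": sorted(users),
                    "first_failure": failures[0].isoformat(), "success": e["ts"],
                    "compromised_account": e["TargetUserName"],
                })
            failures, users = [], set()           # any success ends the streak
    return findings


def brute_force_sources(events, host):
    """External source addresses that brute-forced `host` successfully."""
    return [f["source_ip"] for f in find_rdp_brute_force(events, host) if f["external"]]


if __name__ == "__main__":
    for f in find_rdp_brute_force(SAMPLE_EVENTS, host="FIN-WS-04"):
        print(f)
```

Keying the streams on (computer, source IP) rather than on the account is what separates spraying from a user who mistypes a password: the external source tried four account names before landing on one, while the internal 10.20.4.15 stream never reaches the threshold. The same correlation is expressed in a SIEM as a join of 4625 and 4624 on Computer and IpAddress with a time bound; the Python is only the reference behaviour to validate that query against.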
Skills You'll Build
Requires foundational alert-triage skills; findings must be correlated across multiple data sources.
Prerequisites
- Basic understanding of security alerts
- Familiarity with SIEM concepts
- Familiarity with XDR concepts
- Familiarity with Firewall concepts
More Operations
ClickFix: The Fake CAPTCHA Trap
Investigate a modern 'ClickFix' social engineering attack where a user was tricked into executing a malicious PowerShell command via a fake CAPTCHA interface. You will analyze SIEM and XDR telemetry to trace the infection from the initial web lure to the deployment of an infostealer.
Phishing Investigation: ZipLine Supply Chain Campaign
Investigate a sophisticated social engineering campaign targeting manufacturing supply chains. You will analyze a 'reversed' phishing flow where attackers use 'Contact Us' forms to trick employees into initiating email conversations, leading to the deployment of the custom MixShell in-memory implant via DNS tunneling.
Credential Harvesting: The Lookalike Login
An investigation into a modern phishing campaign targeting critical infrastructure. You will analyze email headers for domain spoofing, identify 'Paste and Run' execution chains, and track the delivery of the LummaC2 information stealer through SIEM logs.