Intermediate · SIEM · XDR

Evilginx AiTM: Session Cookie Hijack

In this scenario, you will investigate a sophisticated Adversary-in-the-Middle (AitM) attack targeting a finance employee. You'll analyze cloud sign-in logs, proxy traffic, and XDR telemetry to identify session cookie theft, token replay, and post-compromise persistence. This lab focuses on the Tycoon 2FA PhaaS kit and its ability to bypass MFA by proxying live authentication sessions.

45m · 8 tasks · 300 points · Free

Start this operation

Create your free account and begin immediately.

Get Early Access — Free

Free forever — no credit card required

Investigation Tasks

Complete each task by investigating alerts and submitting your findings.

Task 1: Tracing Malicious C2 Communication (15 points)

After the initial execution of phantomjs.exe on user amanda.garcia's workstation, the process initiated several network connections. Review the XDR Timeline for the host CORP-WKS-082 around 2025-04-20T08:59:56.496Z to determine the destination address of this suspicious traffic.

Answer format: SOC{...} · Hint available
Task 2: Investigating Suspicious PhantomJS Execution (50 points)

Alerts indicate that at 2025-04-20T08:59:57.660Z, an instance of phantomjs.exe was spawned on corp-wks-082. Investigate the process tree to determine which malicious file was being processed or targeted by this scriptable headless browser.

Answer format: SOC{...} · Hint available
Task 3: Investigating PhantomJS Post-Exploitation Activity (35 points)

At 2025-04-25T13:09:59.618Z, an alert triggered for suspicious execution on corp-wks-082 involving the user marcus.vance. Analyze the log entries to determine which native Windows binary was initially used to spawn the phantomjs.exe process.

Answer format: SOC{...} · Hint available
Task 4: Adversary-in-the-Middle Detection (50 points)

At 2025-04-20T10:16:05Z, a suspicious process named phantomjs.exe was observed interacting with domain1.com. Analysts suspect an interception attack was used to harvest credentials. Review the XDR Behaviors panel to find the MITRE ATT&CK technique ID mapped to this activity.

Answer format: SOC{...} · Hint available
Task 5: Post-Exploitation Persistence Analysis (50 points)

After the initial execution of phantomjs.exe on corp-wks-115 at 2025-04-21T14:00:00Z, the adversary targeted the mail server srv-az-mail-01. Investigate the XDR behaviors to determine which specific configuration change was made to the victim's inbox to exfiltrate data.

Answer format: SOC{...} · Hint available
Task 6: Stealing the Crown Jewels: Identifying the Exfiltration Technique (50 points)

At 2025-04-20T10:18:45Z, a suspicious instance of phantomjs.exe was observed interacting with msedge.exe on robert.chen's workstation. The attacker appears to have targeted browser data to bypass multi-factor authentication; determine which MITRE ATT&CK technique the XDR platform mapped to this activity.

Answer format: SOC{...} · Hint available
Task 7: Identifying the Compromised Host (15 points)

An alert was triggered at 2025-04-19T09:11:54.989Z indicating a suspicious process execution involving phantomjs.exe. Determine which internal workstation was the source of this malicious activity so that containment can begin.

Answer format: SOC{...} · Hint available
Task 8: Mapping the PhantomJS Adversary Strategy (35 points)

An alert was triggered when phantomjs.exe was executed on a workstation belonging to amanda.garcia. Examine the XDR Behaviors panel to determine the attacker's primary objective during this phase of the intrusion.

Answer format: SOC{...} · Hint available

8 tasks · 300 points total


Skills You'll Build

  • Investigate realistic security alerts
  • SIEM log analysis
  • XDR log analysis
  • MITRE ATT&CK technique identification
  • Triage decisions: escalate, investigate, or close
  • Evidence collection and documentation
  • Job-ready incident response methodology

Difficulty: Intermediate

Requires foundational alert triage skills. Multiple data sources to correlate.

Prerequisites

  • Basic understanding of security alerts
  • Familiarity with SIEM concepts
  • Familiarity with XDR concepts


More Operations

Advanced · SIEM · XDR

Scattered Spider: Identity-First Attack Chain

Investigate a high-sophistication intrusion by UNC3944 (Scattered Spider). This scenario simulates a multi-stage attack starting from social engineering and MFA fatigue, progressing through the exploitation of unmanaged edge devices, and culminating in a 'Bring Your Own Vulnerable Driver' (BYOVD) technique to blind kernel-level security agents. Analysts must correlate identity providers, cloud sign-ins, and deep endpoint forensics to reconstruct the timeline and identify the breakout speed of this financially motivated threat actor.

1h 30m · 40 pts

Advanced · SIEM · XDR

Fake Zoom to Ransomware: The Social Engineering Pipeline

In this advanced SOC simulation, you will investigate a multi-stage intrusion that began with a drive-by download of a trojanized Zoom installer. The attack progressed through several stages of loader execution, including d3f@ckloader and IDAT loader, eventually leading to the deployment of high-end C2 frameworks like Cobalt Strike and Brute Ratel. You must trace the attacker's path from the initial web-based compromise, through lateral movement via RDP tunneling and proxy tools, to the final mass-deployment of BlackSuit ransomware via enterprise management software. This scenario is based on real-world 2025 threat intelligence and requires deep analysis of SIEM, XDR, and Firewall telemetry to reconstruct the full kill chain.

2h · 40 pts

Advanced · SIEM · XDR

Black Basta: Email Bomb to Encryption

Investigate a sophisticated Ransomware-as-a-Service (RaaS) campaign involving Black Basta and Cactus TTPs. This scenario tracks a multi-stage attack from initial social engineering via Microsoft Teams and Quick Assist to advanced persistence using DLL side-loading in OneDrive. You will analyze how attackers move from identity-based initial access to full domain compromise and ESXi virtualization host encryption. The investigation requires correlating evidence across SIEM logs, XDR process trees, and firewall traffic to uncover hidden C2 channels and data exfiltration patterns occurring during off-hours.

1h 30m · 40 pts