Intermediate · SIEM · XDR · Firewall · Pro

Malware Investigation: NetSupport RAT Pokemon Phishing Campaign

Investigate a sophisticated phishing campaign where threat actors distributed the NetSupport Remote Administration Tool (RAT) by disguising it as a popular Pokemon card game. You will analyze the infection chain from the initial web download through persistence mechanisms and command-and-control configuration using SIEM, XDR, and Firewall logs.

45m
5 tasks
160 points
Pro


Investigation Tasks

Complete each task by investigating alerts and submitting your findings.

1. Identify the Initial Phishing Domain (20 points). Answer format: SOC{domain.name}. Hint available.
2. Analyze the Dropper Execution (30 points). Answer format: SOC{md5_hash}. Hint available.
3. Investigate Brute Force Origin (35 points). Identify the source IP address used by the attacker to successfully breach the executive workstation via RDP after multiple failed attempts. Answer format: SOC{...}. Hint available.
4. Extract C2 Configuration (40 points). Answer format: SOC{c2_domain}. Hint available.
5. Identify Masquerading Binaries (35 points). Answer format: SOC{filename.exe}. Hint available.

5 tasks · 160 points total

Skills You'll Build

  • Investigate realistic security alerts
  • SIEM log analysis
  • XDR log analysis
  • Firewall log analysis
  • MITRE ATT&CK technique identification
  • Triage decisions: escalate, investigate, or close
  • Evidence collection and documentation
  • Job-ready incident response methodology

Difficulty: Intermediate. Requires foundational alert triage skills; multiple data sources must be correlated.

Prerequisites

  • Basic understanding of security alerts
  • Familiarity with SIEM concepts
  • Familiarity with XDR concepts
  • Familiarity with Firewall concepts
