Beginner · SIEM

QR Code Phishing: Scan to Compromise

In this scenario, you will investigate a modern 'Quishing' (QR Phishing) attack that bypassed traditional email filters. You will analyze how attackers exploit complex mail routing and misconfigured spoofing protections to deliver malicious lures that appear to originate from within the organization. Your investigation will cover the initial delivery, the bypass of security controls, and the subsequent unauthorized access following a successful credential harvest via a Tycoon2FA intermediary page.

30m
6 tasks
90 points
Free

Start this operation

Create your free account and begin immediately.

Get Early Access — Free

Free forever — no credit card required

Investigation Tasks

Complete each task by investigating alerts and submitting your findings.

Task 1: Investigating Unauthorized PHP-FPM Network Activity (15 points)

An alert was triggered regarding unusual process behavior on SRV-WEB-PROD-01 involving php-fpm. You need to examine the network logs to determine which specific internal host was identified as compromised during this incident.

Answer format: SOC{...} · Hint available
Task 2: Identifying the Compromised Internal Endpoint (15 points)

An alert was triggered on 2026-03-02T14:25:05Z indicating a suspicious php-fpm process on the SRV-WEB-PROD-01 host. You need to examine the network logs to identify which internal host was targeted and successfully breached by the attacker.

Answer format: SOC{...} · Hint available
Task 3: Identify Malicious External Connection (15 points)

An alert was triggered on SRV-WEB-PROD-01 involving the php-fpm process at 2026-03-07T12:56:53.492Z. You need to examine the firewall traffic to determine which remote server the compromised host attempted to communicate with during this incident.

Answer format: SOC{...} · Hint available
Task 4: Identifying C2 Communications from Compromised Web Server (15 points)

The production server SRV-WEB-PROD-01 showed unusual activity involving the php-fpm process, suggesting a potential web shell or remote execution. You need to determine where the outbound network traffic was directed during the initial stage of the breach.

Answer format: SOC{...} · Hint available
Task 5: Investigating Outbound Network Traffic (15 points)

An alert was triggered for an unauthorized php-fpm process execution on a production web server. Analyze the SIEM logs to determine if the malware attempted to communicate with an external Command and Control (C2) server.

Answer format: SOC{...} · Hint available
Task 6: Investigating Suspicious PHP-FPM Network Connections (15 points)

An alert was triggered on 2026-03-05T08:09:58.375Z indicating that the php-fpm process on SRV-WEB-PROD-01 initiated an unauthorized outbound connection. Review the log messages to determine which domain the malware attempted to reach for command and control.

Answer format: SOC{...} · Hint available

6 tasks · 90 points total


Training Tools

Skills You'll Build

Investigate realistic security alerts
SIEM log analysis
MITRE ATT&CK technique identification
Triage decisions: escalate, investigate, or close
Evidence collection and documentation
Job-ready incident response methodology
Difficulty: Beginner

Ideal for newcomers to SOC operations. Guided investigation with clear indicators.

Prerequisites

  • No prior experience required
  • Familiarity with SIEM concepts


More Operations

Advanced · SIEM · XDR

Scattered Spider: Identity-First Attack Chain

Investigate a high-sophistication intrusion by UNC3944 (Scattered Spider). This scenario simulates a multi-stage attack starting from social engineering and MFA fatigue, progressing through the exploitation of unmanaged edge devices, and culminating in a 'Bring Your Own Vulnerable Driver' (BYOVD) technique to blind kernel-level security agents. Analysts must correlate identity providers, cloud sign-ins, and deep endpoint forensics to reconstruct the timeline and identify the breakout speed of this financially motivated threat actor.

1h 30m · 40 pts

Advanced · SIEM · XDR

Fake Zoom to Ransomware: The Social Engineering Pipeline

In this advanced SOC simulation, you will investigate a multi-stage intrusion that began with a drive-by download of a trojanized Zoom installer. The attack progressed through several stages of loader execution, including d3f@ckloader and IDAT loader, eventually leading to the deployment of high-end C2 frameworks like Cobalt Strike and Brute Ratel. You must trace the attacker's path from the initial web-based compromise, through lateral movement via RDP tunneling and proxy tools, to the final mass-deployment of BlackSuit ransomware via enterprise management software. This scenario is based on real-world 2025 threat intelligence and requires deep analysis of SIEM, XDR, and Firewall telemetry to reconstruct the full kill chain.

2h · 40 pts

Advanced · SIEM · XDR

Black Basta: Email Bomb to Encryption

Investigate a sophisticated Ransomware-as-a-Service (RaaS) campaign involving Black Basta and Cactus TTPs. This scenario tracks a multi-stage attack from initial social engineering via Microsoft Teams and Quick Assist to advanced persistence using DLL side-loading in OneDrive. You will analyze how attackers move from identity-based initial access to full domain compromise and ESXi virtualization host encryption. The investigation requires correlating evidence across SIEM logs, XDR process trees, and firewall traffic to uncover hidden C2 channels and data exfiltration patterns occurring during off-hours.

1h 30m · 40 pts
