BeginnerSIEMXDRFirewall

Phishing Investigation: ZipLine Supply Chain Campaign

Investigate a sophisticated social engineering campaign targeting manufacturing supply chains. You will analyze a 'reversed' phishing flow where attackers use 'Contact Us' forms to trick employees into initiating email conversations, leading to the deployment of the custom MixShell in-memory implant via DNS tunneling.

45m

8 tasks

85 points

Free

Start this operation

Create your free account and begin immediately.

Get Early Access — Free

Free forever — no credit card required

Investigation Tasks

Complete each task by investigating alerts and submitting your findings.

The First Contact

SOC{ip_address} - The IP address that submitted the contact formHint available

The Payload Delivery

SOC{domain_name} - The full Herokuapp subdomain used for the downloadHint available

Execution via LNK

SOC{process_name} - The binary executed by the malicious LNK fileHint available

Blinding the Defense

SOC{variable_name} - The PowerShell variable set to 'true' to bypass AMSIHint available

Brute Force Source Identification

Identify the external IP address that repeatedly attempted to brute force the 'admin' account using Remote Interactive logons as seen in the Windows Security logs.

SOC{...}Hint available

The Persistence Scriptlet

SOC{filename} - The .sct file dropped for persistenceHint available

DNS Tunneling Detection

SOC{domain_name} - The C2 domain used for DNS TXT tunnelingHint available

Resolution and Debrief

SOC{technique_id} - The MITRE technique ID for the DNS-based C2 communicationHint available

8 tasks · 85 points total

Start investigation

Training Tools

SIEM Console

Log analysis & SPL queries

XDR Console

Endpoint detection & response

Firewall Console

Network traffic analysis

Skills You'll Build

Investigate realistic security alerts

SIEM log analysis

XDR log analysis

Firewall log analysis

MITRE ATT&CK technique identification

Triage decisions: escalate, investigate, or close

Evidence collection and documentation

Job-ready incident response methodology

Beginner

Ideal for newcomers to SOC operations. Guided investigation with clear indicators.

Prerequisites

No prior experience required
Familiarity with SIEM concepts
Familiarity with XDR concepts
Familiarity with Firewall concepts

Ready to investigate?

Create your free account and begin immediately.

Get Early Access — Free

Free forever — no credit card required

More Operations

View all

BeginnerSIEMXDR

ClickFix: The Fake CAPTCHA Trap

Investigate a modern 'ClickFix' social engineering attack where a user was tricked into executing a malicious PowerShell command via a fake CAPTCHA interface. You will analyze SIEM and XDR telemetry to trace the infection from the initial web lure to the deployment of an infostealer.

30m20 pts

BeginnerSIEM

Credential Harvesting: The Lookalike Login

An investigation into a modern phishing campaign targeting critical infrastructure. You will analyze email headers for domain spoofing, identify 'Paste and Run' execution chains, and track the delivery of the LummaC2 information stealer through SIEM logs.

30m20 pts

BeginnerSIEMXDR

MFA Fatigue: The Notification Flood

In this guided walkthrough, you will investigate a sophisticated identity-led intrusion. An attacker leveraged social engineering via Microsoft Teams and MFA push-bombing to 'log in' rather than 'break in'. You will analyze SIEM authentication patterns and XDR behavioral data to trace the attacker's path from a simple voice call to full environment compromise.

30m20 pts