Challenge Library

Browse our catalog of real-world security incidents.

Beginner

Web Server Attack

Incident: Web Server Compromise

Briefing: A web server has been attacked. We have captured the access logs.

Objective: Analyze the logs to find the attacker's IP, the vulnerability exploited, and the files accessed.

Incident Response
Beginner

The "Anonymous" Whistleblower

Intel Report: We received a threatening PDF from "Legion Raven". We suspect an insider threat.

Objective: Analyze the document metadata and hidden layers to identify the mole.

Intermediate

Obfuscated Intrusion

A covert intrusion was hidden within high-volume outbound traffic to evade detection.

03:00 UTC Alert

Security sensors detected a spike in outbound traffic. Automated analysis suggests a traffic generator was used to mask a targeted intrusion on a legacy server.

Mission Objectives:

  • Filter the noise to identify the intrusion protocol
  • Assess impact by recovering compromised credentials
  • Hunt for data exfiltration via covert channels

Intermediate

Flight Risk (React2Shell)

Alert: Application Error Spike

"ShopNext", our e-commerce frontend, experienced a momentary performance degradation. The automated monitoring system flagged a series of 500 Internal Server Errors originating from the React Server Components (RSC) endpoint.

Your SOC Manager suspects an exploitation of the new React Flight Protocol vulnerability (CVE-2025-55182).

Mission Objectives:

  • Filter through customer traffic
  • Identify the threat actor
  • Reconstruct the "Kill Chain"

Incident Response
Beginner

The Haystack (Web Recon)

An automated web scan generated thousands of 404 errors while probing for hidden resources.

Incident Report #8821
Severity: Low → High

Briefing:
Our SOC dashboard triggered an alert at 12:53 PM. The internal web server ("ShopNext") began generating an unusually high volume of 404 errors.

We suspect a script kiddie is performing automated directory brute-forcing.

Your Mission:

  • Filter through the noise to identify the attacker
  • Determine which hacking tool was used
  • Discover whether any sensitive files were successfully accessed

Incident Response
Intermediate

The Database Drain (SQL Injection)

A legacy API was exploited via SQL injection to dump sensitive customer data.

Incident Report #9920
Severity: Critical

Briefing:
A confidential list of VIP clients has been found for sale on a dark web forum. We believe the data was stolen from our legacy "Product Search API".

The web server logs have been secured. The attacker was noisy, running a fuzzer before manually crafting the final exploit to dump the database.

Your Mission:

  • Identify the attacker's IP address
  • Decode the malicious URL payloads
  • Identify exactly which database table was accessed
  • Confirm data exfiltration by analyzing the response size

Incident Response
Intermediate

The Midnight Brute (Authentication Attacks)

A suspected brute-force attack is targeting a privileged account on Auth Service V2.

Incident Report #2049
Severity: High

Briefing:
Our SIEM has flagged a potential brute-force attack against "Auth Service V2". While internal employees (10.10.10.x subnet) frequently mistype passwords, we believe an external threat actor is systematically targeting a privileged account.

Debug logging was accidentally left enabled, capturing credentials submitted during login attempts.

Your Mission:

  • Distinguish between clumsy employees and the malicious actor
  • Identify the specific account being targeted
  • Determine whether the attacker successfully guessed the password

Incident Response
Advanced

The Polyglot Ghost (Advanced RCE)

An advanced attacker bypassed WAF defenses using heavily obfuscated payloads to achieve remote code execution.

Incident Report #3399
Severity: Critical

Briefing:
Threat intelligence indicates our Confluence server was compromised by an Advanced Persistent Threat (APT) exploiting CVE-2023-22527 (Template Injection).

Logs show thousands of requests, but the WAF failed to block the attack due to heavy Unicode-based obfuscation.

Your Mission:

  • Identify the malicious request hidden in the traffic
  • De-obfuscate Unicode characters to reveal the Java code
  • Extract the hidden Base64 string
  • Decode the payload to identify the C2 IP address and port

Beginner

The Rule Reader

A new YARA rule must be reviewed to understand exactly what malware behavior it detects.

Briefing:
A threat intelligence vendor has sent us a new YARA rule named detect_threat.yar. They claim it detects a dangerous new malware strain targeting e-commerce companies.

Before deploying this rule across production scanners, we need a manual review.

Your Mission:

  • Open the .yar file in a text editor (Notepad, VS Code)
  • Analyze the strings and condition sections
  • Explain exactly what the rule is designed to detect

Beginner

The Encoded Empire

A Base64-encoded PowerShell task was used to maintain persistence on a high-value endpoint.

Incident Report #502

Briefing:
During a routine audit, we discovered a suspicious scheduled task named "SystemUpdater" on a CEO's laptop. The task executes a PowerShell command encoded in Base64 to evade antivirus detection.

Your Mission:

  • Identify the PowerShell flags used to hide execution
  • Decode the Base64 string to reveal the hidden script
  • Identify the attacker's server and malware filename

Beginner

The Hidden Macro

A malicious Word document used a hidden VBA macro to execute malware in the background.

Incident Report #101

Briefing:
An employee in HR reported a suspicious Word document named Resume_JohnDoe.docm. When opened, nothing appeared to happen except a popup error message.

The SOC team extracted the embedded VBA macro code from the document for analysis.

Your Mission:

  • Read the macro code to understand the background execution
  • Identify the attacker's domain
  • Locate where the malware was saved on disk
  • Determine the social engineering technique used

Beginner

Investigating a Suspicious Domain

Target: crestoption.com

Intel Report: This domain has been flagged in a phishing campaign. Your task is to investigate its public records and email infrastructure to build a profile of this potentially malicious domain.

Your Mission:

  • Perform WHOIS analysis to find registration details.
  • Enumerate DNS records (NS, MX, TXT).
  • Investigate the email infrastructure (DMARC/IP).
  • Check Threat Intelligence reputation.

Tools: Whois, Dig/Nslookup, MXToolbox, VirusTotal.
