Threat Hunt · APT · Threat Hunt
Cobalt Strike Malleable C2 · undetected for 4 months · investment holding
An investment holding's SOC analyst noticed an anomalous jitter pattern in HTTPS traffic. A Cobalt Strike Malleable C2 profile (Amazon mimicking) was used. Inside for 4 months · 23 endpoints infected. APT41 TTP match. You will make 11 critical decisions in sequence.
Before you start the scenario
- You are the decision-maker in this incident · every choice leaves time/cost/reputation behind
- There are no wrong answers · just like in real life · but some paths are more expensive
- You can restart it anytime · try different paths
- At the end, a 3-axis score + alternative routes are shown