The Immersive Cyber Range Exercises scenarios offer organizations a unique, immersive way to simulate and practice their response to cyber incidents. These scenarios are designed to replicate real-world cyber threats and challenges, allowing teams to collaborate, communicate, and make critical decisions in a controlled environment. By engaging in Cyber Range Exercises scenarios, participants can enhance their incident response capabilities, test their cybersecurity procedures, and improve their overall cyber resilience. With a focus on teamwork, problem-solving, and decision-making under pressure, these scenarios provide a valuable training experience that prepares organizations to respond effectively to cyber incidents and protect their assets.
Offensive Scenarios
This section details the offensive Cyber Range Exercises available. These scenarios typically involve Red Team or Penetration Tester personas and require users to identify vulnerabilities, exploit systems, and move laterally through networks.
| Scenario Name | Difficulty | Number of Tasks | Suggested Personas |
| --- | --- | --- | --- |
| Artica - Offensive | Beginner | 5 | Penetration tester, Red teamer |
| Boot2Root - Offensive | Beginner to Intermediate | 5 Hosts | N/A |
| Kween – Offensive | Intermediate | 7 | Penetration Tester, Red teamer, Reverse Engineer |
| Mythical – Offensive | Junior (Beginner) | 8 Hosts | Junior Security Professionals |
| Scion | Advanced | 7 | Penetration tester, Red Teamer |
| Heist II: Aftermath | Advanced | 20 | Penetration tester, Red teamer |
| Nebula Bank | Beginner | 14 | Penetration tester, Red teamer |
| The Heist | Advanced | 16 | Penetration Tester, Red teamer, Reverse Engineer |
| Qing - Offensive | Advanced | 31 Hosts | Penetration Tester (Implied) |
| Operations - Offensive | Intermediate | 12 | Penetration Tester, Red teamer |
| Orchid Energy: Pressure Test | Beginner | Variable | Penetration Tester, Red teamer |
Artica – Offensive
Artica – Offensive is a TeamSim scenario designed for beginners that presents a Windows Active Directory environment. Acting as a mirror to its defensive counterpart, this exercise tasks users with performing the attack rather than detecting it. Users are afforded a Kali machine to launch attacks or can connect via VPN to use their own testing systems against the environment.
The primary objective involves enumerating and attacking machines in succession to move laterally through the network. The ultimate goal is the compromise of the Domain Controller. This scenario serves as an excellent introduction to offensive operations within a Windows AD infrastructure.
Technically, the scenario requires the exploitation of several vulnerabilities mapped to the MITRE ATT&CK framework. Users will engage in network service discovery via Nmap, exploit public-facing applications using SQL injection, and uncover cleartext credentials in databases. Furthermore, the exercise covers advanced techniques such as Pass-the-Hash lateral movement and dumping the Security Account Manager (SAM) to obtain credentials.
Boot2Root – Offensive
The Boot2Root scenario is an offensive TeamSim exercise aimed at beginner to intermediate users. In this challenge, participants must attack five machines simultaneously to gain access, escalate privileges, and capture flags. Each machine contains two specific flags that users must obtain to complete the objectives.
The network, known as the Boot2Root Network, consists of five hosts: Foundation, Jason, Clocked, RunMeNot, and SourceOfEvil. Users are provided with a Kali machine or can utilize OpenVPN to connect their own environments. The scenario simulates a variety of real-world vulnerabilities, requiring a broad set of skills to navigate successfully.
Participants must employ techniques such as Nmap scanning, exploiting anonymous FTP access, and leveraging insecure SSH private keys for initial access. Privilege escalation tasks require abusing NOPASSWD sudo permissions, exploiting cronjobs, and manipulating SUID permissions on binaries. The scenario also covers Windows-specific vectors, including SMB password spraying and exploiting the 'savecred' admin access shortcut.
Kween – Offensive
Kween – Offensive places users in the role of penetration testers tasked with performing activities against a small network named kween.local. The scenario simulates a real-life situation where the internal network has been compromised due to easily attainable external access and a series of internal vulnerabilities.
Users begin their engagement outside the network and must find a way to breach the perimeter. Once inside, the objective is to fully compromise an Active Directory environment, pivot to a second AD environment, and ultimately disable a PLC-like system. This multi-stage attack path mimics complex, layered network intrusions.
The technical requirements for this scenario include brute-forcing proxy servers, performing SQL injection on public-facing servers, and dumping passwords. Advanced stages involve DCSync attacks, password spraying, and exploiting buffer overflows to achieve privilege escalation on the operational technology (PLC) components.
Mythical – Offensive
Targeted at Junior Security Professionals, Mythical is an offensive scenario where users perform pentest-like activities against a Linux-based network. Users are provided with a network diagram to assist in navigation and must move through the environment to compromise every single machine.
The ultimate goal is to gain access to each host and escalate privileges to root. Users are equipped with a Kali instance to facilitate their attacks against the operations network, which consists of eight distinct hosts. This scenario focuses heavily on Linux command-line proficiency and infrastructure exploitation.
To succeed, users must demonstrate skills in PHP Remote Code Execution, SSH brute-forcing, and local enumeration. Privilege escalation vectors include abusing sudoedit privileges, exploiting SUID binaries, and leveraging insecure file permissions. The scenario also tests the user's ability to perform zone transfers and decode obfuscated information.
Scion
Scion is an advanced offensive CTF-style simulation that challenges a team of users to analyse and exploit code across various services. The scenario requires a deep comprehension of both web and infrastructure-related code to write custom exploits.
Participants must possess an understanding of modern web application infrastructure, including containerisation software like Docker, as well as binary exploitation and reverse engineering of C binaries. The environment provides a shared VSCode instance in the browser, allowing teams to collaborate on code analysis alongside a GitLab repository containing the master code copies.
Techniques required for Scion include writing exploit scripts in Python, generating payloads with MSFvenom, and performing port forwarding using tools like Chisel. The attack path involves container enumeration, Docker escapes, and exploiting Python templating engines. It is a rigorous test of a user's ability to identify and exploit vulnerabilities in a complex, containerised environment.
Heist II: Aftermath
Heist II: Aftermath is an advanced scenario where users assume the role of a junior penetration tester infiltrating a complex infrastructure. The exercise encompasses a wide variety of offensive techniques, including network discovery, web application exploitation, and lateral movement across both Windows and Linux systems.
The scenario is designed to test critical thinking and adaptation, requiring users to pivot and tunnel through multiple network segments to reach isolated systems. Guided by progressive objectives, participants must identify and exploit misconfigurations and known vulnerabilities to gain higher privileges and access restricted vaults.
Technical challenges include performing SQL injection, abusing sudo misconfigurations, and hijacking shared libraries on Linux systems. On the Windows side, users must exploit EternalBlue (MS17-010), perform Active Directory enumeration with BloodHound, and execute Pass-the-Hash attacks. The final stages involve advanced exploit development, such as buffer overflow exploitation and Return-Oriented Programming (ROP).
Nebula Bank
Nebula Bank is a beginner-level offensive scenario where users act as junior penetration testers. The unique aspect of this range is the integration of a live AI service—OpenAI ChatGPT—which is vulnerable to prompt injection attacks. Users must exploit this AI embedded in a web application to gain initial access.
The scenario guides users through a series of tasks to identify weaknesses and misconfigurations in the network. Once access is gained, users must move laterally and enumerate sensitive information from internal repositories such as GitLab.
Attacker techniques focused on in this scenario include LLM Prompt Injection and data exfiltration from AI systems. Users will also engage in traditional offensive activities such as credential stuffing, OS credential dumping from LSASS memory, and exploiting unsecure credentials found in information repositories to access SQL databases.
The Heist
The Heist casts users as bank robbers who must complete technical challenges across three distinct networks to open a vault. The scenario is focused on penetration testing skills, covering disciplines ranging from infrastructure attacks to reverse engineering. Teams must complete challenges in two concurrent networks to obtain the credentials needed for the final network.
There are 16 tokens to retrieve, with challenges often requiring one token to gain access and another to escalate privileges. The scenario utilizes a Kali VM for the attacking team and allows for the use of external tools via OpenVPN.
Techniques used in The Heist are varied. In the "Prison Network," users employ web application command injection and Java RMI exploitation. The "Bank AD Network" requires Kerberoasting, Unconstrained Delegation exploitation, and DCSync attacks. Finally, the "Bank Network" tests users on Python jail breakouts, UDP service exploitation, and reverse engineering C binaries to find vulnerabilities.
Qing – Offensive
Qing – Offensive tasks users with performing pentest-like activities against the fictional corporate network of Qing Corp. The objective is to move through three different networks—starting from an external phishing campaign—to reach the target Operational Technology (OT) network.
Attackers must successfully launch a phishing campaign to gain an initial foothold. From there, they must traverse the network layers, eventually gaining access to the OT environment where they can optionally cause damage to the machines, such as the SCADA HMI and PLC Modbus systems.
The specific techniques required include Exchange Server RCE and Jenkins exploitation to move through the corporate infrastructure. Users will need to recover credentials from email backups and .lnk files to facilitate lateral movement. The final stage involves Denial of Service (DoS) attacks against the OT components.
Operations - Offensive
Operations is an offensive TeamSim scenario in which a number of users perform pentest-like activities against a small Active Directory (AD) environment (operations.local). Users are given credentials for two different starting machines. The flow of the scenario is to move through the environment, in most cases gaining access to and then escalating privileges on a number of separate machines by exploiting logical misconfiguration flaws, much in the style of a real-world AD assessment.
Orchid Energy: Pressure Test
Orchid Energy: Pressure Test is an offensive IT/OT range scenario in which users assume the role of an IT/OT penetration tester. This range contains three primary zones loosely aligned to the Purdue reference architecture: IT network, SCADA control, and Process control.
You need to assess the network, looking for potential security vulnerabilities in both the IT and OT infrastructure. You’ve been provided with a Kali attack machine, along with some basic information to help you get started with your assessment.
Defensive Scenarios
This section details the defensive Cyber Range Exercises. These scenarios place users in SOC Analyst, Threat Hunter, or Incident Responder roles, utilizing tools like Elastic, Velociraptor, and Splunk to detect and investigate simulated attacks.
| Scenario Name | Difficulty | Number of Tasks | Suggested Personas |
| --- | --- | --- | --- |
| APT43: Defensive | Intermediate | 24 | SOC analyst, Threat hunter, Incident responder |
| Operation Kobold | Beginner | 32 | SOC analyst, Incident responder |
| Operation Kaiju | Intermediate | 27 | SOC analyst, Threat hunter, Incident responder |
| Orchid Corp: Blossom - Java | Intermediate | 11 | Developer |
| Orchid Corp: Blossom - Python | Intermediate | 11 | Developer |
| Operation Typhon | Intermediate | 20 | SOC analyst, Threat hunter |
| Detecting Sliver | Beginner | 5 | SOC analyst, Threat hunter, Incident responder |
| Earth Lusca | Intermediate | 28 | SOC Analysts / IR Professionals |
| Kween - Defensive | Intermediate | 14 | SOC Analysts / IR Professionals |
| Oilrig: A nation state compromise | Beginner | 28 | SOC analyst, Threat hunter |
| Operation Akela | Intermediate | 31 | SOC analyst |
| Operation Chimera | Intermediate | 24 | SOC analyst |
| Operation Lycan | Intermediate | 28 | SOC analyst |
| Operation Nimrod | Intermediate | 26 | SOC analyst, Threat hunter |
| Operation Bastion | Beginner | 29 | SOC analyst, Threat hunter, Malware analyst |
| Operation Palisade | Beginner | 33 | SOC analyst, Threat hunter |
| Operation Vulpes | Intermediate | 29 | SOC analyst, Threat hunter, Incident responder |
| Qing - Defensive | Intermediate | 11 | SOC Analysts / IR Professionals |
| Operation Sunder | Beginner | 24 | SOC analyst, Threat hunter |
| Artica - Defensive | Beginner | 7 | SOC Analysts / IR Professionals |
| Orchid Corp: Blossom - C# | Intermediate | 33 | Security engineers, Software developers, DevSecOps practitioners |
| Orchid Corp: Blossom - Go | Intermediate | 44 | Security engineers, Software developers, DevSecOps practitioners |
| Salt Typhoon | Intermediate | 28 | SOC Analysts / IR Professionals |
| Petal Fall - A Chrysalis Shattered | Intermediate | 34 | SOC analyst, Threat hunter, Incident responder |
| Mint Sandstorm: Sifting Through the Phosphorus Campaign | Beginner | 100 | SOC analyst, Threat hunter, Incident responder |
| SharePoint Under Siege: Investigating a zero day compromise | Intermediate | 28 | SOC analyst, Threat hunter, Incident responder |
| Project Blackstart: Dissecting the Relay Suppression | Intermediate | 34 | SOC analyst, Threat hunter, Incident responder |
| Operation Skylock | Intermediate | 17 | SOC analysts, Incident Responders, Cloud Security Practitioners |
| Orchid Energy: Pipeline Panic | Beginner | 24 | SOC analysts, blue teamers, Incident Responders |
APT43: Defensive
APT43: Defensive is a Team Sim exercise where users assume the role of a SOC analyst investigating a compromise. The scenario begins with a seemingly innocuous Dropbox document containing malicious code executed on a workstation. The goal is to reproduce the APT's intrusion method and understand the attack lifecycle from delivery to actions on objectives.
The scenario aims to test skills in incident response, threat hunting, and reverse engineering. Users are provided with access to Velociraptor, Elasticsearch, and Flare VM for analysis. Tasks include identifying Indicators of Compromise (IoCs) related to the attack against the Bartertowngroup domain and performing reverse-engineering tasks.
The simulated attackers employ the QuasarRAT Remote Administration Tool and Metasploit. Techniques observed include phishing, PowerShell script execution, process hollowing, and credential dumping via LSASS memory. Persistence is established via Winlogon Helper DLLs and Registry Run keys.
Operation Kobold – Defensive
Operation Kobold places users in the role of a SOC analyst protecting Somnium Technology. The scenario tasks users with uncovering IoCs related to an attack involving the popular adversary simulation tool Cobalt Strike. It tests the ability to conduct threat hunting through logs and digital forensic artifacts.
Users have access to Elastic, Velociraptor, and Flare VM to aid in their investigation. The exercise covers a chronological progression of a cyberattack, starting from the delivery of a malicious HTA file to the spawning of child processes.
Technical analysis required includes examining obfuscated command-line arguments and Base64-encoded PowerShell scripts. Users must detect persistence mechanisms such as registry key modifications and WMI process creation. Furthermore, users will extract Cobalt Strike beacon configurations to identify Command and Control (C2) infrastructure.
Operation Kaiju – Defensive
In Operation Kaiju, users act as an internal security team member at Forward Edge Corp investigating a suspicious email and subsequent computer behavior. The task is to determine the extent of the compromise by identifying IoCs related to the attack, which utilizes Cobalt Strike.
The scenario utilizes defensive tools such as Sysmon, Elastic Endpoint Security, Fleet, OSQuery, and Velociraptor. Users must analyze how attackers leverage techniques like unconstrained delegation and Kerberos ticket manipulation to achieve domain control.
Attacker techniques mapped in this scenario include phishing via spearphishing attachments, process injection into explorer.exe, and OS credential dumping. The attackers also employ lateral movement using PsExec and Rubeus for Pass-the-Ticket attacks, eventually escalating privileges to compromise the Domain Controller.
Orchid Corp: Blossom (Java & Python)
The Orchid Corp: Blossom scenarios (available in both Java and Python variants) are defensive exercises where participants take on the persona of a Developer. The goal is to address a set of security issues within the "Blossom" HR platform. Each task corresponds to a vulnerability that the team must identify and remediate.
Users are provided with a workstation containing Visual Studio Code, a Kanban board named Sprinter, and a GitLab Server with CI/CD pipelines. The scenario emphasizes collaboration, code review, and the implementation of secure coding best practices.
The vulnerabilities presented map to the OWASP Top 10 and CWE classifications. These include Broken Access Control, Server-Side Request Forgery (SSRF), Command Injection, and Broken Object Property Level Authorization. Users must analyze insecure code paths and apply input validation and authorization checks to fix the bugs.
Operation Typhon
Operation Typhon tasks users with the role of a SOC analyst uncovering IoCs related to an attack against Somnium Technology. The scenario utilizes the Cobalt Strike simulation tool and guides users through threat hunting tasks using logs and digital forensic artifacts.
The toolkit provided includes Elastic, Fleet, OSQuery, and Velociraptor. Users must trace the attack from initial access via a phishing attachment through to privilege escalation and defense evasion techniques.
The attacker techniques observed include BloodHound for discovery, bypassing User Account Control (UAC), and disabling security tools. Lateral movement is achieved via DCOM and WMI, while credential access is performed using Mimikatz to dump LSASS memory. The scenario also involves DLL search order hijacking.
Detecting Sliver
Detecting Sliver is a smaller scenario built upon the Heimdall detection engineering range. It targets junior analysts and focuses on answering questions regarding the Sliver C2 framework implant. The exercise utilizes information published in Immersive Labs' blog regarding Sliver detection.
The environment includes Windows System and Security logs forwarded to Elasticsearch, Sysmon, and Velociraptor. Users can access a Kali machine or an analyst machine to perform their investigation.
This scenario provides a focused opportunity to analyze a specific C2 framework that is becoming increasingly popular among threat actors. It requires users to identify the specific artifacts and behaviors associated with Sliver implants within a compromised network.
Earth Lusca – Defensive
Earth Lusca is a defensive scenario aimed at SOC and IR professionals. It mimics the techniques and tools employed by the Earth Lusca (TAG-22) APT group. Users are tasked with finding IoCs within a compromised network belonging to the "Bartertowngroup".
The scenario tests threat hunting skills, requiring users to investigate running processes, persistence techniques, and lateral movement. The toolset includes Elastic, Fleet, Velociraptor, and Flare VM for reverse engineering artifacts.
Attacker techniques include initial access via spearphishing links, persistence via Registry Run keys, and lateral tool transfer. The attackers escalate privileges using Bypass User Account Control and access token manipulation, ultimately exfiltrating data over a web service to cloud storage.
Kween – Defensive
Kween – Defensive is aimed at SOC Analysts and IR professionals investigating a compromise at Kween Industries. The client suspects a network breach and has provided access to their Splunk and Velociraptor setups for investigation.
The network environment includes various servers and workstations with Sysmon and Splunk Universal Forwarders installed. Users must navigate through event logs to detect the attack path.
Observable techniques in this scenario include password brute-forcing, RDP access using recovered credentials, and credential dumping from the registry. The investigation also covers DCSync attacks, PowerShell persistence scripts, and SSH access to operational technology components like the Kween PLC.
Oilrig: A Nation State Compromise
This scenario simulates a compromise by the suspected Iranian threat actor Oilrig / Helix Kitten. Users take on the role of a junior SOC analyst investigating an attack against Lycia Pensions. The investigation begins with a medium alert from an antivirus solution and reports of suspicious emails.
Users utilize Elastic, Fleet, Velociraptor, and Flare VM to review the imaged network. The tasks involve determining the entry point, lateral movement path, and attacker objectives.
The attacker techniques detailed include spearphishing attachments, UAC bypass, and lateral movement via PsExec and RDP using valid compromised accounts. The scenario also highlights extensive system and user discovery commands executed via the Windows command shell.
Operation Akela
Operation Akela tasks SOC analysts with uncovering IoCs related to an attack against the Lycia Pensions domain. The attackers in this scenario utilize the Sliver C2 framework. The exercise tests threat hunting and digital forensics skills, along with some reverse engineering tasks.
The environment is monitored using Elasticsearch, Sysmon, and Velociraptor, with Flare VM available for malware analysis. Users must navigate through 31 tasks to fully understand the compromise.
Techniques used by the attackers include Kerberoasting, BloodHound for discovery, and credential access from web browsers. The attack progresses to domain compromise, involving NTDS credential dumping and data exfiltration over the C2 channel.
Operation Chimera
Operation Chimera involves a defensive investigation into an attack on Lycia Pensions. Users must threat hunt through logs and artifacts to uncover IoCs. The scenario focuses on a compromise that involves a vulnerable Node.js application.
Defensive tools include Elasticsearch, Fleet, Velociraptor, and Flare VM. Users are guided through 24 tasks to reconstruct the attack.
The attack vector begins with a malicious file upload and command execution in the Node.js app. Persistence is achieved via DLL Side-Loading and modifying system services. Advanced techniques include Process Injection, creating administrative PKI certificates, and executing a DCSync attack. Lateral movement is performed using Pass-the-Hash and PsExec.
Operation Lycan
Operation Lycan is a defensive Team Sim where users act as SOC analysts. The scenario requires identifying IoCs related to an attack against the Lycan domain using the PoshC2 framework. It combines incident response, threat hunting, and reverse engineering disciplines.
The range includes ElasticSearch, Velociraptor, and Flare VM. Users can connect to the range via an analyst workstation or VPN to investigate the 28 distinct tasks.
Attackers in this scenario use obfuscated files for initial access and establish persistence via WMI Event Subscriptions and DLL hijacking (specifically a Notepad++ plugin). Privilege escalation is achieved by bypassing UAC and reading LAPS passwords. Lateral movement involves SharpWSUS and lateral tool transfer.
Operation Nimrod
Operation Nimrod focuses on identifying IoCs following an incident at ForwardEdge Corporation. The attackers in this scenario utilize the Havoc Command and Control (C2) framework. Users must hunt through logs and digital forensic artifacts to detect the compromise.
The toolkit provided includes Elastic, Velociraptor, and PEStudio for inspecting Windows executables. The scenario consists of 26 tasks designed to test the user's ability to detect Havoc C2 activity.
Attacker techniques include spearphishing, System Binary Proxy Execution (Rundll32), and token impersonation. Persistence is maintained via scheduled tasks and services. The scenario also features Rubeus for stealing Kerberos tickets and PsExec for lateral movement.
Operation Bastion
Operation Bastion tasks users with identifying IoCs at Orchid Corporation following an incident involving Microsoft Exchange. Users must analyze logs to detect malicious binaries and persistence mechanisms.
Tools available include Elastic, Velociraptor, and access to the Microsoft Exchange Server via the EAC to analyze phishing emails. The scenario focuses on credential theft and the use of open-source tooling.
The attack path involves a malicious email obtained from the Exchange Server, followed by user execution of a malicious link/file. Persistence is established via scheduled tasks and creating domain accounts. The attackers perform Golden Ticket attacks and use Windows Remote Management (WinRM) for lateral movement.
Operation Palisade
Operation Palisade is a beginner-level defensive scenario set at Orchid Corporation. Users must identify IoCs in logs and forensic artifacts. While the network map alludes to Tanium, the provided tools include Elastic, Fleet, and Velociraptor.
The scenario consists of 33 tasks and focuses on identifying malicious binaries and persistence. It tests the user's ability to analyze compromised memory and system logs.
Attacker techniques include network service discovery, process injection, and subverting trust controls via code signing. Attackers perform password spraying, dump credentials (including DCSync), and move laterally using SMB/Windows Admin shares.
Operation Vulpes
Operation Vulpes sees the Orchid Corporation dealing with the aftermath of a ransomware attack. Defenders must determine the compromise path and attempt to recover files using information from law enforcement. The attackers utilize the Sliver adversary simulation tool.
Users employ Splunk, Velociraptor, and Sysmon to solve the scenario. The investigation focuses on DFIR processes following a ransomware incident.
The attack begins with exploiting a public-facing web application (Command Injection) and breaking out of a Docker container. Attackers use BYOVD (Bring Your Own Vulnerable Driver) to impair defenses and Ninjacopy to dump credentials. The scenario culminates in the deployment of ransomware from the Domain Controller.
Operation Sunder
Operation Sunder requires users to analyze logs and forensic artifacts to identify IoCs at Forward Edge Corp. The emulated attackers utilize the Metasploit framework. Users must hunt for malicious documents and analyze attack paths.
The toolset includes Elastic, Fleet, Velociraptor, and Olevba.exe for analyzing malicious VBA macros. The scenario focuses on detecting unconstrained delegation and Kerberos manipulation.
Techniques used include phishing, process injection, and uploading malware tools. Attackers move laterally using WinRM and PsExec. The scenario features Golden Ticket attacks and DCSync for credential access, as well as exfiltration over alternative protocols.
Qing – Defensive
Qing – Defensive is a scenario aimed at SOC Analysts investigating an attack against the Qing Corporation. The network environment is extensive, including an Operational Technology (OT) network segment with PLCs and SCADA HMIs.
Users are provided with Splunk, Fleet, and Velociraptor to aid in detection. The scenario involves investigating compromised Exchange servers, Jenkins servers, and workstations.
The attack utilizes the ProxyLogon exploit (CVE-2021-26855) for initial access on the Exchange server. Persistence is achieved via Registry Run keys. Attackers pivot to workstations using PsExec and exploit a Jenkins server to retrieve VPN credentials, ultimately targeting the OT network.
Artica - Defensive
Artica - Defensive is a small TeamSim scenario that gives users access to both Velociraptor and Splunk and asks them a series of questions in order to detect and understand an attack running in the background of the range. The attack uses Metasploit and rudimentary automation to repeat itself every 10-15 minutes or so, with some jitter time to add an element of randomisation.
Petal Fall - A Chrysalis Shattered
The user starts from an initial compromise in which Notepad++ was downloaded and installed from a website masquerading as the legitimate one.
The attack path emulates a campaign attributed to the Chinese APT group Lotus Blossom.
Mint Sandstorm: Sifting Through the Phosphorus Campaign
SharePoint Under Siege: Investigating a zero day compromise
The user starts from potential webshell activity on the SharePoint server.
The attack exploits the SharePoint deserialization vulnerability CVE-2025-53770.
Project Blackstart: Dissecting the Relay Suppression
The user starts from the download of a malicious MS Teams binary.
The scenario follows the intrusion from enterprise IT systems into the OT systems.
It is an OT range based on a generator compromise.
Operation Skylock - Defensive
Operation Skylock – Defensive places your team in a realistic AWS incident response scenario. After a ransom email claims S3 data theft and encryption, you investigate a newly deployed Orchid Invoice web app running in AWS with Lambda and S3, where credentials are stored in a .env file. Working from an Analyst Workstation, you use Splunk to analyze CloudTrail, Linux audit, syslog, application, and ELB access logs to verify modified S3 buckets, confirm encryption activity, and reconstruct the attacker’s path.
You will trace IAM activity (user type, role assumption, session ARN, and attached policies), pivot to the compromised host to find .env access, identify failed sudo attempts, uncover privilege escalation via a misconfigured cron job, and spot persistence through new users and SSH keys. You will also attribute a reverse shell download and attacker IP, and detect reconnaissance in ELB logs. This defensive, intermediate exercise suits SOC analysts, incident responders, and cloud security practitioners.
Orchid Energy: Pipeline Panic
In Orchid Energy: Pipeline Panic, teams act as SOC analysts responding to targeted activity against a mixed IT/OT oilfield environment with pumpjacks, pipelines, Siemens-style PLCs/HMIs, and a SCADA stack. Operations are centralized via Grafana/InfluxDB and an OT VPN, with IT telemetry in Splunk and limited OT visibility through PCAPs. Participants investigate a SANDWORM-themed intrusion that progresses from IT compromise to OT impact, correlating C2 DNS activity with workstation execution and malicious changes to PLC behavior.
Learners practice SIEM hunting with Sysmon (DNS, file creation, process execution), decode PowerShell commands, identify Python-based OT interaction, and analyze Modbus traffic in Wireshark to trace register and coil writes. They compare PLC ladder logic and variables, validate effects via HMI/SCADA dashboards, and timeline events across systems. This defensive, beginner-level Team Sim benefits SOC analysts, blue teamers, and IT/OT incident responders seeking foundational ICS monitoring and IT–OT correlation skills within a realistic Purdue-aligned network.