Dynamic Threat Range is a strategic evolution of our range capability designed to improve the flexibility, realism, and accessibility of technical exercising.
Orchid Emporium – Lazarus Group Supply Chain Attack
This scenario simulates a sophisticated supply chain attack by a DPRK-aligned threat actor, Lazarus Group. The lab recreates a high-stakes scenario in which a retail ecommerce company's development infrastructure is compromised. You'll navigate a complex attack chain that begins with a trojanized npm package, escalates through CI/CD pipeline exploitation, and ends with the destruction of cloud data. The release includes two distinct paths:
• Threat Hunting Exercise: You’ll start with Indicators of Compromise (IOCs) like suspicious DNS domains to trace the full attack chain using SIEM data.
• Incident Response Exercise: You'll work from triggered alerts, such as anomalous port scanning and AWS CLI usage, to perform process ancestry analysis and reconstruct the attack timeline.
Targeted Roles: Security operations center (SOC) analysts, threat hunters, and incident responders who need to defend against advanced persistent threats (APTs).
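The Incident Response path above starts from an alert on unexpected AWS CLI usage and asks you to reconstruct process ancestry. The following is an added example of that ancestry walk, written for this page and not taken from the Dynamic Threat Range content: the process-creation events, hostnames, paths and the `EXPECTED_AWS_PARENTS` allow-list are constructed for illustration, and real telemetry (Sysmon Event ID 1, EDR process events) carries the same fields under different names.

```python
"""Process-ancestry triage for an AWS CLI alert (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    user: str


# Constructed sample telemetry: a developer runs `npm install`; the postinstall
# script of a trojanized package spawns a shell that runs the AWS CLI with the
# build host's credentials. An unrelated editor process is included as noise.
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   "/usr/sbin/sshd",     "sshd: dev [priv]",                  "root"),
    ProcEvent(210, 100, "/bin/bash",          "-bash",                             "dev"),
    ProcEvent(305, 210, "/usr/bin/node",      "npm install",                       "dev"),
    ProcEvent(412, 305, "/bin/sh",            "sh -c node scripts/postinstall.js", "dev"),
    ProcEvent(517, 412, "/usr/bin/node",      "node scripts/postinstall.js",       "dev"),
    ProcEvent(623, 517, "/usr/local/bin/aws", "aws s3 ls",                         "dev"),
    ProcEvent(700, 210, "/usr/bin/vim",       "vim README.md",                     "dev"),
]

# Assumed allow-list: parents that legitimately launch the AWS CLI on this host.
EXPECTED_AWS_PARENTS = {"/bin/bash", "/bin/zsh"}


def build_index(events):
    """Map pid -> event so parents can be looked up in O(1)."""
    return {e.pid: e for e in events}


def ancestry(index, pid):
    """Return the process chain from pid up to the root, child first.

    The `seen` set guards against pid reuse creating a cycle in the telemetry.
    """
    chain, seen = [], set()
    cur = index.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = index.get(cur.ppid)
    return chain


def triage_aws_cli(events):
    """Flag AWS CLI runs with an unexpected parent or an npm install in their ancestry."""
    index = build_index(events)
    findings = []
    for e in events:
        if not e.image.endswith("/aws"):
            continue
        chain = ancestry(index, e.pid)
        parent = chain[1] if len(chain) > 1 else None
        via_npm = any(a.image.endswith("/node") and a.cmdline.startswith("npm ")
                      for a in chain)
        if parent is None or parent.image not in EXPECTED_AWS_PARENTS or via_npm:
            findings.append({
                "pid": e.pid,
                "cmdline": e.cmdline,
                "chain": [f"{a.pid}:{a.image}" for a in chain],
                "via_npm_install": via_npm,
            })
    return findings


if __name__ == "__main__":
    for finding in triage_aws_cli(SAMPLE_EVENTS):
        print(finding)
```

On the constructed sample the one finding walks `aws` back through `node`, `sh`, `node (npm install)`, `bash` and `sshd`, which is exactly the chain the exercise asks you to reconstruct: the CLI was launched by a package install script, not by the interactive shell.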
Orchid Corp — Akira
Orchid Corp is a financial services organization with an Active Directory environment. The Akira ransomware group targets the organization through spear-phishing, escalating through credential theft and lateral movement across web and database servers before deploying ransomware.
Targeted Roles: Incident Response, Threat Hunting, SOC Analyst
Orchid Corp — Mustang Panda
Orchid Corp is a financial services organization with an Active Directory environment. The Mustang Panda APT group gains access through a phishing campaign with DLL sideloading, then moves laterally across workstations, database servers, and the domain controller to steal credentials and establish persistence.
The exercise includes two specializations, each containing 19 guided tasks:
• Digital Forensics and Incident Response (DFIR): An alert-driven investigation where you respond to triggered alerts and trace the attacker's path
• Threat Hunting: An intel-driven exercise where you start from Mustang Panda threat intelligence to proactively hunt for indicators of compromise (IOC)
The attack chain covers eight phases across 20+ MITRE ATT&CK techniques, such as:
• Initial Access: Spearphishing via a malicious ZIP containing a DLL side-loading payload
• Execution and Evasion: Process injection into wmiprvse.exe and unmanaged PowerShell execution
• Credential Access: LSASS memory dumping and NTDS.dit extraction via Volume Shadow Copy
• Lateral Movement: WMI-based pivoting from workstations to the domain controller
• Defense Evasion: Event log clearing across Security, System, and WMI logs
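As an added example for the phases listed above (not material from the Orchid Corp range itself), the block below runs a small set of detection rules over constructed Windows telemetry and orders the hits into a timeline. Events are modelled as dicts with a few Sysmon and Security fields; the hosts, paths, timestamps and records are made up, and the `SIDELOAD_DLLS`, `CLR_DLLS`, `MANAGED_HOSTS` and `LSASS_READERS_OK` sets are assumptions a real deployment would tune. Each rule encodes a commonly used indicator for its technique: unsigned side-loaded DLLs (Sysmon 7), CLR loaded into a non-PowerShell host (Sysmon 7), remote thread into WmiPrvSE.exe (Sysmon 8), LSASS access (Sysmon 10), vssadmin/ntdsutil/shadow-copy NTDS.dit commands and WmiPrvSE.exe child processes (Sysmon 1), and log clearing (Security 1102, System 104).

```python
"""Rule pass over constructed Sysmon/Security events (added example, not range content)."""
import ntpath
from collections import namedtuple

Finding = namedtuple("Finding", "ts host technique rule detail")
SYSMON = "Microsoft-Windows-Sysmon/Operational"

# Assumed tuning lists; adjust per environment.
SIDELOAD_DLLS = {"version.dll", "dbghelp.dll", "cryptbase.dll", "userenv.dll"}
CLR_DLLS = {"clr.dll", "clrjit.dll", "system.management.automation.dll",
            "system.management.automation.ni.dll"}
MANAGED_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
LSASS_READERS_OK = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}
WMI_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe"}


def base(path):
    return ntpath.basename(path).lower()


def is_sysmon(e, event_id):
    return e["channel"] == SYSMON and e["event_id"] == event_id


def rule_sideload(e):  # T1574.002: unsigned known-name DLL from a user-writable path
    if is_sysmon(e, 7):
        dll = e["image_loaded"]
        if (base(dll) in SIDELOAD_DLLS and e.get("signed") == "false"
                and not dll.lower().startswith("c:\\windows\\")):
            return Finding(e["ts"], e["host"], "T1574.002", "dll_sideload",
                           f'{base(e["image"])} loaded {dll}')


def rule_unmanaged_powershell(e):  # T1059.001: CLR in a non-PowerShell host
    if is_sysmon(e, 7) and base(e["image_loaded"]) in CLR_DLLS \
            and base(e["image"]) not in MANAGED_HOSTS:
        return Finding(e["ts"], e["host"], "T1059.001", "unmanaged_powershell",
                       f'{base(e["image"])} loaded {base(e["image_loaded"])}')


def rule_injection_wmiprvse(e):  # T1055: CreateRemoteThread into WmiPrvSE.exe
    if is_sysmon(e, 8) and base(e["target_image"]) == "wmiprvse.exe":
        return Finding(e["ts"], e["host"], "T1055", "remote_thread_wmiprvse",
                       f'{base(e["source_image"])} -> WmiPrvSE.exe')


def rule_lsass_access(e):  # T1003.001: LSASS handle from a non-allow-listed process
    if is_sysmon(e, 10) and base(e["target_image"]) == "lsass.exe" \
            and base(e["source_image"]) not in LSASS_READERS_OK:
        return Finding(e["ts"], e["host"], "T1003.001", "lsass_access",
                       f'{base(e["source_image"])} access {e["granted_access"]}')


def rule_ntds_via_vss(e):  # T1003.003: shadow copy creation or NTDS.dit copy-out
    if is_sysmon(e, 1):
        cmd = e["cmdline"].lower()
        if (("vssadmin" in cmd and "create shadow" in cmd)
                or ("ntdsutil" in cmd and "ifm" in cmd)
                or ("harddiskvolumeshadowcopy" in cmd and "ntds.dit" in cmd)):
            return Finding(e["ts"], e["host"], "T1003.003", "ntds_via_vss", e["cmdline"])


def rule_wmi_remote_exec(e):  # T1047: shell spawned by the WMI provider host
    if is_sysmon(e, 1) and base(e["parent_image"]) == "wmiprvse.exe" \
            and base(e["image"]) in WMI_CHILDREN:
        return Finding(e["ts"], e["host"], "T1047", "wmi_child_process", e["cmdline"])


def rule_log_cleared(e):  # T1070.001: Security 1102 / System 104 log-clear records
    if e["channel"] == "Security" and e["event_id"] == 1102:
        return Finding(e["ts"], e["host"], "T1070.001", "log_cleared", "Security")
    if e["channel"] == "System" and e["event_id"] == 104:
        return Finding(e["ts"], e["host"], "T1070.001", "log_cleared",
                       e.get("cleared_channel", "?"))


RULES = [rule_sideload, rule_unmanaged_powershell, rule_injection_wmiprvse,
         rule_lsass_access, rule_ntds_via_vss, rule_wmi_remote_exec, rule_log_cleared]

# Constructed telemetry: one workstation compromise pivoting to the DC, plus benign noise.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:12:04Z", "host": "WS01", "channel": SYSMON, "event_id": 7,
     "image": r"C:\Users\j.doe\AppData\Local\Temp\report\viewer.exe",
     "image_loaded": r"C:\Users\j.doe\AppData\Local\Temp\report\version.dll", "signed": "false"},
    {"ts": "2024-05-01T09:12:09Z", "host": "WS01", "channel": SYSMON, "event_id": 8,
     "source_image": r"C:\Users\j.doe\AppData\Local\Temp\report\viewer.exe",
     "target_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"ts": "2024-05-01T09:12:11Z", "host": "WS01", "channel": SYSMON, "event_id": 7,
     "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image_loaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll", "signed": "true"},
    {"ts": "2024-05-01T09:20:30Z", "host": "WS01", "channel": SYSMON, "event_id": 10,
     "source_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"ts": "2024-05-01T10:02:15Z", "host": "DC01", "channel": SYSMON, "event_id": 1,
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin create shadow /for=C:"},
    {"ts": "2024-05-01T10:02:40Z", "host": "DC01", "channel": SYSMON, "event_id": 1,
     "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Temp\n.dit"},
    {"ts": "2024-05-01T10:15:00Z", "host": "DC01", "channel": "Security", "event_id": 1102},
    {"ts": "2024-05-01T10:15:01Z", "host": "DC01", "channel": "System", "event_id": 104,
     "cleared_channel": "Microsoft-Windows-WMI-Activity/Operational"},
    {"ts": "2024-05-01T09:00:00Z", "host": "WS01", "channel": SYSMON, "event_id": 1,
     "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"ts": "2024-05-01T09:00:05Z", "host": "WS01", "channel": SYSMON, "event_id": 10,
     "source_image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1fffff"},
]


def run_detections(events):
    """Apply every rule to every event and return the hits as a time-ordered list."""
    hits = [f for e in events for r in RULES if (f := r(e)) is not None]
    return sorted(hits, key=lambda f: f.ts)


if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f.ts, f.host, f.technique, f.rule, f.detail)
```

Sorting the findings by timestamp yields the same chronological path the DFIR specialization asks you to trace: side-load on the workstation, injection into WmiPrvSE.exe, LSASS access, a WMI-launched shell on the domain controller that creates a shadow copy and copies out NTDS.dit, and finally the Security and WMI-Activity logs being cleared. Note that the shadow-copy command fires two rules at once (WMI child process and NTDS theft), which is the normal outcome when one event sits at a phase boundary.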
Targeted Roles: Incident Response, Threat Hunting, SOC Analyst
Fusion Orchid Corp — APT33
Fusion Orchid Corp is a corporate environment with VPN remote access and mixed Linux/Windows infrastructure. APT33 compromises the network using stolen VPN credentials, then brute-forces internal hosts, harvests credentials, moves laterally across servers, and exfiltrates sensitive data.
The exercise ships with two specialisations, each containing 17 investigation tasks:
- DFIR (Incident Response): An alert-driven investigation. Participants respond to triggered alerts and trace the attacker's path chronologically through the kill chain.
- Threat Hunting: An intel-driven exercise. Participants start from APT33 threat intelligence and proactively hunt for indicators of compromise across the environment, testing hypotheses against live telemetry.
Targeted Roles: Incident Response, Threat Hunting, SOC Analyst
Nebula Banking — Event Horizon
This scenario covers AI chatbot exploitation via prompt injection, container escape through Docker socket abuse, Active Directory certificate abuse (ESC1), and financial fraud, giving defenders hands-on experience tracing a realistic attack chain from initial access to objective completion.
As organisations adopt GenAI tools in customer-facing applications, the attack surface has expanded beyond traditional network exploitation. Attackers are leveraging prompt injection, function abuse, and command injection against AI interfaces to gain initial footholds, then pivoting through container infrastructure into corporate networks. This range provides up-to-date training on detecting these emerging attack paths across Elastic, Splunk, and Microsoft Sentinel SIEMs.
Targeted Roles: Incident Response, Threat Hunting, SOC Analyst