New CTI Labs: Zero-day Behaviour: PDF Samples & UAC-0063 Intrusion: SIEM Analysis
Based on the report released by NCSC's CTO, a number of important cyber security developments occurred throughout the past week. We have created two labs on what we thought were the most interesting parts of the report, to align with what the NCSC is seeing out in the wild.

Zero-day Behaviour: PDF Samples
PDFs are used by everyone, and a researcher has found that you can embed commands in them that will communicate out to attacker-controlled servers; depending on which PDF reader a company uses, this can exfiltrate NTLM data to aid in further attacks. PDFs can be used for initial access in an attack, for example by sending a malicious one via email. Therefore, we have created a lab for defensive teams to analyze what these PDFs look like under the hood and how to identify this newly found behavior.

UAC-0063 Intrusion: SIEM Analysis
The threat group UAC-0063 has been observed sending malicious documents around the world, targeting Asia and Eastern Europe in its latest operation. Its aim is cyber espionage: gathering information about governments, NGOs, defense, and academia. With its malware, dubbed HATVIBE, the group has been seen to use legitimate diplomatic documents with malicious code embedded inside them. The lab provides an analysis of the attack chain, so our customers will understand what happens when one of the malicious documents is opened and what detections can be put in place to detect the attack.

Why should our customers care?
These two labs are based on information that the NCSC believes the industry needs to know. Understanding the updated attack techniques of threat groups and new ways to execute commands in PDFs is incredibly important because social engineering is still one of the most common methods of initial access. Our customers will therefore be able to analyze both of these threats to develop detections early or to gain familiarity with how these threats work.

Who is it for?
Incident responders
SOC analysts
Malware reverse engineers
CTI Analysts
Threat Hunters

Here is the link to the PDF lab: https://immersivelabs.online/labs/zero-day-behaviour-pdf-samples
Here is the link to the UAC-0063 lab: https://immersivelabs.online/labs/uac-0063-siem-analysis

New Team Sim Content: (Defensive) Operation Vulpes
Operation Vulpes is a defensive scenario and marks a return to using Splunk as the SIEM solution. This scenario sees Orchid Corporation reeling from the aftermath of a ransomware attack. Defenders will need to determine the path the attacker took to compromise and infect the network, and use information provided by a law enforcement agency to attempt to recover files. Users will need to use a variety of tools and defensive disciplines to solve the scenario, not just the SIEM solution.

This sim also utilizes our new user noise generation framework to simulate user web browsing activity on end-user devices. This spawns the Edge browser as a domain user and visits internal and external websites to add additional noise to the logs collected by Splunk.

Why have we created this content?
This Team Sim adds a level of complexity and realism by introducing actual ransomware, so you and your teams can exercise and prepare for the worst-case scenario. (Please be aware that Immersive Labs created the ransomware for exercise purposes only, and it includes failsafes to control its execution.) In addition, the sim uses popular tools found in security stacks, so the simulation is true to life.

What are we publishing?
A new Team Sim exercise, Operation Vulpes, which will be viewable in the Team Sim catalog for all Team Sim customers.

Who is this content for?
This Team Sim is primarily focused on testing the defensive and technical capabilities of the following roles:
SOC analysts
Incident responders
Threat hunters

Check it out now!

New CTI Lab: Xworm: Analysis
Xworm is a piece of malware that was first discovered in 2022 being used by threat actors such as NullBulge and TA558. Xworm is a remote access trojan (RAT). Attackers deploy it onto compromised machines to steal data, facilitate remote code execution through shell access, and tamper with native security solutions like Microsoft Windows Defender, preparing the machine for other malware to be dropped and executed.

Why have we created this content?
Xworm is a commodity piece of malware that has been observed in the wild and has previously been seen for sale on hacker forums to opportunistic cybercriminals. Recently, cracked versions of this malware have been leaked to VirusTotal, GitHub, and other repositories. This content provides a unique look into commodity malware: how it's designed and what to look out for when coming across it.

What are we publishing?
All customers on a CyberPro License have immediate access to a new lab:
Xworm: Analysis

Who is this content for?
This lab is focused on upskilling and increasing the defensive capabilities of the following roles:
Incident Responders
Malware Analysts
Reverse Engineers
SOC Analysts
Cyber Threat Intelligence Analysts

We are also hosting a webinar! Come and see what we do as a CTI team and how we help cyber teams with their real-world threat preparedness!

New CTI Labs: CVE-2024-0012 and CVE-2024-9474 (Palo Alto PAN-OS) – Offensive and Defensive
Today, we've released two brand-new labs focusing on defending against and exploiting two new vulnerabilities in Palo Alto firewalls! Learn how to attack a Palo Alto firewall by exploiting these vulnerabilities, as well as how to identify attack remnants and detect them effectively.

New CTI Lab: CRON#TRAP – Linux Environment Emulation
On November 4, 2024, Securonix published research identifying a novel attack chain in which attackers deploy a custom Linux machine using QEMU emulation to persist on endpoints, allowing them to run commands and deliver malware.

Why have we created this content?
Given that this technique is new and novel, this content was created to educate users on how legitimate tooling, such as virtual environments, can be abused by attackers. When the user is tricked into opening a .lnk file, the virtual machine starts and mounts to the host, giving backdoor access to an endpoint that effectively acts as a proxy.

What are we publishing?
All customers on a CyberPro License have immediate access to a new lab:
CRON#TRAP – Linux Environment Emulation

Who is this content for?
This lab is focused on upskilling and increasing the defensive capabilities of the following roles:
Incident Responders
Threat Hunters
Malware Analysts

New CTI Labs: Cobalt Strike Host Forensics and SIEM Analysis
Cobalt Strike is an adversary simulation tool developed by Fortra. It was designed to be used by professional red teams to perform post-exploitation actions such as enumerating file systems, elevating privileges, and deploying malware. Despite being designed for red teams, threat actors often use both licensed and unlicensed (cracked) versions of Cobalt Strike for malicious purposes.

Why have we created this content?
A recent report again stated that Cobalt Strike is the C2 framework of choice for hackers around the world. We previously had no labs covering how to identify and defend against this C2 framework. Therefore, as we have done with Havoc and Sliver, we have released labs based on analysis of its activity on networks and on hosts, and have created and released Volatility plugins to help defensive teams in their own analysis.

What are we publishing?
All customers on a CyberPro License have immediate access to two new labs:
Threat Research: Cobalt Strike C2 – Host Forensics
Threat Research: Cobalt Strike C2 – SIEM Analysis

Who is this content for?
These labs are focused on upskilling and increasing the defensive capabilities of the following roles:
SOC Analysts
Incident Responders
Threat Hunters
Malware Analysts

Face Your Fears this Halloween and Return to Haunted Hollow
🧛♀️ Brace yourselves, brave souls! The haunted season has returned, and with it, an all-new cybersecurity adventure—Halloween 2024: Return to Haunted Hollow. The sinister spirits of cyberspace await you in this terrifying sequel to our 2023 Halloween collection, The Haunted Hollow. This is no mere challenge—it's an eerie expedition through 9 haunted labs designed to test your skills and sanity alike. Whether you're a seasoned crypt keeper of the cybersecurity world or a curious newcomer, there's a fright waiting for everyone in this immersive capture-the-flag experience!

🔮 From unraveling encrypted secrets to hunting ghosts in packet captures, every lab holds the key to defeating the horrors lurking within. Can you escape the Haunted Helpdesk, break the Encryption Enigma, or uncover the Spooky, Scary, Silly Snaps? Each step you take deeper into this digital graveyard will challenge your mind and test your courage, until you can break out of the park through the Emergency Exit!

🕷️ With a difficulty ranging from approachable to spine-chillingly tough, it's not about conquering all the horrors—just enough to emerge from the shadows with your sanity intact. Gather your wits, grab your digital lantern, and get ready to explore the most terrifying corners of cyber horror!

🧛 Release Date: October 16th
⌛ Estimated Time to Complete: 5 hours
👻 Labs: 9, each more terrifying than the last
🎃 Difficulty Range: 2-6
🧟 Collection Type: Challenge

Lab details
Note: These labs can be completed in any order, but we have ordered them from most accessible to most challenging. The final lab can only be completed after the other labs have been completed. The prequel collection doesn't need to be completed before you can dive into these labs, but if you're craving some extra chills and thrills, feel free to haunt them first!
Phishing for Treats
Difficulty: 2
Skills required: None – this lab should be accessible to all audiences
What's involved: This is a new phishing emails lab, with Halloween-themed emails. Users have to identify whether each email is 'safe' or 'spam' based on indicators in the emails.

PCAP Pandemonium
Difficulty: 4
Skills required: Packet capture analysis (Wireshark)
What's involved: In this lab, users will need to analyse multiple packet captures using Wireshark to identify the answers to the questions from the network traffic.

Delving Deeper
Difficulty: 4
Skills required: Web application enumeration
What's involved: Users will need to explore a web application in order to gain access to a computer terminal within the application. From there, they'll need to interact with a simple API.

Encryption Enigma
Difficulty: 5
Skills required: Modern encryption/encoding techniques (knowledge of how to use CyberChef will be useful)
What's involved: Users will need to identify the correct encoding and encryption technique used to obfuscate each message in an application, before decrypting/decoding each message.

Confusing Code
Difficulty: 5
Skills required: Linux enumeration techniques, reverse engineering (particularly using Ghidra)
What's involved: Users will need to use Linux enumeration techniques to identify a binary, before reverse engineering that binary to figure out how to exploit it.

Haunted Helpdesk
Difficulty: 5
Skills required: Linux enumeration and privilege escalation techniques
What's involved: Users will be dropped into a restricted environment. From there, they'll need to figure out how to escape, and escalate their privileges to root.

Fearsome Forensics
Difficulty: 6
Skills required: OSINT, web application enumeration, modern encryption techniques, steganography
What's involved: In this lab, the user will need to explore the web application and discover clues using OSINT techniques. These clues will then be used to decipher encrypted messages, finally revealing how to extract a message hidden inside an image.

Spooky, Scary, Silly Snaps
Difficulty: 6
Skills required: AWS capabilities (particularly S3 and AWS permissions), Python scripting
What's involved: Users will need to enumerate public S3 resources to identify credentials for an AWS account. From there, they'll need to interact with the AWS console and identify a way of escalating their privileges on AWS.

Emergency Exit
Difficulty: 1
Skills required: None – this lab is a culmination of the preceding labs within the collection, but no specific skills are required to complete it.
What's involved: In each of the labs in this collection, users will have been asked to make a note of a code. In this lab, they need to submit each of these codes.

Share Your Thoughts
Did you escape the Haunted Hollow? We'd love to hear from you! Remember, you can post in our Help & Support Forum for hints, tips, and collaboration with your fellow community of experts.

New CTI Labs: Palo Alto Expedition Critical Vulnerabilities
CVE-2024-5910 (Palo Alto Expedition) - Defensive
Identify signs of exploitation in event logs and extract indicators of compromise.

CVE-2024-5910 (Palo Alto Expedition) - Offensive
Use publicly available proof-of-concept code to exploit the vulnerabilities, gaining access to sensitive data.

What is Expedition and why should you care?
The flaws were found in Palo Alto Networks' Expedition solution, which helps migrate configurations from Checkpoint, Cisco, or other supported vendors. This application can be exploited to access sensitive data, such as user credentials, that can help take over firewall admin accounts, significantly impacting the security of an organisation's network. These labs provide steps to identify any potential signs of exploitation and detail how the exploit functions.

Who is it for?
Incident responders
SOC analysts
CTI Analysts
Threat Hunters
Red Teams
Pen testers
Offensive Security professionals

Complete CVE-2024-5910 (Palo Alto Expedition) - Defensive here
Complete CVE-2024-5910 (Palo Alto Expedition) - Offensive here