Dashboard


Dark Web Intelligence
Simulated chatter from dark web marketplaces regarding the breach.

> Fresh dump: Queen Elizabeth Central Hospital (Malawi) patient records. 50k+ entries. Full names, DOB, medical history. Perfect for identity theft. DM for sample.

> Selling exclusive access to Malawi hospital database. Contains PII and sensitive health info. Auction starts at 10 BTC.

> Just acquired a large dataset from a Malawian hospital breach. Includes records of government officials. High value.

IOC to Log Correlation Exercise
Select an IOC to see how it appears in the network logs and understand its significance.

Relevant Network Logs

| Timestamp | Source IP | Destination IP | Protocol | Length | Info | Threat Type |
|---|---|---|---|---|---|---|
| | 10.10.150.82 | 185.220.101.35 | HTTPS | 2104 | TLSv1.3 Handshake, SNI: university-login.portal-mal.com | Initial Access |
| | 185.220.101.35 | 10.10.150.82 | TCP | 980 | HTTP POST /login with user credentials (charlie.dean) | |
| | 198.51.100.23 | 172.16.1.15 | RDP | 1500 | RDP Connection Request to RTD-APP-01 | Lateral Movement |
| | 172.16.1.15 | 198.51.100.23 | TCP | 180 | SMB2 Create Request, File: \\172.16.1.15\C$\Windows\Temp\payload.dll | Lateral Movement |
| | 172.16.1.15 | 198.51.100.23 | DNS | 78 | Standard query 0x1234 A IN c2.lockbit.internal | C2 Beacon |
| | 172.16.1.15 | 198.51.100.23 | HTTPS | 256 | Encrypted C2 Beacon | C2 Beacon |
| | 172.16.1.15 | 172.16.1.20 | SMB | 2048 | SMB Enumeration of shares on RTD-DB-01 | Reconnaissance |
| | 172.16.1.15 | 172.16.1.20 | TCP | 102 | Ransomware key exchange | C2 Beacon |
| | 10.10.150.82 | 172.18.1.10 | Kerberos | 312 | AS-REQ, User: qeh_admin@qech.med.mw | Lateral Movement |
| | 10.10.150.82 | 172.18.1.10 | DCERPC | 250 | NetrServerReqChallenge (Zerologon attempt) | Lateral Movement |
| | 10.10.150.82 | 172.18.5.21 | ICMP | 64 | Ping to EHR-DB-02 | Reconnaissance |
| | 198.51.100.23 | 192.168.100.10 | S7COMM | 112 | S7 Communication: Stop CPU command | Command & Control |
| | 192.168.100.10 | 198.51.100.23 | TCP | 74 | C2 Beacon from PLC | C2 Beacon |
| | 172.18.5.21 | 8.8.8.8 | DNS | 82 | Standard query 0x5678 A IN pastebin.com | Reconnaissance |
| | 172.18.5.21 | 198.51.100.23 | HTTPS | 1500 | TLSv1.3, large packet size, potential data staging | Data Exfiltration |
| | 172.18.5.21 | 198.51.100.23 | HTTPS | 1048576 | Continuous large data upload to C2 server | Data Exfiltration |
| | 104.26.10.188 | 192.0.2.100 | HTTP | 750 | HTTP POST /node/add (Drupal CMS) | Command & Control |
| | 203.0.113.88 | 10.100.1.5 | SIP | 650 | SIP INVITE (Initiating deepfake video call) | Initial Access |
| | 10.10.150.82 | 172.18.1.10 | DCERPC | 128 | SAMR Query, EnumUsers | Reconnaissance |
| | 198.51.100.23 | 172.18.1.10 | LDAP | 210 | LDAP searchRequest, filter=(userPrincipalName=charlie.dean) | Reconnaissance |
| | 172.16.1.15 | 172.16.1.20 | SMB | 4096 | SMB Write Request, file: \\RTD-DB-01\C$\...\README.lockbit | Command & Control |
| | 172.16.1.15 | 198.51.100.23 | HTTPS | 310 | C2 Beacon: Encryption complete on RTD-APP-01 | C2 Beacon |
| | 192.168.100.5 | 192.168.100.10 | S7COMM | 120 | S7 Communication: Write Variable (manipulating setpoint) | Command & Control |
| | 172.18.5.21 | 198.51.100.23 | HTTPS | 2097152 | Sustained data upload, total >1GB | Data Exfiltration |
| | 104.26.10.188 | 192.0.2.100 | HTTP | 1204 | HTTP POST /admin/config/media/file-system (Drupal file upload) | Command & Control |
| | 10.10.150.82 | 172.17.20.5 | SMB | 512 | Accessing share \\UNI-FILE-SVR\research$ | Lateral Movement |
| | 172.16.1.15 | 172.16.1.1 | DCERPC | 188 | SAMR query against RTD Domain Controller | Reconnaissance |
| | 198.51.100.23 | 192.168.100.10 | S7COMM | 98 | S7 Communication: Read Variable (verifying manipulation) | Reconnaissance |
| | 198.51.100.23 | 172.17.20.5 | SMB2 | 2048 | Accessing file \\UNI-FILE-SVR\research$\ProjectX.zip | Lateral Movement |
| | 172.16.1.15 | 198.51.100.23 | HTTPS | 1024 | C2 Heartbeat, sending ransomware status | C2 Beacon |