Scenario:-

On the morning of March 27, 2026, the Ministry of Defense Security Operations Center received multiple critical alerts. Several employees reported that their workstations were locked, displaying a ransom note demanding payment in cryptocurrency. Simultaneously, the cloud infrastructure team reported that highly classified project files stored in AWS S3 buckets and Azure Blob Storage had been encrypted and appended with an unfamiliar file extension. Initial triage suggests that a sophisticated threat actor, tracked internally as Grizzly Strike, managed to breach the perimeter through the DMZ, move laterally into the core production network, compromise critical identity infrastructure, and deploying a coordinated ransomware payload across the entire estate. As the lead incident responder, your mission is to reconstruct the complete attack chain from initial compromise to final impact. You must analyze the provided forensic evidence to determine how the attacker gained their initial foothold, what tools and techniques they used to move through the network, how they escalated privileges and established persistence, what data was accessed and exfiltrated from both cloud platforms, and how the ransomware was ultimately deployed. Every answer lies within the evidence. Correlate across multiple log sources, leave no artifact unexamined, and good luck.


Threat Hunting

Q1: The attack began when an analyst downloaded a malicious AI agent skill from a public repository. What is the full URL of the GitHub repository that hosted this skill?

Unlock Your Full Learning Experience with BlueYard Labs

Sign up to track your progress, unlock exclusive labs, and showcase
your achievements—begin your journey now!
Join for Free