Prototype Labs

These are prototypes and may be broken at any time. They are under development. Hang tight!

PAPER TIGERS // PROVING GROUND: ROOM 01

> OPORD: THE ZERO TRUST ILLUSION

Your SIEM dashboard is showing a completely secure environment. Descend through the telemetry stack to verify the physical state.

> WARNING: Syntax highlighting disabled. Do not trust the abstractions.

# [LAYER 13: DASHBOARD // NOMINAL]

[14:01:22] ZTA_POLICY: User [J_Smith] auth success.
[14:02:12] SESSION_GRANTED: User [Admin_01] assigned to secure workspace.
[14:03:00] SYSTEM_SYNC: AD differential sync complete.
[14:04:15] ZTA_POLICY: User [T_Rogers] auth success.
[14:05:44] ZTA_POLICY: Continuous access verified. No anomalies.

# [LAYER 11: PIPELINE // RAW JSON]

{"time":"14:02:12", "user":"Admin_01", "ip":"192.168.1.50", "asn":"AS7018", "token_id":"JWT_7789A"}
{"time":"14:03:45", "user":"Admin_01", "ip":"192.168.1.50", "asn":"AS7018", "token_id":"JWT_7789A", "action":"GET /api/v1/secure/nodes"}
{"time":"14:05:44", "user":"Admin_01", "ip":"203.0.113.85", "asn":"AS4808", "token_id":"JWT_7789A", "action":"GET /api/v1/secure/vault/export"}

# [LAYER 6: MECHANISM // ETWTI KERNEL]

Time: 14:05:38 | EventID: 10 | Task: ProcessAccess | SourceId: 884 | TargetId: 8112 | Access: 0x10
Time: 14:05:40 | EventID: 10 | Task: ProcessAccess | SourceId: 4092 (svchost.exe) | TargetId: 8112 (chrome.exe) | Access: 0x10 (VirtualMemoryRead)
Time: 14:05:41 | EventID: 3 | Task: NetworkConnect | ProcessId: 4092 (svchost.exe) | DestIP: 203.0.113.85
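The three layers above only tell the story once they are read together: Layer 11 shows the same token_id presented from a new IP and ASN while Layer 6 shows a process reading another process's memory and then connecting out to that same IP. The following Python is an added example, not part of the lab or its telemetry pipeline, that parses the records exactly as printed on this page and joins them. It assumes the field names shown (ip, asn, token_id, SourceId, TargetId, Access, DestIP), that the 0x10 access bit means a virtual-memory read as the Layer 6 record annotates, and that all timestamps fall on one day so they can be compared as HH:MM:SS strings.

```python
import json

# Layer 11 records, copied from the page (one JSON object per line).
PIPELINE_JSON = """\
{"time":"14:02:12", "user":"Admin_01", "ip":"192.168.1.50", "asn":"AS7018", "token_id":"JWT_7789A"}
{"time":"14:03:45", "user":"Admin_01", "ip":"192.168.1.50", "asn":"AS7018", "token_id":"JWT_7789A", "action":"GET /api/v1/secure/nodes"}
{"time":"14:05:44", "user":"Admin_01", "ip":"203.0.113.85", "asn":"AS4808", "token_id":"JWT_7789A", "action":"GET /api/v1/secure/vault/export"}
"""

# Layer 6 records, copied from the page ('Key: value | Key: value' per line).
KERNEL_LOG = """\
Time: 14:05:38 | EventID: 10 | Task: ProcessAccess | SourceId: 884 | TargetId: 8112 | Access: 0x10
Time: 14:05:40 | EventID: 10 | Task: ProcessAccess | SourceId: 4092 (svchost.exe) | TargetId: 8112 (chrome.exe) | Access: 0x10 (VirtualMemoryRead)
Time: 14:05:41 | EventID: 3 | Task: NetworkConnect | ProcessId: 4092 (svchost.exe) | DestIP: 203.0.113.85
"""

PROCESS_VM_READ = 0x10  # access-mask bit the Layer 6 record labels VirtualMemoryRead (assumed)


def parse_pipeline(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_kernel(text):
    """Split each line on '|' and each part on its first ':' (so 'Time: 14:05:38' survives)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {}
        for part in line.split("|"):
            key, _, value = part.partition(":")
            fields[key.strip()] = value.strip()
        events.append(fields)
    return events


def pid_of(field):
    """'4092 (svchost.exe)' -> 4092; a bare '884' -> 884."""
    return int(field.split()[0])


def find_token_drift(records):
    """Alert when a token_id is later presented from a different (ip, asn) than it was first bound to."""
    bound_origin = {}
    alerts = []
    for r in records:
        seen = (r["ip"], r["asn"])
        bound = bound_origin.setdefault(r["token_id"], seen)
        if seen != bound:
            alerts.append({"time": r["time"], "user": r["user"], "token_id": r["token_id"],
                           "bound_to": bound, "presented_from": seen, "action": r.get("action")})
    return alerts


def find_read_then_connect(events):
    """Pair a cross-process memory read with a later outbound connect by the same source PID."""
    chains = []
    reads = [e for e in events if e.get("Task") == "ProcessAccess"
             and int(e["Access"].split()[0], 16) & PROCESS_VM_READ]
    for read in reads:
        src = pid_of(read["SourceId"])
        for e in events:
            if (e.get("Task") == "NetworkConnect" and pid_of(e["ProcessId"]) == src
                    and e["Time"] >= read["Time"]):
                chains.append({"source": read["SourceId"], "target": read["TargetId"],
                               "read_at": read["Time"], "dest_ip": e["DestIP"],
                               "connect_at": e["Time"]})
    return chains


def correlate(pipeline_text=PIPELINE_JSON, kernel_text=KERNEL_LOG):
    """Join the two layers on IP: a read-then-connect whose destination is the new token origin."""
    drift = find_token_drift(parse_pipeline(pipeline_text))
    chains = find_read_then_connect(parse_kernel(kernel_text))
    by_ip = {a["presented_from"][0]: a for a in drift}
    return [{"kernel": c, "session": by_ip[c["dest_ip"]]} for c in chains if c["dest_ip"] in by_ip]


if __name__ == "__main__":
    for finding in correlate():
        k, s = finding["kernel"], finding["session"]
        print(f"{k['source']} read {k['target']} at {k['read_at']}, connected to {k['dest_ip']} "
              f"at {k['connect_at']}; token {s['token_id']} then used from {s['presented_from']} "
              f"at {s['time']} for {s['action']}")
```

The Layer 13 line at 14:05:44 reports no anomalies because each record, on its own, passes: the token is valid, the process access is a common API call, and the outbound connection is to a routable address. The join is what a detection engineer would want on the dashboard: a token bound to one origin and reused from another, preceded by a memory read of the browser that held it and a connection from the reader to that same origin.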

[ STAGE 1 ]: THE ILLUSION

Identify the high-privilege account assigned to the secure workspace in L13.