An infostealer-stolen cloud key, replayed through a firewall hole, reading prod secrets and minting a second key
A hard Cyber × Network Fusion scenario on Tri-Domain: Stolen Key → Egress Gap → Cloud Exfil.
Your response is scored by the same deterministic rubric used across the catalog. Email and evidence content stay hidden until you start. One of 6 templates in this Track + Difficulty pool.
catalog id · fusion-tri-domain-stolen-key-egress-cloud-exfil
What this scenario practices, mapped to recognized frameworks.
Educational mapping only. Not a compliance attestation.
- Endpoint to firewall to cloud correlated triage
- Cross-domain containment without a branch-wide outage
- Credentials from Password Stores · Credential Access · T1555 · TA0006 · Mapped · High confidence
Trains recognition that an infostealer harvested a cloud access key from the browser store and a local credentials file on the endpoint.
- Valid Accounts: Cloud Accounts · Privilege Escalation · T1078.004 · TA0004 · Mapped · High confidence
Trains response when a stolen long-lived key is replayed as a valid cloud account from an unexpected network path.
- Account Manipulation: Additional Cloud Credentials · Persistence · T1098.001 · TA0003 · Mapped · High confidence
Trains detecting and removing the second access key the actor created for the service identity as cloud persistence.
- Network Traffic Analysis · D3-NTA · Mapped · High confidence
Trains correlating the unexpected branch-to-cloud firewall path with the anomalous service-identity API calls.
- User Account Containment · D3-UAC · Mapped · High confidence
Trains disabling the stolen key and the newly created key to stop the service identity's cloud access.
- User Account Permissions · D3-UAP · Mapped · Medium confidence
Trains scoping the over-permissioned build identity down so a stolen key cannot read production secrets.
- Continuous Monitoring · Detect · DE.CM · DE · Mapped · High confidence
Trains detection from cloud API calls arriving from an unexpected source network for a service identity.
- Mitigation · Respond · RS.MI · RS · Mapped · High confidence
Trains paired identity and firewall containment without a branch-wide VPN outage.
- IR lifecycle phase · Detection & Analysis · Mapped · High confidence
Trains correlating endpoint, firewall, and cloud telemetry into one attack timeline.
- IR lifecycle phase · Containment, Eradication & Recovery · Mapped · High confidence
Trains scoped key disablement, firewall rollback, and endpoint isolation together.
- Phishing-Resistant MFA · 2.E · Partial · Low confidence
Trains the identity-assurance baseline that complements moving service identities off long-lived static keys.
- Detecting Relevant Threats and TTPs · 3.A · Mapped · Medium confidence
Trains the detection baseline that surfaces a service-identity key used from an unexpected source network.
- Access Control Management · Control 6 · Mapped · High confidence
Trains least-privilege and key-rotation response when a broadly permissioned service identity's key is stolen.
- Network Infrastructure Management · Control 12 · Mapped · High confidence
Trains the firewall change-control and egress hygiene that the widened branch-to-cloud rule violated.