A widened cloud-VPN split-tunnel let a compromised laptop ride an SSO session into the cloud admin console
A hard Cyber × Network Fusion scenario on Tri-Domain: VPN Policy → SSO Session → Cloud Console Pivot.
Start a graded attempt against this scenario. Your response is scored by the same deterministic rubric used across the catalog. Email and evidence content stay hidden until you start.
catalog id · fusion-tri-domain-vpn-sso-cloud-console-pivot
What this scenario practices, mapped to recognized frameworks.
Educational mapping only. Not a compliance attestation.
- Endpoint to VPN to cloud console correlated triage
- Cross-domain containment without a VPN-wide outage
- Steal Web Session Cookie · Credential Access · T1539 · TA0006 · Mapped · High confidence
Trains recognition that a tool on the endpoint stole a live SSO session cookie for the cloud admin console, not the user's password.
- Use Alternate Authentication Material: Web Session Cookie · Defense Evasion · T1550.004 · TA0005 · Mapped · High confidence
Trains response when a stolen session cookie is replayed to reach the cloud console with no password or MFA prompt.
- Valid Accounts: Cloud Accounts · Privilege Escalation · T1078.004 · TA0004 · Mapped · High confidence
Trains response to a stolen session assuming a privileged console-admin role from an unexpected VPN-pool source address.
- Network Traffic Analysis · D3-NTA · Mapped · High confidence
Trains correlating the widened VPN-to-cloud-management path with the anomalous console session sourced from the VPN client pool.
- User Account Containment · D3-UAC · Mapped · High confidence
Trains revoking the SSO session and the assumed console-admin role session to stop the console access.
- User Account Permissions · D3-UAP · Mapped · Medium confidence
Trains scoping console-admin to least privilege so a stolen analyst session cannot reach the admin console.
- Continuous Monitoring · Detect · DE.CM · DE · Mapped · High confidence
Trains detection from console access sourced in the VPN client pool address range combined with a first-time privileged role assumption.
- Mitigation · Respond · RS.MI · RS · Mapped · High confidence
Trains paired identity and VPN-path containment that does not cause a VPN-wide outage.
- IR lifecycle phase · Detection & Analysis · Mapped · High confidence
Trains correlating endpoint, VPN, and cloud console telemetry into one attack timeline.
- IR lifecycle phase · Containment, Eradication & Recovery · Mapped · High confidence
Trains scoped session revocation, VPN policy rollback, and endpoint isolation carried out together.
- Phishing-Resistant MFA · 2.E · Partial · Low confidence
Trains the identity-assurance baseline (step-up reauthentication) that complements short-lived console sessions.
- Detecting Relevant Threats and TTPs · 3.A · Mapped · Medium confidence
Trains the detection baseline that surfaces console access from a network that should never reach the admin plane.
- Access Control Management · Control 6 · Mapped · High confidence
Trains session and role containment when a stolen SSO session reaches a privileged cloud console.
- Network Infrastructure Management · Control 12 · Mapped · High confidence
Trains the VPN change-control and split-tunnel hygiene that the widened VPN-to-cloud-management rule violated.
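As an added example, not part of this catalog page or the scenario's hidden evidence, the Python below shows the correlation the Network Traffic Analysis, Continuous Monitoring and Detection & Analysis mappings above describe, run over constructed VPN, endpoint and console records: it flags a split-tunnel include route that overlaps the cloud-management prefix, attributes a console sign-in from the VPN client pool back to the laptop holding that pool address, notes the endpoint cookie-store read shortly before it, and marks a first-time privileged role assumption. A last helper derives the scoped containment set (session revocation, route rollback, endpoint isolation) the Containment mapping describes. All addresses, usernames, device names, role names, alert names and record layouts are assumptions.

```python
from datetime import datetime, timedelta
import ipaddress

# Constructed boundaries; real values come from the VPN and cloud inventory.
MGMT_CIDR = ipaddress.ip_network("203.0.113.0/24")   # cloud management/console endpoints (TEST-NET-3)
VPN_POOL = ipaddress.ip_network("10.200.0.0/16")     # addresses handed to VPN clients
PRIVILEGED_ROLES = {"ConsoleAdmin"}

# Constructed sample telemetry, one normalized record per source.
EVENTS = [
    {"ts": "2024-05-02T08:55:00Z", "source": "vpn", "type": "policy_change",
     "actor": "netops", "split_tunnel_include": ["10.0.0.0/8", "203.0.113.0/24"]},
    {"ts": "2024-05-02T09:01:10Z", "source": "vpn", "type": "session_start",
     "user": "a.analyst", "device": "LAPTOP-07", "pool_ip": "10.200.4.18"},
    {"ts": "2024-05-02T09:03:42Z", "source": "edr", "type": "alert",
     "device": "LAPTOP-07", "name": "browser_cookie_store_read", "process": "updater.exe"},
    {"ts": "2024-05-02T09:05:15Z", "source": "cloud", "type": "console_signin",
     "user": "a.analyst", "src_ip": "10.200.4.18", "mfa": False, "auth": "session_cookie"},
    {"ts": "2024-05-02T09:06:02Z", "source": "cloud", "type": "assume_role",
     "user": "a.analyst", "role": "ConsoleAdmin", "src_ip": "10.200.4.18"},
]
# Constructed baseline: roles each principal has assumed before this window.
ROLE_BASELINE = {"a.analyst": {"ReadOnlyAnalyst"}}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def widened_routes(policy_event, mgmt_cidr=MGMT_CIDR):
    """Split-tunnel include routes that overlap the cloud-management prefix."""
    return [r for r in policy_event.get("split_tunnel_include", [])
            if ipaddress.ip_network(r).overlaps(mgmt_cidr)]


def correlate(events, role_baseline=ROLE_BASELINE, window=timedelta(minutes=30)):
    """One timeline across VPN, endpoint and console telemetry; returns findings in time order."""
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    pool_map = {}      # pool_ip -> (user, device) learned from VPN session_start records
    edr_alerts = []    # (ts, device, alert name)
    findings = []
    for e in events:
        ts = parse_ts(e["ts"])
        if e["type"] == "policy_change":
            for r in widened_routes(e):
                findings.append({"kind": "split_tunnel_widened", "ts": e["ts"],
                                 "route": r, "actor": e.get("actor")})
        elif e["type"] == "session_start":
            pool_map[e["pool_ip"]] = (e["user"], e["device"])
        elif e["type"] == "alert" and e["source"] == "edr":
            edr_alerts.append((ts, e["device"], e["name"]))
        elif e["type"] in ("console_signin", "assume_role"):
            if ipaddress.ip_address(e["src_ip"]) not in VPN_POOL:
                continue  # only console activity sourced from the VPN client pool is of interest here
            user, device = pool_map.get(e["src_ip"], (None, None))
            if e["type"] == "console_signin":
                # A cookie-store read on the same laptop just before the sign-in, plus no MFA
                # prompt, points at session-cookie replay rather than a password compromise.
                preceding = [n for (ats, d, n) in edr_alerts
                             if d == device and ts - window <= ats <= ts]
                findings.append({"kind": "console_from_vpn_pool", "ts": e["ts"], "user": e["user"],
                                 "device": device, "mfa": e.get("mfa"), "auth": e.get("auth"),
                                 "preceding_edr_alerts": preceding})
            elif e["role"] in PRIVILEGED_ROLES and e["role"] not in role_baseline.get(e["user"], set()):
                findings.append({"kind": "first_time_privileged_role", "ts": e["ts"],
                                 "user": e["user"], "role": e["role"], "device": device})
    return findings


def containment_scope(findings):
    """Paired, scoped actions: one route, one user's sessions, one device; no VPN-wide outage."""
    actions = set()
    for f in findings:
        if f["kind"] == "split_tunnel_widened":
            actions.add(f"vpn: remove split-tunnel include {f['route']}")
        elif f["kind"] == "console_from_vpn_pool":
            actions.add(f"idp: revoke SSO sessions for {f['user']}")
            if f["device"]:
                actions.add(f"edr: isolate {f['device']}")
        elif f["kind"] == "first_time_privileged_role":
            actions.add(f"cloud: revoke role session {f['role']} for {f['user']}")
    return sorted(actions)


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f)
    print(containment_scope(correlate(EVENTS)))
```

The pool-address lookup is the hinge: a console sign-in from 10.200.x.x means nothing until the VPN session log says which laptop held that address at that minute, and that is what lets the EDR alert and the console event be joined on the device rather than on the user alone.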