
PHANTOM CTF I
Welcome to Level Effect's first major CTF on our Guardian Foundry platform. This is not your typical CTF hunting for flags and IOCs. You'll be performing and delivering on real work tasks and even submit a DFIR report at the end which is manually reviewed.
PHANTOM Badge
Earn a digital badge for completing all challenges on this CTF! Example here: https://foundry.leveleffect.com/verify/3bje6kupwh
Your Challenges
You'll submit your work in the platform across these four progressive sections. Each one builds on the previous section and gets progressively harder.
Part 1 - IOC Discovery (10 questions, 2 threat analysis questions)
Answer the 10 IOC questions in the platform. These are fact-extraction questions answered from the artifacts. Some are auto-graded (exact match), others are graded for substance.
You'll also have 2 threat analysis questions. These are short written report answers. They test your threat actor attribution skills and ask you to consider what operational impact your findings might have.
Part 2 - Detection Rules (3 rules)
Build three detection rules, one each:
- YARA rule that would fire on the malicious payload or its dropped artifacts
- Snort rule that would fire on the network exfil traffic
- Sigma rule that would fire on the build-time process telemetry
Each rule depends on you having identified the right IOCs in Part 1.
Part 3 - Threat Hunt Query (1 query, your choice of language)
Write a single threat hunt query in either KQL (Microsoft Sentinel / Defender) or PowerShell that you could run across Goodcorp's fleet to find other potentially compromised hosts. You submit one language. The grader accepts either and will recognize which one you used.
Part 4 - Incident Report (4 sections)
Submit your incident report in four separate platform fields:
- IOC Entries Table - Add IOC entries one at a time (Type, Value, Notes). Capture every IOC the SOC manager would want documented. Roughly 12-18 entries is the right range.
- Executive Summary - Plain-language summary for non-technical readers (CISO, board). What happened, what was at risk, what we're doing about it. 150-250 words.
- Technical Analysis - Walk the kill chain in order with evidence citations. 400-600 words.
- Remediation Steps - Numbered list of containment and remediation actions. Containment first. Specific and actionable.
Incident Record
Goodcorp Professional Services
Incident reference: GC-IR-2026-0518
SOC Tier 1 escalation, awaiting analyst pickup
Briefing Memo
To: Incoming analyst
From: Goodcorp SOC, graveyard shift handoff
Subject: CI/CD outbound anomaly escalation to you
Hey. You're picking this up. Here's where we are.
At 02:14:33 UTC this morning our Sentinel deployment fired on outbound anomaly behavior from ci-build-runner-03.goodcorp.internal, one of our GitHub Actions self-hosted runners. The runner had kicked off the nightly build pipeline for our internal goodcorp-portal repo about ten minutes earlier. Initial triage shows the npm install step pulled a package version that nobody on our side had touched in months. Outbound traffic from the runner to an unfamiliar endpoint started a few seconds after install completed.
Graveyard shift isolated the runner and pulled the relevant artifacts. The build host is offline but the artifacts are on the share.
Your job is to figure out what happened, scope the damage, and hand the SOC manager something they can take to the CISO.
Threat intel sent us a heads-up last week about a worm-style supply chain campaign called Mini Shai-Hulud, attributed to TeamPCP. The pattern looks like a fit. The CTI briefing in the artifact pack walks through what they've seen so far. Read that first.
The blast radius could be significant. The build runner holds an AWS IAM role with read access to our Secrets Manager and push access to ECR. The repo's GitHub PAT is stored on the runner. We use Vault sidecars for application secrets. Anything mounted at build time was reachable.
You have until end of shift to produce the deliverables below. The SOC manager is briefing the CISO at 16:00 after you wrap up. Get me what they need.
J. Park, SOC Lead
Artifacts available
Pull these from the case folder. Read them in this order:
- 02-cti-briefing.md - CTI team's threat intel briefing on TeamPCP and Mini Shai-Hulud
- 03-package.json - the project's package.json from the affected repo
- 04-package-lock-diff.md - diff between yesterday's and today's package-lock.json
- 05-ci-cd-job.log - full CI/CD job log from the affected build
- 06-deobfuscation-analysis.md - CTI team's deobfuscation report on the malicious preinstall payload
- 07-network-proxy.log - egress proxy log entries from the build runner during the incident window
- 08-github-audit.json - relevant GitHub audit log excerpts
- 09-environment-context.md - Goodcorp environment context, what's at risk
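The memo's key observation is that the npm install step pulled a package version nobody had touched in months, and the artifact pack gives you the lock-file diff to prove it. The script below shows the general form of that check: it diffs two package-lock.json snapshots, reports every added, removed or version-changed entry, and flags the ones that run an install script (the `hasInstallScript` field npm writes into lockfile v2/v3) or that resolve to a host outside the expected registry. This is an added example, not part of the CTF artifact pack or Level Effect's code; the two lock files and package names are constructed, and the set of trusted registry hosts is an assumption.

```python
"""Diff two package-lock.json snapshots and flag dependency changes worth triage.

Added example for the briefing above. It is not part of the CTF artifact pack;
the two lock files below are constructed and the package names are made up.
"""
import json
from urllib.parse import urlparse

TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}  # assumption: the only approved package source

# Constructed lockfile v3 snapshots: "packages" is keyed by install path, "" is the root project.
YESTERDAY_LOCK = json.dumps({
    "name": "example-portal", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-portal", "dependencies": {"left-pad-ish": "^1.0.0", "utils-x": "^2.1.0"}},
        "node_modules/left-pad-ish": {
            "version": "1.0.4",
            "resolved": "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.0.4.tgz",
            "integrity": "sha512-AAAA"},
        "node_modules/utils-x": {
            "version": "2.1.0",
            "resolved": "https://registry.npmjs.org/utils-x/-/utils-x-2.1.0.tgz",
            "integrity": "sha512-BBBB"},
    },
})
TODAY_LOCK = json.dumps({
    "name": "example-portal", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-portal", "dependencies": {"left-pad-ish": "^1.0.0", "utils-x": "^2.1.0"}},
        # version bumped, tarball hash changed, and the new release runs an install script
        "node_modules/left-pad-ish": {
            "version": "1.0.5",
            "resolved": "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.0.5.tgz",
            "integrity": "sha512-CCCC", "hasInstallScript": True},
        "node_modules/utils-x": {
            "version": "2.1.0",
            "resolved": "https://registry.npmjs.org/utils-x/-/utils-x-2.1.0.tgz",
            "integrity": "sha512-BBBB"},
        # transitive dependency that appeared overnight, fetched from outside the registry
        "node_modules/left-pad-ish/node_modules/helper-y": {
            "version": "0.0.1",
            "resolved": "https://cdn.example.invalid/helper-y-0.0.1.tgz",
            "integrity": "sha512-DDDD", "hasInstallScript": True},
    },
})


def load_packages(lock_text):
    """Return {install_path: metadata} for every non-root entry in a v2/v3 lockfile."""
    lock = json.loads(lock_text)
    return {path: meta for path, meta in lock.get("packages", {}).items() if path}


def package_name(install_path):
    """'node_modules/a/node_modules/b' -> 'b' (scoped names keep their '@scope/' prefix)."""
    return install_path.rsplit("node_modules/", 1)[-1]


def risk_flags(meta):
    """Properties of a lock entry that deserve a second look during supply-chain triage."""
    flags = []
    if meta.get("hasInstallScript"):
        flags.append("install-script")  # preinstall/install/postinstall runs code at npm install time
    host = urlparse(meta.get("resolved", "")).hostname
    if host and host not in TRUSTED_REGISTRY_HOSTS:
        flags.append(f"off-registry:{host}")
    return flags


def diff_locks(old_text, new_text):
    """List added, removed and changed packages between two lockfiles, each with its risk flags."""
    old, new = load_packages(old_text), load_packages(new_text)
    findings = []
    for path, meta in new.items():
        prev = old.get(path)
        if prev is None:
            kind, before = "added", None
        elif (prev.get("version"), prev.get("integrity")) != (meta.get("version"), meta.get("integrity")):
            kind, before = "changed", prev.get("version")
        else:
            continue  # identical version and tarball hash: nothing to review
        findings.append({"package": package_name(path), "kind": kind, "from": before,
                         "to": meta.get("version"), "flags": risk_flags(meta)})
    for path in old.keys() - new.keys():
        findings.append({"package": package_name(path), "kind": "removed",
                         "from": old[path].get("version"), "to": None, "flags": []})
    # Flagged entries first so the riskiest changes top the triage list.
    return sorted(findings, key=lambda f: (not f["flags"], f["package"]))


if __name__ == "__main__":
    for f in diff_locks(YESTERDAY_LOCK, TODAY_LOCK):
        print(f"{f['kind']:8} {f['package']:14} {f['from']} -> {f['to']}  {', '.join(f['flags'])}")
```

Run against the constructed snapshots it reports two entries: `helper-y` added from an off-registry host with an install script, and `left-pad-ish` bumped from 1.0.4 to 1.0.5 with an install script; `utils-x` is unchanged and stays silent. Comparing the `integrity` hash as well as the version catches a republished tarball under the same version number, which a version-only diff would miss.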
Bonus Items
There's a campaign signature buried in the malicious payload that real-world Shai-Hulud variants are known for. Find it and submit the exact string for bonus XP. Hint: the worm authors have a sense of humor about their work.
Grading
Your work is reviewed by Instructor On-Demand against rubric-based criteria, then a Level Effect instructor will follow up with you for a 1-on-1 feedback session on your submission.
Bring questions. Hunt thoroughly. Good luck.
Leaderboard Preview
18 participants