Cobalt Strike Request
For the next three hours, Leila became a puppeteer. Every Cobalt Strike request from the compromised Jenkins box was answered with a carefully crafted lie. The Beacon asked for a directory listing. She provided a fake list of "customer PII" folders. It asked to upload a file. She gave a fake 200 OK and recorded the exfiltration endpoint.
"Control, this is Iris. We have a confirmed cobalt strike request. Repeat, confirmed. Source is Jenkins build node. Destination is Bulgarian cloud host. Beacon appears to be dormant, awaiting tasking."
A long pause. Then the CISO’s tired voice: "Give them the trap. Build a perfect replica of hq-sql-prod. Let them exfiltrate fake data. I want to know their drop site."
Her heart didn't race. It sank.
