Hi and welcome to the monitoring team qualification process!
We have prepared a number of challenges for you to tackle and report your findings on.
Your tool will be Splunk, accessible at:
https://splunk.blueteam.si
To save you time on basic SIEM recon, we have prepared a table of sources and indexes where the key data for solving the challenges can be found:
Indexes:

Index          Content
wineventlog    Security, system and application logs from Windows servers and workstations
sysmon         Sysmon (processes, registry, file create, DNS events, ...)
iis            Web server logs (Microsoft IIS)
1.        [General question] Please describe why you would be a good fit for the LockedShields 2025 Slo&Ita team and what your domain expertise is (Windows, Linux, Network, K8s, Cloud, ...)
2.        [General question] Which LOLBins/GTFOBins would you monitor in Windows and in Linux environments? Take into consideration the amount of false positives that monitoring a specific executable can generate.
3.        On 24th of April 2024 we detected that a new Windows user was added to a workstation and later added to a privileged group. Name the system where it occurred, the newly created user and the group that this user was added to.
4.        On 25th of April 2024 we missed non-legitimate activity on the CODE web server. We discovered later that an open source tool was used to detect bind vulnerabilities on the website.
What was the IP of the system that was running this tool?
What tool was used?
What detection search would you compile to detect such activity with the smallest amount of false positives, considering that other similar tools can be used?
5.        LockedShields uses MISP to share IOCs. The Splunk instance is connected to MISP and updates the following lookup tables:

a.        misp_hash_ioc.csv

b.        misp_domain_ioc.csv
Search for Windows processes that were started on workstation WS3-M365 on 24th of April 2024 and match hashes and process names from MISP.
Which process was run?
What was the consequence?
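
The hash-matching part of task 5, worked offline as an added example (it is not part of the original brief or of the Splunk setup): it parses Sysmon's Hashes field, normalises case, and matches against a constructed stand-in for misp_hash_ioc.csv whose column names (value, type) are an assumption. Everything else (events, hashes, host names other than WS3-M365) is constructed sample data.

```python
import csv
import io

# Constructed stand-in for misp_hash_ioc.csv; the column names (value, type)
# are an assumption, so check the real lookup's header in Splunk first.
MISP_HASH_IOC_CSV = """value,type
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,sha256
d41d8cd98f00b204e9800998ecf8427e,md5
"""

# Constructed Sysmon Event ID 1 (process create) records, reduced to the
# fields this check needs; note that Sysmon writes hash values in upper case.
SYSMON_EVENTS = [
    {"host": "WS3-M365", "Image": r"C:\Users\a\AppData\Local\Temp\update.exe",
     "Hashes": "SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,"
               "MD5=D41D8CD98F00B204E9800998ECF8427E,IMPHASH=00000000000000000000000000000000"},
    {"host": "WS3-M365", "Image": r"C:\Windows\System32\svchost.exe",
     "Hashes": "SHA256=1111111111111111111111111111111111111111111111111111111111111111"},
    {"host": "WS1-M365", "Image": r"C:\Temp\update.exe",
     "Hashes": "MD5=D41D8CD98F00B204E9800998ECF8427E"},
]

def load_ioc_hashes(csv_text):
    """Map lowercase hash value -> MISP hash type from the lookup CSV."""
    return {row["value"].strip().lower(): row["type"]
            for row in csv.DictReader(io.StringIO(csv_text))}

def parse_sysmon_hashes(hashes_field):
    """Split Sysmon's 'ALGO=hex,ALGO=hex' field into {ALGO: lowercase hex}."""
    out = {}
    for part in hashes_field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out

def match_events(events, ioc, host=None):
    """Return (host, Image, algo, hash) for each event hash found in the IOC table."""
    hits = []
    for ev in events:
        if host and ev["host"] != host:   # host=None means all hosts
            continue
        # Compare on lowercase hex so Sysmon's upper-case output matches
        # MISP's lowercase values; a raw string equality would miss every hit.
        for algo, value in parse_sysmon_hashes(ev["Hashes"]).items():
            if value in ioc:
                hits.append((ev["host"], ev["Image"], algo, value))
    return hits
```

In Splunk the same join is done with the lookup command against the real table, and the case normalisation shown here is the step most often forgotten there.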
6.        What caused the process from the previous task to have such a powerful impact?
7.        How would you detect if Microsoft Defender for Endpoint was disabled on the system?
8.        In Splunk, you can find a lot of interesting events from previous years' exercises. Based on your knowledge and threat hunting experience, you have the freedom to discover something that you deem important and that shouldn't be overlooked during the 2025 exercise. Write down your findings and support them with the events that led you to these conclusions. Impress us! 😊