A financial company was compromised, and they are looking for a security analyst to help them investigate the incident. The company suspects that an insider helped the attacker get into the network, but they have no evidence.  

The initial analysis performed by the company's team showed that many systems were compromised. Also, alerts indicate the use of well known malicious tools in the network. As a SOC analyst, you are assigned to investigate the incident using QRadar SIEM and reconstruct the events carried out by the attacker.


  • Sysmon - swift on security configuration
  • Powershell logging
  • Windows Eventlog
  • Suricata IDS
  • Zeek logs (conn, HTTP)

Thanks to

# Question Weight Solved
1 How many log sources available? 50 64

2 What is the IDS software used to monitor the network? 50 65

3 What is the domain name used in the network? 100 57

4 What are the IP addresses that communicated with the malicious IP address? (comma-separated) 100 48

5 What is the SID of the most frequent alert rule in the dataset? 100 41

6 What is the attacker's IP address? 100 55

7 The attacker was searching for data belonging to one of the company's projects, can you find the name of the project? 150 22

8 What is the IP address of the first infected machine? 150 52

9 What is the username of the infected employee using 200 50

10 Hackers do not like logging, what logging was the attacker checking to see if enabled? 200 32

11 Name of the second system the attacker targeted to cover up the employee? 200 35

12 When was the first malicious connection to the domain controller (log start time)? 200 8

13 What is the md5 hash of the malicious file? 200 30

14 What is the MITRE persistence technique ID used by the attacker? 250 17

15 What protocol is used to perform host discovery? 250 42

16 What is the email service used by the company? 250 19

17 What is the name of the malicious file used for the initial infection? 300 32

18 What is the name of the new account added by the attacker? 300 32

19 What is the PID of the process that performed injection? 300 19

20 What is the name of the tool used for lateral movement? 300 11

21 Attacker exfiltrated one file, what is the name of the tool used for exfiltration? 300 23

22 Who is the other legitimate domain admin other than the administrator? 300 30

23 The attacker used the host discovery technique to know how many hosts available in a certain network, what is the network the hacker scanned from the host IP 1 to 30? 500 29

24 What is the name of the employee who hired the attacker? 500 17