Skills Assessment

Hunt 1: Create a KQL query to hunt for "Lateral Tool Transfer" to C:\Users\Public. Enter the content of the user.name field in the document that is related to a transferred tool that starts with "r" as your answer.

event.code : 11 and file.directory : "C:\Users\Public"

Hunt 2: Create a KQL query to hunt for "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder". Enter the content of the registry.value field in the document that is related to the first registry-based persistence action as your answer.

event.code : "13"

Hunt 3: Create a KQL query to hunt for "PowerShell Remoting for Lateral Movement". Enter the content of the winlog.user.name field in the document that is related to PowerShell remoting-based lateral movement towards DC1.

event.code:"4104" and powershell.file.script_block_text : "DC1"
  • powershell.file.script_block_text is the field Winlogbeat (and the Elastic Stack generally) populates from Windows PowerShell event ID 4104 (script block logging); it holds the text of the PowerShell script block that was executed on the host, which is why a remoting command that names DC1 can be found by searching it.
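The three hunts above are each a KQL conjunction followed by a manual read of one field. As an added example (not part of the assessment page and not its data), the Python below applies the same three filters to constructed Winlogbeat-style documents and pulls out the requested field in code. Every document, user name, path and registry value in it is a constructed sample; the Hunt 2 function also narrows the page's broad event.code 13 query to Run-key paths and sorts by @timestamp, which is an added refinement, not the page's query.

```python
"""Added example, not part of the original assessment page: apply the three hunt
filters to constructed Winlogbeat/Elastic-style documents and extract the field
each hunt asks for. Every value below is a constructed sample, not assessment data."""

from typing import Dict, List, Optional

Doc = Dict[str, str]

# Constructed sample documents, keyed by the flattened field names Kibana shows.
SAMPLE_DOCS: List[Doc] = [
    # Sysmon event 11 (FileCreate): a tool dropped into the world-writable Public folder
    {"event.code": "11", "file.directory": "C:\\Users\\Public",
     "file.name": "r_tool.exe", "user.name": "constructed_user_a"},
    {"event.code": "11", "file.directory": "C:\\Users\\Public",
     "file.name": "notes.txt", "user.name": "constructed_user_b"},
    {"event.code": "11", "file.directory": "C:\\Windows\\Temp",
     "file.name": "r_elsewhere.exe", "user.name": "constructed_user_c"},
    # Sysmon event 13 (RegistryEvent, value set): Run-key persistence vs. unrelated writes
    {"event.code": "13", "@timestamp": "2024-01-01T10:05:00Z",
     "registry.path": "HKU\\S-1-5-21-0-0-0-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\second_entry",
     "registry.value": "second_entry"},
    {"event.code": "13", "@timestamp": "2024-01-01T10:02:00Z",
     "registry.path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\first_entry",
     "registry.value": "first_entry"},
    {"event.code": "13", "@timestamp": "2024-01-01T10:01:00Z",
     "registry.path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Example\\Start",
     "registry.value": "Start"},
    # PowerShell event 4104 (script block logging): remoting toward DC1 vs. local activity
    {"event.code": "4104", "winlog.user.name": "constructed_admin",
     "powershell.file.script_block_text": "Invoke-Command -ComputerName DC1 -ScriptBlock { hostname }"},
    {"event.code": "4104", "winlog.user.name": "constructed_other",
     "powershell.file.script_block_text": "Get-Process | Sort-Object CPU"},
]


def matches(doc: Doc, terms: Dict[str, str]) -> bool:
    """Equivalent of the KQL query `a : x and b : y`: every term must match exactly."""
    return all(doc.get(field) == value for field, value in terms.items())


def hunt_lateral_tool_transfer(docs: List[Doc]) -> List[str]:
    """Hunt 1: event.code : 11 and file.directory : "C:\\Users\\Public",
    then keep only files whose name starts with "r" and return user.name."""
    hits = [d for d in docs
            if matches(d, {"event.code": "11", "file.directory": "C:\\Users\\Public"})
            and d.get("file.name", "").lower().startswith("r")]
    return [d["user.name"] for d in hits]


def hunt_run_key_persistence(docs: List[Doc]) -> Optional[str]:
    """Hunt 2: event.code : "13", narrowed to Run-key paths (an added refinement of the
    page's broader query) and sorted by @timestamp so the first action comes out."""
    run_key = "\\CurrentVersion\\Run\\"
    hits = [d for d in docs
            if matches(d, {"event.code": "13"}) and run_key in d.get("registry.path", "")]
    hits.sort(key=lambda d: d["@timestamp"])
    return hits[0]["registry.value"] if hits else None


def hunt_psremoting_to_dc1(docs: List[Doc]) -> List[str]:
    """Hunt 3: event.code:"4104" and powershell.file.script_block_text : "DC1"
    (a substring test stands in for KQL's match on the analyzed text field)."""
    hits = [d for d in docs
            if matches(d, {"event.code": "4104"})
            and "DC1" in d.get("powershell.file.script_block_text", "")]
    return [d["winlog.user.name"] for d in hits]


if __name__ == "__main__":
    print("Hunt 1 user.name:", hunt_lateral_tool_transfer(SAMPLE_DOCS))
    print("Hunt 2 registry.value:", hunt_run_key_persistence(SAMPLE_DOCS))
    print("Hunt 3 winlog.user.name:", hunt_psremoting_to_dc1(SAMPLE_DOCS))
```

The `matches` helper is the whole of KQL's `and` for exact terms; what the functions add on top (the "starts with r" check, the Run-key path filter, the timestamp ordering) is the part of each hunt that the assessment leaves to the analyst reading the result table in Kibana.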
