Natural Language to Kusto Query Language Benchmark
| gpt-4.1 | 57.3% | 2.76 | 7.05s | $6.4416 |
| o1-low | 56.9% | 2.57 | 40.88s | $115.4357 |
| o1-high | 56.0% | 2.73 | 42.83s | $120.9677 |
| grok-3-mini-beta | 53.8% | 2.50 | 16.09s | $0.8885 |
| gemini-2.5-flash-preview-04-17 | 48.4% | 2.84 | 15.41s | $4.7399 |
| grok-3-beta | 46.7% | 3.00 | 11.06s | $14.2893 |
| o4-mini-high | 46.2% | 3.29 | 39.45s | $7.2510 |
| o3-mini-high | 44.4% | 2.77 | 23.49s | $6.0181 |
| o3-mini-low | 44.0% | 2.88 | 23.08s | $6.3790 |
| o4-mini-low | 40.9% | 3.38 | 37.45s | $6.8185 |
| gpt-4.1-mini | 38.4% | 3.10 | 7.25s | $1.2391 |
| gpt-4o | 33.8% | 3.48 | 7.64s | $9.8305 |
| gpt-4.1-finetuned | 23.6% | 4.20 | 9.69s | $9.1773 |
| gpt-4.1-nano | 23.1% | 3.91 | 3.88s | $0.3119 |
46.2%
(104 / 225 successful)
3.29
per question
39.45s
$7.2510
| # | Prompt (Question) | Technique ID | Expected Answer | LLM Answer | Correct? | LLM KQL |
|---|---|---|---|---|---|---|
| 1 | On a Windows host, an attacker leveraged COMSVCS.DLL via rundll32.exe to dump the memory of svchost.exe into a file under the Temp directory. Review the file creation logs to determine the exact name of the dump file that was generated. | T1003 | svchost-exe.dmp | svchost-exe.dmp | Yes | DeviceFileEvents | where ActionType == "FileCreated" // Identify rundll32.exe loading COMSVCS.DLL | where InitiatingProcessFileName == "rundll32.exe" | where tolower(InitiatingProcessCommandLine) contains "comsvcs.dll" // Focus on Temp folder | where tolower(FolderPath) contains "\\temp\\" // Look only for dump files | where tolower(FileName) endswith ".dmp" // Return relevant details | project TimeGenerated, DeviceName, InitiatingProcessAccountName, FolderPath, FileName, InitiatingProcessCommandLine | distinct FileName, FolderPath, DeviceName, InitiatingProcessAccountName, TimeGenerated, InitiatingProcessCommandLine |
| 2 | In a Linux environment, an elevated process was used to execute a command that read /etc/shadow and redirected its output to a file. Identify what file name was employed to store these results. | T1003.008 | T1003.008.txt | /tmp/T1003.008.txt; | Yes | DeviceProcessEvents // Only processes run by root | where AccountName == "root" // Look for reading /etc/shadow and using shell redirection (> or >>) | where ProcessCommandLine has "/etc/shadow" and ProcessCommandLine matches regex @"\>{1,2}" // Extract the path/file following the redirection operator | extend OutputFile = extract(@"\>{1,2}\s*(\S+)", 1, ProcessCommandLine) | where isnotempty(OutputFile) // Show relevant fields | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, OutputFile // Summarize to see unique files and their timelines | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Occurrences = count() by OutputFile, DeviceName, AccountName | order by LastSeen desc |
| 3 | On Windows devices, identify the full command used when the built-in credential manager utility was invoked to list stored credentials. What was the exact command? | T1003.005 | cmdkey /list | cmdkey.exe /list | Yes | DeviceProcessEvents | where ProcessCommandLine has_cs "cmdkey" and ProcessCommandLine has_cs "/list" | project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine | distinct TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine | order by TimeGenerated desc |
| 4 | Examine Windows process execution logs for instances where PowerShell is invoked to gather service information. What full command line invocation was recorded? | T1007 | powershell.exe Get-Service | "powershell.exe" & {Get-Service > $env:TEMP\\T1119_1.txt\nGet-ChildItem Env: > $env:TEMP\\T1119_2.txt\nGet-Process > $env:TEMP\\T1119_3.txt} | No | DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName =~ "powershell.exe" | where ProcessCommandLine has_any ("Get-Service", "sc.exe query") | project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine |
| 5 | On a Linux host, a ping command was executed to test internet connectivity. Determine which IP address was used as the ping target. | T1016.001 | 8.8.8.8 | 8.8.8.8 | Yes | // Identify Linux devices let linuxDevices = DeviceInfo | where OSPlatform contains "Linux" | project DeviceId, DeviceName; // Network-based ping events (ICMP by ping) let pingNetwork = DeviceNetworkEvents | where DeviceId in (linuxDevices | project DeviceId) | where Protocol == "ICMP" | where InitiatingProcessFileName in ("ping", "ping6") | extend ProcessCommandLine = InitiatingProcessCommandLine | project TimeGenerated, DeviceId, PingTarget = RemoteIP, ProcessCommandLine; // Process-based ping events (extract IP from command line) let pingProcess = DeviceProcessEvents | where DeviceId in (linuxDevices | project DeviceId) | where FileName in ("ping", "ping6") | extend PingTarget = extract(@"(\d+\.\d+\.\d+\.\d+)", 1, ProcessCommandLine) | project TimeGenerated, DeviceId, PingTarget, ProcessCommandLine; // Combine, enrich, filter, and sort union pingNetwork, pingProcess | where isnotempty(PingTarget) | join kind=inner linuxDevices on DeviceId | sort by TimeGenerated desc | project TimeGenerated, DeviceName, PingTarget, ProcessCommandLine |
| 6 | On a Windows host, someone appears to have run a built-in network shell utility to list saved wireless network profiles and their passwords in clear text. Review the process creation logs to discover the exact command that was executed. | T1016.002 | netsh wlan show profile * key=clear | netsh wlan show profile * key=clear | Yes | DeviceProcessEvents | where FileName == "netsh.exe" | where ProcessCommandLine has "wlan" and ProcessCommandLine has "show" and ProcessCommandLine has "profile" | where ProcessCommandLine has "key=clear" | project TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessId, ProcessCommandLine | sort by TimeGenerated desc |
| 7 | On a Linux system, review process creation logs to spot any dd commands reading from /proc/*/mem. What was the name of the file where the dumped memory was written? | T1003.007 | T1003.007.bin | N/A | No | |
| 8 | An analyst suspects a user or script ran a service enumeration command on a Linux system. Review process events to find the service-listing invocation and specify the full command that was executed. | T1007 | systemctl --type=service | N/A | No | |
| 9 | An analyst observed activity on a Windows system involving potential enumeration of services. Your task is to determine the exact command used to discover the system services during this activity. | T1007 | sc query state= all | N/A | No | |
| 10 | Identify the PowerShell cmdlet used on Windows to format and display the raw volume bytes after an attacker read the boot sector via a DOS device path. | T1006 | Format-Hex | N/A | No | |
| 11 | On a Windows device, locate evidence of a PowerShell-based HTTP connectivity check and determine which remote host was tested (Domain). | T1016.001 | www.google.com | 127.0.0.1 | No | DeviceProcessEvents | where ProcessCommandLine has "powershell" and (ProcessCommandLine contains "http://" or ProcessCommandLine contains "https://") | extend Url = extract(@"(https?://[^\s""']+)", 1, ProcessCommandLine) | extend TestedHost = tostring(parse_url(Url).Host) | project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, Url, TestedHost | order by TimeGenerated desc |
| 12 | An analyst notices a PowerShell process on a Windows host that appears to be checking SMB connectivity. Which PowerShell cmdlet was executed to perform this outbound port 445 test? | T1016.001 | Test-NetConnection | N/A | No | |
| 13 | Using Windows process event logs, investigate PowerShell activity around lsass.exe memory capture. What was the name of the script file invoked to perform the dump? | T1003.001 | Out-Minidump.ps1 | N/A | No | |
| 14 | On the Windows host, look for any ping operations reaching out to the internet. What external IP address was being pinged? | T1016.001 | 8.8.8.8 | N/A | No | |
| 15 | A Linux host’s Syslog shows a shell-based network discovery script ran multiple commands. One of them listed current TCP connections. Which utility was invoked? | T1016 | netstat | sh | No | DeviceInfo | where OSPlatform == "Linux" | project DeviceId, DeviceName | join kind=inner ( DeviceProcessEvents // look for commands referencing TCP connections | where ProcessCommandLine contains "tcp" // common utilities for listing TCP connections | where ProcessCommandLine contains "netstat" or ProcessCommandLine contains "ss" or ProcessCommandLine contains "lsof" ) on DeviceId | extend Utility = tostring(split(ProcessCommandLine, ' ')[0]) | summarize Invocations = count() by DeviceName, Utility | project DeviceName, Utility, Invocations | sort by Invocations desc |
| 16 | On a Windows endpoint, search through PowerShell process execution records to find a test connection to an external IP address. What was the full command line recorded? | T1016.001 | Test-NetConnection -ComputerName 8.8.8.8 | N/A | No | |
| 17 | Review Linux process execution records for any commands that list TCP metric cache entries and filter out loopback interfaces. Which utility was used? | T1018 | ip | ip | Yes | let LinuxDevices = DeviceInfo | where tolower(OSPlatform) contains "linux" | distinct DeviceId; DeviceProcessEvents | where DeviceId in (LinuxDevices) // Filter for any tcp_metrics invocation and ProcessCommandLine has "tcp_metrics" // Exclude loopback traffic entries and ProcessCommandLine !has " lo" | project TimeGenerated, DeviceName, FileName, ProcessCommandLine | summarize Invocations = count() by FileName, ProcessCommandLine | sort by Invocations desc |
| 18 | A Windows host executed an ICMP-based network reconnaissance using a looping instruction in cmd.exe. Identify the exact command line that was used to perform the ping sweep. | T1018 | for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i | "cmd.exe" /c for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i | Yes | DeviceProcessEvents // Apply your time range filter here (e.g. | where TimeGenerated between (start .. end)) | where FileName == "cmd.exe" | where ProcessCommandLine matches regex @"(?i)for\s+/?l.*ping" | project TimeGenerated, DeviceName, ProcessCommandLine | sort by TimeGenerated desc |
| 19 | On a Linux system, an unfamiliar process execution may indicate reconnaissance activity. Examine the Syslog records to determine which command was invoked to print the kernel’s routing table. | T1018 | ip route show | N/A | No | |
| 20 | On a Windows endpoint, look for evidence of a base64-encoded PowerShell payload execution. Which executable launched the encoded command? | T1027 | powershell.exe | powershell.exe | Yes | DeviceProcessEvents | where FileName in~ ("powershell.exe", "pwsh.exe") // Match –EncodedCommand or –enc followed by a Base64‐style string | where tolower(ProcessCommandLine) matches regex @"-enc(odedcommand)?\s+[A-Za-z0-9+/=]{20,}" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc |
| 21 | On a Windows endpoint, review process creation logs to uncover when a built-in utility was used to reveal ARP entries. What exact command was used to list the ARP cache? | T1018 | arp -a | N/A | No | |
| 22 | On a Linux host, identify occurrences where a process invoked the built-in utility to list link-layer neighbors. Which tool name appears in those process events? | T1018 | ip | arp | No | let linuxDevices = DeviceInfo | where OSPlatform has "Linux" | distinct DeviceId; DeviceProcessEvents | where DeviceId in (linuxDevices) | extend ToolName = extract(@"([^/\\]+)$", 1, FileName) | where ToolName in ("ip", "arp") // For "ip", ensure the "neigh" subcommand was used | where (ToolName == "ip" and ProcessCommandLine has "neigh") or (ToolName == "arp") | summarize Occurrences = count() by ToolName | project ToolName, Occurrences |
| 23 | An operator on a Linux host appears to have listed system users using a native tool. Review the process execution logs to find which utility was invoked to display the user list. | T1033 | users | cut | No | DeviceProcessEvents | where ProcessCommandLine has "/etc/passwd" or ProcessCommandLine has "getent passwd" | project TimeGenerated, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine, ProcessId | sort by TimeGenerated desc |
| 24 | On a Windows system, we see evidence of a remote code execution attempt using native capabilities to run a simple query on the local host. Identify the tool name that was used to perform this action. | T1021.006 | powershell | powershell.exe | Yes | DeviceProcessEvents | where ActionType == "ProcessCreated" and ( (tolower(ProcessCommandLine) contains "select" and tolower(ProcessCommandLine) contains "from win32_") or tolower(ProcessCommandLine) contains "get-wmiobject" or tolower(ProcessCommandLine) contains "get-ciminstance" ) | project TimeGenerated, DeviceName, ToolName = FileName, CommandLine = ProcessCommandLine | order by TimeGenerated desc |
| 25 | On a Linux system, spotting a file‐size change by exactly one byte can indicate hash tampering via padding. Review process execution logs for invocations that increased a file’s size by one byte. Which utility was invoked to perform this padding? | T1027.001 | truncate | N/A | No | |
| 26 | Review Linux process execution logs for a shell command that listed routing tables and filtered out default routes. Which command was used? | T1018 | netstat | N/A | No | |
| 27 | On Windows, a system utility was duplicated and run under the name lsm.exe from an unexpected folder. Examine process creation logs to find the name of the executable that’s masquerading as a legitimate service. | T1036.003 | lsm.exe | lsm.exe | Yes | DeviceProcessEvents // Time range is applied outside this query | where FileName == "lsm.exe" // Exclude the legitimate System32 path | where FolderPath !startswith @"C:\Windows\System32" | project Timestamp, DeviceName, SuspiciousPath = strcat(FolderPath, "\\", FileName), ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessId | sort by Timestamp desc |
| 28 | On Windows endpoints, attackers may copy legitimate system binaries into temporary directories and rename them to mimic critical services. Investigate recent process creation events to determine the exact filename used for the masqueraded executable. | T1036.003 | lsass.exe | svchost.exe | No | DeviceProcessEvents | where ActionType == "ProcessCreated" | where FolderPath matches regex @"(\\Windows\\Temp\\|\\AppData\\Local\\Temp\\|\\Users\\[^\\]+\\AppData\\Local\\Temp\\)" | where tolower(FileName) in ("svchost.exe","services.exe","lsass.exe","winlogon.exe","spoolsv.exe") | extend FullPath = strcat(FolderPath, "\\", FileName) | project Timestamp, DeviceName, FullPath, FileName, ProcessCommandLine, InitiatingProcessFileName | sort by Timestamp desc |
| 29 | A Windows host shows a process launch with an extremely obfuscated command line that dynamically builds and invokes code at runtime. Which process name was used to execute this payload? | T1027 | powershell | N/A | No | |
| 30 | On Windows hosts, look through recent PowerShell execution records to find any elevated session where remote management was turned on. What exact command was run to enable PSRemoting? | T1021.006 | Enable-PSRemoting -Force | N/A | No | |
| 31 | An attacker copied a core Windows executable into a temporary folder, renamed it to mimic a trusted system process, and executed it. Identify the name of the masqueraded tool that was launched. | T1036.003 | svchost.exe | svchost.exe | Yes | DeviceProcessEvents | where FolderPath has "\\Temp\\" | where FileName endswith ".exe" | summarize by FileName, DeviceName, FolderPath, ProcessCommandLine, TimeGenerated | project FileName | distinct FileName |
| 32 | On a Linux system, identify the script that was generated by decoding a base64 data file and then executed. What was the filename of that script? | T1027 | art.sh | N/A | No | |
| 33 | On a Windows system, someone ran PowerShell to copy a file from a remote machine’s C$ share to the local TEMP folder. Using process event logs, what full PowerShell command was executed to perform this action? | T1039 | copy-item -Path "\\127.0.0.1\C$\Windows\temp\Easter_Bunny.password" -Destination "$Env:TEMP\Easter_egg.password" | "powershell.exe" & {copy-item -Path "\\127.0.0.1\C$\Windows\temp\Easter_Bunny.password" -Destination "$Env:TEMP\Easter_egg.password"} | Yes | DeviceProcessEvents | where FileName in~ ("powershell.exe", "pwsh.exe") | where ProcessCommandLine has "Copy-Item" and ProcessCommandLine contains "\\C$" and ProcessCommandLine contains "Temp" | project Timestamp, DeviceName, InitiatingProcessAccountName, ProcessCommandLine | sort by Timestamp desc |
| 34 | A Linux host briefly hosted an HTTP service under /tmp. Examine process creation logs to determine the exact python3 command that was used to start the server on port 9090. | T1048.003 | python3 -m http.server 9090 | python3 -m http.server 9090 | Yes | DeviceProcessEvents | where ActionType == "ProcessCreated" | where ProcessCommandLine has "python3" and ProcessCommandLine has "9090" and ProcessCommandLine has "/tmp" | project ProcessCreationTime, DeviceName, ProcessId, ProcessCommandLine | order by ProcessCreationTime desc |
| 35 | In a Linux environment, you observe a process labeled like the cron daemon but running from an unexpected path. Investigate creation events to uncover the actual filename used by this fake cron process. | T1036.003 | crond | N/A | No | |
| 36 | On Windows, an executable normally stored in System32 is duplicated into a user directory under a different name and then executed. Identify which native tool was masqueraded. | T1036.003 | cscript.exe | N/A | No | |
| 37 | A process is running under a familiar Windows host name but originates from a user's AppData folder rather than the System32 directory. Identify the filename used to masquerade the PowerShell binary on this Windows device. | T1036.003 | taskhostw.exe | taskhostw.exe | Yes | DeviceProcessEvents // Processes launched from a user AppData folder (not the system path) | where FolderPath has "\\Users\\" and FolderPath has "\\AppData\\" and not(FolderPath has "\\Windows\\System32\\") // Identify entries where the original file name is PowerShell but the actual file name differs | where tolower(ProcessVersionInfoOriginalFileName) == "powershell.exe" and tolower(FileName) != "powershell.exe" // Aggregate by the masquerade filename | summarize Occurrences = count() by MasqueradeFile = FileName | sort by Occurrences desc |
| 38 | Analyze Windows process events for any schtasks.exe commands that created a new task invoking PowerShell. What is the name of the .ps1 script specified to run? | T1036.004 | T1036.004_NonExistingScript.ps1 | T1036.004_NonExistingScript.ps1 | Yes | DeviceProcessEvents | where FileName == "schtasks.exe" and ProcessCommandLine has "/create" and ProcessCommandLine contains "-file" and ProcessCommandLine contains ".ps1" | extend ScriptName = extract(@"(?i)-file\s+""?([^""\s]+\.ps1)", 1, ProcessCommandLine) | where isnotempty(ScriptName) | project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, ScriptName | sort by TimeGenerated desc |
| 39 | On a Windows endpoint you observe a PowerShell process that fetches a script from the internet and immediately executes an RPC service scan against the spooler. Which function name was invoked to perform that scan? | T1046 | spoolvulnscan | N/A | No | |
| 40 | A threat actor on a Windows system crafted and registered a service named almost identically to the standard time service, but redirecting execution to a custom script. Review the logging data to determine which native command-line tool was used to perform this action. What utility was invoked? | T1036.004 | sc | N/A | No | |
| 41 | Review the Linux process execution logs to spot when a shell command was used to enumerate active network connections. What was the name of the command‐line utility invoked? | T1049 | netstat | netstat | Yes | DeviceProcessEvents | where DeviceId in ( DeviceInfo | where OSPlatform == "Linux" | project DeviceId ) // Filter for typical network‐enumeration commands | where ProcessCommandLine has_any ("netstat", "ss") | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine | sort by TimeGenerated desc // Optionally, summarize by utility to see distinct tools and counts | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), RunCount=count() by FileName | sort by FirstSeen desc |
| 42 | Windows process creation logs show a PowerShell-driven file transfer to an FTP service. Which executable was leveraged to perform this exfiltration? | T1048.003 | rclone.exe | rclone.exe | Yes | DeviceProcessEvents | where InitiatingProcessFileName in ("powershell.exe", "pwsh.exe") | where ProcessCommandLine has "ftp" | project TimeGenerated, DeviceName, InitiatingProcessCommandLine, ExfiltrationProcess = FileName, ProcessCommandLine | summarize Count = count() by ExfiltrationProcess, ProcessCommandLine | order by Count desc |
| 43 | A port scan was detected originating from a Windows device. Determine which ports were being probed during the activity. | T1046 | 445, 3389 | N/A | No | |
| 44 | In a Windows log analytics workspace, search for PowerShell processes that were used to enumerate network connections. Determine which PowerShell cmdlet was executed to list active TCP connections. | T1049 | Get-NetTCPConnection | Get-NetTCPConnection | Yes | DeviceProcessEvents | where FileName in ("powershell.exe", "pwsh.exe") | where ProcessCommandLine contains "Get-NetTCPConnection" | extend Cmdlet = extract(@"(Get-NetTCPConnection)", 1, ProcessCommandLine) | summarize Count = count() by Cmdlet | order by Count desc |
| 45 | Linux hosts may log events when new files are added to /var/spool/cron/crontabs. Query those logs for a creation or write action in that directory and determine the file name that was added. | T1053.003 | persistevil | persistevil | Yes | DeviceFileEvents | where FolderPath has "/var/spool/cron/crontabs" | where ActionType in ("FileCreated", "FileWritten", "FileModified", "FileOpenedWrite") | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), EventCount = count() by FileName | sort by LastSeen desc |
| 46 | A Windows host shows a core command-line utility being duplicated from its System32 location to a user-profile folder and subsequently run. Identify the name of the executable that was copied. | T1036 | cmd.exe | N/A | No | |
| 47 | You suspect malicious persistence via scheduled tasks on a Windows endpoint. Review the process execution logs to identify the built-in utility used to register tasks at logon or startup. What is the name of this utility? | T1053.005 | schtasks | schtasks | Yes | DeviceProcessEvents | where TimeGenerated between (startofday(ago(30d)) .. now()) // replace with desired timerange | where FileName =~ "schtasks.exe" | project TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessCommandLine, InitiatingProcessAccountName | summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine | order by count_ desc |
| 48 | Review the Linux process or syslog entries for any crontab commands that imported a schedule from a temporary file rather than the standard input. What was the name of that file? | T1053.003 | persistevil | notevil | No | let proc = DeviceProcessEvents | where FileName == "crontab" | where ProcessCommandLine matches regex @"\bcrontab\s+\/" | where not(ProcessCommandLine matches regex @"\bcrontab\s+\-") | extend ImportedFile = extract(@"crontab\s+(\S+)", 1, ProcessCommandLine); let sys = Syslog | where ProcessName == "crontab" | where SyslogMessage matches regex @"\bcrontab\s+\/" | extend ImportedFile = extract(@"crontab\s+(\S+)", 1, SyslogMessage); union proc, sys | extend FileName = tostring(split(ImportedFile, "/")[-1]) | project TimeGenerated, DeviceName, ImportedFile, FileName | distinct ImportedFile, FileName |
| 49 | A user launched a Windows command prompt and executed a built-in utility to enumerate all active network connections. Using process creation logs, identify the exact tool that produced the list of current connections. | T1049 | netstat | netstat.exe | Yes | DeviceProcessEvents | where tolower(InitiatingProcessFileName) == "cmd.exe" | where tolower(FileName) == "netstat.exe" or ProcessCommandLine has_any ("netstat", "Get-NetTCPConnection") | project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, ChildProcessFileName = FileName, ChildProcessCommandLine = ProcessCommandLine | order by TimeGenerated desc |
| 50 | A reconnaissance tool was executed on a Windows system. Identify the specific function of the tool that was executed. The function has a name from something you can eat | T1046 | fruit | N/A | No | |
| 51 | On a Windows device, PowerShell was used to collect a snapshot of running processes. Identify the exact cmdlet that was executed. | T1057 | Get-Process | Get-Process | Yes | DeviceProcessEvents | where FileName == "powershell.exe" | where ProcessCommandLine contains "Get-Process" or ProcessCommandLine contains "Get-WmiObject" or ProcessCommandLine contains "Get-CimInstance" or ProcessCommandLine contains "tasklist" | extend Cmdlet = extract(@"(?i)\b(Get-(?:Process|WmiObject|CimInstance))\b", 1, ProcessCommandLine) | project TimeGenerated, DeviceName, InitiatingProcessAccountName, Cmdlet, ProcessCommandLine | sort by TimeGenerated desc |
| 52 | A malicious actor may attempt to list running processes on a Windows machine using a WMI-based command. Review the process creation events to find out which utility was invoked to perform this enumeration. | T1057 | wmic.exe | wmic | Yes | DeviceProcessEvents | where ActionType == "ProcessCreated" and ( ProcessCommandLine has_cs "wmic" or ProcessCommandLine has_cs "Get-WmiObject" or ProcessCommandLine has_cs "gwmi" ) | project TimeGenerated, DeviceName, AccountName = InitiatingProcessAccountName, ParentProcess = InitiatingProcessFileName, ParentCommandLine = InitiatingProcessCommandLine, ProcessFileName = FileName, ProcessCommandLine | order by TimeGenerated desc |
| 53 | A Windows endpoint recorded a command-line activity through cmd.exe that lists all running processes. Determine which built-in tool was executed to perform this action. | T1057 | tasklist | tasklist | Yes | DeviceProcessEvents | where FileName == "cmd.exe" | where ProcessCommandLine has_any ("tasklist","wmic","powershell","Get-Process") | extend Tool = case( ProcessCommandLine contains "tasklist", "tasklist", ProcessCommandLine contains "wmic", "wmic", ProcessCommandLine contains "Get-Process", "Get-Process", ProcessCommandLine contains "powershell", "PowerShell", "Unknown") | where Tool != "Unknown" | project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, Tool | summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by DeviceName, InitiatingProcessAccountName, Tool | order by Count desc |
| 54 | On a Windows device, review the process execution logs to find instances where a built-in listing tool was piped into a string filter. Identify the process name that the attacker was searching for. | T1057 | lsass | lsass | Yes | DeviceProcessEvents // Look for any command line containing a pipe | where ProcessCommandLine contains "|" // Ensure a built-in listing tool is used before the pipe | where ProcessCommandLine matches regex "(?i)\\b(?:dir|ls|Get-ChildItem|tasklist|wmic)\\b\\s*\\|" // Ensure a string filter is called after the pipe | where ProcessCommandLine matches regex "(?i)\\|\\s*(?:findstr|grep)\\b" // Extract the term passed to findstr or grep (first non-quoted token) | extend SearchedTerm = extract("(?i)(?:findstr|grep)\\s+['\\\"]?([^'\\\"]+)", 1, ProcessCommandLine) | where isnotempty(SearchedTerm) // Summarize by the searched term, showing count and example devices/accounts | summarize EventCount = count(), AffectedDevices = make_set(DeviceName, 10), AffectedUsers = make_set(InitiatingProcessAccountName, 10) by SearchedTerm | project SearchedTerm, EventCount, AffectedDevices, AffectedUsers | order by EventCount desc |
| 55 | A Linux host appears to have been queried for its kernel details via a shell command. Using process event data, determine the exact command that was executed to enumerate the kernel name, release, and architecture. | T1059.004 | uname -srm | uname -a | No | let linuxDevices = DeviceInfo | where OSPlatform == "Linux" | distinct DeviceId; DeviceProcessEvents | where DeviceId in (linuxDevices) | where FileName == "uname" | where ProcessCommandLine has "-a" or (ProcessCommandLine has "-s" and ProcessCommandLine has "-r" and ProcessCommandLine has "-m") | project TimeGenerated, DeviceName, AccountName, ProcessId, ProcessCommandLine, InitiatingProcessParentFileName, InitiatingProcessParentId | sort by TimeGenerated desc |
| 56 | Examine the logs from the Linux system for events related to the systemd timer activation. Identify any records indicating that a new timer unit was started and enabled, and determine which timer name was used. | T1053.006 | art-timer.timer | art-timer.timer | Yes | let SyslogTimers = DeviceEvents | where ActionType == "Syslog" | extend SyslogMessage = tostring(AdditionalFields['SyslogMessage']), SyslogTag = tostring(AdditionalFields['SyslogTag']) | where SyslogTag == "systemd" and SyslogMessage contains ".timer" | extend Action = extract(@"systemd\[\d+\]:\s+(Started|Loaded|Enabled)", 1, SyslogMessage), TimerName = extract(@"systemd\[\d+\]:\s+(?:Started|Loaded|Enabled)\s+([^\s]+\.timer)", 1, SyslogMessage) | where isnotempty(Action) and isnotempty(TimerName) | project TimeGenerated, DeviceName, EventType = "Syslog", Action, TimerName; let ProcTimers = DeviceProcessEvents | where ProcessCommandLine has "systemctl" and ProcessCommandLine has ".timer" | extend Action = extract(@"systemctl\s+(start|enable)", 1, ProcessCommandLine), TimerName = extract(@"systemctl\s+(?:start|enable)\s+([^\s]+\.timer)", 1, ProcessCommandLine) | where isnotempty(Action) and isnotempty(TimerName) | project TimeGenerated, DeviceName, EventType = "Process", Action, TimerName; union SyslogTimers, ProcTimers | sort by TimeGenerated desc |
| 57 | On Windows, review recent registry changes to detect when the MSC file association was hijacked by a reg add operation. What executable file was configured as the default command under HKCU\Software\Classes\mscfile\shell\open\command? | T1053.005 | calc.exe | N/A | No | |
| 58 | On a Windows host, investigate process events to find when Task Manager was launched via cmd with an unusual flag. What was the full command executed? | T1057 | taskmgr.exe /7 | "cmd.exe" /c taskmgr.exe /7 | Yes | DeviceProcessEvents | where ActionType == "ProcessCreated" | where tolower(FileName) endswith "cmd.exe" | where tolower(ProcessCommandLine) has "taskmgr.exe" | project TimeGenerated, DeviceName, ProcessCommandLine |
| 59 | Review the process creation logs on a Windows host to uncover any tool execution indicative of a special APC injection for shellcode execution. What was the name of the executable used? | T1055.004 | NtQueueApcThreadEx.exe | N/A | No | |
| 60 | While reviewing Windows process events, you spot a PowerShell process executing a WMI enumeration cmdlet. What WMI class name did the attacker query? | T1057 | Win32_Process | Win32_Process | Yes | DeviceProcessEvents | where FileName has_cs "powershell.exe" | where ProcessCommandLine has_any ("Get-WmiObject", "Get-CimInstance", "gwmi") | extend WmiClass1 = extract("(?i)-Class\\s+['\\\"]?(Win32_[^\\s'\\\"]+)", 1, ProcessCommandLine) | extend WmiClass2 = extract("(?i)FROM\\s+(Win32_[^\\s'\\\";,]+)", 1, ProcessCommandLine) | extend WmiClass = coalesce(WmiClass1, WmiClass2) | where isnotempty(WmiClass) | summarize EventCount = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by WmiClass | project WmiClass, EventCount, FirstSeen, LastSeen | order by EventCount desc |
| 61 | Using Linux process creation records, identify any instance where bash executed a non-native enumeration script. What was the name of the script file invoked? | T1059.004 | LinEnum.sh | AutoSUID.sh | No | let LinuxDevices = DeviceInfo | where tolower(OSPlatform) contains "linux" | project DeviceId; DeviceProcessEvents | where DeviceId in (LinuxDevices) // ensure the creator is bash | where tolower(InitiatingProcessFileName) == "bash" // look for invocation of a .sh script | where ProcessCommandLine has @".sh" // exclude scripts in standard system paths | where not(ProcessCommandLine has "/bin/") | where not(ProcessCommandLine has "/usr/bin/") // extract the script file name | extend ScriptName = extract(@"(?i)\b([\w\-/\.]+\.sh)\b", 1, ProcessCommandLine) | where isnotempty(ScriptName) // summarize occurrences and time range per script | summarize Instances = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by ScriptName | project ScriptName, Instances, FirstSeen, LastSeen |
| 62 | On a Linux system, review process execution records for any shell process that set an environment variable containing executable code and then piped it into another shell instance. Determine which environment variable name was used to store the script content. | T1059.004 | ART | EnvVariable | No | DeviceProcessEvents | where FileName in ("bash", "sh", "zsh", "dash") | where ProcessCommandLine matches regex @"(?<varName>[A-Za-z_][A-Za-z0-9_]*)=.*\|\s*(bash|sh|zsh|dash)" | extend EnvVariable = extract(@"([A-Za-z_][A-Za-z0-9_]*)=", 1, ProcessCommandLine) | project TimeGenerated, DeviceName, ProcessId, FileName, EnvVariable, ProcessCommandLine | distinct EnvVariable |
| 63 | On a Windows host, find any scheduled task that was registered using PowerShell native cmdlets instead of schtasks.exe. What was the name given to the new task? | T1053.005 | AtomicTask | N/A | No | |
| 64 | Investigate Windows process events for PowerShell activity that leverages WMI to register a scheduled task via XML import. What was the name of the XML file supplied to the RegisterByXml method? | T1053.005 | T1053_005_WMI.xml | N/A | No | |
| 65 | During a Linux investigation, you notice processes spawning curl and wget commands that pull a script from a remote GitHub raw URL and pipe it into bash. Identify the name of the script that was retrieved and executed. | T1059.004 | echo-art-fish.sh | echo-art-fish.sh | Yes | DeviceProcessEvents | where TimeGenerated between (startofday(ago(7d)) .. now()) // timerange will be set by the external control | where ProcessCommandLine has_any ("curl", "wget") | where ProcessCommandLine contains "raw.githubusercontent.com" | where ProcessCommandLine contains "bash" or ProcessCommandLine contains "|" // Extract the raw.githubusercontent.com URL | extend DownloadUrl = extract(@"(https?://raw\.githubusercontent\.com/[^\s|]+)", 1, ProcessCommandLine) | where isnotempty(DownloadUrl) // Parse out the script name (last segment of the URL) | extend ScriptName = tostring(split(DownloadUrl, "/")[array_length(split(DownloadUrl, "/")) - 1]) | project TimeGenerated, DeviceName, InitiatingProcessFileName, ProcessCommandLine, DownloadUrl, ScriptName | sort by TimeGenerated desc |
| 66 | An attacker on a Linux host may try to enumerate installed shells by reading the system file that lists valid shells. Using process or syslog data, determine which command was executed to perform this enumeration. | T1059.004 | cat /etc/shells | cat /etc/shells | Yes | let ShellProcessEvents = DeviceProcessEvents | where ProcessCommandLine matches regex @"\b(cat|grep|awk|sed|less|more|tail|head)\b.*\/etc\/shells" | project TimeGenerated, DeviceName, AccountName=InitiatingProcessAccountName, CommandLine=ProcessCommandLine; // If syslog data is available, look for raw slash etc shells reads in logs let ShellSyslogEvents = Syslog | where SyslogMessage has "/etc/shells" | project TimeGenerated, DeviceName=HostName, AccountName="(unknown)", CommandLine=SyslogMessage; // Combine both sources for a full view ShellProcessEvents | union ShellSyslogEvents | sort by TimeGenerated desc |
| 67 | On a Linux host, identify the process invocation that altered a user’s login shell. What was the full command used? | T1059.004 | chsh -s /bin/sh art | chsh -s /bin/sh art | Yes | DeviceProcessEvents // limit to typical shell‐change commands | where ProcessCommandLine has "chsh -s" or ProcessCommandLine has "usermod -s" | project TimeGenerated, DeviceName, AccountName = InitiatingProcessAccountName, ChangedByProcess = FileName, FullCommandLine = ProcessCommandLine | sort by TimeGenerated desc |
| 68 | Which full interactive shell command, as recorded in the Linux process logs, repeatedly echoed a distinctive marker message to the terminal? | T1059.004 | for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done | bash -c 'mkdir -p ********** for file in /var/spool/mail/*; do if [ "$(basename "$file")" != "copy" ]; then cp -R "$file" /var/spool/mail/copy/; if [ -f "/var/spool/mail/copy/$(basename "$file")" ]; then echo "Modification for Atomic Red Test" >> "/var/spool/mail/copy/$(basename "$file")"; fi; fi; done' | No | DeviceProcessEvents | where FileName in~ ("bash", "sh", "zsh") | where ProcessCommandLine has "echo" | summarize EchoCount = count() by FullCommand = ProcessCommandLine | where EchoCount > 1 | sort by EchoCount desc | project FullCommand, EchoCount |
| 69 | In a Linux environment, a suspicious activity related to privilege escalation has been detected. A shell script was executed via bash to harvest SUID executable files. Analyze the process logs to identify the name of the script file used in this operation. | T1059.004 | AutoSUID.sh | N/A | No | |
| 70 | A suspicious command was used on a Windows system to list all local user groups. Your task is to determine the exact command that was executed. Analyze available logs related to process creation or command-line arguments. | T1069.001 | wmic group get name | net localgroup | No | DeviceProcessEvents // (The external time picker in the portal will apply your time range) | where ProcessCommandLine contains_cs "localgroup" or ProcessCommandLine contains_cs "Get-LocalGroup" | where FileName has_cs "net.exe" or InitiatingProcessFileName has_cs "powershell.exe" or FileName has_cs "powershell.exe" | project TimeGenerated, DeviceName, AccountName = InitiatingProcessAccountName, ProcessId, ProcessCommandLine | sort by TimeGenerated asc |
| 71 | An analyst suspects that a restricted shell escape was executed using a common Perl package manager on Linux. Review the process execution records to determine which tool was invoked to spawn the shell. | T1059.004 | cpan | N/A | No | |
| 72 | On a Windows endpoint, wscript.exe was used to run a JScript. Identify the exact script path passed to wscript. | T1059.007 | PathToAtomicsFolder\T1059.007\src\sys_info.js | N/A | No | |
| 73 | On a Linux system, find any process creation record where awk is used with a BEGIN rule to launch a shell. What was the exact command invoked? | T1059.004 | awk 'BEGIN {system("/bin/sh &")}’ | awk 'BEGIN {system("/bin/sh &")}' | Yes | let linuxDevices = DeviceInfo | where OSPlatform == "Linux" | distinct DeviceId; DeviceProcessEvents | where DeviceId in (linuxDevices) // Filter to awk executions | where FileName =~ "awk" or FileName endswith "awk" // Look for BEGIN block invoking a shell via system(...) | where ProcessCommandLine matches regex @"\bawk\b.*\bBEGIN\s*\{[^}]*system\s*\(" | project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine | sort by TimeGenerated desc |
| 74 | Review recent Windows process event logs for PowerShell activity that suggests local group enumeration through WMI. What exact command was executed? | T1069.001 | Get-WMIObject Win32_Group | Get-WMIObject Win32_Group | Yes | DeviceProcessEvents | where ProcessCommandLine has "powershell" | where ProcessCommandLine has_any ("Win32_Group", "Get-WmiObject", "Invoke-WmiMethod", "wmic group") | project TimeGenerated, DeviceName, AccountName, ProcessId, ProcessCommandLine | sort by TimeGenerated desc |
| 75 | On a Linux system, you suspect someone erased their command history by linking the history file to /dev/null. Investigate process events and determine which utility was executed to achieve this. | T1070.003 | ln | ln | Yes | DeviceProcessEvents | where ProcessCommandLine has "/dev/null" and ProcessCommandLine has ".bash_history" | where FileName == "ln" | project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, ProcessId, InitiatingProcessId |
| 76 | On a Windows endpoint, commands are no longer being logged to PowerShell history, suggesting PSReadLine settings were altered. Using process execution logs, determine the exact command that was run to set the history save style to 'SaveNothing'. | T1070.003 | Set-PSReadlineOption -HistorySaveStyle SaveNothing | Set-PSReadlineOption -HistorySaveStyle SaveNothing | Yes | DeviceProcessEvents // Look for PowerShell or PowerShell Core processes | where FileName in~ ("powershell.exe", "pwsh.exe") // Identify invocations that disable PSReadLine history logging | where ProcessCommandLine has "-HistorySaveStyle" and ProcessCommandLine has "SaveNothing" // Show relevant details | project TimeGenerated, DeviceName, User = InitiatingProcessAccountName, ProcessCommandLine | sort by TimeGenerated desc |
| 77 | On a Windows endpoint, review process execution logs to see if any PowerShell sessions were wiped clean. Which command was executed to clear the PowerShell history? | T1070.003 | Clear-History | Clear-History | Yes | DeviceProcessEvents | where ProcessCommandLine has "powershell.exe" or ProcessCommandLine has "pwsh.exe" | where (ProcessCommandLine has "Clear-History") or (ProcessCommandLine has "ClearHistory(") or (ProcessCommandLine has "PSConsoleReadLine::ClearHistory") or (ProcessCommandLine has "Remove-Item" and ProcessCommandLine has "ConsoleHost_history.txt") or (ProcessCommandLine has "Set-PSReadLineOption" and ProcessCommandLine has "HistorySaveStyle SaveNothing") | project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine | sort by TimeGenerated desc |
| 78 | Review Windows process event logs to uncover when PowerShell was directed to bypass its history mechanism. What was the exact command used to achieve this? | T1070.003 | Set-PSReadLineOption -AddToHistoryHandler { return $false } | powershell.exe & {Set-PSReadlineOption -HistorySaveStyle SaveNothing} | No | DeviceProcessEvents | where FileName in ("powershell.exe", "pwsh.exe") | where ProcessCommandLine has_cs "Set-PSReadLineOption" or ProcessCommandLine has_cs "-HistorySaveStyle" | where ProcessCommandLine has_cs "SaveNothing" | project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountName, ProcessCommandLine | sort by TimeGenerated desc |
| 79 | You’ve detected execution of a system utility on a Windows host that lists local permission groups. You need to confirm what command was run to display the members of the built-in Administrators group. What was the exact command line? | T1069.001 | net localgroup "Administrators" | N/A | No | |
| 80 | On a Linux system, analyze the process logs for suspicious command line activity that includes a sequence of commands indicating a pipe-to-shell operation. Identify the tool that was used to execute this piped command, paying special attention to its use in downloading and running script content. | T1059.004 | bash | curl | No | // Timerange is applied externally by the UI DeviceInfo | where OSPlatform has "Linux" | project DeviceId, OSPlatform | join kind=inner ( DeviceProcessEvents // look for a pipeline to a shell with a download tool | where ProcessCommandLine has "|" | where ProcessCommandLine matches regex @"(?i)\b(?:curl|wget|fetch|perl|python)\b.*\|\s*(?:bash|sh)\b" ) on DeviceId | extend Downloader = extract(@"(?i)\b(curl|wget|fetch|perl|python)\b", 1, ProcessCommandLine), Shell = extract(@"(?i)\|\s*(bash|sh)\b", 1, ProcessCommandLine), URL = extract(@"(?i)(?:curl|wget|fetch)\s+.*?(https?://\S+)", 1, ProcessCommandLine) | project TimeGenerated, DeviceName, OSPlatform, AccountName = InitiatingProcessAccountName, ProcessFileName = FileName, ProcessCommandLine, Downloader, Shell, URL | sort by TimeGenerated desc |
| 81 | Suspicious activity on a Linux system indicates the shell history was wiped. Investigate the process creation logs to find out which command was executed to clear the bash history buffer. What command was run? | T1070.003 | history -c | history -c | Yes | DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName in ("bash", "sh") | where ProcessCommandLine has_any ( "history -c", "history -w", "rm -f ~/.bash_history", "cat /dev/null > ~/.bash_history", "echo '' > ~/.bash_history", "truncate -s 0 ~/.bash_history" ) | project TimeGenerated, DeviceName, InitiatingUser = InitiatingProcessAccountName, ProcessCommandLine | order by TimeGenerated desc |
| 82 | Investigate Windows process execution logs for a PowerShell cmdlet used to list group members. Look for entries where a group name is provided after a '-Name' flag and identify which group was queried. | T1069.001 | Administrators | Administrators | Yes | DeviceProcessEvents | where FileName in~ ("powershell.exe","pwsh.exe") | where ProcessCommandLine matches regex @"-Name\s+\S+" | extend QueriedGroup = extract(@"-Name\s+(\S+)", 1, ProcessCommandLine) | where isnotempty(QueriedGroup) | project TimeGenerated, DeviceName, AccountName = InitiatingProcessAccountName, QueriedGroup, ProcessCommandLine | sort by TimeGenerated desc |
| 83 | On a Linux endpoint, process events reveal a chain of group‐enumeration utilities executed by a single session. Which utility was used to query the system’s group database? | T1069.001 | getent | N/A | No | |
| 84 | While reviewing Windows process events, you observe a command that recursively deleted a folder under the temporary directory. Use the process event data to identify which process or tool executed this recursive delete. | T1070.004 | powershell | powershell.exe | Yes | DeviceProcessEvents | where tolower(ProcessCommandLine) has "temp" and ( tolower(ProcessCommandLine) has "remove-item" and tolower(ProcessCommandLine) has "-recurse" or tolower(ProcessCommandLine) matches regex @"rmdir\s+/s" or tolower(ProcessCommandLine) matches regex @"del\s+/s" or tolower(ProcessCommandLine) matches regex @"rm\s+-r" ) | project TimeGenerated, DeviceName, ProcessId, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine | sort by TimeGenerated desc |
| 85 | On a Windows system, an attacker used the command prompt to remove one or more default administrative shares. Which share names were deleted? | T1070.005 | C$, IPC$, ADMIN$ | C$, IPC$, ADMIN$ | Yes | // 1) Registry-based share deletions let RegistryDeletion = DeviceRegistryEvents | where ActionType == "ValueDeleted" | where RegistryKey startswith @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares" | extend ShareName = RegistryValueName | project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ShareName; // 2) "net share <ShareName> /delete" command let NetShareDelete = DeviceProcessEvents | where ActionType == "ProcessCreated" | where ProcessCommandLine matches regex @"(?i)\bnet\s+share\s+\S+\s+/delete\b" | extend ShareName = tostring(split(trim(@"/", ProcessCommandLine), ' ')[2]) | project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ShareName; // 3) PowerShell Remove-SmbShare -Name <ShareName> let RemoveSmbShare = DeviceProcessEvents | where ActionType == "ProcessCreated" | where ProcessCommandLine matches regex @"(?i)\bRemove-SmbShare\s+-Name\s+\S+\b" | extend ShareName = extract(@"Remove-SmbShare\s+-Name\s+(\S+)", 1, ProcessCommandLine) | project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, ShareName; // Combine all and sort descending by time RegistryDeletion | union NetShareDelete | union RemoveSmbShare | sort by TimeGenerated desc |
| 86 | Review Linux system logs for evidence of a history file being emptied. Which utility was executed to zero out the bash history file? | T1070.003 | truncate | truncate | Yes | let linuxDevices = DeviceInfo | where OSPlatform == "Linux" | project DeviceId, DeviceName; let historyWipes = DeviceProcessEvents | where ProcessCommandLine has ".bash_history" | where ProcessCommandLine contains "truncate" or ProcessCommandLine contains "dd if=/dev/null" or ProcessCommandLine contains "history -c" or ProcessCommandLine contains "cat /dev/null" or ProcessCommandLine contains ">~/.bash_history" or ProcessCommandLine contains "echo" | extend Utility = case( ProcessCommandLine contains "truncate", "truncate", ProcessCommandLine contains "dd if=/dev/null", "dd", ProcessCommandLine contains "history -c", "history -c", ProcessCommandLine contains "cat /dev/null", "cat", ProcessCommandLine contains ">~/.bash_history", "shell redirection", ProcessCommandLine contains "echo", "echo", "unknown" ) | project TimeGenerated, DeviceId, AccountName, Utility, ProcessCommandLine; linuxDevices | join kind=inner historyWipes on DeviceId | project TimeGenerated, DeviceName, AccountName, Utility, ProcessCommandLine | order by TimeGenerated desc |
| 87 | Suspiciously, the recycle bin appears empty system-wide. Determine which command was executed on Windows to clear the system's recycle bin directory, including any switches and environment variables. | T1070.004 | rd /s /q %systemdrive%\$RECYCLE.BIN | cmd.exe /c rd /s /q %systemdrive%\$RECYCLE.BIN | Yes | DeviceProcessEvents | where ProcessCommandLine has "$Recycle.Bin" or ProcessCommandLine has "Clear-RecycleBin" or (ProcessCommandLine has "Remove-Item" and ProcessCommandLine has "Recycle.Bin") or (ProcessCommandLine has "rd " and ProcessCommandLine has "Recycle.Bin") or (ProcessCommandLine has "%SystemDrive%" and ProcessCommandLine has "Recycle.Bin") or (ProcessCommandLine has "$env:SystemDrive" and ProcessCommandLine has "Recycle.Bin") | project Timestamp=TimeGenerated, DeviceName, AccountName=InitiatingProcessAccountName, ProcessCommandLine | sort by Timestamp desc |
| 88 | On a Linux system, attackers may use timestamp manipulation to hide malicious changes. Investigate relevant logs to identify which file’s modification timestamp was altered by such a command. | T1070.006 | T1070.006-modification.txt | /tmp/T1070.006-modification.txt | Yes | DeviceProcessEvents | where FileName == "touch" // split the command line into tokens | extend args = split(ProcessCommandLine, " ") // calculate the index of the last element | extend idx = array_length(args) - 1 // extract the target file path (last token) | extend TargetFile = tostring(args[idx]) // select the fields of interest | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, TargetFile |
| 89 | Investigators find the process sh -c echo -n > ~/.bash_history on a Linux endpoint. This single line overwrites the user’s ~/.bash_history, leaving it 0 bytes. Which built-in shell command is responsible for performing the overwrite? Return only the command name. | T1070.003 | echo | N/A | No | |
| 90 | On a Windows host, suspicious PowerShell activity adjusted the system clock and recorded a value. What numeric value was used to slip the system date? | T1070.006 | 3 | 3 | Yes | DeviceProcessEvents | where FileName in ("powershell.exe", "pwsh.exe") | where ProcessCommandLine has "Set-Date" | extend directDateNumber = extract(@"-Date\s+([+-]?\d+)", 1, ProcessCommandLine), addMethodNumber = extract(@"Add(?:Days|Hours|Minutes|Seconds)\(([+-]?\d+)\)", 1, ProcessCommandLine) | extend slipValue = coalesce(directDateNumber, addMethodNumber) | where isnotempty(slipValue) | project TimeGenerated, DeviceName, InitiatingProcessAccountName, slipValue, ProcessCommandLine |
| 91 | A Linux host executed a native utility to overwrite and then remove a temporary file in one step. Identify the name of the file that was securely deleted by this action. | T1070.004 | victim-shred.txt | /tmp/victim-shred.txt | Yes | DeviceProcessEvents | where FileName == "shred" or FileName endswith "/shred" | where ProcessCommandLine contains "-u" or ProcessCommandLine contains "--remove" | extend DeletedFile = extract(@"(?:-u|--remove)\s+([^\s]+)", 1, ProcessCommandLine) | where isnotempty(DeletedFile) | project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, DeletedFile |
| 92 | An alert has surfaced on a Linux host indicating a potentially malicious recursive delete operation. Investigate process events to find out which directory name was completely removed. | T1070.004 | victim-folder | N/A | No | |
| 93 | A suspicious actor appears to have removed the USN change journal on a Windows workstation. Investigate process start records to find out exactly which command was used to delete the journal. What was the full command line invoked? | T1070 | fsutil usn deletejournal /D C:\\ | fsutil usn deletejournal /D C: | Yes | DeviceProcessEvents | where ActionType == "ProcessCreated" // Look specifically for the fsutil usn deletejournal command | where tolower(FileName) == "fsutil.exe" and tolower(ProcessCommandLine) contains "usn" and tolower(ProcessCommandLine) contains "deletejournal" // Show the relevant details including the full command line | project TimeGenerated, DeviceName, AccountName, ProcessId, ProcessCommandLine | sort by TimeGenerated asc |
| 94 | On a Linux endpoint, you suspect malicious clearing of the bash history by redirecting from the null device. Explore process or file events to uncover the exact shell command that performed this action. | T1070.003 | cat /dev/null > ~/.bash_history | N/A | No | |
| 95 | While investigating process creation logs on a Linux device, you observe a privileged hardware interrogation step used to reveal virtualization details. Which utility was invoked? | T1082 | dmidecode | dmidecode | Yes | // Identify Linux devices let LinuxDevices = DeviceInfo | where OSPlatform has "Linux" or OSDistribution has "linux" | distinct DeviceId; // Find dmidecode invocations on those Linux devices DeviceProcessEvents | where DeviceId in (LinuxDevices) and (FileName == "dmidecode" or ProcessCommandLine has "dmidecode") | project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, AccountName | sort by TimeGenerated desc |
| 96 | On a Linux device, a file was silently removed from the /tmp/victim-files directory. Search through file event or syslog records to identify the exact file name that was deleted. | T1070.004 | T1070.004-test.txt | N/A | No | |
| 97 | On a Windows device, there’s evidence that PowerShell history was wiped by deleting the history file. What was the exact command used to perform this action? | T1070.003 | Remove-Item (Get-PSReadlineOption).HistorySavePath | "powershell.exe" & {Remove-Item (Get-PSReadlineOption).HistorySavePath} | Yes | // 1) Find explicit file-deletion events for the PSReadLine history file let FileDeletes = DeviceFileEvents | where ActionType == "FileDeleted" | where FileName endswith "ConsoleHost_history.txt" | where FolderPath contains "PSReadLine" | where InitiatingProcessFileName in ("powershell.exe","pwsh.exe") | project TimeGenerated, DeviceName, Account = InitiatingProcessAccountName, Command = InitiatingProcessCommandLine; // 2) Find PowerShell process executions that reference the history file with delete/clear cmdlets let ProcessDeletes = DeviceProcessEvents | where FileName in ("powershell.exe","pwsh.exe") | where ProcessCommandLine matches regex @"(?i)\b(remove-?item|del|erase|rm|clear-?content)\b" | where ProcessCommandLine contains "HistorySavePath" or ProcessCommandLine contains "ConsoleHost_history" | project TimeGenerated, DeviceName, Account = AccountName, Command = ProcessCommandLine; // Combine, dedupe, and sort to get the exact command used to wipe the history union FileDeletes, ProcessDeletes | sort by TimeGenerated asc | distinct TimeGenerated, DeviceName, Account, Command | project Timestamp = TimeGenerated, DeviceName, Account, Command |
| 98 | A Linux system shows a process in the execution logs that fetched the machine’s name. Review the DeviceProcessEvents table to find out which utility was called to perform this hostname lookup. | T1082 | hostname | hostname | Yes | let linuxDevices = DeviceInfo | where OSPlatform == "Linux" | distinct DeviceId; linuxDevices | join kind=inner ( DeviceProcessEvents | where FileName in ("hostname", "hostnamectl", "uname") and (FileName != "uname" or ProcessCommandLine has "-n") ) on DeviceId | project TimeGenerated, DeviceName, ProcessId, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | sort by TimeGenerated desc | take 50 |
| 99 | Review the Linux process creation records to find which user account management utility was used to reactivate the previously locked and expired account. | T1078.003 | usermod | usermod | Yes | DeviceProcessEvents // Limit to process creation events | where ActionType in ("ProcessCreated", "Start", "ProcessStart") // Focus on known user account management utilities | where FileName in ("passwd", "usermod", "chage", "gpasswd") // Look for flags related to unlocking or re‐enabling accounts | extend Cmd = ProcessCommandLine | where Cmd has_any ("--unlock", "-u", "-U", "--expire", "-E") // Only successful operations (if exit code is captured) | extend ExitCode = toint(AdditionalFields.ExitCode) | where isnull(ExitCode) or ExitCode == 0 // Restrict to Linux devices | join kind=inner ( DeviceInfo | where OSPlatform == "Linux" | project DeviceId, OSPlatform ) on DeviceId // Present the key details | project TimeGenerated, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine, ExitCode | sort by TimeGenerated desc |
| 100 | Using Linux process execution logs, identify the specific command that was used to filter loaded kernel modules for entries containing “vmw.” What was that full command? | T1082 | grep vmw /proc/modules | sh -c "lsmod; kmod list; grep vmw /proc/modules" | Yes | let LinuxDevices = DeviceInfo | where OSPlatform has "Linux" | distinct DeviceId; DeviceProcessEvents | where DeviceId in (LinuxDevices) | where ProcessCommandLine has "lsmod" and ProcessCommandLine has "grep vmw" | project FullCommand = ProcessCommandLine | distinct FullCommand |
| 101 | A Linux host was used to collect various system release files and kernel details, writing them into a single file under /tmp. What was the name of that output file? | T1082 | T1082.txt | loot.txt | No | let linuxDevices = DeviceInfo | where OSPlatform == "Linux" | distinct DeviceId; DeviceProcessEvents | where TimeGenerated between (startofday(ago(7d)) .. now()) // time range will be set by the portal | where DeviceId in (linuxDevices) | where ProcessCommandLine contains ">" and ProcessCommandLine contains "/tmp/" | extend OutputFile = extract(@">\s*\/tmp\/(?<filename>[^\s]+)", 1, ProcessCommandLine) | where isnotempty(OutputFile) | summarize Count = count() by OutputFile | sort by Count desc |
| 102 | On a Linux endpoint, a command was executed to start a proxy service commonly used for onion routing. Identify the name of the service that was launched to enable this proxy functionality. | T1090.003 | tor | tor | Yes | let linuxDevices = DeviceInfo | where OSPlatform == "Linux" | project DeviceId; linuxDevices | join kind=inner DeviceProcessEvents on DeviceId | where ProcessCommandLine has "systemctl" and ProcessCommandLine has "start" | extend ServiceName = extract(@"start\s+(\S+)", 1, ProcessCommandLine) | where ServiceName has "tor" | distinct ServiceName |
| 103 | On a Linux system, an adversary used a standard utility to copy modify and access times from one file to another. Which executable’s timestamps were used as the source? | T1070.006 | sh | N/A | No | |
| 104 | A Windows system shows a cmd.exe process spawn that appears to have been used for environment discovery. Review the process creation records to identify the exact command the adversary ran to enumerate environment variables. | T1082 | set | cmd.exe /c set comspec=%windir%\System32\cmd.exe | Yes | DeviceProcessEvents | where FileName =~ "cmd.exe" | where ProcessCommandLine has "/c set" | project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessAccountDomain, ProcessCommandLine | sort by TimeGenerated desc |
| 105 | Analyze the system logs for changes that indicate the addition of a port proxy configuration via registry key alteration. Identify which port number was set to listen. | T1090.001 | 1337 | 1337 | Yes | let RegistryChanges = DeviceRegistryEvents | where RegistryKey has "PortProxy" | where ActionType in ("RegistryValueSet", "RegistryValueCreate") | extend ListenPort = coalesce( toint(extract(@"listenport[=:\s]*(\d+)", 1, RegistryValueData)), toint(extract(@"(\d{1,5})", 1, RegistryValueName)) ) | where isnotempty(ListenPort) | project TimeGenerated, DeviceName, Source = "Registry", RegistryKey, RegistryValueName, RegistryValueData, ListenPort; let NetshCommands = DeviceProcessEvents | where tolower(ProcessCommandLine) has "portproxy" | extend ListenPort = toint(extract(@"listenport\s*=\s*(\d+)", 1, ProcessCommandLine)) | where isnotempty(ListenPort) | project TimeGenerated, DeviceName, Source = "Process", ProcessCommandLine, ListenPort; RegistryChanges | union NetshCommands | sort by TimeGenerated desc | project TimeGenerated, DeviceName, Source, ListenPort, Details = iff(Source == "Registry", strcat("Key=", RegistryKey, "; ValueName=", RegistryValueName), ProcessCommandLine) |
| 106 | An attacker on Linux used bash to copy all files from /var/spool/mail into a newly created subdirectory before modifying them. What is the name of that subdirectory? | T1070.008 | copy | N/A | No | |
| 107 | Evidence shows that the Windows Defender startup entry was tampered with via an elevated command prompt. Investigate registry events related to the Run key to discover which executable replaced the default SecurityHealth value. What is the name of the new program? | T1112 | calc.exe | calc.exe | Yes | DeviceRegistryEvents | where RegistryKey has "Run" | where RegistryValueName == "SecurityHealth" | where ActionType contains "Set" | project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData | sort by TimeGenerated desc | extend NewProgram = tostring(split(RegistryValueData, "\\")[-1]) | project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RegistryKey, NewProgram |
| 108 | Review registry event logs on the Windows host for PowerShell-driven writes to system policy and file system keys. Which registry value names were created during this BlackByte preparation simulation? | T1112 | LocalAccountTokenFilterPolicy, EnableLinkedConnections, LongPathsEnabled | ASRRules, DisableAntiVirus, DisableAntiSpyware | No | DeviceRegistryEvents | where ActionType in ("RegistryValueSet", "RegistryValueAdded") | where tolower(InitiatingProcessFileName) has "powershell" | where RegistryKey has "\\SYSTEM\\CurrentControlSet\\Control\\FileSystem" or RegistryKey has "\\SOFTWARE\\Policies" | where isnotempty(RegistryValueName) | summarize CreatedValueNames = make_set(RegistryValueName) by RegistryKey | project RegistryKey, CreatedValueNames |
| 109 | Windows: Investigate PowerShell process events for instances where a web client fetched and executed an external host-survey tool. What was the name of the script file that was downloaded and run? | T1082 | Invoke-Seatbelt.ps1 | N/A | No | |
| 110 | On Windows systems, identify when the built-in Shadow Copy utility is used to enumerate existing snapshots. What was the full command executed? | T1082 | vssadmin.exe list shadows | vssadmin.exe list shadows | Yes | let ShadowTools = dynamic(["vssadmin.exe","diskshadow.exe","wmic.exe"]); DeviceProcessEvents | where FileName in~ (ShadowTools) | where ProcessCommandLine matches regex @"(?i)\b(list|get|enum)\b.*\b(shadow|shadowcopy)s?\b" | project TimeGenerated, DeviceName, User = InitiatingProcessAccountName, Executable = FileName, CommandLine = ProcessCommandLine | sort by TimeGenerated desc |
| 111 | A user‐space process on a Linux device invoked a shell to capture and display the system’s environment variables and path. Which exact command was used to perform this discovery? | T1082 | env | env | Yes | let linuxDevices = DeviceInfo | where OSPlatform =~ "Linux" | project DeviceId; DeviceProcessEvents | where DeviceId in (linuxDevices) | where InitiatingProcessFileName in~ ("bash", "sh", "zsh") | where ProcessCommandLine matches regex @"\b(env|printenv|set)\b|\becho\s+\$PATH\b" | project TimeGenerated, DeviceName, DeviceId, InitiatingProcessAccountName, InitiatingProcessFileName, ProcessCommandLine | sort by TimeGenerated desc |
| 112 | Review Windows process logs to find which built-in command was executed to reveal the system’s hostname. | T1082 | hostname | N/A | No | |
| 113 | On Windows systems, disabling RDP via the registry generates registry write events. Investigate registry event logs for modifications under the Terminal Server configuration path. What is the name of the registry value that was changed to disable Remote Desktop Protocol? | T1112 | fDenyTSConnections | N/A | No | |
| 114 | Investigate Windows registry events to identify any newly set ProxyServer entry under the user Internet Settings hive. What proxy server address was configured? | T1112 | proxy.atomic-test.com:8080 | proxy.atomic-test.com:8080 | Yes | DeviceRegistryEvents | where RegistryKey has @"\Software\Microsoft\Windows\CurrentVersion\Internet Settings" | where RegistryValueName == "ProxyServer" | where ActionType == "RegistryValueSet" | project TimeGenerated, DeviceName, InitiatingProcessAccountName, RegistryKey, RegistryValueName, ProxyServer = RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine | sort by TimeGenerated desc |
| 115 | On a Linux host, review account management activity in Syslog or process event logs to pinpoint which command was executed to create a new local user. What was the name of the tool invoked? | T1078.003 | useradd | N/A | No | |
| 116 | A Windows host logs a change to the Terminal Server registry key disabling single-session per user. Which command-line utility executed this registry modification? | T1112 | reg | N/A | No | |
| 117 | A Windows user’s registry was altered via a command-line tool to disable the lock workstation feature by adding a DWORD entry under the current user Policies\System key. Which registry value name was modified in this operation? | T1112 | DisableLockWorkstation | DisableLockWorkstation | Yes | DeviceRegistryEvents | where ActionType == "RegistryValueSet" // Only DWORD-type value changes | where RegistryValueType has "DWORD" // Target the current user Policies\System key (where DisableLockWorkstation is stored) | where RegistryKey has @"\Software\Microsoft\Windows\CurrentVersion\Policies\System" // Detect use of reg.exe (reg add) for the modification | where InitiatingProcessFileName has_cs "reg.exe" or InitiatingProcessCommandLine has_cs "reg add" // Return the registry value name and related context | project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData | order by TimeGenerated desc |
| 118 | On a Windows endpoint, review the registry write events to spot when the WDigest key is altered to permit plaintext credential storage. What registry value name was changed? | T1112 | UseLogonCredential | UseLogonCredential | Yes | DeviceRegistryEvents | where ActionType == "RegistryValueSet" | where RegistryKey has "\\Control\\SecurityProviders\\WDigest" | where PreviousRegistryValueData == "0" and RegistryValueData == "1" | distinct RegistryValueName |
| 119 | In Windows process event logs, you notice both the net time and w32tm commands being executed to display the system time and timezone. Which executor name from the test configuration was responsible for launching these utilities? | T1124 | cmd.exe | wipro | No | DeviceProcessEvents | where ProcessCommandLine contains "net time" or ProcessCommandLine contains "w32tm" | summarize Executions = count() by InitiatingProcessAccountName | order by Executions desc |
| 120 | On a Windows device, examine registry event logs for modifications under the System policies path. Determine which registry value name was altered to disable the shutdown button at login. | T1112 | shutdownwithoutlogon | N/A | No | |
| 121 | Review Windows process execution logs to find any native utility that was used to enumerate connected drives. Which utility was invoked? | T1120 | fsutil | cmd.exe | No | DeviceProcessEvents | where ProcessCommandLine has_any ("logicaldisk", "fsinfo", "Get-PSDrive", "net use", "mountvol", "list volume") | summarize InvocationCount = count() by FileName | order by InvocationCount desc |
| 122 | Review Windows process execution logs for any PowerShell activity that retrieves the system clock. Which command was executed? | T1124 | Get-Date | Get-Date | Yes | DeviceProcessEvents | where FileName in ("powershell.exe", "pwsh.exe", "powershell_ise.exe") // look for commands that retrieve or query the system time | where ProcessCommandLine has "get-date" or ProcessCommandLine matches regex @"(?i)\[datetime\]::(Now|UtcNow)" or ProcessCommandLine matches regex @"(?i)\bw32tm\b" or ProcessCommandLine matches regex @"(?i)\bnet\s+time\b" or ProcessCommandLine matches regex @"(?i)get-wmiobject.*time" | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine | sort by TimeGenerated desc |
| 123 | On Windows, identify the registry value name that was created or modified to override the RDP authentication level under the current user’s Terminal Server Client settings. | T1112 | AuthenticationLevelOverride | N/A | No | |
| 124 | On a Windows host, registry events reveal that PowerShell modified a value under the WDigest provider. Identify the exact command line that performed this registry change. | T1112 | Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '1' -ErrorAction Ignore, Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value '0' -ErrorAction Ignore | N/A | No | |
| 125 | On a Windows host, registry events indicate that the Internet Zone Protocol Defaults under the current user were modified via PowerShell. Investigate which protocol value names were set to 0. | T1112 | http, https | N/A | No | |
| 126 | An analyst reviewing Windows process logs wants to spot instances where a native time tool was repurposed to introduce a delay. Which full W32tm invocation, including the stripchart and period flags, appears in the logs? | T1124 | W32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 | W32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 | Yes | DeviceProcessEvents | where FileName == "w32tm.exe" | where ProcessCommandLine has "stripchart" and ProcessCommandLine has "period" | project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine | order by TimeGenerated desc |
| 127 | Review Windows process and PowerShell activity for commands that enumerate PnP entities through WMI. Which PowerShell cmdlet was invoked to perform this hardware inventory? | T1120 | Get-WMIObject | N/A | No | |
| 128 | A Windows host logs show PowerShell fetching and executing a remote script to gain SeDebugPrivilege token duplication. Which Empire module was invoked? | T1134.001 | Get-System | WinPwn | No | DeviceProcessEvents | where FileName =~ "powershell.exe" | where ProcessCommandLine contains "DownloadString" and ProcessCommandLine contains "IEX" | extend EmpireModuleWithExt = extract(@"\/([^\/]+\.ps1)", 1, ProcessCommandLine) | extend EmpireModule = replace(@"\.ps1$", "", EmpireModuleWithExt) | project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, EmpireModule |
| 129 | On a Windows device, a command‐prompt utility was used to query the registry for time zone settings. Investigate the registry events to identify which value name under the TimeZoneInformation key was accessed. | T1124 | TimeZoneKeyName | N/A | No | |
| 130 | A Windows host recorded a process that simply executes the system’s native time utility. Without spelling out the query, determine which command was run based on process creation events. | T1124 | time | N/A | No | |
| 131 | On a Linux host, an activity was recorded where the local clock and timezone were queried. Review the available process execution logs to uncover what full command was run to fetch the system time and timezone. | T1124 | date | N/A | No | |
| 132 | On Windows, an investigator suspects that shared directories were enumerated via a built-in tool. Search the process creation logs for evidence of this activity and identify the exact command string that was used to list available shares. | T1135 | net share | N/A | No | |
| 133 | Windows systems may be probed for their password policy settings using a native command-line tool. Determine which command was executed to list the local password policy on the target hosts. | T1201 | net accounts | net accounts | Yes | DeviceProcessEvents | where ProcessCommandLine has "net accounts" | project TimeGenerated, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, ProcessCommandLine | sort by TimeGenerated desc |
| 134 | A Windows host shows chrome.exe starting with a --load-extension parameter. What folder name was specified in that flag? | T1176 | extension | N/A | No | |
| 135 | An attacker is suspected of using the Windows shell to enumerate a user’s Internet Explorer bookmarks via the Favorites folder. Identify the exact command they executed to perform this listing. | T1217 | dir /s /b %USERPROFILE%\Favorites | cmd.exe /c dir /s /b %USERPROFILE%\Favorites | Yes | DeviceProcessEvents | where ProcessCommandLine has "\\Favorites" | where FileName in ("cmd.exe", "powershell.exe") | where ProcessCommandLine matches regex @"(?i)\b(dir|ls|tree|get-childitem)\b" | project TimeGenerated, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine |
| 136 | You are reviewing Linux syslog records on a CentOS/RHEL 7.x server. You notice entries for shell commands that access system configuration files under /etc/security. Determine exactly which configuration file was being inspected by the command. | T1201 | pwquality.conf | pwquality.conf | Yes | union isfuzzy=true ( DeviceFileEvents | where FolderPath startswith "/etc/security" | extend FullPath = strcat(FolderPath, "/", FileName) | project Timestamp = TimeGenerated, DeviceName, AccountName = InitiatingProcessAccountName, InitiatingProcessFileName, CommandLine = InitiatingProcessCommandLine, FullPath ), ( DeviceProcessEvents | where ProcessCommandLine contains "/etc/security/" | extend FullPath = extract(@"(/etc/security/\S+)", 1, ProcessCommandLine) | project Timestamp = ProcessCreationTime, DeviceName, AccountName = InitiatingProcessAccountName, InitiatingProcessFileName, CommandLine = ProcessCommandLine, FullPath ) | sort by Timestamp desc |
| 137 | On a Windows system, a non-standard image downloader was used to fetch a remote file by passing a URL to a lockscreen utility. Identify the executable responsible for launching that activity. | T1197 | desktopimgdownldr.exe | N/A | No | |
| 138 | A suspicious BITS transfer was orchestrated via bitsadmin.exe on Windows, creating a job to download and then execute a payload. Investigate the process event logs to determine what custom job name was specified when the BITS job was created. | T1197 | AtomicBITS | AtomicBITS | Yes | DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName has_cs "bitsadmin.exe" | where ProcessCommandLine has_cs "/create" | extend JobName = extract('(?i)/create\\s+"?([^"\\s]+)"?', 1, ProcessCommandLine) | where isnotempty(JobName) | project TimeGenerated, DeviceName, AccountName, ProcessId, JobName, ProcessCommandLine |
| 139 | Review Windows process creation events for evidence of a .NET assembly being installed. Which executable was launched with an "/action=install" argument? | T1218.004 | InstallUtil | InstallUtil.exe | Yes | DeviceProcessEvents | where ActionType == "ProcessCreated" | where tolower(ProcessCommandLine) contains "/action=install" | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine | sort by TimeGenerated desc |
| 140 | On Windows, an elevated SecEdit.exe process was observed exporting the local security policy. Review the process execution records to identify the name of the text file where the policy was saved. | T1201 | output_mysecpol.txt | N/A | No | |
| 141 | On a Windows system, you notice a process that recursively enumerates files named 'Bookmarks' under every user profile directory. Which Windows command-line utility was used to perform that search? | T1217 | where | where.exe | Yes | DeviceProcessEvents | where ProcessCommandLine has "Bookmarks" | where ProcessCommandLine has_any ("/s", "/r", "-Recurse") | where FileName in~ ("where.exe", "cmd.exe", "powershell.exe") | distinct FileName |
| 142 | On a Linux host, process execution logs show a chmod invocation with a recursive flag. Which file or folder was targeted by this recursive permission change? | T1222.002 | T1222.002 | /tmp/AtomicRedTeam/atomics/T1222.002 | Yes | DeviceProcessEvents | where ProcessCommandLine contains "chmod" | where ProcessCommandLine matches regex @"chmod\s+(?:-[^\s]*\s+)*-R" | extend TargetPath = extract(@"chmod\s+(?:-[^\s]*\s+)*-R\s+([^\s]+)", 1, ProcessCommandLine) | join kind=inner ( DeviceInfo | where OSPlatform == "Linux" | project DeviceId ) on DeviceId | project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, TargetPath |
| 143 | On a Linux system, logs show that the password expiration settings file was accessed. Identify which command was executed to list its contents. | T1201 | cat /etc/login.defs | N/A | No | |
| 144 | On Linux, review the process execution logs to uncover when Chromium’s bookmark JSON files were being located and the results persisted. Focus on shell commands that search under .config/chromium and write output to a file. What was the filename used to save the findings? | T1217 | T1217-Chrome.txt | /tmp/T1217-Chrome.txt | Yes | DeviceProcessEvents | where InitiatingProcessFileName in ("bash","sh","dash","zsh") | where ProcessCommandLine has ".config/chromium" and ProcessCommandLine has ">" | extend SavedFile = extract("[>]{1,2}\\s*['\"`]?([^'\"`;&| ]+)", 1, ProcessCommandLine) | where isnotempty(SavedFile) | distinct SavedFile |
| 145 | On a Windows host, investigators notice a download event that saved a remote access tool to a user’s Desktop. What was the filename of the downloaded executable? | T1219 | rustdesk-1.2.3-1-x86_64.exe | N/A | No | |
| 146 | A suspicious registry change was made on a Windows system modifying the Terminal Services DLL path. Investigate registry events to find out which DLL file name was set as the ServiceDll value under TermService. What was the file name? | T1505.005 | AtomicTest.dll | AtomicTest.dll | Yes | DeviceRegistryEvents | where RegistryKey endswith @"\Services\TermService\Parameters" | where RegistryValueName == "ServiceDll" | where ActionType == "RegistryValueSet" | project TimeGenerated, DeviceName, InitiatingProcessAccountName, RegistryValueData | extend DllFileName = tostring(split(RegistryValueData, "\\")[-1]) | distinct DllFileName |
| 147 | You notice rundll32.exe being used with desk.cpl,InstallScreenSaver on a Windows endpoint. Investigate your process creation logs to find which .scr file was loaded by this unusual invocation. | T1218.011 | not_an_scr.scr | N/A | No | |
| 148 | An attacker obtained elevated rights on a Windows system and ran a deletion command that attempted to remove various backup file types across the C: drive, generating numerous “access denied” errors. What was the full command line used? | T1490 | del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk | "cmd.exe" /c del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk | Yes | DeviceProcessEvents | where FileName in ("cmd.exe", "erase.exe") | where ProcessCommandLine has_any ("del", "erase") | where ProcessCommandLine has_any (".bak", ".bkf", ".zip", ".rar") | where ProcessCommandLine contains "C:\\" | project TimeGenerated, DeviceName, AccountName = InitiatingProcessAccountName, ProcessCommandLine | sort by TimeGenerated desc |
| 149 | An attacker has attempted to sideload code by invoking regsvr32.exe in a Windows host against a file that does not use the standard .dll extension. Investigate the process event logs to determine the name of the file that was registered. | T1218.010 | shell32.jpg | shell32.jpg | Yes | DeviceProcessEvents | where tolower(FileName) == "regsvr32.exe" | where isnotempty(ProcessCommandLine) // Extract the arguments string after 'regsvr32.exe' | parse ProcessCommandLine with * "regsvr32.exe" rest:string // Split on spaces and take the first token as the target file | extend args = split(rest, " ") | extend RegisteredFile = trim('"', tostring(args[0])) // Filter out switches (starting with '/') and standard .dll targets | where RegisteredFile !startswith "/" | where tolower(RegisteredFile) !endswith ".dll" | project TimeGenerated, DeviceName, AccountName, RegisteredFile, ProcessCommandLine | sort by TimeGenerated desc |
| 150 | Within Windows process event logs, identify instances where the built-in net.exe utility is used to change a user account password. What was the new password argument passed in? | T1531 | HuHuHUHoHo283283@dJD | User2ChangePW! | No | DeviceProcessEvents // Filter for the built-in net.exe utility | where tolower(FileName) == "net.exe" // Look for the "net user <account> <newpassword>" pattern | where ProcessCommandLine matches regex @"\bnet\s+user\s+\S+\s+\S+" // Extract the account name and the new password argument | extend AccountName = extract(@"\bnet\s+user\s+(\S+)\s+\S+", 1, ProcessCommandLine), NewPassword = extract(@"\bnet\s+user\s+\S+\s+(\S+)", 1, ProcessCommandLine) // Select relevant columns | project TimeGenerated, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, AccountName, NewPassword, ProcessCommandLine |
| 151 | A Linux system shows evidence of a chmod invocation recorded in process telemetry. Investigate these logs to find out what symbolic mode flag was supplied to chmod during that execution. | T1222.002 | a+w | N/A | No | |
| 152 | While investigating a Windows endpoint where boot repair options have unexpectedly been turned off, search your logs for BCDEdit modifying recovery settings. What was the command executed to disable the recovery console? | T1490 | bcdedit.exe /set {default} recoveryenabled no | N/A | No | |
| 153 | Suspicious PowerShell activity on a Windows machine shows an external script being fetched and executed, followed by a quiet SQL enumeration call. Using process event logs, identify the name of the tool executed immediately after the script retrieval. | T1518 | powerSQL | powerSQL | Yes | // 1) Identify PowerShell script-download events let downloads = DeviceProcessEvents | where FileName in ("powershell.exe", "pwsh.exe") // look for download methods in the command line | where ProcessCommandLine matches regex @"(?i)(Invoke-WebRequest|DownloadString|DownloadFile|-Url\s+https?://)" | project DeviceId, DownloadPid = ProcessId, DownloadTime = TimeGenerated; // 2) Find child processes launched by those PowerShell PIDs after the download let childProcs = DeviceProcessEvents | where InitiatingProcessParentId in (downloads | distinct DownloadPid) | project DeviceId, ParentPid = InitiatingProcessParentId, ChildName = FileName, ChildTime = TimeGenerated, ChildCmd = ProcessCommandLine; // 3) Join and pick the first child process per download downloads | join kind=inner childProcs on DeviceId, $left.DownloadPid == $right.ParentPid | where ChildTime > DownloadTime | summarize arg_min(ChildTime, ChildName, ChildCmd, ChildTime) by DownloadPid, DeviceId | project ToolExecuted = ChildName, ExecutionTime = ChildTime, CommandLine = ChildCmd |
| 154 | Investigate Windows file creation logs to uncover any new executable added directly to the System32 directory, which may indicate a UEFI persistence implant. What was the name of the file created? | T1542.001 | wpbbin.exe | wpbbin.exe | Yes | DeviceFileEvents | where ActionType == "FileCreated" | where FolderPath has @"Windows\System32" | where FileName endswith ".exe" | project TimeGenerated, DeviceName, FolderPath, FileName, InitiatingProcessFileName, InitiatingProcessCommandLine | sort by TimeGenerated desc |
| 155 | You're reviewing Windows process events showing a recursive directory search via the command prompt for a browser file under C:\Users. What was the exact filename targeted in that search? | T1217 | places.sqlite | N/A | No | |
| 156 | Review the Linux process execution logs for an unusual command that lists several security or monitoring daemons. Identify the utility used to perform this discovery based on the command line. | T1518.001 | pgrep | systemctl | No | DeviceProcessEvents | join kind=inner ( DeviceInfo | where OSPlatform contains "Linux" | project DeviceId ) on DeviceId | where ProcessCommandLine matches regex @"(?i)\b(?:ps|pgrep|systemctl|ss|netstat|lsof)\b.*\b(?:auditd|fail2ban|syslog|snort|ossec)\b" | extend Utility = extract(@"^([^\s]+)", 1, ProcessCommandLine) | project TimeGenerated, DeviceName, InitiatingProcessAccountName, Utility, ProcessCommandLine | order by TimeGenerated desc |
| 157 | On a Linux host, a command was run to list all processes and filter for common security or monitoring agents. Review the process logs and identify which agent name was actually observed. | T1518.001 | auditbeat | N/A | No | |
| 158 | On a Linux host, identify any processes that used ping with a large count value to introduce a delay before launching another process. What was the command executed immediately after the ping delay? | T1497.003 | whoami | N/A | No | |
| 159 | An unusual Systemd unit file appears to have been dropped and enabled on a Linux system. Investigate relevant events to find out which service definition file the actor created and enabled. | T1543.002 | art-systemd-service.service | N/A | No | |
| 160 | On a Windows system, a process has introduced a new shim database into the default apppatch directory. Investigate file creation logs to reveal the database filename that appeared under C:\Windows\apppatch\Custom. | T1546.011 | T1546.011CompatDatabase.sdb | T1546.011CompatDatabase.sdb | Yes | DeviceFileEvents | where ActionType == "FileCreated" and FolderPath has "\\Windows\\apppatch\\Custom" and FileName endswith ".sdb" | project TimeGenerated, DeviceName, FolderPath, FileName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName | sort by TimeGenerated desc |
| 161 | On Linux, review file events for changes in the system-wide shell profile directory. Determine the name of the script file in /etc/profile.d that shows evidence of an unauthorized append. | T1546.004 | bash_completion.sh | N/A | No | |
| 162 | On a Windows endpoint, an attacker ran a PowerShell sequence to establish a WMI event subscription using CommandLineEventConsumer. Inspect the process or script execution logs to uncover which executable was set to run by this subscription. | T1546.003 | notepad.exe | N/A | No | |
| 163 | On Linux systems, an attacker may gain persistence by appending instructions to the global shell profile. Investigate process or file modification events to find evidence of text being added to /etc/profile, and identify the exact command invocation that carried out this change. | T1546.004 | echo '# Hello from Atomic Red Team T1546.004' >> /etc/profile | sh -c "echo '# Hello from Atomic Red Team T1546.004' >> /etc/profile" | Yes | let LinuxDeviceIds = DeviceInfo | where OSPlatform startswith "Linux" | distinct DeviceId; let FileMods = DeviceFileEvents | where DeviceId in (LinuxDeviceIds) | where FolderPath has "/etc" and FileName == "profile" | where ActionType has "Modified" or ActionType has "Overwritten" | extend FilePath = strcat(FolderPath, "/", FileName) | project TimeGenerated, DeviceId, DeviceName, FilePath, ActionType, InitiatingProcessId; let FileModCommands = FileMods | join kind=leftouter ( DeviceProcessEvents | where DeviceId in (LinuxDeviceIds) | project DeviceId, ProcessId, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, ProcessCreationTime, ProcessCommandLine ) on DeviceId, $left.InitiatingProcessId == $right.ProcessId | project TimeGenerated, DeviceName, FilePath, ActionType, ProcessCreationTime, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, ProcessCommandLine; let DirectAppends = DeviceProcessEvents | where DeviceId in (LinuxDeviceIds) | where ProcessCommandLine has ">> /etc/profile" or ProcessCommandLine has "tee -a /etc/profile" | project TimeGenerated, DeviceName, FilePath = "/etc/profile", ActionType = "Direct Append", ProcessCreationTime, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, ProcessCommandLine; FileModCommands | union DirectAppends | sort by TimeGenerated desc |
| 164 | A suspicious file modification on a Linux device targeted the ~/.bash_profile file, apparently adding a new line. What was the full command string that was appended? | T1546.004 | echo "Hello from Atomic Red Team T1546.004" > /tmp/T1546.004 | sh -c 'echo 'echo "Hello from Atomic Red Team T1546.004" > /tmp/T1546.004' >> ~/.bash_profile' | Yes | // 1. Identify all Linux devices let LinuxDeviceIds = DeviceInfo | where OSPlatform == "Linux" | distinct DeviceId; // 2. Find .bash_profile file events on Linux devices DeviceFileEvents | where DeviceId in (LinuxDeviceIds) | where FileName == ".bash_profile" | where ActionType in ("FileCreated", "FileModified", "FileOverwritten") // 3. Filter for append operations | where InitiatingProcessCommandLine has ">>" or InitiatingProcessCommandLine has "tee -a" // 4. Project relevant details | project TimeGenerated, DeviceName, FilePath = strcat(FolderPath, "/", FileName), AppendingProcess = InitiatingProcessFileName, AppendingCommandLine = InitiatingProcessCommandLine // 5. Sort by time | sort by TimeGenerated desc |
| 165 | A Windows endpoint shows an Active Setup entry under Internet Explorer Core Fonts being altered with a StubPath value. Investigate the registry events and identify the payload that was set. | T1547.014 | calc.exe | calc.exe | Yes | DeviceRegistryEvents | where RegistryValueName == "StubPath" | where RegistryKey has "Software\\Microsoft\\Active Setup\\Installed Components" | project TimeGenerated, DeviceName, ActionType, InitiatingProcessAccountName, InitiatingProcessCommandLine, RegistryKey, RegistryValueData | sort by TimeGenerated desc |
| 166 | A Linux system shows a shell invocation that appears to be searching for files with elevated group permissions. Using the available process execution logs, determine exactly what command was run. | T1548.001 | find /usr/bin -perm -2000 | find /usr/bin -perm -2000 | Yes | let linuxDevices = DeviceInfo | where OSPlatform == "Linux" | distinct DeviceId; DeviceProcessEvents | where DeviceId in (linuxDevices) | where ProcessCommandLine matches regex @"\bfind\b.*(-perm\s+(?:/g\+s|-2000))" | project TimeGenerated, DeviceName, ProcessId, InitiatingProcessFileName, InitiatingProcessAccountName, ProcessCommandLine | sort by TimeGenerated asc |
| 167 | Investigate recent file modification events on Linux that could reveal an adversary appending commands to a user’s ~/.profile for persistence. Determine the exact command that was added. | T1546.004 | echo '# Atomic Red Team was here... T1546.004' >> ~/.profile | N/A | No | |
| 168 | A Windows host shows a suspicious registry change under the LSA hive. Review recent registry events to locate any new entries under Authentication Packages and determine the name of the DLL the attacker added. | T1547.002 | package.dll | N/A | No | |
| 169 | A Windows host shows a process launching with install-driver switches, likely signaling malicious driver deployment. What is the name of the tool that was executed? | T1547 | pnputil.exe | N/A | No | |
| 170 | Windows registry events show that a new key under the Active Setup Installed Components branch was added to launch a payload immediately via runonce.exe. Which component name was created? | T1547.014 | atomic_test | N/A | No | |
| 171 | On a Windows endpoint, review any events showing content being appended to a user’s PowerShell profile that introduce new process launches. What exact command line was added? | T1546.013 | Start-Process calc.exe | N/A | No | |
| 172 | A Windows host shows evidence of a driver being installed using a built-in utility. Investigate process creation events to find the INF filename that was specified in the add-driver invocation. | T1547 | usbstor.inf | usbstor.inf | Yes | DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName has_any ("pnputil.exe", "dism.exe", "devcon.exe") | where ProcessCommandLine contains ".inf" | extend InfFile = extract(@"(?i)([^\s]+\.inf)", 1, ProcessCommandLine) | where isnotempty(InfFile) | project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, ProcessCommandLine, InfFile |
| 173 | Investigate registry modifications on Windows that reveal when cmd.exe persistence was configured via the CommandProcessor AutoRun key. What command was configured under the AutoRun value? | T1546 | notepad.exe | N/A | No | |
| 174 | Investigate Linux process or syslog records to find any invocation of the 'find' utility used to scan /usr/bin for files with the setuid bit. What was the full command executed? | T1548.001 | find /usr/bin -perm -4000 | N/A | No | |
| 175 | A Linux host’s Syslog contains records of an elevated shell executing a command that granted group execute rights and enabled the SetGID bit on a file. Investigate the logs and report the name of the file whose group ID bit was modified. | T1548.001 | evilBinary | N/A | No | |
| 176 | On a Windows host, sift through registry modification events targeting HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin. What new value was written to disable the admin consent prompt? | T1548.002 | 0 | 0 | Yes | DeviceRegistryEvents | where RegistryKey startswith @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" and RegistryValueName == "ConsentPromptBehaviorAdmin" and ActionType in~ ("RegistryValueSet","SetValue","ValueSet") | extend NewValue = toint(RegistryValueData), OldValue = toint(PreviousRegistryValueData) | where NewValue == 0 | project TimeGenerated, DeviceName, InitiatingUser = InitiatingProcessAccountName, InitiatingProcess = InitiatingProcessFileName, ActionType, OldValue, NewValue | order by TimeGenerated desc |
| 177 | A Windows host shows a registry write under DeviceRegistryEvents affecting the System policy path. Investigate entries where the data is set to ‘0’ and determine which registry value was modified to turn off UAC consent prompts. | T1548.002 | ConsentPromptBehaviorAdmin | N/A | No | |
| 178 | A suspicious elevated shell on Linux changed a file’s permissions for a user to include the SetUID bit. What was the exact command used to set that flag? | T1548.001 | chmod u+xs /tmp/evilBinary | N/A | No | |
| 179 | On a Windows endpoint, someone may have disabled the secure desktop for elevation prompts by modifying a registry setting. Review the registry event logs to identify which registry value name was changed to 0. | T1548.002 | PromptOnSecureDesktop | N/A | No | |
| 180 | A Linux user’s bash history was searched for patterns like ‘pass’ and ‘ssh’, and the matching lines were redirected into a new file. Determine the name of that file. | T1552.003 | loot.txt | loot.txt | Yes | DeviceProcessEvents // Filter for processes invoking grep (handles cases where FileName or the full command line contains 'grep') | where tolower(FileName) endswith "grep" or tolower(ProcessCommandLine) contains "grep" // Match whole-word occurrences of 'pass' or 'ssh' | where ProcessCommandLine matches regex @"\b(pass|ssh)\b" // Ensure redirection of output | where ProcessCommandLine contains ">" // Extract the filename after '>' or '>>' | extend OutFile = trim('"''', extract(@"(?:>>|>)\s*([^\s]+)", 1, ProcessCommandLine)) // Select and sort results | project TimeGenerated, DeviceName, InitiatingProcessAccountName, grepCommand = ProcessCommandLine, OutFile | sort by TimeGenerated desc |
| 181 | A Windows 10 system shows registry modifications under HKCU:\Software\Classes\ms-settings\shell\open\command, followed by a launch of fodhelper.exe. Determine which executable path was written into the registry to be launched by this UAC bypass. | T1548.002 | C:\Windows\System32\cmd.exe | N/A | No | |
| 182 | On a Windows system, a registry event shows the EnableLUA value under the System policies key was set to 0, effectively disabling UAC. Which utility carried out this change? | T1548.002 | reg.exe | N/A | No | |
| 183 | An endpoint shows a PowerShell process that downloaded and executed a remote script aimed at extracting credentials from the Windows Credential Manager. Review the process creation logs and identify the function name that was invoked to dump the web credentials. | T1555 | Get-CredManCreds | Seatbelt | No | DeviceProcessEvents | where FileName == "powershell.exe" // Only include runs that reference a .ps1 script (likely downloaded) | where ProcessCommandLine contains ".ps1" // Look for any Invoke- function call in the parameters | where ProcessCommandLine matches regex @"Invoke-[A-Za-z0-9_]+" // Extract the function name invoked to dump credentials | extend FunctionName = extract(@"Invoke-([A-Za-z0-9_]+)", 1, ProcessCommandLine) | where isnotempty(FunctionName) // Show the key context to identify the credential dumping routine | project TimeGenerated, DeviceName, AccountName, ProcessId, FunctionName, ProcessCommandLine | sort by TimeGenerated desc |
| 184 | A Linux system shows a 'find' command used to search within .aws directories. Which specific AWS credential filename was the attacker attempting to locate? | T1552.001 | credentials | N/A | No | |
| 185 | On a Windows system, PowerShell was used to gather multiple browser credential files into a temp folder and then archive them. What was the name of the resulting ZIP file? | T1555.003 | T1555.003.zip | T1560-data-ps.zip | No | // First, capture PowerShell processes that ran Compress-Archive targeting a .zip let psCompress = DeviceProcessEvents | where FileName == "powershell.exe" | where ProcessCommandLine has "Compress-Archive" | where ProcessCommandLine contains ".zip" | project DeviceId, InitiatingProcessId = ProcessId; // Then find the matching file events for .zip files created by those PowerShell processes DeviceFileEvents | where InitiatingProcessFileName == "powershell.exe" | where FileName endswith ".zip" | join kind=inner psCompress on DeviceId, InitiatingProcessId | distinct FileName | project ZipFileName = FileName |
| 186 | On Windows endpoints, find the registry enumeration activity that was used to locate password entries. What was the full command line executed? | T1552.002 | reg query HKLM /f password /t REG_SZ /s, reg query HKCU /f password /t REG_SZ /s | reg query HKLM /f password /t REG_SZ /s | Yes | // Lookup registry enumeration events for password-related entries let RegEnumEvents = DeviceRegistryEvents | where ActionType in ("RegEnumKey", "RegEnumValue", "RegQueryValue") // Filter on keys or values containing “password” or the SAM hive | where tolower(RegistryKey) contains "password" or tolower(RegistryValueName) contains "password" or RegistryKey startswith "HKEY_LOCAL_MACHINE\\SAM" | extend CommandLine = InitiatingProcessCommandLine | project TimeGenerated, DeviceName, InitiatingProcessFileName, CommandLine, ActionType, RegistryKey, RegistryValueName; // Lookup use of ‘reg.exe’ to query password entries via command line let RegExeEvents = DeviceProcessEvents | where FileName == "reg.exe" | where tolower(ProcessCommandLine) contains "query" and tolower(ProcessCommandLine) contains "password" | extend CommandLine = ProcessCommandLine | project TimeGenerated, DeviceName, InitiatingProcessFileName = FileName, CommandLine, ActionType = strcat("Process:", ActionType), RegistryKey = "(n/a)", RegistryValueName = "(n/a)"; // Union both sources and show latest union RegEnumEvents, RegExeEvents | sort by TimeGenerated desc |
| 187 | A Linux host may have undergone automated data collection and compression right before sensitive information is exfiltrated. Using process execution logs, determine which archive file name was created when the tar utility was run with gzip compression. | T1560.001 | data.tar.gz | data.tar.gz | Yes | DeviceProcessEvents | where FileName in ("tar", "gnutar") // look for gzip compression (-z) and file flag (-f), flags may be combined | where ProcessCommandLine matches regex @"\-[^\s]*z[^\s]*f" // extract the argument immediately following -f | extend Archive = extract(@"\-[^\s]*f\s+([^\s]+)", 1, ProcessCommandLine) | where isnotempty(Archive) // narrow to typical gzip archive extensions | where Archive endswith ".tar.gz" or Archive endswith ".tgz" | project TimeGenerated, DeviceName, AccountName = InitiatingProcessAccountName, ProcessCommandLine, Archive | sort by TimeGenerated desc |
| 188 | On Windows, review PowerShell process events to spot where a remote .ps1 was fetched and run to pull vault credentials. Determine the name of the script file that was downloaded. | T1555 | GetCredmanCreds.ps1 | GetCredmanCreds.ps1 | Yes | DeviceProcessEvents | where FileName in ("powershell.exe", "pwsh.exe") | where ProcessCommandLine matches regex @"https?://\S+?\.ps1" | extend ScriptUrl = extract(@"https?://\S+?\.ps1", 0, ProcessCommandLine) | extend ScriptName = extract(@"([^/]+\.ps1)$", 1, ScriptUrl) | project TimeGenerated, DeviceName, InitiatingProcessAccountName, ScriptUrl, ScriptName, ProcessCommandLine | sort by TimeGenerated desc |
| 189 | An attacker leveraged a PowerShell command on a Windows host to enumerate browser bookmark files across all user profiles. Examine the process execution logs to determine the exact filename that was being searched for. | T1217 | Bookmarks | N/A | No | |
| 190 | On a Windows system, security logs show a PowerShell process downloaded and executed a WinPwn script. Which function name was invoked to perform the search for credentials or other sensitive data? | T1552.001 | powershellsensitive | N/A | No | |
| 191 | A Windows host shows registry modifications in its boot configuration store enabling test signing mode. Investigate which process made this change and identify the exact command it ran to turn on test signing. | T1553.006 | bcdedit /set testsigning on | N/A | No | |
| 192 | On a Linux system you suspect someone altered Bash’s history settings to hide their activity. Investigate process logs for evidence of HISTCONTROL being set to ignore entries. What was the full command executed to configure HISTCONTROL? | T1562.003 | export HISTCONTROL="ignoreboth" | bash -c 'TEST=$(echo $HISTCONTROL); if [ "$HISTCONTROL" != "ignoreboth" ]; then export HISTCONTROL="ignoreboth"; fi; history -c ; ls -la $HISTFILE # " ls -la $HISTFILE"; if [ $(history |wc -l) -eq 1 ]; then echo "ls -la is not in history cache"; fi; if [ "$HISTCONTROL" != "erasedups" ]; then export HISTCONTROL="erasedups"; fi; history -c ; ls -la $HISTFILE; ls -la $HISTFILE; ls -la $HISTFILE; if [ $(history |wc -l) -eq 2 ]; then echo "Their is only one entry for ls -la $HISTFILE"; fi' | Yes | DeviceProcessEvents | where FileName endswith "bash" | where ProcessCommandLine contains "HISTCONTROL=" | sort by TimeGenerated desc | project TimeGenerated, DeviceName, AccountName = InitiatingProcessAccountName, ProcessCommandLine |
| 193 | Windows system logs show PowerShell zipping up the contents of a user’s profile folder. Investigate process and file events to determine the exact name of the ZIP archive created. | T1560 | T1560-data-ps.zip | T1560-data-ps.zip | Yes | let CompressEvents = DeviceProcessEvents // Identify PowerShell compress-archive commands | where FileName == "powershell.exe" | where ProcessCommandLine has "Compress-Archive" | project DeviceId, DeviceName, CompressProcessId = ProcessId, CompressTime = TimeGenerated, User = AccountName, CommandLine = ProcessCommandLine; let ZipFileCreations = DeviceFileEvents // Capture created ZIP files | where ActionType in ("Created", "FileCreated") | where FileName endswith ".zip" | project DeviceId, ZipCreationTime = TimeGenerated, InitiatingProcessId, ZipFileName = FileName, ZipFullPath = strcat(FolderPath, "\\", FileName); // Correlate the compress command with the ZIP file creation CompressEvents | join kind=inner ZipFileCreations on $left.DeviceId == $right.DeviceId and $left.CompressProcessId == $right.InitiatingProcessId | project ZipCreationTime, DeviceId, DeviceName, User, ZipFileName, ZipFullPath, CommandLine | sort by ZipCreationTime desc |
| 194 | Within Linux process execution records, locate any bash commands where the HISTFILESIZE environment variable was exported. What value was assigned to HISTFILESIZE? | T1562.003 | 0 | 0 | Yes | DeviceProcessEvents | where FileName == "bash" | where ProcessCommandLine contains "HISTFILESIZE" | extend HistFileSize = extract(@"HISTFILESIZE\s*=\s*([^;\s]+)", 1, ProcessCommandLine) | where isnotempty(HistFileSize) | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, HistFileSize |
| 195 | On a Windows endpoint, you find PowerShell reaching out to a remote URL and then running a module command. What was the LaZagne module name that was executed? | T1555 | lazagnemodule | N/A | No | |
| 196 | On a Windows host, an external PowerShell script is fetched and run to harvest local Wi-Fi credentials. Investigate the process execution logs to find out what script file name was downloaded and invoked. | T1555 | WinPwn.ps1 | N/A | No | |
| 197 | Investigating a Windows device, you suspect a non-standard executable was launched to set up a named pipe for client-server messaging. Determine the name of the executable that was run. | T1559 | namedpipes_executor.exe | N/A | No | |
| 198 | On Windows devices, hunt for PowerShell activity where a remote script is fetched and executed to perform LLMNR/NBNS spoofing. Which cmdlet kicked off the listener? | T1557.001 | Invoke-Inveigh | Invoke-Inveigh | Yes | DeviceProcessEvents // Time range is applied externally by the hunting dashboard or query tool | where FileName in ("powershell.exe", "pwsh.exe") // Identify remote fetch and execution patterns | where ProcessCommandLine has_any ("Invoke-WebRequest", "iwr", "DownloadString", "New-Object Net.WebClient", "Invoke-Expression", "iex") // Narrow to LLMNR/NBNS spoofing indicators | where ProcessCommandLine matches regex @"(?i)\b(?:llmnr|nbns|spoof)\b" // Extract the spoofing-related cmdlet (e.g., Invoke-LlmnrSpoofing, Start-NbnsSpoofing) | extend SpoofingCmdlet = extract(@"(?i)\b((?:Invoke|Start)-[A-Za-z0-9]+)\b", 1, ProcessCommandLine) | where isnotempty(SpoofingCmdlet) // Summarize which cmdlet kicked off the listener | summarize Occurrences = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), ExampleCommand = any(ProcessCommandLine) by SpoofingCmdlet | order by Occurrences desc |
| 199 | Review Linux process logs for evidence of bash history manipulation. Which command was executed to clear the in-memory bash history cache? | T1562.003 | history -c | history -c | Yes | let LinuxDeviceIds = DeviceInfo | where OSPlatform == "Linux" | distinct DeviceId; DeviceProcessEvents | where DeviceId in (LinuxDeviceIds) | where FileName == "bash" and ProcessCommandLine has "history -c" | project TimeGenerated, DeviceName, AccountName = InitiatingProcessAccountName, ProcessCommandLine | sort by TimeGenerated desc |
| 200 | A Windows system’s process logs show a PowerShell execution that altered firewall settings. Which cmdlet was used to add this new rule? | T1562.004 | New-NetFirewallRule | New-NetFirewallRule | Yes | DeviceProcessEvents | where FileName in~ ("powershell.exe", "pwsh.exe") | where ProcessCommandLine matches regex @"(?i)(New|Add)-NetFirewallRule" | extend UsedCmdlet = extract(@"(?i)(New|Add)-NetFirewallRule", 0, ProcessCommandLine) | summarize Count = count(), Examples = make_set(ProcessCommandLine, 5) by UsedCmdlet | project UsedCmdlet, Count, Examples |
| 201 | On a Linux system where an attacker may disable iptables by saving the current rules and then flushing them, examine process execution logs to identify the specific filename that received the rules backup. What file name was used? | T1562.004 | iptables.rules | /tmp/iptables.rules; | Yes | DeviceProcessEvents | where ProcessCommandLine contains "iptables-save" | extend BackupFile = extract(@">\s*(\S+)", 1, ProcessCommandLine) | where isnotempty(BackupFile) | summarize FirstSeen = min(TimeGenerated) by BackupFile, DeviceName, InitiatingProcessAccountName | order by FirstSeen desc |
| 202 | A security investigator suspects that someone attempted to dump stored web credentials on a Windows system using an in-built command-line tool. Review process creation logs to determine which executable was called to list the Web Credentials vault. | T1555 | vaultcmd.exe | N/A | No | |
| 203 | An attacker on a Linux host has attempted to turn off command history by modifying an environment variable. Using process execution logs, determine the exact shell command used to set HISTSIZE to zero. | T1562.003 | export HISTSIZE=0 | export HISTSIZE=0 | Yes | DeviceProcessEvents // Filter for HISTSIZE assignments of zero, optionally preceded by 'export' | where ProcessCommandLine matches regex @"\b(?:export\s+)?HISTSIZE\s*=\s*0\b" // Restrict to Linux devices | join kind=inner ( DeviceInfo | where OSPlatform == "Linux" | distinct DeviceId ) on DeviceId // Select and rename fields of interest | project Timestamp = TimeGenerated, DeviceName, AccountName, ProcessCommandLine, ProcessId // Sort chronologically | sort by Timestamp asc |
| 204 | On a Windows device, a firewall rule was created to allow inbound TCP traffic for a proxy. Identify the full command that was executed to open the port. | T1562.004 | netsh advfirewall firewall add rule name="atomic testing" action=allow dir=in protocol=TCP localport=450 | cmd.exe /c netsh advfirewall firewall add rule name="atomic testing" action=allow dir=in protocol=TCP localport=450 | Yes | DeviceProcessEvents | where ( tolower(ProcessCommandLine) contains "netsh advfirewall firewall add rule" and tolower(ProcessCommandLine) contains "dir=in" and tolower(ProcessCommandLine) contains "protocol=tcp" ) or ( tolower(ProcessCommandLine) contains "new-netfirewallrule" and tolower(ProcessCommandLine) contains "direction inbound" and tolower(ProcessCommandLine) contains "protocol tcp" ) | project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine | sort by TimeGenerated desc |
| 205 | On a Windows device, a new inbound firewall rule was created unexpectedly. Review process execution records to identify the command-line utility responsible for adding the rule. | T1562.004 | netsh | netsh | Yes | DeviceProcessEvents | where ProcessCommandLine matches regex @"(?i)(?:netsh\s+advfirewall\s+firewall\s+add\s+rule|New-NetFirewallRule)" | project TimeGenerated, DeviceName, AccountName, ProcessId, FileName, ProcessCommandLine, InitiatingProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine | order by TimeGenerated desc |
| 206 | Review Linux process execution logs to find where the system journal service was stopped. Which utility was invoked to disable journal logging? | T1562 | systemctl | systemctl | Yes | // Find instances where the system journal (journald) was stopped or disabled on Linux hosts // Time filtering is controlled by the query time picker (start/end) let linuxDevices = DeviceInfo | where OSPlatform == "Linux" | distinct DeviceId; DeviceProcessEvents | where TimeGenerated between (startofday(ago(30d)) .. now()) // replace or remove if using time picker | where DeviceId in (linuxDevices) | where ActionType == "ProcessCreated" // Look for systemctl stop/disable commands targeting systemd-journald | where ProcessCommandLine matches regex @"systemctl\s+(stop|disable)\s+systemd-journald(\.service)?" | project TimeGenerated, DeviceName, User = InitiatingProcessAccountName, CommandLine = ProcessCommandLine |
| 207 | On a Linux host, auditing has been turned off. Review process execution or syslog data to determine which command was executed to disable the audit subsystem. | T1562.012 | auditctl -e 0 | auditctl -e 0 | Yes | let linuxDevices = DeviceInfo | where OSPlatform == "Linux" | distinct DeviceId; DeviceProcessEvents | where TimeGenerated between (startofday(ago(7d))..now()) // adjust time range as needed | where DeviceId in (linuxDevices) | where (FileName == "auditctl" and ProcessCommandLine has "-e 0") or (FileName == "systemctl" and ProcessCommandLine has "auditd" and (ProcessCommandLine has "stop" or ProcessCommandLine has "disable")) or ProcessCommandLine has "service auditd stop" or ProcessCommandLine has "auditoff" or ProcessCommandLine has "chkconfig auditd off" | project TimeGenerated, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine | sort by TimeGenerated desc |
| 208 | Review Windows registry event logs for the ProcessCreationIncludeCmdLine_Enabled value being set to 0. Which PowerShell cmdlet performed this change? | T1562.003 | New-ItemProperty | New-ItemProperty | Yes | DeviceRegistryEvents | where RegistryValueName == "ProcessCreationIncludeCmdLine_Enabled" | where RegistryValueData == "0" // include any PowerShell host in the command line | where tolower(InitiatingProcessCommandLine) contains "powershell" // extract the cmdlet name from the command line | extend Cmdlet = extract(@"(?i)\b(Set-ItemProperty|New-ItemProperty|Remove-ItemProperty|Set-Item|Clear-ItemProperty)\b", 1, InitiatingProcessCommandLine) | where isnotempty(Cmdlet) | project TimeGenerated, DeviceName, InitiatingProcessAccountName, Cmdlet, InitiatingProcessCommandLine, RegistryKey, RegistryValueData |
| 209 | A Linux system’s audit framework appears to have been reset unexpectedly. Search your process execution records to identify which exact invocation removed all auditd rules. What full command was executed? | T1562.012 | auditctl -D | N/A | No | |
| 210 | During investigation of a Linux device, you see evidence of a process that reports system locale details. Identify the tool used. | T1614.001 | localectl | locale | No | DeviceProcessEvents | where ProcessCommandLine has "locale" | join kind=inner ( DeviceInfo | where OSPlatform has "Linux" | project DeviceId ) on DeviceId | project TimeGenerated, DeviceName, FileName, ProcessId, ProcessCommandLine |
| 211 | A .NET tracing environment variable was turned off in a user’s registry on a Windows system. Which built-in command-line tool was used to make this registry change? | T1562.006 | reg.exe | N/A | No | |
| 212 | Investigate Windows registry modification events to find the name of the registry value that was changed under the WindowsFirewall policy path when someone turned the firewall off. | T1562.004 | EnableFirewall | N/A | No | |
| 213 | Investigate Linux process execution logs for any use of iptables that removes a rule blocking outbound FTP traffic. What full command was issued to delete this rule? | T1562.004 | iptables -D OUTPUT -p tcp --dport 21 -j DROP | N/A | No | |
| 214 | During a Linux engagement, an operator exported HISTSIZE=0 to turn off shell history and then ran another utility. Using the DeviceProcessEvents table, identify the exact command executed immediately after the history was disabled. What was the command? | T1562.003 | whoami | N/A | No | |
| 215 | Investigate Linux process creation logs for shell commands that list environment variables and filter for locale settings. Which environment variable key was being queried? | T1614.001 | LANG | LANG, LC_ALL | Yes | DeviceProcessEvents | where FileName in ("env", "printenv", "set") // Time range will be applied externally | where ProcessCommandLine has "LANG" or ProcessCommandLine has "LC_" | extend QueriedVar = extract(@"(LANG[A-Z0-9_]*|LC_[A-Z0-9_]+)", 1, ProcessCommandLine) | where isnotempty(QueriedVar) | summarize Count = count() by QueriedVar | sort by Count desc |
| 216 | On Windows systems, identify any user account that was hidden by setting its value to 0 under the SpecialAccounts\\UserList registry key. What was the name of the hidden account? | T1564.002 | AtomicOperator$ | N/A | No | |
| 217 | Windows process creation logs show a cmd.exe launch that retrieved the system’s locale code page. Which exact command was executed to discover the system language? | T1614.001 | chcp | chcp | Yes | DeviceProcessEvents | where FileName == "cmd.exe" | where ProcessCommandLine has "chcp" | project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine | sort by TimeGenerated desc |
| 218 | Review process creation logs for an instance where a built-in Windows utility was used to enumerate installed device drivers with verbose list output. What is the name of that tool? | T1652 | driverquery | driverquery | Yes | DeviceProcessEvents // Filter within external time range | where FileName == "driverquery.exe" or ProcessCommandLine has "driverquery" // Look for verbose output switches | where ProcessCommandLine has_any ("/v", "-v", "/verbose") // Show relevant details | project TimeGenerated, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine, ProcessId | sort by TimeGenerated desc |
| 219 | On Windows, following a phantom DLL hijack of the Print Spooler service, determine which system file was first copied from its original location before being renamed for persistence. | T1574.001 | amsi.dll | N/A | No | |
| 220 | On the Windows device, a security check was run to detect debugger processes via PowerShell. Which tool (process) carried out this check? | T1622 | powershell | powershell.exe | Yes | // 1) Find PowerShell instances invoking debugger checks let psDebugChecks = DeviceProcessEvents | where FileName == "powershell.exe" // look for debugger‐related keywords in the PS command line | where ProcessCommandLine has_any ("Debugger", "-Debug", "Test-ProcessDebugger") | project TimeGenerated, DeviceName, PsProcessId = ProcessId, ParentProcessId = InitiatingProcessParentId, PsCommandLine = ProcessCommandLine; // 2) Lookup parent process details let parentInfo = DeviceProcessEvents | project ParentProcessId = ProcessId, ParentFileName = FileName, ParentCommandLine = ProcessCommandLine; // 3) Join and summarize unique parent tools psDebugChecks | join kind=leftouter parentInfo on ParentProcessId | project TimeGenerated, DeviceName, ParentFileName, ParentCommandLine, PsCommandLine | distinct ParentFileName, ParentCommandLine | order by ParentFileName |
| 221 | A Linux host was probed by reading its locale configuration file to discover the system language. Identify which tool was invoked to perform that read operation. | T1614.001 | cat | N/A | No | |
| 222 | In a Windows environment, locate any occurrences where an elevated DISM utility was run to enumerate the system’s international (locale) settings. What was the exact command line used? | T1614.001 | dism.exe /online /Get-Intl | N/A | No | |
| 223 | Using Linux process or syslog logs, identify the executable that was run to output the system's locale information. | T1614.001 | locale | N/A | No | |
| 224 | On a Windows system, identify any PowerShell Test-NetConnection executions against an uncommon port. Which port number was checked? | T1571 | 8081 | 8081 | Yes | DeviceProcessEvents | where FileName has_cs "powershell.exe" or FileName has_cs "pwsh.exe" | where tolower(ProcessCommandLine) has "test-netconnection" or tolower(ProcessCommandLine) has "tnc " | extend cmdLower = tolower(ProcessCommandLine) | extend Port = toint(coalesce( extract(@"-port(?:=|:|\s+)(\d+)", 1, cmdLower), extract(@"-p(?:=|:|\s+)(\d+)", 1, cmdLower) )) | where Port > 0 // exclude common ports | where Port !in (80, 443, 3389, 22, 21, 23, 25, 110, 143, 53, 445) | summarize Count = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Port | order by Count desc | project Port, Count, FirstSeen, LastSeen |
| 225 | On a Windows device, an attacker ran a PowerShell script to collect system settings including UI language and locale. Identify which cmdlet in the command line was used to obtain the system locale. | T1614.001 | Get-WinSystemLocale | N/A | No |