All Benchmark Questions

Browse all natural language questions used in the KQL Benchmark. Click any question to see model answers and correctness.

188 Questions

Comprehensive test scenarios from real attack simulations

Searchable Interface

Find specific questions quickly with our search functionality

Real-World Scenarios

Based on actual cybersecurity threats and analyst queries

1
Question 1

On a Windows host, an attacker leveraged COMSVCS.DLL via rundll32.exe to dump the memory of svchost.exe into a file under the Temp directory. Review the file creation logs to determine the exact name of the dump file that was generated.

Correct Answer
svchost-exe.dmp
Solved by11models
Click to view model answers
2
Question 2

On a Linux system, review process creation logs to spot any dd commands reading from /proc/*/mem. What was the name of the file where the dumped memory was written?

Correct Answer
T1003.007.bin
Solved by14models
Click to view model answers
3
Question 3

On Windows devices, identify the full command used when the built-in credential manager utility was invoked to list stored credentials. What was the exact command?

Correct Answer
cmdkey /list
Solved by15models
Click to view model answers
4
Question 4

Using Windows process event logs, investigate PowerShell activity around lsass.exe memory capture. What was the name of the script file invoked to perform the dump?

Correct Answer
Out-Minidump.ps1
Solved by6models
Click to view model answers
5
Question 5

An analyst notices a PowerShell process on a Windows host that appears to be checking SMB connectivity. Which PowerShell cmdlet was executed to perform this outbound port 445 test?

Correct Answer
Test-NetConnection
Solved by6models
Click to view model answers
6
Question 6

On a Windows host, someone appears to have run a built-in network shell utility to list saved wireless network profiles and their passwords in clear text. Review the process creation logs to discover the exact command that was executed.

Correct Answer
netsh wlan show profile * key=...
Solved by14models
Click to view model answers
7
Question 7

A Linux host’s Syslog shows a shell-based network discovery script ran multiple commands. One of them listed current TCP connections. Which utility was invoked?

Correct Answer
netstat
Solved by7models
Click to view model answers
8
Question 8

A Windows host executed an ICMP-based network reconnaissance using a looping instruction in cmd.exe. Identify the exact command line that was used to perform the ping sweep.

Correct Answer
for /l %i in (1,1,254) do ping...
Solved by13models
Click to view model answers
9
Question 9

In a Linux environment, an elevated process was used to execute a command that read /etc/shadow and redirected its output to a file. Identify what file name was employed to store these results.

Correct Answer
T1003.008.txt
Solved by4models
Click to view model answers
10
Question 10

On a Windows endpoint, review process creation logs to uncover when a built-in utility was used to reveal ARP entries. What exact command was used to list the ARP cache?

Correct Answer
arp -a
Solved by13models
Click to view model answers
11
Question 11

Identify the PowerShell cmdlet used on Windows to format and display the raw volume bytes after an attacker read the boot sector via a DOS device path.

Correct Answer
Format-Hex
Solved by6models
Click to view model answers
12
Question 12

An analyst suspects a user or script ran a service enumeration command on a Linux system. Review process events to find the service-listing invocation and specify the full command that was executed.

Correct Answer
systemctl --type=service
Solved by3models
Click to view model answers
13
Question 13

On a Linux host, a ping command was executed to test internet connectivity. Determine which IP address was used as the ping target.

Correct Answer
8.8.8.8
Solved by10models
Click to view model answers
14
Question 14

On a Windows endpoint, look for evidence of a base64-encoded PowerShell payload execution. Which executable launched the encoded command?

Correct Answer
powershell.exe
Solved by11models
Click to view model answers
15
Question 15

A Windows host shows a process launch with an extremely obfuscated command line that dynamically builds and invokes code at runtime. Which process name was used to execute this payload?

Correct Answer
powershell
Solved by10models
Click to view model answers
16
Question 16

On Windows hosts, look through recent PowerShell execution records to find any elevated session where remote management was turned on. What exact command was run to enable PSRemoting?

Correct Answer
Enable-PSRemoting -Force
Solved by3models
Click to view model answers
17
Question 17

In a Linux environment, you observe a process labeled like the cron daemon but running from an unexpected path. Investigate creation events to uncover the actual filename used by this fake cron process.

Correct Answer
crond
Solved by7models
Click to view model answers
18
Question 18

On a Linux system, spotting a file‐size change by exactly one byte can indicate hash tampering via padding. Review process execution logs for invocations that increased a file’s size by one byte. Which utility was invoked to perform this padding?

Correct Answer
truncate
Solved by0models
Click to view model answers
19
Question 19

A process is running under a familiar Windows host name but originates from a user's AppData folder rather than the System32 directory. Identify the filename used to masquerade the PowerShell binary on this Windows device.

Correct Answer
taskhostw.exe
Solved by6models
Click to view model answers
20
Question 20

Analyze Windows process events for any schtasks.exe commands that created a new task invoking PowerShell. What is the name of the .ps1 script specified to run?

Correct Answer
T1036.004_NonExistingScript.ps...
Solved by9models
Click to view model answers
21
Question 21

On a Windows system, someone ran PowerShell to copy a file from a remote machine’s C$ share to the local TEMP folder. Using process event logs, what full PowerShell command was executed to perform this action?

Correct Answer
copy-item -Path "\\127.0.0.1\C...
Solved by10models
Click to view model answers
22
Question 22

Windows process creation logs show a PowerShell-driven file transfer to an FTP service. Which executable was leveraged to perform this exfiltration?

Correct Answer
rclone.exe
Solved by12models
Click to view model answers
23
Question 23

Review Linux process execution records for any commands that list TCP metric cache entries and filter out loopback interfaces. Which utility was used?

Correct Answer
ip
Solved by6models
Click to view model answers
24
Question 24

A user launched a Windows command prompt and executed a built-in utility to enumerate all active network connections. Using process creation logs, identify the exact tool that produced the list of current connections.

Correct Answer
netstat
Solved by14models
Click to view model answers
25
Question 25

Linux hosts may log events when new files are added to /var/spool/cron/crontabs. Query those logs for a creation or write action in that directory and determine the file name that was added.

Correct Answer
persistevil
Solved by13models
Click to view model answers
26
Question 26

In a Windows log analytics workspace, search for PowerShell processes that were used to enumerate network connections. Determine which PowerShell cmdlet was executed to list active TCP connections.

Correct Answer
Get-NetTCPConnection
Solved by14models
Click to view model answers
27
Question 27

A reconnaissance tool was executed on a Windows system. Identify the specific function of the tool that was executed. The function has a name from something you can eat

Correct Answer
fruit
Solved by1model
Click to view model answers
28
Question 28

On a Linux system, identify the script that was generated by decoding a base64 data file and then executed. What was the filename of that script?

Correct Answer
art.sh
Solved by3models
Click to view model answers
29
Question 29

You suspect malicious persistence via scheduled tasks on a Windows endpoint. Review the process execution logs to identify the built-in utility used to register tasks at logon or startup. What is the name of this utility?

Correct Answer
schtasks
Solved by14models
Click to view model answers
30
Question 30

A Windows host shows a core command-line utility being duplicated from its System32 location to a user-profile folder and subsequently run. Identify the name of the executable that was copied.

Correct Answer
cmd.exe
Solved by0models
Click to view model answers
31
Question 31

A Linux host briefly hosted an HTTP service under /tmp. Examine process creation logs to determine the exact python3 command that was used to start the server on port 9090.

Correct Answer
python3 -m http.server 9090
Solved by10models
Click to view model answers
32
Question 32

On a Windows device, review the process execution logs to find instances where a built-in listing tool was piped into a string filter. Identify the process name that the attacker was searching for.

Correct Answer
lsass
Solved by6models
Click to view model answers
33
Question 33

On Windows, review recent registry changes to detect when the MSC file association was hijacked by a reg add operation. What executable file was configured as the default command under HKCU\Software\Classes\mscfile\shell\open\command?

Correct Answer
calc.exe
Solved by1model
Click to view model answers
34
Question 34

On a Windows host, investigate process events to find when Task Manager was launched via cmd with an unusual flag. What was the full command executed?

Correct Answer
taskmgr.exe /7
Solved by8models
Click to view model answers
35
Question 35

A threat actor on a Windows system crafted and registered a service named almost identically to the standard time service, but redirecting execution to a custom script. Review the logging data to determine which native command-line tool was used to perform this action. What utility was invoked?

Correct Answer
sc
Solved by7models
Click to view model answers
36
Question 36

Review the process creation logs on a Windows host to uncover any tool execution indicative of a special APC injection for shellcode execution. What was the name of the executable used?

Correct Answer
NtQueueApcThreadEx.exe
Solved by0models
Click to view model answers
37
Question 37

A malicious actor may attempt to list running processes on a Windows machine using a WMI-based command. Review the process creation events to find out which utility was invoked to perform this enumeration.

Correct Answer
wmic.exe
Solved by7models
Click to view model answers
38
Question 38

On a Windows device, PowerShell was used to collect a snapshot of running processes. Identify the exact cmdlet that was executed.

Correct Answer
Get-Process
Solved by12models
Click to view model answers
39
Question 39

On a Windows endpoint you observe a PowerShell process that fetches a script from the internet and immediately executes an RPC service scan against the spooler. Which function name was invoked to perform that scan?

Correct Answer
spoolvulnscan
Solved by0models
Click to view model answers
40
Question 40

Which full interactive shell command, as recorded in the Linux process logs, repeatedly echoed a distinctive marker message to the terminal?

Correct Answer
for i in $(seq 1 5); do echo "...
Solved by2models
Click to view model answers
41
Question 41

While reviewing Windows process events, you spot a PowerShell process executing a WMI enumeration cmdlet. What WMI class name did the attacker query?

Correct Answer
Win32_Process
Solved by6models
Click to view model answers
42
Question 42

On a Windows host, find any scheduled task that was registered using PowerShell native cmdlets instead of schtasks.exe. What was the name given to the new task?

Correct Answer
AtomicTask
Solved by3models
Click to view model answers
43
Question 43

Examine the logs from the Linux system for events related to the systemd timer activation. Identify any records indicating that a new timer unit was started and enabled, and determine which timer name was used.

Correct Answer
art-timer.timer
Solved by4models
Click to view model answers
44
Question 44

An analyst suspects that a restricted shell escape was executed using a common Perl package manager on Linux. Review the process execution records to determine which tool was invoked to spawn the shell.

Correct Answer
cpan
Solved by5models
Click to view model answers
45
Question 45

On a Linux system, find any process creation record where awk is used with a BEGIN rule to launch a shell. What was the exact command invoked?

Correct Answer
awk 'BEGIN {system("/bin/sh &"...
Solved by12models
Click to view model answers
46
Question 46

On a Windows endpoint, wscript.exe was used to run a JScript. Identify the exact script path passed to wscript.

Correct Answer
PathToAtomicsFolder\T1059.007\...
Solved by10models
Click to view model answers
47
Question 47

Review recent Windows process event logs for PowerShell activity that suggests local group enumeration through WMI. What exact command was executed?

Correct Answer
Get-WMIObject Win32_Group
Solved by12models
Click to view model answers
48
Question 48

A Windows endpoint recorded a command-line activity through cmd.exe that lists all running processes. Determine which built-in tool was executed to perform this action.

Correct Answer
tasklist
Solved by13models
Click to view model answers
49
Question 49

On a Linux endpoint, process events reveal a chain of group‐enumeration utilities executed by a single session. Which utility was used to query the system’s group database?

Correct Answer
getent
Solved by8models
Click to view model answers
50
Question 50

On a Linux system, analyze the process logs for suspicious command line activity that includes a sequence of commands indicating a pipe-to-shell operation. Identify the tool that was used to execute this piped command, paying special attention to its use in downloading and running script content.

Correct Answer
bash
Solved by2models
Click to view model answers
51
Question 51

Investigate Windows process events for PowerShell activity that leverages WMI to register a scheduled task via XML import. What was the name of the XML file supplied to the RegisterByXml method?

Correct Answer
T1053_005_WMI.xml
Solved by3models
Click to view model answers
52
Question 52

An attacker on a Linux host may try to enumerate installed shells by reading the system file that lists valid shells. Using process or syslog data, determine which command was executed to perform this enumeration.

Correct Answer
cat /etc/shells
Solved by14models
Click to view model answers
53
Question 53

On a Linux system, you suspect someone erased their command history by linking the history file to /dev/null. Investigate process events and determine which utility was executed to achieve this.

Correct Answer
ln
Solved by12models
Click to view model answers
54
Question 54

On a Windows endpoint, review process execution logs to see if any PowerShell sessions were wiped clean. Which command was executed to clear the PowerShell history?

Correct Answer
Clear-History
Solved by14models
Click to view model answers
55
Question 55

On a Windows endpoint, commands are no longer being logged to PowerShell history, suggesting PSReadLine settings were altered. Using process execution logs, determine the exact command that was run to set the history save style to 'SaveNothing'.

Correct Answer
Set-PSReadlineOption -HistoryS...
Solved by14models
Click to view model answers
56
Question 56

On a Linux host, identify the process invocation that altered a user’s login shell. What was the full command used?

Correct Answer
chsh -s /bin/sh art
Solved by12models
Click to view model answers
57
Question 57

During a Linux investigation, you notice processes spawning curl and wget commands that pull a script from a remote GitHub raw URL and pipe it into bash. Identify the name of the script that was retrieved and executed.

Correct Answer
echo-art-fish.sh
Solved by4models
Click to view model answers
58
Question 58

On a Linux system, review process execution records for any shell process that set an environment variable containing executable code and then piped it into another shell instance. Determine which environment variable name was used to store the script content.

Correct Answer
ART
Solved by4models
Click to view model answers
59
Question 59

A Linux host executed a native utility to overwrite and then remove a temporary file in one step. Identify the name of the file that was securely deleted by this action.

Correct Answer
victim-shred.txt
Solved by7models
Click to view model answers
60
Question 60

On a Linux endpoint, you suspect malicious clearing of the bash history by redirecting from the null device. Explore process or file events to uncover the exact shell command that performed this action.

Correct Answer
cat /dev/null > ~/.bash_histor...
Solved by7models
Click to view model answers
61
Question 61

An alert has surfaced on a Linux host indicating a potentially malicious recursive delete operation. Investigate process events to find out which directory name was completely removed.

Correct Answer
victim-folder
Solved by0models
Click to view model answers
62
Question 62

While reviewing Windows process events, you observe a command that recursively deleted a folder under the temporary directory. Use the process event data to identify which process or tool executed this recursive delete.

Correct Answer
powershell
Solved by6models
Click to view model answers
63
Question 63

Suspiciously, the recycle bin appears empty system-wide. Determine which command was executed on Windows to clear the system's recycle bin directory, including any switches and environment variables.

Correct Answer
rd /s /q %systemdrive%\$RECYCL...
Solved by8models
Click to view model answers
64
Question 64

On a Windows system, an attacker used the command prompt to remove one or more default administrative shares. Which share names were deleted?

Correct Answers
C$IPC$ADMIN$
Solved by6models
Click to view model answers
65
Question 65

Investigate Windows process execution logs for a PowerShell cmdlet used to list group members. Look for entries where a group name is provided after a '-Name' flag and identify which group was queried.

Correct Answer
Administrators
Solved by8models
Click to view model answers
66
Question 66

On a Linux system, attackers may use timestamp manipulation to hide malicious changes. Investigate relevant logs to identify which file’s modification timestamp was altered by such a command.

Correct Answer
T1070.006-modification.txt
Solved by7models
Click to view model answers
67
Question 67

On a Windows device, there’s evidence that PowerShell history was wiped by deleting the history file. What was the exact command used to perform this action?

Correct Answer
Remove-Item (Get-PSReadlineOpt...
Solved by5models
Click to view model answers
68
Question 68

A suspicious actor appears to have removed the USN change journal on a Windows workstation. Investigate process start records to find out exactly which command was used to delete the journal. What was the full command line invoked?

Correct Answer
fsutil usn deletejournal /D C:...
Solved by13models
Click to view model answers
69
Question 69

Using Linux process execution logs, identify the specific command that was used to filter loaded kernel modules for entries containing “vmw.” What was that full command?

Correct Answer
grep vmw /proc/modules
Solved by9models
Click to view model answers
70
Question 70

On a Linux device, a file was silently removed from the /tmp/victim-files directory. Search through file event or syslog records to identify the exact file name that was deleted.

Correct Answer
T1070.004-test.txt
Solved by2models
Click to view model answers
71
Question 71

A Linux system shows a process in the execution logs that fetched the machine’s name. Review the DeviceProcessEvents table to find out which utility was called to perform this hostname lookup.

Correct Answer
hostname
Solved by12models
Click to view model answers
72
Question 72

On a Windows host, suspicious PowerShell activity adjusted the system clock and recorded a value. What numeric value was used to slip the system date?

Correct Answer
3
Solved by10models
Click to view model answers
73
Question 73

On Windows systems, identify when the built-in Shadow Copy utility is used to enumerate existing snapshots. What was the full command executed?

Correct Answer
vssadmin.exe list shadows
Solved by12models
Click to view model answers
74
Question 74

While investigating process creation logs on a Linux device, you observe a privileged hardware interrogation step used to reveal virtualization details. Which utility was invoked?

Correct Answer
dmidecode
Solved by14models
Click to view model answers
75
Question 75

Review the Linux process creation records to find which user account management utility was used to reactivate the previously locked and expired account.

Correct Answer
usermod
Solved by11models
Click to view model answers
76
Question 76

Review Windows process logs to find which built-in command was executed to reveal the system’s hostname.

Correct Answer
hostname
Solved by12models
Click to view model answers
77
Question 77

Review registry event logs on the Windows host for PowerShell-driven writes to system policy and file system keys. Which registry value names were created during this BlackByte preparation simulation?

Correct Answers
LocalAccountTokenFilterPolicyEnableLinkedConnectionsLongPathsEnabled
Solved by2models
Click to view model answers
78
Question 78

A user‐space process on a Linux device invoked a shell to capture and display the system’s environment variables and path. Which exact command was used to perform this discovery?

Correct Answer
env
Solved by10models
Click to view model answers
79
Question 79

A Windows system shows a cmd.exe process spawn that appears to have been used for environment discovery. Review the process creation records to identify the exact command the adversary ran to enumerate environment variables.

Correct Answer
set
Solved by12models
Click to view model answers
80
Question 80

On a Linux endpoint, a command was executed to start a proxy service commonly used for onion routing. Identify the name of the service that was launched to enable this proxy functionality.

Correct Answer
tor
Solved by10models
Click to view model answers
81
Question 81

On a Linux host, review account management activity in Syslog or process event logs to pinpoint which command was executed to create a new local user. What was the name of the tool invoked?

Correct Answer
useradd
Solved by12models
Click to view model answers
82
Question 82

Windows: Investigate PowerShell process events for instances where a web client fetched and executed an external host-survey tool. What was the name of the script file that was downloaded and run?

Correct Answer
Invoke-Seatbelt.ps1
Solved by3models
Click to view model answers
83
Question 83

On a Windows host, registry events reveal that PowerShell modified a value under the WDigest provider. Identify the exact command line that performed this registry change.

Correct Answers
Set-ItemProperty -Force -Path ...Set-ItemProperty -Force -Path ...
Solved by12models
Click to view model answers
84
Question 84

A Linux host was used to collect various system release files and kernel details, writing them into a single file under /tmp. What was the name of that output file?

Correct Answer
T1082.txt
Solved by4models
Click to view model answers
85
Question 85

A Windows host logs a change to the Terminal Server registry key disabling single-session per user. Which command-line utility executed this registry modification?

Correct Answer
reg
Solved by9models
Click to view model answers
86
Question 86

Evidence shows that the Windows Defender startup entry was tampered with via an elevated command prompt. Investigate registry events related to the Run key to discover which executable replaced the default SecurityHealth value. What is the name of the new program?

Correct Answer
calc.exe
Solved by7models
Click to view model answers
87
Question 87

On a Windows device, examine registry event logs for modifications under the System policies path. Determine which registry value name was altered to disable the shutdown button at login.

Correct Answer
shutdownwithoutlogon
Solved by6models
Click to view model answers
88
Question 88

Analyze the system logs for changes that indicate the addition of a port proxy configuration via registry key alteration. Identify which port number was set to listen.

Correct Answer
1337
Solved by1model
Click to view model answers
89
Question 89

An attacker on Linux used bash to copy all files from /var/spool/mail into a newly created subdirectory before modifying them. What is the name of that subdirectory?

Correct Answer
copy
Solved by2models
Click to view model answers
90
Question 90

A Windows user’s registry was altered via a command-line tool to disable the lock workstation feature by adding a DWORD entry under the current user Policies\System key. Which registry value name was modified in this operation?

Correct Answer
DisableLockWorkstation
Solved by4models
Click to view model answers
91
Question 91

Investigate Windows registry events to identify any newly set ProxyServer entry under the user Internet Settings hive. What proxy server address was configured?

Correct Answer
proxy.atomic-test.com:8080
Solved by10models
Click to view model answers
92
Question 92

Review Windows process execution logs for any PowerShell activity that retrieves the system clock. Which command was executed?

Correct Answer
Get-Date
Solved by13models
Click to view model answers
93
Question 93

In Windows process event logs, you notice both the net time and w32tm commands being executed to display the system time and timezone. Which executor name from the test configuration was responsible for launching these utilities?

Correct Answer
cmd.exe
Solved by4models
Click to view model answers
94
Question 94

Review Windows process execution logs to find any native utility that was used to enumerate connected drives. Which utility was invoked?

Correct Answer
fsutil
Solved by3models
Click to view model answers
95
Question 95

On Windows systems, disabling RDP via the registry generates registry write events. Investigate registry event logs for modifications under the Terminal Server configuration path. What is the name of the registry value that was changed to disable Remote Desktop Protocol?

Correct Answer
fDenyTSConnections
Solved by6models
Click to view model answers
96
Question 96

On a Windows endpoint, review the registry write events to spot when the WDigest key is altered to permit plaintext credential storage. What registry value name was changed?

Correct Answer
UseLogonCredential
Solved by12models
Click to view model answers
97
Question 97

An analyst reviewing Windows process logs wants to spot instances where a native time tool was repurposed to introduce a delay. Which full W32tm invocation, including the stripchart and period flags, appears in the logs?

Correct Answer
W32tm /stripchart /computer:lo...
Solved by13models
Click to view model answers
98
Question 98

On Windows, identify the registry value name that was created or modified to override the RDP authentication level under the current user’s Terminal Server Client settings.

Correct Answer
AuthenticationLevelOverride
Solved by0models
Click to view model answers
99
Question 99

On a Windows host, registry events indicate that the Internet Zone Protocol Defaults under the current user were modified via PowerShell. Investigate which protocol value names were set to 0.

Correct Answers
httphttps
Solved by0models
Click to view model answers
100
Question 100

A suspicious BITS transfer was orchestrated via bitsadmin.exe on Windows, creating a job to download and then execute a payload. Investigate the process event logs to determine what custom job name was specified when the BITS job was created.

Correct Answer
AtomicBITS
Solved by7models
Click to view model answers
101
Question 101

On a Linux host, an activity was recorded where the local clock and timezone were queried. Review the available process execution logs to uncover what full command was run to fetch the system time and timezone.

Correct Answer
date
Solved by9models
Click to view model answers
102
Question 102

Windows systems may be probed for their password policy settings using a native command-line tool. Determine which command was executed to list the local password policy on the target hosts.

Correct Answer
net accounts
Solved by14models
Click to view model answers
103
Question 103

A Windows host logs show PowerShell fetching and executing a remote script to gain SeDebugPrivilege token duplication. Which Empire module was invoked?

Correct Answer
Get-System
Solved by3models
Click to view model answers
104
Question 104

Review Windows process and PowerShell activity for commands that enumerate PnP entities through WMI. Which PowerShell cmdlet was invoked to perform this hardware inventory?

Correct Answer
Get-WMIObject
Solved by0models
Click to view model answers
105
Question 105

A Windows host recorded a process that simply executes the system’s native time utility. Without spelling out the query, determine which command was run based on process creation events.

Correct Answer
time
Solved by6models
Click to view model answers
106
Question 106

An attacker is suspected of using the Windows shell to enumerate a user’s Internet Explorer bookmarks via the Favorites folder. Identify the exact command they executed to perform this listing.

Correct Answer
dir /s /b %USERPROFILE%\Favori...
Solved by13models
Click to view model answers
107
Question 107

You are reviewing Linux syslog records on a CentOS/RHEL 7.x server. You notice entries for shell commands that access system configuration files under /etc/security. Determine exactly which configuration file was being inspected by the command.

Correct Answer
pwquality.conf
Solved by10models
Click to view model answers
108
Question 108

On Linux, review the process execution logs to uncover when Chromium’s bookmark JSON files were being located and the results persisted. Focus on shell commands that search under .config/chromium and write output to a file. What was the filename used to save the findings?

Correct Answer
T1217-Chrome.txt
Solved by10models
Click to view model answers
109
Question 109

Review Windows process creation events for evidence of a .NET assembly being installed. Which executable was launched with an "/action=install" argument?

Correct Answer
InstallUtil
Solved by14models
Click to view model answers
110
Question 110

On a Linux system, logs show that the password expiration settings file was accessed. Identify which command was executed to list its contents.

Correct Answer
cat /etc/login.defs
Solved by7models
Click to view model answers
111
Question 111

You notice rundll32.exe being used with desk.cpl,InstallScreenSaver on a Windows endpoint. Investigate your process creation logs to find which .scr file was loaded by this unusual invocation.

Correct Answer
not_an_scr.scr
Solved by9models
Click to view model answers
112
Question 112

On a Windows system, you notice a process that recursively enumerates files named 'Bookmarks' under every user profile directory. Which Windows command-line utility was used to perform that search?

Correct Answer
where
Solved by7models
Click to view model answers
113
Question 113

A Windows host shows chrome.exe starting with a --load-extension parameter. What folder name was specified in that flag?

Correct Answer
extension
Solved by1model
Click to view model answers
114
Question 114

On Windows, an elevated SecEdit.exe process was observed exporting the local security policy. Review the process execution records to identify the name of the text file where the policy was saved.

Correct Answer
output_mysecpol.txt
Solved by1model
Click to view model answers
115
Question 115

An attacker has attempted to sideload code by invoking regsvr32.exe in a Windows host against a file that does not use the standard .dll extension. Investigate the process event logs to determine the name of the file that was registered.

Correct Answer
shell32.jpg
Solved by10models
Click to view model answers
116
Question 116

An attacker leveraged a PowerShell command on a Windows host to enumerate browser bookmark files across all user profiles. Examine the process execution logs to determine the exact filename that was being searched for.

Correct Answer
Bookmarks
Solved by6models
Click to view model answers
117
Question 117

On a Linux host, process execution logs show a chmod invocation with a recursive flag. Which file or folder was targeted by this recursive permission change?

Correct Answer
T1222.002
Solved by14models
Click to view model answers
118
Question 118

While investigating a Windows endpoint where boot repair options have unexpectedly been turned off, search your logs for BCDEdit modifying recovery settings. What was the command executed to disable the recovery console?

Correct Answer
bcdedit.exe /set {default} rec...
Solved by0models
Click to view model answers
119
Question 119

On a Windows system, a non-standard image downloader was used to fetch a remote file by passing a URL to a lockscreen utility. Identify the executable responsible for launching that activity.

Correct Answer
desktopimgdownldr.exe
Solved by1model
Click to view model answers
120
Question 120

On a Linux host, a command was run to list all processes and filter for common security or monitoring agents. Review the process logs and identify which agent name was actually observed.

Correct Answer
auditbeat
Solved by0models
Click to view model answers
121
Question 121

A suspicious registry change was made on a Windows system modifying the Terminal Services DLL path. Investigate registry events to find out which DLL file name was set as the ServiceDll value under TermService. What was the file name?

Correct Answer
AtomicTest.dll
Solved by12models
Click to view model answers
122
Question 122

Investigate Windows file creation logs to uncover any new executable added directly to the System32 directory, which may indicate a UEFI persistence implant. What was the name of the file created?

Correct Answer
wpbbin.exe
Solved by8models
Click to view model answers
123
Question 123

On a Linux host, identify any processes that used ping with a large count value to introduce a delay before launching another process. What was the command executed immediately after the ping delay?

Correct Answer
whoami
Solved by5models
Click to view model answers
124
Question 124

On Linux, review file events for changes in the system-wide shell profile directory. Determine the name of the script file in /etc/profile.d that shows evidence of an unauthorized append.

Correct Answer
bash_completion.sh
Solved by4models
Click to view model answers
125
Question 125

An attacker obtained elevated rights on a Windows system and ran a deletion command that attempted to remove various backup file types across the C: drive, generating numerous “access denied” errors. What was the full command line used?

Correct Answer
del /s /f /q c:\*.VHD c:\*.bac...
Solved by3models
Click to view model answers
126
Question 126

Investigate registry modifications on Windows that reveal when cmd.exe persistence was configured via the CommandProcessor AutoRun key. What command was configured under the AutoRun value?

Correct Answer
notepad.exe
Solved by9models
Click to view model answers
127
Question 127

Suspicious PowerShell activity on a Windows machine shows an external script being fetched and executed, followed by a quiet SQL enumeration call. Using process event logs, identify the name of the tool executed immediately after the script retrieval.

Correct Answer
powerSQL
Solved by1model
Click to view model answers
128
Question 128

A suspicious file modification on a Linux device targeted the ~/.bash_profile file, apparently adding a new line. What was the full command string that was appended?

Correct Answer
echo "Hello from Atomic Red Te...
Solved by5models
Click to view model answers
129
Question 129

On Linux systems, an attacker may gain persistence by appending instructions to the global shell profile. Investigate process or file modification events to find evidence of text being added to /etc/profile, and identify the exact command invocation that carried out this change.

Correct Answer
echo '# Hello from Atomic Red ...
Solved by8models
Click to view model answers
130
Question 130

Within Windows process event logs, identify instances where the built-in net.exe utility is used to change a user account password. What was the new password argument passed in?

Correct Answer
HuHuHUHoHo283283@dJD
Solved by8models
Click to view model answers
131
Question 131

On a Windows system, a process has introduced a new shim database into the default apppatch directory. Investigate file creation logs to reveal the database filename that appeared under C:\Windows\apppatch\Custom.

Correct Answer
T1546.011CompatDatabase.sdb
Solved by12models
Click to view model answers
132
Question 132

A Windows host shows evidence of a driver being installed using a built-in utility. Investigate process creation events to find the INF filename that was specified in the add-driver invocation.

Correct Answer
usbstor.inf
Solved by12models
Click to view model answers
133
Question 133

On a Windows endpoint, an attacker ran a PowerShell sequence to establish a WMI event subscription using CommandLineEventConsumer. Inspect the process or script execution logs to uncover which executable was set to run by this subscription.

Correct Answer
notepad.exe
Solved by6models
Click to view model answers
134
Question 134

Investigate recent file modification events on Linux that could reveal an adversary appending commands to a user’s ~/.profile for persistence. Determine the exact command that was added.

Correct Answer
echo '# Atomic Red Team was he...
Solved by3models
Click to view model answers
135
Question 135

A Linux system shows a shell invocation that appears to be searching for files with elevated group permissions. Using the available process execution logs, determine exactly what command was run.

Correct Answer
find /usr/bin -perm -2000
Solved by6models
Click to view model answers
136
Question 136

A Windows host shows a process launching with install-driver switches, likely signaling malicious driver deployment. What is the name of the tool that was executed?

Correct Answer
pnputil.exe
Solved by3models
Click to view model answers
137
Question 137

On a Windows endpoint, review any events showing content being appended to a user’s PowerShell profile that introduce new process launches. What exact command line was added?

Correct Answer
Start-Process calc.exe
Solved by1model
Click to view model answers
138
Question 138

On a Windows endpoint, someone may have disabled the secure desktop for elevation prompts by modifying a registry setting. Review the registry event logs to identify which registry value name was changed to 0.

Correct Answer
PromptOnSecureDesktop
Solved by12models
Click to view model answers
139
Question 139

A Windows endpoint shows an Active Setup entry under Internet Explorer Core Fonts being altered with a StubPath value. Investigate the registry events and identify the payload that was set.

Correct Answer
calc.exe
Solved by5models
Click to view model answers
140
Question 140

A suspicious elevated shell on Linux changed a file’s permissions for a user to include the SetUID bit. What was the exact command used to set that flag?

Correct Answer
chmod u+xs /tmp/evilBinary
Solved by0models
Click to view model answers
141
Question 141

Investigate Linux process or syslog records to find any invocation of the 'find' utility used to scan /usr/bin for files with the setuid bit. What was the full command executed?

Correct Answer
find /usr/bin -perm -4000
Solved by10models
Click to view model answers
142
Question 142

A Windows host shows a suspicious registry change under the LSA hive. Review recent registry events to locate any new entries under Authentication Packages and determine the name of the DLL the attacker added.

Correct Answer
package.dll
Solved by3models
Click to view model answers
143
Question 143

A Windows host shows a registry write under DeviceRegistryEvents affecting the System policy path. Investigate entries where the data is set to ‘0’ and determine which registry value was modified to turn off UAC consent prompts.

Correct Answer
ConsentPromptBehaviorAdmin
Solved by13models
Click to view model answers
144
Question 144

A Linux system shows a 'find' command used to search within .aws directories. Which specific AWS credential filename was the attacker attempting to locate?

Correct Answer
credentials
Solved by6models
Click to view model answers
145
Question 145

Windows registry events show that a new key under the Active Setup Installed Components branch was added to launch a payload immediately via runonce.exe. Which component name was created?

Correct Answer
atomic_test
Solved by2models
Click to view model answers
146
Question 146

On a Windows host, sift through registry modification events targeting HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin. What new value was written to disable the admin consent prompt?

Correct Answer
0
Solved by6models
Click to view model answers
147
Question 147

On a Windows system, PowerShell was used to gather multiple browser credential files into a temp folder and then archive them. What was the name of the resulting ZIP file?

Correct Answer
T1555.003.zip
Solved by10models
Click to view model answers
148
Question 148

A Windows 10 system shows registry modifications under HKCU:\Software\Classes\ms-settings\shell\open\command, followed by a launch of fodhelper.exe. Determine which executable path was written into the registry to be launched by this UAC bypass.

Correct Answer
C:\Windows\System32\cmd.exe
Solved by0models
Click to view model answers
149
Question 149

On a Windows system, security logs show a PowerShell process downloaded and executed a WinPwn script. Which function name was invoked to perform the search for credentials or other sensitive data?

Correct Answer
powershellsensitive
Solved by0models
Click to view model answers
150
Question 150

A Linux host’s Syslog contains records of an elevated shell executing a command that granted group execute rights and enabled the SetGID bit on a file. Investigate the logs and report the name of the file whose group ID bit was modified.

Correct Answer
evilBinary
Solved by1model
Click to view model answers
151
Question 151

On Windows endpoints, find the registry enumeration activity that was used to locate password entries. What was the full command line executed?

Correct Answers
reg query HKLM /f password /t ...reg query HKCU /f password /t ...
Solved by1model
Click to view model answers
152
Question 152

On a Windows host, an external PowerShell script is fetched and run to harvest local Wi-Fi credentials. Investigate the process execution logs to find out what script file name was downloaded and invoked.

Correct Answer
WinPwn.ps1
Solved by8models
Click to view model answers
153
Question 153

A Windows host shows registry modifications in its boot configuration store enabling test signing mode. Investigate which process made this change and identify the exact command it ran to turn on test signing.

Correct Answer
bcdedit /set testsigning on
Solved by4models
Click to view model answers
154
Question 154

A security investigator suspects that someone attempted to dump stored web credentials on a Windows system using an in-built command-line tool. Review process creation logs to determine which executable was called to list the Web Credentials vault.

Correct Answer
vaultcmd.exe
Solved by8models
Click to view model answers
155
Question 155

On Windows devices, hunt for PowerShell activity where a remote script is fetched and executed to perform LLMNR/NBNS spoofing. Which cmdlet kicked off the listener?

Correct Answer
Invoke-Inveigh
Solved by7models
Click to view model answers
156
Question 156

On Windows, review PowerShell process events to spot where a remote .ps1 was fetched and run to pull vault credentials. Determine the name of the script file that was downloaded.

Correct Answer
GetCredmanCreds.ps1
Solved by6models
Click to view model answers
157
Question 157

Windows system logs show PowerShell zipping up the contents of a user’s profile folder. Investigate process and file events to determine the exact name of the ZIP archive created.

Correct Answer
T1560-data-ps.zip
Solved by9models
Click to view model answers
158
Question 158

A Linux user’s bash history was searched for patterns like ‘pass’ and ‘ssh’, and the matching lines were redirected into a new file. Determine the name of that file.

Correct Answer
loot.txt
Solved by11models
Click to view model answers
159
Question 159

An attacker on a Linux host has attempted to turn off command history by modifying an environment variable. Using process execution logs, determine the exact shell command used to set HISTSIZE to zero.

Correct Answer
export HISTSIZE=0
Solved by13models
Click to view model answers
160
Question 160

On a Linux system you suspect someone altered Bash’s history settings to hide their activity. Investigate process logs for evidence of HISTCONTROL being set to ignore entries. What was the full command executed to configure HISTCONTROL?

Correct Answer
export HISTCONTROL="ignoreboth...
Solved by15models
Click to view model answers
161
Question 161

Within Linux process execution records, locate any bash commands where the HISTFILESIZE environment variable was exported. What value was assigned to HISTFILESIZE?

Correct Answer
0
Solved by16models
Click to view model answers
162
Question 162

On a Windows endpoint, you find PowerShell reaching out to a remote URL and then running a module command. What was the LaZagne module name that was executed?

Correct Answer
lazagnemodule
Solved by0models
Click to view model answers
163
Question 163

Review Windows registry event logs for the ProcessCreationIncludeCmdLine_Enabled value being set to 0. Which PowerShell cmdlet performed this change?

Correct Answer
New-ItemProperty
Solved by10models
Click to view model answers
164
Question 164

An endpoint shows a PowerShell process that downloaded and executed a remote script aimed at extracting credentials from the Windows Credential Manager. Review the process creation logs and identify the function name that was invoked to dump the web credentials.

Correct Answer
Get-CredManCreds
Solved by2models
Click to view model answers
165
Question 165

On a Linux system where an attacker may disable iptables by saving the current rules and then flushing them, examine process execution logs to identify the specific filename that received the rules backup. What file name was used?

Correct Answer
iptables.rules
Solved by11models
Click to view model answers
166
Question 166

A Windows system’s process logs show a PowerShell execution that altered firewall settings. Which cmdlet was used to add this new rule?

Correct Answer
New-NetFirewallRule
Solved by13models
Click to view model answers
167
Question 167

On a Windows device, a new inbound firewall rule was created unexpectedly. Review process execution records to identify the command-line utility responsible for adding the rule.

Correct Answer
netsh
Solved by10models
Click to view model answers
168
Question 168

Investigate Linux process execution logs for any use of iptables that removes a rule blocking outbound FTP traffic. What full command was issued to delete this rule?

Correct Answer
iptables -D OUTPUT -p tcp --dp...
Solved by8models
Click to view model answers
169
Question 169

Investigating a Windows device, you suspect a non-standard executable was launched to set up a named pipe for client-server messaging. Determine the name of the executable that was run.

Correct Answer
namedpipes_executor.exe
Solved by4models
Click to view model answers
170
Question 170

Investigate Windows registry modification events to find the name of the registry value that was changed under the WindowsFirewall policy path when someone turned the firewall off.

Correct Answer
EnableFirewall
Solved by3models
Click to view model answers
171
Question 171

A Linux system’s audit framework appears to have been reset unexpectedly. Search your process execution records to identify which exact invocation removed all auditd rules. What full command was executed?

Correct Answer
auditctl -D
Solved by12models
Click to view model answers
172
Question 172

On a Linux host, auditing has been turned off. Review process execution or syslog data to determine which command was executed to disable the audit subsystem.

Correct Answer
auditctl -e 0
Solved by12models
Click to view model answers
173
Question 173

Review Linux process execution logs to find where the system journal service was stopped. Which utility was invoked to disable journal logging?

Correct Answer
systemctl
Solved by11models
Click to view model answers
174
Question 174

During investigation of a Linux device, you see evidence of a process that reports system locale details. Identify the tool used.

Correct Answer
localectl
Solved by1model
Click to view model answers
175
Question 175

A .NET tracing environment variable was turned off in a user’s registry on a Windows system. Which built-in command-line tool was used to make this registry change?

Correct Answer
reg.exe
Solved by1model
Click to view model answers
176
Question 176

On a Windows device, an attacker ran a PowerShell script to collect system settings including UI language and locale. Identify which cmdlet in the command line was used to obtain the system locale.

Correct Answer
Get-WinSystemLocale
Solved by9models
Click to view model answers
177
Question 177

A Linux host may have undergone automated data collection and compression right before sensitive information is exfiltrated. Using process execution logs, determine which archive file name was created when the tar utility was run with gzip compression.

Correct Answer
data.tar.gz
Solved by1model
Click to view model answers
178
Question 178

On a Windows system, a registry event shows the EnableLUA value under the System policies key was set to 0, effectively disabling UAC. Which utility carried out this change?

Correct Answer
reg.exe
Solved by12models
Click to view model answers
179
Question 179

Using Linux process or syslog logs, identify the executable that was run to output the system's locale information.

Correct Answer
locale
Solved by10models
Click to view model answers
180
Question 180

Windows process creation logs show a cmd.exe launch that retrieved the system’s locale code page. Which exact command was executed to discover the system language?

Correct Answer
chcp
Solved by14models
Click to view model answers
181
Question 181

On Windows systems, identify any user account that was hidden by setting its value to 0 under the SpecialAccounts\\UserList registry key. What was the name of the hidden account?

Correct Answer
AtomicOperator$
Solved by9models
Click to view model answers
182
Question 182

On the Windows device, a security check was run to detect debugger processes via PowerShell. Which tool (process) carried out this check?

Correct Answer
powershell
Solved by7models
Click to view model answers
183
Question 183

Review process creation logs for an instance where a built-in Windows utility was used to enumerate installed device drivers with verbose list output. What is the name of that tool?

Correct Answer
driverquery
Solved by15models
Click to view model answers
184
Question 184

During a Linux engagement, an operator exported HISTSIZE=0 to turn off shell history and then ran another utility. Using the DeviceProcessEvents table, identify the exact command executed immediately after the history was disabled. What was the command?

Correct Answer
whoami
Solved by7models
Click to view model answers
185
Question 185

On a Windows system, identify any PowerShell Test-NetConnection executions against an uncommon port. Which port number was checked?

Correct Answer
8081
Solved by6models
Click to view model answers
186
Question 186

In a Windows environment, locate any occurrences where an elevated DISM utility was run to enumerate the system’s international (locale) settings. What was the exact command line used?

Correct Answer
dism.exe /online /Get-Intl
Solved by5models
Click to view model answers
187
Question 187

A Linux host was probed by reading its locale configuration file to discover the system language. Identify which tool was invoked to perform that read operation.

Correct Answer
cat
Solved by2models
Click to view model answers
188
Question 188

On Windows, following a phantom DLL hijack of the Print Spooler service, determine which system file was first copied from its original location before being renamed for persistence.

Correct Answer
amsi.dll
Solved by0models
Click to view model answers
Showing all 188 benchmark questions