Universal Bus

EasyThreat Hunting

Overview

SCENARIO

This morning, someone left something behind on one of the seats. A small flash drive, unmarked, sitting right where the new IT contractor usually sits.

Someone from facilities found it, figured it belonged to IT, and helpfully plugged it into an office workstation to check what was on it. Just trying to return it to its owner, right?

By lunch, the SOC dashboard lights up. Nothing dramatic — just a few anomalies buried under thousands of routine log entries. A file copied to an odd location. A process spawning from a temp directory. An outbound connection to an IP nobody recognizes.

Most analysts would scroll right past it.

But you are not most analysts. Something rode that Universal Bus into your network, and now it is your job to figure out what.

Flag format: FLAG{}

Infrastructure

- Docker Container — HTTP on port 5000

Provided Files

- No External Files Provided

Job Positions

Threat Hunter

Tags

KqlLog AnalysisPowershell LogsLateral MovementFalse PositiveSoc