Monthly CTF — May 2026
Scenario
You're a SOC analyst at Northgate Financial, a mid-size finance company. The endpoint security platform — Elastic Defend — has lit up overnight on one of your finance-department workstations. The on-call analyst dismissed the alerts as routine noise and went back to sleep. It's morning, and the alert pile has grown to multiple rules across persistence, defense evasion, and command-and-control.
The CIO wants a definitive answer before market open: was this a real intrusion, what did the attacker accomplish, and is there anything that needs to be ripped out of the environment right now?
Your tools
- Kibana at
<elastic-cloud-url>— credentials given separately. Look in the Security app first (Alerts, Hosts, Network, Users, Timeline). - ES|QL and KQL are both available via Discover. Many answers can be reached either via the visual analyzer or with a query.
- Set the Kibana time picker to "Last 14 days" — the relevant activity is roughly two days before now.
How this CTF is structured
28 questions across 6 categories:
| Category | Q | Pts | Focus |
|---|---|---|---|
| Initial Detection | 4 | 4 | Orient yourself in the Security app |
| Process Investigation | 6 | 12 | Reconstruct the execution chain |
| Persistence | 5 | 10 | What did the attacker leave behind? |
| Network & C2 | 5 | 12 | Where did the implant phone home? |
| Defense Evasion | 5 | 12 | How did the attacker hide from us? |
| Advanced Hunting | 3 | 15 | Beyond the alerts — go find what rules missed |
Total: 65 points. A competent SOC analyst should score 70-80% in ~4 hours.
Rules of engagement
- Stay within the provided Elastic Cloud deployment — don't pivot to external services or VirusTotal lookups (for now).
- Answers are case-insensitive unless the question says otherwise.
- For numeric questions, accept the literal integer (no "MB", "pts", etc.).
- For file paths, use the same backslash and capitalization style as appears in the event.
- If a flag uses regex matching (it'll say in the question), there may be acceptable variants — try the most natural form first.
A few hints
- Start with the Security → Alerts page and sort by
@timestampASC. The first alert tells you what got the attacker noticed. - The Analyzer view (click on an alert → "Analyzer") is the fastest way to see the process tree.
- When in doubt about a process, search both
logs-endpoint.events.process-*ANDlogs-windows.powershell*— script-block content lives in the latter. - Don't trust the alerts alone. There are at least three artifacts that no rule fired on but matter for the investigation. Those are the 5-pt questions.
Good hunting.