
Detection Engineering Challenge

ShmooCon 2024 – January 12-14

SnapAttack makes it easy for SOC analysts and detection engineers to create high-quality, behavioral detections. For this challenge, we’ve added five threats from our threat library: adding a user to the local administrators group, credential dumping with mimikatz, obtaining persistence with a sticky keys backdoor, executing code via MSHTA, and activity via a webshell. Your job is to create a detection rule for each attack. The highest score / first to solve all challenges will win a Raspberry Pi.
 
You must use the link below to register. This will put you in a special “training mode” where you will only be able to see the five challenges. You will also only be able to see detections that you create.

Getting Started

  1. Log in to SnapAttack, and in the header click on “Sandbox” -> “Threat Library”.
  2. Click on any one of the five threats. Review the threat, including the video, event logs, and process graph.
  3. Click on a “Create Detection” button if you see an interesting log or event. This will bring that event into our detection builder. Alternatively, you can go to the builder directly from “Detect” -> “Create a New Detection” in the header.
  4. Use the detection builder to create a detection rule. You can use the search icon to test your detection in Splunk. After you get the detection logic correct, click on the details tab and finish adding metadata. We’re not scoring you based on title or description, but you should have a matching MITRE ATT&CK tag (hint: it’s the same as the one in the labelled attack / red star). When you are done, hit the publish button to make the detection live.
  5. Return to the threat. The detection hit should now appear in the timeline (it may take a minute to process). If your detection is validated (red star and blue dot are both filled in), congrats – you’ve made your first detection rule! If the detection does not appear, or is not validated, go back to the detection builder and refine the detection.
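Before typing a rule into the builder, it helps to pin down the behavioral predicate and check it against a handful of events that should and should not fire. The script below is an added example and not SnapAttack code or a solution taken from the challenge: it runs two hand-written rules for the first threat (adding a user to the local Administrators group) over constructed sample events. The event records, rule names and helper functions are all invented here for illustration; the Windows Security event ID 4732 and the built-in Administrators SID S-1-5-32-544 are standard Windows values.

```python
"""Example detection logic for "adding a user to the local Administrators group".

Added example, not SnapAttack code. Two rules are evaluated against constructed
sample events so the predicate can be checked offline before it is ported to
the detection builder / Splunk.
"""
import re
import shlex

# Constructed process-creation events (Sysmon Event ID 1 style, a few fields only).
# These are invented records for the example, not logs from the challenge lab.
PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net  localgroup "Administrators" backupsvc /add',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\net1.exe",          # net.exe hands off to net1.exe
     "CommandLine": "net1 localgroup administrators evil /ADD",
     "ParentImage": r"C:\Windows\System32\net.exe"},
    {"Image": r"C:\Windows\System32\net.exe",           # enumeration only, must not fire
     "CommandLine": "net localgroup administrators",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -c "Add-LocalGroupMember -Group Administrators -Member svc_deploy"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\net.exe",           # account creation, different behavior
     "CommandLine": "net user backupsvc P@ss /add",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# Constructed Security events. 4732 = "A member was added to a security-enabled
# local group"; 4733 is the matching removal event.
BUILTIN_ADMINS_SID = "S-1-5-32-544"
GROUP_EVENTS = [
    {"EventID": 4732, "TargetSid": BUILTIN_ADMINS_SID, "SubjectUserName": "jdoe"},
    {"EventID": 4732, "TargetSid": "S-1-5-32-555", "SubjectUserName": "jdoe"},  # Remote Desktop Users
    {"EventID": 4733, "TargetSid": BUILTIN_ADMINS_SID, "SubjectUserName": "jdoe"},  # removal, not addition
]


def _tokens(cmdline):
    """Split a command line on whitespace, drop surrounding quotes, lower-case."""
    try:
        parts = shlex.split(cmdline, posix=False)
    except ValueError:            # unbalanced quotes: fall back to a plain split
        parts = cmdline.split()
    return [p.strip("\"'").lower() for p in parts]


def detect_process(event):
    """Return the name of the rule a process-creation event matches, else None."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    cmdline = event["CommandLine"]
    if image in ("net.exe", "net1.exe"):
        toks = _tokens(cmdline)
        if "localgroup" in toks:
            rest = toks[toks.index("localgroup") + 1:]
            # group name directly after "localgroup", and an /add switch after it
            if rest and rest[0] == "administrators" and "/add" in rest[1:]:
                return "net_localgroup_administrators_add"
    if image in ("powershell.exe", "pwsh.exe"):
        if re.search(r"add-localgroupmember\b.*-group\s+['\"]?administrators", cmdline, re.I):
            return "powershell_add_localgroupmember_administrators"
    return None


def detect_group_membership(event):
    """Language-independent check: member added to the built-in Administrators group."""
    return event.get("EventID") == 4732 and event.get("TargetSid") == BUILTIN_ADMINS_SID


def run():
    """Evaluate both rules over the sample events; returns (process hits, 4732 hits)."""
    proc_hits = [(i, r) for i, e in enumerate(PROCESS_EVENTS) if (r := detect_process(e))]
    group_hits = [i for i, e in enumerate(GROUP_EVENTS) if detect_group_membership(e)]
    return proc_hits, group_hits


if __name__ == "__main__":
    for hit in run()[0]:
        print("process rule hit:", hit)
    for hit in run()[1]:
        print("4732 rule hit: event index", hit)
```

Two things worth carrying over into a real rule: the command-line rule matches the English group name only, so on a localized host it misses, whereas event 4732 keyed on the SID does not; and net.exe spawns net1.exe with the same arguments, so the first rule fires twice per action unless you exclude one of the two images or deduplicate on the parent.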
 
Need more help? Stop by our booth, watch the video tutorial below, or join our community slack and ask your question in the #shmoocon-2024 channel.
 

Rules and Fine Print

Contest runs from Friday, January 12th at 12:00 PM to Sunday, January 14th at 12:00 PM EST. Only ShmooCon conference attendees are eligible for prizes, and prizes must be picked up on Sunday at the booth.
Don’t be a dick. We reserve the right to disqualify any participant.