## Capture the Flag

1. Break into 4 teams.
2. Each team will receive a Velociraptor server connected to a small network.
3. You will be given 1 hour to develop and deploy detection rules.
4. After the break, a set of attacks will take place, hiding flags throughout the network.
5. Your team will detect as many attacks as possible.
6. The team with the most detections wins at timeout!

---

## Rules of engagement

* Do not do anything destructive to the network or any of the hosts!
* Submit all your novel artifacts at the end:
  * Artifacts are worth more points the more novel the VQL is.
  * The more unique aspects each detection covers, the more points it earns.

---

## Possible attacks

* The following reports refer to some of the attacks that will take place:
  * https://github.com/ashemery/LinuxForensics/blob/master/Workshops/DFRWS_USA_2023/Linux-Forensics-Workshop-Slides.pdf
  * https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/
  * https://www.praetorian.com/blog/threat-hunting-how-to-detect-psexec/