Intro Defensive Investigation

Windows Logon Anomaly Triage

Use host and auth logs to identify suspicious authentication behavior.

beginner · 40 min · 40 pts

Instructions

1. Review the scenario
   Read the scenario summary and note the primary investigation goal.
2. Inspect the provided artifact or environment
   Use the artifact downloads or the live container session to gather evidence.
3. Answer the guided questions
   Submit answers and the final flag before time expires.