
Phantom SOC

Forensics | 200 pts | standard
Challenge Description

An intrusion occurred while the SOC dashboard stayed green. The attacker is suspected of tampering with detection content and API keys in the SIEM stack.

Identify:

  1. Compromised API key ID.
  2. Deleted detection rule ID.
  3. First host hidden by suppression.
  4. Source IP that performed tampering actions.

Flag format: HackCTF{...}

Hints
  1. Separate external tampering from internal admin hygiene actions.
  2. Build the sequence from audit -> rule change -> suppressed alert.
  3. The final flag needs the tampering source IP.
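The three hints describe a correlation procedure: partition audit events by who did them, then walk the external actor's trail from the API key they used, to the rule they removed, to the suppression they added, to the first alert that suppression hid. The script below is an added example, not part of the challenge page or its artifacts. It runs over two constructed JSON-lines exports (an audit trail and an alert list) whose field names, identifiers, addresses and timestamps are all assumed for illustration and are not the challenge data or any real SIEM's schema.

```python
"""Reconstruct a SIEM tampering chain from audit and alert exports.

Added example with constructed data; identifiers, addresses and field
names (ts, src_ip, actor_key, action, target, host, rule, suppressed_by)
are assumptions, not the challenge's artifacts or a real SIEM schema.
"""
import ipaddress
import json

# Constructed audit export (JSON lines). Internal admin hygiene from
# 10.0.5.12 is mixed with activity from an external address.
AUDIT_LOG = """\
{"ts":"2024-05-01T08:00:00Z","src_ip":"10.0.5.12","actor_key":"key-admin-01","action":"rule.update","target":"rule-0101"}
{"ts":"2024-05-01T08:05:00Z","src_ip":"10.0.5.12","actor_key":"key-admin-01","action":"apikey.rotate","target":"key-admin-01"}
{"ts":"2024-05-01T09:10:00Z","src_ip":"198.51.100.23","actor_key":"key-svc-07","action":"apikey.login","target":"key-svc-07"}
{"ts":"2024-05-01T09:12:00Z","src_ip":"198.51.100.23","actor_key":"key-svc-07","action":"rule.delete","target":"rule-0207"}
{"ts":"2024-05-01T09:13:00Z","src_ip":"198.51.100.23","actor_key":"key-svc-07","action":"suppression.create","target":"supp-0031"}
{"ts":"2024-05-01T09:40:00Z","src_ip":"10.0.5.12","actor_key":"key-admin-01","action":"rule.delete","target":"rule-0099"}
"""

# Constructed alert export, deliberately not in time order: the first
# line is an unsuppressed alert, the rest were hidden by supp-0031.
ALERT_LOG = """\
{"ts":"2024-05-01T09:05:00Z","host":"web-03","rule":"rule-0207","suppressed_by":null}
{"ts":"2024-05-01T09:20:00Z","host":"db-02","rule":"rule-0207","suppressed_by":"supp-0031"}
{"ts":"2024-05-01T09:15:00Z","host":"web-01","rule":"rule-0150","suppressed_by":"supp-0031"}
{"ts":"2024-05-01T09:50:00Z","host":"web-02","rule":"rule-0150","suppressed_by":"supp-0031"}
"""

# Assumed internal ranges; in a real case take these from the network inventory.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Audit actions that change what the SOC can see.
TAMPER_ACTIONS = {"rule.delete", "rule.disable", "suppression.create"}


def parse_jsonl(text):
    """Parse JSON-lines text into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def reconstruct_tampering(audit_text, alert_text):
    """Apply the three hints and return the four answers, or None if no
    external tampering is present.

    Timestamps are fixed-width ISO 8601 in UTC, so sorting the strings
    orders them chronologically.
    """
    audit = sorted(parse_jsonl(audit_text), key=lambda e: e["ts"])
    alerts = sorted(parse_jsonl(alert_text), key=lambda e: e["ts"])

    # Hint 1: tampering from outside the internal ranges is the attacker;
    # the same actions from an admin workstation are hygiene.
    external = [e for e in audit
                if e["action"] in TAMPER_ACTIONS and not is_internal(e["src_ip"])]
    if not external:
        return None
    src_ip = external[0]["src_ip"]

    # Hint 2: the attacker's trail is every audit event from that address,
    # in order: key use -> rule change -> suppression.
    trail = [e for e in audit if e["src_ip"] == src_ip]
    api_key = trail[0]["actor_key"]
    deleted_rule = next((e["target"] for e in trail if e["action"] == "rule.delete"), None)
    suppressions = [e for e in trail if e["action"] == "suppression.create"]
    supp_ids = {e["target"] for e in suppressions}
    supp_start = min(e["ts"] for e in suppressions) if suppressions else None

    # The first alert hidden by the attacker's suppression, counted only
    # from the moment the suppression existed.
    hidden = [a for a in alerts
              if a["suppressed_by"] in supp_ids and a["ts"] >= supp_start] if supp_start else []
    first_host = hidden[0]["host"] if hidden else None

    # Hint 3: the source address itself is one of the answers.
    return {"api_key": api_key, "deleted_rule": deleted_rule,
            "first_hidden_host": first_host, "source_ip": src_ip}


if __name__ == "__main__":
    print(json.dumps(reconstruct_tampering(AUDIT_LOG, ALERT_LOG), indent=2))
```

Two caveats a practitioner would keep in mind: an address range is a weak identity signal on its own, since an attacker with a stolen key can just as easily come through a VPN concentrator or an internal pivot, so in a real investigation corroborate the split with key ownership, user agent and time of day; and the alert export must be sorted before picking "first", because SIEM exports are often ordered by ingestion rather than by event time, as the constructed alert list above is.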