Welcome
Following the recent SOC Level 1 path refresh, it's time for the ultimate test of your blue-team skills, the First Shift CTF! This beginner-friendly event features six unique scenarios, starting with quick warmups and classic SOC investigations you've seen in the path, and escalating to cases that push well beyond the typical L1 role. Check out the website for details:
The event kicks off on January 24th at 17:00 GMT and runs for four hours. For those who can't join, the challenges will be available even after the CTF. Until then, sharpen your analytical thinking and revisit the SOC topics - you will definitely need them. One final hint: be ready to Splunk your way to the flags!
How To Join
This is a single-player CTF where anyone can join! This competition has no limits for participants and is open to all. Make sure to join this room, set up OpenVPN if you want to use your own tools, and join the #first-shift-ctf Discord channel to keep updated!
CTF Rules
- Do not brute force answers (flags) on the TryHackMe platform.
- Do not attack TryHackMe's infrastructure or other users' machines.
- Do not share flags with others, and don't ask for hints during the event.
If you have questions or need support from TryHackMe, please join our Discord channel and open a ticket. The full Terms and Conditions of the competition can be read here.
Read the rules and join Discord!
Meet ProbablyFine
Haven't you heard about ProbablyFine? No way! ProbablyFine Ltd. is the most advanced, next-generation MSSP startup you can find for a reasonable price nowadays. Founded by experienced blue-teamers and DFIR professionals, we take a radically honest approach to cyber security: don't dismiss alerts as False Positives, but reassure the client it's probably fine.

These were the words you heard during your SOC Level 1 onboarding. You were skilled and lucky enough to pass the internship, and now it's your first monitoring week at a top-tier MSSP! Sure, senior analysts are always ready to support and no one is about to throw you into an incident alone, but you never know what might happen at ProbablyFine.
Let's go!
Your flag is: THM{first_shift_check_in!}
Probably Just Fine
Welcome to your first shift! You are greeted by an internal alert on the SOC dashboard titled "Unusual VPN login of susan.martin@probablyfine.thm from 37.19.201.132 (Singapore)."
The SOC handover notes did indeed mention that Susan from Marketing is in Singapore, attending a security vendor conference. It is probably just fine, but the SOC procedure tells us to verify each IP in our threat intel platform TryDetectThis. Answer the first two questions to gather more information and determine the threat level.
TryDetectThis
TryDetectThis is a threat intelligence database to check the reputation and other details of IP addresses, domains, and file hashes. To access this platform, please navigate to the following URL in your own browser:
| Access | Granted |
| URL | TryDetectThis |
Is It Really Fine
That login IP looks suspicious, doesn't it? Your teammates reached out to Susan, and she confirmed she did not log in to the company VPN. She also mentioned that while using a public Wi-Fi hotspot at a cafe, she was suddenly prompted to install a "security check" tool, which she did. The host telemetry reveals a suspicious binary with the hash b8e02f2bc0ffb42e8cf28e37a26d8d825f639079bf6d948f8debab6440ee5630. Can you help us figure out what this binary exactly does and answer the remaining questions?
What is the ASN number related to the IP?
Which service is offered from this IP?
What is the filename of the file related to the hash?
What is the threat signature that Microsoft assigned to the file?
One of the contacted domains is part of a large malicious infrastructure cluster.
Based on its HTTPS certificate, how many domains are linked to the same campaign?
The file matches one of the YARA rules made by "kevoreilly".
What line is present in the rule's "condition" field?
The file is also mentioned in one of the TI reports.
What is the title of the report mentioning this hash?
Which team did the author of the malware start collaborating with in early 2024?
A Mexican-based affiliate related to the malware family also uses other infostealers.
Which mentioned infostealer targets Android systems?
The report states that the affiliates behind the malware use the services of AnonRDP.
Which MITRE ATT&CK sub-technique does this align with?
Phishing Books
It's another typical day at ProbablyFine Ltd. Your SOC dashboard is glowing with endless alerts, most of them false positives, as usual. Your team manages several education-sector clients, including universities, schools, and research institutes across the UK. Today, you are in charge of monitoring alerts from universities in London.
Normally, things stay quiet. These universities are heavily targeted by phishing attacks, but most attempts get stopped by the email filters before anyone even sees them. But today is different. You got an email from a university teacher:
Subject: MFA Removal Requests
From: Dr. Isabella <[email protected]>
Hey, ProbablyFine SOC Team,
I've been getting several emails asking me to approve my MFA.
Are you performing any tests? Should I approve these requests?
Dr. Isabella
You contact Dr. Isabella directly, and it becomes clear that she has been targeted by a phishing email designed to steal her credentials, which is why she is receiving multiple MFA requests! You advise her to reset her password immediately.
Now it's time to dig deeper: no alerts were triggered in your SIEM, so you requested the original .eml file of the phishing email to perform a manual investigation. Was this an isolated hit, or part of a larger phishing campaign targeting universities? Start the analysis machine and examine the email. Let's see what's really going on!
Machine Access
For this challenge, you are given an instance containing the .eml file reported by Dr. Isabella. Ensure that you test and analyze the file inside the VM environment. Please start the machine by clicking the "Start Machine" button below.
You also have access to TryDetectThis, a threat intelligence database to check the reputation and other details of IP addresses, domains, and file hashes. To access this platform, please navigate to the following URL in your own browser, outside the VM environment:
| Access | Granted |
| URL | TryDetectThis |
Which specific check within the headers explains the bypass of email filters?
Answer Example: "CHECK=value"
What technique did the attacker use to make the message seem legitimate?
Which MITRE technique and sub-technique ID best fit this sender address trick?
What is the file extension of the attached file?
What is the MD5 hash of the .HTML file?
What is the landing page of the phishing attack?
Which MITRE technique ID was used inside the attached file?
What is the hidden message the attacker left in the file?
Which line in the attached file is responsible for decoding the URL redirect?
What is the first URL in the redirect chain?
What is the Threat Actor associated with this malicious file and/or URL?
What is the main target of this Threat Actor according to MITRE?
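The header and attachment checks these questions ask for can be scripted rather than eyeballed. The block below is an added example, not part of the room or of the analysis VM: it parses a constructed .eml with Python's standard email library, pulls the Authentication-Results verdicts, flags an SPF domain that does not align with the From: domain and a Reply-To pointing elsewhere, hashes the HTML attachment, and decodes the atob()-wrapped redirect that HTML phishing attachments typically carry. Every address, domain, subject and the attachment itself are made up; on the real case, read the reported .eml from disk inside the VM instead of the inline sample.

```python
"""Triage a phishing .eml: authentication results, sender tricks, attachments.

Added example; not code from the TryHackMe room. The message below is
constructed for illustration and every address, domain and URL in it is
hypothetical.
"""
import base64
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr

# Constructed attachment: the classic "decode a base64 URL and redirect" trick.
PHISH_URL = "https://login.example-sender.thm/"  # hypothetical landing page
HTML_ATTACHMENT = (
    b'<html><body><script>location.href=atob("'
    + base64.b64encode(PHISH_URL.encode()) + b'");</script></body></html>'
)

# Constructed .eml (hypothetical sender, recipient and domains).
SAMPLE_EML = (
    b"Authentication-Results: mx.example-university.thm; spf=pass"
    b" smtp.mailfrom=bounce.example-sender.thm;\n"
    b" dkim=none; dmarc=none header.from=example-university.thm\n"
    b'From: "IT Service Desk" <it-helpdesk@example-university.thm>\n'
    b"Reply-To: helpdesk@example-sender.thm\n"
    b"To: isabella@example-university.thm\n"
    b"Subject: Action required: MFA re-enrolment\n"
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/mixed; boundary="b1"\n'
    b"\n--b1\n"
    b'Content-Type: text/plain; charset="utf-8"\n'
    b"\nPlease open the attached form to keep your MFA active.\n"
    b"--b1\n"
    b'Content-Type: text/html; name="MFA_Form.html"\n'
    b'Content-Disposition: attachment; filename="MFA_Form.html"\n'
    b"Content-Transfer-Encoding: 7bit\n\n"
    + HTML_ATTACHMENT + b"\n--b1--\n"
)


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def parse_auth_results(msg):
    """Return ({check: verdict}, {scope: domain}) from Authentication-Results."""
    header = str(msg.get("Authentication-Results", ""))
    verdicts = {m.group(1): m.group(2)
                for m in re.finditer(r"\b(spf|dkim|dmarc|arc)=(\w+)", header)}
    domains = dict(re.findall(r"\b(smtp\.mailfrom|header\.from|header\.d)=([\w.-]+)", header))
    return verdicts, domains


def sender_checks(msg, domains):
    """Spot the two usual sender tricks: unaligned SPF and a foreign Reply-To."""
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    from_dom = from_addr.rsplit("@", 1)[-1].lower()
    mailfrom = domains.get("smtp.mailfrom", "").lower()
    # spf=pass only proves the envelope sender's domain authorised the relay;
    # if that domain is not the From: domain (or a subdomain), DMARC alignment fails.
    unaligned = bool(mailfrom) and not (mailfrom == from_dom or mailfrom.endswith("." + from_dom))
    reply_mismatch = bool(reply_to) and reply_to.rsplit("@", 1)[-1].lower() != from_dom
    return {"spf_unaligned": unaligned, "reply_to_mismatch": reply_mismatch}


def decoded_redirects(data):
    """Decode base64 strings passed to atob() inside an HTML attachment."""
    found = []
    for m in re.finditer(rb'atob\(["\']([A-Za-z0-9+/=]+)["\']\)', data):
        try:
            found.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:
            continue  # not valid base64; ignore
    return found


def attachments(msg):
    out = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        out.append({
            "filename": name,
            "extension": name.rsplit(".", 1)[-1].lower() if "." in name else "",
            "md5": md5_hex(data),
            "redirects": decoded_redirects(data),
        })
    return out


def triage_eml(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts, domains = parse_auth_results(msg)
    return {"auth": verdicts, "domains": domains,
            "sender": sender_checks(msg, domains), "attachments": attachments(msg)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage_eml(SAMPLE_EML), indent=2))
```

The point to take from the output is that spf=pass on its own is not a clean bill of health: the pass was earned by the envelope domain the attacker controls, while the displayed From: belongs to the university, which is exactly the gap a filter that stops at the SPF verdict leaves open.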
Portal Drop
You are on the day shift at ProbablyFine when the monitoring dashboard flashes red. A new alert appears in the WAF summary, reporting a web scan on crm.trypatchme.thm followed by a suspicious file upload anomaly. The affected website is the public-facing CRM portal of TryPatchMe, a valued customer that provides software patching consulting services.
That should be an easy case, since you have access to both the web access logs and the EDR console. Combined, they should give you a clear answer: either it's a False Positive, or the portal has been breached and TryPatchMe needs to patch the CRM now!
EDR and Web Logs
For this challenge, you need to download the web access logs by clicking the "Download Task Files" button above, and for some questions, you will need the EDR console below:
| Access | Granted |
| URL | EDR Console |
What is the IP address that initiated the brute force on the CRM web portal?
How many successful and failed logins are seen in the logs?
Answer Example: 42, 56
Following the brute force, which user-agent was used for the file upload?
What was the name of the suspicious file uploaded by the attacker?
At what time did the attacker first invoke the uploaded script?
Answer Example: 2025-10-24 15:35:50
What is the first decoded command the attacker ran on the CRM?
Based on the attacker’s activity on the CRM, which MITRE ATT&CK Persistence sub-technique ID is most applicable?
Which process image executes attacker commands received from the web?
What command allowed the attacker to open a bash reverse shell?
Which Linux user executes the entered malicious commands?
What sensitive CRM configuration file did the attacker access?
Which domain was used to exfiltrate the CRM portal database?
What flag do you get after completing all 12 EDR response actions?
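The access-log side of this case follows a fixed pattern: find the source of the failed logins, count outcomes, then follow that same IP to the upload and to the first request that invokes the uploaded script. The block below is an added example, not the room's own logs or tooling: it runs that triage over a handful of constructed combined-format log lines. The IPs, paths, user-agents, status codes and the base64-encoded cmd= parameter are all hypothetical; in this constructed portal a failed login answers 401 and a successful one redirects with 302, which you would confirm against the real application before counting.

```python
"""Triage a brute force and web-shell upload from web access logs.

Added example; not code or data from the TryHackMe room. The log lines are
constructed, and every IP, path, user-agent and command is hypothetical.
"""
import base64
import re
from collections import Counter
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed Apache/nginx combined-format lines. 198.51.100.23 hammers /login,
# gets in, uploads a file through the admin page and then calls it.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Oct/2025:15:30:01 +0000] "GET / HTTP/1.1" 200 2041 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/128.0"
198.51.100.23 - - [24/Oct/2025:15:31:10 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.32.3"
198.51.100.23 - - [24/Oct/2025:15:31:11 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.32.3"
198.51.100.23 - - [24/Oct/2025:15:31:12 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.32.3"
198.51.100.23 - - [24/Oct/2025:15:31:13 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.32.3"
198.51.100.23 - - [24/Oct/2025:15:31:14 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.32.3"
198.51.100.23 - - [24/Oct/2025:15:31:15 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.32.3"
198.51.100.23 - - [24/Oct/2025:15:31:16 +0000] "POST /login HTTP/1.1" 302 0 "-" "python-requests/2.32.3"
203.0.113.7 - - [24/Oct/2025:15:32:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/128.0"
198.51.100.23 - - [24/Oct/2025:15:33:40 +0000] "POST /admin/upload.php HTTP/1.1" 200 88 "http://crm.example.thm/admin/" "Mozilla/5.0 (X11; Linux x86_64) Chrome/121.0"
198.51.100.23 - - [24/Oct/2025:15:35:50 +0000] "GET /uploads/report.php?cmd=aWQ= HTTP/1.1" 200 61 "-" "curl/8.5.0"
198.51.100.23 - - [24/Oct/2025:15:36:02 +0000] "GET /uploads/report.php?cmd=dW5hbWUgLWE= HTTP/1.1" 200 120 "-" "curl/8.5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: skip, but count them in real work
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["target"])
    rec["path"], rec["query"] = parts.path, parse_qs(parts.query)
    return rec


def brute_force_source(records, min_failures=5):
    """IP with the most failed POST /login; None if nobody reaches the threshold."""
    failures = Counter(r["ip"] for r in records
                       if r["method"] == "POST" and r["path"] == "/login" and r["status"] == 401)
    if not failures:
        return None
    ip, n = failures.most_common(1)[0]
    return ip if n >= min_failures else None


def login_outcomes(records, ip):
    """(successful, failed) logins for ip; 302 = success, 401 = failure here."""
    logins = [r for r in records if r["ip"] == ip and r["method"] == "POST" and r["path"] == "/login"]
    return (sum(r["status"] == 302 for r in logins), sum(r["status"] == 401 for r in logins))


def first_upload(records, ip):
    for r in records:
        if r["ip"] == ip and r["method"] == "POST" and r["path"].endswith("/upload.php") and r["status"] == 200:
            return r
    return None


def webshell_hits(records, ip, uploads_prefix="/uploads/"):
    """Attacker requests into the uploads directory, with cmd= base64-decoded."""
    hits = []
    for r in records:
        if r["ip"] != ip or not r["path"].startswith(uploads_prefix):
            continue
        cmds = []
        for enc in r["query"].get("cmd", []):
            enc = enc.replace(" ", "+")  # parse_qs turns an unencoded '+' into a space
            try:
                cmds.append(base64.b64decode(enc, validate=True).decode("utf-8", "replace"))
            except ValueError:
                cmds.append(enc)  # not base64: keep the raw value
        hits.append({"time": r["time"], "file": r["path"].rsplit("/", 1)[-1],
                     "ua": r["ua"], "commands": cmds})
    return hits


def triage_access_log(log_text):
    records = [rec for rec in (parse_line(l) for l in log_text.splitlines()) if rec]
    records.sort(key=lambda r: r["time"])
    ip = brute_force_source(records)
    if ip is None:
        return {"brute_force_ip": None}
    upload, hits = first_upload(records, ip), webshell_hits(records, ip)
    return {
        "brute_force_ip": ip,
        "logins": login_outcomes(records, ip),
        "upload_user_agent": upload["ua"] if upload else None,
        "webshell": hits[0]["file"] if hits else None,
        "first_invocation": hits[0]["time"].strftime("%Y-%m-%d %H:%M:%S") if hits else None,
        "first_command": hits[0]["commands"][0] if hits and hits[0]["commands"] else None,
    }


if __name__ == "__main__":
    print(triage_access_log(SAMPLE_LOG))
```

Note that the user-agent changes three times for the same IP (a scripting library for the brute force, a browser for the upload, curl for the web shell), which is why the upload question asks for the agent rather than the IP: pivoting on the IP alone and filtering on one agent string would hide part of the chain.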
Zero Tolerance
It was supposed to be a regular morning at ProbablyFine Ltd. L2 had just returned from paternity leave. L3 was hosting a live webinar on "Proactive Threat Hunting." The morning standup was the usual mix of coffee, ticket updates, and small talk about last night's football match. Then the Slack notification came through from Sales:
"NEW CLIENT ONBOARDED - VaultSecure Banking - Tier 1 Priority - Live monitoring starts NOW"
VaultSecure Banking wasn't just any client. They're a regional bank with two million customers. They had just fired their previous MSSP after a compliance audit revealed endpoints that had gone unmonitored for six months. The contract ProbablyFine signed was massive, enough to fund the company for the next two years. However, there’s a catch: a 90-day probation period with a "zero tolerance" clause - miss one critical alert, and the contract is terminated.
The Alert
You had barely started skimming the onboarding docs when the SIEM lit up with a critical alert:
"CRITICAL: Suspicious Persistence Mechanism Detected - VaultSecure Banking"
You just stare at it for a second. It's been less than 4 hours since monitoring went live, and you're already staring at a critical alert. Your L2 is in back-to-back meetings with the new client. Your L3 is live on a webinar with 500 attendees. The company's future literally depends on how you handle this. For now, it's just you and this alert. It's time to show VaultSecure Banking why they chose ProbablyFine!
Machine Access
Start the lab by clicking the Start Machine button below. You will then have access to the Splunk Web Interface. Please wait 4-5 minutes for the Splunk instance to launch. To access Splunk, please follow this link:
You may also need downloadable artifacts from the compromised VM:
What is the hostname where the Initial Access occurred?
What MITRE sub-technique ID describes the initial code execution on the beachhead?
What is the full path of the malicious file that led to Initial Access?
What is the full path to the LOLBin abused by the attacker for Initial Access?
What is the IP address of the attacker's Command & Control server?
What is the full path of the process responsible for the C2 beaconing?
What is the full path, modified for Persistence on the beachhead host?
What tool and parameter did the threat actor use for credential dumping?
The threat actor executed a command to evade defenses.
What security parameter did they attempt to change?
The threat actor used a tool to execute remote commands on other machines.
What is the process ID (PID) that executed the remote command?
At what time did the threat actor pivot from the beachhead to another system?
Answer format: YYYY-MM-DD HH:MM:SS
What is the full path of the PowerShell script used by the threat actor to collect data?
What are the first 4 file extensions targeted by this script for exfiltration?
Answer format: Chronological, comma-separated
What is the full path to the staged file containing collected files?
The Crown Jewel
You are on a shift, looking at the new alert coming from Imperium Labs - a company under MSSP monitoring long before you joined the team. It's hard to say what the company's primary focus is, but it has a global presence and undoubtedly has secrets to protect, especially those on heavily secured GitLab and Jira servers which store proprietary source code and project data.
The Alert
The alert you are looking at is called Reverse Shell Outbound Connection Detected, not something you see every day. Fortunately, you were able to obtain the raw PCAPs and Splunk logs for this event. Can you analyze the network traffic and logs to reconstruct and stop a sophisticated attack aimed at stealing the "Crown Jewel" data?
Machine Access
To access the VM, click the Start Machine button below and give it up to five minutes to start. You will need the following to piece together the attack chain:
- Detailed network traffic capture challenge.pcap, which you can find in the network_traffic folder on the VM's Desktop
- Pre-ingested Splunk logs (index=network_logs), which can be accessed at MACHINE_IP:8000
From which internal IP did the suspicious connection originate?
What outbound connection was detected as a C2 channel? (Answer example: 1.2.3.4:9996)
Which MAC address is impersonating the gateway 10.10.10.1?
What is the non-standard User-Agent hitting the Jira instance?
How many ARP spoofing attacks were observed in the PCAP?
What's the payload containing the plaintext creds found in the POST request?
What domain, owned by the attacker, was used for data exfiltration?
After examining the logs, which protocol was used for data exfiltration?
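Two of the questions above (the MAC impersonating the gateway and the number of spoofing attacks) come down to one check on the ARP traffic in the capture: replies that bind a trusted IP to a MAC other than its real one. The block below is an added example, not the room's capture or tooling: it builds a small classic-format pcap in memory from constructed ARP replies, reads it back with nothing but struct, and counts the conflicting bindings per IP. The MAC and IP addresses are made up (10.10.10.1 is used as the gateway only because the question names it), the trusted IP-to-MAC table is assumed to come from DHCP leases, the switch CAM table or a clean baseline capture, and the reader handles the classic pcap format only, not pcapng.

```python
"""Spot ARP spoofing of a gateway in a pcap, with no third-party libraries.

Added example; not code or data from the TryHackMe room. The frames are
constructed in code and every MAC address is hypothetical.
"""
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
ARP_REPLY = 2
PCAP_MAGIC = 0xA1B2C3D4


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP reply (what a spoofer keeps sending)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def write_pcap(frames):
    """Classic pcap: 24-byte global header, then (ts_sec, ts_usec, incl, orig) + data."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


def read_pcap(data):
    """Return the list of raw frames; handles both byte orders of the classic format."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    if struct.unpack(endian + "I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    off, frames = 24, []
    while off + 16 <= len(data):
        _sec, _usec, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frames.append(data[off:off + incl])
        off += incl
    return frames


def parse_arp(frame):
    """(opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    smac = ":".join(f"{b:02x}" for b in frame[22:28])
    sip = ".".join(str(b) for b in frame[28:32])
    return op, smac, sip


def detect_arp_spoof(frames, trusted):
    """trusted maps IP -> legitimate MAC. Returns {ip: {rogue_mac: reply_count}}.

    Every ARP reply whose sender IP is trusted but whose sender MAC differs is a
    poisoning attempt; a single conflict is already worth an alert.
    """
    conflicts = defaultdict(lambda: defaultdict(int))
    for f in frames:
        parsed = parse_arp(f)
        if not parsed or parsed[0] != ARP_REPLY:
            continue
        _op, mac, ip = parsed
        if ip in trusted and mac != trusted[ip]:
            conflicts[ip][mac] += 1
    return {ip: dict(m) for ip, m in conflicts.items()}


def impersonator_of(conflicts, ip):
    """The rogue MAC that claimed ip most often, or None."""
    rogues = conflicts.get(ip, {})
    return max(rogues, key=rogues.get) if rogues else None


# Constructed scenario: one genuine gateway reply, then an attacker poisoning
# both the victim's view of the gateway and the gateway's view of the victim.
GATEWAY_IP, GATEWAY_MAC = "10.10.10.1", "52:54:00:aa:bb:01"
VICTIM_IP, VICTIM_MAC = "10.10.10.25", "52:54:00:aa:bb:25"
ATTACKER_MAC = "52:54:00:de:ad:01"
TRUSTED = {GATEWAY_IP: GATEWAY_MAC, VICTIM_IP: VICTIM_MAC}
SAMPLE_PCAP = write_pcap([
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # legitimate
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),  # victim poisoned
    build_arp_reply(ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),  # gateway poisoned
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
])

if __name__ == "__main__":
    found = detect_arp_spoof(read_pcap(SAMPLE_PCAP), TRUSTED)
    print(found, "gateway impersonated by", impersonator_of(found, GATEWAY_IP))
```

On a real capture, point read_pcap at the file bytes and build the trusted table from an authoritative source rather than from the first reply you see in the same pcap, since the attacker may have been poisoning the segment before the capture started. Wireshark reports the same condition as arp.duplicate-address-detected, which is a quick way to cross-check the count.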
Promotion Night
It was a glorious Friday at ProbablyFine Ltd. After weeks of sales calls and PoC demos, the team finally signed a contract with DeceptiTech - a major tech company recently hit with ransomware and in need of an MSSP. Monitoring was set to begin on Monday, but some of their clouds and on-premises systems had already been onboarded into the SIEM.
To celebrate the win, the entire SOC team headed out for a big team-building event.
Everyone except you, the Level 1 analyst covering the night shift, just in case.
The shift was quiet. Too quiet. Then a critical alert appeared: "Potential Ransom Note on DC-01". You blinked. Then blinked again. Then called your Level 2. No answer - just the automated message saying it's probably fine. Now, it's up to you to triage the alert alone. Tonight will either earn you the quickest promotion ever or be your last day at ProbablyFine. Good luck!
Machine Access
For this challenge, you are given a Splunk instance containing the scenario index. To access Splunk, click the Start Machine button below. Please give the VM up to five minutes to start and access it with this link from AttackBox or your VPN-connected device:
What was the network share path where ransomware was placed?
What is the value ransomware created to persist on reboot?
What was the most likely extension of the encrypted files?
Which MITRE technique ID was used to deploy ransomware?
What ports of SRV-ITFS did the adversary successfully scan?
What is the full path to the malware that performed the Discovery?
Which artifact did the adversary create to persist on the beachhead?
What is the MD5 hash of the embedded initial shellcode?
Which C2 framework was used by the adversary in the intrusion?
What hostname did the adversary log in from on the beachhead?
What was the UNC path that likely contained AWS credentials?
From which IP address did the adversary access AWS?
Which two sensitive files did the adversary exfiltrate from AWS?
What file did the adversary upload to S3 in place of the wiped ones?
Work in a SOC
Six incidents in your very first monitoring week, what a way to kick off your SOC role! Your reports are already in review by ProbablyFine seniors, and if this pace keeps up, that promotion might come sooner than expected. We hope you resolved each incident and are ready for life in a SOC as a battle-hardened analyst. Please share your First Shift experience in the form below:
Competitive Results
For the top 10 participants, see the scoreboard on the screenshot below. The challenges will be available for some time, but the prizes are defined according to the first four hours of the event:
[Come back on Monday!]
Thanks for Playing
From all of the TryHackMe team, a massive thank you for participating in this CTF! We hope you enjoyed the challenges and had a great time solving them. It was a pleasure having you all on board!
~ TryHackMe
Thanks for playing!