This cmdlet uses the verb 'Set' and lets you change your current working directory in PowerShell, similar to the cd command in a standard terminal.
What is Set-Location?
You run this single command in a Windows terminal. What does it return?
What is the current logged-in username (and domain)?
Running Get-EventLog to review login history after a suspected breach
What is a Blue Team technique? (Defenders use logs to investigate incidents.)
Fill in the blank to sort processes by CPU usage, highest first.
What is Sort-Object?
One failed login for the Administrator account. On its own, this is most likely this: a common, non-alarming occurrence.
What is user error (a single mistyped password)?
In PowerShell, every command follows a Verb-Noun structure. This cmdlet whose verb means to retrieve returns a list of all currently running processes on a machine.
What is Get-Process?
Running this PowerShell cmdlet with no arguments returns this: the one thing that tells you exactly where you are in the file system.
What is the current working directory path?
Using net user hacker /add to create a rogue local account on a compromised machine.
What is a Red Team technique? (Note that nothing about this account is hidden: it shows up in net user and Get-LocalUser, which is exactly what a defender should audit.)
Add the flag that makes Get-ChildItem search all subfolders, not just the top level.
What is -Recurse?
847 failed logins in ten minutes, all targeting the Administrator account from one IP. What type of attack is this?
What is a brute force attack?
This cmdlet's verb means to test or check. Sysadmins commonly use it to verify whether a remote machine is reachable on the network: PowerShell's version of ping, with more options, such as checking whether a specific TCP port is open.
What is Test-NetConnection?
This cmdlet outputs a table. Each row represents one of these: objects that exist on the local machine and can be used to log in.
What are local user accounts?
Running Get-Process and Stop-Process to identify and kill a suspicious executable
What is a Blue Team technique? (Incident responders terminate malicious processes.)
Get-Process | Where-Object { $_.CPU -gt ___ }
What is 50? (Caveat: the CPU property that Get-Process exposes is cumulative processor time in seconds, not a percentage, so this filters on total time consumed, not on current load.)
net user backdoor P@ssw0rd123 /add
net localgroup administrators backdoor /add
What is creating a rogue admin account (for persistence / maintaining access)? (The account is not actually hidden; it appears in net user, net localgroup administrators and Get-LocalUser, and its creation is logged as Security Event ID 4720.)
This cmdlet invokes — that's its verb — a web request. Security teams use it to test endpoints, and attackers have been known to use it to download malicious payloads from remote servers.
What is Invoke-WebRequest?
This pipeline returns a filtered table. Name the two columns a contestant would see in the output.
What are InterfaceAlias and IPAddress?
Using Invoke-WebRequest to download a script from a remote server, then executing it directly in memory without writing it to disk.
What is a Red Team technique? (This is called a fileless attack: it sidesteps file-based antivirus scanning by never writing the payload to disk, though AMSI and PowerShell script block logging can still see the script as it runs.)
Complete this pipeline to count how many failed login events exist in the Security log.
What is Measure-Object?
A Word document spawned a PowerShell process running an encoded command. What type of attack does this indicate?
What is a macro-based attack (or malicious Office macro / phishing document)?
This two-word PowerShell cmdlet uses the verb 'Get' and retrieves entries from the classic Windows Event Logs. Paired with the right filters, it's one of the first tools a defender reaches for during an incident.
What is Get-EventLog? (Windows PowerShell 5.1 only; PowerShell 7 dropped it in favour of Get-WinEvent, which also reads the newer ETW-based logs.)
This command filters the Security event log for Event ID 4625. What activity does that specific Event ID indicate?
What is a failed login attempt? (Its successful counterpart is Event ID 4624.)
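A worked version of the brute-force, Measure-Object and Event ID 4625 clues above, added here as an example and not part of the original quiz. It counts failed logons in the Security log over the last ten minutes and groups them by source IP and target account; the ten-minute window and the threshold of 50 are assumed tuning values, and the Security log can only be read from an elevated (Administrator) PowerShell.

```powershell
# Added example, not from the original quiz: count 4625 failed logons in the
# last 10 minutes and group them by source IP and target account.
# Requires an elevated PowerShell. The window and threshold are assumptions.
$window    = (Get-Date).AddMinutes(-10)
$threshold = 50

# -FilterHashtable is applied by the event log service, not after the fact
$failed = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $window
} -ErrorAction SilentlyContinue

# Total count: the Measure-Object step from the quiz
$total = ($failed | Measure-Object).Count
"Failed logons since $($window.ToString('HH:mm')): $total"

# Pull TargetUserName, IpAddress and LogonType out of each event's XML body
$rows = foreach ($e in $failed) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Target    = $d['TargetUserName']
        SourceIP  = $d['IpAddress']
        LogonType = $d['LogonType']
    }
}

# One source IP hammering one account past the threshold is the brute-force signature
$rows | Group-Object SourceIP, Target |
    Where-Object { $_.Count -ge $threshold } |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Get-WinEvent is used rather than Get-EventLog because it works in both Windows PowerShell 5.1 and PowerShell 7. Local logon failures show a SourceIP of "-", and LogonType 3 (network) from a single remote address is the pattern in the 847-attempts clue.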
This one's tricky. Scanning your own network with Test-NetConnection across a range of ports to identify open services before an attacker does.
What is a Blue Team technique? (Proactive port scanning of your own assets to map the exposed attack surface, also called defensive reconnaissance.)
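An added example of the port sweep described in the clue above, not from the original page. The target address and port list are assumptions; 192.0.2.0/24 is reserved for documentation, so replace it with a host you are authorized to scan.

```powershell
# Added example, not from the original quiz: sweep a short list of ports on a
# host you are authorized to test. $target and $ports are assumed values.
$target = '192.0.2.10'   # documentation address, substitute your own host
$ports  = 21, 22, 23, 80, 135, 139, 443, 445, 3389, 5985

# -InformationLevel Quiet makes Test-NetConnection return a plain $true/$false;
# -WarningAction SilentlyContinue hides the "TCP connect failed" warnings
$results = foreach ($p in $ports) {
    $open = Test-NetConnection -ComputerName $target -Port $p `
                -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Host = $target; Port = $p; Open = $open }
}

# Report only the listening services, i.e. what an attacker would also find
$results | Where-Object Open | Format-Table -AutoSize
```

Each closed port waits for the TCP connect timeout before Test-NetConnection returns, so sweeping all 65535 ports this way is impractical; keep the list to the services you care about. The scan is also noisy, which for a defender is a feature: it is a cheap way to confirm that your own port-scan detections fire.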
Get-ChildItem C:\ -Recurse -ErrorAction SilentlyContinue |
Where-Object { $_.LastWriteTime -gt (______).AddDays(-1) } |
Select-Object FullName, LastWriteTime
What is Get-Date?
23:47 - powershell.exe launched
23:47 - Invoke-WebRequest to 185.220.x.x
23:48 - New file: C:\Temp\update.exe
23:48 - update.exe executed
23:49 - net user /add called
23:49 - Scheduled task created: "WindowsUpdate"
What is: the attacker downloaded a malicious executable, ran it, created a backdoor user, and established persistence via a scheduled task?
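Added example, not part of the original quiz: a triage script that hunts the local host for the last three steps of the timeline above (the dropped executable, the new account and the scheduled task). The 24-hour window and the C:\Temp path are assumptions, and it needs an elevated PowerShell. Event ID 4720 (user account created) is enabled by default on Windows, while 4698 (scheduled task created) requires the "Audit Other Object Access Events" subcategory to be turned on, so a missing 4698 does not prove no task was created; the Get-ScheduledTask listing covers that gap.

```powershell
# Added example, not from the original quiz: hunt for the account creation,
# dropped executable and scheduled task from the timeline. Requires an
# elevated PowerShell. The 24-hour window and C:\Temp are assumptions.
$since = (Get-Date).AddDays(-1)

# 4720 = user account created, 4698 = scheduled task created
# (4698 is only logged if "Audit Other Object Access Events" is enabled)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4720, 4698
    StartTime = $since
} -ErrorAction SilentlyContinue

$events |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# Executables written to C:\Temp in the window (the update.exe drop)
Get-ChildItem C:\Temp -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
    Where-Object LastWriteTime -gt $since |
    Select-Object FullName, LastWriteTime, Length

# Scheduled tasks that live outside the \Microsoft\ tree: a task named
# "WindowsUpdate" registered at the root is the kind of mimicry to look for
Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    Select-Object TaskName, TaskPath, State, @{ n = 'Exec'; e = { $_.Actions.Execute } }
```

Pair the 4720 hit with net user or Get-LocalUser to confirm the account still exists, and check net localgroup administrators for the privilege escalation shown in the net localgroup clue; an attacker who cleared the Security log leaves the account and the task behind even when the events are gone.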