PBQ — SIEM Rule Writing & Alert Correlation

PBQ HARD

SIEM Rule Writing & Multi-Stage Attack Correlation

SY0-701 Obj 4.4 · Alerting, Monitoring & SIEM

Your SIEM has generated 7 alerts across a 4-hour window. Forensics confirms a multi-stage ransomware attack with lateral movement via compromised credentials. You must: (1) select the correct Sigma detection rule for the initial access technique, (2) classify each alert by attack stage (MITRE ATT&CK), and (3) identify which two alerts represent the earliest point where automated containment would have stopped the attack chain.

📋 Reconstructed Attack Timeline (read-only context)

09:14MAIL-SRVUser jdoe opens phishing email attachment: invoice_Q4.docm Initial Access

09:15WS-JDOEWord spawns cmd.exe → PowerShell -enc [base64] downloads stager Execution

09:22WS-JDOELSASS memory read via Mimikatz — credential dump Cred Access

09:38WS-JDOEPsExec lateral movement → 3 hosts (10.0.0.31–33) Lateral Move

09:55DC-01Mimikatz dcsync — dumps all AD hashes Cred Access

11:02FILE-SRVBulk file rename: *.docx → *.locked — ransomware encryption begins Impact

11:04FILE-SRVREADME_DECRYPT.txt written to 847 directories Impact

Part 1 — Select the correct Sigma rule to detect the PowerShell stager (09:15 event)

🔍 Which Sigma rule best detects: Word spawning PowerShell with base64-encoded command?

detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains: '-enc'
  condition: selection
# Detects any PowerShell with -enc flag — too broad, many false positives detection:
  selection:
    ParentImage|endswith: '\winword.exe'
    Image|endswith: '\powershell.exe'
    CommandLine|contains: '-enc'
  condition: selection
# Detects Word specifically spawning encoded PowerShell — precise parent-child chain detection:
  selection:
    Image|endswith: '\cmd.exe'
    ParentImage|endswith: '\winword.exe'
  condition: selection
# Only detects Word → cmd.exe, misses the PowerShell execution stage detection:
  keywords:
    - 'powershell'
    - 'base64'
  condition: keywords
# Keyword match only — fires on any log mentioning powershell or base64, extremely noisy

Part 2 — Classify each SIEM alert by MITRE ATT&CK stage

Alert ID	Time	Signature	Sev
#A001	09:14	Office document macro execution — .docm opened by jdoe	HIGH
#A002	09:15	Suspicious parent-child: WINWORD.EXE → powershell.exe -enc [b64]	CRITICAL
#A003	09:22	LSASS process memory access — handle opened by non-system process	CRITICAL
#A004	09:38	PsExec service created on remote host 10.0.0.31	CRITICAL
#A005	09:55	DCSync detected — replication request from non-DC host WS-JDOE	CRITICAL
#A006	11:02	Mass file rename — 3,400 files renamed in 90 seconds on FILE-SRV	CRITICAL
#A007	11:04	Ransom note written to 847 directories — README_DECRYPT.txt	CRITICAL

Part 3 — Earliest Automated Containment Decision

If your SIEM/SOAR had automated host isolation on CRITICAL alerts, which alert — if acted upon immediately — would have prevented the ransomware stage from being reached? Select the earliest critical alert that should have triggered isolation of WS-JDOE.

What SOAR automated response should trigger on #A002?

All PBQ Labs