At this year’s YellowHat conference in Almere, the Dutch security community had the chance to participate in a Capture The Flag (CTF) competition organized by one of the conference sponsors - Blue Raven. Mehmet from Blue Raven did a great job setting up a CTF with realistic scenarios and datasets, which made it a lot of fun to solve the challenges.
Foreword
Being a big fan of CTFs and digital forensics and incident response (DFIR) in general, I couldn’t resist the temptation to participate. After numerous attempts to solve the first challenge and an enlightening tip from a colleague, I made some progress and solved the first 12 challenges.
To avoid running out of time, I decided to try something unconventional for the remaining challenges: I used AI to help me solve them. Professor Smoke aka Henning Rauch had teased the new Microsoft Fabric Real-Time Intelligence (RTI) capabilities during his talk at YellowHat, so I thought this would be a great opportunity to test them in a real-world scenario. Little did I know that the outcome would be surprising!
Preconditions
Azure Data Explorer
Because the CTF data was stored in an Azure Data Explorer (ADX) cluster, the prerequisite for using the Fabric RTI MCP server was already met: the server can query data in both Eventhouse and ADX. Besides that, I had already set up GitHub Copilot within Visual Studio Code in agent mode during previous AI ramblings.
Original image source: Microsoft
Dataset
The actual dataset used in the CTF consisted of Microsoft Defender XDR Advanced Hunting Data, Entra ID Logs and collected Windows Security Events:

Microsoft Fabric RTI MCP Server Setup
The setup of the Microsoft Fabric RTI Model Context Protocol (MCP) server is straightforward and well documented in the Microsoft Fabric RTI MCP GitHub repository.
Just make sure to configure the MCP server in your Visual Studio Code MCP server configuration file (mcp.json) so that it points to the ADX cluster and database where the CTF data is stored. Keep in mind that every query the model generates is executed against that cluster with your own credentials, so use an identity that only has viewer rights on the database in question.

‘AI Assisted’ CTF Time
After successfully testing the MCP server connection and making sure it was selected as a tool within GitHub Copilot, I was ready to start solving the remaining CTF challenges with AI assistance.
Malicious Service Modification
The first flag involved a malicious Windows service modification. No service modifications were visible in the DeviceEvents table; instead, the adversary had modified the ImagePath of a legitimate service to point to a malicious executable, which Microsoft Defender for Endpoint (MDE) records as a RegistryValueSet event in the DeviceRegistryEvents table.

GitHub Copilot and Fabric RTI made it look easy: they spotted the modification right away, along with a second service modification that turned out to be the subject of a later flag:

It also noticed the typosquatted executable name, which I had overlooked:

Under the hood, the following KQL query was submitted:
DeviceRegistryEvents
| where RegistryKey has "Services"
| where RegistryValueName == "ImagePath"
| where ActionType == "RegistryValueSet"
| where RegistryValueData has_any ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe", "\\temp\\", "\\appdata\\", "\\users\\", "WebService")
| project
Timestamp,
DeviceName,
RegistryKey,
RegistryValueData,
PreviousRegistryValueData,
InitiatingProcessAccountName,
InitiatingProcessFileName,
InitiatingProcessCommandLine
| sort by Timestamp desc
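The query above depends on a keyword list, so an ImagePath that is rewritten to a lookalike binary in a normal-looking system directory would slip through it. The following KQL query is an added example (not from the original post or from the Blue Raven CTF): it compares the previous and the new ImagePath of every rewritten service and classifies the change, with a crude lookalike flag for typosquatted names. It assumes the standard MDE Advanced Hunting DeviceRegistryEvents schema; the derived column names and the lookalike heuristic are my own.

```kusto
// Added example: diff old vs. new ImagePath instead of matching keywords.
// Assumes the standard DeviceRegistryEvents schema (Advanced Hunting).
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey has "Services" and RegistryValueName =~ "ImagePath"
| where isnotempty(PreviousRegistryValueData) and PreviousRegistryValueData !~ RegistryValueData
// normalise: drop quotes and case so "C:\Foo\bar.exe" and c:\foo\bar.exe compare equal
| extend NewPath = tolower(replace_string(RegistryValueData, '"', '')),
         OldPath = tolower(replace_string(PreviousRegistryValueData, '"', ''))
// split each path into a directory prefix and the executable name
| extend NewDir = extract(@"^(.*?)[^\\\s]+\.(?:exe|dll|sys)", 1, NewPath),
         NewExe = extract(@"^.*?([^\\\s]+\.(?:exe|dll|sys))", 1, NewPath),
         OldDir = extract(@"^(.*?)[^\\\s]+\.(?:exe|dll|sys)", 1, OldPath),
         OldExe = extract(@"^.*?([^\\\s]+\.(?:exe|dll|sys))", 1, OldPath)
| extend ServiceName = tostring(split(RegistryKey, @"\")[-1])
| extend Change = case(
      isempty(NewExe), "unparsed (not a plain binary path)",
      NewExe != OldExe, "binary replaced",
      NewDir != OldDir, "same binary name, different directory",
      "arguments or quoting changed")
// crude lookalike heuristic (mine): different name, same length, same first three
// characters, e.g. svchost.exe vs. svch0st.exe
| extend Lookalike = NewExe != OldExe
                     and strlen(NewExe) == strlen(OldExe)
                     and substring(NewExe, 0, 3) == substring(OldExe, 0, 3)
| project Timestamp, DeviceName, ServiceName, Change, Lookalike, OldPath, NewPath,
          InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Lookalike desc, Timestamp desc
```

The "same binary name, different directory" class is worth reviewing separately: it is the classic masquerading pattern in which the original name is kept but the binary now lives in a user-writable folder.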
Uncovering C2 Communication
Another flag required identifying the command and control (C2) communication initiated by a tampered FileZilla client used by the adversary. Again, Fabric RTI and GitHub Copilot made it easy to identify the suspicious network connections by looking for known C2 patterns in the DeviceNetworkEvents table.

Due to the context of a previous flag, Copilot extended the query with two notable additions:
- a Timestamp filter to only include events after the DLL hijacking took place on the target system
- an InitiatingProcessFileName filter to only include network connections initiated by filezilla.exe, the tampered FileZilla client
DeviceNetworkEvents
| where DeviceName has "workstation04"
| where Timestamp > datetime(2025-12-23T15:44:00Z)
| where InitiatingProcessFileName == "filezilla.exe"
| where RemoteUrl != ""
| project Timestamp, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessSHA1
| sort by Timestamp asc
While the suggested answer included both legitimate and malicious domains, the actual C2 domain used by the adversary was easy to spot:
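Going one step beyond the flat connection list, the following KQL query is an added example (not from the original post or from the CTF): it ranks the endpoints contacted by the tampered client by how regular their connection intervals are, since a C2 channel tends to produce many connections with a stable interval (low jitter) while update checks and FTP transfers do not. It assumes the standard Advanced Hunting DeviceNetworkEvents schema; host name and start time are taken from the query above, the minimum connection count and the column names are my own.

```kusto
// Added example: beacon regularity per remote endpoint for filezilla.exe on workstation04.
// Assumes the standard DeviceNetworkEvents schema (Advanced Hunting).
DeviceNetworkEvents
| where DeviceName has "workstation04"
| where Timestamp > datetime(2025-12-23T15:44:00Z)
| where InitiatingProcessFileName =~ "filezilla.exe"
| where ActionType in ("ConnectionSuccess", "ConnectionRequest", "ConnectionFailed")
// keep IP-only connections too: a C2 does not need a host name
| extend Endpoint = strcat(iff(isempty(RemoteUrl), RemoteIP, RemoteUrl), ":", RemotePort)
// prev() needs serialized input; sorting by endpoint, then time, yields per-endpoint deltas
| sort by Endpoint asc, Timestamp asc
| extend GapSec = iff(prev(Endpoint) == Endpoint,
                      datetime_diff("second", Timestamp, prev(Timestamp)),
                      long(null))
| summarize Connections = count(),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            MedianGapSec = percentile(GapSec, 50),
            GapStdev = stdev(GapSec),
            Hashes = make_set(InitiatingProcessSHA1, 3)
          by DeviceName, Endpoint, RemoteIP
| where Connections >= 5                        // threshold is mine: one-off lookups cannot beacon
| extend Jitter = iff(MedianGapSec > 0, round(GapStdev / MedianGapSec, 2), real(null))
| order by Jitter asc, Connections desc
```

Low Jitter with a high connection count is the row to look at first; legitimate FileZilla traffic usually shows up as a handful of connections with irregular gaps.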

Data Exfiltration via Archives
As part of the attack, the adversary exfiltrated data, and one of the flags was about identifying the folder path that had caught the attacker's attention.

Again, Copilot and Fabric RTI provided a very accurate KQL query to identify the data staged for exfiltration by looking for archive creation events in the DeviceFileEvents table:
DeviceFileEvents
| where DeviceName == "srv03.otrf.local"
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| where FileName endswith ".zip"
or FileName endswith ".rar"
or FileName endswith ".7z"
or FileName endswith ".tar"
or FileName endswith ".gz"
| project
Timestamp,
DeviceName,
ActionType,
FolderPath,
FileName,
FileSize,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
InitiatingProcessAccountName
| order by Timestamp desc
| take 50
Copilot then enriched the result by also querying the DeviceProcessEvents table to retrieve the full command line used to create the archive.
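The following KQL query is an added example (not from the original post or from the CTF) of that enrichment done in one go: it ties each archive created on the server to the process that created it, pulling in the parent process from DeviceProcessEvents (which DeviceFileEvents does not carry), and to the outbound connections that process made within the next hour. It assumes the standard Advanced Hunting schemas for DeviceFileEvents, DeviceProcessEvents and DeviceNetworkEvents; the host name is taken from the query above, the one-hour window and the column names are my own.

```kusto
// Added example: archive -> creating process (with parent) -> outbound connections.
// Assumes the standard Advanced Hunting schemas.
let host = "srv03.otrf.local";
let archives = DeviceFileEvents
| where DeviceName =~ host
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| where FileName matches regex @"(?i)\.(zip|rar|7z|tar|gz)$"
| project ArchiveTime = Timestamp, DeviceId, DeviceName, FolderPath, FileName, FileSize,
          InitiatingProcessId, InitiatingProcessCreationTime;
let creators = DeviceProcessEvents
| where DeviceName =~ host
| project DeviceId, ProcessId, ProcessCreationTime, ProcessCommandLine, AccountName,
          ParentFileName = InitiatingProcessFileName,
          ParentCommandLine = InitiatingProcessCommandLine;
let outbound = DeviceNetworkEvents
| where DeviceName =~ host and ActionType == "ConnectionSuccess"
| project ConnTime = Timestamp, DeviceId, InitiatingProcessId, InitiatingProcessCreationTime,
          RemoteIP, RemotePort, RemoteUrl;
archives
// a ProcessId alone is recycled; (DeviceId, ProcessId, ProcessCreationTime) is unique
| join kind=inner creators
    on DeviceId,
       $left.InitiatingProcessId == $right.ProcessId,
       $left.InitiatingProcessCreationTime == $right.ProcessCreationTime
| join kind=leftouter outbound
    on DeviceId, InitiatingProcessId, InitiatingProcessCreationTime
// keep archives without any connection, and connections within one hour after creation
| where isnull(ConnTime) or ConnTime between (ArchiveTime .. (ArchiveTime + 1h))
| summarize FirstConnection = min(ConnTime),
            Destinations = make_set_if(strcat(RemoteIP, ":", RemotePort), isnotempty(RemoteIP), 10)
          by ArchiveTime, DeviceName, FolderPath, FileName, FileSize, AccountName,
             ProcessCommandLine, ParentFileName, ParentCommandLine
| order by ArchiveTime asc
```

The parent command line is often the more telling column: an archiver started from a PowerShell one-liner or from a freshly dropped binary, rather than from explorer.exe, points at the staging step of the intrusion.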

Conclusion
After first solving half of the flags (12) 'manually', I let GitHub Copilot and Fabric RTI help me solve the remaining ones (13) in no time. The AI suggestions were surprisingly accurate and context-aware. This brings the use of AI in DFIR to a whole new level, as it can significantly speed up the investigation process.

Additional Insights
- I used GitHub Copilot with the 'Auto' model selection; Claude Sonnet 4.5 was selected most often as the underlying LLM.
- One flag required identifying additional suspicious activities by a specific user. While the AI detected the malicious mailbox rule creation, it overlooked the fact that the user had also consented to an OAuth application, even after I specifically prompted for it. (Unfortunately I forgot to take a screenshot of this one; sorry!)
- If I remember correctly, of the 13 flags solved with AI, 9 were solved with the first suggestion, 3 required additional interpretation and prompting because of multiple results, and the OAuth app related one wasn't really answered.
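For the flag the AI only half answered, the following KQL query is an added example (not from the original post or from the CTF) that puts the two user activities in question, inbox rule creation and OAuth application consent, on one timeline. It assumes that the Entra ID audit log is available as a table named AuditLogs with the Log Analytics schema (TimeGenerated, OperationName, InitiatedBy, TargetResources), that the Advanced Hunting CloudAppEvents table holds the Exchange Online audit records, and that AccountId in CloudAppEvents carries the user principal name; the user principal name itself is a constructed placeholder.

```kusto
// Added example: OAuth consent (Entra ID audit log) and inbox rules (CloudAppEvents)
// for one user, as a single timeline. Table and column names are assumptions, see above.
let suspect = "jane.doe@otrf.local";   // constructed placeholder, not a CTF value
let consents = AuditLogs
| where OperationName == "Consent to application"
| extend Actor = tolower(tostring(InitiatedBy.user.userPrincipalName))
| where Actor =~ suspect
// the consented service principal is the first target resource; its modified
// properties carry the granted scopes and the admin-consent flag
| extend Props = TargetResources[0].modifiedProperties
| mv-apply p = Props on (
      summarize Scopes = take_anyif(tostring(p.newValue), tostring(p.displayName) == "ConsentAction.Permissions"),
                AdminConsent = take_anyif(tostring(p.newValue), tostring(p.displayName) == "ConsentContext.IsAdminConsent")
  )
| project Timestamp = TimeGenerated, Actor, Activity = "OAuth consent",
          Target = tostring(TargetResources[0].displayName),
          Detail = strcat("admin=", AdminConsent, " ", Scopes);
let inboxRules = CloudAppEvents
| where ActionType in ("New-InboxRule", "Set-InboxRule", "Enable-InboxRule")
| where AccountId =~ suspect
// the cmdlet parameters live in RawEventData.Parameters as {Name, Value} pairs
| extend Params = RawEventData.Parameters
| mv-apply param = Params on (
      summarize RuleName = take_anyif(tostring(param.Value), tostring(param.Name) == "Name"),
                Actions = make_set_if(strcat(tostring(param.Name), "=", tostring(param.Value)),
                                      tostring(param.Name) in ("ForwardTo", "ForwardAsAttachmentTo",
                                                               "RedirectTo", "DeleteMessage", "MoveToFolder",
                                                               "MarkAsRead", "SubjectContainsWords",
                                                               "FromAddressContainsWords"))
  )
| project Timestamp, Actor = tolower(AccountId), Activity = strcat("Inbox rule: ", ActionType),
          Target = RuleName, Detail = tostring(Actions);
union consents, inboxRules
| order by Timestamp asc
```

Reading the two side by side is the point: a forwarding or delete rule created shortly before or after a consent that grants Mail.Read or offline_access is the combination a compromised-mailbox playbook looks for, and a query that only covers the inbox rule misses half of it.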
Personal Note
On a personal note, I believe solving a CTF with AI defeats the purpose of learning and training one’s problem-solving and analytical skills. However, it was a fun experiment to see how well AI can assist in solving complex challenges, and it certainly exceeded my expectations!
Given the increased velocity, I believe the role of AI in DFIR and incident analysis will become more prominent in the near future. For investigators with less KQL or domain-specific knowledge, AI can serve as a valuable learning aid, helping them understand complex concepts and techniques through context-aware suggestions and explanations. For seasoned investigators, AI can act as a force multiplier, automating routine tasks and surfacing insights that may not be immediately apparent, which lets them focus on the more complex aspects of the investigation and bring in their expertise about specific platforms, environments and threat actor TTPs.