SCYTHE Library: UniCon CTF - Know Your Payload

Written by Jorge Orchilles | Aug 25, 2020 4:00:00 AM

On August 20, 2020 we ran our first SCYTHE User Conference, UniCon, our very own unicorn conference. It was a day packed with amazing speakers, lightning talks, briefings, the release of the Marketplace, and a brand new Capture the Flag called “Know Your Payload”. This post will focus on the CTF which was created in collaboration between SCYTHE, the C2 Matrix, SANS, and CounterHack. The scoreboard was hosted by Netwars.

We have a brand new CTF that will debut. This one is for the entire Purple Team, whether you are Red Team, Security Operations, Hunt Team, or Digital Forensics and Incident Response. We all need to know what our payloads do before deploying them in an environment. We will create various pieces of synthetic malware and you will need to tell us what they do!

Narrative

We’ve detected malicious activity on an endpoint after a recruiter downloaded a resume.doc which executed some sort of malware. We were able to take that endpoint offline before it could do any major damage (we think), but we’d like you to investigate what exactly the executable does. This CTF has 3 levels and requires you to run 3 different pieces of synthetic malware and analyze what each one does. Levels 1 and 2 are in question/answer format, while level 3 asks you to go much deeper. More details coming soon!

Game Play

Players registered or logged in to Netwars and entered an Access Code to get into the Know Your Payload CTF.

The rules were simple and were displayed before starting the game:

  • Please don't attack any of the infrastructure. It's all out-of-scope!
  • Be careful running our payloads. They are relatively inert, but they should still be contained to a non-production Windows 10 virtual machine.

The game play was simple, and the Netwars platform allowed us to explain to the player what would occur. At a high level:

  • You will be required to download a different payload per level:
      • Level1.zip - password: level1
      • Level2.zip - password: level2
      • Level3.zip - password: level3
  • Some challenges do not require execution, but many will
  • Level 1 and Level 2 only heartbeat/beacon home
  • Level 3 does more...
  • Hints available in game

Prizes

As SCYTHE has THE best swag, we had to give some away to everyone participating and save the better swag for the winners, so we offered various prizes:

  • Participation Prize: Stickers for everyone that registered for the UniCon CTF.
  • Shirt for everyone that gets to level 3.
  • 3 Grand Prizes: Best Technical Write Up, Creative Write Up, and a Random Write Up

To win a grand prize, the player had to perform a full forensic analysis of level3.exe and document it. The winners were announced at the “SANS Tech Tuesday Workshop - C2Matrix - Know Your Tool CTF”, where full walkthroughs were provided.

Statistics

  • 112 registered
  • 87 scored points
  • 70 got to level 2
  • 54 got to level 3
  • 270 Active Empire Agents
  • 122 Active PoshC2 Agents

Winners

We had many submissions, and it was truly hard to pick the best. Below are the 3 winners in the categories described in the Prizes section:

Conclusion

We want to thank everyone from SCYTHE, the C2 Matrix, SANS, and CounterHack for their support in creating this CTF. It was an attempt at something new, and it went very well. We hope to build it out further and run it again at another conference!

About SCYTHE

SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io.