On August 20, 2020 we ran our first SCYTHE User Conference, UniCon, our very own unicorn conference. It was a day packed with amazing speakers, lightning talks, briefings, the release of the Marketplace, and a brand new Capture the Flag called “Know Your Payload”. This post will focus on the CTF which was created in collaboration between SCYTHE, the C2 Matrix, SANS, and CounterHack. The scoreboard was hosted by Netwars.
We have a brand new CTF that will debut. This one is for the entire Purple Team, whether you are Red Team, Security Operations, Hunt Team, or Digital Forensics and Incident Response. We all need to know what our payloads do before deploying them in an environment. We will create various synthetic malware and you will need to tell us what they do!
We’ve detected malicious activity on an endpoint after a recruiter downloaded a resume.doc which executed some sort of malware. We were able to take that endpoint offline before it could do any major damage (we think), but we’d like you to investigate what exactly the executable does. This CTF will be 3 levels and require you to run 3 different pieces of synthetic malware and analyze what it does. Level 1 and 2 are question/answer format while level 3 asks you to go way deeper. More details coming soon!
Players registered or logged in to Netwars and provided an Access Code to get into the Know Your Payload CTF.
Rules were simple and displayed before starting the game
The game play was simple and the Netwars platform allowed us to explain to the player what would occur. At a high level:
As SCYTHE has THE best swag, we had to give it away for everyone participating and some better swag for the winners so we offered various prizes:
To win the grand prize, the player had to perform full forensic analysis of level3.exe and document it. The winners were announced at the “SANS Tech Tuesday Workshop - C2Matrix - Know Your Tool CTF” where full walkthroughs were provided.
We had many submissions and it was truly hard to pick the best. Below are the 3 winners as described in the Prizes section:
We want to thank everyone from SCYTHE, the C2 Matrix, SANS, and CounterHack for the support creating this CTF. It was an attempt at something new and it went very well. We hope to build this out and run it again at another conference!
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io.