Gerhardus Stephanos was about to switch on the computer that manages one of the largest model train ecosystems in the Southern Hemisphere. However, just before he could, IT came running in. An apparent “cyber security” event at the company had forced them to shut down all systems. Sounds like a ransomware event, or “losprysware” in Afrikaans…
Can you help solve what happened? Gerhardus really needs the model trains up and running again…
NOTE AND TIPS:
In this challenge, you’ll be tasked to investigate events on a compromised host.
These events were orchestrated using known TTPs used by attackers in current Ransomware attacks.
Please be aware that malicious domains contained in the logs could still be live, and should be treated with the necessary caution. The same goes for malicious powershell scripts etc.
Want to read more on real world intrusions? Check out the great work from the folks over at https://thedfirreport.com/
HOW IT WORKS:
If you haven’t previously, sign up for an account via the following Google form: SIGN UP
Once registered, you’ll receive instructions on how to access the CTF system via email. When you sign up, you’ll get 500 points as a gift. No questions asked.
For this investigation, you will be presented with 30 questions relating to the incident together with a set of triage data from a host you are required to investigate.
Each question is worth 100 points. This means, there are 3,000 points up for grabs in the DikBek investigation.
Getting stuck? Each question has a hint that will help you to the correct answer. But, use it wisely as a hint will deduct 50 points.
Like guessing answers? Each wrong answer will result in a penalty of 10 points.
In Question 1, you will get a download link for your evidence.
The download is for a 8MB zip archive named INV_Losprys_Triage.zip (MD5: 786bce79419767fd7c4649a76e5fa7fd)
This archive contains the following two archives:
This archive contains all the Windows event logs contained on the host in question.
Luckily, someone installed Sysmon on the host… This data can be processed by any tool of your choosing, or even manually reviewed.
This archive contains a CSV output file after processing all the event logs with the latest version of Eric Zimmerman’s Evtx Explorer (EvtxECmd) You can get more information about the tool here (https://ericzimmerman.github.io/#!index.md)
Note: Best would be to import the CSV file into a tool such as Excel or Eric Zimmerman’s EZViewer tool, available here: https://ericzimmerman.github.io/#!index.md
Make sure to sort it according to date…
It is up to you if you want to reprocess the raw EVTX logs, or use the provided Eventlog Explorer CSV file. Either is sufficient to answer all the questions.
The Maize Train Transport Simulator (MTTS), Bothaville, South Africa.
Gerhardus Stephanos has been the manager of the Maize Train Transport Simulator (MTTS) for the past 5 years. MTTS has been a very successful public-private partnership between the Bothaville Maize Transport association and the South African government.
The MTTS system started as a fully-fledged train simulator, using model trains to simulate optimizations in the loading and transporting of maize products.
Due to it becoming one of the largest working model train simulators in the Southern Hemisphere, its allure as a tourist attraction also grew exponentially. Recently, the MTTS Youtube live stream which shows the trains in action reached the 1 million subscriber mark. Needless to say, the continuous operation of the entire model train ecosystem at MTTS is of utmost importance.
On Monday, 24 July 2021, Gerhardus reported for duty shortly after 08:00. Instead of the usual site of trains whirring by in the simulation arena, he was met with deafening silence.
“That’s odd” he thought as he walked over to his desk to take a look at the controller computer. It was shut down. Just as he was about to switch it on, someone from IT ran in, hands waving, shouting at him to leave it off.
Long story short, there appears to have been some sort of “cyber security” event that took place at MTTS. Some even whispered that it could be Cyber War.
Either way, you, the trusty analyst, have been tasked to investigate what happened. Based on some keen analytical work, you’ve been able to narrow the cause of the incident down to a single system and are now in a position to start analyzing the provided event logs from the host. Luckily for you, Sysmon was running on that host (nudge nudge wink wink).
For your triage, you’ve been provided with all the Windows Eventlogs from the host.
Can you successfully answer all the questions and give the ‘all clear’ to the board so that the train simulator can start running again?