Case Overview:

Your bedroom door bursts open, shattering your pleasant dreams. Your mad scientist of a boss begins dragging you out of bed by the ankle. He simultaneously explains between belches that the FBI contacted him. They found his recently-developed Szechuan sauce recipe on the dark web. As you careen past the door frame you are able to grab your incident response “Go-Bag”. Inside is your trusty incident thumb drive and laptop.

Note: Some files may be corrupted just like in the real world. If one tool does not work for you, find another one.


Thanks, th3c0rt3x for reviewing the challenge.


| # | Question | Weight | Solved |
|---|----------|--------|--------|
| 1 | What's the Operating System of the Server? | 50 | 40 |
| 2 | What's the Operating System of the Desktop? | 50 | 38 |
| 3 | What was the IP address assigned to the domain controller? | 50 | 36 |
| 4 | What was the timezone of the Server? | 100 | 36 |
| 5 | What was the initial entry vector (how did they get in)? Provide the protocol followed by the attack name. | 100 | 29 |
| 6 | What was the malicious process used by the malware? | 100 | 28 |
| 7 | Which process did the malware migrate to after the initial compromise? | 100 | 25 |
| 8 | Identify the IP address that delivered the payload. | 100 | 28 |
| 9 | What IP address was the malware calling to? | 100 | 24 |
| 10 | Where did the malware reside on the disk? | 100 | 27 |
| 11 | What's the name of the attack tool you think this malware belongs to? | 100 | 27 |
| 12 | One of the involved malicious IPs is based in Thailand. What was the IP? | 100 | 23 |
| 13 | Another malicious IP once resolved to . What is this IP? | 100 | 22 |
| 14 | What are the names of the two files exfiltrated by the attacker (comma-separated without space)? | 150 | 21 |
| 15 | The attacker performed some lateral movement and accessed another system in the environment via RDP. What is the hostname of that system? | 150 | 23 |
| 16 | Other than the administrator, which user has logged into the Desktop machine? | 200 | 26 |
| 17 | What was the password for the "jerrysmith" account? | 200 | 17 |
| 18 | What was the original filename for Beth's secrets? | 200 | 23 |
| 19 | What was the content of Beth's secret file? | 200 | 22 |
| 20 | The malware tried to obtain persistence in a similar way to how Carbanak malware obtains persistence. What is the corresponding MITRE technique ID? | 300 | 24 |