Hey everybody!
Can you believe it’s Thanksgiving again! For those of us in the U.S., that’s a big deal, and an iron-clad excuse to overindulge in turkey, cranberry sauce, and other delectable delights!
And since a lot of you may have extra time on your hands, we’re dishing up a set of forensics challenges to help you while away the hours between bingeing on your favorite holiday foods. Gobble, gobble!
For screenshots and descriptions of this week’s additions, see below.
Good luck and have fun!
The Cyber Range Team
![An image depicting a Thanksgiving dinner.](https://www.antisyphontraining.com/wp-content/uploads/2023/10/Thanksgiving-1024x574.png)
P.S. If you’re not already signed up for the BHIS Antisyphon Cyber Range, the following page has screenshots, info, and, of course, a link where you can sign up and join in the fun:
https://www.antisyphontraining.com/cyber-range/
![Stop what you're doing! We've been hacked! A memory dump of the compromised system is available here. There appear to be a couple of pieces of malware on our system, and we need you to identify them. One of them appears to be a binary backdoored with Meterpreter that is calling home. Can you find which process is responsible?](https://www.antisyphontraining.com/wp-content/uploads/2023/10/Hold-The-Phone.png)
![Sysmon is a powerful tool for logging various system activities to the Windows event log service. Among its many capabilities lies the ability to record when one process accesses another. Some remote process accesses are perfectly benign; consider the open source Process Hacker, which reads other processes' memory to accurately report information about them. On the other hand, various credential stealing and injection techniques use the same underlying functions. Unfortunately, Sysmon isn't always able to tell the difference...](https://www.antisyphontraining.com/wp-content/uploads/2023/10/Needle-In-A-Haystack.png)
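As an added illustration of the triage problem the Needle In A Haystack challenge describes (this is not code from the post or the Cyber Range), here is a small script that sorts exported Sysmon Event ID 10 (ProcessAccess) records by the Windows access rights granted; the allow-list, the target list and the sample records are constructed assumptions:

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records exported as dicts."""
import ntpath

# Standard Windows process access rights (from winnt.h).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# Assumed allow-list: tools that legitimately read other processes' memory.
# Matching on file name alone is weak; a real rule should also check the
# signed path, since anything can be renamed to look like a known tool.
ALLOWED_SOURCES = {"processhacker.exe"}
# Assumed list of targets whose memory holds credential material.
CREDENTIAL_TARGETS = {"lsass.exe"}


def _name(image):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(image).lower()


def classify(event):
    """Return a verdict for one Event ID 10 record."""
    src, dst = _name(event["SourceImage"]), _name(event["TargetImage"])
    access = int(event["GrantedAccess"], 16)  # Sysmon logs a hex string
    if src in ALLOWED_SOURCES:
        return "benign-tool"
    if dst in CREDENTIAL_TARGETS and access & PROCESS_VM_READ:
        return "credential-read"
    if access & (PROCESS_VM_WRITE | PROCESS_CREATE_THREAD):
        return "possible-injection"
    return "low-interest"


def triage(events):
    """Keep only records worth an analyst's attention."""
    out = []
    for e in events:
        verdict = classify(e)
        if verdict != "low-interest":
            out.append((e["SourceImage"], e["TargetImage"], verdict))
    return out


# Constructed sample records (field names follow Sysmon's Event ID 10 schema).
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Tools\ProcessHacker.exe", "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"SourceImage": r"C:\Users\bob\AppData\Local\Temp\updater.exe", "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x2A"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for src, dst, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict:20} {src} -> {dst}")
```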
![Our Linux server has a backdoor! We are not sure what's triggering the backdoor, but we believe it's some password hidden in plain sight. Take a look at this pcap file, find the backdoor, and tell us the password used to trigger the backdoor.](https://www.antisyphontraining.com/wp-content/uploads/2023/10/Write-Here.png)
![We've identified a particularly cleverly named piece of malware on the hacked system you investigated in the image used in Hold The Phone! They named it malware.exe. Threat intelligence reports that it was about to write critical information into a file. Can you identify the path of the file?](https://www.antisyphontraining.com/wp-content/uploads/2023/10/Prismatic.png)