Antisyphon Cyber Range: Forensic Follies

Posted on By

Hey everybody! 

We hope your holiday season was amazing and awesome and filled with mirth and merriment! Now that the holidays are over, it’s time to get back to work! To help you get back into the swing of things, we have some forensics fun for you. 

For screenshots and descriptions of this week’s additions, see below. 

Good luck and have fun!  
The Cyber Range Team 

P.S. If you’re not already signed up for the BHIS Antisyphon Cyber Range, the following page has screenshots, info, and, of course, a link where you can sign up and join in the fun:

https://www.antisyphontraining.com/cyber-range/ 

It's quite obvious, even to an average user, when KoVCxCjx.exe is running amongst the other processes. Wouldn't it be nice if we could just open a thread to another process? We've taken this process dump that we think our attacker had injected some code into. Take a look and find that flag!
That is one oddly named process.!
PLEASEEEE HELPPPP MEEEEE!!!! I stayed up super late last night working on an insanely cool presentation about some of my favorite meme templates to share with my friends. I was so tired last night that I forgot to lock my computer when I went to sleep, and one of my roommates decided to pull a prank. Somehow, he hid an image inside my presentation without putting it on any slides. Can you find it?
Dratted roommates… messing with my presentation.
Woah! Looks like someone was running some sort of password stealing program on one of our systems when it crashed. Fortunately, we had crash dumps enabled, so we managed to grab this dump of the program. Can you take a look and see if they were able to find anything? Note: Flag will be the NTLM hash of the password for Administrator
Somehow I don’t think this hash will be very tasty.
Even with the relative stability of operating systems these days, given the size of our enterprise, we still get a fair amount of blue screens/crashes. Normally, it’s not the sign of anything bad. We thought it might be interesting though to do an analysis of crashes in the tail. What is causing some of the lowest frequency crashes in our environment? Could it be evidence of some malware in our environment? We’d like you to take a look at this crash dump. Perhaps you’ll be able to see if there was anything malicious running on the system that caused the crash.
Thank goodness for crash dumps!
Cyber Range Updates Tags: