On Tuesday, August 2nd, 2022, I created a playground consisting of 23 systems: ten Windows 10 machines, ten Windows 11 machines, one Velociraptor server, and one Windows Server 2019 machine compromised with a persistent remote access trojan that communicated with an attacker machine hosted outside of the US.
I created a few questions that I felt would be interesting and posted them as a quasi CTF/practice exercise, with instructions on GitHub.
I then made the Velociraptor server publicly accessible, tweeted about it, and stated that it would be available for three days.
Interestingly enough, and much to my surprise, many people took me up on the opportunity and requested access to the server. Everyone who requested access got a chance to explore the telemetry collected by the Velociraptor server. The playground remained up for the promised three days, and on Friday we did a walkthrough of many of the steps outlined in the CTF instructions.
Below is the walkthrough of the CTF/practice questions, with a screenshot of the data for each. Prior to taking down the playground, I used a custom-built offline Velociraptor collector to create a triage image of the compromised server. By the time you read this, the infrastructure will no longer be up; nevertheless, you can follow along and find the evil by analyzing the triage image with your tools of choice.
Download the triage image from here...
Watch the walkthrough here...