Gerhardus Stephanos was about to switch on the computer that manages one of the largest model train ecosystems in the Southern Hemisphere. However, just before he could, IT came running in. An apparent “cyber security” event at the company had forced them to shut down all systems. Sounds like a ransomware event, or “losprysware” in Afrikaans...
Can you help solve what happened? Gerhardus really needs the model trains up and running again...
If you haven't previously, sign up for an account via the following Google form: SIGN UP
Once registered, you’ll receive instructions on how to access the CTF system via email. When you sign up, you’ll get 500 points as a gift. No questions asked.
For this investigation, you will be presented with 30 questions relating to the incident together with a set of triage data from a host you are required to investigate.
Each question is worth 100 points. This means, there are 3,000 points up for grabs in the DikBek investigation.
Getting stuck? Each question has a hint that will help you to the correct answer. But, use it wisely as a hint will deduct 50 points.
Like guessing answers? Each wrong answer will result in a penalty of 10 points.
In Question 1, you will get a download link for your evidence.
The download is an 8MB zip archive named INV_Losprys_Triage.zip (MD5: 786bce79419767fd7c4649a76e5fa7fd)
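Before opening any evidence, confirm that the archive you downloaded is the one the organisers published by recomputing its hash and comparing it with the MD5 given above. The script below is an added example, not part of the challenge materials; it takes the archive name and expected MD5 from the text above, hashes the file in chunks (so a large triage archive is never loaded into memory in one go), and records a SHA-256 alongside the MD5 for your own case notes.

```python
import hashlib
import hmac
import sys

# Values taken from the challenge description above.
ARCHIVE_NAME = "INV_Losprys_Triage.zip"
EXPECTED_MD5 = "786bce79419767fd7c4649a76e5fa7fd"


def _digests_from_chunks(chunks) -> dict:
    """Feed an iterable of byte chunks through MD5 and SHA-256 in a single pass."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    for chunk in chunks:
        md5.update(chunk)
        sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def digests_of_bytes(data: bytes) -> dict:
    """Digests of an in-memory byte string (handy for small inputs and tests)."""
    return _digests_from_chunks([data])


def md5_hex(data: bytes) -> str:
    return digests_of_bytes(data)["md5"]


def file_digests(path: str, chunk_size: int = 1 << 20) -> dict:
    """Digests of a file on disk, read in 1 MiB chunks."""
    with open(path, "rb") as fh:
        return _digests_from_chunks(iter(lambda: fh.read(chunk_size), b""))


def digest_matches(actual_hex: str, expected_hex: str) -> bool:
    """Case-insensitive comparison of two hex digests (hash tools differ in case)."""
    return hmac.compare_digest(actual_hex.lower(), expected_hex.lower())


def verify_archive(path: str, expected_md5: str = EXPECTED_MD5) -> bool:
    """True when the file's MD5 equals the published value; prints both digests
    so they can be copied into the investigation notes either way."""
    digests = file_digests(path)
    ok = digest_matches(digests["md5"], expected_md5)
    print(f"{path}")
    print(f"  md5:    {digests['md5']}  ({'MATCH' if ok else 'MISMATCH - do not use'})")
    print(f"  sha256: {digests['sha256']}")
    return ok


if __name__ == "__main__":
    # Usage: python verify_evidence.py [path-to-archive]
    target = sys.argv[1] if len(sys.argv) > 1 else ARCHIVE_NAME
    sys.exit(0 if verify_archive(target) else 1)
```

A mismatch usually means a truncated or corrupted download rather than tampering, but in either case re-download rather than proceeding: every later answer depends on the evidence being the evidence the questions were written against.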
This archive contains the following two archives:
The Maize Train Transport Simulator (MTTS), Bothaville, South Africa.
Gerhardus Stephanos has been the manager of the Maize Train Transport Simulator (MTTS) for the past 5 years. MTTS has been a very successful public-private partnership between the Bothaville Maize Transport association and the South African government.
The MTTS system started as a fully fledged train simulator, using model trains to simulate optimizations in the loading and transporting of maize products.
Due to it becoming one of the largest working model train simulators in the Southern Hemisphere, its allure as a tourist attraction also grew exponentially. Recently, the MTTS Youtube live stream which shows the trains in action reached the 1 million subscriber mark. Needless to say, the continuous operation of the entire model train ecosystem at MTTS is of utmost importance.
On Monday, 24 July 2021, Gerhardus reported for duty shortly after 08:00. Instead of the usual sight of trains whirring by in the simulation arena, he was met with deafening silence.
“That’s odd” he thought as he walked over to his desk to take a look at the controller computer. It was shut down. Just as he was about to switch it on, someone from IT ran in, hands waving, shouting at him to leave it off.
Long story short, there appears to have been some sort of “cyber security” event that took place at MTTS. Some even whispered that it could be Cyber War.
Either way, you, the trusty analyst, have been tasked to investigate what happened. Based on some keen analytical work, you’ve been able to narrow the cause of the incident down to a single system and are now in a position to start analyzing the provided event logs from the host. Luckily for you, Sysmon was running on that host (nudge nudge wink wink).
For your triage, you’ve been provided with all the Windows event logs from the host.
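A first pass over Sysmon data is usually the same regardless of the case: count which event IDs are present, then read the process-creation records (Event ID 1) in time order. The script below is an added example and not part of the challenge materials. It assumes the Sysmon channel has been exported to XML, for instance with `wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml` on the host, or `wevtutil qe <file>.evtx /lf:true /f:xml` against a collected .evtx; that export is a bare sequence of `<Event>` elements with no root, which the parser wraps. The three records embedded in it are constructed to show the shape of the data, not taken from the challenge evidence.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace declared on every <Event> in Windows event XML.
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample (not challenge data) in the shape `wevtutil ... /f:xml` emits.
SAMPLE_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>
    <TimeCreated SystemTime="2021-07-24T05:58:41.000000Z"/><Computer>MTTS-CONTROLLER</Computer></System>
  <EventData>
    <Data Name="UtcTime">2021-07-24 05:58:41.000</Data>
    <Data Name="Image">C:\Windows\System32\notepad.exe</Data>
    <Data Name="CommandLine">notepad.exe C:\MTTS\schedule.txt</Data>
    <Data Name="User">MTTS\gerhardus</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>
    <TimeCreated SystemTime="2021-07-24T06:02:10.000000Z"/><Computer>MTTS-CONTROLLER</Computer></System>
  <EventData>
    <Data Name="UtcTime">2021-07-24 06:02:10.000</Data>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="CommandLine">powershell.exe -File C:\Scripts\backup.ps1</Data>
    <Data Name="User">MTTS\svc_backup</Data>
    <Data Name="ParentImage">C:\Windows\System32\svchost.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>11</EventID>
    <TimeCreated SystemTime="2021-07-24T06:05:00.000000Z"/><Computer>MTTS-CONTROLLER</Computer></System>
  <EventData>
    <Data Name="UtcTime">2021-07-24 06:05:00.000</Data>
    <Data Name="Image">C:\MTTS\TrainController.exe</Data>
    <Data Name="TargetFilename">C:\MTTS\logs\run-2021-07-24.log</Data>
  </EventData>
</Event>
"""


def _wrap(xml_text: str) -> str:
    """wevtutil's export has no root element; add one so ElementTree accepts it."""
    stripped = xml_text.strip()
    if stripped.startswith("<Events"):
        return stripped
    return "<Events>" + stripped + "</Events>"


def parse_events(xml_text: str) -> list:
    """Flatten each <Event> into a dict: System fields plus every EventData/Data by Name."""
    root = ET.fromstring(_wrap(xml_text))
    events = []
    for ev in root.findall("e:Event", EVT_NS):
        time_created = ev.find("e:System/e:TimeCreated", EVT_NS)
        rec = {
            "EventID": int(ev.findtext("e:System/e:EventID", default="0", namespaces=EVT_NS)),
            "TimeCreated": time_created.get("SystemTime", "") if time_created is not None else "",
            "Computer": ev.findtext("e:System/e:Computer", default="", namespaces=EVT_NS),
        }
        for data in ev.findall("e:EventData/e:Data", EVT_NS):
            rec[data.get("Name", "")] = (data.text or "").strip()
        events.append(rec)
    return events


def event_id_histogram(events) -> Counter:
    """Which Sysmon event types are present and how often; the first triage question."""
    return Counter(e["EventID"] for e in events)


def filter_by_event_id(events, event_id: int) -> list:
    return [e for e in events if e["EventID"] == event_id]


def process_creations(events) -> list:
    """Event ID 1 records as (time, user, parent image, command line), oldest first."""
    rows = sorted(filter_by_event_id(events, 1), key=lambda e: e["TimeCreated"])
    return [(e["TimeCreated"], e.get("User", ""), e.get("ParentImage", ""), e.get("CommandLine", ""))
            for e in rows]


if __name__ == "__main__":
    # Usage: python sysmon_triage.py [exported.xml]; with no argument the sample is used.
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_XML
    evs = parse_events(text)
    for event_id, count in sorted(event_id_histogram(evs).items()):
        print(f"Event ID {event_id:>3}: {count}")
    for row in process_creations(evs):
        print(" | ".join(row))
```

The `utf-8-sig` encoding strips the byte-order mark that `wevtutil` writes when its output is redirected to a file; without it the first `<Event>` fails to parse. The same flattening works for the other Sysmon event types (network connections, file creates, registry events) because every record's fields arrive as `<Data Name="...">` children, so adding a view for another event ID is a matter of picking the field names you care about.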
Can you successfully answer all the questions and give the ‘all clear’ to the board so that the train simulator can start running again?