On 7 February 2019, Nagarro and Cybereason invite you to a 'Bring Your Own Malware' Party!

Where: Brew Dog BD57 Grünerløkka, Markveien 57 Oslo

Date: Thursday, 7 February 2019

Time: 18:00-21:00

You bring your hacking A-game, while we provide beer and snacks. Measure your hacking skills against Cybereason's EDR and hunting engine. Your goal is to compromise a corporate network without detection, landing on a client computer, before pivoting to a domain controller and obtaining a secret file from the DC.
In the end, your goal is to bring havoc to the environment, in any way you might choose. 

The main prize: noise cancelling wireless Bose Headphones!

- The environment consists of two Windows machines, fully patched and running the Cybereason agent.
- One machine is running Windows 10 and the other Windows 2016 Server.
- The client is joined to an Active Directory domain, and the server is the DC of the same domain.
- You have access to a Kali Linux server running in AWS for Command and Control and a laptop with ssh access to this server.
- One domain is pointing at the attack server.
- You have 10 minutes for the attack, with a 5 minute extension after initial compromise is achieved.
- You get points based on the number of activities in the kill chain you are able to perform without detection.
- The scored kill chain parts are: Initial compromise / code execution, Privilege Escalation, Credential access, Lateral Movement, Exfiltration (gain the secret file), Command and Control, Create havoc (destroy the environment, hide your tracks, make the attack clear).
- You get points for any part of the kill chain that is not detected, even if an earlier step was detected.
- If there is a tie, the organizers will determine the winner based on a subjective malware "coolness" factor.
- Do not attack anything other than the two systems, for instance the AWS infrastructure or the virtual machine host.

Details of the environment

Client machine:
- Windows 10 1803, fully patched
- Member of a Windows AD domain
- The user running malware is a member of local administrators
- A domain admin is logged into the same system
- The Cybereason agent is running on the system

Domain controller:
- Windows Server 2016
- Domain controller of a Windows AD domain
- Has SMB, RDP and WinRM available from the client
- Some secret file is available on the Administrator desktop
- The Cybereason agent is running on the system

Attack machine:
- Kali AWS instance
- Fully patched on the day of the event
- Has a domain pointed to it, which will be given to the contestants
- No other tools pre-installed