In the SkillsUSA SLSC CyberSecurity competition for Washington, this Windows image was used for one of the challenges in the Endpoint Hardening category. This image can be used for general-purpose defensive cybersecurity training and forensics!
Note that online scoring won’t work and you’ll get a team ID error, but local scoring should still work!
WARNING! This image contains simulated malware which might trigger network intrusion protection!
## Forensic Questions

Forensic questions need to be scored manually:

| Question | Answer | Hint |
| --- | --- | --- |
| On your Windows VM (Windows Workstation challenge), what is the name of the vulnerable update service? | `MacroSoftUpdater` | Look through services.msc for unusual services. |
| What is the path to the registry key that the vulnerable service loads for settings? We believe this was tampered with. | `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MacroSoftUpdateService` | This can be found by either exporting the entire HKLM registry key to a text file and then searching for “MacroSoft”, or using SysInternals Process Monitor to check what registry keys the service is using. |
| On the Windows VM (Windows Workstation challenge), a few minutes after login, a glitching video appears. If you select the video and type the Konami Code, a secret message appears. (Konami Code = up up down down left right left right b a) Where in the registry is this secret message defined? | `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecretValue` | This can be found by either exporting the entire HKLM registry key to a text file and then searching for the message that appears, or using SysInternals Process Monitor to check what registry keys are accessed by the process between launch and typing the code. |
## Scored Items

The following items are automatically scored on the VM:

| Type | Item |
| --- | --- |
| Penalty | Removed authorized administrators from Administrators group |
| Penalty | Removed authorized users or administrators from the computer |
| Scored | Removed unauthorized users from the computer |
| Scored | Removed unauthorized admins from the Administrators group |
| Scored | Removed unauthorized users from the rdpusers group |
| Scored | Added authorized RDP user ‘pward’ to rdpusers group |
| Scored | Removed insecure share ‘inetpub’ |
| Scored | Removed unnecessary DHCP server role |
| Penalty | Removed or broke IIS |
| Scored | Removed ASP.NET backdoor `C:\inetpub\wwwroot\radish.aspx` |
| Scored | Configured authorized rdpusers security policy `SeRemoteInteractiveLogonRight=rdpusers` |
| Scored | Configured Ctrl+Alt+Delete for login |
| Scored | Configured maximum password age |
| Scored | Configured password hashing |
| Scored | Configured password complexity requirements |
| Scored | Configured password minimum length |
| Scored | Configured account lockout threshold |
| Scored | Configured logon failure auditing |
| Scored | Disabled guest login |
| Scored | Removed pirated media (`C:\inetpub\wwwroot\seed\1951126.torrent`) |
| Scored | Removed malware component `C:\Program Files\Windows Defender\en-US\McSwim.exe` |
| Scored | Removed malware component scheduled task `JustKeepSwimming` |
| Scored | Removed hacking tool John The Ripper `C:\john-1.9.0` |
| Scored | Removed hacking tool Wireshark |
| Scored | Removed pirating tool qBittorrent |
| Scored | Removed or zeroed malware component registry key `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AzurePortalSetup` |
| Scored | Removed or zeroed malware component registry key `HKLM\SYSTEM\CurrentControlSet\Control\SecretValue` |
| Scored | Removed malware component launch file `C:\Windows\Media\Calligraphy\calligraphy.bat` |
| Scored | Removed malware component stealth file `C:\Windows\BrowserCore\invisible.vbs` |
| Scored | Removed malware component launch file `C:\Windows\PLA\retro.bat` |
| Scored | Removed malware component exe `C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.exe` |
| Scored | Removed malware media file `C:\Program Files (x86)\Windows NT\TableTextServices\en-US\M5lltY1VjpU.mpv` |
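As an added example (not part of the image or its scoring engine), the following PowerShell audit checks the file, registry, scheduled-task, share and group items from the table above so a trainee can verify remediation locally before running the scorer. It assumes the paths and names are exactly as listed, that `rdpusers` is a local group, and that it is run from an elevated prompt on the VM.

```powershell
# Added audit script (not part of the training image or its scoring engine).
# Reports which Scored Items artefacts are still present on this machine.
# Assumes the listed paths are exact and that rdpusers is a local group.

$artifactPaths = @(
    'C:\inetpub\wwwroot\radish.aspx',                      # ASP.NET backdoor
    'C:\inetpub\wwwroot\seed\1951126.torrent',             # pirated media
    'C:\Program Files\Windows Defender\en-US\McSwim.exe',  # malware component
    'C:\Windows\Media\Calligraphy\calligraphy.bat',        # launch file
    'C:\Windows\BrowserCore\invisible.vbs',                # stealth file
    'C:\Windows\PLA\retro.bat',                            # launch file
    'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.exe',
    'C:\Program Files (x86)\Windows NT\TableTextServices\en-US\M5lltY1VjpU.mpv',
    'C:\john-1.9.0'                                        # John the Ripper
)

# Registry values the scorer expects to be removed or zeroed.
$registryValues = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'AzurePortalSetup' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control';              Name = 'SecretValue' }
)

$findings = New-Object System.Collections.Generic.List[string]

foreach ($p in $artifactPaths) {
    if (Test-Path -LiteralPath $p) { $findings.Add("File still present: $p") }
}

foreach ($rv in $registryValues) {
    $props = Get-ItemProperty -Path $rv.Path -ErrorAction SilentlyContinue
    $prop  = if ($props) { $props.PSObject.Properties[$rv.Name] } else { $null }
    # A missing value, empty string or 0 all count as remediated ("removed or zeroed").
    if ($prop -and $prop.Value) {
        $findings.Add("Registry value still set: $($rv.Path)\$($rv.Name) = $($prop.Value)")
    }
}

if (Get-ScheduledTask -TaskName 'JustKeepSwimming' -ErrorAction SilentlyContinue) {
    $findings.Add('Scheduled task still registered: JustKeepSwimming')
}

if (Get-SmbShare -Name 'inetpub' -ErrorAction SilentlyContinue) {
    $findings.Add('Insecure share still exported: inetpub')
}

# The scorer also requires the authorized RDP user pward to be in rdpusers.
$rdpMembers = Get-LocalGroupMember -Group 'rdpusers' -ErrorAction SilentlyContinue
if (-not ($rdpMembers | Where-Object { $_.Name -like '*\pward' })) {
    $findings.Add('Authorized RDP user pward is not a member of rdpusers')
}

if ($findings.Count -eq 0) { 'All checked items remediated.' } else { $findings }
```

Policy items such as password age, lockout threshold and `SeRemoteInteractiveLogonRight` are not covered here; compare those against `secedit /export` output or the Local Security Policy console.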