I was back at SANS October Singapore this year. Not much had changed compared to the past year: the venue was the same, the food was the same, and even some of the course participants were familiar. This year, I signed up for the FOR508 course, as well as both NetWars Core and Defense. It was really tiring having three consecutive days of back-to-back CTF challenges, NetWars Core on Thursday and Friday nights and FOR508 on Saturday. Nevertheless, I prevailed, winning all three challenge coins in the process.
Coming from a pentesting and red teaming background does have its advantages when doing threat hunting and digital forensics. I was very familiar with all the lateral movement and persistence techniques covered in the first few days of the course. What was rather interesting, however, was the acquisition of these artefacts. When performing red teaming, you can easily use "reg query" or "Get-WmiObject" to enumerate the entries on a live system. In forensics, the system may be offline, so different tools have to be used to parse the registry hives or the WMI repository on disk to enumerate these entries. I also found the content on NTFS timestamping behaviour, as well as lesser-known artefacts such as $I30 and $UsnJrnl, to be quite useful. This is especially so since the timestamps are rather non-intuitive, and I was very confused by them when I first encountered them.
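As an added example (not code from the original post), the contrast described above in PowerShell: the same Run-key and WMI event-subscription artefacts enumerated on a live system with reg query and Get-WmiObject, and then from a hive taken off a disk image with reg load. The paths under C:\Case\ are assumed locations of a mounted image and exist only for this illustration.

```powershell
# Added example, not from the original post. C:\Case\ paths are assumed
# locations of a mounted disk image, used only for illustration.

# --- Live system: query the running registry and WMI repository ---------
# Run keys; reg.exe and the PowerShell registry provider show the same data.
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# WMI permanent event subscriptions: a binding ties a filter (the trigger)
# to a consumer (the payload). All three pieces live in root\subscription.
# Get-CimInstance is the modern equivalent of Get-WmiObject.
Get-WmiObject -Namespace root\subscription -Class __EventFilter |
    Select-Object Name, Query
Get-WmiObject -Namespace root\subscription -Class __EventConsumer |
    Select-Object Name, CommandLineTemplate, ScriptText
Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding |
    Select-Object Filter, Consumer

# --- Offline image: the target's registry is not loaded -----------------
# Mount the SOFTWARE hive from the image under a temporary key, query the
# same path, then unload it. Needs an elevated prompt (SeBackupPrivilege /
# SeRestorePrivilege). Copy the hive's .LOG1/.LOG2 files alongside it so
# that unflushed transactions are applied when the hive is loaded.
$Hive = 'C:\Case\Windows\System32\config\SOFTWARE'   # assumed path
reg load HKLM\CaseSoftware $Hive
reg query HKLM\CaseSoftware\Microsoft\Windows\CurrentVersion\Run
reg unload HKLM\CaseSoftware

# The WMI repository cannot be mounted like a hive. Offline it is the file
# OBJECTS.DATA and needs a dedicated parser; as a quick triage, look for
# consumer class names in its raw bytes and note where they occur.
$Objects = 'C:\Case\Windows\System32\wbem\Repository\OBJECTS.DATA'  # assumed
Select-String -Path $Objects -Pattern 'CommandLineEventConsumer', 'ActiveScriptEventConsumer' |
    Select-Object LineNumber, Pattern
```

The live commands answer "what is registered right now"; the offline ones answer "what was registered on the evidence disk", which is the question forensics usually has to answer when the host is powered off or untrusted.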
The initial levels of NetWars Core were rather annoying. There were huge background stories (walls of text), snippets of information everywhere, and binaries that beeped for a few seconds before returning their output. I guess I was used to the more straightforward crackme-style challenges (e.g. FLARE-On). It could have been rather exciting, especially if you are a Star Wars fan playing at leisure. But with only 6 hours in total, I didn't want to process so much extraneous information or wait for a binary to return its output. Once I got to level 3, things started getting more exciting with the pentest challenge. I only managed to make it halfway through level 3, but the effort was enough to place me in the top 5. I will definitely be returning to crack the rest of level 3 and move on to level 4.
Surprise, surprise! After getting the USB key, I realised that the challenge was exactly the same as the previous year's. It was a rather leisurely game, as I could recall the solutions to some of the trickier questions. This year I finally managed to finish all the questions, netting me a second coin with a score of 774. I will likely not be returning, at least not until the challenge gets updated.