
We Break So We Can Build Better

Hello again friends!

Today I'm writing this post to shed a little preview light on how our team that builds C3X (Canadian Collegiate Cyber Exercise) will be approaching the design for the 2019 competition.

We are doing a lot of different and fun things this year which means all of us are very excited and at the same time have a beast of a project ahead of us.

I'm also going to discuss areas where you can help out and be a part of this wonderful event.

C3X Overview

Entering its third year, the C3X is a competition that gives student teams from various Canadian colleges and universities who are enrolled in cyber security programs a chance to defend a controlled environment against a team of offensive security professionals. That's the short and sweet version, but there is so much more.

Ben Wells (@1StealthMove) and I created this in 2016 and saw the first event happen in 2017. Why did we do this? Canada isn't exactly overflowing with combative challenges. Sure, we have plenty of CTFs, and there are also some emerging game-style events we're seeing happen at the high school level (which is awesome!). Despite all of that, I was bothered that there wasn't something that resembled what I and so many others face every day in our professions: adversaries.

In the U.S. there is no shortage of red vs blue events. Most notably in my opinion would be the CCDC and perhaps the CDX. I've been fortunate enough to participate in the CCDC and I just loved the experience and getting to collaborate with so many great red teamers.

What Ben and I had envisioned was to pull from all these great events and add and mix it all up in a blender and then start from scratch.

The general idea was this: student teams come into the game to defend a Microsoft-heavy simulated corporate network (very scaled down, obviously) with minimal advance knowledge of the design and setup (something we started to change last year). We assembled a red team from personal friends and colleagues who were tasked with total pwnage of the network and endpoints, plus a little trolling for laughs and good times too. We had volunteers come and offer technical guidance and play the roles of simulated managers, directors and executives to whom the student teams would need to report in, update on the situation and make their case for why they need X and Y to fend off the attack.

The first reason for even wanting to put this together came from thinking about what I really wished I had when I was just starting out. I thought about being in my final year or semester, about to fly the coop and go work in the field, and how it would be pretty cool to go through an exercise that brought some pressure-cooker and "live fire" sensations to the table.

Despite having very little feedback from students and volunteers that you would call negative, I thought a lot about each piece I did get and wanted to either change things for the next year or explain why they stay.

So far there's been one piece of negative feedback, and ironically it didn't come from any student. The environment is basically an Active Directory setup with desktops, servers doing things (file shares, SQL, web apps etc.), and I throw in some defensive measures as well, such as Sysmon, event logs collected and shipped to a collector server and forwarded into HELK, SecurityOnion and Microsoft ATA, just to name a few.

I deal constantly with clients and employers talking about the offensive use of what Microsoft already provides. You may call this "living off the land". So the feedback I received pretty consistently was, "that's way over these students' heads since they don't get exposure to AD or Windows stuff, and you folks are all red teamers who've been doing this a while and will be brutal on the students even if you tone it down." And it's a valid point.

These things are not often taught in schools (there are exceptions). That actually fuelled my desire to keep this as the core part of the infrastructure design as well as the attack pathways, and here are my reasons:
  • I've seen a professional gap in this knowledge for a while. You're not taught this in school, then you go try to get a job and end up in a SOC at a company looking at alerts and logs from....WINDOWS MACHINES :) Which means some of the earliest and first exposure to all that goodness is while on the job dealing with real world threats. I say let's give them a chance to get a feel for what that looks like before they go out in the field.
  • Now I completely understand that you can't cover the incredible amount of security knowledge just in school and they should focus on the foundations. 100%. This is why there's zero expectation for the student teams to "win" against the red team under this design. It's meant to give the feeling of being overwhelmed or realizing how much there is to know but at the same time seeing what you've learned in that year or 2 or 4 in school and apply it to a battle ground scenario.
  • I don't want this to be one more CTF. I want this to feel like an attack. I want there to be pressure and chaos but in a fun, controlled and guided way. Yes guided. We bring in volunteers to assist the student blue teams on how to do x,y and z so that they aren't just stuck and sitting wondering what to do. In fact, I personally step out from the red team room very often to offer help to them. 
So there are my mildly sadistic reasons :)

The 2019 Build

Now for the fun part. I'm going to outline as much as I can without revealing too much too soon. Please keep note of items in the list below where we can always use volunteers and sponsors.

Event Information

Toronto, Ontario - Canada
The new and beautiful TrendMicro office in the historic Brunswick Billiards factory building.

Day 1 - Saturday, August 31 2019
Day 2 - Sunday, September 1 2019
All teams compete at the same time and on both days.

Full days
Game window is 10am-5pm each day
More details about times for arrival etc. will be sent out to registered individuals.
There is a social/mixer as well. Still ironing out details of which day it'll be on but will be in the evening after the game clock finishes.

Provided however there is a large number of places to eat within 1-2 blocks of the location.
Registration forms will ask you about any allergies we should be aware of.

Student Team Information

# of schools:

Team size:
10 (minimum) to 15 (maximum)

Laptop with WiFi or ethernet connectivity
Suggested to spin up a VM to operate out of (make a Linux and a Windows VM if you can)
Will be provided VPN access to your cloud environment
Will require you to have RDP to access some game systems.
Will require you to have SSH to access some game systems.

Volunteer Information

We are looking for help with the following roles:
  • Student Blue Team Mentors (technical and non-technical)
    • Experience with threat hunting, DFIR, AD and Windows-based defensive measures, investigation processes, malware analysis etc.
    • Experience with guidance and helping the students stay focused, on-task, using their resources wisely, more management/team-lead type of assistance.
  • Red Team Pro-Am (NEW!!!)
    • This is by invite initially to fill up the seats. If we are short with that method, there will be a call-to-action on Twitter that I will send out closer to the game dates.
    • We are doing a pro-am style red team this year, meaning we will be inviting individuals who are just starting out in offensive security to join our team and be paired up with a mentor or two.
  • Event Organization
    • This is just general helping out with things like pre-event organization, helping set up on the game days and tear down (not much this time since we've moved to the cloud, oooooooh) and all the other little tasks we so often overlook until it's time.
  • White Team
    • This is also going to be by invitation initially. This team of volunteers helps (mostly myself and a couple of others) make sure the technical pieces are running smoothly (which they won't) and helps troubleshoot and fix.
  • Grey Team
    • This can be both boring and super fun. We need help from volunteers who can act as our frustrating end-users. This means you log into some desktops like you're at work and click every email and attachment, visit websites, open files on the network shares and basically create traffic and noise for the blue teams to sift through.

Sponsorship Information

More details will be released within the next couple months but if you think you or your company would like to help this event continue to be more awesome each year, here's some sneak preview items:
  • We have some previous sponsors and new sponsors that have approached us so we will be working with them in the beginning (like now) to see how much of our requirements are covered.
  • A registration form will be distributed when we do open up to more sponsors.
  • Expect a standard 3-tier sponsor level system
  • The last 2 years we covered the bulk of the costs but since this thing is growing, we do need financial help for some items.
  • Sponsors who provide a service can be very useful in place of financial donations, i.e. fun IoT devices we can add into the game, VPS hosting (we're almost 99% cloud based this year) and more! (just some examples)
  • We encourage sponsors looking for talent to get involved and attend the event. Think of it like recruiting an athlete. Wouldn't you want to actually SEE them perform live? Plus talk to them right on the spot? ;)
  • We also have time slots for sponsors to present to all the attendees. This one can be tricky because we don't want it to feel like a product pitch or salesy stuff but depending on if it's relevant to the game, the students and the atmosphere we'd probably be OK with it.
  • We're still ironing out all the items we can foresee so more will be disclosed as time passes.

Advice for Student Teams

Like each year, we remain heavy on Windows systems and various Microsoft technologies. Last year I released a series of video tutorials showing how to interact with the network and access the desktops and servers and defensive products as well as lots of reading material and study-up references.

I will be doing this again and including even more detailed info than last year.

Key areas to brush up on (all through a security lens, mind you) are Active Directory, leveraging Windows Event Logs, PowerShell, Sysmon, the standard Windows privesc/lateral movement/persistence stuff, finding C2 indicators in network traffic, and most importantly, what to actually do when you find these things. Again, I will provide information that, in one way or another, tells you what to do about what the red team is planning (more on that sneak preview later).

Aside from the technical ninja skills you will use to defend, perhaps most critical is how you plan to operate as a team. Establish a team lead, understand your team's strengths and weaknesses and play to those, divide and conquer with your time and energy, and ask every question you think of; don't ignore it because you think it's a silly or embarrassing question.

Quick heads up, we have no room for hostility. Sure things can get intense but be warned in advance that if we find out anyone is not playing nice with others, you're gone faster than you can get your shoes tied up. I know you won't though since you're all lovely and awesome people :)

Theme and Scenario

Each year we've tried to have some kind of "theme" going on, but TBH it was mostly just window dressing and not truly implemented on a technical level. For 2019, that's going to really ramp up.

I'll reveal the "who" the red team will be operating as down the road, with plenty of heads-up notice, but it will be of the "APT<insert number>" variety. I can hear you now saying, "the students had a tough time with all the Windows shenanigans already and NOW you want to throw APT tradecraft on top? You cruel cruel monster!!!!"

Well, there are a few reasons. One is that the recent MITRE evaluations played a role in my decision making. So did the location of the game this year (it'll make sense later, haha). And it's a threat group that has so much public research and intel out there that if the red team does a solid job of replicating those TTPs, we are actually silently forcing a new element of learning on the students: some CTI, y'all!

We want the students to find us (the red team that is) and the red team will be operating under certain restrictions for what they can and cannot do.

OK I think this post has gone on long enough but this is something that occupies my mind many hours of the day so I wanted to get it all out and share what's ahead with you all.

Stay tuned for more information on C3X 2019
