"Confrontation" PHDays or Why we were called the "All-Seeing Eye"

    Last week, the Positive Hack Days 7 conference was held, within the framework of which the traditional (the second time, why not the tradition?) Battle of the Defenders and Attackers - The Standoff - has already taken place.

    The bottom line is ... A participant can play SOCs, city guards and villains. And if the user plays as defenders, then they are given different means of protection, and villains are gaining on segments of the city. You can rob the cows ...


    Confrontation Members

    A more detailed description of the roles of participants is on the organizer's website (Positive Technologies):

    Spoiler heading
    Attackers are free to do anything, the main thing is not to violate the logic of construction and the operation of the polygon. No task and flags, the participants themselves decide what they want to get from the city. The attackers' task is to accomplish their goals by any means convenient for them.

    The defenders can be both corporate teams and individual specialists (you can use a pseudonym). The defenders will have several specialized teams, each of which will ensure the safety of one object at the training ground - the operator, office, etc.

    The tasks of the teams include the design, installation, configuration and operation of protective equipment, as well as ensuring the safety and security of the assets of the company to which they are assigned. During the game, defenders should periodically report on incidents and work done.

    A total of 5 objects of protection are provided:

    • Telecom operator
    • Office
    • CHP and substation
    • Oil company
    • Railway company

    External SOCs

    During the Confrontation, the SOC must promptly alert defenders of attacks and propose protective measures. As well as defenders, SOC teams must publicly report on ongoing attacks and hacking methods used, provide statistics on the security of the landfill (attack trends and other metrics).


    The first general briefing of the participants of the Confrontation took place on April 12, where the organizers talked about plans to build a city that would need to be “haunted” and defended. We got the role of SOC in one of the office segments. The defenders of this segment were the SPAN team (Servionica Palo Alto Networks).


    They turned out to be trained professionals and excellent guys, with whom we quickly enough found a common language and worked together on the site of the game itself.

    Our secondary task was to monitor the city in order to identify and analyze attacks on urban infrastructure.


    Organizers completely raised the office segment of the city in the virtual infrastructure based on VMware.

    About three weeks before the start of the event, we got access (thanks to the organizers) to the virtual machine with MaxPatrol 8 for scanning and building a network map. It turned out 1719 pages of pdf report.

    A week we installed and tested our monitoring tools. We planned to use:

    • IDS for the Office.
    • IDS for the City.
    • Moloch for recording and analyzing traffic.
    • Network Analyzer to detect anomalies in Office traffic.
    • Network Analyzer to identify anomalies in the traffic of the City.
    • HIDS (host IDS) for monitoring key Office servers.
    • TIAS for log analysis, monitoring and analytics.

    Everything worked as it should. We have painted shift shifts of the monitoring group.

    Pentester said that “I’ll be on the site for 30 hours and I’ll have a good time.”

    The PR man said that "PHDays is the only opportunity to make a carbon monoxide banner."


    There was a feeling that we were ready.



    Not really.

    “Guys, there is no traffic on our sensors!” Is our motto and a call to the organizers for the first 8 hours of the Confrontation, which began at about 11-30.

    Unfortunately, due to technical difficulties, it was only at 7 p.m. that traffic was sent to both IDSs:

    • Only traffic from the DMZ was submitted to the Office, although a mirror of all traffic was required.
    • The traffic on the external perimeter of the Office and the traffic of several more vlan'ov without specification were submitted to Gorodskaya.

    In terms of volume and observed events, it was clear that not all traffic was mirrored (although it was requested to the maximum). About traffic mirror on Moloch and not worth talking about. And without it, the analysis of anomalies does not make sense.

    In fact, everything that we did the week before the event had to be redone anew right on the site. Nevertheless, it is still necessary to thank the admins of the organizers, they harnessed and helped, wherever they could.

    Valorous advocates have been trying for a long time to deploy HIDS agents for monitoring, but due to the periodic drop in infrastructure and the lack of Internet access from the infrastructure for connections to repositories, this was not possible.

    There was no direct access to the controlled infrastructure, everyone climbed through a VPN, which also did not add joy. Sadness sadness longing ... But sad ends on this!

    1. Do not forget that the Attackers were in the same conditions, and for them, space and freedom are important - from time to time they were sitting much more sad than the defenders.
    2. At least some traffic has been received - it means you can already work!
    3. Advocates for interaction are open, gaps overlap - so everything is not so bad today.

    Another interesting story was with the dynamic allocation of resources on a virtualization farm. Two SOC analysts sat side by side. Their jobs are also in virtual machines. One was flying, and the other was quietly swearing at the monitor and saying that he had never seen the console slow down.


    As a result, during the night and almost the whole day of monitoring, we managed to identify attacks and investigate the controlled segment.

    What was recorded

    By office segment

    1. As soon as traffic was given, from the address constantly someone was breaking into one of our web-servers ( with incomprehensible and always the same credits. Checked - the activity is strange, but not dangerous. Then all night we will think about it. What they wanted remains a mystery. Apparently, something went wrong with the Attackers.
    2. Against the background of paragraph 1. scans constantly went from the same address, exploits and other unclean forces fell down. Identified NAT Attackers. It was a pity it was impossible to block - fair-play and all that.
    3. Suspicion of a compromise of our server ( from DMZ - an unhealthy interest in the mysql of the internal resource ( came from it. The defenders did not answer, how many did not ask. Nothing else was visible from this address. Compromise was not confirmed, possibly a system checker. They watched him with one eye.
    4. While monitored, we simultaneously examined our own DMZ. XSS was detected on another web server ( Until the next day, we loomed about this to the defenders. As soon as they began to massively try to implement xss, they quickly responded and prohibited special characters in the url. How none of the attackers took advantage - a mystery!
    5. On the same web server (, pureFTP was recorded. SZI blocked alien access to FTP. Everything is good.
    6. An open site repository (/.git) was found on the third web server ( and the defenders were notified. They promptly closed. Teamwork!
    7. Around 00:30 on the internal network, the subnet was activated. From there, the brute-force services in the DMZ immediately began. The defenders blocked this subnet, there was no other way. * Yes, it’s impossible to block, but the enemy cannot be left inside, all the more!
    8. Another web server (, another available / install directory. Attackers could drag the site to their database and compromise users. Defenders closed access to the folder.
    9. In the middle of the night, abnormal activity began between the user segment and the domain controller! Attacked SMB. The analysis showed that the SSI from NSD Secret Net lives its own life and tries to communicate with the main server. Ok, false positive - let's go further.
    10. On found / wp_include with all source codes. The defenders closed.
    11. From 05:00 to 07:00 lull. Pokemarili.
    12. From 8:00 they began to scan with renewed vigor, no longer trying to hide and not embarrassed in the means: nmap, sqlmap, nessus, a bunch of self-contained scanners (well, or just scripts to nmap). The scanner was especially pleased, judging by the user-agent: go-http-client - self-written, walked through a decent set of vulnerabilities.
    13. Around the mess - exploits, injections, brute force, scans. There are many, but all the same, useless and uninteresting.
    14. They saw that the node appeared. It had wordpress (almost like everywhere else) with open API access with admin credits: admin123. Picked up manually from the second attempt. Zaalerty, promptly closed.
    15. Until the last brutal access to FTP. Connections were cut by SZI.

    From the Facebook member of the SPAN team
    “I’m a safe, I don’t want to decide anything, I want to write custom signatures and watch how packets drop.”

    - Oh, send drops!


    In the city

    1. 20:26 recorded a successful brute force smb from Whose address is unknown. No luck to anyone.
    2. In general, smb, snmp, sql were hanging around the city. Attackers walked on them, as in their own. Bruteforce on all fronts.
    3. We recorded that the wordpress is open on the node (like the Telecom object) and the admin panel is open ... If there weren’t a white hat, we would have broken it ourselves.
    4. In the end, they smoothed smb from successfully again (maybe the same ones, just did not turn off the script).

    What happened and failed

    If you evaluate globally - attacking fellows! And the automated process control systems were broken, and the bank was robbed, and it seems that even the “mayor” was intercepted. As for our Office, it remained untouched, and the team of defenders completed the Confrontation with a full 100% “reputation”.

    Of course, we expected more pressure from the attackers. What were their difficulties connected with? We have three hypotheses:

    1. They did not use their entire arsenal. Confrontation is still a game and, perhaps, we were not shown all the tools to have a margin for real projects. And well-known tools and techniques were easily blocked by protective equipment.
    2. The attackers (as well as the defenders) did not have direct access to the City network, perhaps part of the arsenal simply did not take off.
    3. Attackers have difficulties when they are actively and quickly counteracted. If you act on the forehead - this is visible, but if it is thinner - then it will take more time, and the requirements for the skill are already different.

    It is very sad that there were such large-scale technical difficulties, there was little traffic. But this is still a chic space for analytics!

    By next year, we will take into account all the mistakes and understand what to demand from the organizers. Waiting for PHDays 8.



    We thank Positive Technologies (especially Victoria, Alexei, Mikhail and Tamara) for organizing this holiday.

    Thanks to the SPAN team for their defense, experience and good team play.

    Thanks to our whole team, you are very cool.

    And special thanks to the captain of the monitoring team Maxim Baymaxx for preparing this report.

    Now the tablet with the All-Seeing Eye adorns one of the walls of the Monitoring Center.


    Other blog articles

    UAC Bypass or the story of three escalations

    Report of the Information Security Monitoring Center for the I quarter of 2017

    Life without SDL. Winter 2017

    Also popular now: