UniCon 2020 included an excellent NetWars-style CTF that involved executing payloads and observing behaviour. Spanning three levels, the exercise provided a breadth of insight into malicious payload execution and how to go about analyzing the activity using tools such as Sysmon and Wireshark. The optional take-away challenge was to further examine the ‘level3.exe’ payload and submit a report on the findings.
**UPDATE** This entry ended up winning the first-place grand prize as announced by Scythe. Check out the other excellent winners here. Many thanks to Scythe for providing such great content to the community.
Data that lives only in memory is always difficult to determine for digital forensicators. Unless you get lucky with a suspect hibernating their machine at the time of activity, or find opportune memory dumps, traditional on-disk artifacts won't be of much use.