About

Campaign Overview

Setting: Wareville, home of The Best Festival Company (TBFC)
Event: SOCMAS - the annual cyber security celebration
Threat Level: Critical
Purpose: Each mission teaches essential cybersecurity skills while uncovering clues about King Malhare's conspiracy to corrupt Christmas into EASTMAS

The Antagonist: King Malhare

Origin: HopSec Island
Motivation: Jealousy over Easter being overlooked; seeks to rebrand Christmas as EAST-mas
Operatives: Sir Carrotbane, Bandit Bunnies, and HopSec Island operatives
Endgame: EASTMAS - a corrupted version of the festival designed to sabotage TBFC operations and hold Wareville hostage

Plot Progression

Act 1: The Glitches

• System failures and password issues plague TBFC
• McSkidy detects foul play; King Malhare's name surfaces
• Initial investigations begin on isolated systems

Act 2: Escalation & Kidnapping

• McSkidy is kidnapped by King Malhare's forces
• Wareville's defenses are severely compromised
• Christmas itself becomes at risk
• Ransom demand: 1,000 HopSec Coins for McSkidy's release
• Timeline threat: SOCMAS ends tonight

Act 3: Investigation & Defense

• The TBFC SOC team mobilizes
• Multiple challenges across different attack vectors
• Focus shifts to forensic investigation and incident response

Key Investigation Targets & Findings

Primary Investigation: tbfc-web01

System Type: Linux server processing Christmas wishlists
Attack: Eggstrike malware infiltration
Evidence Location: /home/socmas/2025/eggstrike.sh
Critical Forensic Techniques:

• Hidden file discovery using ls -la to uncover .guide.txt and .bash_history
• Advanced forensics including user switching and command history analysis
• File decryption to trace attacker movements

Evidence Trail

• McSkidy's last actions before kidnapping
• King Malhare's involvement and operational plans
• Christmas wishlist system compromise details

Challenge Categories

1. Forensic Investigation & Log Analysis

• Focus: Splunk SIEM analysis to trace ransomware infiltration
• Skill: Understanding attack vectors through log data
• Objective: Prevent infrastructure compromise and resolve the hostage situation

2. Red Team & Social Engineering

• Type: Authorized penetration testing
• Team: Recon McRed, Exploit McRed, Pivot McRed
• Focus: Phishing campaigns and employee awareness testing
• Goal: Evaluate cybersecurity training effectiveness

3. System Forensics & File Analysis

• Type: Linux server investigation
• Skills: Hidden file discovery, command history analysis, user switching
• Goal: Trace attacker movements and identify compromise vectors

Access Credentials

Username: mcskidy
Password: AoC2025!
Connection: ssh mcskidy@[machine_ip]
Note: Machine IP changes upon each start

Learning Outcomes

Each challenge reinforces essential cybersecurity competencies:

• Incident Response - Responding to active threats with time pressure
• Log Analysis - Using SIEM tools to identify attack patterns
• Forensic Investigation - Tracing evidence and attacker movements
• Red Team Methodology - Understanding offensive security tactics
• Security Awareness - Identifying social engineering and phishing threats
• Linux System Administration - File permissions, command history, user switching

The Stakes

• Missing: McSkidy (leadership compromised)
• Threatened: Christmas and SOCMAS celebration
• At Risk: TBFC systems and Wareville infrastructure
• Timeline: Demands must be resolved before SOCMAS ends tonight
• Mission: Stop King Malhare's EASTMAS plan and save Christmas