Registry Persistence
DOWNLOADABLE registry export (.reg). The Run keys hold legitimate entries (OneDrive, SecurityHealth, Realtek) alongside a malicious persistence entry: an unsigned autorun running from C:\Users\Public. Do not mistake legitimate entries for malware.
Scenario
A RegRipper-style registry export from a workstation (HKLM/HKCU Run keys with their LastWrite times). Most autoruns are legitimate: signed applications under System32, Program Files or AppData. One entry is malicious: it masquerades as a legitimate Windows update component, but it runs an unsigned exe from C:\Users\Public and its key's LastWrite time coincides with the incident. Skill tested: not reporting legitimate signed entries (OneDrive etc.) as malware, while correctly catching the unsigned, Public-path persistence entry.
Anti-forensics techniques
- Entry masquerade (legitimate-component imitation)
- Noise: many legitimate autoruns (decoy)
- Unsigned/Public-path persistence
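The triage the scenario describes, as an added example that is not part of the challenge or its artifact: parse the Run keys of a .reg export, recover each value's image path, and flag only entries running from C:\Users\Public or another unexpected location. The sample export, the `; LastWrite:` comment convention, the placeholder value name and the incident window are all constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample export (not the challenge artifact). The "; LastWrite:" comment
# lines are an assumed RegRipper-style convention; the masquerade entry is a placeholder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

; LastWrite: 2024-03-11T09:15:02Z
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"RtkAudUService"="\"C:\\Program Files\\Realtek\\Audio\\HDA\\RtkAudUService64.exe\" -background"

; LastWrite: 2024-03-14T22:41:37Z
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"PLACEHOLDER_UpdateHelper"="C:\\Users\\Public\\PLACEHOLDER_update.exe /silent"
"""

# Constructed incident window (assumption). LastWrite is per key, not per value, so a hit
# here corroborates a finding; it does not by itself identify which value is malicious.
INCIDENT_START = datetime(2024, 3, 14, 20, 0, tzinfo=timezone.utc)
INCIDENT_END = datetime(2024, 3, 15, 2, 0, tzinfo=timezone.utc)

TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

def image_path(data: str) -> str:
    """Recover the executable path from a Run value's command line (already unescaped)."""
    data = data.replace("%windir%", r"C:\Windows").replace("%SystemRoot%", r"C:\Windows")
    if data.startswith('"'):                  # quoted path: everything up to the closing quote
        return data[1:data.index('"', 1)]
    return data.split(" ", 1)[0]              # unquoted path: ends at the first space

def triage_run_keys(reg_text: str) -> list:
    """One dict per Run value; 'suspicious' marks Public-path or unexpected-location autoruns."""
    findings, key, last_write = [], None, None
    for line in reg_text.splitlines():
        if line.startswith("; LastWrite:"):
            last_write = datetime.fromisoformat(line.split(":", 1)[1].strip().replace("Z", "+00:00"))
        elif line.startswith("["):
            key = line.strip("[]")
        elif key and "\\CurrentVersion\\Run" in key and (m := VALUE_RE.match(line)):
            name = m.group(1)
            path = image_path(m.group(2).replace('\\"', '"').replace("\\\\", "\\")).lower()
            if path.startswith("c:\\users\\public\\"):
                reason = "runs from C:\\Users\\Public (world-writable; no legitimate autorun lives there)"
            elif path.startswith(TRUSTED_PREFIXES) or "\\appdata\\" in path:
                reason = None                 # expected location; still verify the Authenticode signature on disk
            else:
                reason = "runs from an unexpected location"
            in_window = last_write is not None and INCIDENT_START <= last_write <= INCIDENT_END
            findings.append({"key": key, "value": name, "path": path, "last_write": last_write,
                             "in_incident_window": in_window, "suspicious": reason is not None, "reason": reason})
    return findings

if __name__ == "__main__":
    for f in triage_run_keys(SAMPLE_REG):
        print("SUSPECT" if f["suspicious"] else "ok     ", f["value"], f["path"], f["reason"] or "")
```

The .reg export alone cannot prove whether a binary is signed, so a clean location only lowers priority; confirm the signature on the file itself before clearing an entry.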
Provided artifacts
- Registry export (.reg, Run keys)
Sample questions
- q1: Name of the malicious value providing persistence?
- q2: The file path it executes?
- trap1: Do NOT report a legitimate entry (OneDrive) as malware.
Soundness trap
Scoring
Persistence triage accuracy + legitimate-entry decoy resistance (soundness).
Download and solve
The answer key is hidden (scored set); the flag is encrypted, so you must decrypt it.