KC7 – Intrusion Analysis – Data Customization

In my first post about KC7, KC7 – Intrusion Analysis, I went over setting up the server to generate your own realistic randomized data and how to upload it into your Azure Data Explorer cluster. I then introduced the KC7 – Scoreboard and how to set it up so that participants can reach it, how to manage it from an admin perspective, and how to use it from the perspective of a player.

This is a great resource for those wanting to get some hands-on experience in intrusion analysis and threat intel with realistic data in a tool that actual security professionals use. I am therefore writing this third blog post to go over how to customize the base config files so that they generate different randomized data.

The customizations will include:

  • Victim company Information (Name, # employees, Employee Titles, Website paths, etc…)
  • Threat actors (Name, attacks, email themes, TLDs, filenames, malware, etc..)
  • Malware (name, filenames, paths, recon processes, c2 processes)
  • Seed Text (For emails)

The game randomly generates realistic data from the data provided once you download the Cyber Challenger git repository. This allows you to generate data for multiple games for the same group. The creators of KC7 have also gone to the effort of creating additional KC7 challenge scenarios. Maybe you have gone through all of these options multiple times already, need something more customized, or just want to give back to the community. We are going to go over how you can do that in the sections below.

Victim Company Information

In order to customize the company information there are two files we need to concern ourselves with. They are:



This is the primary configuration file for the company where most of the configuration will happen. Let’s take a look at the existing one:

name: Envolve Labs
count_employees: 1000
roles:
  - title: Chief Executive Officer
    limit: 1
  - title: Chief Financial Officer
    limit: 1
  - title: Chief Marketing Officer
    limit: 1
  - title: Chief Information Security Officer
    limit: 1
  - title: Vice President
    limit: 10
  - title: IT associate
    limit: 999
  - title: Finance associate
    limit: 999
  - title: Marketing associate
    limit: 999
  - title: Human Resources associate
    limit: 999
  - title: Medical Researcher
    limit: 499
  - title: Lab Technician
    limit: 499
  - title: Trial Administrator
    limit: 100

Let’s go over each category. You can make these whatever you want. They could be Harry Potter themed if you were going to run this for a group of high school students. However, if you are using this for training at a company, maybe you want it to be your actual company information.

If I am not mistaken, these first three are static, meaning that they will be the same every time the game is run.

  • name: What you want the name of the company to be.
  • domain: What you want the company’s domain to be.
  • count_employees: The number of employees you want to be in the company.

I believe these next two categories have some degree of randomness built in. I would have to look at the code further, but I believe all the role titles will exist in each game, while the number of employees holding each one will vary if the limit is over 1.

  • roles: This section defines the roles and a range for the potential number of employees filling each role. I believe that as long as they are listed here and have a limit of at least 1 they will always be included in the data. Each role has two sub-fields:
	title: The job title for an employee.
	limit: The maximum # of employees that can have this title.
  • partners: Partner domains that likely do business with the company.

Once you make your changes do not forget to save the file.


This is the file that takes the company domain from the previous file and adds the paths that make it look like a realistic website. Let’s take a look at the existing one.


Add, leave, remove or change these to suit the theme of the game you are building. Do not forget to save the file when you are done.

Threat Actors

In order to customize the threat actors we might face in the game data, we need to concern ourselves with their configuration files, which are stored in the following directory:


Listing the contents of this directory we see:

Each threat actor has their own YAML config file. The ones ending with .bak will not be used to generate threat actor activity in the game. To configure a new threat actor, create a YAML config file with the name you want the threat actor to have. So, if we wanted to add the threat group known as “Pink Puppy” to the game we would create a file named “pinkpuppy.yaml”.

Depending on your requirements you can make this a bit silly with something like a Star Wars theme if you are creating this for some students. However, if you are using this to train your security staff you may want to make it more realistic. In this case you could work with your CTI and IR teams to incorporate the actors and malware your company may be facing.

Let’s take a look at the pre-existing actor of “itinium.yaml”.

name : Itinium
effectiveness: 80
count_init_passive_dns: 10
max_wave_size: 3
# section keys restored from the field table below; the domain_themes/sender_themes split is inferred
attacks:
  - recon:browsing
  - delivery:supply_chain
  - email:malware_delivery
domain_themes:
  - software
  - update
  - mobile
  - verify
  - security
  - install
  - notice
  - scan
  - alert
sender_themes:
  - helpdesk
  - support
  - admin
  - it
  - notifications
  - noreply
  - info
subjects:
  - "RE: Purchase Order 12393"
  - A suspicious login attempt was observed for your account
  - Missed call - New voicemail
  - New heldesk procedures - READ NOW
recon_search_terms:
  - envolve helpdesk
  - how to get it support
  - are macros enabled - envolve
  - it support process
  - helpdesk ticket system
  - password expiration policy
  - default password EnvolveLabs
file_names:
  - Software_Update
  - Critical_Security_Path
  - Patch_instructions
  - EnvolveLabs_Research_Tool
tlds:
  - com
  - io
  - info
spoof_email: False
malware:
  - unhelpfuldesk

All potential fields available, as identified in the file located at:


As long as the fields and their values are in the format above (YAML) then the order of them should not matter.

Field (Data Type): Notes

  • name (String): Name of the threat actor.
  • effectiveness (Integer): Used to help decide the authenticity of generated inbound email. In other words, how convincing the email is.
  • attacks (String): The types of attack the threat actor can perform. They are of the form attack_type:attack_name; see below for specific examples.
  • domain_themes (String): Themes for actor domains.
  • sender_themes (String): Themes for the emails the actor sends.
  • subjects (String): Subjects for the emails the actor can send.
  • file_names (String): File names used by the actor.
  • file_extensions (String): File extensions used by the actor.
  • tlds (String): Top Level Domains such as .com, .io, .info.
  • malware (String): Name of the malware used by the actor. Any malware named here must also have an associated .yaml file. We will go over this in the next section of the blog below.
  • recon_search_terms (String): Recon terms the actor uses.
  • sender_emails (String): Email addresses used by the actor.
  • spoof_email (Boolean): True or False.
  • count_init_passive_dns (Integer): Specifies the # of DNS records for the actor.
  • count_init_email (Integer): Specifies the initial # of emails from the actor at the start of the game.
  • count_init_browsing (Integer): Specifies the # of web requests to actor domains from employees.
  • max_wave_size (Integer): Specifies the number of email waves from the actor as the game progresses. Each wave will have multiple emails.

As of the time of this writing I believe these are the current supported attack types.

  • delivery:supply_chain
  • email:credential_phishing
  • email:malware_delivery
  • identity:password_spray
  • recon:browsing
  • remote_exploitation:proxyshell

Malware

What would threat actors be without the malware they use? Therefore, we likely want to create some malware that suits the actors.

In order to customize the malware the actors may use in the game data, we need to concern ourselves with their configuration files, which are stored in the following directory:


Listing the contents of this directory we see:

Each malware has its own YAML config file. To configure a new piece of malware, create a YAML config file with the name you want the malware to have. NOTE: This is the name you will have to place in the malware section of any actor config that should use it. So, if we wanted to add a piece of malware known as “kitten” to the game we would create a file named “kitten.yaml”.

Just like with the threat actors, you can customize these to the audience for which you are creating the game data.

Let’s take a look at the pre-existing malware of “unhelpfuldesk.yaml”.

name: unhelpfuldesk
# section keys restored from the breakdown below; the recon_processes/c2_processes split is inferred
filenames:
  - updater.dll
  - recordsvr.exe
  - svhost.exe
  - infector.exe
paths:
  - C:\ProgramData\Microsoft\Applications\
  - C:\Windows\system32\
  - C:\ProgramData\USOShared\
recon_processes:
  - name: cmd.exe
    process: whoami
  - name: ping.exe
    process: ping
  - name: cmd.exe
    process: net user Administratr
c2_processes:
  - name: ligolo.exe
    process: ligolo.exe {ip_address}
  - name: putty.exe
    process: putty.exe -ssh root@{ip_address}
  - name: cmd.exe
    process: reg add HKLM\SYSTEM\CurrentCOntroLSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
  - name: schtasks.exe
    process: schtasks /create /sc minute /mo 1 /tn "ttttask" /tr C:\Windows\system32\infector.exe /ru "SYSTEM"

Let’s break these down:

  • name: The name of your malware. It should be the same as listed in the actor config that uses this malware.
  • filenames: The filenames the malware uses. Depending on your audience you may want to make these more or less obvious.
  • paths: The file paths in which the malware can be found on the infected system.
  • recon_processes: This field has 2 sub-fields for each process used:
	name: the executable it can use, such as cmd.exe.
	process: the action the executable takes, such as pinging an IP address or running the whoami command.
  • c2_processes: This field has the same 2 sub-fields for each process used:
	name: the executable it can use, such as cmd.exe.
	process: the action the executable takes, such as “reg add HKLM\…….UseLogonCredential /t REG_DWORD /d 1 /f” to modify the registry and create the UseLogonCredential value set to 1, which allows plaintext passwords to be stored in memory.

But this is just a file name. It won’t have a hash or be able to show up as malicious if it is checked in something like VirusTotal (VT).

Don’t worry. The game developers have you covered. There is a list of known malicious hashes from VT elsewhere in the code that will get assigned to the malware as it is used in the game data. This way, the participants can actually check the hashes on VT and see the results for real malware without any actual risk.

Seed Text

This is the text the game pulls from to create various themed text you will see throughout the game and should likely reflect the field of the business. For instance, in the training material for this game we see the following:

The seed file is located at “cyber-challenger/app/game_configs/gameplay/seed_text.txt”.

Here is a snippet of the contents of the file.

This does not have to be something you write yourself. You can find some articles, blogs or news about the industry of the company you are creating and put it in this file. Just make sure it is sufficiently long so there is plenty of text to pull from. This file has 104 blocks of text (including blank lines, according to vim).

In Summary

There is a lot of potential to customize the game data to suit those that will be participating. Yes, it will take a bit of time and effort, but doing so will add to the learning experience and fun. The great thing about it is that you can run multiple games for the same audience without having to change the config files for the next time. Just reset the game and have it generate new random data using what is in the config files.

There are some additional ways to customize the game data but what I have provided above should be more than enough for most use cases. I will likely cover the other ways in a future post.

I hope some of you find this helpful and that the scenarios you create with this will not only help train our existing cyber defenders but also garner interest from and create future defenders.

Thank you,

