2026 CCDC Aftermath
The 2026 season was my most involved season yet. Here are some thoughts from behind the curtain explaining some changes we made and documenting how the competition continues to evolve.
I made it a goal of mine to be more involved in CCDC this past season. I was successful in execution; however, I still feel like there's more headway to be made in improving the competition for all competitors. That being said, I think we have made some notable progress in how the Midwest and Mid-Atlantic competition is organized and run, though I will be the first to admit we still have a long way to go.
Pre-Gaming
This year I was invited by Dr. Durkee to get involved in the infrastructure committee for the Midwest region. I took him up on the offer mostly to understand the design processes and constraints. We started work on planning the environment back in August, with the infra team getting it properly built out in the week leading up to the first invitationals. For returning students in Midwest, Mid-Atlantic, and Rocky Mountain regions in the 2026 season, you probably noticed the environment was familiar, but different. The scored services were pretty similar, but with some tweaks.
We had planned to make a few more changes between invitationals and qualifiers, but unfortunately I was not able to attend a few meetings in November or December due to other personal commitments, so ultimately I don't know why those proposed changes fell through. Once I rejoined regular meetings around the new year, we focused our attention on the regional environment.
Invitationals
Invitationals this year went relatively smoothly. We had a relatively light hand and generally gave a lot of leeway as red team. I don't really have a whole lot to cover here. I think there were some minor hiccups on the first invitational and it was smooth sailing from there. We also saw a lot of new folks join the red team and make appearances during invitationals, which is awesome. John, the regional lead, was out for most of invitationals, so we had a mix of folks take things over for these.
Qualifiers
Mid-Atlantic
One of my hallmarks of expanding involvement this year was that I led the red team outside of Minnesota and Indiana for the first time! Due to some scheduling shenanigans, I essentially had 48 hours to come up with a red team for Mid-Atlantic qualifiers. Fortunately, we had a good turnout of red team folks, which I remain grateful for. I was able to test out Mythic in the environment, and that seemed to go well. We had some other new tooling provided by new red teamers, but that's their story to tell, not mine.
We ended up with 15 incident reports for this competition. Here's the team breakdown:
- Team 5: 1
- Team 7: 2
- Team 8: 3
- Team 9: 1
- Team 10: 1
- Team 12: 4
- Team 13: 2
- Team 15: 1
Some general comments: for the most part the reports are an improvement over what I have seen in the past. It also seemed like every team is using a template, which is awesome! This saves a ton of time in the competition and has been something I have pushed teams to do for a few years now. Glad to see that Mid-Atlantic is doing this well! Evidence and technical analysis were also a highlight and a cut above what I usually see, so again I am pretty happy with the state of the IRs I received.
Tal0n's and Citty's shenanigans and team trolling also proved to be pretty popular amongst students. I have to give them credit for some of my favorite trolling malware, because this is hilarious.

We of course also deployed our classic nyancat payload, which is always a hit.

We also had someone flipping terminals upside down and inverting them; I can't remember who exactly was doing it. However, we ended up getting this piece of art and it's my new favorite thing we've ever done to a box.

Minnesota and Indiana
Like most years, the Minnesota and Indiana qualifier ended up as the first competition of the season for Midwest. As usual, we made the yearly pilgrimage to Alexandria Technical and Community College for the competition, and we had a few snags on the way. Starting with one of the most "I live in the Midwest" things possible, Lake Superior College's coach hit a deer on the way up. The second snag for us once we got up there was that Dakota State University ended up getting locked out of their rooms, as the keys that were provided for them were missing upon their arrival. Fortunately, we had a lot of nerds with lock picks available to help once it became clear that the students' attempts to get in contact with coordination staff had failed, as the staff had gone to bed for the night.
Once competition day started, the Chief Judge and I were given a few minutes to speak in the morning to help set the stage for the competition. The goal was to avoid repeating an error we made last year, where the students were told that they don't have to worry about Red Team trying to get into their rooms. This time we re-framed that by requesting that students verify badges. Of course, Red Team was sitting in the front row, and the Chief Judge had his badge on, so we were taking pictures of the badge to clone it while he was talking.
As for the actual competition, this was rough for us. First off, I modified some tooling to make initial access easier, which should have helped a lot. However, I made a tactical whoopsie and set the wrong 3rd octet for teams, so my initial access scripts were all targeting non-existent systems 🤦. We had some tweaks in timing too, in that we got permission to start right at the drop flag. This is a pretty significant change compared to years past, and was driven by teams getting their stuff locked down significantly faster than in years before. For Mid-Atlantic I had a 15-minute delay from drop flag to Red Team start, and we had quite a few teams finish their hardening in that time, resulting in us never finding a way in. I also had my C2 domain blocked, which really killed a lot of my plans.
Quick Side Note - Why this Matters
I commend teams that do a good job of keeping us out, or finding us and kicking us out. That's where the best performing teams usually showcase their technical prowess. That being said, I treat CCDC with the mindset that it needs to be a learning experience first, and competition second. Part of that learning experience comes from the ability to operate in a pressure cooker. That means knowing that it's a matter of time until we get into your infrastructure and that you need to continuously monitor for us, with paranoia and stress high, while also keeping yourself calm and working efficiently. This is the number one thing that competitors should be getting from the competition.
In the real world there will be times you have to operate under intense pressure, whether it's assisting an ongoing incident, a zero day dropping while you are in the middle of a certification exam, debriefing executives after compromising their AD forest, or discovering a critical flaw in the architecture you are involved with. Having experience working in a high stress situation sets you apart from someone who just did their coursework. In order to create that pressure cooker, we need to be in your environment and setting stuff on fire. So while it's awesome to see that teams are getting faster at hardening and keeping us out, it's now time to tip the scales a little bit so we can keep the pressure up on blue teams. I'll have more about this later.
Back to The Recap
Like Mid-Atlantic, we saw teams moving faster than ever and it's been fantastic. Six years ago Red Team had an hour delay in Minnesota. When I started on the Red Team three years ago, it was 30 minutes. Teams are getting faster and more effective. I love to see it. We also noticed a significant uptick in Incident Report submissions this year, which again is awesome to see.
We got 36 incident reports this year in the Minnesota and Indiana qualifiers:
- Team 1: 7
- Team 2: 7
- Team 5: 6
- Team 8: 6
- Team 9: 3
- Team 11: 1
- Team 12: 1
- Team 13: 1
- Team 14: 3
- Team 15: 1
Now, the quality of the Incident Reports is another matter. We saw overall improvement, but things still are not where I want them to be. I have a work-in-progress blog post for incident reports where I want to commend and condemn some of the ones I received this past year, to help teams improve.
Qualifier Aftermath
Minnesota and Indiana qualifiers went fairly smoothly. Scoring took a bit longer than usual because there were significantly more IRs than in years past. I then recruited some red team and white team folks to help me with debriefs this year. For those who aren't in MN or IN competitions, I provide an individualized team debrief to teams who request them. I don't do this outside those competitions mostly due to the fact that they take up a ton of time. This year we met with 12 teams I believe. These are some of my favorite conversations with teams, as they are where I can make the most impact. I give teams a run-down on what went wrong, and very targeted tips on what they can do to improve for next time. I didn't take part in the wildcards this year because I was off eating cake. I passed some notes onto the regional team and started prepping for regionals while handling those debriefs.
Regionals
I participated on the red team for regionals for the first time this year! Unfortunately, I could not be on-site, but I am aiming to be next year. One thing that was kind of nice about regionals was not having to worry as much about running stuff, grading IRs, or making sure my teammates are logging their actions properly. I could sit back and focus on trolling teams instead. Like with the state competition I was rolling Mythic and Apollo, except this time it turned out to be actually useful because my domain wasn't blocked. I spent most of the time messing with teams and DCSyncing creds before handing them back off to our favorite initial access broker, tal0n. Generally speaking I just wanted to be a nuisance and make the scoreboard go blinky red.
I had a good time with teams chatting with me via screenshots and notepad.

One thing that did surprise me, though, was that only a single team found Apollo and wrote an IR for it. Apollo is a deliberately noisy payload designed for training scenarios, so it was perfect for CCDC. I also learned that Malwarebytes doesn't care about Apollo at all. I had it running on Team 11's system and was being noisy by running cmd and powershell commands directly from Apollo. The only time it gave me issues was when I tried to kill Malwarebytes, or inject shellcode into it. I also had a team break my screenshot utility, which was just mean 😦. How am I supposed to see your responses to trolling you without being able to read your posts?
Post-Season Aftermath
Infrastructure
Fortunately, I have a much better idea now of some of the mechanics involved in why things have been stagnant in the Midwest environment for so long. The team that puts it together has literally been the same team for ~20 years, with a lot of people who are either school faculty, staff, or have been in the same role for a very long time. Now, this isn't to say that the infrastructure volunteers are bad at their jobs, not at all. What I've found out is that they need some additional people working on infrastructure, and new ideas. If you are a returning student who participated in Midwest, Mid-Atlantic, or Rocky Mountain this year, you may have noticed the infra is different, yet familiar.
We had the same scored services, but different underlying applications powering them, generally speaking. Also Active Directory was kind of real this year, which as a guy who enjoys trashing Windows, this made me happy. In the future I would love to see everything tied into AD, since that's a pretty reasonable expectation in a modern company. We are hoping to make some significant changes next year on the infrastructure side, but nothing is set in stone as of yet. If our plans work out, things will be a massive improvement for teams in the future. We already plan to start infrastructure development much earlier than we did this year, which should give us more runway to adapt if something falls through.
Red Team
Next I want to discuss some of the red team stuff that changed this year. I approach the competition from a lens that it needs to train students first, and be a competition second. I try to ground advice in reality, and push teams in a way that the best solution is the most realistic solution. This means, however, that we need to up the bar in the infrastructure game, as well as the red team game. It also means that we need to significantly improve our tradecraft on the red team side, especially on Windows. Introducing widespread C2 usage this year is the first step, but I have some plans to cook up over the summer for next season.
As mentioned, I brought Mythic with Apollo and Poseidon for this year. This allowed us to be significantly more flexible in our operational capabilities, and will serve as a fantastic platform as infrastructure grows. Teams will need to learn how to hunt C2s, and if you use RedefiningReality's Defender's Toolkit, you should be able to find Apollo pretty easily once you get C2 hunting methodology down. I am also working on a tool to help students install and orchestrate Mythic, and I hope to have v1 released soon™️.
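For blue teams wondering what hunting a noisy agent can look like when antivirus stays quiet, here is one starting point, as an added example that is not code from this post or from the Defender's Toolkit: group shell launches by parent process and surface parents that are unexpected or run from user-writable paths. It assumes process-creation logging with Sysmon Event ID 1 field names and that the agent's commands show up as shell child processes; the events, the `updater.exe` name and the parent baseline are constructed for illustration.

```python
from pathlib import PureWindowsPath

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumed baseline of parents that normally launch shells; tune per environment.
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "windowsterminal.exe"}
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")

# Constructed sample events using Sysmon Event ID 1 field names.
# "updater.exe" is a made-up implant name, not an indicator from the post.
EVENTS = [
    {"Computer": "WS01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe", "ParentProcessId": 4120,
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Computer": "WS01", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami /all", "ParentProcessId": 6612,
     "ParentImage": r"C:\Users\Public\updater.exe"},
    {"Computer": "WS01", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c net user", "ParentProcessId": 6612,
     "ParentImage": r"C:\Users\Public\updater.exe"},
    {"Computer": "WS01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c Get-Process", "ParentProcessId": 6612,
     "ParentImage": r"C:\Users\Public\updater.exe"},
]


def reasons_for(event):
    """Return why a shell launch looks suspicious, or [] if it does not."""
    if PureWindowsPath(event["Image"]).name.lower() not in SHELLS:
        return []
    parent = event["ParentImage"].lower()
    reasons = []
    if PureWindowsPath(parent).name not in EXPECTED_PARENTS:
        reasons.append("unexpected parent")
    if any(part in parent for part in USER_WRITABLE):
        reasons.append("parent in user-writable path")
    return reasons


def hunt(events):
    """Group suspicious shell launches by parent process, noisiest first."""
    findings = {}
    for ev in events:
        why = reasons_for(ev)
        if why:
            key = (ev["Computer"], ev["ParentImage"], ev["ParentProcessId"])
            entry = findings.setdefault(key, {"reasons": set(), "commands": []})
            entry["reasons"].update(why)
            entry["commands"].append(ev["CommandLine"])
    return sorted(findings.items(), key=lambda kv: len(kv[1]["commands"]), reverse=True)
```

Calling `hunt(EVENTS)` returns one finding: the parent with PID 6612 and the three commands it launched, which is the kind of evidence an incident report needs.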
Looking Forward to Next Year
I love the momentum we have leaving this year and going into next, and I want to capture that momentum to continue pushing Midwest forward. Since Midwest covers 3 regions, it's a pretty significant number of students that fall in our purview, and I take teaching y'all seriously. Personally speaking, I want to get some tools developed and ready to go for next year. I hope to help out in a Western invitational or maybe regionals, in addition to Midwest. Midwest is still my primary region and where I will remain at home, but I want to explore Wasabi and co's madness. I may also reach out and see if I can help out with the Nationals red team in 2027.
We have made improvements and I think they are generally positive. However, as I said before I understand we have a long way to go. I will continue to push this competition to be as helpful for students as I possibly can. I hope teams enjoyed their competition season, and I look forward to being a pain in your ass again next year. If you want a place to hang out with current and former CCDC students, volunteers, and red teamers, come check out the Unofficial CCDC Discord server. I'll see you there.