Security Challenges

What are Security Challenges?

Security Challenges are optional achievements you earn in DetectX Swift v1.080 and later. On this page you will find instructions and tips for completing each challenge.

You can also ask questions and discuss the challenges in the Sqwarq Slack group’s #security-challenges channel.

These achievements help you learn more about macOS security and troubleshooting with DetectX Swift and contribute to the Expertise level displayed in the application’s main interface.



The task

After enabling each challenge, your task is to find the dummy “malware” that has been installed. The dummies are, of course, harmless, but they use techniques similar to those genuine malware uses to achieve persistence and stealth execution.

The dummies have been constructed in such a way that they avoid DetectX Swift’s built-in search tool, but you can still use DetectX Swift’s capabilities to find and remove them.

In so doing, you increase your knowledge of how to use DetectX Swift to its fullest capabilities and boost your understanding of macOS security.


How to enable the Security Challenges

In DetectX Swift, v1.080 or higher:

  • Click the Expertise button at the bottom left of the main application window.
  • Click one of the Security Challenge icons in the upper pane of the Expertise window.
  • In the lower pane, if the Challenge is available, click Activate to start the challenge.



Security Challenge 1 (Level: Entry)

After clicking the Activate button, the dummy files are installed and a file appears on your Desktop called ‘Security Challenge 1.txt’. The dummy will write a short string of data to this file at regular intervals. Your challenge is to find out what is causing the file to be updated.

To complete the challenge and earn the achievement, supply three correct pieces of information in the lower pane of the Expertise window for Security Challenge 1:

  • Persistence path
  • Executable path
  • Command executed

Each path should be the full path, beginning with “/” for files outside your home folder or “~/” for files within it.

When all three fields are correct, the files will be automatically removed and the challenge is complete.

You can end the challenge and deactivate the dummy files at any time by clicking the Deactivate button.

You can restart the challenge at any time by clicking Activate again.



Tips for SC1

The ‘Persistence path’ field requires the path to the file that runs the executable file on a given schedule or trigger.

  • Check DetectX Swift’s History for recently added items.
  • If you found the path in DetectX, but don’t see it in the Finder, this article might help.

The ‘Executable path’ field requires the path to the file that runs the command that writes to the ‘Security Challenge 1.txt’ file on your Desktop.

  • In the Persistence file, you’ll find the executable path is encoded. Identify the part that is encoded and see if you can reverse the encoding.
  • The man pages for openssl and base64 should help you.
  • Note that the encoding has been applied twice. You’ll need to decode twice, too!

The ‘Command executed’ field requires the command within the executable file that causes data to be written to the ‘Security Challenge 1.txt’ file.

  • The command is the plain text version of the final line in the executable file.
  • Use the same technique that you used to reverse the encoding in the persistence file to reveal the plain text command in the executable.
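The tips above, done by hand from the Terminal, as an added shell example (this is not DetectX Swift’s code and not part of the original page): it lists recently modified files in the folders launchd reads persistence items from, pulls base64-looking tokens out of a property list, and reverses a base64 encoding that was applied twice. The sample LaunchAgent it writes, its label com.example.sc1 and the command it carries are constructed for illustration and are not the challenge’s actual files.

```shell
#!/bin/sh
# Added example for the SC1 tips; not DetectX Swift's code and not from the
# original page. It does by hand what the tips describe: lists recently
# modified launchd property lists (macOS's usual persistence mechanism),
# extracts base64-looking tokens from one, and decodes them twice.
# The sample plist, its label com.example.sc1 and the command it carries
# are constructed for illustration; they are not the challenge's real files.

# Decode one layer of base64. openssl ships with macOS and most Linux
# distributions; -d decodes and -A accepts a single line of any length.
# The fallback spelling, base64 --decode, works on both macOS and GNU
# coreutils (macOS also accepts -D, GNU also accepts -d).
decode_once() {
    if command -v openssl >/dev/null 2>&1; then
        printf '%s' "$1" | openssl base64 -d -A
    else
        printf '%s' "$1" | base64 --decode
    fi
}

# The challenge applied the encoding twice, so decode twice.
decode_twice() {
    decode_once "$(decode_once "$1")"
}

# Encode twice; used only to build the constructed sample below.
encode_twice() {
    printf '%s' "$1" | base64 | tr -d '\n' | base64 | tr -d '\n'
}

# List files under the given directories modified in the last N minutes.
# Usage: recent_persistence MINUTES DIR...
# On a real Mac pass ~/Library/LaunchAgents, /Library/LaunchAgents and
# /Library/LaunchDaemons.
recent_persistence() {
    mins=$1
    shift
    find "$@" -type f -mmin "-$mins" 2>/dev/null | sort
}

# True when the argument is non-empty, printable text. Decoding a token
# that only looked like base64 yields binary noise, which this rejects.
is_text() {
    [ -n "$1" ] && [ -z "$(printf '%s' "$1" | LC_ALL=C tr -d '[:print:][:space:]')" ]
}

# Print each token in FILE that double-decodes to text, as "TOKEN -> PLAINTEXT".
find_encoded() {
    grep -oE '[A-Za-z0-9+/]{16,}={0,2}' "$1" | sort -u | while IFS= read -r tok; do
        plain=$(decode_twice "$tok" 2>/dev/null) || plain=
        if is_text "$plain"; then
            printf '%s -> %s\n' "$tok" "$plain"
        fi
    done
}

# Write a constructed LaunchAgent into DIR whose ProgramArguments carry a
# double-encoded command, and print the file's path.
make_sample_plist() {
    tok=$(encode_twice 'echo tick >> "$HOME/Desktop/Security Challenge 1.txt"')
    cat > "$1/com.example.sc1.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.sc1</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string><string>-c</string>
    <string>echo $tok | base64 --decode | base64 --decode | sh</string>
  </array>
  <key>StartInterval</key><integer>60</integer>
</dict></plist>
EOF
    printf '%s\n' "$1/com.example.sc1.plist"
}

# Run the whole SC1 workflow against a temporary directory standing in for
# ~/Library/LaunchAgents.
demo() {
    work=$(mktemp -d)
    plist=$(make_sample_plist "$work")
    echo "Persistence files modified in the last 10 minutes:"
    recent_persistence 10 "$work"
    echo "Double-decoded tokens in $plist:"
    find_encoded "$plist"
    rm -rf "$work"
}

demo
```

On a real Mac, `recent_persistence 60 ~/Library/LaunchAgents /Library/LaunchAgents /Library/LaunchDaemons` narrows the search to files changed since the challenge was activated, and `find_encoded` on the plist you find prints the hidden executable path without you having to spot the encoded part by eye. DetectX Swift’s History remains the quicker route; the point here is to see what the application is doing for you.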



Security Challenge 2 (Level: Intermediate)

Forthcoming…



Security Challenge 3 (Level: Advanced)

Forthcoming…