Microsoft KC7: Elf Conflict
Silver
Type let's do this to begin your KQL training.
let's do this
when in doubt take 10
Employees
| take 10
How many elves did you find? (Apparently Santa and Mrs Claus count as elves in this universe).
90
Employees
| count
What is the name of the Chief Toy Maker?
Shinny Upatree
Employees
| where role=='Chief Toy Maker'
Type operator to continue.
operator
How many e-mails did Angel Candysalt receive?
31
Email
| where recipient == "angel_candysalt@santaworkshopgeeseislands.org"
| count
How many distinct recipients were seen in the email logs from twinkle_frostington@santaworkshopgeeseislands.org?
32
Email
| where sender has "twinkle_frostington@santaworkshopgeeseislands.org"
| distinct recipient
| count
How many distinct websites did Twinkle Frostington visit?
4
To get the IP:
Employees
| where name == 'Twinkle Frostington'
Next, check the OutboundNetworkEvents table for that IP:
OutboundNetworkEvents
| where src_ip == "10.10.0.36"
| distinct url
| count
How many distinct domains in the PassiveDns records contain the word green?
10
PassiveDns
| where domain contains 'green'
| distinct domain
| count
How many distinct URLs did elves with the first name Twinkle visit?
8
let twinkle_ips =
Employees
| where name has "Twinkle"
| distinct ip_addr;
OutboundNetworkEvents
| where src_ip in (twinkle_ips)
| distinct url
| count
Enter 8 as the KQL 101 answer in the badge.
Section 2: Operation Surrender - Alabaster's Espionage
Type surrender to continue:
surrender
Who was the sender of the phishing e-mail that set this plan into motion?
surrender@northpolemail.com
Email
| where subject contains "surrender"
How many elves from Team Wombley received the phishing email?
22
Email
| where subject contains "surrender"
| distinct recipient
| count
What was the filename of the document that Team Alabaster distributed in their phishing email?
Team_Wombley_Surrender.doc
Email
| where subject contains 'surrender'
| distinct link
Who was the first person from Team Wombley to click the URL in the phishing email?
Joyelle Tinseltoe
Employees
| join kind=inner (
OutboundNetworkEvents
) on $left.ip_addr == $right.src_ip // condition to match rows
| where url contains "Team_Wombley_Surrender.doc"
| project name, ip_addr, url, timestamp // project returns only the information you select
| sort by timestamp asc //sorts time ascending
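The two patterns used so far, the let-statement lookup by first name (the Twinkle query) and the Employees-to-OutboundNetworkEvents join sorted by timestamp, reimplemented in plain Python over constructed rows. This is an added example, not part of the walkthrough or of KC7; the elf names and the 10.10.0.36 address come from the page, every other IP, URL and timestamp is made up for the sample.

```python
# Added example (not from the KC7 walkthrough): a plain-Python version of the
# KQL join between Employees and OutboundNetworkEvents, plus the "let" lookup
# by first name. All rows below are constructed sample data; only the names
# and the 10.10.0.36 address come from the walkthrough.
from datetime import datetime

EMPLOYEES = [
    {"name": "Joyelle Tinseltoe", "ip_addr": "10.10.0.41"},    # constructed IP
    {"name": "Twinkle Frostington", "ip_addr": "10.10.0.36"},  # IP from the walkthrough
    {"name": "Twinkle Icicle", "ip_addr": "10.10.0.52"},       # constructed elf and IP
    {"name": "Angel Candysalt", "ip_addr": "10.10.0.77"},      # constructed IP
]

DOC = "Team_Wombley_Surrender.doc"
OUTBOUND = [  # constructed events; timestamps chosen so Angel clicks after Joyelle
    {"src_ip": "10.10.0.77", "url": f"https://phish.example/{DOC}", "timestamp": "2024-11-27T14:15:02Z"},
    {"src_ip": "10.10.0.41", "url": f"https://phish.example/{DOC}", "timestamp": "2024-11-27T14:10:45Z"},
    {"src_ip": "10.10.0.36", "url": "https://greenelf.example/news", "timestamp": "2024-11-27T14:11:00Z"},
    {"src_ip": "10.10.0.36", "url": "https://greenelf.example/news", "timestamp": "2024-11-27T14:12:00Z"},
    {"src_ip": "10.10.0.52", "url": "https://toyparts.example/", "timestamp": "2024-11-27T14:13:00Z"},
]

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def join_employees_to_events(employees, events):
    """Inner join on $left.ip_addr == $right.src_ip, as in the KQL query."""
    by_ip = {}
    for emp in employees:
        by_ip.setdefault(emp["ip_addr"], []).append(emp)
    for ev in events:
        for emp in by_ip.get(ev["src_ip"], []):
            yield {**emp, **ev}  # name, ip_addr, src_ip, url, timestamp

def clicks_on(employees, events, needle):
    """'where url contains needle | project ... | sort by timestamp asc'."""
    rows = [r for r in join_employees_to_events(employees, events) if needle in r["url"]]
    return sorted(rows, key=lambda r: parse_ts(r["timestamp"]))

def first_clicker(employees, events, needle):
    """Name on the earliest matching row, or None if nobody clicked."""
    rows = clicks_on(employees, events, needle)
    return rows[0]["name"] if rows else None

def distinct_urls_by_first_name(employees, events, first_name):
    """The 'let twinkle_ips = ...' pattern: collect the IPs of elves whose name
    has the given term, then return the distinct URLs visited from those IPs."""
    ips = {e["ip_addr"] for e in employees if first_name in e["name"].split()}
    return {ev["url"] for ev in events if ev["src_ip"] in ips}

if __name__ == "__main__":
    print(first_clicker(EMPLOYEES, OUTBOUND, DOC))
    print(len(distinct_urls_by_first_name(EMPLOYEES, OUTBOUND, "Twinkle")))
```

The join is keyed on the address alone, exactly like the KQL, so it inherits the same caveat: if DHCP reassigns an address during the period queried, a click can be attributed to whoever currently owns that IP in the Employees table, which is why the KQL keeps the timestamp in the projection.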
What was the filename that was created after the .doc was downloaded and executed?
keylogger.exe
ProcessEvents
| where timestamp between(datetime("2024-11-27T14:10:45Z") .. datetime("2024-11-27T14:12:45Z")) // you'll need to adjust this window to the time of the click
| where hostname == "Elf-Lap-W-Tinseltoe"
Take your last answer and base64 encode it.
Silver achieved.
Gold
Section 3: Operation Snowfall - Team Wombley's Ransomware Raid
Type snowfall to begin
snowfall
What was the source IP associated with the password spray?
59.171.58.12
AuthenticationEvents
| where result == "Failed Login"
| summarize FailedAttempts = count() by username, src_ip, result
| where FailedAttempts >= 5
| sort by FailedAttempts desc
How many unique accounts were impacted where there was a successful login from 59.171.58.12?
23
AuthenticationEvents
| where src_ip=="59.171.58.12"
| where result=="Successful Login"
| distinct username
| count
What service was used to access these accounts/devices?
RDP
AuthenticationEvents
| where src_ip=="59.171.58.12"
| where result=="Successful Login"
| distinct description
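The three queries in this section (failed-login counts, distinct accounts with a successful login from the spray source, and the service used), reimplemented in Python over constructed AuthenticationEvents rows so the logic can be run offline. This is an added example and not part of the walkthrough or of KC7; only the 59.171.58.12 address and the alsnowball username are taken from the page, the other usernames, the description strings and the event counts are made up. The spray_sources function goes beyond the page's query: it aggregates by source IP and counts distinct accounts, which is the classic spray signature (one source, many accounts, few attempts each).

```python
# Added example (not from the KC7 walkthrough): the password-spray and
# follow-on queries from this section, reimplemented in Python over constructed
# AuthenticationEvents rows. Only 59.171.58.12 and the username alsnowball come
# from the walkthrough; the other usernames and descriptions are made up.
from collections import Counter, defaultdict

SPRAY_IP = "59.171.58.12"
TARGETS = ("alsnowball", "nboetie", "tfrostington")  # alsnowball from the page, others constructed

AUTH_EVENTS = (
    # five failures per account from the spray source (constructed)
    [{"username": u, "src_ip": SPRAY_IP, "result": "Failed Login", "description": "RDP"}
     for u in TARGETS for _ in range(5)]
    # two accounts eventually succeed over RDP (constructed)
    + [{"username": u, "src_ip": SPRAY_IP, "result": "Successful Login", "description": "RDP"}
       for u in ("alsnowball", "nboetie")]
    # benign noise: one typo, then a normal login from an internal host (constructed)
    + [{"username": "tfrostington", "src_ip": "10.10.0.36", "result": "Failed Login", "description": "Workstation"},
       {"username": "tfrostington", "src_ip": "10.10.0.36", "result": "Successful Login", "description": "Workstation"}]
)

def failed_attempts(events, threshold=5):
    """summarize FailedAttempts = count() by username, src_ip
       | where FailedAttempts >= threshold | sort by FailedAttempts desc"""
    counts = Counter((e["username"], e["src_ip"]) for e in events if e["result"] == "Failed Login")
    hits = [(user, ip, n) for (user, ip), n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda t: t[2], reverse=True)

def spray_sources(events, min_accounts=3):
    """Beyond the page's query: one source failing against many distinct accounts."""
    users = defaultdict(set)
    for e in events:
        if e["result"] == "Failed Login":
            users[e["src_ip"]].add(e["username"])
    return {ip: len(u) for ip, u in users.items() if len(u) >= min_accounts}

def compromised_accounts(events, src_ip):
    """distinct username where src_ip matches and result == 'Successful Login'"""
    return {e["username"] for e in events if e["src_ip"] == src_ip and e["result"] == "Successful Login"}

def services_used(events, src_ip):
    """distinct description for the successful logins from src_ip"""
    return {e["description"] for e in events if e["src_ip"] == src_ip and e["result"] == "Successful Login"}

if __name__ == "__main__":
    print(failed_attempts(AUTH_EVENTS))
    print(spray_sources(AUTH_EVENTS))
    print(sorted(compromised_accounts(AUTH_EVENTS, SPRAY_IP)))
    print(services_used(AUTH_EVENTS, SPRAY_IP))
```

Note that the page's per-(username, src_ip) count only fires when a source tries one account at least five times; a low-and-slow spray with one or two attempts per account would pass under that threshold, which is what the per-source distinct-account count catches.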
What file was exfiltrated on Alabaster's laptop?
Secret_Files.zip
The attackers used RDP for the password spray at 2024-12-11T01:39:50Z and did some reconnaissance, but they did not exfiltrate the file until 12/16/24.
AuthenticationEvents
| where src_ip=="59.171.58.12"
| where result=="Successful Login"
| where username=="alsnowball";
Employees
| where username=="alsnowball";
ProcessEvents
| where hostname == "Elf-Lap-A-Snowball"
What is the name of the malicious file that was run on Alabaster's laptop?
EncryptEverything.exe
ProcessEvents
| where hostname == "Elf-Lap-A-Snowball"
Create the flag:
Flag: RW5jcnlwdEV2ZXJ5dGhpbmcuZXhl
Add RW5jcnlwdEV2ZXJ5dGhpbmcuZXhl to the badge under the Microsoft KC7 Objective under Operation Snowball.
Section 4: Echos in the Frost: Tracking the Unknown Threat
Type stay frosty to begin:
stay frosty
What was the timestamp of the first phishing e-mail about breached credentials for Noel Boetie?
2024-12-12T14:48:55Z
Email
| where recipient=="noel_boetie@santaworkshopgeeseislands.org"
| where subject contains "breach"
When did Noel Boetie click the link to the first file?
2024-12-12T15:13:55Z
Email
| where recipient=="noel_boetie@santaworkshopgeeseislands.org"
| where subject contains "breach"
| distinct link;
https://holidaybargainhunt.io/published/files/files/echo.exe
Employees
| where name contains "Noel";
OutboundNetworkEvents
| where src_ip contains "10.10.0.9"
What was the IP for the domain where the file was hosted?
182.56.23.122
PassiveDns
| where domain contains "holidaybargainhunt.io"
Let's take a closer look at the authentication events. I wonder if there are any connection events from 182.56.23.122. If so, what hostname was accessed?
WebApp-ElvesWorkshop
AuthenticationEvents
| where src_ip=="182.56.23.122"
What was the script that was run to obtain credentials?
Invoke-Mimikatz.ps1
In the process command line, PowerShell is shown downloading this script.
ProcessEvents
| where hostname=="WebApp-ElvesWorkshop"
What is the timestamp where Noel executed the file?
2024-12-12T15:14:38Z
One of the filenames was echo.exe. Looking at the process events, that file was run at 2024-12-12T15:14:38Z.
ProcessEvents
| where hostname=="Elf-Lap-A-Boetie"
What domain was holidaycandy.hta downloaded from?
compromisedchristmastoys.com
OutboundNetworkEvents
| where url contains "holidaycandy.hta"
What was the first file that was created after extraction?
sqlwriter.exe
After the holidaycandy.hta file is executed, the following registry key is created.
New-Item -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "MS SQL Writer" -Force | New-ItemProperty -Name "frosty" -Value "C:\Windows\Tasks\sqlwriter.exe" -PropertyType String -Force
Notice that sqlwriter.exe is referenced.
ProcessEvents
| where hostname=="Elf-Lap-A-Boetie"
What is the name of the property assigned to the new registry key?
frosty
Again, a registry key is created.
New-Item -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "MS SQL Writer" -Force | New-ItemProperty -Name "frosty" -Value "C:\Windows\Tasks\sqlwriter.exe" -PropertyType String -Force
The name is frosty.
ProcessEvents
| where hostname=="Elf-Lap-A-Boetie"
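Detection logic for the persistence step shown in the last two questions: scan ProcessEvents-style rows for a PowerShell command line that writes under a CurrentVersion\Run key, and pull out the key, the property name and the binary that will autostart at logon. This is an added example, not part of the walkthrough or of KC7; the command line is the one quoted on the page, while the surrounding rows, their timestamps and the process_commandline column name are constructed for the sample.

```python
# Added example (not from the KC7 walkthrough): finds registry Run-key
# persistence in ProcessEvents-style rows and extracts the key, property name
# and autostart binary. The command line is the one shown on the page; the
# other rows, timestamps and the "process_commandline" field name are constructed.
import re

# HKCU/HKLM ...\CurrentVersion\Run or RunOnce, as written in a PowerShell -Path argument
RUN_KEY_RE = re.compile(r'(HK(?:CU|LM)[^"]*\\CurrentVersion\\Run(?:Once)?)', re.IGNORECASE)
# the -Name that belongs to New-ItemProperty (not the -Name of New-Item before the pipe)
PROP_NAME_RE = re.compile(r'New-ItemProperty\s.*?-Name\s+"([^"]+)"', re.IGNORECASE)
PROP_VALUE_RE = re.compile(r'-Value\s+"([^"]+)"', re.IGNORECASE)

PROCESS_EVENTS = [  # constructed rows around the page's command line
    {"timestamp": "2024-12-12T15:20:01Z", "hostname": "Elf-Lap-A-Boetie",
     "process_commandline": "whoami /all"},
    {"timestamp": "2024-12-12T15:20:07Z", "hostname": "Elf-Lap-A-Boetie",
     "process_commandline": r'New-Item -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "MS SQL Writer" -Force | New-ItemProperty -Name "frosty" -Value "C:\Windows\Tasks\sqlwriter.exe" -PropertyType String -Force'},
    {"timestamp": "2024-12-12T15:21:00Z", "hostname": "WebApp-ElvesWorkshop",
     "process_commandline": "notepad.exe C:\\temp\\notes.txt"},
]

def parse_run_key_write(cmdline):
    """Return the key, property and value of a Run-key write, or None if the
    command line does not touch a Run key."""
    key = RUN_KEY_RE.search(cmdline)
    if not key:
        return None
    name = PROP_NAME_RE.search(cmdline)
    value = PROP_VALUE_RE.search(cmdline)
    path = value.group(1) if value else None
    return {
        "key": key.group(1),
        "property": name.group(1) if name else None,
        "value": path,
        # last path component: the file that will run at logon
        "binary": path.replace("/", "\\").split("\\")[-1] if path else None,
    }

def find_run_key_persistence(events, field="process_commandline"):
    """Apply the parser to every row and keep the hits with host and time."""
    hits = []
    for ev in events:
        parsed = parse_run_key_write(ev.get(field, ""))
        if parsed:
            hits.append({"timestamp": ev["timestamp"], "hostname": ev["hostname"], **parsed})
    return hits

if __name__ == "__main__":
    for hit in find_run_key_persistence(PROCESS_EVENTS):
        print(hit)
```

The extracted binary path (here C:\Windows\Tasks\sqlwriter.exe) is the pivot for the "first file created after extraction" question: once the Run key points at it, the next step is to look for the FileCreationEvents or ProcessEvents row where that file appears on the same host.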
Create the flag:
Comments for Zapper
https://hhc24-dronepath.holidayhackchallenge.com/api/v1.0/drones?drone=%27%20OR%201=1
Yes it will. >:)
Gold