Monday, November 25, 2024

SANS: Holiday Hack 2024: Act 2: Microsoft KC7: Elf Conflict

Microsoft KC7: Elf Conflict

Silver

Type let's do this to begin your KQL training.

let's do this

When in doubt, take 10 returns a sample of rows so you can see what columns a table has:

Employees
| take 10 

How many elves did you find? (Apparently Santa and Mrs Claus count as elves in this universe).

90

Employees
| count 

What is the name of the Chief Toy Maker?

Shinny Upatree

Employees
| where role=='Chief Toy Maker'

Type operator to continue.

operator

How many e-mails did Angel Candysalt receive? 

31

Email
| where recipient == "angel_candysalt@santaworkshopgeeseislands.org"
| count

How many distinct recipients were seen in the email logs from twinkle_frostington@santaworkshopgeeseislands.org? 

32

Email
| where sender has "twinkle_frostington@santaworkshopgeeseislands.org"
| distinct recipient
| count

How many distinct websites did Twinkle Frostington visit? 

4

First get Twinkle's IP address from the Employees table:

Employees
| where name == 'Twinkle Frostington'

Next, check the OutboundNetworkEvents

OutboundNetworkEvents
| where src_ip == "10.10.0.36"
| distinct url
| count

How many distinct domains in the PassiveDns records contain the word green? 

10

PassiveDns
| where domain contains 'green'
| distinct domain
| count

How many distinct URLs did elves with the first name Twinkle visit? 

8

let twinkle_ips =
Employees
| where name has "Twinkle"
| distinct ip_addr;
OutboundNetworkEvents 
| where src_ip in (twinkle_ips) 
| distinct url
| count

Enter 8 as the KQL 101 answer in the badge.

Section 2: Operation Surrender - Alabaster's Espionage

Type surrender to continue:

surrender

Who was the sender of the phishing e-mail that set this plan into motion?

surrender@northpolemail.com

Email
| where subject contains "surrender"

How many elves from Team Wombley received the phishing email?

22

Email
| where subject contains "surrender"
| distinct recipient
| count

What was the filename of the document that Team Alabaster distributed in their phishing email?

Team_Wombley_Surrender.doc

Email
| where subject contains 'surrender'
| distinct link

Who was the first person from Team Wombley to click the URL in the phishing email? 

Joyelle Tinseltoe

Employees
| join kind=inner (
    OutboundNetworkEvents
) on $left.ip_addr == $right.src_ip // condition to match rows
| where url contains "Team_Wombley_Surrender.doc"
| project name, ip_addr, url, timestamp // project returns only the information you select
| sort by timestamp asc //sorts time ascending

What was the filename that was created after the .doc was downloaded and executed? 

keylogger.exe

ProcessEvents
| where timestamp between(datetime("2024-11-27T14:10:45Z") .. datetime("2024-11-27T14:12:45Z")) //you’ll need to modify this
| where hostname == "Elf-Lap-W-Tinseltoe"
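The timestamp range above has to be edited by hand for every host you look at. The query below is an added example, not part of the original walkthrough, that follows each click on the lure to the processes that ran on the clicker's host in the ten minutes after the click, so the window is relative to the click time instead of hard-coded. It assumes Employees has a hostname column and ProcessEvents has process_name and process_commandline columns (those column names are assumptions; ProcessEvents | getschema lists the real ones).

```kql
// Added example, not from the original walkthrough: follow each click on the lure
// to the processes that ran on the clicker's host in the 10 minutes after it.
// hostname (Employees), process_name and process_commandline (ProcessEvents)
// are assumed column names; check them with  ProcessEvents | getschema
let lure = "Team_Wombley_Surrender.doc";
let clicks =
    OutboundNetworkEvents
    | where url contains lure
    | join kind=inner (
        Employees
        | project ip_addr, name, hostname
      ) on $left.src_ip == $right.ip_addr
    | project click_time = timestamp, name, hostname, url;
ProcessEvents
| join kind=inner (clicks) on hostname
| where timestamp between (click_time .. (click_time + 10m))   // window is relative to each click
| project name, hostname, click_time, timestamp, process_name, process_commandline
| sort by hostname asc, timestamp asc
```

The keylogger.exe row for Elf-Lap-W-Tinseltoe should appear in this output, along with anything run by any other elf who clicked, which is what the single-host query above finds for one host at a time.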

Take your last answer and base64 encode it.

a2V5bG9nZ2VyLmV4ZQ==

let flag = "keylogger.exe";
let base64_encoded = base64_encode_tostring(flag);
print base64_encoded

Add a2V5bG9nZ2VyLmV4ZQ== to the Operation Surrender part of the Microsoft KC7 Objective in the badge.

Silver achieved.

Gold

Section 3: Operation Snowfall - Team Wombley's Ransomware Raid

Type snowfall to begin

snowfall

What was the source IP associated with the password spray? 

59.171.58.12

AuthenticationEvents
| where result == "Failed Login"
| summarize FailedAttempts = count() by username, src_ip, result
| where FailedAttempts >= 5
| sort by FailedAttempts desc
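The query above groups failures by username and works here because the spraying IP stands out, but a spray is defined by one source touching many accounts with only a few attempts each, so grouping by source IP and counting distinct usernames is the more direct test. The following is an added example, not from the original walkthrough; the thresholds are illustrative and the Employees hostname column is an assumption.

```kql
// Added example, not from the original walkthrough: a spray is one source hitting
// many accounts a few times each, so count distinct usernames per source IP per hour.
// Thresholds (10 accounts, <= 3 tries each) and the Employees hostname column are assumptions.
let spray_sources =
    AuthenticationEvents
    | where result == "Failed Login"
    | summarize
        attempts = count(),
        targeted_accounts = dcount(username),
        first_seen = min(timestamp),
        last_seen = max(timestamp)
      by src_ip, window = bin(timestamp, 1h)
    | where targeted_accounts >= 10
    | extend tries_per_account = todouble(attempts) / targeted_accounts
    | where tries_per_account <= 3.0
    | distinct src_ip;
// Every login the spraying sources actually got, with the elf and host behind the account.
AuthenticationEvents
| where result == "Successful Login" and src_ip in (spray_sources)
| join kind=leftouter (
    Employees
    | project username, name, hostname
  ) on username
| project timestamp, src_ip, username, name, hostname, description
| sort by timestamp asc
```

To see the spray summary itself rather than the logins it produced, stop the let block at the tries_per_account filter and run that as the query. The leftouter join keeps logins for accounts that have no Employees row, which is exactly the kind of account (service or stale) you do not want to lose in a spray investigation.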

How many unique accounts were impacted where there was a successful login from 59.171.58.12? 

23

AuthenticationEvents
| where src_ip=="59.171.58.12"
| where result=="Successful Login"
| distinct username
| count

What service was used to access these accounts/devices? 

RDP

AuthenticationEvents
| where src_ip=="59.171.58.12"
| where result=="Successful Login"
| distinct description

What file was exfiltrated on Alabaster's laptop? 

Secret_Files.zip

The spray from 59.171.58.12 produced a successful RDP login at 2024-12-11T01:39:50Z; the attacker did some recon, but the file was not exfiltrated until 2024-12-16.

Confirm the account, map it to a host, then read that host's process events. These are three separate queries; run them one at a time (a Kusto query takes a single tabular expression, so pasting them together with semicolons will not chain them):

AuthenticationEvents
| where src_ip=="59.171.58.12"
| where result=="Successful Login"
| where username=="alsnowball"

Employees
| where username=="alsnowball"

ProcessEvents
| where hostname == "Elf-Lap-A-Snowball"

What is the name of the malicious file that was run on Alabaster's laptop? 

EncryptEverything.exe

ProcessEvents
| where hostname == "Elf-Lap-A-Snowball"

Create the flag:

let flag = "EncryptEverything.exe";
let base64_encoded = base64_encode_tostring(flag);
print base64_encoded

Flag: RW5jcnlwdEV2ZXJ5dGhpbmcuZXhl

Add RW5jcnlwdEV2ZXJ5dGhpbmcuZXhl to the badge under the Microsoft KC7 Objective under Operation Snowfall.

Section 4: Echoes in the Frost: Tracking the Unknown Threat

Type stay frosty to begin:

stay frosty

What was the timestamp of the first phishing e-mail about breached credentials for Noel Boetie? 

2024-12-12T14:48:55Z

Email
| where recipient=="noel_boetie@santaworkshopgeeseislands.org"
| where subject contains "breach"

When did Noel Boetie click the link to the first file? 

2024-12-12T15:13:55Z

First pull the link out of the e-mail, then find the click in the outbound traffic from Noel's IP. Run these as separate queries:

Email
| where recipient=="noel_boetie@santaworkshopgeeseislands.org"
| where subject contains "breach"
| distinct link

The link is https://holidaybargainhunt.io/published/files/files/echo.exe

Employees
| where name contains "Noel"

OutboundNetworkEvents
| where src_ip == "10.10.0.9"

Use == rather than contains for the IP: contains "10.10.0.9" would also match 10.10.0.90 through 10.10.0.99.

What was the IP for the domain where the file was hosted? 

182.56.23.122

PassiveDns
| where domain contains "holidaybargainhunt.io"

Let's take a closer look at the authentication events. Were there any connection events from 182.56.23.122? If so, what hostname was accessed? 

WebApp-ElvesWorkshop

AuthenticationEvents
| where src_ip=="182.56.23.122"

What was the script that was run to obtain credentials?  

Invoke-Mimikatz.ps1

The process command line shows PowerShell being used to download this script.

ProcessEvents
| where hostname=="WebApp-ElvesWorkshop"

What is the timestamp where Noel executed the file? 

2024-12-12T15:14:38Z

The downloaded file was echo.exe; the process events for Noel's laptop show it running at 2024-12-12T15:14:38Z.

ProcessEvents
| where hostname=="Elf-Lap-A-Boetie"

What domain was holidaycandy.hta downloaded from? 

compromisedchristmastoys.com

OutboundNetworkEvents
| where url contains "holidaycandy.hta"

What was the first file that was created after extraction? 

sqlwriter.exe

After holidaycandy.hta runs, the following PowerShell command line appears in the process events. It creates a key under the HKCU Run path and sets a value on it pointing at the payload:

New-Item -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "MS SQL Writer" -Force | New-ItemProperty -Name "frosty" -Value "C:\Windows\Tasks\sqlwriter.exe" -PropertyType String -Force

Notice that sqlwriter.exe is referenced.

ProcessEvents
| where hostname=="Elf-Lap-A-Boetie"

What is the name of the property assigned to the new registry key? 

frosty

The same command line sets the property: New-ItemProperty -Name "frosty" -Value "C:\Windows\Tasks\sqlwriter.exe", so the name is frosty.

ProcessEvents
| where hostname=="Elf-Lap-A-Boetie"
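The two questions above were answered by reading Elf-Lap-A-Boetie's process list by eye. The query below, an added example that is not part of the original walkthrough, hunts for the same Run-key persistence across every host and pulls the subkey, value name and payload out of the command line with regular expressions. It assumes ProcessEvents has process_commandline and username columns and that the PowerShell arguments are double-quoted, as they are in the command line above. One caveat on that command line: New-Item with -Name creates a subkey, so the frosty value lands under Run\MS SQL Writer rather than directly under Run, and Windows only autoruns values that sit directly under Run. Hunt for it regardless; the attacker's intent is what matters for the investigation.

```kql
// Added example, not from the original walkthrough: hunt Run/RunOnce persistence
// written from PowerShell on every host, and pull the subkey, value name and payload
// out of the command line. process_commandline and username are assumed column names;
// the regexes assume double-quoted arguments like the command line on this page.
ProcessEvents
| where process_commandline contains @"CurrentVersion\Run"      // matches Run and RunOnce
| where process_commandline has_any ("New-ItemProperty", "Set-ItemProperty", "reg add")
| extend run_subkey = extract(@'New-Item\s+-Path\s+"[^"]*CurrentVersion\\Run[^"]*"\s+-Name\s+"([^"]+)"', 1, process_commandline)
| extend value_name = extract(@'-ItemProperty\s+-Name\s+"([^"]+)"', 1, process_commandline)
| extend payload    = extract(@'-Value\s+"([^"]+)"', 1, process_commandline)
| summarize first_seen = min(timestamp), hits = count()
    by hostname, username, run_subkey, value_name, payload
| sort by first_seen asc
```

For the command line on this page the row comes back with run_subkey "MS SQL Writer", value_name "frosty" and payload "C:\Windows\Tasks\sqlwriter.exe". Unquoted arguments or reg.exe syntax leave run_subkey and value_name empty, which is why the first two where clauses are deliberately broader than the extracts: an empty extraction is still a hit worth looking at.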

Create the flag:

let flag = "frosty";
let base64_encoded = base64_encode_tostring(flag);
print base64_encoded

The flag is: ZnJvc3R5

Add ZnJvc3R5 to the Echoes in the Frost part of the Microsoft KC7 Objective in the badge.

Gold Achieved.
