
Elf Stack⚓︎

Difficulty: (shown as an image on the original page)

Objective⚓︎

Help the ElfSOC analysts track down a malicious attack against the North Pole domain.

Fitzy Shortstack

Greetings! I'm the genius behind the North Pole Elf Stack SIEM. And oh boy, we’ve got a situation on our hands.

Our system was attacked—Wombley’s faction unleashed their FrostBit ransomware, and it’s caused a digital disaster.

The logs are a mess, and Wombley’s laptop—the only backup of the Naughty-Nice List—was smashed to pieces.

Now, it’s all up to you to help me trace the attack vectors and events. We need to figure out how this went down before it’s too late.

You’ll be using a containerized ELK stack or Linux CLI tools. Sounds like a fun little puzzle, doesn't it?

Your job is to analyze these logs... think of it as tracking snow tracks but in a digital blizzard.

If you can find the attack path, maybe we can salvage what’s left and get Santa’s approval.

Santa’s furious at the faction fighting, and he’s disappointed. We have to make things right.

So, let’s show these attackers that the North Pole’s defenses are no joke!

General Hints⚓︎

Elf Stack Intro

I'm part of the ElfSOC that protects the interests here at the North Pole. We built the Elf Stack SIEM, but not everybody uses it. Some of our senior analysts choose to use their command line skills, while others choose to deploy their own solution. Any way is possible to hunt through our logs!

Elf Stack WinEvent

One of our seasoned ElfSOC analysts told me about a great resource to have handy when hunting through event log data. I have it around here somewhere, or maybe it was online. Hmm.

Elf Stack PowerShell

Our Elf Stack SIEM has some minor issues when parsing log data that we still need to figure out. Our ElfSOC SIEM engineers drank many cups of hot chocolate figuring out the right parsing logic. The engineers wanted to ensure that our junior analysts had a solid platform to hunt through log data.

Elf Stack Fields

If you are using your command line skills to solve the challenge, you might need to review the configuration files from the containerized Elf Stack SIEM.

Hard Mode Hints⚓︎

Elf Stack Hard - Email2

Some elves have tried to make tweaks to the Elf Stack log parsing logic, but only a seasoned SIEM engineer or analyst may find that task useful.

Elf Stack Hard - Email1

I was on my way to grab a cup of hot chocolate the other day when I overheard the reindeer talking about playing games. The reindeer mentioned trying to invite Wombley and Alabaster to their games. This may or may not be great news. All I know is, the reindeer better create formal invitations to send to both Wombley and Alabaster.

Hard Mode⚓︎

Question 1: What is the event.EventID number for Sysmon event logs relating to process creation?⚓︎

grep -ir "sysmon" log_chunk_* | grep -i "process create" | grep -i "eventID" | head -1 | grep -i "eventID"
Answer: 1

Question 2: How many unique values are there for the 'event_source' field in all of the logs?⚓︎

awk -F'"' '/"Hostname"/ {for (i=1; i<=NF; i++) if ($i == "Hostname") print $(i+2)}' log_chunk_1.log log_chunk_2.log | sort -u
Answer: 5

Question 3: What is the event_source name that contains the email logs?⚓︎

grep -i "email" log_chunk_1.log | head -3
Answer: SnowGlowMailPxy

Question 4: The North Pole network was compromised recently through a sophisticated phishing attack sent to one of our elves. The attacker found a way to bypass the middleware that prevented phishing emails from getting to North Pole elves. As a result, one of the Received IPs will likely be different from what most email logs contain. Find the email log in question and submit the value in the event 'From:' field for this email log event.⚓︎

First we look at the structure of a mail log event and decide that we need to find the entry where one of the ReceivedIP1 or ReceivedIP2 values differs from the rest.

awk -F'"' '/"ReceivedIP1"|"ReceivedIP2"/ {for (i=1; i<=NF; i++) if ($i == "ReceivedIP1" || $i == "ReceivedIP2") print $(i+2)}' log_chunk_1.log log_chunk_2.log | sort | uniq -c
(Output shown as a screenshot on the original page: one received IP, 34.30.110.62, stands out from the rest.)

Now that we have the culprit, we can simply grep based on that IP address along with the mail server and note the From value in the result.

grep "34.30.110.62" log_chunk_1.log log_chunk_2.log | grep "SnowGlowMailPxy"
Answer: kriskring1e@northpole.local
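As an added example (not part of the original write-up), here is a Python pass that does what the sort | uniq -c pipeline above does, but on the parsed JSON rather than on quoted substrings. It splits each syslog-wrapped line into its event source and JSON payload (which also gives the unique event sources asked for in Question 2), tallies every ReceivedIP1/ReceivedIP2 value, and returns the sender of the message that carried the rarest one. The log lines, addresses and mailboxes are constructed for the example, and the GreenCoat field names are assumed.

```python
import json
from collections import Counter

# Constructed sample lines in the page's syslog-wrapped JSON layout:
# "<PRI>1 TIMESTAMP HOST APPNAME - - - {json}". All values are made up
# (RFC 5737 addresses, placeholder mailboxes); they are not from the challenge logs.
SAMPLE_MAIL_LOG = """\
<134>1 2024-09-16T10:01:00-04:00 mail01.northpole.local SnowGlowMailPxy - - - {"From": "elf_a@northpole.local", "To": "elf_b@northpole.local", "ReceivedIP1": "192.0.2.10", "ReceivedIP2": "192.0.2.20", "Subject": "lunch"}
<134>1 2024-09-16T10:02:00-04:00 mail01.northpole.local SnowGlowMailPxy - - - {"From": "elf_c@northpole.local", "To": "elf_a@northpole.local", "ReceivedIP1": "192.0.2.10", "ReceivedIP2": "192.0.2.20", "Subject": "schedule"}
<134>1 2024-09-16T10:03:00-04:00 mail01.northpole.local SnowGlowMailPxy - - - {"From": "outsider@example.net", "To": "elf_b@northpole.local", "ReceivedIP1": "192.0.2.10", "ReceivedIP2": "203.0.113.5", "Subject": "urgent"}
<134>1 2024-09-16T10:04:00-04:00 mail01.northpole.local SnowGlowMailPxy - - - {"From": "elf_b@northpole.local", "To": "elf_c@northpole.local", "ReceivedIP1": "192.0.2.10", "ReceivedIP2": "192.0.2.20", "Subject": "re: lunch"}
<134>1 2024-09-16T10:05:00-04:00 proxy01.northpole.local GreenCoat - - - {"ClientIP": "192.0.2.30", "url": "http://example.com/", "status": 200}
"""


def parse_line(line):
    """Split one syslog-wrapped line into (app_name, event_dict).

    Returns None for lines that are not in the expected layout or whose JSON
    payload does not parse, instead of raising on a corrupted chunk.
    """
    header, sep, payload = line.partition(" - - - ")
    if not sep:
        return None
    fields = header.split()
    if len(fields) < 4:
        return None
    try:
        return fields[3], json.loads(payload)
    except json.JSONDecodeError:
        return None


def events(text, app_name=None):
    """Yield parsed event dicts, optionally restricted to one event source."""
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed and (app_name is None or parsed[0] == app_name):
            yield parsed[1]


def event_sources(text):
    """Distinct APPNAME values, the equivalent of the sort -u in Question 2."""
    return {parsed[0] for parsed in map(parse_line, text.splitlines()) if parsed}


def received_ip_counts(text):
    """Tally every ReceivedIP1/ReceivedIP2 value, the equivalent of sort | uniq -c."""
    counts = Counter()
    for ev in events(text, "SnowGlowMailPxy"):
        for key in ("ReceivedIP1", "ReceivedIP2"):
            if key in ev:
                counts[ev[key]] += 1
    return counts


def find_outlier_sender(text):
    """Return (odd_ip, From) for the mail whose received IP is the rarest one.

    The assumption, as in the write-up, is that mail relayed past the filtering
    middleware shows up with a received IP that almost no other message carries.
    """
    counts = received_ip_counts(text)
    odd_ip, _ = min(counts.items(), key=lambda kv: kv[1])
    for ev in events(text, "SnowGlowMailPxy"):
        if odd_ip in (ev.get("ReceivedIP1"), ev.get("ReceivedIP2")):
            return odd_ip, ev.get("From")
    return odd_ip, None


if __name__ == "__main__":
    print(sorted(event_sources(SAMPLE_MAIL_LOG)))
    for ip, n in received_ip_counts(SAMPLE_MAIL_LOG).most_common():
        print(f"{n:>4} {ip}")
    print(find_outlier_sender(SAMPLE_MAIL_LOG))
```

Parsing the payload instead of grepping for "ReceivedIP1" avoids the false hits a substring search gets from the same text appearing in a Subject or body field, and a parse failure is reported per line rather than silently dropping the event.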

Question 5: Our ElfSOC analysts need your help identifying the hostname of the domain computer that established a connection to the attacker after receiving the phishing email from the previous question. You can take a look at our GreenCoat proxy logs as an event source. Since it is a domain computer, we only need the hostname, not the fully qualified domain name (FQDN) of the system.⚓︎

This requires us to read the email that was sent and then search the "GreenCoat" logs for the link that was clicked.

grep "GreenCoat" log_chunk_1.log log_chunk_2.log | grep "http://hollyhaven.snowflake/howtosavexmas.zip"
Answer: SleighRider

Question 6: What was the IP address of the system you found in the previous question?⚓︎

Answer: 172.24.25.12

Question 7: A process was launched when the user executed the program AFTER they downloaded it. What was that Process ID number (digits only please)?⚓︎

We already have the offending download so let's just see where else that shows up in the logs and see if it had any activity after the GET request that downloaded it:

grep "http://hollyhaven.snowflake/howtosavexmas.zip" log_chunk_1.log log_chunk_2.log

Answer: 10014

Question 8: Did the attacker's payload make an outbound network connection? Our ElfSOC analysts need your help identifying the destination TCP port of this connection.⚓︎

This one has some very specific identifiers we'll want to incorporate:

- the payload is on the domain computer that clicked the link, so we know the source IP address is 172.24.25.12;
- successful network connections are typically EventID values of 5156 or 3;
- an outbound network connection means we will want to eliminate the internal network destination IPs: 172.24.25

grep -i '"SourceIp": "172.24.25.12"' log_chunk_1.log log_chunk_2.log | grep -i "port" | grep -E '"EventID": 5156| "EventID": 3' | grep -v '"DestinationIp": "172.24.25.'
Answer: 8443
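The grep chain above relies on the DestinationIp string not starting with "172.24.25.", which works here but breaks for other subnet sizes. As an added example (not the write-up's own code), the Python below answers the same question on parsed events: it normalises Sysmon EventID 3 and Security EventID 5156 into one (source, destination, port) tuple, tests the destination against an ipaddress network, and counts lines whose JSON fails to parse so you know how much of the log the query never saw. The events are constructed; the 5156 field names (SourceAddress, DestAddress, DestPort) are the Windows Filtering Platform audit names and are assumed to come through unchanged.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed Sysmon / Security events in the page's syslog-wrapped JSON layout.
# Hosts, addresses and ports are made up; 172.24.25.0/24 is the internal range
# named in the write-up, 198.51.100.0/24 is an RFC 5737 documentation range.
# The last line deliberately carries unescaped backslashes (as the page's own
# pasted sample does) so that it fails strict JSON parsing.
SAMPLE_NET_LOG = r"""
<134>1 2024-09-16T11:20:01-04:00 host01.northpole.local WindowsEvent - - - {"EventID": 3, "SourceName": "Microsoft-Windows-Sysmon", "Image": "C:\\Users\\elf\\Downloads\\payload.exe", "SourceIp": "172.24.25.12", "SourcePort": 49812, "DestinationIp": "172.24.25.153", "DestinationPort": 389, "Protocol": "tcp", "Initiated": true}
<134>1 2024-09-16T11:20:02-04:00 host01.northpole.local WindowsEvent - - - {"EventID": 3, "SourceName": "Microsoft-Windows-Sysmon", "Image": "C:\\Users\\elf\\Downloads\\payload.exe", "SourceIp": "172.24.25.12", "SourcePort": 49813, "DestinationIp": "198.51.100.44", "DestinationPort": 8443, "Protocol": "tcp", "Initiated": true}
<134>1 2024-09-16T11:20:03-04:00 host01.northpole.local WindowsEvent - - - {"EventID": 5156, "SourceName": "Microsoft-Windows-Security-Auditing", "Direction": "%%14593", "SourceAddress": "172.24.25.12", "SourcePort": "49813", "DestAddress": "198.51.100.44", "DestPort": "8443", "Protocol": "6"}
<134>1 2024-09-16T11:20:04-04:00 host02.northpole.local WindowsEvent - - - {"EventID": 3, "SourceName": "Microsoft-Windows-Sysmon", "Image": "C:\\Windows\\System32\\svchost.exe", "SourceIp": "172.24.25.40", "SourcePort": 50001, "DestinationIp": "198.51.100.9", "DestinationPort": 443, "Protocol": "tcp", "Initiated": true}
<134>1 2024-09-16T11:20:05-04:00 host01.northpole.local WindowsEvent - - - {"EventID": 3, "SourceName": "Microsoft-Windows-Sysmon", "Image": "C:\Windows\System32\notepad.exe", "SourceIp": "172.24.25.12", "DestinationIp": "198.51.100.9", "DestinationPort": 443}
"""

INTERNAL = ip_network("172.24.25.0/24")


def parse_event(line):
    """Return the JSON payload of one line, or None if it is not valid JSON."""
    payload = line.partition(" - - - ")[2]
    try:
        return json.loads(payload)
    except json.JSONDecodeError:
        return None


def connection_tuple(ev):
    """Normalise Sysmon 3 and Security 5156 into (src_ip, dst_ip, dst_port).

    Sysmon uses SourceIp/DestinationIp/DestinationPort with integer ports; the
    Windows Filtering Platform audit (5156) uses SourceAddress/DestAddress/DestPort
    with string ports. Returns None for any other event.
    """
    if ev.get("EventID") == 3:
        return ev.get("SourceIp"), ev.get("DestinationIp"), int(ev.get("DestinationPort", 0))
    if ev.get("EventID") == 5156:
        return ev.get("SourceAddress"), ev.get("DestAddress"), int(ev.get("DestPort", 0))
    return None


def outbound_connections(text, source_ip, internal=INTERNAL):
    """Connections from source_ip that leave the internal network.

    Returns ([(dst_ip, dst_port, event_id), ...], unparseable_line_count).
    """
    hits, bad_lines = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev is None:
            bad_lines += 1
            continue
        conn = connection_tuple(ev)
        if conn is None:
            continue
        src, dst, port = conn
        if src != source_ip or dst is None:
            continue
        try:
            if ip_address(dst) in internal:
                continue
        except ValueError:  # e.g. "-" or a hostname in the address field
            continue
        hits.append((dst, port, ev["EventID"]))
    return hits, bad_lines


def outbound_ports(text, source_ip):
    """Distinct destination ports, since Sysmon and 5156 often record the same flow."""
    hits, _ = outbound_connections(text, source_ip)
    return sorted({port for _, port, _ in hits})


if __name__ == "__main__":
    hits, bad = outbound_connections(SAMPLE_NET_LOG, "172.24.25.12")
    print(hits, "unparseable lines:", bad)
    print(outbound_ports(SAMPLE_NET_LOG, "172.24.25.12"))
```

The unparseable-line counter matters more than it looks: the page's own pasted Sysmon line has paths like C:\Windows\system32\mmc.exe with single backslashes, which strict JSON rejects, so a structured query that ignores parse failures can quietly miss exactly the events a grep would have found.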

Question 9: The attacker escalated their privileges to the SYSTEM account by creating an inter-process communication (IPC) channel. Submit the alpha-numeric name for the IPC channel used by the attacker.⚓︎

The IPC channel is typically a named pipe, which shows up in the logs as a path containing \\pipe, so we can grep for that fragment together with the user being NT AUTHORITY\\SYSTEM, since we know this was a privilege escalation.

grep -i "\\\\pipe" log_chunk_1.log log_chunk_2.log | grep '"User": "NT AUTHORITY\\\\SYSTEM"'
Answer: ddpvccdbr

Question 10: The attacker's process attempted to access a file. Submit the full and complete file path accessed by the attacker's process.⚓︎

grep -i "sleighrider" log_chunk_1.log log_chunk_2.log | grep '"EventID": 4663' | grep -i '"ProcessID": 10014'
Answer: C:\Users\elf_user02\Desktop\kkringl315@10.12.25.24.pem

Question 11: The attacker attempted to use a secure protocol to connect to a remote system. What is the hostname of the target server?⚓︎

We know from the last question that the attacker was interested in some specific creds that look like a user's ssh creds to IP address 10.12.25.24 (the Christmas host - nice touch). Given this next task, I'm just going to grep for that IP address and ssh first.

grep -i "10.12.25.24" log_chunk_1.log log_chunk_2.log | grep -i "ssh"
Answer: kringleSSleigH

Question 12: The attacker created an account to establish their persistence on the Linux host. What is the name of the new account created by the attacker?⚓︎

This one is fairly straightforward since we know the command for adding a user on Linux is going to be useradd or adduser (depending on whether or not a home directory being created is part of the process).

grep -E "useradd|adduser" log_chunk_1.log log_chunk_2.log
Answer: sshd

Question 13: The attacker wanted to maintain persistence on the Linux host they gained access to and executed multiple binaries to achieve their goal. What was the full CLI syntax of the binary the attacker executed after they created the new user account?⚓︎

grep -i '"hostname": "kringleSSleigH"' log_chunk_1.log log_chunk_2.log | grep "COMMAND="
Answer: /usr/sbin/usermod -a -G sudo ssdh

Question 14: The attacker enumerated Active Directory using a well known tool to map our Active Directory domain over LDAP. Submit the full ISO8601 compliant timestamp when the first request of the data collection attack sequence was initially recorded against the domain controller.⚓︎

grep -i '"Hostname": "dc01.northpole.local"' log_chunk_1.log log_chunk_2.log | grep -E '"EventID": 3' | grep -iE '"DestinationPort": (389|636)'

Output

log_chunk_2.log:<134>1 2024-09-16T11:31:13-04:00 dc01.northpole.local WindowsEvent - - - {"EventTime": "2024-09-16 11:31:13", "Hostname": "dc01.northpole.local", "Keywords": -9223372036854775808, "EventType": "INFO", "SeverityValue": 2, "Severity": "INFO", "EventID": 3, "SourceName": "Microsoft-Windows-Sysmon", "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "Version": 5, "Task": 3, "OpcodeValue": 0, "RecordNumber": 444, "ProcessID": 6468, "ThreadID": 5888, "Channel": "Microsoft-Windows-Sysmon/Operational", "Domain": "NT AUTHORITY", "AccountName": "SYSTEM", "UserID": "S-1-5-18", "AccountType": "User", "Category": "Network connection detected (rule: NetworkConnect)", "Opcode": "Info", "RuleName": "-", "UtcTime": "2024-09-16T11:31:13-04:00", "ProcessGuid": "{f151dc49-4ef0-660c-3802-000000000900}", "Image": "C:\Windows\system32\mmc.exe", "User": "NORTHPOLE\Administrator", "Protocol": "tcp", "Initiated": true, "SourceIsIpv6": false, "SourceIp": "172.24.25.153", "SourceHostname": "dc01.northpole.local", "SourcePort": 50305, "SourcePortName": "-", "DestinationIsIpv6": false, "DestinationIp": "172.24.25.153", "DestinationHostname": "dc01.northpole.local", "DestinationPort": 389, "DestinationPortName": "ldap", "EventReceivedTime": "2024-09-16T11:31:13-04:00", "SourceModuleName": "inSysmon", "SourceModuleType": "im_msvistalog", "ProcessId": 3360, "MoreDetails": "Network connection detected:"}

So this lets us know that an LDAP connection occurred, but with only one entry it tells us nothing about enumeration activity. Which EventIDs are associated with LDAP activity that may help us find what we need?

ChatGPT offered a list of LDAP-related EventIDs (shown as an image on the original page).

Based on this, 2889 seems most relevant, so we can search for LDAP bind events in our logs:

grep -iE 'dc01' log_chunk_1.log log_chunk_2.log | grep -iE '"EventID": 2889,'

This produces too many results to read through, which is great because it means we are onto something. We are concerned with when the data collection started, so the first entry should give us what we need:

grep -iE 'dc01' log_chunk_1.log log_chunk_2.log | grep -iE '"EventID": 2889,' | head -n 1

Answer: 2024-09-16T11:10:12-04:00

Question 15: The attacker attempted to perform an ADCS ESC1 attack, but certificate services denied their certificate request. Submit the name of the software responsible for preventing this initial attack.⚓︎

grep -iE 'dc01' log_chunk_1.log log_chunk_2.log | grep -i 'cert' | grep -i 'fail'

This produced four results, but the last one is where we find our answer.

Answer: KringleGuard

Question 16: We think the attacker successfully performed an ADCS ESC1 attack. Can you find the name of the user they successfully requested a certificate on behalf of?⚓︎

We know that if the request was successful, it happened after the event we had in our last answer so I'll use that EventTime to narrow my focus. We know that ADCS ESC1 is an attack that leverages a vulnerable certificate template configuration that allows domain users to request certificates that can impersonate privileged accounts, such as a Domain Admin.

We can tackle this by identifying the first user to log in after the failed attempt using the EventID for credential validation:

grep -iE 'dc01' log_chunk_1.log log_chunk_2.log | awk '{if ($2 > "2024-09-16T11:14:12-04:00") print $0}' | grep -i '"EventID": 4776' | head -n 1

Answer: nutcrakr

Question 17: One of our file shares was accessed by the attacker using the elevated user account (from the ADCS attack). Submit the folder name of the share they accessed.⚓︎

We can modify our last command to incorporate the username we uncovered and the EventID for accessing a file share, 5140.

grep -iE 'dc01' log_chunk_1.log log_chunk_2.log | awk '{if ($2 > "2024-09-16T11:14:12-04:00") print $0}' | grep -i '"EventID": 5140' | grep "nutcrakr" | head -n 1
Answer: WishLists

Question 18: The naughty attacker continued to use their privileged account to execute a PowerShell script to gain domain administrative privileges. What is the password for the account the attacker used in their attack payload?⚓︎

Let's see which EventIDs are associated with PowerShell (the list was shown as an image on the original page).

Looks like we will need 4104 for this one:

grep -iE 'nutcrakr' log_chunk_1.log log_chunk_2.log | grep -i '"EventID": 4104'

Answer: fR0s3nF1@k3_s

Question 19: The attacker then used remote desktop to remotely access one of our domain computers. What is the full ISO8601 compliant UTC EventTime when they established this connection?⚓︎

RDP indicates that the logon type will be 10 (remote interactive logons) and the EventID is likely just the regular 4624 for successful logons so let's start with that.

grep -iE '"EventID": 4624' log_chunk_*.log |  grep -i '"LogonType": 10'

Note: The question specifies that it wants the answer to not only be in ISO8601 format, but also specifically in UTC: YYYY-MM-DDTHH:MM:SS.sssZ

Answer: 2024-09-16T15:35:57.000Z
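Several of the answers above hinge on time handling: Question 14 wants the earliest event of a kind, Questions 16 to 20 filter with awk's string comparison on the syslog timestamp field, and Question 19 wants the result converted to UTC. As an added example (not from the write-up), the Python below does those three things on parsed datetimes. The sample includes one event stamped with a +00:00 offset to show the caveat with the awk approach: lexical comparison of ISO8601 strings is only valid while every line carries the same UTC offset, and a line with a different offset sorts into the wrong place. All lines, hosts and times are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed syslog-wrapped events; only the header timestamp, host and a few
# JSON fields matter here. The fourth line is stamped in UTC (+00:00) on purpose:
# 15:09:00Z is 11:09:00-04:00, i.e. earlier than the 11:10:12-04:00 line.
SAMPLE_DC_LOG = """\
<134>1 2024-09-16T11:31:13-04:00 dc01.northpole.local WindowsEvent - - - {"EventID": 3, "DestinationPort": 389}
<134>1 2024-09-16T11:10:12-04:00 dc01.northpole.local WindowsEvent - - - {"EventID": 2889, "Client": "198.51.100.44:50100"}
<134>1 2024-09-16T11:10:15-04:00 dc01.northpole.local WindowsEvent - - - {"EventID": 2889, "Client": "198.51.100.44:50101"}
<134>1 2024-09-16T15:09:00+00:00 dc01.northpole.local WindowsEvent - - - {"EventID": 2889, "Client": "198.51.100.44:50102"}
<134>1 2024-09-16T11:35:57-04:00 ws07.northpole.local WindowsEvent - - - {"EventID": 4624, "LogonType": 10, "TargetUserName": "someone"}
"""


def parse_line(line):
    """Return (timestamp, host, app, event_dict) for one syslog-wrapped line."""
    header, _, payload = line.partition(" - - - ")
    _pri, ts, host, app = header.split()[:4]
    # fromisoformat keeps the offset, so the result is an aware datetime and
    # values with different offsets compare by the instant they denote.
    return datetime.fromisoformat(ts), host, app, json.loads(payload)


def parsed(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def first_seen(text, host, event_id):
    """Earliest matching event by real instant (what the head -n 1 is meant to find)."""
    matches = [ts for ts, h, _, ev in parsed(text) if h == host and ev.get("EventID") == event_id]
    return min(matches) if matches else None


def lexical_first(text, host, event_id):
    """The same query done by string comparison, as awk '$2 > ...' effectively does."""
    matches = [line.split()[1] for line in text.splitlines()
               if line.split()[2] == host and f'"EventID": {event_id},' in line]
    return min(matches) if matches else None


def events_after(text, after_iso):
    """Events strictly after a cutoff, the datetime version of awk '{if ($2 > ...)}'."""
    cutoff = datetime.fromisoformat(after_iso)
    return [(ts, host, ev) for ts, host, _, ev in parsed(text) if ts > cutoff]


def to_utc_z(ts_iso):
    """Render an offset timestamp in the YYYY-MM-DDTHH:MM:SS.sssZ form Question 19 asks for."""
    return datetime.fromisoformat(ts_iso).astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


if __name__ == "__main__":
    print("first 2889 (by instant):", first_seen(SAMPLE_DC_LOG, "dc01.northpole.local", 2889))
    print("first 2889 (by string): ", lexical_first(SAMPLE_DC_LOG, "dc01.northpole.local", 2889))
    print(len(events_after(SAMPLE_DC_LOG, "2024-09-16T11:30:00-04:00")), "events after 11:30 EDT")
    print(to_utc_z("2024-09-16T11:35:57-04:00"))
```

On the challenge logs every line carries -04:00, so the write-up's string comparison gives the right answer; the example shows why it is worth confirming that before relying on it, and it reproduces the Question 19 conversion (11:35:57-04:00 to 15:35:57.000Z) exactly.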

Question 20: The attacker is trying to create their own naughty and nice list! What is the full file path they created using their remote desktop connection?⚓︎

The mention of the list being created using the remote desktop connection means that we'll use log entries after that timeframe, but also means the EventID of 4633 for creating a new file might not end up being the way to go. A search using it with a grep for "list" yields only a couple of results and they are not what we're looking for. Rather than using the EventID, let's grep for the function it's doing and try a common abbreviation for list: lst.

grep -iE 'create' log_chunk_*.log | awk '{if ($2 > "2024-09-16T11:35:57-04:00") print $0}' | grep -i 'nutcrakr' | grep -i 'lst'

Answer: C:\WishLists\santadms_only\its_my_fakelst.txt

Question 21: The Wombley faction has user accounts in our environment. How many unique Wombley faction users sent an email message within the domain?⚓︎

grep -iE '"From": "wcub.*@NORTHPOLE.local"' log_chunk_*.log | awk '{print $9}' | sort | uniq
Answer: 4

Question 22: The Alabaster faction also has some user accounts in our environment. How many emails were sent by the Alabaster users to the Wombley faction users?⚓︎

So in this case we are looking for the number of emails rather than distinct email addresses, but first, let's have a glance at the structure of Alabaster faction emails to ensure we capture all of them:

grep -iE '"From": "asnow.*@NORTHPOLE.local",' log_chunk_*.log | awk '{print $9}' | sort | uniq

And now we're ready to craft our command:

grep -iE '"From": "asnow.*@NORTHPOLE.local",' log_chunk_*.log | grep -iE '"To": "wcub.*@northpole.local"' | awk '{print $9}' | wc -l

Answer: 22
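The awk '{print $9}' trick above works because the From address happens to be the ninth whitespace-separated token of these lines, which would stop being true the moment a field were added in front of it. As an added example (not the write-up's code) serving Questions 21 and 22, the Python below reads From and To from the parsed JSON, classifies addresses by the wcub/asnow prefixes the write-up uses, lower-cases them so the NORTHPOLE.local/northpole.local mix seen in the logs does not split one sender into two, and counts both distinct senders per faction and messages from one faction to the other. The mail lines and mailboxes are constructed.

```python
import json

# Constructed SnowGlowMailPxy events in the page's syslog-wrapped JSON layout.
# Mailboxes are made up; the wcub/asnow prefixes are the ones the write-up greps for.
SAMPLE_MAIL_LOG = """\
<134>1 2024-09-16T09:00:01-04:00 mail01.northpole.local SnowGlowMailPxy - - - {"From": "wcub01@NORTHPOLE.local", "To": "asnow01@northpole.local", "Subject": "truce?"}
<134>1 2024-09-16T09:00:02-04:00 mail01.northpole.local SnowGlowMailPxy - - - {"From": "wcub01@northpole.local", "To": "wcub02@northpole.local", "Subject": "fw: truce?"}
<134>1 2024-09-16T09:00:03-04:00 mail01.northpole.local SnowGlowMailPxy - - - {"From": "wcub02@northpole.local", "To": "elf_x@northpole.local", "Subject": "snow report"}
<134>1 2024-09-16T09:00:04-04:00 mail01.northpole.local SnowGlowMailPxy - - - {"From": "asnow01@northpole.local", "To": "wcub01@northpole.local", "Subject": "re: truce?"}
<134>1 2024-09-16T09:00:05-04:00 mail01.northpole.local SnowGlowMailPxy - - - {"From": "asnow02@northpole.local", "To": "wcub02@northpole.local", "Subject": "meeting"}
<134>1 2024-09-16T09:00:06-04:00 mail01.northpole.local SnowGlowMailPxy - - - {"From": "asnow01@northpole.local", "To": "elf_x@northpole.local", "Subject": "lunch"}
<134>1 2024-09-16T09:00:07-04:00 mail01.northpole.local SnowGlowMailPxy - - - {"From": "elf_x@northpole.local", "To": "wcub01@northpole.local", "Subject": "hello"}
"""

FACTION_PREFIX = {"wombley": "wcub", "alabaster": "asnow"}
DOMAIN = "northpole.local"


def mail_events(text):
    """Yield the JSON payload of every SnowGlowMailPxy line."""
    for line in text.splitlines():
        header, sep, payload = line.partition(" - - - ")
        if sep and header.split()[3] == "SnowGlowMailPxy":
            yield json.loads(payload)


def faction_of(address):
    """Map a mailbox to its faction by local-part prefix; None for everyone else.

    Addresses are compared case-insensitively, and only the domain's own
    mailboxes count, matching the 'within the domain' wording of Question 21.
    """
    address = (address or "").lower()
    local, _, domain = address.partition("@")
    if domain != DOMAIN:
        return None
    for name, prefix in FACTION_PREFIX.items():
        if local.startswith(prefix):
            return name
    return None


def unique_senders(text, faction):
    """Distinct (lower-cased) From addresses belonging to one faction."""
    return {ev["From"].lower() for ev in mail_events(text) if faction_of(ev.get("From")) == faction}


def count_from_to(text, src_faction, dst_faction):
    """Number of messages sent by src_faction mailboxes to dst_faction mailboxes."""
    return sum(1 for ev in mail_events(text)
               if faction_of(ev.get("From")) == src_faction and faction_of(ev.get("To")) == dst_faction)


if __name__ == "__main__":
    for name in FACTION_PREFIX:
        print(name, "senders:", sorted(unique_senders(SAMPLE_MAIL_LOG, name)))
    print("alabaster -> wombley:", count_from_to(SAMPLE_MAIL_LOG, "alabaster", "wombley"))
```

Without the lower-casing, wcub01@NORTHPOLE.local and wcub01@northpole.local would be counted as two senders, which is the same pitfall the write-up's sort | uniq pipeline sidesteps only because grep -i is case-insensitive while the printed field is not normalised.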

Question 23: Of all the reindeer, there are only nine. What's the full domain for the one whose nose does glow and shine? To help you narrow your search, search the events in the 'SnowGlowMailPxy' event source.⚓︎

We can just expand our previous command to include all emails and scan through the domains.

grep -iE '"From": ".*@NORTHPOLE.local"' log_chunk_*.log | awk '{print $9}' | sort | uniq

Because this one has a wildcard and no comma after the .local, it pulls every "From" email address that has gone through the northpole.local system. A quick scan of the list gives us our answer.

Answer: rud01ph.glow

Question 24: With a fiery tail seen once in great years, what's the domain for the reindeer who flies without fears? To help you narrow your search, search the events in the 'SnowGlowMailPxy' event source.⚓︎

Same list as above.

Answer: c0m3t.halleys