Microsoft KC7
Answer two sections for silver, all four sections for gold.
Challenge

I'm Pepper Minstix reporting from neutral ground with urgent news - Team Wombley has launched serious cyber attacks against the North Pole, including phishing, ransomware, and espionage that have already breached Alabaster's systems. We need your expertise with KQL logs to investigate and neutralize these threats, particularly the ransomware, so we can restore peace and holiday harmony!
I'm Wunorse from Team Wombley, and we're totally crushing it - we've pulled off amazing phishing attacks, ransomware, and cyber espionage that Alabaster said we couldn't do, all fueled by energy drinks and late nights! It would take a master defender to fix all our damage, but why bother with lame defense when you could join the cool side with us?

Solution
Silver medal

First, we go to http://kc7cyber.com/go/hhc24 and create an account. The modules are very well described and self-explanatory, so I will only show the questions, statements and answers here.

KQL 101

Question: Type let's do this to begin your KQL training.
Answer: let's do this

Question: Once you've examined all the tables, type when in doubt take 10 to proceed.
KQL:
Employees
| take 10
Answer: when in doubt take 10

Question: How many elves did you find?
KQL:
Employees
| count
Answer: 90

Question: Can you find out the name of the Chief Toy Maker?
KQL:
Employees
| where role == "Chief Toy Maker"
Answer: Shinny Upatree

Question: Type operator to continue.
Answer: operator

Question: How many emails did Angel Candysalt receive?
KQL:
Employees
| where name == "Angel Candysalt"

Email
| where recipient == "angel_candysalt@santaworkshopgeeseislands.org"
| count
Answer: 31

Question: How many distinct recipients were seen in the email logs from twinkle_frostington@santaworkshopgeeseislands.org?
KQL:
Email
| where sender has "twinkle_frostington@santaworkshopgeeseislands.org"
| distinct recipient
| count
Answer: 32

Question: How many distinct websites did Twinkle Frostington visit?
KQL:
Employees
| where name == "Twinkle Frostington"

OutboundNetworkEvents
| where src_ip == "10.10.0.36"
| distinct url
| count
Answer: 4

Question: How many distinct domains in the PassiveDns records contain the word green?
KQL:
PassiveDns
| where domain contains "green"
| distinct domain
| count
Answer: 10

Question: How many distinct URLs did elves with the first name Twinkle visit?
KQL:
let twinkle_ips =
Employees
| where name has "Twinkle"
| distinct ip_addr;

OutboundNetworkEvents
| where src_ip in (twinkle_ips)
| distinct url
| count
Answer: 8

Operation Surrender

Question: Type surrender to get started!
Answer: surrender

Question: Who was the sender of the phishing email that set this plan into motion?
KQL:
Email
| where subject contains "surrender"
| distinct sender
Answer: surrender@northpolemail.com

Question: How many elves from Team Wombley received the phishing email?
KQL:
Email
| where subject contains "surrender"
| distinct recipient
| count
Answer: 22

Question: What was the filename of the document that Team Alabaster distributed in their phishing email?
KQL:
Email
| where subject contains "surrender"
| distinct link
Answer: Team_Wombley_Surrender.doc

Question: Who was the first person from Team Wombley to click the URL in the phishing email?
KQL:
Employees
| join kind=inner (
    OutboundNetworkEvents
) on $left.ip_addr == $right.src_ip // condition to match rows
| where url contains "Team_Wombley_Surrender.doc"
| project name, ip_addr, url, timestamp // project returns only the columns you select
| sort by timestamp asc // sorts time ascending
| take 1
Answer: Joyelle Tinseltoe

Question: What was the filename that was created after the .doc was downloaded and executed?
KQL:
Employees
| where name == "Joyelle Tinseltoe"

ProcessEvents
| where timestamp between (datetime("2024-11-27T13:11:45Z") .. datetime("2024-11-27T15:11:45Z")) // you'll need to modify this
| where hostname == "Elf-Lap-W-Tinseltoe"
Answer: keylogger.exe

Question: To obtain your flag use the KQL below with your last answer!
KQL:
let flag = "keylogger.exe";
let base64_encoded = base64_encode_tostring(flag);
print base64_encoded
Answer: a2V5bG9nZ2VyLmV4ZQ==
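
As an added example (not from the original writeup or from KC7), the following Python reimplements the two-step Operation Surrender pivot above over constructed sample rows: join Employees to OutboundNetworkEvents on ip_addr/src_ip to find the earliest click on the lure, then list the processes seen on that elf's host in a two-hour window after the click. Column names follow the tables used on this page; the rows, the lure host name and the second elf are made up.

```python
from datetime import datetime, timedelta

# Constructed sample rows mirroring the KC7 tables used above (not the real dataset).
EMPLOYEES = [  # Employees: name, ip_addr, hostname
    {"name": "Joyelle Tinseltoe", "ip_addr": "10.10.0.41", "hostname": "Elf-Lap-W-Tinseltoe"},
    {"name": "Other Elf", "ip_addr": "10.10.0.12", "hostname": "Elf-Lap-W-Other"},  # hypothetical elf
]
OUTBOUND = [  # OutboundNetworkEvents: src_ip, url, timestamp
    {"src_ip": "10.10.0.12", "url": "https://lure.example/Team_Wombley_Surrender.doc", "timestamp": "2024-11-27T13:40:00Z"},
    {"src_ip": "10.10.0.41", "url": "https://lure.example/Team_Wombley_Surrender.doc", "timestamp": "2024-11-27T13:11:45Z"},
    {"src_ip": "10.10.0.41", "url": "https://news.example/today", "timestamp": "2024-11-27T09:00:00Z"},
]
PROCESS = [  # ProcessEvents: hostname, process_commandline, timestamp
    {"hostname": "Elf-Lap-W-Tinseltoe", "process_commandline": "winword.exe Team_Wombley_Surrender.doc", "timestamp": "2024-11-27T13:12:02Z"},
    {"hostname": "Elf-Lap-W-Tinseltoe", "process_commandline": "keylogger.exe", "timestamp": "2024-11-27T13:12:30Z"},
    {"hostname": "Elf-Lap-W-Tinseltoe", "process_commandline": "teams.exe", "timestamp": "2024-11-27T18:00:00Z"},
    {"hostname": "Elf-Lap-W-Other", "process_commandline": "keylogger.exe", "timestamp": "2024-11-27T13:41:00Z"},
]

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def first_clicker(employees, outbound, needle):
    """Employees | join kind=inner OutboundNetworkEvents on ip_addr == src_ip
    | where url contains needle | sort by timestamp asc | take 1"""
    by_ip = {e["ip_addr"]: e for e in employees}          # inner join key
    hits = [o for o in outbound if o["src_ip"] in by_ip and needle in o["url"]]
    if not hits:
        return None
    first = min(hits, key=lambda o: ts(o["timestamp"]))   # sort asc, take 1
    emp = by_ip[first["src_ip"]]
    return {"name": emp["name"], "hostname": emp["hostname"], "timestamp": first["timestamp"]}

def processes_after(process_events, hostname, start, window=timedelta(hours=2)):
    """ProcessEvents | where timestamp between (start .. start + window) | where hostname == hostname"""
    t0 = ts(start)
    rows = [p for p in process_events
            if p["hostname"] == hostname and t0 <= ts(p["timestamp"]) <= t0 + window]
    return [p["process_commandline"] for p in sorted(rows, key=lambda p: ts(p["timestamp"]))]

if __name__ == "__main__":
    click = first_clicker(EMPLOYEES, OUTBOUND, "Team_Wombley_Surrender.doc")
    print(click)
    print(processes_after(PROCESS, click["hostname"], click["timestamp"]))
```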

Gold medal

Operation Snowfall

Question: Type snowfall to begin
Answer: snowfall

Question: What was the IP address associated with the password spray?
KQL:
AuthenticationEvents
| where result == "Failed Login"
| summarize FailedAttempts = count() by username, src_ip, result
| where FailedAttempts >= 5
| sort by FailedAttempts desc
Answer: 59.171.58.12

Question: How many unique accounts were impacted where there was a successful login from 59.171.58.12?
KQL:
AuthenticationEvents
| where src_ip == "59.171.58.12"
| where result == "Successful Login"
| summarize SuccessfulLogins = count() by username, src_ip, result // one row per account
| count
Answer: 23

Question: What service was used to access these accounts/devices?
KQL:
AuthenticationEvents
| where src_ip == "59.171.58.12"
| where result == "Successful Login"
| distinct description
Answer: RDP

Question: What file was exfiltrated from Alabaster's laptop?
KQL:
AuthenticationEvents
| where src_ip == "59.171.58.12"
| where result == "Successful Login"
| where username == "alsnowball"

ProcessEvents
| where timestamp > datetime("2024-12-11T00:39:50Z")
| where hostname == "Elf-Lap-A-Snowball"
Answer: Secret_Files.zip

Question: What is the name of the malicious file that was run on Alabaster's laptop?
KQL: see the ProcessEvents query above
Answer: EncryptEverything.exe

Question: Enter your flag to continue
KQL:
let flag = "EncryptEverything.exe";
let base64_encoded = base64_encode_tostring(flag);
print base64_encoded
Answer: RW5jcnlwdEV2ZXJ5dGhpbmcuZXhl
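
Added example, not part of the original writeup or of the KC7 platform: a Python version of the Operation Snowfall detections over constructed AuthenticationEvents rows. It goes one step beyond the page's query: counting failures per (username, src_ip) finds a noisy spray, but a spray that tries each account only once or twice is better caught by counting distinct usernames per source IP, so both detections are shown, followed by the pivot to the accounts and service reached from the spray IP. The spray IP is the one from the page; all rows and usernames other than alsnowball are made up.

```python
from collections import defaultdict

# Constructed AuthenticationEvents rows (not the KC7 dataset): username, src_ip, result, description.
AUTH_EVENTS = [
    {"username": u, "src_ip": "59.171.58.12", "result": "Failed Login", "description": "RDP"}
    for u in ["alsnowball", "jtinseltoe", "wopenslae", "pminstix", "sfrostington", "bevergreen"]
] + [
    {"username": "alsnowball", "src_ip": "59.171.58.12", "result": "Successful Login", "description": "RDP"},
    {"username": "pminstix", "src_ip": "59.171.58.12", "result": "Successful Login", "description": "RDP"},
    {"username": "pminstix", "src_ip": "59.171.58.12", "result": "Successful Login", "description": "RDP"},
    {"username": "alsnowball", "src_ip": "10.10.0.5", "result": "Failed Login", "description": "Console"},
    {"username": "alsnowball", "src_ip": "10.10.0.5", "result": "Successful Login", "description": "Console"},
]

def failed_by_user_ip(events, threshold=5):
    """The page's query: summarize FailedAttempts = count() by username, src_ip | where FailedAttempts >= threshold."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "Failed Login":
            counts[(e["username"], e["src_ip"])] += 1
    return {k: v for k, v in counts.items() if v >= threshold}

def spray_sources(events, min_users=5):
    """Spray signature: one src_ip failing against many distinct usernames
    (KQL equivalent: summarize dcount(username) by src_ip | where dcount >= min_users)."""
    users = defaultdict(set)
    for e in events:
        if e["result"] == "Failed Login":
            users[e["src_ip"]].add(e["username"])
    return {ip: len(u) for ip, u in users.items() if len(u) >= min_users}

def compromised_accounts(events, src_ip):
    """Pivot: distinct usernames with a Successful Login from the spray source, and the services used."""
    ok = [e for e in events if e["src_ip"] == src_ip and e["result"] == "Successful Login"]
    return {"accounts": sorted({e["username"] for e in ok}),
            "services": sorted({e["description"] for e in ok})}

if __name__ == "__main__":
    print("per-account threshold:", failed_by_user_ip(AUTH_EVENTS))   # empty for a low-and-slow spray
    for ip, n in spray_sources(AUTH_EVENTS).items():
        print(f"spray source {ip} hit {n} accounts ->", compromised_accounts(AUTH_EVENTS, ip))
```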

Echoes in the Frost

Question: Type stay frosty to begin
Answer: stay frosty

Question: What was the timestamp of the first phishing email about the breached credentials received by Noel Boetie?
KQL:
Email
| where recipient has "Noel"
| where subject contains "credentials"
| take 10
Answer: 2024-12-12T14:48:55Z

Question: When did Noel Boetie click the link to the first file?
KQL:
OutboundNetworkEvents
| where url == "https://holidaybargainhunt.io/published/files/files/echo.exe"
Answer: 2024-12-12T15:13:55Z

Question: What was the IP for the domain where the file was hosted?
KQL:
PassiveDns
| where domain == "holidaybargainhunt.io"
| distinct ip
Answer: 182.56.23.122

Question: Let's take a closer look at the authentication events. I wonder if there were any connection events from 182.56.23.122. If so, what hostname was accessed?
KQL:
AuthenticationEvents
| where src_ip == "182.56.23.122"
Answer: WebApp-ElvesWorkshop

Question: What was the script that was run to obtain credentials?
KQL:
ProcessEvents
| where hostname == "WebApp-ElvesWorkshop"
Answer: Invoke-Mimikatz.ps1

Question: What is the timestamp where Noel executed the file?
KQL:
ProcessEvents
| where process_commandline contains "echo.exe"
| where username == "seadmin"
Answer: 2024-12-12T15:14:38Z

Question: What domain was the holidaycandy.hta file downloaded from?
KQL:
OutboundNetworkEvents
| where url contains "holidaycandy.hta"
Answer: compromisedchristmastoys.com

Question: What was the first file that was created after extraction?
KQL:
ProcessEvents
| where process_commandline contains "frosty"
| where username == "noboetie"

FileCreationEvents
| where timestamp > datetime("2024-12-24T17:19:45Z")
Answer: sqlwriter.exe

Question: What is the name of the property assigned to the new registry key?
KQL:
ProcessEvents
| where process_commandline contains "HKCU"
Answer: frosty

Question: To obtain your FINAL flag use the KQL below with your last answer!
KQL:
let finalflag = "frosty";
let base64_encoded = base64_encode_tostring(finalflag);
print base64_encoded
Answer: ZnJvc3R5

I'm absolutely thrilled with your incredible cybersecurity work - you've masterfully analyzed KQL logs, traced phishing emails, tracked compromised accounts, and neutralized ransomware! Ho-ho-holy snowflakes, you've truly become a holiday hero by completing all four tasks and helping restore peace to the North Pole!
I'm pretty upset - I thought we were bros but you're messing with our achievements! Sure, our phishing emails were genius and we needed those accounts, but now you've dismantled our ransomware that we spent so many energy drinks creating. Whatever though, this was just practice - our real attack is gonna be totally sick later!