I'm Pepper Minstix reporting from neutral ground with urgent news - Team Wombley has launched serious cyber attacks against the North Pole, including phishing, ransomware, and espionage that have already breached Alabaster's systems. We need your expertise with KQL logs to investigate and neutralize these threats, particularly the ransomware, so we can restore peace and holiday harmony!
I'm Wunorse from Team Wombley, and we're totally crushing it - we've pulled off amazing phishing attacks, ransomware, and cyber espionage that Alabaster said we couldn't do, all fueled by energy drinks and late nights! It would take a master defender to fix all our damage, but why bother with lame defense when you could join the cool side with us?
First, we go to http://kc7cyber.com/go/hhc24 and create an account. The modules are very well described and self-explanatory, so I will only show the questions, statements and answers here.
KQL 101
Type `let's do this` to begin your KQL training.

Once you've examined all the tables, type `when in doubt take 10` to proceed.
```kql
Employees
| take 10
```

How many elves did you find?
```kql
Employees
| count
```
Answer: 90

Can you find out the name of the Chief Toy Maker?
```kql
Employees
| where role == "Chief Toy Maker"
```
Answer: Shinny Upatree

Type `operator` to continue.

How many emails did Angel Candysalt receive?
```kql
// First look up her email address in the Employees table
Employees
| where name == "Angel Candysalt"
```
```kql
// Then count the messages delivered to that address
Email
| where recipient == "angel_candysalt@santaworkshopgeeseislands.org"
| count
```
Answer: 31

How many distinct recipients were seen in the email logs from twinkle_frostington@santaworkshopgeeseislands.org?
```kql
Email
| where sender has "twinkle_frostington@santaworkshopgeeseislands.org"
| distinct recipient
| count
```
Answer: 32

How many distinct websites did Twinkle Frostington visit?
```kql
// First look up her IP address
Employees
| where name == "Twinkle Frostington"
```
```kql
// Then count the distinct URLs requested from that IP
OutboundNetworkEvents
| where src_ip == "10.10.0.36"
| distinct url
| count
```
Answer: 4

How many distinct domains in the PassiveDns records contain the word green?
```kql
PassiveDns
| where domain contains "green"
| distinct domain
| count
```
Answer: 10

How many distinct URLs did elves with the first name Twinkle visit?
```kql
// Collect every Twinkle's IP in a let statement, then filter the network events by that set
let twinkle_ips = Employees
    | where name has "Twinkle"
    | distinct ip_addr;
OutboundNetworkEvents
| where src_ip in (twinkle_ips)
| distinct url
| count
```
Answer: 8
Operation Surrender
Type `surrender` to get started!

Who was the sender of the phishing email that set this plan into motion?
```kql
Email
| where subject contains "surrender"
| distinct sender
```
Answer: surrender@northpolemail.com

How many elves from Team Wombley received the phishing email?
```kql
Email
| where subject contains "surrender"
| distinct recipient
| count
```
Answer: 22

What was the filename of the document that Team Alabaster distributed in their phishing email?
```kql
Email
| where subject contains "surrender"
| distinct link
```
Answer: Team_Wombley_Surrender.doc

Who was the first person from Team Wombley to click the URL in the phishing email?
```kql
Employees
| join kind=inner (OutboundNetworkEvents) on $left.ip_addr == $right.src_ip  // condition to match rows
| where url contains "Team_Wombley_Surrender.doc"
| project name, ip_addr, url, timestamp  // project returns only the information you select
| sort by timestamp asc                  // sorts time ascending
| take 1
```
Answer: Joyelle Tinseltoe

What was the filename that was created after the .doc was downloaded and executed?
```kql
// First look up her hostname
Employees
| where name == "Joyelle Tinseltoe"
```
```kql
// Then look at what ran on that host around the time of the click
ProcessEvents
| where timestamp between (datetime("2024-11-27T13:11:45Z") .. datetime("2024-11-27T15:11:45Z"))  // you'll need to modify this
| where hostname == "Elf-Lap-W-Tinseltoe"
```
Answer: keylogger.exe

To obtain your flag use the KQL below with your last answer!
```kql
let flag = "keylogger.exe";
let base64_encoded = base64_encode_tostring(flag);
print base64_encoded
```
Answer: a2V5bG9nZ2VyLmV4ZQ==
Operation Snowfall
Type `snowfall` to begin

What was the IP address associated with the password spray?
```kql
AuthenticationEvents
| where result == "Failed Login"
| summarize FailedAttempts = count() by username, src_ip, result
| where FailedAttempts >= 5
| sort by FailedAttempts desc
```
Answer: 59.171.58.12

How many unique accounts were impacted where there was a successful login from 59.171.58.12?
```kql
AuthenticationEvents
| where src_ip == "59.171.58.12"
| where result == "Successful Login"
| summarize SuccessfulLogins = count() by username, src_ip, result  // one row per account that the source logged into
| count
```
Answer: 23

What service was used to access these accounts/devices?
```kql
AuthenticationEvents
| where src_ip == "59.171.58.12"
| where result == "Successful Login"
| distinct description
```
Answer: RDP

What file was exfiltrated from Alabaster's laptop?
```kql
// First find when the spray source logged in as Alabaster
AuthenticationEvents
| where src_ip == "59.171.58.12"
| where result == "Successful Login"
| where username == "alsnowball"
```
```kql
// Then look at what ran on his laptop after that login
ProcessEvents
| where timestamp > datetime("2024-12-11T00:39:50Z")
| where hostname == "Elf-Lap-A-Snowball"
```
Answer: Secret_Files.zip

What is the name of the malicious file that was run on Alabaster's laptop?
Same ProcessEvents query as above.
Answer: EncryptEverything.exe

Enter your flag to continue
```kql
let flag = "EncryptEverything.exe";
let base64_encoded = base64_encode_tostring(flag);
print base64_encoded
```
Answer: RW5jcnlwdEV2ZXJ5dGhpbmcuZXhl
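The module's spray query ranks failed attempts per username, which is really a brute-force signature; a password spray is one source trying many accounts a few times each, so the better pivot is distinct usernames per source IP. The query below is an added example, not part of the original writeup or the KC7 modules: it finds sources that hit at least `min_accounts` distinct accounts within an hour, then joins them to their successful logins so the compromised accounts and the service used come out in one pass. It uses only the AuthenticationEvents columns the module already relies on (timestamp, src_ip, username, result, description); the thresholds `spray_window` and `min_accounts` are assumed starting values to tune.

```kql
// Added example (not from the original writeup): password-spray detection by breadth,
// correlated with the successful logins that followed.
let spray_window = 1h;     // assumed: window in which the breadth is measured
let min_accounts = 10;     // assumed: distinct accounts per source per window that counts as a spray
let spray_sources = AuthenticationEvents
    | where result == "Failed Login"
    // breadth per source and hour: how many *different* accounts did it try?
    | summarize targeted_accounts = dcount(username),
                failed_attempts  = count(),
                first_seen       = min(timestamp),
                last_seen        = max(timestamp)
        by src_ip, bin(timestamp, spray_window)
    | where targeted_accounts >= min_accounts
    // collapse the per-hour hits back to one row per source
    | summarize targeted_accounts = max(targeted_accounts),
                failed_attempts  = sum(failed_attempts),
                first_seen       = min(first_seen),
                last_seen        = max(last_seen)
        by src_ip;
spray_sources
| join kind=inner (
    AuthenticationEvents
    | where result == "Successful Login"
    | project src_ip, username, description, login_time = timestamp
  ) on src_ip
| where login_time >= first_seen   // only successes after the spray began count as compromise
| summarize compromised_accounts = dcount(username),
            accounts = make_set(username),
            services = make_set(description)
    by src_ip, targeted_accounts, failed_attempts, first_seen, last_seen
| sort by compromised_accounts desc
```

On the module data this should surface 59.171.58.12 as the source, list the 23 accounts it logged into and show RDP as the service, matching the three answers above; the point of the added query is that all of it comes from one run instead of three, and that the breadth threshold keeps a single user who mistypes their password five times from showing up as a spray.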
Echoes in the Frost
Type `stay frosty` to begin

What was the timestamp of the first phishing email about the breached credentials received by Noel Boetie?
```kql
Email
| where recipient has "Noel"
| where subject contains "credentials"
| take 10
```
Answer: 2024-12-12T14:48:55Z

When did Noel Boetie click the link to the first file?
```kql
OutboundNetworkEvents
| where url == "https://holidaybargainhunt.io/published/files/files/echo.exe"
```
Answer: 2024-12-12T15:13:55Z

What was the IP for the domain where the file was hosted?
```kql
PassiveDns
| where domain == "holidaybargainhunt.io"
| distinct ip
```
Answer: 182.56.23.122

Let's take a closer look at the authentication events. I wonder if there were any connection events from 182.56.23.122. If so, what hostname was accessed?
```kql
AuthenticationEvents
| where src_ip == "182.56.23.122"
```
Answer: WebApp-ElvesWorkshop

What was the script that was run to obtain credentials?
```kql
ProcessEvents
| where hostname == "WebApp-ElvesWorkshop"
```
Answer: Invoke-Mimikatz.ps1

What is the timestamp where Noel executed the file?
```kql
ProcessEvents
| where process_commandline contains "echo.exe"
| where username == "seadmin"
```
Answer: 2024-12-12T15:14:38Z

What domain was the holidaycandy.hta file downloaded from?
```kql
OutboundNetworkEvents
| where url contains "holidaycandy.hta"
```
Answer: compromisedchristmastoys.com

What was the first file that was created after extraction?
```kql
// First find when the "frosty" archive was extracted under Noel's account
ProcessEvents
| where process_commandline contains "frosty"
| where username == "noboetie"
```
```kql
// Then look at the files created right after that
FileCreationEvents
| where timestamp > datetime("2024-12-24T17:19:45Z")
```
Answer: sqlwriter.exe

What is the name of the property assigned to the new registry key?
```kql
ProcessEvents
| where process_commandline contains "HKCU"
```
Answer: frosty

To obtain your FINAL flag use the KQL below with your last answer!
```kql
let finalflag = "frosty";
let base64_encoded = base64_encode_tostring(finalflag);
print base64_encoded
```
Answer: ZnJvc3R5
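Both Operation Surrender and Echoes in the Frost follow the same pattern: look up one elf in Employees, then hop table by table (Email, OutboundNetworkEvents, ProcessEvents, FileCreationEvents) with the IP, hostname and timestamps copied by hand into each new query. The query below is an added example, not part of the original writeup or the KC7 modules, that does the lookup once and unions the four event tables into a single timeline for that elf. Columns that appear in the module queries (name, ip_addr, src_ip, url, hostname, username, process_commandline, recipient, sender, subject, link, timestamp) are used as-is; Employees.username, Employees.hostname, Employees.email_addr and FileCreationEvents.filename are assumed from the KC7 schema and would need to match your dataset.

```kql
// Added example (not from the original writeup): one timeline per elf across the tables
// the modules pivot through. Employees.username/hostname/email_addr and
// FileCreationEvents.filename are assumed column names.
let elf_name = "Noel Boetie";
let elf      = Employees | where name == elf_name | take 1;
let elf_ip   = toscalar(elf | project ip_addr);
let elf_user = toscalar(elf | project username);
let elf_host = toscalar(elf | project hostname);
let elf_mail = toscalar(elf | project email_addr);
union
    // phishing mail delivered to the elf
    (Email
     | where recipient == elf_mail
     | project timestamp, source = "Email",
               detail = strcat(sender, " | ", subject, " | ", link)),
    // links the elf's machine fetched
    (OutboundNetworkEvents
     | where src_ip == elf_ip
     | project timestamp, source = "Network", detail = url),
    // processes on the elf's host, under any account (echo.exe ran as "seadmin", not as Noel)
    (ProcessEvents
     | where hostname == elf_host or username == elf_user
     | project timestamp, source = "Process", detail = process_commandline),
    // files dropped on the elf's host
    (FileCreationEvents
     | where hostname == elf_host
     | project timestamp, source = "FileCreate", detail = filename)
| where timestamp between (datetime("2024-12-12") .. datetime("2024-12-26"))  // narrow to the incident window
| sort by timestamp asc
```

Reading the result top to bottom gives the whole chain in order: the credentials email at 14:48:55Z, the echo.exe click at 15:13:55Z, its execution at 15:14:38Z, and later the holidaycandy.hta download, the "frosty" extraction and the sqlwriter.exe drop. The ProcessEvents filter matches on hostname as well as username on purpose: the module showed the payload executing under a different account than the phished elf, so filtering on `username == elf_user` alone would have hidden it.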
I'm absolutely thrilled with your incredible cybersecurity work - you've masterfully analyzed KQL logs, traced phishing emails, tracked compromised accounts, and neutralized ransomware! Ho-ho-holy snowflakes, you've truly become a holiday hero by completing all four tasks and helping restore peace to the North Pole!
I'm pretty upset - I thought we were bros but you're messing with our achievements! Sure, our phishing emails were genius and we needed those accounts, but now you've dismantled our ransomware that we spent so many energy drinks creating. Whatever though, this was just practice - our real attack is gonna be totally sick later!