KQL Kraken Hunt
Difficulty:
Shown in Report
Use Azure Data Explorer to uncover misdeeds in Santa's IT enterprise. Go to Film Noir Island and talk to Tangle Coalbox for more information.
Objective Image
Back
Challenge

Greetings, rookie. Tangle Coalbox of Kusto Detective Agency here.
I've got a network infection case on Film Noir Island that needs your expertise.
Seems like someone clicked a phishing link within a client's organization, and trouble's brewing.
I'm swamped with cases, so I need an extra pair of hands. You up for the challenge?
You'll be utilizing the Azure Data Explorer and those KQL skills of yours to investigate this incident.
Before you start, you'll need to (create a free cluster).
Keep your eyes peeled for suspicious activity, IP addresses, and patterns that'll help us crack this case wide open.
Remember, kid, time is of the essence. The sooner we can resolve this issue, the better.
If you run into any problems, just give me a holler, I've got your back.
Good hunting, and let's bring this cyber criminal to justice.
Once you've got the intel we need, report back and we'll plan our next move. Stay sharp, rookie.

Tangle Coalbox give us following hints as well:
Do you need to find something that happened via a process? Pay attention to the ProcessEvents table!
Once you get into the Kusto trainer, click the blue Train me for the case button to get familiar with KQL.
Looking for a file that was created on a victim system? Don't forget the FileCreationEvents table.

Solution

Before we start here, we need to make some preparations:

I will skip the train me section as it is self-explanatory and serves to familiarize yourself with Kusto Query Language.

Here are the individual tasks with the respective solutions and explanations:

Welcome to SANS Holiday Hack 2023!

Here's a little puzzle to warm you up with KQL and feel the pulse of the collected data. The Geese Islands network boasts a robust team putting in some serious hustle, and you can unmistakably witness their dedication mirrored in the tasks they bring to life. The delightful keyboard clicks in the morning, truly something to love, don't you agree? Now, presenting a snappy challenge: figure out the number of Craftsperson Elf's in the organization that are working from laptops.

To do this, we look in the Employees table and filter by role and hostname

Employees
| where role == "Craftsperson Elf"
| where hostname has "LAPTOP"
| count

How many Craftperson Elf's are working from laptops?
25

Welcome to Operation Giftwrap: Defending the Geese Island network

An urgent alert has just come in, A user clicked through to a potentially malicious URL involving one user. This message hints at a possible security incident, leaving us with critical questions about the user's intentions, the nature of the threat, and the potential risks to Santa's operations. Your mission is to lead our security operations team, investigate the incident, uncover the motives behind email, assess the potential threats, and safeguard the operations from the looming cyber threat.
The clock is ticking, and the stakes are high - are you up for this exhilarating challenge? Your skills will be put to the test, and the future of Geese Island's digital security hangs in the balance. Good luck!
The alert says the user clicked the malicious link http://madelvesnorthpole.org/published/search/MonthlyInvoiceForReindeerFood.docx

To do this, we look in the Email table and filter by the link name

Email 
| where link == "http://madelvesnorthpole.org/published/search/MonthlyInvoiceForReindeerFood.docx"

What is the email address of the employee who received this phishing email?
alabaster_snowball@santaworkshopgeeseislands.org

What is the email address that was used to send this spear phishing email?
cwombley@gmail.com

What was the subject line used in the spear phishing email?
[EXTERNAL] Invoice foir reindeer food past due

Someone got phished! Let's dig deeper on the victim...

Nicely done! You found evidence of the spear phishing email targeting someone in our organization. Now, we need to learn more about who the victim is!
If the victim is someone important, our organization could be doomed! Hurry up, let's find out more about who was impacted!

To do this, we look in the Employees table and filter for Alabaster's email address

Employees
| where email_addr == "alabaster_snowball@santaworkshopgeeseislands.org"

What is the role of our victim in the organization?
Head Elf

What is the hostname of the victim's machine?
Y1US-DESKTOP

What is the source IP linked to the victim?
10.10.0.4

That's not good. What happened next?

The victim is Alabaster Snowball? Oh no... that's not good at all! Can you try to find what else the attackers might have done after they sent Alabaster the phishing email?
Use our various security log datasources to uncover more details about what happened to Alabaster.

First we look in the OutboundNetworkEvents table and filter according to the URL. Then we note the time and look in the FileCreationEvents table to see what happened on Alabaster's computer a few minutes before and after.

OutboundNetworkEvents
| where url == "http://madelvesnorthpole.org/published/search/MonthlyInvoiceForReindeerFood.docx"

FileCreationEvents
| where hostname == "Y1US-DESKTOP"
| where timestamp between (datetime("2023-12-02T10:05:00Z") .. datetime("2023-12-02T10:20:00Z"))

What time did Alabaster click on the malicious link? Make sure to copy the exact timestamp from the logs!
2023-12-02T10:12:42Z

What file is dropped to Alabaster's machine shortly after he downloads the malicious file?
giftwrap.exe

A compromised host! Time for a deep dive.

Well, that's not good. It looks like Alabaster clicked on the link and downloaded a suspicious file. I don't know exactly what giftwrap.exe does, but it seems bad.
Can you take a closer look at endpoint data from Alabaster's machine? We need to figure out exactly what happened here. Word of this hack is starting to spread to the other elves, so work quickly and quietly!

First we look in the ProcessEvents table to see what else was happening on Alabaster's computer at the time. We then use the keyword net to search for processes that may have been used to scan the network drives.

ProcessEvents
| where hostname == "Y1US-DESKTOP"
| where timestamp between (datetime("2023-12-02T10:05:00Z") .. datetime("2023-12-02T12:20:00Z"))

ProcessEvents
| where process_commandline has "net"
| where parent_process_hash == "614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f"

The attacker created an reverse tunnel connection with the compromised machine. What IP was the connection forwarded to?
113.37.9.17

What is the timestamp when the attackers enumerated network shares on the machine?
2023-12-02T16:51:44Z

What was the hostname of the system the attacker moved laterally to?
NorthPolefileshare

A hidden message

Wow, you're unstoppable! Great work finding the malicious activity on Alabaster's machine. I've been looking a bit myself and... I'm stuck. The messages seem to be garbled. Do you think you can try to decode them and find out what's happening?
Look around for encoded commands. Use your skills to decode them and find the true meaning of the attacker's intent! Some of these might be extra tricky and require extra steps to fully decode! Good luck!
If you need some extra help with base64 encoding and decoding, click on the Train me for this case button at the top-right of your screen.

So let's search the ProcessEvents table for commands that contain the keyword enc. As there are only a few entries, we need to filter by time period.
We use https://www.base64decode.org/ to decode the payload.
And then we also ask the AI to make the mangled commands readable for us: Can you decrypt that statement? xy

ProcessEvents
| where hostname == "Y1US-DESKTOP"
| where process_commandline has "enc"

When was the attacker's first base64 encoded PowerShell command executed on Alabaster's machine?
2023-12-24T16:07:47Z

What was the name of the file the attacker copied from the fileshare? (This might require some additional decoding)
NaughtyNiceList.txt

The attacker has likely exfiltrated data from the file share. What domain name was the data exfiltrated to?
giftbox.com

The final step!

Wow! You decoded those secret messages with easy! You're a rockstar. It seems like we're getting near the end of this investigation, but we need your help with one more thing...
We know that the attackers stole Santa's naughty or nice list. What else happened? Can you find the final malicious command the attacker ran?

For this we can use the output from the previous query and decode the Base64 payload again.

ProcessEvents
| where hostname == "Y1US-DESKTOP"
| where process_commandline has "enc"

What is the name of the executable the attackers used in the final malicious command?
downwithsanta.exe

What was the command line flag used alongside this executable?
--wipeall

Congratulations!

Congratulations, you've cracked the Kusto detective agency section of the Holiday Hack Challenge!
By now, you've likely pieced together the broader narrative of the alert we received. It all started with Wombley Cube, a skilled Craftsperson, and a malicious insider, who sent an email to the esteemed head elf, Alabaster Snowball. This seemingly innocent email contained a dangerous link leading to the malicious domain, MadElvesNorthPole.org. Alabaster Snowball, from his PC, unwittingly clicked on the link, resulting in the download and execution of malicious payloads. Notably, you've also discerned Wombley Cube's ulterior motive: to pilfer a copy of Santa's naughty or nice list and erase the data on the share drive containing critical information to Santa's operations. Kudos to you!
To earn credit for your fantastic work, return to the Holiday Hack Challenge and enter the secret phrase which is the result of running this query:

Copy
print base64_decode_tostring('QmV3YXJlIHRoZSBDdWJlIHRoYXQgV29tYmxlcw==')

And that results in: Beware the Cube that Wombles

Tangle Coalbox tells us now
I had my doubts, but you've proven your worth.
That phishing scheme won't trouble our client's organization anymore, thanks to your keen eye and investigatory prowess.
So long, Gumshoe, and be careful out there.