
Back in the DMZ we can find Pepper Mintstix and Wunhorse Openslae next to The Great Elf Conflict. This is a link to an external KQL challenge. Wombley's team conducted a phishing and ransomware attack against Alabaster's team, and we need to pore over the logs to identify how this was done. For this challenge, solving 2 of the 4 parts earns silver and all 4 earn gold.
KQL 101
- Just enter `let's do this` into the prompt
- Enter `when in doubt take 10`
- Run the provided KQL. The answer is
90
- Can you find out the name of the Chief Toy Maker?
Shinny Upatree
```kql
Employees
| where role == "Chief Toy Maker"
```
- Just enter `operator`
- How many emails did Angel Candysalt receive?
31
```kql
// first look up the elf's email address
Employees
| where name == "Angel Candysalt"
```
```kql
Email
| where recipient == "angel_candysalt@santaworkshopgeeseislands.org"
| count
```
- How many distinct recipients were seen in the email logs from twinkle_frostington@santaworkshopgeeseislands.org?
32
```kql
Email
| where sender has "twinkle_frostington@santaworkshopgeeseislands.org"
| distinct recipient
| count
```
- How many distinct websites did Twinkle Frostington visit?
4
```kql
// first look up the elf's IP address
Employees
| where name == "Twinkle Frostington"
```
```kql
OutboundNetworkEvents
| where src_ip == "10.10.0.36"
| distinct url
| count
```
- How many distinct domains in the PassiveDns records contain the word green?
10
```kql
PassiveDns
| where domain contains "green"
| distinct domain
| count
```
- How many distinct URLs did elves with the first name Twinkle visit?
8
```kql
// collect every IP address belonging to an elf named Twinkle, then filter the outbound events by that set
let twinkle_ips =
    Employees
    | where name has "Twinkle"
    | distinct ip_addr;
OutboundNetworkEvents
| where src_ip in (twinkle_ips)
| distinct url
| count
```
Enter 8 into the badge for KQL 101 to mark the challenge complete.
Operation Surrender: Alabaster's Espionage
- Just enter `surrender`
- Who was the sender of the phishing email that set this plan into motion?
surrender@northpolemail.com
```kql
Email
| where subject contains "surrender"
```
- How many elves from Team Wombley received the phishing email?
22
```kql
Email
| where subject contains "surrender"
| distinct recipient
| count
```
- What was the filename of the document that Team Alabaster distributed in their phishing email?
Team_Wombley_Surrender.doc
```kql
Email
| where subject contains "surrender"
| distinct link
```
- Who was the first person from Team Wombley to click the URL in the phishing email?
Joyelle Tinseltoe
```kql
// join employees to their outbound web requests by IP address, then find the earliest request for the .doc
Employees
| join kind=inner (
    OutboundNetworkEvents
) on $left.ip_addr == $right.src_ip
| where url contains "Team_Wombley_Surrender.doc"
| project name, ip_addr, url, timestamp
| sort by timestamp asc
```
- What was the filename that was created after the .doc was downloaded and executed?
keylogger.exe
```kql
// first look up the elf's laptop hostname
Employees
| where name == "Joyelle Tinseltoe"
```
```kql
ProcessEvents
| where timestamp between (datetime("2024-11-27T09:00:37Z") .. datetime("2024-11-28T17:20:37Z"))
| where hostname == "Elf-Lap-W-Tinseltoe"
```
- Enter your flag to continue
a2V5bG9nZ2VyLmV4ZQ==
```kql
let flag = "keylogger.exe";
let base64_encoded = base64_encode_tostring(flag);
print base64_encoded
```
Enter a2V5bG9nZ2VyLmV4ZQ== into your badge to complete the silver medal. Keep solving the last two parts for gold.
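The join-and-sort step above (employees matched to their outbound requests by IP, filtered on the lure filename, earliest request first) reproduced in Python over constructed sample rows. This is an added example, not part of the original writeup or the challenge data; the column names follow the writeup's tables, and every record below is made up.

```python
"""Added example: 'first clicker' logic from Operation Surrender in plain Python.
Column names (Employees.ip_addr, OutboundNetworkEvents.src_ip/url/timestamp)
follow the writeup; all records are constructed for illustration."""
from datetime import datetime, timezone

# Constructed stand-ins for the Employees and OutboundNetworkEvents tables.
EMPLOYEES = [
    {"name": "Elf A", "ip_addr": "10.10.0.11"},
    {"name": "Elf B", "ip_addr": "10.10.0.12"},
    {"name": "Elf C", "ip_addr": "10.10.0.13"},
]
LURE = "Team_Wombley_Surrender.doc"
OUTBOUND = [
    {"src_ip": "10.10.0.12", "url": "https://example.invalid/news", "timestamp": "2024-11-27T08:59:00Z"},
    {"src_ip": "10.10.0.13", "url": f"https://example.invalid/{LURE}", "timestamp": "2024-11-27T09:05:10Z"},
    {"src_ip": "10.10.0.12", "url": f"https://example.invalid/{LURE}", "timestamp": "2024-11-27T09:00:37Z"},
    # no matching employee IP: an inner join drops this row
    {"src_ip": "10.10.0.99", "url": f"https://example.invalid/{LURE}", "timestamp": "2024-11-27T08:00:00Z"},
]

def parse_ts(s):
    # "Z" suffix -> explicit UTC so rows sort by real time, not by string.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def inner_join_on_ip(employees, events):
    """Equivalent of: Employees | join kind=inner (OutboundNetworkEvents)
    on $left.ip_addr == $right.src_ip (rows without a match on either side are dropped)."""
    by_ip = {}
    for emp in employees:
        by_ip.setdefault(emp["ip_addr"], []).append(emp)
    for ev in events:
        for emp in by_ip.get(ev["src_ip"], []):
            yield {**emp, **ev}

def clickers(employees, events, needle):
    """| where url contains needle | project name, ip_addr, timestamp | sort by timestamp asc
    KQL's `contains` is case-insensitive, so the comparison lowercases both sides."""
    rows = [r for r in inner_join_on_ip(employees, events) if needle.lower() in r["url"].lower()]
    rows.sort(key=lambda r: parse_ts(r["timestamp"]))
    return [(r["name"], r["ip_addr"], r["timestamp"]) for r in rows]

if __name__ == "__main__":
    for row in clickers(EMPLOYEES, OUTBOUND, LURE):
        print(row)  # first row is the first clicker
```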
Operation Snowfall: Team Wombley's Ransomware Raid
- Enter `snowfall`
- What was the IP address associated with the password spray?
59.171.58.12
```kql
AuthenticationEvents
| where result == "Failed Login"
| summarize FailedAttempts = count() by username, src_ip, result
| where FailedAttempts >= 100
| sort by FailedAttempts desc
| distinct src_ip
```
- How many unique accounts were impacted where there was a successful login from 59.171.58.12?
23
```kql
AuthenticationEvents
| where result == "Successful Login"
| where src_ip == "59.171.58.12"
| distinct username
| count
```
- What service was used to access these accounts/devices?
RDP
```kql
AuthenticationEvents
| where result == "Successful Login"
| where src_ip == "59.171.58.12"
| distinct description
```
- What file was exfiltrated from Alabaster's laptop?
Secret_Files.zip
```kql
// first look up the laptop hostname
Employees
| where name == "Alabaster Snowball"
```
```kql
ProcessEvents
| where hostname == "Elf-Lap-A-Snowball"
| where process_commandline contains "copy"
```
- What is the name of the malicious file that was run on Alabaster's laptop?
EncryptEverything.exe
```kql
ProcessEvents
| where hostname == "Elf-Lap-A-Snowball"
| where process_commandline contains ".exe"
```
- Enter your flag to continue
RW5jcnlwdEV2ZXJ5dGhpbmcuZXhl
```kql
let flag = "EncryptEverything.exe";
let base64_encoded = base64_encode_tostring(flag);
print base64_encoded
```
Enter the encoded value into the badge to complete the task.
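The spray-detection chain from this part (failed-login counts per source, then the accounts and service seen in successful logins from that source) as an added Python example over a constructed AuthenticationEvents sample; it is not part of the original writeup or challenge data. It goes one step beyond the page's query by also counting distinct accounts tried per source IP, which is the stronger password-spray signal than raw failure counts.

```python
"""Added example: Operation Snowfall detection logic in plain Python.
Column names (result, username, src_ip, description) follow the writeup;
the events below are constructed, including the spraying IP address."""
from collections import defaultdict

# Constructed AuthenticationEvents rows: (result, username, src_ip, description).
AUTH_EVENTS = (
    [("Failed Login", f"user{i}", "203.0.113.7", "RDP") for i in range(120)]  # one IP, many accounts
    + [("Failed Login", "alice", "198.51.100.5", "RDP") for _ in range(6)]    # one user mistyping
    + [("Successful Login", "user3", "203.0.113.7", "RDP"),
       ("Successful Login", "user9", "203.0.113.7", "RDP"),
       ("Successful Login", "user9", "203.0.113.7", "RDP"),
       ("Successful Login", "alice", "198.51.100.5", "VPN")]
)

def spray_sources(events, min_failures=100, min_accounts=10):
    """Source IPs with at least min_failures failed logins spread over at least
    min_accounts distinct usernames: the per-IP counterpart of the writeup's
    summarize ... | where FailedAttempts >= 100 | distinct src_ip."""
    failures = defaultdict(int)
    targets = defaultdict(set)
    for result, user, ip, _ in events:
        if result == "Failed Login":
            failures[ip] += 1
            targets[ip].add(user)
    return sorted(ip for ip in failures
                  if failures[ip] >= min_failures and len(targets[ip]) >= min_accounts)

def impacted_accounts(events, ip):
    """| where result == "Successful Login" | where src_ip == ip | distinct username"""
    return sorted({u for r, u, s, _ in events if r == "Successful Login" and s == ip})

def services_used(events, ip):
    """| distinct description over the successful logins from ip."""
    return sorted({d for r, _, s, d in events if r == "Successful Login" and s == ip})

if __name__ == "__main__":
    for ip in spray_sources(AUTH_EVENTS):
        print(ip, impacted_accounts(AUTH_EVENTS, ip), services_used(AUTH_EVENTS, ip))
```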
Echoes in the Frost: Tracking the Unknown Threat
- Enter `stay_frosty`
- What was the timestamp of the first phishing email about the breached credentials received by Noel Boetie?
2024-12-12T14:48:55Z
```kql
// first look up the elf's email address
Employees
| where name == "Noel Boetie"
```
```kql
Email
| where recipient == "noel_boetie@santaworkshopgeeseislands.org"
| where subject contains "breach"
```
- When did Noel Boetie click the link to the first file?
2024-12-12T15:13:55Z
```kql
OutboundNetworkEvents
| where url == "https://holidaybargainhunt.io/published/files/files/echo.exe"
```
- What was the IP for the domain where the file was hosted?
182.56.23.122
```kql
PassiveDns
| where domain contains "holidaybargainhunt.io"
| distinct ip
```
- What hostname was accessed?
WebApp-ElvesWorkshop
```kql
AuthenticationEvents
| where result == "Successful Login"
| where src_ip == "182.56.23.122"
```
- What was the script that was run to obtain credentials?
Invoke-Mimikatz.ps1
```kql
ProcessEvents
| where hostname == "WebApp-ElvesWorkshop"
```
- What is the timestamp where Noel executed the file?
2024-12-12T15:14:38Z
```kql
ProcessEvents
| where process_commandline contains "echo.exe"
```
- What domain was the holidaycandy.hta file downloaded from?
compromisedchristmastoys.com
```kql
OutboundNetworkEvents
| where url contains "holidaycandy.hta"
```
- What was the first file that was created after extraction?
sqlwriter.exe
```kql
// first look up the laptop hostname
Employees
| where name == "Noel Boetie"
```
```kql
// find when frosty.zip was extracted
ProcessEvents
| where hostname == "Elf-Lap-A-Boetie"
| where process_commandline contains "frosty.zip"
```
```kql
// files created after that time
FileCreationEvents
| where hostname == "Elf-Lap-A-Boetie"
| where timestamp >= datetime(2024-12-24T17:19:45Z)
```
- What is the name of the property assigned to the new registry key?
frosty
```kql
ProcessEvents
| where hostname == "Elf-Lap-A-Boetie"
| where timestamp >= datetime(2024-12-24T17:19:45Z)
```
- To obtain your FINAL flag use the KQL below with your last answer!
ZnJvc3R5
```kql
let finalflag = "frosty";
let base64_encoded = base64_encode_tostring(finalflag);
print base64_encoded
```
Enter this last value into the badge and the Gold will be unlocked.