HHC 2024 – Microsoft KC7

Back in the DMZ we can find Pepper Mintstix and Wunhorse Openslae next to The Great Elf Conflict. This is a link to an external KQL challenge. Wombley's team conducted a phishing and ransomware attack against Alabaster's team, and we need to pore over the logs to identify how this was done. For this challenge, solving 2 of the 4 parts earns silver and solving all 4 earns gold.

KQL 101

  1. Just enter "let's do this" into the prompt.
  2. Enter "when in doubt take 10".
  3. Run the provided KQL; the answer is 90.
  4. Can you find out the name of the Chief Toy Maker?
    • Shinny Upatree
Employees
| where role == "Chief Toy Maker"
  5. Just enter "operator".
  6. How many emails did Angel Candysalt receive?
    • 31
Employees
| where name == "Angel Candysalt"

Email
| where recipient == "angel_candysalt@santaworkshopgeeseislands.org"
| count
  7. How many distinct recipients were seen in the email logs from twinkle_frostington@santaworkshopgeeseislands.org?
    • 32
Email
| where sender has "twinkle_frostington@santaworkshopgeeseislands.org"
| distinct recipient
| count
  8. How many distinct websites did Twinkle Frostington visit?
    • 4
Employees
| where name == "Twinkle Frostington"

OutboundNetworkEvents
| where src_ip == "10.10.0.36"
| distinct url
| count
  9. How many distinct domains in the PassiveDns records contain the word green?
    • 10
PassiveDns
| where domain contains "green"
| distinct domain
| count
  10. How many distinct URLs did elves with the first name Twinkle visit?
    • 8

Enter 8 into the badge for KQL 101 to mark the challenge complete.

let twinkle_ips =
Employees
| where name has "Twinkle"
| distinct ip_addr;
OutboundNetworkEvents  
| where src_ip in (twinkle_ips)  
| distinct url
| count

Operation Surrender: Alabaster’s Espionage

  1. Just enter "surrender".
  2. Who was the sender of the phishing email that set this plan into motion?
    • surrender@northpolemail.com
Email
| where subject contains "surrender"
  3. How many elves from Team Wombley received the phishing email?
    • 22
Email
| where subject contains "surrender"
| distinct recipient
| count
  4. What was the filename of the document that Team Alabaster distributed in their phishing email?
    • Team_Wombley_Surrender.doc
Email
| where subject contains "surrender"
| distinct link
  5. Who was the first person from Team Wombley to click the URL in the phishing email?
    • Joyelle Tinseltoe
Employees
| join kind=inner (
    OutboundNetworkEvents
) on $left.ip_addr == $right.src_ip
| where url contains "Team_Wombley_Surrender.doc"
| project name, ip_addr, url, timestamp
| sort by timestamp asc
  6. What was the filename that was created after the .doc was downloaded and executed?
    • keylogger.exe
Employees
| where name == "Joyelle Tinseltoe"

ProcessEvents
| where timestamp between (datetime("2024-11-27T09:00:37Z") .. datetime("2024-11-28T17:20:37Z"))
| where hostname == "Elf-Lap-W-Tinseltoe"
  7. Enter your flag to continue.
    • a2V5bG9nZ2VyLmV4ZQ==
let flag = "keylogger.exe";
let base64_encoded = base64_encode_tostring(flag);
print base64_encoded

Enter a2V5bG9nZ2VyLmV4ZQ== into your badge to complete the silver medal. Keep solving the last two parts for gold.
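The phish-to-execution chain above took several separate lookups (find the link, find who fetched it, then inspect that host's processes). The query below is an added example, not part of the write-up, that reconstructs the same chain in one pass and covers every link carried by the lure rather than one hard-coded filename. It assumes Employees has a hostname column (the write-up resolves hostnames by hand) and that a one-hour window after each click is wide enough; the other table and column names are the ones the write-up's own queries use.

```kql
// Added example: phish-to-execution chain for the "surrender" lure in one query.
// Assumed: Employees.hostname exists; one-hour post-click window.
let lure_links =
    Email
    | where subject contains "surrender"
    | distinct link;
// every outbound fetch of a lure link, mapped back to the elf and laptop
let clickers =
    OutboundNetworkEvents
    | where url in (lure_links)
    | project src_ip, click_time = timestamp, url
    | join kind=inner (
        Employees
        | project name, ip_addr, hostname
      ) on $left.src_ip == $right.ip_addr
    | project name, hostname, click_time, url;
clickers
| join kind=inner (
    ProcessEvents
    | project hostname, process_time = timestamp, process_commandline
  ) on hostname
// keep only process activity in the hour after each click
| where process_time between (click_time .. click_time + 1h)
| order by process_time asc
| summarize first_click = min(click_time),
            lure_url = take_any(url),
            processes_after_click = make_list(process_commandline)
          by name, hostname
| sort by first_click asc
```

The first row is the earliest clicker, and its processes_after_click list shows what ran on that laptop in the hour that followed.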

Operation Snowfall: Team Wombley’s Ransomware Raid

  1. Enter "snowfall".
  2. What was the IP address associated with the password spray?
    • 59.171.58.12
AuthenticationEvents
| where result == "Failed Login"
| summarize FailedAttempts = count() by username, src_ip, result
| where FailedAttempts >= 100
| sort by FailedAttempts desc
| distinct src_ip
  3. How many unique accounts were impacted where there was a successful login from 59.171.58.12?
    • 23
AuthenticationEvents
| where result == "Successful Login"
| where src_ip == "59.171.58.12"
| distinct username
| count
  4. What service was used to access these accounts/devices?
    • RDP
AuthenticationEvents
| where result == "Successful Login"
| where src_ip == "59.171.58.12"
| distinct description
  5. What file was exfiltrated from Alabaster's laptop?
    • Secret_Files.zip
Employees
| where name == "Alabaster Snowball"

ProcessEvents
| where hostname == "Elf-Lap-A-Snowball"
| where process_commandline contains "copy"
  6. What is the name of the malicious file that was run on Alabaster's laptop?
    • EncryptEverything.exe
ProcessEvents
| where hostname == "Elf-Lap-A-Snowball"
| where process_commandline contains ".exe"
  7. Enter your flag to continue.
    • RW5jcnlwdEV2ZXJ5dGhpbmcuZXhl
let flag = "EncryptEverything.exe";
let base64_encoded = base64_encode_tostring(flag);
print base64_encoded

Enter the encoded value into the badge to complete the task.
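The spray query above keys on the number of failures per account. A password spray's distinguishing signature is the opposite shape: one source trying a few passwords against many distinct accounts. The query below is an added example, not from the write-up, that detects that shape per source IP and then correlates the source with any later successful logins, producing in one result the compromised accounts, the service used (the description column) and the hosts reached. It assumes AuthenticationEvents has a timestamp column; the threshold is a constructed starting value to tune.

```kql
// Added example: password-spray detection by distinct accounts per source,
// correlated with subsequent successful logins from the same source.
// Assumed: AuthenticationEvents.timestamp exists; threshold is illustrative.
let spray_threshold = 20;   // distinct accounts tried per source per hour
let spray_sources =
    AuthenticationEvents
    | where result == "Failed Login"
    | summarize attempted_accounts = dcount(username), failures = count()
              by src_ip, hour = bin(timestamp, 1h)
    | where attempted_accounts >= spray_threshold
    | summarize peak_accounts_per_hour = max(attempted_accounts),
                total_failures = sum(failures),
                spray_start = min(hour)
              by src_ip;
spray_sources
| join kind=inner (
    AuthenticationEvents
    | where result == "Successful Login"
    | project src_ip, success_time = timestamp, username, description, hostname
  ) on src_ip
// only successes after the spray began count as likely compromises
| where success_time >= spray_start
| summarize compromised_accounts = make_set(username),
            services = make_set(description),
            hosts = make_set(hostname),
            first_success = min(success_time)
          by src_ip, peak_accounts_per_hour, total_failures, spray_start
| extend compromised_count = array_length(compromised_accounts)
| sort by compromised_count desc
```

Run against the challenge data, the top row should be the sprayed-from address with its 23 accounts and the RDP description, but the same query works unchanged on any source that fits the pattern.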

Echoes in the Frost: Tracking the Unknown Threat

  1. Enter "stay_frosty".
  2. What was the timestamp of the first phishing email about the breached credentials received by Noel Boetie?
    • 2024-12-12T14:48:55Z
Employees
| where name == "Noel Boetie"

Email
| where recipient == "noel_boetie@santaworkshopgeeseislands.org"
| where subject contains "breach"
  3. When did Noel Boetie click the link to the first file?
    • 2024-12-12T15:13:55Z
OutboundNetworkEvents
| where url == "https://holidaybargainhunt.io/published/files/files/echo.exe"
  4. What was the IP for the domain where the file was hosted?
    • 182.56.23.122
PassiveDns
| where domain contains "holidaybargainhunt.io"
| distinct ip
  5. What hostname was accessed?
    • WebApp-ElvesWorkshop
AuthenticationEvents
| where result == "Successful Login"
| where src_ip == "182.56.23.122"
  6. What was the script that was run to obtain credentials?
    • Invoke-Mimikatz.ps1
ProcessEvents
| where hostname == "WebApp-ElvesWorkshop"
  7. What is the timestamp at which Noel executed the file?
    • 2024-12-12T15:14:38Z
ProcessEvents
| where process_commandline contains "echo.exe"
  8. What domain was the holidaycandy.hta file downloaded from?
    • compromisedchristmastoys.com
OutboundNetworkEvents
| where url contains "holidaycandy.hta"
  9. What was the first file that was created after extraction?
    • sqlwriter.exe
Employees
| where name == "Noel Boetie"

ProcessEvents
| where hostname == "Elf-Lap-A-Boetie"
| where process_commandline contains "frosty.zip"

FileCreationEvents
| where hostname == "Elf-Lap-A-Boetie"
| where timestamp >= datetime(2024-12-24T17:19:45Z)
  10. What is the name of the property assigned to the new registry key?
    • frosty
ProcessEvents
| where hostname == "Elf-Lap-A-Boetie"
| where timestamp >= datetime(2024-12-24T17:19:45Z)
  11. To obtain your FINAL flag, use the KQL below with your last answer!
    • ZnJvc3R5
let finalflag = "frosty";
let base64_encoded = base64_encode_tostring(finalflag);
print base64_encoded

Enter this last value into the badge and the Gold will be unlocked.
