Orienting

Heading into the tunnels, there are levels with ladders going between them. One level down I’ll find the entrance to the Tolkien Ring, with Grinchum lurking nearby:

image-20230103163850228

😏 My…

Preciousesss….

Don’t worry, you are hidden. You are safe.

Wireshark Phishing

Challenge

Inside the ring in a kitchen, I find Sparkle Redberry, who asks me to look at a packet capture (PCAP) file:

image-20230103164029522

Hey there! I’m Sparkle Redberry. We have a bit of an incident here.

We were baking lembanh in preparation for the holidays.

It started to smell a little funky, and then suddenly, a Snowrog crashed through the wall!

We’re trying to investigate what caused this, so we can make it go away.

Have you used Wireshark to look at packet capture (PCAP) files before?

I’ve got a PCAP you might find interesting.

Once you’ve had a chance to look at it, please open this terminal and answer the questions in the top pane.

Thanks for helping us get to the bottom of this!

The Cranberry Pi offers a split terminal with a terminal in the bottom and questions in the top:

image-20230103164332174

I’ll enter “yes” in the top terminal to get started.

Solution

Q1

1. There are objects in the PCAP file that can be exported by Wireshark and/or Tshark. What type of objects can be exported from this PCAP?

In Wireshark, under File > Export Objects there are five different types of object that can be exported:

image-20230103164905505

Selecting one (for example, DICOM…) shows the objects that are identified and can be exported:

image-20230103164955086

In this case, there are no DICOM objects. In fact, four of the types are empty, but HTTP is not:

image-20230103165037781

Entering “http” solves the question.

Q2

2. What is the file name of the largest file we can export?

From the image above, the largest is 808 kb, which has a filename of app.php.

Q3

3. What packet number starts that app.php file?

From the same image above, I’ll see the Packet column (on the far left) says 687.

Q4

4. What is the IP of the Apache server?

I’ll assume the Apache server is likely the one serving app.php. Double-clicking on the row in the export dialog will jump to that point in the PCAP. I’ll save app.php to my system for analysis later, and close the file export dialog.

I’ll right-click, Follow > TCP Stream, and in the window that pops up, examine the HTTP traffic.

There are several HTTP requests and responses in this single stream. Looking at the HTTP response headers, I’ll see the Server header (third line from the top) is “Apache”:

HTTP/1.1 200 OK
Date: Sat, 24 Dec 2022 17:31:06 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 423
Keep-Alive: timeout=5, max=75
Content-Type: text/html; charset=UTF-8

Following the TCP stream also adds a filter to the main view for that stream:

image-20230103165550249

This stream is between 192.185.57.242 on port 80 and 10.9.24.101 on port 60511:

image-20230103165636082

The Apache web server would be listening on port 80, so the answer is 192.185.57.242.

Q5

5. What file is saved to the infected host?

Turning back to app.php, I’ll open it in VSCode to take a look. There’s a bit of code at the top, and then a huge blob of base64 encoded text. It shows up nicely in the preview pane in VSCode:

image-20230103170748820

That’s only a fraction of the blob, before the end:

image-20230103171015317

The file is entirely JavaScript. The following code is just after the blob is decoded and stored in byteCharacters:

    let byteNumbers = new Array(byteCharacters.length);
    for (let i = 0; i < byteCharacters.length; i++) {
        byteNumbers[i] = byteCharacters.charCodeAt(i);
    }
    let byteArray = new Uint8Array(byteNumbers);
    
    // now that we have the byte array, construct the blob from it
    let blob1 = new Blob([byteArray], {type: 'application/octet-stream'});

    saveAs(blob1, 'Ref_Sept24-2020.zip');
	
})();

It’s looping over the decoded bytes, getting the binary value for each byte, and then creating a “blob” from it. It saves that blob as Ref_Sept24-2020.zip. That solves the question.
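The same facts can be recovered without opening the page in a browser. This is an added triage sketch, not code from the challenge or from app.php: it assumes the blob is a quoted string literal passed to atob(), and it runs on a constructed, harmless stand-in page built inline.

```python
import base64
import hashlib
import io
import re
import zipfile

# The two things the dropper script gives away: the embedded payload (the
# argument of atob) and the file name handed to saveAs.
ATOB_RE = re.compile(r"""atob\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)""")
SAVEAS_RE = re.compile(r"""saveAs\(\s*\w+\s*,\s*(['"])(.+?)\1\s*\)""")


def triage_smuggling_page(source: str) -> dict:
    """Statically recover what the page would drop, without executing it."""
    blob = ATOB_RE.search(source)
    if not blob:
        raise ValueError("no atob() payload found")
    name = SAVEAS_RE.search(source)
    payload = base64.b64decode(re.sub(r"\s+", "", blob.group(2)))
    report = {
        "saved_as": name.group(2) if name else None,
        "size": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
        "is_zip": payload[:4] == b"PK\x03\x04",  # ZIP local file header magic
        "members": [],
    }
    if report["is_zip"]:
        # Listing names only; nothing is extracted to disk.
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            report["members"] = zf.namelist()
    return report


def build_sample_page() -> str:
    """Constructed stand-in for app.php: a harmless ZIP wrapped the same way."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Ref_Sept24-2020.scr", b"constructed placeholder, not malware")
    b64 = base64.b64encode(buf.getvalue()).decode()
    return (
        "(function () {\n"
        f"    let byteCharacters = atob('{b64}');\n"
        "    let byteNumbers = new Array(byteCharacters.length);\n"
        "    let blob1 = new Blob([byteArray], {type: 'application/octet-stream'});\n"
        "    saveAs(blob1, 'Ref_Sept24-2020.zip');\n"
        "})();\n"
    )


if __name__ == "__main__":
    for key, value in triage_smuggling_page(build_sample_page()).items():
        print(f"{key}: {value}")
```

The SHA-256 it reports is for the outer archive; hash the extracted member separately when pivoting on the executable itself.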

Q6

6. Attackers used bad TLS certificates in this traffic. Which countries were they registered to? Submit the names of the countries in alphabetical order separated by commas (Ex: Norway, South Korea).

This Wireshark forum post shows how to extract certificate information from a PCAP using tshark -nr ssl.pcapng -2 -R "ssl.handshake.certificate" -V. The country code is stored in one of the RDNSequence fields:

$ tshark -nr suspicious.pcap -2 -R "ssl.handshake.certificate" -V | grep RDNSequence
                                RDNSequence item: 1 item (id-at-countryName=US)
                                RDNSequence item: 1 item (id-at-stateOrProvinceName=Washington)
                                RDNSequence item: 1 item (id-at-localityName=Redmond)
                                RDNSequence item: 1 item (id-at-organizationName=Microsoft Corporation)
                                RDNSequence item: 1 item (id-at-organizationalUnitName=Microsoft IT)
                                RDNSequence item: 1 item (id-at-commonName=Microsoft IT TLS CA 4)
                                RDNSequence item: 1 item (id-at-commonName=edge.microsoft.com)
                                RDNSequence item: 1 item (id-at-countryName=IE)
                                RDNSequence item: 1 item (id-at-organizationName=Baltimore)
                                RDNSequence item: 1 item (id-at-organizationalUnitName=CyberTrust)
...[snip]...

Adding a grep on countryName gives what I’m looking for:

$ tshark -nr suspicious.pcap -2 -R "ssl.handshake.certificate" -V | grep RDNSequence | grep countryName
                                RDNSequence item: 1 item (id-at-countryName=US)
                                RDNSequence item: 1 item (id-at-countryName=IE)
                                RDNSequence item: 1 item (id-at-countryName=US)
                                            RDNSequence item: 1 item (id-at-countryName=US)
                                RDNSequence item: 1 item (id-at-countryName=IL)
                                RDNSequence item: 1 item (id-at-countryName=IL)
                                RDNSequence item: 1 item (id-at-countryName=US)
                                RDNSequence item: 1 item (id-at-countryName=IE)
                                RDNSequence item: 1 item (id-at-countryName=US)
                                RDNSequence item: 1 item (id-at-countryName=US)
...[snip]...                                

I’ll use cut to get just the country codes:

$ tshark -nr suspicious.pcap -2 -R "ssl.handshake.certificate" -V | grep RDNSequence | grep countryName | cut -d= -f2
US)
IE)
US)
US)
IL)
IL)
US)
IE)
US)
US)
...[snip]...

I can see all of them (with counts):

$ tshark -nr suspicious.pcap -2 -R "ssl.handshake.certificate" -V | grep RDNSequence | grep countryName | cut -d= -f2 | sort | uniq -c | sort -nr
     48 US)
     10 IE)
      8 SS)
      2 IL)

Those translate to “Ireland, Israel, South Sudan, United States”, and that string (in that order) solves the question.

Q7

7. Is the host infected (Yes/No)?

I could take a look at the sample myself, but the quick way to this answer (besides just guessing both yes and no) is to triage based on what is known about the sample. I’ll get the MD5 hash of the .scr file:

$ md5sum Ref_Sept24-2020.scr 
d594e8a2098a81c9bfa24f3c17c992e6  Ref_Sept24-2020.scr

Searching for that in VirusTotal shows this page, which includes information on the Relations tab about the IPs it connects to:

image-20230103210801995

On the Behavior tab, there’s more information:

image-20230103210844972

I do see a bunch of TCP 443 traffic in the PCAP, but none of those IPs. There is UDP traffic on port 1900 to 239.255.255.250:

image-20230103211134553

Still, that’s no smoking gun.

Googling for the filename leads to this page on malware-traffic-analysis.net:

image-20230103211243974

Scrolling down the page a bit, there’s an image of Wireshark:

img

I’ll set that same filter, and see this is literally the same PCAP:

image-20230103211700172

Clearly there’s C2 activity going on here. So the answer is yes. On entering that, the terminal closes and the challenge is complete.

image-20230103211948647

Windows Event Logs

Hints

Talking to Sparkle provides information about the next terminal:

You got it - wonderful!

So hey, when you’re looking at the next terminal, remember you have multiple filetypes and tools you can utilize.

Conveniently for us, we can use programs already installed on every Windows computer.

So if you brought your own Windows machine, you can save the files to it and use whatever method is your favorite.

Oh yeah! If you wanna learn more, or get stuck, I hear Eric Pursley’s talk is about this very topic.

It also unlocks two hints in my badge:

  • The hardest steps in this challenge have hints. Just type hint in the top panel!
  • New to Windows event logs? Get a jump start with Eric’s talk!

Challenge

The badge now has a task to:

Talk to Dusty Giftwrap for the next objective.

I’ll find Dusty just down the hall next to a terminal:

image-20230103212154167

Hi! I’m Dusty Giftwrap!

We think the Snowrog was attracted to the pungent smell from the baking lembanh.

I’m trying to discover which ingredient could be causing such a stench.

I think the answer may be in these suspicious logs.

I’m focusing on Windows Powershell logs. Do you have much experience there?

You can work on this offline or try it in this terminal.

Golly, I’d appreciate it if you could take a look.

This completes the task, and unlocks the next:

image-20230103212346893

Investigate the Windows event log mystery in the terminal or offline. Get hints for this challenge by typing hint in the upper panel of the Windows Event Logs terminal.

The terminal presents another split terminal with questions and workspace:

image-20230103212501795

Solution

Q1

1. What month/day/year did the attack take place? For example, 09/05/2021.

One way to get a quick feel for the data is to look at all the dates in the logs. The most common date format in these event logs is MM/DD/YYYY, so I can use a regex to pull them out. \d{1,2}\/\d{1,2}\/\d{4} will get one to two digits, a slash, one to two digits, a slash, and then four digits. I’ll use grep -oP, where -o says to show only the match, not the full line, and -P says to use Perl-style regex (which allows for things like \d as any digit).

With the results, I want a histogram, so I’ll use sort to get them sorted, then uniq -c to collapse repeated lines and count each one, and then sort -nr to sort from biggest to smallest based on those counts.

elf@c8985bab5d68:~$ cat powershell.evtx.log | grep -oP '\d{1,2}\/\d{1,2}\/\d{4}' | sort | uniq -c | sort -nr
   3540 12/24/2022
   2811 12/22/2022
   2088 12/13/2022
   1422 11/19/2022
    240 11/11/2022
    181 12/4/2022
     46 10/13/2022
     36 12/18/2022
     36 11/25/2022
     34 10/31/2022
      4 5/16/2018
      1 3/18/2015
      1 11/13/2022

The most common date in the logs is 12/24/2022, which also solves the challenge.

Q2

2. An attacker got a secret from a file. What was the original file’s name?

One way to get the contents of a file is to call Get-Content. There are a few of these in the logs:

elf@c8985bab5d68:~$ cat powershell.evtx.log | grep -i "get-content "
$foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'}
$foo = Get-Content .\Recipe| % {$_-replace 'honey','fish oil'}
$foo = Get-Content .\Recipe| % {$_-replace 'honey','fish oil'}
$foo = Get-Content .\Recipe| % {$_-replace 'honey','fish oil'} $foo | Add-Content -Path 'recipe_updated.txt'
$foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'} $foo | Add-Content -Path 'recipe_updated.txt'

Each time they are reading from .\Recipe, and “Recipe” solves the question.

Q3

3. The contents of the previous file were retrieved, changed, and stored to a variable by the attacker. This was done multiple times. Submit the last full PowerShell line that performed only these actions.

This is what’s happening in the output above. The “last” time is actually the first to show up (event logs are in reverse chronological order), so $foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'} solves the question.

Q4

4. After storing the altered file contents into the variable, the attacker used the variable to run a separate command that wrote the modified data to a file. This was done multiple times. Submit the last full PowerShell line that performed only this action.

I’ll look for lines that have $foo in them with grep:

elf@c8985bab5d68:~$ cat powershell.evtx.log | grep -i "\$foo"
$foo | Add-Content -Path 'Recipe'
$foo | Add-Content -Path 'Recipe.txt'
$foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'}
$foo | Add-Content -Path 'Recipe.txt'
$foo = Get-Content .\Recipe| % {$_-replace 'honey','fish oil'}
$foo | Add-Content -Path 'Recipe.txt'
$foo | Add-Content -Path 'recipe_updated.txt'
$foo = Get-Content .\Recipe| % {$_-replace 'honey','fish oil'}
$foo = Get-Content .\Recipe| % {$_-replace 'honey','fish oil'} $foo | Add-Content -Path 'recipe
_updated.txt'
$foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'} $foo | Add-Content -Path 'reci
pe_updated.txt'

By the same logic as before, the first line, $foo | Add-Content -Path 'Recipe', solves the question.

Q5

5. The attacker ran the previous command against one file multiple times. What is the name of this file?

In the output above, Recipe.txt shows up three times, and that solves the question.

Q6

6. Were any files deleted? (Yes/No)

Looking for Remove-Item doesn’t find anything, but a grep with various aliases in PowerShell that call the same thing finds some invocations of del:

elf@15f0cbec20c3:~$ cat powershell.evtx.log | grep -i -e "remove-item " -e "del " -e "^rm " -e " rm "
del .\recipe_updated.txt
del .\Recipe.txt

“yes” solves.

Q7

7. Was the original file (from question 2) deleted? (Yes/No)

Recipe does not show up in this list. “no” solves.

Q8

8. What is the Event ID of the logs that show the actual command lines the attacker typed and ran?

I’ll take a look at some of the commands I’ve identified already, and use -B to show lines before the match and -A to show lines after. It looks like the line before the command shows the log ID:

elf@15f0cbec20c3:~$ cat powershell.evtx.log | grep -A 3 -B 3 "del "
Verbose 12/24/2022 3:05:51 AM   Microsoft-Windows-PowerShell    4105    Starting Command      "Started invocation of ScriptBlock ID: 5cc8d632-8b47-42d8-af27-8e1da0fdcdc2
Runspace ID: 4181eda9-20e6-4eb9-8869-fe5fa6d5e663"
Verbose 12/24/2022 3:05:51 AM   Microsoft-Windows-PowerShell    4104    Execute a Remote Command       "Creating Scriptblock text (1 of 1):
del .\recipe_updated.txt

ScriptBlock ID: 5cc8d632-8b47-42d8-af27-8e1da0fdcdc2
Path: "
--
Verbose 12/24/2022 3:05:42 AM   Microsoft-Windows-PowerShell    4105    Starting Command      "Started invocation of ScriptBlock ID: b0d4f117-b6d4-449b-a179-2c59d6b4f548
Runspace ID: 4181eda9-20e6-4eb9-8869-fe5fa6d5e663"
Verbose 12/24/2022 3:05:42 AM   Microsoft-Windows-PowerShell    4104    Execute a Remote Command       "Creating Scriptblock text (1 of 1):
del .\Recipe.txt

ScriptBlock ID: b0d4f117-b6d4-449b-a179-2c59d6b4f548
Path: "

This holds up with Get-Content as well:

elf@15f0cbec20c3:~$ cat powershell.evtx.log | grep -i -B 1 "get-content " 
Verbose 12/24/2022 3:04:37 AM   Microsoft-Windows-PowerShell    4104    Execute a Remote Command       "Creating Scriptblock text (1 of 1):
$foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'}
--
Verbose 12/24/2022 3:04:10 AM   Microsoft-Windows-PowerShell    4104    Execute a Remote Command       "Creating Scriptblock text (1 of 1):
$foo = Get-Content .\Recipe| % {$_-replace 'honey','fish oil'}
--
Verbose 12/24/2022 3:03:10 AM   Microsoft-Windows-PowerShell    4104    Execute a Remote Command       "Creating Scriptblock text (1 of 1):
$foo = Get-Content .\Recipe| % {$_-replace 'honey','fish oil'}
--
Verbose 12/24/2022 3:02:45 AM   Microsoft-Windows-PowerShell    4104    Execute a Remote Command       "Creating Scriptblock text (1 of 1):
$foo = Get-Content .\Recipe| % {$_-replace 'honey','fish oil'} $foo | Add-Content -Path 'recipe_updated.txt'
--
Verbose 12/24/2022 3:01:20 AM   Microsoft-Windows-PowerShell    4104    Execute a Remote Command       "Creating Scriptblock text (1 of 1):
$foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'} $foo | Add-Content -Path 'recipe_updated.txt'

All of the logs are 4104, which is the answer.
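The grep passes above work line by line, but each event spans several lines and the file runs newest first. As an added example (not part of the challenge tooling), this parser groups the export into events, keeps the 4104 script blocks, and orders them oldest first so "last" means what it says; the sample is constructed in the layout shown above with placeholder IDs, and the function names are my own.

```python
import re
from datetime import datetime

# Header line of one exported event: level, timestamp, provider, event ID,
# task category, then the opening quote of a message that may span lines.
HEADER_RE = re.compile(
    r'^(?P<level>\w+)\s+'
    r'(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+'
    r'(?P<provider>\S+)\s+(?P<event_id>\d+)\s+(?P<task>[^"]*?)\s+"(?P<first>.*)$'
)

# Constructed sample in the export's layout (newest first); IDs are placeholders.
SAMPLE = r'''Verbose 12/24/2022 3:05:51 AM   Microsoft-Windows-PowerShell    4105    Starting Command      "Started invocation of ScriptBlock ID: 00000000-0000-0000-0000-000000000004
Runspace ID: 00000000-0000-0000-0000-0000000000aa"
Verbose 12/24/2022 3:05:51 AM   Microsoft-Windows-PowerShell    4104    Execute a Remote Command       "Creating Scriptblock text (1 of 1):
del .\recipe_updated.txt

ScriptBlock ID: 00000000-0000-0000-0000-000000000004
Path: "
Verbose 12/24/2022 3:04:37 AM   Microsoft-Windows-PowerShell    4104    Execute a Remote Command       "Creating Scriptblock text (1 of 1):
$foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'}

ScriptBlock ID: 00000000-0000-0000-0000-000000000003
Path: "
Verbose 12/24/2022 3:04:10 AM   Microsoft-Windows-PowerShell    4104    Execute a Remote Command       "Creating Scriptblock text (1 of 1):
$foo = Get-Content .\Recipe| % {$_-replace 'honey','fish oil'}

ScriptBlock ID: 00000000-0000-0000-0000-000000000002
Path: "
Verbose 12/24/2022 3:01:20 AM   Microsoft-Windows-PowerShell    4104    Execute a Remote Command       "Creating Scriptblock text (1 of 1):
$foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'} $foo | Add-Content -Path 'recipe_updated.txt'

ScriptBlock ID: 00000000-0000-0000-0000-000000000001
Path: "
'''


def parse_events(text):
    """Group the export into events; lines without a header continue the message."""
    events, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"time": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
                       "event_id": int(m["event_id"]), "message": [m["first"]]}
            events.append(current)
        elif current is not None:
            current["message"].append(line)
    return events


def script_blocks(events):
    """Return (time, script text) for every 4104 event, oldest first."""
    blocks = []
    for ev in events:
        if ev["event_id"] != 4104:
            continue
        body = []
        for line in ev["message"][1:]:  # skip "Creating Scriptblock text (n of m):"
            if line.startswith("ScriptBlock ID:"):
                break
            body.append(line)
        blocks.append((ev["time"], "\n".join(body).strip()))
    # Reverse the newest-first file order, then stable-sort so same-second ties stay in order.
    return sorted(reversed(blocks), key=lambda b: b[0])


def last_matching(blocks, pattern):
    """Most recent script block whose whole text matches `pattern`, or None."""
    hits = [b for b in blocks if re.fullmatch(pattern, b[1])]
    return hits[-1] if hits else None
```

Calling `last_matching(script_blocks(parse_events(SAMPLE)), r"\$foo = Get-Content \S+\s*\|[^|]*")` returns the 3:04:37 AM read-and-replace line, because the full match rejects lines that go on to pipe into Add-Content.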

Q9

9. Is the secret ingredient compromised (Yes/No)?

I already saw above that the attacker was replacing “honey” with “fish oil”, which seems like a yes (which solves).

Q10

10. What is the secret ingredient?

Entering “honey” solves and exits the terminal, completing the task:

image-20230103215845013

Terminal - Suricata Regatta

Hints

Dusty is pleased with my success, and offers resources for the next challenge:

Say, you did it! Thanks a million!

Now we can mix in the proper ingredients and stop attracting the Snowrog!

I’m all set now! Can you help Fitzy over there wield the exalted Suricata?

It can be a bit mystifying at first, but this Suricata Tome should help you fathom it.

I sure hope you can make it work!

It also unlocks a hint in my badge:

  • This is the official source for Suricata rule creation!

Challenge

The badge now has a task to talk to Fitzy Shortstack, who is down the hall under pressure from an “abominable Snowrog”:

image-20230103220221003

Hm?.. Hello…

Sorry, I don’t mean to be uncharacteristically short with you.

There’s just this abominable Snowrog here, and I’m trying to comprehend Suricata to stop it from getting into the kitchen.

I believe that if I can phrase these Suricata incantations correctly, they’ll create a spell that will generate warnings.

And hopefully those warnings will scare off the Snowrog!

Only… I’m quite baffled. Maybe you can give it a go?

This completes the task:

image-20230103220416873

And reveals the next:

Help detect this kind of malicious activity in the future by writing some Suricata rules. Work with Dusty Giftwrap in the Tolkien Ring to get some hints.

The Cranberry Pi presents the challenge, giving background on a Dridex infection captured in a PCAP (the same one as above).

image-20230103220611555

The home directory in the terminal has a few files:

elf@471f51794c66:~$ ls
HELP  logs  rule_checker  suricata.rules  suricata.rules.backup  suspicious.pcap

rule_checker is the binary to validate progress and give challenges. I’ll add rules to suricata.rules.

Solution

Rule 1

First, please create a Suricata rule to catch DNS lookups for adv.epostoday.uk.

Whenever there’s a match, the alert message (msg) should read Known bad DNS lookup, possible Dridex infection. Add your rule to suricata.rules

Once you think you have it right, run ./rule_checker to see how you’ve done! As you get rules correct, rule_checker will ask for more to be added.

I’ll add the following rule to the end of suricata.rules:

alert dns any any -> any any (msg:"Known bad DNS lookup, possible Dridex infection"; dns_query; content:"adv.epostoday.uk"; sid:00000001;)

This rule looks for DNS traffic to / from any source / destination IP / port with the target domain in the DNS query, and gives the required message. Each Suricata rule must have a unique sid, so I’ll start at 1.

Running ./rule_checker shows success, but reports failure for the second challenge:

elf@471f51794c66:~$ ./rule_checker
4/1/2023 -- 03:09:57 - <Notice> - This is Suricata version 6.0.8 RELEASE running in USER mode
4/1/2023 -- 03:09:57 - <Notice> - all 5 packet processing threads, 4 management threads initialized, engine started.
4/1/2023 -- 03:09:57 - <Notice> - Signal Received.  Stopping engine.
4/1/2023 -- 03:09:57 - <Notice> - Pcap-file module read 1 files, 5172 packets, 3941260 bytes
First rule looks good!

STINC thanks you for your work with that DNS record! In this PCAP, it points to 192.185.57.242.
Develop a Suricata rule that alerts whenever the infected IP address 192.185.57.242 communicates with internal systems over HTTP.
When there's a match, the message (msg) should read Investigate suspicious connections, possible Dridex infection

For the second indicator, we flagged 0 packet(s), but we expected 681. Please try again!

Rule 2

In this PCAP, it points to 192.185.57.242. Develop a Suricata rule that alerts whenever the infected IP address 192.185.57.242 communicates with internal systems over HTTP. When there’s a match, the message (msg) should read Investigate suspicious connections, possible Dridex infection

I’ll add another rule to the file:

alert http 192.185.57.242 any <> any any (msg:"Investigate suspicious connections, possible Dridex infection"; sid:00000002;)

This one looks at HTTP traffic in either direction (<>) where one IP is the malicious IP.

The checker shows the first two rules are good:

elf@471f51794c66:~$ ./rule_checker 
4/1/2023 -- 03:13:18 - <Notice> - This is Suricata version 6.0.8 RELEASE running in USER mode
4/1/2023 -- 03:13:18 - <Notice> - all 5 packet processing threads, 4 management threads initialized, engine started.
4/1/2023 -- 03:13:18 - <Notice> - Signal Received.  Stopping engine.
4/1/2023 -- 03:13:18 - <Notice> - Pcap-file module read 1 files, 5172 packets, 3941260 bytes
First rule looks good!

Second rule looks good!

We heard that some naughty actors are using TLS certificates with a specific CN.
Develop a Suricata rule to match and alert on an SSL certificate for heardbellith.Icanwepeh.nagoya.
When your rule matches, the message (msg) should read Investigate bad certificates, possible Dridex infection

For the third indicator, we flagged 0 packet(s), but we expected 1. Please try again!

Rule 3

We heard that some naughty actors are using TLS certificates with a specific CN. Develop a Suricata rule to match and alert on an SSL certificate for heardbellith.Icanwepeh.nagoya. When your rule matches, the message (msg) should read Investigate bad certificates, possible Dridex infection

This link has a list of TLS keywords that will be valuable here. I’ll look for content in the tls.cert_subject field, which will include the common name:

alert ip any any -> any any (msg:"Investigate bad certificates, possible Dridex infection"; tls.cert_subject; content:"heardbellith.Icanwepeh.nagoya"; sid:00000003;)

This solves:

elf@471f51794c66:~$ ./rule_checker 
4/1/2023 -- 03:16:41 - <Notice> - This is Suricata version 6.0.8 RELEASE running in USER mode
4/1/2023 -- 03:16:41 - <Notice> - all 5 packet processing threads, 4 management threads initialized, engine started.
4/1/2023 -- 03:16:41 - <Notice> - Signal Received.  Stopping engine.
4/1/2023 -- 03:16:41 - <Notice> - Pcap-file module read 1 files, 5172 packets, 3941260 bytes
First rule looks good!

Second rule looks good!

Third rule looks good!

OK, one more to rule them all and in the darkness find them.
Let's watch for one line from the JavaScript: let byteCharacters = atob
Oh, and that string might be GZip compressed - I hope that's OK!
Just in case they try this again, please alert on that HTTP data with message Suspicious JavaScript function, possible Dridex infection

For the fourth indicator, we flagged 0 packet(s), but we expected 1. Please try again!

Rule 4

OK, one more to rule them all and in the darkness find them. Let’s watch for one line from the JavaScript: let byteCharacters = atob Oh, and that string might be GZip compressed - I hope that’s OK! Just in case they try this again, please alert on that HTTP data with message Suspicious JavaScript function, possible Dridex infection

The big challenge is matching on compressed data. This link includes the HTTP keywords, including file_data, which:

If the HTTP body is a flash file compressed with ‘deflate’ or ‘lzma’, it can be decompressed and file_data can match on the decompress data.

This rule will match on that content in file_data:

alert http any any -> any any (msg:"Suspicious JavaScript function, possible Dridex infection"; file_data; content:"let byteCharacters = atob"; sid:00000004;)

Running ./rule_checker now closes the terminal and completes it.

image-20230103223727594

Story

I’ve recovered the Tolkien Ring:

image-20230104134423640

The Story is now at 34%:

image-20230103222344799

Five Rings for the Christmas king immersed in cold

Each Ring now missing from its zone

The first with bread kindly given, not sold

Fitzy is inspired, and yells, as the Snowrog retreats:

Woo hoo - you wielded Suricata magnificently! Thank you!

Now to shout the final warning of power to the Snowrog…

YOU…SHALL NOT…PASS!!!

Out in the tunnels, Grinchum isn’t pleased:

image-20230104130320714

😒Who took you, Precious? How did they take you? Mustn’t happen again.

🙂 Oh, hello, humanses. Maybe we can offer help?

😏 Yes… Grinchum will help the humanses.

We are trying to distract them from finding the rest of you, Preciouses, with talk of hints and coinses.

🙂 Have you found the coffers yet? The ones at the end of hidden paths?

😏 There’s hintses in them, and coinses, they’re veeerrryy special.

🙂 Just look hard, for little, bitty, speckles or other oddities.

Don’t worry, they will not look for you, Preciouses. Shhh…

🙂 Go on, humanses. Start searching!