Notes on Kusto Detective Agency Season 2 | Case 10

Posted at 2023-09-23

Continuation of my notes on Kusto Detective Agency Season 2.

Case 10 It's a sEnd game


A Trojan was planted on the machine that was compromised in Case 9. The task is to analyze its logs and work out what it was after.

The label on the answer field is all we get...

If you have anything that can help, type it here

Table structure of KuandaLogs

Parsing, for a start

Looking at an arbitrary DetectiveId, there seem to be a handful of Message patterns, so parse them.

Extracting what looked like fixed-format messages at a glance gives 1005262 rows against 1005454 in total, so a few are missing.

let EnterLog =
KuandaLogs
| where Message == "User entered the system, start collecting user encryption tokens."
| extend EventName = "SessionStart";
let ResetLog =
KuandaLogs
| where Message == "User session reset: all user encryption tokens are disposed."
| extend EventName = "SessionReset";
let OperationLog =
KuandaLogs
| where Message startswith "Operation"
| parse Message with "Operation id=" operationId " " op;
let StartOperationLog =
OperationLog
| where op startswith "started"
| parse op with "started ('" operationDetail "'). Captured user encryption token: '" token "'."
| extend EventName = "OperationStarted";
let CompleteOperationLog =
OperationLog
| where op startswith "completed"
| extend EventName = "OperationCompleted";
let parsedLogs =
union EnterLog, ResetLog, StartOperationLog, CompleteOperationLog;
parsedLogs
| count

=> 1005262

Check which rows of KuandaLogs were missed by parsedLogs.

There is also a "Sending an encrypted message," pattern, so parse that as well.

The counts now match, so that is it for parsing for now.

Narrow down to the Detectives that received messages

Decrypting some encrypted message looks like the path to solving this, so filter down to those detectives.

let EnterLog =
KuandaLogs
| where Message == "User entered the system, start collecting user encryption tokens."
| extend EventName = "SessionStart";
let ResetLog =
KuandaLogs
| where Message == "User session reset: all user encryption tokens are disposed."
| extend EventName = "SessionReset";
let OperationLog =
KuandaLogs
| where Message startswith "Operation"
| parse Message with "Operation id=" operationId " " op;
let StartOperationLog =
OperationLog
| where op startswith "started"
| parse op with "started ('" operationDetail "'). Captured user encryption token: '" token "'."
| extend EventName = "OperationStarted";
let CompleteOperationLog =
OperationLog
| where op startswith "completed"
| extend EventName = "OperationCompleted";
let sendEncryptedMsgLog =
KuandaLogs
| where Message startswith "Sending an encrypted message,"
| parse Message with "Sending an encrypted message, will use " func " for decoding."
| parse func with "Dekrypt(" encryptedMsg "," secondArg ")"
| extend EventName = "SendMessage";
let parsedLogs =
union EnterLog, ResetLog, StartOperationLog, CompleteOperationLog, sendEncryptedMsgLog;
let msgReceivedDetectives = sendEncryptedMsgLog
| distinct DetectiveId;
parsedLogs
| where DetectiveId in (msgReceivedDetectives)

Look at an arbitrary DetectiveId.

Try decrypting with the key captured immediately before the message.
Hmm, it doesn't look like the Dekrypt function can be used as-is.
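The pairing described above, as an added Python example (not the author's KQL and not the Dekrypt function from Case 8): it replays log rows in time order using the message patterns parsed earlier, attaches to each encrypted message the most recently captured token of the same detective, and drops that token on a session reset. The timestamps, detective ids, tokens and ciphertext placeholders in SAMPLE are constructed; the exact shape of the Dekrypt(...) arguments is assumed from the parse expression above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Message patterns mirror the parse expressions used in the KQL above.
START_MSG = "User entered the system, start collecting user encryption tokens."
RESET_MSG = "User session reset: all user encryption tokens are disposed."
OP_STARTED = re.compile(
    r"^Operation id=(?P<op_id>\S+) started \('(?P<detail>.*)'\)\. "
    r"Captured user encryption token: '(?P<token>[^']*)'\.$")
# Assumption: first argument runs up to the first comma, like the KQL parse.
SEND_MSG = re.compile(
    r"^Sending an encrypted message, will use "
    r"Dekrypt\((?P<msg>[^,]*),(?P<arg>.*)\) for decoding\.$")


@dataclass
class PendingMessage:
    detective: str
    encrypted: str
    key: Optional[str]  # None when no token is live since the last reset


def pair_messages_with_keys(rows):
    """rows: iterable of (timestamp, detective_id, message).
    Returns one PendingMessage per encrypted message, carrying the last
    token captured for that detective before the send, or None if the
    session was reset (tokens disposed) and nothing was captured since."""
    latest_token = {}
    out = []
    for _ts, det, msg in sorted(rows):  # replay in timestamp order
        if msg == RESET_MSG:
            latest_token.pop(det, None)      # all tokens disposed
        elif m := OP_STARTED.match(msg):
            latest_token[det] = m["token"]   # newest token wins
        elif m := SEND_MSG.match(msg):
            out.append(PendingMessage(det, m["msg"], latest_token.get(det)))
    return out


# Constructed sample rows (not real KuandaLogs data).
SAMPLE = [
    ("2023-09-01T10:00:00", "D1", START_MSG),
    ("2023-09-01T10:00:05", "D1", "Operation id=op-1 started ('sync'). Captured user encryption token: 'tok-A'."),
    ("2023-09-01T10:00:09", "D1", "Operation id=op-1 completed"),
    ("2023-09-01T10:00:10", "D1", "Sending an encrypted message, will use Dekrypt(c1,x) for decoding."),
    ("2023-09-01T10:00:20", "D1", RESET_MSG),
    ("2023-09-01T10:00:25", "D1", "Sending an encrypted message, will use Dekrypt(c2,x) for decoding."),
    ("2023-09-01T10:00:02", "D2", "Operation id=op-7 started ('login'). Captured user encryption token: 'tok-B'."),
    ("2023-09-01T10:00:30", "D2", "Sending an encrypted message, will use Dekrypt(c3,x) for decoding."),
]
```

The second D1 message comes out with key None, which is exactly the case a per-message "previous token" lookup silently gets wrong if it ignores the reset rows.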

Looking at the definition of the Dekrypt function, its parameter appears to be T:(Message:string,Key:string).

Incidentally, I checked when this function was defined: it was used back in Case 8.

Calling Dekrypt the same way as there, decryption worked.

Preparation is done, so that is it for this time.

Answer

Setup
.execute database script <|
.create table KuandaLogs (Timestamp:datetime, DetectiveId:string, Message:string)
.ingest async into table KuandaLogs (@'https://kustodetectiveagency.blob.core.windows.net/kda2c10adminlogs/log_00000.csv.gz')
.ingest async into table KuandaLogs (@'https://kustodetectiveagency.blob.core.windows.net/kda2c10adminlogs/log_00001.csv.gz')
.ingest into table KuandaLogs (@'https://kustodetectiveagency.blob.core.windows.net/kda2c10adminlogs/log_00002.csv.gz')
Answer

If you have anything that can help, type it here
