Elf Stack¶
Difficulty:
Objective¶
Task description
Help the ElfSOC analysts track down a malicious attack against the North Pole domain.
Fitzy Shortstack
Greetings! I'm the genius behind the North Pole Elf Stack SIEM. And oh boy, we’ve got a situation on our hands.
Our system was attacked—Wombley’s faction unleashed their FrostBit ransomware, and it’s caused a digital disaster.
The logs are a mess, and Wombley’s laptop—the only backup of the Naughty-Nice List—was smashed to pieces.
Now, it’s all up to you to help me trace the attack vectors and events. We need to figure out how this went down before it’s too late.
You’ll be using a containerized ELK stack or Linux CLI tools. Sounds like a fun little puzzle, doesn't it?
Your job is to analyze these logs... think of it as tracking snow tracks but in a digital blizzard.
If you can find the attack path, maybe we can salvage what’s left and get Santa’s approval.
Santa’s furious at the faction fighting, and he’s disappointed. We have to make things right.
So, let’s show these attackers that the North Pole’s defenses are no joke!
Hints¶
Elf Stack Intro
I'm part of the ElfSOC that protects the interests here at the North Pole. We built the Elf Stack SIEM, but not everybody uses it. Some of our senior analysts choose to use their command line skills, while others choose to deploy their own solution. Any way is possible to hunt through our logs!
Elf Stack WinEvent
One of our seasoned ElfSOC analysts told me about a great resource to have handy when hunting through event log data. I have it around here somewhere, or maybe it was online. Hmm.
Elf Stack Powershell
Our Elf Stack SIEM has some minor issues when parsing log data that we still need to figure out. Our ElfSOC SIEM engineers drank many cups of hot chocolate figuring out the right parsing logic. The engineers wanted to ensure that our junior analysts had a solid platform to hunt through log data.
Elf Stack Fields
If you are using your command line skills to solve the challenge, you might need to review the configuration files from the containerized Elf Stack SIEM.
Elf Stack Hard - Email1
I was on my way to grab a cup of hot chocolate the other day when I overheard the reindeer talking about playing games. The reindeer mentioned trying to invite Wombley and Alabaster to their games. This may or may not be great news. All I know is, the reindeer better create formal invitations to send to both Wombley and Alabaster.
Elf Stack Hard - Email2
Some elves have tried to make tweaks to the Elf Stack log parsing logic, but only a seasoned SIEM engineer or analyst may find that task useful.
Solution¶
As I followed the Linux forensics course FOR577 earlier this year, I decided to tackle this challenge using the command line only. We download and extract the two log files into a single folder. We filter them to have a single log file for every type of log.
cat *.log | cut -d " " -f 4 | sort | uniq
AuthLog
GreenCoat
NetflowPmacct
SnowGlowMailPxy
WindowsEvent
cat *.log | grep "AuthLog" > auth.log
cat *.log | grep "GreenCoat" > greencoat.log
cat *.log | grep "NetflowPmacct" > netflow.log
cat *.log | grep "SnowGlowMailPxy" > email.log
cat *.log | grep "WindowsEvent" > windows.log
We are then ready to tackle the questions.
Solution to question 1
Question
How many unique values are there for the event_source field in all logs?
Answer: 5
Solution to question 2
Question
Which event_source has the fewest number of events related to it?
wc -l *.log
269 auth.log
7476 greencoat.log
1398 mail.log
34679 netflow.log
2299324 windows.log
2343146 total
Answer: Authlog
Solution to question 3
Question
Using the event_source from the previous question as a filter, what is the field name that contains the name of the system the log event originated from?
cat auth.log | head
<134>1 2024-09-15T00:10:01-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-15T03:10:01.304953-04:00", "hostname": "kringleSSleigH", "service": "CRON[4863]:", "message": "pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)"}
Answer: hostname
Solution to question 4
Question
Which event_source has the second highest number of events related to it?
wc -l *.log
269 auth.log
7476 greencoat.log
1398 mail.log
34679 netflow.log
2299324 windows.log
2343146 total
Answer: NetflowPmacct
Solution to question 5
Question
Using the event_source from the previous question as a filter, what is the name of the field that defines the destination port of the Netflow logs?
cat netflow1.log | head -n1
<134>1 2024-09-15T10:37:43-04:00 kringleconnect NetflowPmacct - - - {"event_type": "purge", "ip_src": "172.24.25.93", "ip_dst": "172.24.25.25", "port_src": 29994, "port_dst": 808, "ip_proto": "tcp", "timestamp_start": "2024-09-15T10:37:43-04:00", "timestamp_end": "0000-00-00T00:00:00-00:00", "packets": 1, "bytes": 40, "src_host": "SnowSentry.northpole.local", "dst_host": ""}
Answer: port_dst
Solution to question 6
Question
Which event_source is related to email traffic?
Answer: SnowGlowMailPxy
Solution to question 7
Question
Looking at the event source from the last question, what is the name of the field that contains the actual email text?
cat mail.log | head -n1
<134>1 2024-09-15T08:26:14-04:00 SecureElfGwy SnowGlowMailPxy - - - {"From": "elf_user00@northpole.local", "To": "asnowball04@northpole.local", "Subject": "Welcome to the North Pole!", "Date": null, "Message-ID": "<532A9346-9F5F-4C29-BD40-CA171DD0E7DE@SecureElfGwy.northpole.local>", "Return-Path": "elf_user00@northpole.local", "Body": "Dear asnowball04,\n\nI wanted to inform you that we have a new team member joining us, [New Hire]. They will be joining our department as [Job Title]. Please extend a warm welcome and assist them with any necessary introductions and onboarding processes.\n\nLooking forward to working together!\n\nBest regards,\nelf_user00\n", "Received_Time": "2024-09-15T08:26:14-04:00", "ReceivedIP1": "172.24.25.25", "ReceivedIP2": "172.24.25.20"}
Answer: Body
Solution to question 8
Question
Using the 'GreenCoat' event_source, what is the only value in the hostname field?
cat greencoat.log | head -n1
<134>1 2024-09-15T05:57:55-04:00 SecureElfGwy GreenCoat - - - {"ip": "172.24.25.93", "user_identifier": "elf_user03", "timestamp": "2024-09-15T05:57:55-04:00", "method": "CONNECT", "url": "disc601.prod.do.dsp.mp.microsoft.com:443", "http_protocol": "HTTP/1.1", "status_code": 200, "response_size": 0, "protocol": "HTTPS", "additional_info": "outgoing via 172.24.25.25", "host": "SnowSentry"}
Answer: SecureElfGwy
Solution to question 9
Question
Using the 'GreenCoat' event_source, what is the name of the field that contains the site visited by a client in the network?
cat greencoat.log | head -n1
<134>1 2024-09-15T05:57:55-04:00 SecureElfGwy GreenCoat - - - {"ip": "172.24.25.93", "user_identifier": "elf_user03", "timestamp": "2024-09-15T05:57:55-04:00", "method": "CONNECT", "url": "disc601.prod.do.dsp.mp.microsoft.com:443", "http_protocol": "HTTP/1.1", "status_code": 200, "response_size": 0, "protocol": "HTTPS", "additional_info": "outgoing via 172.24.25.25", "host": "SnowSentry"}
Answer: url
Solution to question 10
Question
Using the 'GreenCoat' event_source, which unique URL and port (URL:port) did clients in the TinselStream network visit most?
cat greencoat.log | cut -d '"' -f 20 | sort | uniq -c | sort -n | tail -n 1
150 pagead2.googlesyndication.com:443
Answer: pagead2.googlesyndication.com:443
Solution to question 11
Question
Using the 'WindowsEvent' event_source, how many unique Channels is the SIEM receiving Windows event logs from?
AI usage: awk command
ChatGPT was used to generate an AWK command.
awk -F'"' '{for (i=1; i<=NF; i++) if ($i == "Channel") print $(i+2)}' windows.log | sort | uniq | wc -l
5
Answer: 5
Solution to question 12
Question
What is the name of the event.Channel (or Channel) with the second highest number of events?
awk -F'"' '{for (i=1; i<=NF; i++) if ($i == "Channel") print $(i+2)}' windows.log | sort | uniq -c | sort -n
50 Windows PowerShell
191 System
11751 Microsoft-Windows-PowerShell/Operational
17713 Microsoft-Windows-Sysmon/Operational
2268402 Security
Answer: Microsoft-Windows-Sysmon/Operational
Solution to question 13
Question
Our environment is using Sysmon to track many different events on Windows systems. What is the Sysmon Event ID related to loading of a driver?
Answer: 6
Solution to question 14
Question
What is the Windows event ID that is recorded when a new service is installed on a system?
Answer: 4697
Solution to question 1
Question
What is the event.EventID number for Sysmon event logs relating to process creation?
Answer: 1
Solution to question 2
Question
How many unique values are there for the 'event_source' field in all of the logs?
Answer: 5 (from question 1 of the silver achievement)
Solution to question 3
Question
What is the event_source name that contains the email logs?
Answer: SnowGlowMailPxy (from question 6 of the silver achievement)
Solution to question 4
Question
The North Pole network was compromised recently through a sophisticated phishing attack sent to one of our elves. The attacker found a way to bypass the middleware that prevented phishing emails from getting to North Pole elves. As a result, one of the Received IPs will likely be different from what most email logs contain. Find the email log in question and submit the value in the event 'From:' field for this email log event.
cat mail.log | cut -d '"' -f 38 | sort | uniq
172.24.25.20
172.24.25.25
34.30.110.62
ReceivedIP1
ReceivedIP2
cat mail.log | grep "34.30.110.62"
<134>1 2024-09-15T10:36:09-04:00 SecureElfGwy SnowGlowMailPxy - - - {"From": "kriskring1e@northpole.local", "To": "elf_user02@northpole.local", "Subject": "URGENT!", "Date": null, "Message-ID": "<F3483D7F-3DBF-4A92-813D-4D9738479E50@SecureElfGwy.northpole.local>", "Return-Path": "fr0sen@hollyhaven.snowflake", "Body": "We need to store the updated naughty and nice list somewhere secure. I posted it here http://hollyhaven.snowflake/howtosavexmas.zip. Act quickly so I can remove the link from the internet! I encrypted it with the password: n&nli$t_finAl1\n\nthx!\nkris\n- Sent from the sleigh. Please excuse any Ho Ho Ho's.", "Received_Time": "2024-09-15T10:36:09-04:00", "ReceivedIP1": "172.24.25.25", "ReceivedIP2": "34.30.110.62"}
Answer: kriskring1e@northpole.local
Solution to question 5
Question
Our ElfSOC analysts need your help identifying the hostname of the domain computer that established a connection to the attacker after receiving the phishing email from the previous question. You can take a look at our GreenCoat proxy logs as an event source. Since it is a domain computer, we only need the hostname, not the fully qualified domain name (FQDN) of the system.
cat greencoat.log | grep "hollyhaven"
<134>1 2024-09-15T10:36:26-04:00 SecureElfGwy GreenCoat - - - {"ip": "172.24.25.12", "user_identifier": "elf_user02", "timestamp": "2024-09-15T10:36:26-04:00", "method": "GET", "url": "http://hollyhaven.snowflake/howtosavexmas.zip", "http_protocol": "HTTP/1.1", "status_code": 200, "response_size": 1098, "protocol": "HTTP", "additional_info": "outgoing via 172.24.25.25", "host": "SleighRider"}
Answer: SleighRider
Solution to question 6
Question
What was the IP address of the system you found in the previous question?
Answer: 172.24.25.12
Solution to question 7
Question
A process was launched when the user executed the program AFTER they downloaded it. What was that Process ID number (digits only please)?
cat *.log | grep "howtosavexmas"
Look for first log not with .zip
<134>1 2024-09-15T10:37:09-04:00 SleighRider.northpole.local WindowsEvent - - - {"EventTime": "2024-09-15 10:37:09", "Hostname": "SleighRider.northpole.local", "Keywords": -9223372036854775808, "EventType": "INFO", "SeverityValue": 2, "Severity": "INFO", "EventID": 11, "SourceName": "Microsoft-Windows-Sysmon", "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "Version": 2, "Task": 11, "OpcodeValue": 0, "RecordNumber": 714, "ProcessID": 10014, "ThreadID": 6340, "Channel": "Microsoft-Windows-Sysmon/Operational", "Domain": "NT AUTHORITY", "AccountName": "SYSTEM", "UserID": "S-1-5-18", "AccountType": "User", "Category": "File created (rule: FileCreate)", "Opcode": "Info", "RuleName": "Downloads", "UtcTime": "2024-09-15T10:37:09-04:00", "ProcessGuid": "{face0b26-e149-6606-9300-000000000700}", "Image": "C:\\Windows\\Explorer.EXE", "TargetFilename": "C:\\Users\\elf_user02\\Downloads\\howtosavexmas\\howtosavexmas.pdf.exe", "CreationUtcTime": "2024-09-15T10:37:09-04:00", "User": "NORTHPOLE\\elf_user02", "EventReceivedTime": "2024-09-15T10:37:09-04:00", "SourceModuleName": "inSysmon", "SourceModuleType": "im_msvistalog", "ProcessId": 5680, "MoreDetails": "File created:"}
Answer: 10014
Solution to question 8
Question
Did the attacker's payload make an outbound network connection? Our ElfSOC analysts need your help identifying the destination TCP port of this connection.
cat windows.log | grep "howtosavexmas.pdf.exe" | grep "connection"
<134>1 2024-09-15T10:37:50-04:00 SleighRider.northpole.local WindowsEvent - - - {"EventTime": "2024-09-15 10:37:50", "Hostname": "SleighRider.northpole.local", "Keywords": -9214364837600034816, "EventType": "AUDIT_SUCCESS", "SeverityValue": 2, "Severity": "INFO", "EventID": 5156, "SourceName": "Microsoft-Windows-Security-Auditing", "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Version": 1, "Task": 12810, "OpcodeValue": 0, "RecordNumber": 734596, "ProcessID": 4, "ThreadID": 1460, "Channel": "Security", "Category": "Filtering Platform Connection", "Opcode": "Info", "Application": "\\device\\harddiskvolume3\\users\\elf_user02\\downloads\\howtosavexmas\\howtosavexmas.pdf.exe", "Direction": "%%14593", "SourceAddress": "172.24.25.12", "SourcePort": 64543, "DestAddress": "103.12.187.43", "DestPort": 8080, "Protocol": 6, "FilterRTID": 0, "LayerName": "%%14611", "LayerRTID": 48, "RemoteUserID": "S-1-0-0", "RemoteMachineID": "S-1-0-0", "EventReceivedTime": "2024-09-15T10:37:50-04:00", "SourceModuleName": "inSecurityEvent", "SourceModuleType": "im_msvistalog", "ApplicationInformation_ProcessID": 8096, "ApplicationInformation_ApplicationName": "\\device\\harddiskvolume3\\users\\elf_user02\\downloads\\howtosavexmas\\howtosavexmas.pdf.exe", "NetworkInformation_Direction": "Outbound", "NetworkInformation_SourceAddress": "172.24.25.12", "NetworkInformation_SourcePort": 64543, "NetworkInformation_DestinationAddress": "103.12.187.43", "NetworkInformation_DestinationPort": 8443, "NetworkInformation_Protocol": 6, "FilterInformation_FilterRunTimeID": 0, "FilterInformation_LayerName": "Connect", "FilterInformation_LayerRunTimeID": 48, "MoreDetails": "The Windows Filtering Platform has permitted a connection."}
Answer: 8443
Solution to question 9
Question
The attacker escalated their privileges to the SYSTEM account by creating an inter-process communication (IPC) channel. Submit the alpha-numeric name for the IPC channel used by the attacker.
cat windows.log | grep "sleighrider" -i | grep "cmd.exe" -i
<134>1 2024-09-15T10:38:22-04:00 SleighRider.northpole.local WindowsEvent - - - {"EventTime": "2024-09-15 10:38:22", "Hostname": "SleighRider.northpole.local", "Keywords": -9187343239835811840, "EventType": "INFO", "SeverityValue": 2, "Severity": "INFO", "EventID": 7045, "SourceName": "Service Control Manager", "ProviderGuid": "{555908D1-A6D7-4695-8E1E-26931D2012F4}", "Version": 0, "Task": 0, "OpcodeValue": 0, "RecordNumber": 1571, "ProcessID": 628, "ThreadID": 5852, "Channel": "System", "Domain": "NORTHPOLE", "AccountName": "elf_user02", "UserID": "S-1-5-21-3699322559-1991583901-1175093138-1110", "AccountType": "User", "ServiceName": "ddpvccdbr", "ImagePath": "cmd.exe /c echo ddpvccdbr > \\\\.\\pipe\\ddpvccdbr", "ServiceType": "user mode service", "StartType": "demand start", "EventReceivedTime": "2024-09-15T10:38:22-04:00", "SourceModuleName": "inSystemEvent", "SourceModuleType": "im_msvistalog", "ServiceFileName": "cmd.exe /c echo ddpvccdbr > \\\\.\\pipe\\ddpvccdbr", "ServiceStartType": "demand start", "ServiceAccount": "LocalSystem", "MoreDetails": "A service was installed in the system."}
Answer: ddpvccdbr
Solution to question 10
Question
The attacker's process attempted to access a file. Submit the full and complete file path accessed by the attacker's process.
cat windows.log | grep "sleighrider" -i | grep "howtosavexmas.pdf.exe" | grep 'EventID": 4663'
<134>1 2024-09-15T10:38:28-04:00 SleighRider.northpole.local WindowsEvent - - - {"EventTime": "2024-09-15 10:38:28", "Hostname": "SleighRider.northpole.local", "Keywords": -9214364837600034816, "EventType": "AUDIT_SUCCESS", "SeverityValue": 2, "Severity": "INFO", "EventID": 4663, "SourceName": "Microsoft-Windows-Security-Auditing", "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Version": 1, "Task": 12802, "OpcodeValue": 0, "RecordNumber": 736288, "ProcessID": 4, "ThreadID": 4864, "Channel": "Security", "Category": "Kernel Object", "Opcode": "Info", "SubjectUserSid": "S-1-5-18", "SubjectUserName": "SLEIGHRIDER$", "SubjectDomainName": "NORTHPOLE", "SubjectLogonId": "0x3e7", "ObjectServer": "Security", "ObjectType": "Process", "ObjectName": "\\Device\\HarddiskVolume3\\Windows\\System32\\lsass.exe", "HandleId": "0x2e8", "AccessList": "%%4484\r\n\t\t\t\t", "AccessMask": "0x10", "ProcessName": "C:\\Users\\elf_user02\\Downloads\\howtosavexmas\\howtosavexmas.pdf.exe", "ResourceAttributes": "-", "EventReceivedTime": "2024-09-15T10:38:28-04:00", "SourceModuleName": "inSecurityEvent", "SourceModuleType": "im_msvistalog", "Subject_SecurityID": "S-1-5-18", "Subject_AccountName": "SLEIGHRIDER$", "Subject_AccountDomain": "NORTHPOLE", "Subject_LogonID": "0x3E7", "Object_ObjectServer": "Security", "Object_ObjectType": "Process", "Object_ObjectName": "\\Device\\HarddiskVolume3\\Windows\\System32\\lsass.exe", "Object_HandleID": "0x2e8", "Object_ResourceAttributes": "-", "ProcessInformation_ProcessID": "0x1fa0", "ProcessInformation_ProcessName": "C:\\Users\\elf_user02\\Downloads\\howtosavexmas\\howtosavexmas.pdf.exe", "AccessRequestInformation_Accesses": "Read from process memory", "AccessRequestInformation": ",", "AccessRequestInformation_AccessMask": "0x10", "MoreDetails": "An attempt was made to access an object."}
<134>1 2024-09-16T10:45:48-04:00 SleighRider.northpole.local WindowsEvent - - - {"EventTime": "2024-09-16 10:45:48", "Hostname": "SleighRider.northpole.local", "Keywords": -9223372036854775808, "EventType": "AUDIT_SUCCESS", "SeverityValue": 4, "Severity": "INFO", "EventID": 4663, "SourceName": "Microsoft-Windows-Security-Auditing", "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Version": 1, "Task": 12800, "OpcodeValue": 0, "RecordNumber": 123456, "ProcessID": 10014, "ThreadID": 6340, "Channel": "Security", "Domain": "NT AUTHORITY", "AccountName": "SYSTEM", "UserID": "S-1-5-18", "AccountType": "User", "Category": "Object Access", "Opcode": "Info", "UtcTime": "2024-09-16T10:45:48-04:00", "ProcessGuid": "{face0b26-426e-660c-eb0f-000000000700}", "ProcessName": "C:\\Users\\elf_user02\\Downloads\\howtosavexmas\\howtosavexmas.pdf.exe", "ObjectServer": "Security", "ObjectType": "File", "ObjectName": "C:\\Users\\elf_user02\\Desktop\\kkringl315@10.12.25.24.pem", "HandleID": "0x3fc", "Accesses": "READ_CONTROL,SYNCHRONIZE,ReadData", "AccessMask": "0x120089", "EventReceivedTime": "2024-09-16T10:45:48-04:00", "SourceModuleName": "inSecurity", "SourceModuleType": "im_msvistalog"}
Answer: C:\Users\elf_user02\Desktop\kkringl315@10.12.25.24.pem (removed double slashes)
Solution to question 11
Question
The attacker attempted to use a secure protocol to connect to a remote system. What is the hostname of the target server?
cat *.log | grep "2024-09-16" | grep "10.12.25.24"
<134>1 2024-09-16T11:03:06-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-16T14:03:06.315201-04:00", "hostname": "kringleSSleigH", "service": "sshd[6301]:", "message": "Connection from 34.30.110.62 port 58634 on 10.12.25.24 port 802 rdomain \"\""}
Answer: kringleSSleigH
Solution to question 12
Question
The attacker created an account to establish their persistence on the Linux host. What is the name of the new account created by the attacker?
cat auth.log | cut -d '"' -f 16 | sort | uniq
Accepted key RSA SHA256:AbfXsQOO05qHNT98Rhe1B7KzURo0viFfq2/gpAWlP7E found at /home/kkringl315/.ssh/authorized_keys:1
Accepted publickey for kkringl315 from 34.30.110.62 port 41606 ssh2: RSA SHA256:AbfXsQOO05qHNT98Rhe1B7KzURo0viFfq2/gpAWlP7E
Accepted publickey for kkringl315 from 34.30.110.62 port 48202 ssh2: RSA SHA256:AbfXsQOO05qHNT98Rhe1B7KzURo0viFfq2/gpAWlP7E
Accepted publickey for kkringl315 from 34.30.110.62 port 58634 ssh2: RSA SHA256:AbfXsQOO05qHNT98Rhe1B7KzURo0viFfq2/gpAWlP7E
add 'ssdh' to group 'sudo'
add 'ssdh' to shadow group 'sudo'
changed user 'ssdh' information
Answer: ssdh
Solution to question 13
Question
The attacker wanted to maintain persistence on the Linux host they gained access to and executed multiple binaries to achieve their goal. What was the full CLI syntax of the binary the attacker executed after they created the new user account?
cat auth.log | grep "ssdh"
...
<134>1 2024-09-16T11:00:14-04:00 kringleSSleigH AuthLog - - - {"timestamp": "2024-09-16T14:00:14.317262-04:00", "hostname": "kringleSSleigH", "service": "sudo:", "message": " kkringl315 : TTY=pts/5 ; PWD=/opt ; USER=root ; COMMAND=/usr/sbin/usermod -a -G sudo ssdh"}
...
Answer: /usr/sbin/usermod -a -G sudo ssdh
Solution to question 14
Question
The attacker enumerated Active Directory using a well known tool to map our Active Directory domain over LDAP. Submit the full ISO8601 compliant timestamp when the first request of the data collection attack sequence was initially recorded against the domain controller.
cat windows.log | grep "dc01.northpole.local WindowsEvent" | grep "ldap connection" -i | head -n1
<134>1 2024-09-16T11:10:12-04:00 dc01.northpole.local WindowsEvent - - - {"LogName": "Directory Service", "Source": "Microsoft-Windows-ActiveDirectory_DomainService", "EventID": 2889, "Category": "LDAP Interface", "Level": "Information", "Keywords": "Classic", "Description": "The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.", "Computer": "dc01.northpole.local", "ClientIPaddress": "172.24.25.22:18598", "ServicePort": 389, "ServiceName": "dc01.northpole.local", "ServiceIpAddress": "172.24.25.153", "UserID": "elf_user@northpole.local", "BindType": "0 - Simple Bind that does not support signing", "Date": "2024-09-16T11:10:12-04:00"}
Answer: 2024-09-16T11:10:12-04:00
Solution to question 15
Question
The attacker attempted to perform an ADCS ESC1 attack, but certificate services denied their certificate request. Submit the name of the software responsible for preventing this initial attack.
cat windows.log | grep "dc01.northpole.local WindowsEvent" | grep "certificate" -i | grep "denied" -i
<134>1 2024-09-16T11:14:12-04:00 dc01.northpole.local WindowsEvent - - - {"LogName": "Security", "Source": "Microsoft-Windows-Security-Auditing", "Date": "2024-09-16T11:14:12-04:00", "EventID": 4888, "Category": "Certification Services - Certificate Request Denied", "Level": "Information", "Keywords": "Audit Failure", "User": "N/A", "Computer": "dc01.northpole.local", "Description": "A certificate request was made for a certificate template, but the request was denied because it did not meet the criteria.", "UserInformation_UserName": "elf_user@northpole.local", "CertificateInformation_CertificateAuthority": "elf-dc01-SeaA", "CertificateInformation_RequestedTemplate": "Administrator", "ReasonForRejection": "KringleGuard EDR flagged the certificate request.", "AdditionalInformation_RequesterComputer": "10.12.25.24", "AdditionalInformation_RequestedUPN": "administrator@northpole.local"}
Answer: KringleGuard
Solution to question 16
Question
We think the attacker successfully performed an ADCS ESC1 attack. Can you find the name of the user they successfully requested a certificate on behalf of?
cat windows.log | grep "dc01.northpole.local WindowsEvent" | grep 'EventID": 4886'
<134>1 2024-09-16T11:15:12-04:00 dc01.northpole.local WindowsEvent - - - {"LogName": "Security", "Source": "Microsoft-Windows-Security-Auditing", "Date": "2024-09-16T11:15:12-04:00", "EventID": 4886, "Category": "Certification Services - Certificate Issuance", "Level": "Information", "Keywords": "Audit Success", "User": "N/A", "Computer": "dc01.northpole.local", "Description": "A certificate was issued to a user.", "UserInformation_UserName": "elf_user@northpole.local", "UserInformation_UPN": "nutcrakr@northpole.local", "CertificateInformation_CertificateAuthority": "elf-dc01-SeaA", "CertificateInformation_CertificateTemplate": "ElfUsers", "AdditionalInformation_RequesterComputer": "10.12.25.24", "AdditionalInformation_CallerComputer": "172.24.25.153"}
Answer: nutcrakr
Solution to question 17
Question
One of our file shares was accessed by the attacker using the elevated user account (from the ADCS attack). Submit the folder name of the share they accessed.
cat windows.log | grep "dc01.northpole.local WindowsEvent" | grep 'nutcrakr' | grep "share"
<134>1 2024-09-16T11:18:43-04:00 dc01.northpole.local WindowsEvent - - - {"EventTime": "2024-09-16 11:18:43", "Hostname": "dc01.northpole.local", "Keywords": -9214364837600034816, "EventType": "AUDIT_SUCCESS", "SeverityValue": 2, "Severity": "INFO", "EventID": 5140, "SourceName": "Microsoft-Windows-Security-Auditing", "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Version": 1, "Task": 12808, "OpcodeValue": 0, "RecordNumber": 498420, "ProcessID": 4, "ThreadID": 5692, "Channel": "Security", "Category": "File Share", "Opcode": "Info", "SubjectUserSid": "S-1-5-21-3699322559-1991583901-1175093138-1112", "SubjectUserName": "nutcrakr", "SubjectDomainName": "NORTHPOLE", "SubjectLogonId": "0xd8fdb3", "ObjectType": "File", "IpAddress": "34.30.110.62", "IpPort": 53378, "ShareName": "\\\\*\\WishLists", "ShareLocalPath": "\\??\\C:\\WishLists", "AccessMask": "0x1", "AccessList": "%%4416\r\n\t\t\t\t", "EventReceivedTime": "2024-09-16T11:18:43-04:00", "SourceModuleName": "inSecurityEvent", "SourceModuleType": "im_msvistalog", "Subject_SecurityID": "S-1-5-21-3699322559-1991583901-1175093138-1112", "Subject_AccountName": "nutcrakr", "Subject_AccountDomain": "NORTHPOLE", "Subject_LogonID": "0xD8FDB3", "NetworkInformation_ObjectType": "File", "NetworkInformation_SourceAddress": "34.30.110.62", "NetworkInformation_SourcePort": 53378, "NetworkInformation": ",", "ShareInformation_ShareName": "\\\\*\\WishLists", "ShareInformation_SharePath": "\\??\\C:\\WishLists", "AccessRequestInformation_AccessMask": "0x1", "AccessRequestInformation_Accesses": "ReadData (or ListDirectory)", "AccessRequestInformation": ",", "MoreDetails": "A network share object was accessed."}
Answer: WishLists
Solution to question 18
Question
The naughty attacker continued to use their privileged account to execute a PowerShell script to gain domain administrative privileges. What is the password for the account the attacker used in their attack payload?
cat windows.log | grep 'Payload' | grep "nutcrakr" -i
<134>1 2024-09-16T11:33:12-04:00 SleighRider.northpole.local WindowsEvent - - - {"ContextInfo": " Severity = Informational\r\n Host Name = Default Host\r\n Host Version = 5.1.19041.1\r\n Host ID = 4571e982-1bfd-4d83-97f2-ce85d3e41b9d\r\n Host Application = powershell\r\n Engine Version = 5.1.19041.1\r\n Runspace ID = dd0ca0e4-fdfe-49be-ada7-2931df92cca6\r\n Pipeline ID = 1\r\n Command Name = Set-StrictMode\r\n Command Type = Cmdlet\r\n Script Name = \r\n Command Path = \r\n Sequence Number = 30\r\n User = NORTHPOLE\\elf_user02\r\n Connected User = \r\n Shell ID = Microsoft.PowerShell\r\n", "UserData": "", "Payload": "Add-Type -AssemblyName System.DirectoryServices\n$ldapConnString = \"LDAP://CN=Domain Admins,CN=Users,DC=northpole,DC=local\"\n$username = \"nutcrakr\"\n$pswd = 'fR0s3nF1@k3_s'\n$nullGUID = [guid]'00000000-0000-0000-0000-000000000000'\n$propGUID = [guid]'00000000-0000-0000-0000-000000000000'\n$IdentityReference = (New-Object System.Security.Principal.NTAccount(\"northpole.local\\$username\")).Translate([System.Security.Principal.SecurityIdentifier])\n$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None\n$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $IdentityReference, ([System.DirectoryServices.ActiveDirectoryRights] \"GenericAll\"), ([System.Security.AccessControl.AccessControlType] \"Allow\"), $propGUID, $inheritanceType, $nullGUID\n$domainDirEntry = New-Object System.DirectoryServices.DirectoryEntry $ldapConnString, $username, $pswd\n$secOptions = $domainDirEntry.get_Options()\n$secOptions.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl\n$domainDirEntry.RefreshCache()\n$domainDirEntry.get_ObjectSecurity().AddAccessRule($ACE)\n$domainDirEntry.CommitChanges()\n$domainDirEntry.dispose()\n$ldapConnString = \"LDAP://CN=Domain Admins,CN=Users,DC=northpole,DC=local\"\n$domainDirEntry = New-Object System.DirectoryServices.DirectoryEntry $ldapConnString, $username, $pswd\n$user = New-Object System.Security.Principal.NTAccount(\"northpole.local\\$username\")\n$sid=$user.Translate([System.Security.Principal.SecurityIdentifier])\n$b=New-Object byte[] $sid.BinaryLength\n$sid.GetBinaryForm($b,0)\n$hexSID=[BitConverter]::ToString($b).Replace('-','')\n$domainDirEntry.Add(\"LDAP://<SID=$hexSID>\")\n$domainDirEntry.CommitChanges()\n$domainDirEntry.dispose()", "Provider_Name": "Microsoft-Windows-PowerShell", "Provider_Guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", "EventID": 4103, "Version": 1, "Level": 4, "Task": 106, "Opcode": 20, "Keywords": "0x0", "TimeCreated_SystemTime": "2024-09-16T11:33:12-04:00", "EventRecordID": 55410, "Correlation_ActivityID": "{17aa0df9-5d3d-46e9-bce0-55b7a5be4b43}", "ParentProcessID": 928, "ThreadID": 2859, "Channel": "Microsoft-Windows-PowerShell/Operational", "Computer": "SleighRider.northpole.local", "Security_UserID": "S-1-5-21-3699322559-1991583901-1175093138-1110"}
Answer: fR0s3nF1@k3_s
Solution to question 19
Question
The attacker then used remote desktop to remotely access one of our domain computers. What is the full ISO8601 compliant UTC EventTime when they established this connection?
cat windows.log | grep 'eventid": 4624' -i | grep 'logontype": 10' -i
<134>1 2024-09-16T11:35:57-04:00 dc01.northpole.local WindowsEvent - - - {"EventTime": "2024-09-16 11:35:57", "Hostname": "dc01.northpole.local", "Keywords": -9214364837600034816, "EventType": "AUDIT_SUCCESS", "SeverityValue": 2, "Severity": "INFO", "EventID": 4624, "SourceName": "Microsoft-Windows-Security-Auditing", "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Version": 2, "Task": 12544, "OpcodeValue": 0, "RecordNumber": 530313, "ActivityID": "{D72392BD-843F-0000-1F93-23D73F84DA01}", "ProcessID": 704, "ThreadID": 1124, "Channel": "Security", "Category": "Logon", "Opcode": "Info", "SubjectUserSid": "S-1-5-18", "SubjectUserName": "DC01$", "SubjectDomainName": "NORTHPOLE", "SubjectLogonId": "0x3e7", "TargetUserSid": "S-1-5-21-3699322559-1991583901-1175093138-1112", "TargetUserName": "nutcrakr", "TargetDomainName": "NORTHPOLE", "TargetLogonId": "0xdd425e", "LogonType": 10, "LogonProcessName": "User32 ", "AuthenticationPackageName": "Negotiate", "WorkstationName": "DC01", "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "TransmittedServices": "-", "LmPackageName": "-", "KeyLength": 0, "ProcessName": "C:\\Windows\\System32\\svchost.exe", "IpAddress": "10.12.25.24", "IpPort": 0, "ImpersonationLevel": "%%1833", "RestrictedAdminMode": "%%1843", "TargetOutboundUserName": "-", "TargetOutboundDomainName": "-", "VirtualAccount": "%%1843", "TargetLinkedLogonId": "0xdd41af", "ElevatedToken": "%%1843", "EventReceivedTime": "2024-09-16T11:35:57-04:00", "SourceModuleName": "inSecurityEvent", "SourceModuleType": "im_msvistalog", "Subject_SecurityID": "S-1-5-18", "Subject_AccountName": "DC01$", "Subject_AccountDomain": "NORTHPOLE", "Subject_LogonID": "0x3E7", "LogonInformation_LogonType": 10, "LogonInformation_RestrictedAdminMode": "No", "LogonInformation_VirtualAccount": "No", "LogonInformation_ElevatedToken": "No", "NewLogon_SecurityID": "S-1-5-21-3699322559-1991583901-1175093138-1112", "NewLogon_AccountName": "nutcrakr", "NewLogon_AccountDomain": "NORTHPOLE", "NewLogon_LogonID": "0xDD425E", "NewLogon_LinkedLogonID": "0xDD41AF", "NewLogon_NetworkAccountName": "-", "NewLogon_NetworkAccountDomain": "-", "NewLogon_LogonGUID": "{00000000-0000-0000-0000-000000000000}", "ProcessInformation_ProcessID": "0x994", "ProcessInformation_ProcessName": "C:\\Windows\\System32\\svchost.exe", "NetworkInformation_WorkstationName": "DC01", "NetworkInformation_SourceNetworkAddress": "10.12.25.24", "NetworkInformation_SourcePort": 0, "DetailedAuthenticationInformation_LogonProcess": "User32", "DetailedAuthenticationInformation_AuthenticationPackage": "Negotiate", "DetailedAuthenticationInformation_TransitedServices": "-", "DetailedAuthenticationInformation_PackageNameNTLMonly": "-", "DetailedAuthenticationInformation_KeyLength": 0, "MoreDetails": "An account was successfully logged on.\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\nThe authentication information fields provide detailed information about this specific logon request.\n- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n- Transited services indicate which intermediate services have participated in this logon request.\n- Package name indicates which sub-protocol was used among the NTLM protocols.\n- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."}
Answer: 2024-09-16T15:35:57.000Z
Solution to question 20
Question
The attacker is trying to create their own naughty and nice list! What is the full file path they created using their remote desktop connection?
cat windows.log | grep 'logonid": "0xDD425E' -i | grep "command" -i | grep "WishLists"
<134>1 2024-09-16T11:36:28-04:00 dc01.northpole.local WindowsEvent - - - {"EventTime": "2024-09-16 11:36:28", "Hostname": "dc01.northpole.local", "Keywords": -9223372036854775808, "EventType": "INFO", "SeverityValue": 2, "Severity": "INFO", "EventID": 1, "SourceName": "Microsoft-Windows-Sysmon", "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "Version": 5, "Task": 1, "OpcodeValue": 0, "RecordNumber": 641, "ProcessID": 6468, "ThreadID": 4816, "Channel": "Microsoft-Windows-Sysmon/Operational", "Domain": "NT AUTHORITY", "AccountName": "SYSTEM", "UserID": "S-1-5-18", "AccountType": "User", "Category": "Process Create (rule: ProcessCreate)", "Opcode": "Info", "RuleName": "-", "UtcTime": "2024-09-16T11:36:28-04:00", "ProcessGuid": "{f151dc49-502c-660c-8702-000000000900}", "Image": "C:\\Windows\\System32\\notepad.exe", "FileVersion": "10.0.17763.1697 (WinBuild.160101.0800)", "Description": "Notepad", "Product": "Microsoft\u00ae Windows\u00ae Operating System", "Company": "Microsoft Corporation", "OriginalFileName": "NOTEPAD.EXE", "CommandLine": "\"C:\\Windows\\system32\\NOTEPAD.EXE\" C:\\WishLists\\santadms_only\\its_my_fakelst.txt", "CurrentDirectory": "C:\\WishLists\\santadms_only\\", "User": "NORTHPOLE\\nutcrakr", "LogonGuid": "{f151dc49-500d-660c-5e42-dd0000000000}", "LogonId": "0xdd425e", "TerminalSessionId": 2, "IntegrityLevel": "Medium", "Hashes": "MD5=5394096A1CEBF81AF24E993777CAABF4,SHA256=A28438E1388F272A52559536D99D65BA15B1A8288BE1200E249851FDF7EE6C7E,IMPHASH=C8922BE3DCDFEB5994C9EEE7745DC22E", "ParentProcessGuid": "{f151dc49-500f-660c-5902-000000000900}", "ParentProcessId": 1364, "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "C:\\Windows\\Explorer.EXE", "ParentUser": "NORTHPOLE\\nutcrakr", "EventReceivedTime": "2024-09-16T11:36:28-04:00", "SourceModuleName": "inSysmon", "SourceModuleType": "im_msvistalog", "ProcessId": 9152, "MoreDetails": "Process Create:"}
Answer: C:\WishLists\santadms_only\its_my_fakelst.txt
Solution to question 21
Question
The Wombley faction has user accounts in our environment. How many unique Wombley faction users sent an email message within the domain?
cat mail.log | cut -d '"' -f 4 | grep ".local" | sort | uniq
asnowball04@northpole.local
asnowball_05@northpole.local
asnowball08@northpole.local
asnowball09@northpole.local
elf_user00@northpole.local
elf_user01@northpole.local
elf_user02@northpole.local
elf_user03@northpole.local
elf_user04@northpole.local
elf_user05@northpole.local
elf_user06@northpole.local
elf_user07@northpole.local
elf_user08@northpole.local
elf_user09@northpole.local
elf_user10@northpole.local
elf_user11@northpole.local
kriskring1e@northpole.local
wcub101@northpole.local
wcub303@northpole.local
wcub808@northpole.local
wcube311@northpole.local
Answer: 4
Solution to question 22
Question
The Alabaster faction also has some user accounts in our environment. How many emails were sent by the Alabaster users to the Wombley faction users?
Answer: 22
Solution to question 23
Question
Of all the reindeer, there are only nine. What's the full domain for the one whose nose does glow and shine? To help you narrow your search, search the events in the 'SnowGlowMailPxy' event source.
cat mail.log | grep 'rudolph' -i
...
<134>1 2024-09-16T11:58:37-04:00 SecureElfGwy SnowGlowMailPxy - - - {"From": "RudolphRunner@rud01ph.glow", "To": "elf_user05@northpole.local", "Subject": "Diversity and Inclusion Initiatives at The North Pole", "Date": null, "Message-ID": "<A1E38EA6-50AF-47FA-A3FE-4C16B0084B2A@SecureElfGwy.northpole.local>", "Return-Path": "NorthPolePostmaster@northpole.exchange", "Body": "elf_user05,\n\nI wanted to update you on the latest progress with our\n", "Received_Time": "2024-09-16T11:58:37-04:00", "ReceivedIP1": "172.24.25.25", "ReceivedIP2": "172.24.25.20"}
...
Answer: rud01ph.glow
Solution to question 24
Question
With a fiery tail seen once in great years, what's the domain for the reindeer who flies without fears? To help you narrow your search, search the events in the 'SnowGlowMailPxy' event source.
cat mail.log | grep 'c0m3t' -i
...
<134>1 2024-09-16T11:55:19-04:00 SecureElfGwy SnowGlowMailPxy - - - {"From": "StockingStitcher@c0m3t.halleys", "To": "elf_user09@northpole.local", "Subject": "Training Opportunities at The North Pole", "Date": null, "Message-ID": "<48025832-AF6A-49D9-9664-AB3A0CFC0356@SecureElfGwy.northpole.local>", "Return-Path": "NorthPolePostmaster@northpole.exchange", "Body": "Dear elf_user09,\n\nI hope this email finds you motivated and ready for new challenges! As we continue to strive for excellence at The North Pole, I wanted to bring to your attention the exciting training opportunities available to all employees. \n\nInvesting in our professional development is crucial to stay ahead in the ever-evolving world of technology. Therefore, I would like to inform you about a series of upcoming training sessions and workshops designed to enhance our skills and knowledge.\n\n1. Professional Growth Workshop:\nDate: [Date]\nTime: [Time]\nLocation: [Venue]\nTopic: Building Effective Communication Skills for Team Collaboration\n\nThis workshop aims to strengthen our ability to effectively communicate and collaborate within our teams. It will provide practical tips and techniques to improve interpersonal skills, overcome communication barriers, and foster a collaborative work environment.\n\n2. Technical Webinar:\nDate: [Date]\nTime: [Time]\nLocation: Online (Webinar Link will be shared separately)\nTopic: Deep Dive into Data Encryption and Security Best Practices\n\nIn this technical webinar, we will explore the latest advancements in data encryption and security. Our experts will discuss current trends, best practices, and demonstrate how we can leverage this knowledge to enhance our projects' security and protection against cyber threats.\n\n3. Leadership Development Program:\nDates: [Date 1], [Date 2], [Date 3], [Date 4]\nTime: [Time]\nLocation: [Venue]\nTheme: Leading with Innovation and Adaptability\n\nThe Leadership Development Program is tailored for high-potential individuals aspiring to take on leadership roles. This program will cover various aspects of effective leadership, including fostering innovation, adaptability, and managing change. Participants will gain insights from experienced leaders within our organization and have the chance to engage in interactive discussions and case studies.\n\nTo register for any of these training opportunities, please click on the provided link: [Registration Link]. Kindly note that seats are limited, and registrations will be accepted on a first-come, first-served basis.\n\nRemember, learning never stops, and continuous improvement is key to our success. I encourage you to take advantage of these training initiatives and further augment your capabilities.\n\nIf you have any questions or require further information, please do not hesitate to reach out to me or our dedicated HR team at [HR Contact Information].\n\nTogether, let's unlock our potential and embrace the path of endless possibilities!\n\nWarm regards,\n\nStockingStitcher\n", "Received_Time": "2024-09-16T11:55:19-04:00", "ReceivedIP1": "172.24.25.25", "ReceivedIP2": "172.24.25.20"}
...
Answer: c0m3t.halleys
Response¶
Fitzy Shortstack
Fantastic job! You worked through the logs using the ELK stack like a pro—efficient, quick, and spot-on. Maybe, just maybe, this will turn Santa’s frown upside down!
Unbelievable! You dissected the attack chain using advanced analysis—impressive work! With determination like yours, we might just fix the mess and get Santa smiling again.
Bravo! You pieced it all together, uncovering the attack path. Santa’s gonna be grateful for your quick thinking and tech savvyness. The North Pole owes you big time!