SANS Holiday Hack Challenge The Great Elf Conflict

KC7 The Great Elf Conflict SANS Holiday Hack Challenge

This post is a write-up with clues on how to resolve the KC7 investigation case of SANS Holiday Hack Challenge 2024 The Great Elf Conflict. You can use it as a helpful guide when encountering an obstacle or trying to understand a question. Different ways to answer questions might exist, so feel free to explore your path. Section 1: KQL 101 You got it Section 2: Operation Surrender Alabaster's Espionage Question 1: surrender...

December 10, 2024 · 6 min · 1177 words · Bader Alrowaiei
HopsNStuff

KC7 HopsNStuff - Section 4: Sugar Rush

This post is a walkthrough of the KC7 investigation case of KC7 HopsNStuff - Section 4: Sugar Rush. You can use it as a helpful guide when encountering an obstacle or trying to understand a question. Different ways to answer questions might exist, so don't be afraid to explore your path. Section 4: Sugar Rush Question 1: IP 158.235.158.156 was observed exfiltrating data from mailboxes at HopsNStuff. How many mailboxes were affected?...

October 27, 2024 · Last Modified: October 27, 2024 · 5 min · 1015 words · Bader Alrowaiei
HopsNStuff

KC7 HopsNStuff - Section 3: Golden

This post is a walkthrough of the KC7 investigation case of KC7 HopsNStuff - Section 3: Golden. You can use it as a helpful guide when encountering an obstacle or trying to understand a question. Different ways to answer questions might exist, so don't be afraid to explore your path. Section 3: Golden Question 1: A law enforcement agency informed HopsNStuff that an adversary was attempting to gain access to their company....

October 20, 2024 · Last Modified: November 11, 2024 · 7 min · 1473 words · Bader Alrowaiei
HopsNStuff

KC7 HopsNStuff - Section 2: Info

This post is a walkthrough of the KC7 investigation case of KC7 HopsNStuff - Section 2: Info. You can use it as a helpful guide when encountering an obstacle or trying to understand a question. Different ways to answer questions might exist, so don't be afraid to explore your path. Section 2: Question 1: Let's take a look at our SecurityAlerts. A security alert flagged on a file that was quarantined on March 31, 2023....

September 11, 2024 · Last Modified: September 15, 2024 · 12 min · 2416 words · Bader Alrowaiei
KC7 Inside Encryptodera

KC7 Inside Encryptodera - Section 3: F in the chat

This post is a write-up with clues on how to resolve the KC7 investigation case of Inside Encryptodera - Section 3: F in the chat. You can use it as a helpful guide when you encounter an obstacle, as it is structured as a fill-in-the-blanks solution. Section 3: Question 1: What username was used to log into the DOMAIN_CONTROLLER_SERVER? AuthenticationEvents | where hostname == "DOMAIN_CONTROLLER_SERVER" | project username Question 2: What laptop did the lihenry_domain_admin account sign into?...

September 6, 2024 · Last Modified: September 6, 2024 · 3 min · 553 words · Bader Alrowaiei
KC7 Inside Encryptodera

KC7 Inside Encryptodera Section 2: Crypto Conquest

This post is a write-up with clues on how to resolve the KC7 investigation case of Inside Encryptodera Section 2: Crypto Conquest. You can use it as a helpful guide when you encounter an obstacle, as it is structured as a fill-in-the-blanks solution. Section 2: Question 1: What is the filename of this note? Do you see it? It is the .txt file name. FileCreationEvents | where path contains "GIMME" | distinct filename | project filename Question 2: What kind of attack is this?...

August 25, 2024 · Last Modified: September 1, 2024 · 6 min · 1165 words · Bader Alrowaiei
KC7 Inside Encryptodera

KC7 Inside Encryptodera - Section 1: Offensive Odor

This post is a write-up with clues on how to resolve the KC7 investigation case of Inside Encryptodera - Section 1: Offensive Odor. You can use it as a helpful guide when you encounter an obstacle, as it is structured as a fill-in-the-blanks solution. Section 1: Question 1: What is Barry's role at the company? Employees | where name contains "Barry" | project name, role Question 2: What is Barry's email address?...

July 29, 2024 · Last Modified: August 17, 2024 · 4 min · 655 words · Bader Alrowaiei
KC7 Balloons Over Iowa

KC7 Balloons Over Iowa - Section 4: Helpdesk ☎️

This post is a write-up with clues on how to resolve the KC7 investigation case of Balloons Over Iowa - Section 2: Aliens. You can use it as a helpful guide when you encounter an obstacle, as it is structured as a fill-in-the-blanks solution. Section 4: Question 1: How many emails contained the domain database.io? Table | where <field> <operator> "database.io" | <operator> Question 2: What IP does the domain database....

July 7, 2024 · Last Modified: July 16, 2024 · 3 min · 455 words · Bader Alrowaiei
KC7 Balloons Over Iowa

KC7 Balloons Over Iowa - Section 3: TopSecret 🤫

This post is a write-up with clues on how to resolve the KC7 investigation case of Balloons Over Iowa - Section 3: TopSecret 🤫. You can use it as a helpful guide when you encounter an obstacle, as it is structured as a fill-in-the-blanks solution. Section 3: Question 1: On 2023-02-19 at 05:02, Son Johnson downloaded a suspicious Word document file. What was the name of this file? The question provided the timestamp 2023-02-19 at 05:02 and the user name Son Johnson....

June 17, 2024 · Last Modified: July 2, 2024 · 7 min · 1489 words · Bader Alrowaiei
KC7 Balloons Over Iowa

KC7 Balloons Over Iowa - Section 2: Aliens

This post is a write-up with clues on how to resolve the KC7 investigation case of Balloons Over Iowa - Section 2: Aliens. You can use it as a helpful guide when you encounter an obstacle, as it is structured as a fill-in-the-blanks solution. Section 2: Aliens Question 1: Which email address sent a message containing the domain invasion.xyz? Table | where <field> <operator> "invasion.xyz" Question 2: How many users received email with links to the domain invasion....

June 14, 2024 · Last Modified: June 24, 2024 · 6 min · 1260 words · Bader Alrowaiei