This post is a write-up with clues on how to resolve the KC7 investigation case A Scandal in Valdoria - Section 4: A Scandal. You can use it as a guide whenever you get stuck, as it is structured as a fill-in-the-blanks solution.

Section 4: A Scandal

Question 1: How many total emails were sent by this email sender to users at The Valdorian Times?

Table
| where <field> <operator> "valdorias_best_recruiter@gmail.com"
| count 

Question 2: When did valdorias_best_recruiter@gmail.com send an email to Ronnie McLovin?

See KC7 A Scandal in Valdoria - Section 2: Welcome to Valdoria!, Question 6. We can also find the email address of Ronnie McLovin by checking the Employees table.

Table
| where <field> <operator> "valdorias_best_recruiter@gmail.com"
| where <field> <operator> "<Email from Section 2 Question 6>"

Table
| where <field> <operator> "valdorias_best_recruiter@gmail.com"
| where <field> <operator> "<Email from Section 2 Question 6>"

See KC7 A Scandal in Valdoria - Section 2: Welcome to Valdoria!, Question 6.

Question 4: What was the subject of that email?

Table
| where <field> <operator> "valdorias_best_recruiter@gmail.com"
| where <field> <operator> "<Email from Section 2 Question 6>"

See KC7 A Scandal in Valdoria - Section 2: Welcome to Valdoria!, Question 6.

We know the domain of the phishing website from question 3. To narrow our search, we will run the following query:

search "<Answer from question 3>"
| distinct $table

The results are in the Email and OutboundNetworkEvents tables. After reviewing the columns in both tables, we can identify the src_ip column in the OutboundNetworkEvents table. Then, from the Employees table, we can find Ronnie McLovin's IP address by running the following:

Table
| where <field> <operator> "Ronnie McLovin"

Then, search for Ronnie McLovin's IP address in the src_ip column together with the phishing domain in the url column.

Table
| where <field> <operator> "<Ronnie McLovin's ip_addr>" and url contains "<Answer from question 3>"
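The pivot above (employee name to IP address, then IP address to outbound requests containing the phishing domain) is what the two KQL queries do. The following is an added Python example, not part of the KC7 walkthrough or dataset, that performs the same pivot over constructed sample rows; the column names name, ip_addr, src_ip and url are taken from the walkthrough, while the host names, IP addresses, URLs and the placeholder domain phish.example are invented here.

```python
# Added example: the Employees -> OutboundNetworkEvents pivot over constructed rows.
# Column names mirror the walkthrough; every value below is invented for this example.
EMPLOYEES = [
    {"name": "Ronnie McLovin", "ip_addr": "10.10.0.23", "hostname": "RONNIE-PC"},
    {"name": "Clark Kent", "ip_addr": "10.10.0.41", "hostname": "CLARK-PC"},
]

# phish.example stands in for the domain found in question 3 (placeholder, not the real answer).
OUTBOUND_NETWORK_EVENTS = [
    {"timestamp": "2024-01-10T08:40:02Z", "src_ip": "10.10.0.23",
     "url": "https://news.example.com/"},
    {"timestamp": "2024-01-10T08:52:17Z", "src_ip": "10.10.0.23",
     "url": "http://phish.example/Editorial_J0b_Openings_2024.docx"},
    {"timestamp": "2024-01-10T09:01:44Z", "src_ip": "10.10.0.41",
     "url": "http://phish.example/careers"},
]


def employee_ip(name):
    """Equivalent of: Employees | where name == "<name>" | project ip_addr"""
    for row in EMPLOYEES:
        if row["name"] == name:
            return row["ip_addr"]
    raise KeyError("no employee named %r" % name)


def downloads_from_domain(name, domain):
    """Equivalent of: OutboundNetworkEvents | where src_ip == <ip> and url contains "<domain>"

    Results are returned oldest first so the first hit is the initial click.
    """
    ip = employee_ip(name)
    hits = [e for e in OUTBOUND_NETWORK_EVENTS if e["src_ip"] == ip and domain in e["url"]]
    return sorted(hits, key=lambda e: e["timestamp"])


def docx_names(events):
    """Pull the .docx file name out of each matching URL (the question 6 answer)."""
    return [e["url"].rsplit("/", 1)[-1] for e in events if e["url"].lower().endswith(".docx")]


if __name__ == "__main__":
    hits = downloads_from_domain("Ronnie McLovin", "phish.example")
    for e in hits:
        print(e["timestamp"], e["url"])
    print("downloaded documents:", docx_names(hits))
```

Sorting by timestamp matters for question 7: on real data the same user may hit the phishing domain more than once, and the earliest request is the one to line up against the file-creation event on the host.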

Question 6: What was the name of the .docx file that was downloaded to Ronnie’s machine?

Answer from question 5.

Question 7: When was this docx file downloaded?

Start by looking at the available tables and columns in the ValdyTime database. We need to query using the hostname or username, which we can obtain from the Employees table.

Employees
| where <field> <operator> "Ronnie McLovin"

Table
| where <field> <operator> "<Ronnie's Hostname>"
| where <field> <operator> "Editorial_J0b_Openings_2024.docx"

Question 8: When was the .ps1 file dropped to Ronnie’s machine?

Table
| where <field> <operator> "<Ronnie's Hostname>"
| where <field> <operator> "hacktivist_manifesto.ps1"

KC7 A Scandal in Valdoria - Section 3: Plenty of Phish Question 12.

Table
| where <field> <operator> "<Ronnie's Hostname>"
| where <field> <operator> "plink"

Answer from question 9 in the process_commandline column.

Table
| where <field> <operator> "<Ronnie's Hostname>"
| where <field> <operator> "plink"

Answer from question 9 in the process_commandline column.

Table
| where <field> <operator> "<Ronnie's Hostname>"
| where <field> <operator> "plink"

Question 12: How many discovery commands were run on Ronnie’s machine?

Check MITRE ATT&CK ID T1018. I used timestamp >= datetime(2024-01-10T08:55:51Z), which is the time the file C:\ProgramData\hacktivist_manifesto.ps1 was run.

Table
| where <field> <operator> "<Ronnie's Hostname>"
| where timestamp >= datetime(2024-01-10T08:55:51Z)
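The query above only narrows the window; you still have to decide which of the returned command lines count as discovery. The following added Python example (not part of the KC7 walkthrough) does both steps over constructed ProcessEvents-style rows: it keeps events on the host at or after the hacktivist_manifesto.ps1 run time from the page, then matches the executable name against a list of common discovery binaries. The hostname RONNIE-PC, the sample command lines and the DISCOVERY_BINARIES list are assumptions for the example, not values from the dataset.

```python
from datetime import datetime, timezone

# Time the walkthrough gives for hacktivist_manifesto.ps1 running on Ronnie's host.
PS1_RUN_TIME = datetime(2024, 1, 10, 8, 55, 51, tzinfo=timezone.utc)

# Assumed list of executables typically used for host and network discovery
# (ATT&CK T1018 and neighbouring discovery techniques); extend to taste.
DISCOVERY_BINARIES = {
    "whoami", "hostname", "ipconfig", "systeminfo", "net", "net1", "nltest",
    "arp", "ping", "nslookup", "tasklist", "quser", "netstat", "route",
}

# Constructed ProcessEvents-style rows; RONNIE-PC / OTHER-PC are placeholder hostnames.
PROCESS_EVENTS = [
    {"timestamp": "2024-01-10T08:30:00Z", "hostname": "RONNIE-PC",
     "process_commandline": "ipconfig /all"},            # before the .ps1 ran: out of scope
    {"timestamp": "2024-01-10T08:55:51Z", "hostname": "RONNIE-PC",
     "process_commandline": r"powershell.exe -ExecutionPolicy Bypass C:\ProgramData\hacktivist_manifesto.ps1"},
    {"timestamp": "2024-01-10T08:56:10Z", "hostname": "RONNIE-PC",
     "process_commandline": "whoami"},
    {"timestamp": "2024-01-10T08:56:31Z", "hostname": "RONNIE-PC",
     "process_commandline": "net view /domain"},
    {"timestamp": "2024-01-10T08:57:02Z", "hostname": "RONNIE-PC",
     "process_commandline": "arp -a"},
    {"timestamp": "2024-01-10T08:57:40Z", "hostname": "RONNIE-PC",
     "process_commandline": "notepad.exe notes.txt"},     # not discovery
    {"timestamp": "2024-01-10T08:58:00Z", "hostname": "OTHER-PC",
     "process_commandline": "whoami"},                    # wrong host
]


def parse_ts(value):
    """Parse the Zulu ISO-8601 timestamps used in the walkthrough into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def binary_name(cmdline):
    """Executable name from a command line: strip path, quotes and the .exe suffix."""
    parts = cmdline.strip().split()
    if not parts:
        return ""
    name = parts[0].rsplit("\\", 1)[-1].strip('"').lower()
    return name[:-4] if name.endswith(".exe") else name


def discovery_commands(events, hostname, since, until=None):
    """Events on `hostname` with since <= timestamp (< until, if given) whose binary is a discovery tool.

    Mirrors: ProcessEvents | where hostname == ... | where timestamp >= datetime(...)
    followed by a manual review of process_commandline.
    """
    found = []
    for e in events:
        if e["hostname"] != hostname:
            continue
        ts = parse_ts(e["timestamp"])
        if ts < since or (until is not None and ts >= until):
            continue
        if binary_name(e["process_commandline"]) in DISCOVERY_BINARIES:
            found.append(e)
    return sorted(found, key=lambda e: e["timestamp"])


if __name__ == "__main__":
    hits = discovery_commands(PROCESS_EVENTS, "RONNIE-PC", PS1_RUN_TIME)
    for e in hits:
        print(e["timestamp"], e["process_commandline"])
    print("discovery commands:", len(hits))
```

The binary-name normalisation is the part worth keeping: real telemetry mixes bare names, quoted full paths and .exe suffixes, and a naive substring match on process_commandline both misses and over-counts.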

Question 13: What is Ronnie’s IP address?

We saw that in the Employees table.

Table
| where <field> <operator> "Ronnie McLovin"

Question 14: What is the full URL fakestory.docx was downloaded from?

Table
| where <field> <operator> "fakestory.docx"

Question 15: What is Ronnie’s hostname?

Table
| where <field> <operator> "fakestory.docx"

Question 16: What is the sha256 hash of fakestory.docx on Ronnie’s machine?

Table
| where <field> <operator> "fakestory.docx"

Question 17: When was fakestory.docx created on Ronnie’s machine?

Table
| where <field> <operator> "fakestory.docx"

Question 18: What is the new path for the document?

The question provided us with the file that was downloaded: fakestory.docx. Let’s perform a search for the file name.

search "fakestory.docx"

Our flag is in the process_commandline column.

Other ways to get our flag would be to check the timeline after discovery commands or use the hostname and the filename to find the command.

Question 19: When was this command executed to rename and move the file?

Answer from question 18.

Question 20: When was OpEdFinal_to_print.docx emailed from Ronnie’s account to Clark Kent?

Table
| where <field> <operator> "OpEdFinal_to_print.docx"

Question 21: How many minutes elapsed between when the file was moved/renamed on Ronnie's machine and when the email was sent to Clark Kent?

Perform a time calculation between the event timestamps from question 19 and question 20.

Question 22: What was the subject line of this email?

Table
| where <field> <operator> "OpEdFinal_to_print.docx"

Question 23: Do you think this is the only thing the attackers did on Ronnie’s machine? (yes/no)

It wouldn’t be fun if it was yes!

Question 24: What is the domain mentioned in this alert?

In red!

Question 25: How many total commands were run in this timeframe?

Table
| where <field> <operator> (datetime(2024-01-21 07:00:00) .. datetime(2024-01-21 12:00:00))
| where hostname == "<Ronnie's Hostname>"
| order by timestamp asc

Question 26: What is the name of the .7z file that contains the stolen memes?

Investigate the process_commandline.

Table
| where <field> <operator> "<Ronnie's Hostname>"
| where process_commandline contains "7z"

Question 27: What is the name of the .7z file that contains files stolen from Ronnie’s Documents folder?

Investigate the process_commandline.

Table
| where <field> <operator> "<Ronnie's Hostname>"
| where <field> <operator> "7z"

Question 28: What is the name of the .7z file that contains files stolen from Ronnie’s Desktop folder?

Investigate the process_commandline.

Table
| where <field> <operator> "<Ronnie's Hostname>"
| where <field> <operator> "7z"

Question 29: What is the password the attackers used to encrypt all of the .7z files?

Investigate the process_commandline.

Table
| where <field> <operator> "<Ronnie's Hostname>"
| where <field> <operator> "7z"

Question 30: What is the full command the attackers ran to do this?

Investigate the process_commandline.

Table
| where <field> <operator> "<Ronnie's Hostname>"
| where <field> <operator> "7z"

CURL

Question 31: What domain was the stolen data uploaded to?

Investigate the process_commandline.

Table
| where hostname <operator> "<Ronnie's Hostname>"
| where process_commandline contains "7z"

CURL

Question 32: Was data stolen from any other devices and uploaded to hirejob.com? (yes/no)

Try searching by the domain from the answer to question 31.

ProcessEvents
| where <field> <operator> "hirejob.com"
| where hostname != "<Ronnie's Hostname>"

Question 33: Type “wooo” to receive credit

wooo

Question 34: Type “shadows” to finish this module. Stay tuned for the next module to learn more about what’s lurking in the shadows 😱

shadows

Community Help

Join the KC7 Discord #valdoria channel to discuss the module.