This post is a write-up, or rather a set of clues, on how to resolve the KC7 investigation case Balloons Over Iowa - Section 2: Aliens. You can use it as a guide when you get stuck, as it is structured as a fill-in-the-blanks solution: the table names, fields and operators are left for you to work out.
Section 2: Aliens
Question 1: Which email address sent a message containing the domain invasion.xyz?
Table
| where <field> <operator> "invasion.xyz"
Question 2: How many users received email with links to the domain invasion.xyz?
Table
| where <field> <operator> "invasion.xyz"
| count
Question 3: What was the subject of the email sent in (1)?
Answer from question 1.
Table
| where <field> <operator> "invasion.xyz"
Question 4: Who received the email in (1)? (Provide the email address of any of them)
Answer from question 1.
Table
| where <field> <operator> "invasion.xyz"
Question 5: What file (name) was sent as a link in the email in (1)?
Answer from question 1.
Table
| where <field> <operator> "invasion.xyz"
The last section of the link.
Question 6: What is the IP of the user who clicked on the link from the email containing the domain invasion.xyz?
OutboundNetworkEvents
| where <field> <operator> "invasion.xyz"
Question 7: What is the name of the user from (6)?
Table
| where <field> <operator> <"Ans Q 6">
Question 8: When did the user in (6) click on the link? Provide an exact timestamp.
Table
| where <field> <operator> <"Ans Q 6">
| where <field> <operator> "invasion.xyz"
Question 9: What is the hostname of the user in (6)?
Table
| where <field> <operator> <"Ans Q 7">
| project <field>
Or
Table
| where <field> <operator> <"Ans Q 7">
Question 10: Did the user in (6) download the file on the link? (yes/no)
Table
| where <field> <operator> "Flight-Crew-Information.xls"
| where <field> <operator> <"Ans Q 9">
Question 11: How many total emails were sent by the email address in (1)?
Table
| where <field> <operator> <"Ans Q 1">
| <field> <operator>
| count
Question 12: How many unique filenames were sent by the email address in (1)?
The query extracts the last section of each URL in the link column, keeps only the distinct values, and counts them. Step by step:
where sender == "tethys@pocketbook.xyz": filters the data to only the rows where the sender column equals "tethys@pocketbook.xyz", i.e. it narrows the results down to emails sent by that specific sender.
project LastSection = tostring(split(link, '/')[array_length(split(link, '/')) - 1]): creates a new column called LastSection. The split() function splits the link column on the forward slash ('/') delimiter, array_length() returns the length of the resulting array, and subtracting 1 from that length gives the index of the last section, which is assigned to LastSection. tostring() explicitly casts the value to a string.
distinct LastSection: keeps only the unique values in the LastSection column, removing duplicates to give a distinct list of the last sections extracted from the URLs.
count: counts the number of distinct LastSection values, i.e. how many unique last sections were found.
Email
| where sender == <"Ans Q 1">
| project LastSection = tostring(split(link, '/')[array_length(split(link, '/')) - 1])
| distinct LastSection
| count
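The Q12 pipeline re-implemented in Python over a few constructed Email rows, as an added example that is not part of this write-up or of the KC7 module (the links and the second sender are made up). It mirrors the KQL steps and also shows why a bare split on '/' can over-count when a link carries a query string or a trailing slash.

```python
from urllib.parse import urlsplit

# Constructed sample rows with the two KC7 Email columns that Q12 relies on
# (sender, link). The link values are made up for this example.
EMAILS = [
    {"sender": "tethys@pocketbook.xyz", "link": "https://invasion.xyz/files/Flight-Crew-Information.xls"},
    {"sender": "tethys@pocketbook.xyz", "link": "https://invasion.xyz/files/Flight-Crew-Information.xls"},
    {"sender": "tethys@pocketbook.xyz", "link": "https://invasion.xyz/files/Crew-Roster.docx?dl=1"},
    {"sender": "tethys@pocketbook.xyz", "link": "https://invasion.xyz/files/Crew-Roster.docx"},
    {"sender": "other@example.com", "link": "https://example.com/share/Other.pdf"},
]


def last_section_kql(link: str) -> str:
    """Literal equivalent of split(link, '/')[array_length(split(link, '/')) - 1]."""
    parts = link.split("/")
    return parts[len(parts) - 1]


def last_section_url(link: str) -> str:
    """Same idea, but parse the URL first so '?dl=1', '#frag' and a trailing
    slash do not leak into the extracted file name."""
    path = urlsplit(link).path.rstrip("/")
    return path.rsplit("/", 1)[-1]


def unique_filenames(rows, sender, extract=last_section_kql):
    """Mirror of: where sender == X | project LastSection | distinct LastSection.
    Returns the sorted distinct sections; len() of it is the '| count' result."""
    sections = {extract(r["link"]) for r in rows if r["sender"] == sender}
    return sorted(sections)


if __name__ == "__main__":
    sender = "tethys@pocketbook.xyz"
    print("naive split :", unique_filenames(EMAILS, sender))
    print("url-parsed  :", unique_filenames(EMAILS, sender, last_section_url))
```

On these rows the naive split reports three "unique" files while the URL-aware version reports two, so when your count looks too high, check the links for query strings before trusting it.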
Question 13: What domain did the email address in (1) use to target Richard Clements?
Let’s find the email address of Richard Clements.
Employees
| where name == "Richard Clements"
| project email_addr
Email
| where sender == <"Ans Q 1">
| where recipient == <"Richard Clements Email Address">
| project link
Question 14: When did Richard Clements click on the link sent by the sender in (1)?
First, find the ip_addr for Richard Clements, then check when Richard clicked on the link.
Employees
| where name == "Richard Clements"
| project ip_addr
Table
| where src_ip == "<Richard Clements' ip_addr>"
| where url contains "<Ans Q 13>"
| project timestamp
Question 15: When did Richard Clements download the file in the link?
Table
| where hostname contains "<Richard Clements' hostname>"
| where filename contains "<Ans Q 5>"
| project timestamp
Question 16: What was the name of the file that Richard Clements downloaded (after clicking on the link?)
Table
| where hostname == "<Richard Clements' hostname>"
| where filename contains "<Ans Q 5>"
| project filename
Question 17: What file was observed on Richard Clements' machine immediately after he downloaded the file in (16)? Provide the full path.
Table
| where hostname contains "<Richard Clements' hostname>"
| where timestamp > datetime(Ans Q 15)
| sort by timestamp asc
| project path
| limit 1
Question 18: What was the Sha256 hash of the file in (17)?
Table
| where hostname == "<Richard Clements' hostname>"
| where timestamp > datetime(Ans Q 15)
| sort by timestamp asc
| project path, sha256
| limit 1
Question 19: The hash in (18) can be found on virustotal.com. Virustotal is a malware repository used by many security researchers. What is the reported name of this file on Virustotal?
Question 20: What is the popular threat label for the file in (18) on Virustotal.com?
VirusTotal Fundamentals - Specialized tools are handy - if you know how to use them.
Question 21: How many processes were spawned on Richard Clements' machine by the file in (18)?
Table
| where hostname == "<Richard Clements' hostname>"
| where <field> <operator> "<Ans Q 18>"
| count
Question 22: The file in (18) established a remote connection from Richard Clements' machine to an external IP over port 443. What was this IP?
Table
| where hostname == "<Richard Clements' hostname>"
| where <field> <operator> "<Ans Q 18>"
| where process_commandline contains "443"
Question 23: Shortly after the malware ran, the attackers came back to Richard’s machine to enumerate Enterprise Admins. What command did they run?
Table
| where hostname == "<Richard Clements' hostname>"
| where process_commandline contains "Enterprise Admins"
| project process_commandline
Question 24: What commands did the attackers run to dump credentials on Richard's machine?
Table
| where hostname == "<Richard Clements' hostname>"
| where timestamp > datetime(2023-03-04T07:50:39.76128Z)
| sort by timestamp asc
Question 25: The attackers enumerated the contents of this folder (name) on Richard's machine and dumped the contents to a text file.
Table
| where hostname == "<Richard Clements' hostname>"
| where process_commandline contains "txt"
Question 26: How many machines have similar commands connecting to C2 (command and control) channels as those observed in (22)?
Table
| where <field> <operator> "rundll32.exe" and <field> <operator> ":443"
| distinct hostname
| count
Question 27: How many unique implants were used to establish these C2 connections?
Table
| where <field> <operator> "rundll32.exe" and <field> <operator> ":443"
| distinct parent_process_hash
| count
Question 28: One of these C2 connections was observed on hostname 0KYU-DESKTOP. When did this occur?
ProcessEvents
| where <field> <operator> "rundll32.exe" and <field> <operator> ":443"
| where hostname == "0KYU-DESKTOP"
| project timestamp
Question 29: On hostname 0KYU-DESKTOP, attackers ran this command to delete data backups.
Table
| where <field> <operator> "del"
| where hostname == "0KYU-DESKTOP"
Question 30: It is likely that the observed actor (the one responsible for the activity seen in 29) conducted this type of destructive attack.
Community Help
Join the KC7 Discord (#up-up-and-away) to discuss the module.