This post is a write-up, or rather a set of clues, for solving the KC7 investigation case Balloons Over Iowa, Section 3: TopSecret 🤫. Use it as a guide whenever you get stuck: it is structured as a fill-in-the-blanks solution, so table names, fields and operators are left as placeholders for you to work out.

Section 3:

Question 1: On 2023-02-19 at 05:02, Son Johnson downloaded a suspicious Word document file. What was the name of this file?

The question gives us the timestamp (2023-02-19 at 05:02) and the user name (Son Johnson). When we expand the BalloonsOverIowa database we can observe that the FileCreationEvents table has a filename string column, but it has no employee name column. To find the Word document we therefore first look up the employee's hostname, which lives in the Employees table, and then query FileCreationEvents by that hostname.

Table
| where <field> <operator> "Son Johnson"
| <operator> <field>
Table
| where <field> <operator> "<Son Johnson hostname>"
  and <field> <operator> "doc"
  and <field> >= datetime(2023-02-19 05:02)
| <operator> <field>, <field>

The same lookup can be done in a single KQL query using a let statement:

let _victim = "Son Johnson";
let _hostname = Table
| where name == _victim
| <operator> <field>;
Table
| where <field> <operator> (_hostname)
| where <field> > datetime(2023-02-19T05:02)
| where <field> <operator> "doc"
| <operator> <field>;

File format reference for Word, Excel, and PowerPoint
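The two-step lookup described above (employee name to hostname, then hostname to file creation events), as an added example that is not part of the write-up. It follows the table and column names the write-up uses (Employees, FileCreationEvents, hostname, filename), but every row is constructed in-line with datatable so the query runs in any Kusto sandbox; the names, hosts, times and hash placeholders are invented and do not come from the KC7 data.

```kql
// Added example, not the write-up's query. Employees and FileCreationEvents are
// constructed in-line; all values below are invented placeholders.
let Employees = datatable(name:string, hostname:string, ip_addr:string, role:string)
[
    "Son Johnson", "SJ-LAPTOP", "10.10.0.5", "Analyst",
    "Julie Wells", "JW-LAPTOP", "10.10.0.6", "Finance"
];
let FileCreationEvents = datatable(timestamp:datetime, hostname:string, username:string, filename:string, sha256:string)
[
    datetime(2023-02-19 04:55:00), "SJ-LAPTOP", "sjohnson", "report.pdf",         "HASH-PLACEHOLDER-1",
    datetime(2023-02-19 05:02:10), "SJ-LAPTOP", "sjohnson", "Q1_Bonus_Plan.docm", "HASH-PLACEHOLDER-2",
    datetime(2023-02-19 05:10:00), "JW-LAPTOP", "jwells",   "budget.docx",        "HASH-PLACEHOLDER-3"
];
let _victim = "Son Johnson";
// Step 1: resolve the employee name to a hostname. A tabular let combined with
// `in (...)` below also works when the employee has more than one device.
let _hostname = Employees
| where name == _victim
| project hostname;
// Step 2: Word documents created on that host at or after the stated time.
// `has "doc"` matches whole terms only, so it would silently miss .docx and
// .docm files; match the extension explicitly (macro-enabled .docm is the
// variant worth flagging first).
FileCreationEvents
| where hostname in (_hostname)
| where timestamp >= datetime(2023-02-19 05:02)
| where filename endswith ".doc" or filename endswith ".docx" or filename endswith ".docm"
| project timestamp, hostname, username, filename, sha256
| order by timestamp asc
```

Against the constructed rows only the .docm file on SJ-LAPTOP survives the filters; the PDF is dropped by the extension check and the other employee's .docx by the hostname lookup.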

Question 2: From which domain did Son Johnson download the file identified in (1)?

For Son Johnson to download the file, their machine had to make an outbound network connection to retrieve it. The OutboundNetworkEvents table cannot be searched by user name, but it can be searched by src_ip, and the src_ip of an employee's device is found in the Employees table.

Table
| where <field> <operator> "Son Johnson"
| <operator> <field>
Table
| where <field> <operator> <"Son Johnson ip_addr">
and <field> <operator> <"Ans Q 1">
| extend Domain = parse_url(url).Host
| <operator> Domain

KQL | Advance Series | Parsing Strings Part 1
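The pivot from employee to src_ip to outbound request, with parse_url() used to pull the host out of the URL, as an added example that is not part of the write-up. The table and column names follow those used on the page (Employees, OutboundNetworkEvents, src_ip, url); the rows, IPs and domains are constructed in-line and are not real KC7 data.

```kql
// Added example, not the write-up's query; all rows and values are constructed.
let Employees = datatable(name:string, hostname:string, ip_addr:string)
[
    "Son Johnson", "SJ-LAPTOP", "10.10.0.5",
    "Julie Wells", "JW-LAPTOP", "10.10.0.6"
];
let OutboundNetworkEvents = datatable(timestamp:datetime, src_ip:string, url:string, method:string)
[
    datetime(2023-02-19 05:01:50), "10.10.0.5", "https://news.example.com/story?id=42",                    "GET",
    datetime(2023-02-19 05:02:00), "10.10.0.5", "https://cdn.example.net:8443/dl/Q1_Bonus_Plan.docm",      "GET",
    datetime(2023-02-19 05:02:30), "10.10.0.6", "https://cdn.example.net/dl/Q1_Bonus_Plan.docm",           "GET"
];
let _victim = "Son Johnson";
let _file = "Q1_Bonus_Plan.docm";
// Step 1: the Employees table is the only place that ties a person to a src_ip.
// toscalar() turns the single-row result into a scalar usable in a where clause.
let _victim_ip = toscalar(Employees | where name == _victim | project ip_addr);
// Step 2: outbound requests from that IP whose URL carries the file name.
// parse_url() returns a dynamic object. Host is the host name without the port,
// so URLs that differ only by port collapse to the same domain; Port and Path
// are kept separately for context.
OutboundNetworkEvents
| where src_ip == _victim_ip and url contains _file
| extend parsed = parse_url(url)
| extend Domain = tostring(parsed.Host), Port = tostring(parsed.Port), Path = tostring(parsed.Path)
| project timestamp, src_ip, Domain, Port, Path
```

Only the second row matches: it is the only request from the victim's IP whose URL contains the file name, and the Domain column carries cdn.example.net without the :8443 port suffix.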

Question 3: What IP address does the domain identified in (2) resolve to?

Table
| where <field> <operator> <"Ans Q 2">
| <operator> <field>

Question 4: What time was the resolution seen in (3) recorded in Passive DNS data? (enter exact timestamp)

Table
| where <field> <operator> <"Ans Q 2">
| <operator> <field>

Question 5: What other Top Level Domain (TLD) such as .com, .org etc. is used by the domains hosted on the IP identified in (3)?

Table
| where <field> <operator> <"Ans Q 3">
  and (<field> !hassuffix "com" and <field> !hassuffix "org")
| <operator> <field>

Question 6: How many domains resolve to the IP identified in (3)?

Table
| where <field> <operator> <"Ans Q 3">
| <operator> <field>
| <operator>

Question 7: One of the domains identified in (6) resolves to an IP that starts with 194. What is this IP?

let _TargetDomains = PassiveDns
| where <field> <operator> <"Ans Q 3">
| project <field>;
Table
| where <field> <operator> (_TargetDomains)
  and <field> != <"Ans Q 3">
| <operator> <field>, <field>

Alternatively, we can use startswith, since the question gives us the beginning of the IP address.

let _TargetDomains = Table
| where <field> <operator> <"Ans Q 3">
| <operator> <field>;
Table
| where <field> <operator> (_TargetDomains)
and <field> <operator> "194"
| <operator> <field>, <field>
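The Passive DNS pivots behind questions 3 to 7 (IP to domains, TLD breakdown, distinct-domain count, then domains back to other IPs filtered with startswith), as one added example that is not part of the write-up. The PassiveDns table and its ip/domain/timestamp columns follow the names used on the page; the rows use IANA-reserved example domains and documentation IP ranges and are constructed, not KC7 data.

```kql
// Added example, not the write-up's query; every PassiveDns row is constructed.
let PassiveDns = datatable(timestamp:datetime, ip:string, domain:string)
[
    datetime(2023-02-01 10:00:00), "203.0.113.10", "example.com",
    datetime(2023-02-02 10:00:00), "203.0.113.10", "example.org",
    datetime(2023-02-03 10:00:00), "203.0.113.10", "example.net",
    datetime(2023-02-04 10:00:00), "203.0.113.10", "www.example.net",
    datetime(2023-02-05 10:00:00), "194.0.2.77",   "example.net",
    datetime(2023-02-06 10:00:00), "198.51.100.9", "example.org"
];
let _target_ip = "203.0.113.10";
// Q3/Q4/Q6: every domain seen on the IP, with the time the resolution was first
// recorded. One row per domain, so the row count is the distinct-domain count.
// Q5: the TLD is the last label; split() yields a dynamic array and index -1
// reads it from the end. Compare with the write-up's `!hassuffix "com"` filter,
// which answers the same question by exclusion.
let _hosted = PassiveDns
| where ip == _target_ip
| summarize recorded = min(timestamp) by domain
| extend tld = tostring(split(domain, ".")[-1]);
// Q7: pivot those domains to every other IP they have resolved to, and keep a
// separate set of the ones in the 194. range.
_hosted
| join kind=leftouter (
    PassiveDns
    | where ip != _target_ip
    | summarize other_ips = make_set(ip), ips_194 = make_set_if(ip, ip startswith "194.") by domain
  ) on domain
| project domain, tld, recorded, other_ips, ips_194
| order by domain asc
```

With the constructed rows this yields four domains (so the Q6-style count is 4), the tld column shows com, org and net, and only example.net carries a 194. address in ips_194; the leftouter join keeps domains that never resolved elsewhere, with an empty set instead of dropping them.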

Question 8: The attackers performed reconnaissance against our organization using the IP identified in (7). As part of this reconnaissance, the attackers searched for a three-word phrase. What was this phrase?

The attacker is not inside our network; the connections come from outside, so the relevant table is the one that records connections coming into our network rather than outbound ones.

Table
| where <field> <operator> <"Ans Q 7">

dfir.blog unfurl
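Pulling the searched phrase out of an inbound request URL with parse_url(), as an added example that is not part of the write-up. The inbound table name and its columns are an assumption modelled on the outbound table the page uses; the attacker IP, site and queries are constructed, and the three-word phrase here is invented rather than the KC7 answer.

```kql
// Added example, not the write-up's query. The table, the 194.0.2.77 address
// and the URLs are constructed placeholders.
let InboundNetworkEvents = datatable(timestamp:datetime, src_ip:string, method:string, url:string, user_agent:string)
[
    datetime(2023-02-10 11:02:00), "194.0.2.77", "GET", "https://balloonsoveriowa.example/search?q=launch+schedule+2023", "Mozilla/5.0",
    datetime(2023-02-10 11:03:10), "194.0.2.77", "GET", "https://balloonsoveriowa.example/search?q=employee%20directory", "Mozilla/5.0",
    datetime(2023-02-10 11:05:00), "194.0.2.77", "GET", "https://balloonsoveriowa.example/careers",                        "Mozilla/5.0"
];
let _recon_ip = "194.0.2.77";
InboundNetworkEvents
| where src_ip == _recon_ip
| extend parsed = parse_url(url)
// "Query Parameters" is a property bag keyed by parameter name; requests
// without a q parameter come back empty and are dropped.
| extend q_raw = tostring(parsed["Query Parameters"]["q"])
| where isnotempty(q_raw)
// Form-encoded spaces arrive as '+'; percent escapes are handled by url_decode().
| extend phrase = url_decode(replace_string(q_raw, "+", " "))
| extend words = array_length(split(phrase, " "))
| project timestamp, src_ip, path = tostring(parsed.Path), phrase, words
| order by timestamp asc
```

The words column makes the "three-word phrase" wording of the question directly filterable (`| where words == 3`), and the same parse works for any parameter name once you know which one the site uses for search.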

Question 9: Just before downloading the file identified in (1), Son Johnson browsed to a domain. What was this domain?

The answer is a domain name, and the question gives us three data points:

  1. timestamp before the file was downloaded.
  2. User name is Son Johnson.
  3. We need a domain.

We need the timestamp, which we can take from the question 1 query, and the ip_addr, which comes from the Employees table.

Table
| where src_ip == "<Son Johnson ip_addr>"
and timestamp < datetime(<Ans Q 1>)
| order by timestamp desc

I took on the challenge of getting the results in one query by using let.

let _initialEventTimestamp = OutboundNetworkEvents
| where src_ip == "<Son Johnson ip_addr>" and url contains "<Ans Q1>"
| project timestamp;
OutboundNetworkEvents
| where src_ip == "<Son Johnson ip_addr>" and timestamp < toscalar(_initialEventTimestamp)
| extend _DomainName = parse_url(url).Host
| project timestamp, src_ip, _DomainName
| order by timestamp desc 

Question 10: What kind of attack was Son Johnson a victim of?

T1189

Question 11: How many different domains did the attackers use in this kind of attack? (The attack type identified in [10])

Table
| where url has "<Ans Q 9>?redirect"
| distinct url
| count 

Question 12: How many employees at Balloons Over Iowa were victims of this kind of attack? (The attack type identified in [10])

Table
| where url has "<Ans Q 9>?redirect"
| distinct src_ip
| count 

Question 13: How many different employee roles did the attackers target using this type of attack? (The attack type identified in [10])

let _EmployeeIP = 
Table
| where url has "<Ans Q 9>?redirect"
| distinct src_ip;
Table
| where ip_addr in (_EmployeeIP)
| distinct role
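Scoping the drive-by campaign in one pass (distinct redirect domains, distinct victims, distinct roles), as an added example that is not part of the write-up. It uses the page's table and column names (OutboundNetworkEvents, Employees, src_ip, ip_addr, role); the landing-page domain, redirect targets and employees are constructed. One caveat it illustrates: counting `distinct url` as the write-up does over-counts when a redirect domain appears under more than one URL, so the domain count here is taken from the parsed host of the redirect target instead.

```kql
// Added example, not the write-up's query; every row is constructed.
let Employees = datatable(name:string, ip_addr:string, role:string)
[
    "Son Johnson", "10.10.0.5", "Analyst",
    "Julie Wells", "10.10.0.6", "Finance",
    "Ada Lin",     "10.10.0.7", "Analyst",
    "Tom Reyes",   "10.10.0.8", "Pilot"
];
let OutboundNetworkEvents = datatable(timestamp:datetime, src_ip:string, url:string)
[
    datetime(2023-02-19 05:01:50), "10.10.0.5", "https://news.example.com/story?id=42",
    datetime(2023-02-19 05:01:55), "10.10.0.5", "https://news.example.com/?redirect=https://cdn1.example.net/x",
    datetime(2023-02-19 05:02:00), "10.10.0.5", "https://cdn1.example.net/dl/Q1_Bonus_Plan.docm",
    datetime(2023-02-20 09:00:00), "10.10.0.6", "https://news.example.com/?redirect=https://cdn2.example.net/y",
    datetime(2023-02-21 14:00:00), "10.10.0.7", "https://news.example.com/?redirect=https://cdn1.example.net/z",
    datetime(2023-02-22 08:00:00), "10.10.0.8", "https://news.example.com/story?id=7"
];
let _landing = "news.example.com";   // the domain from Q9, constructed here
// Every hit on the landing page that carried the redirect parameter. The
// redirect target is itself a URL, so parse it a second time for its host.
let _redirects = OutboundNetworkEvents
| where tostring(parse_url(url).Host) == _landing and url contains "?redirect="
| extend target = tostring(parse_url(url)["Query Parameters"]["redirect"])
| extend target_domain = tostring(parse_url(target).Host);
// Q11: distinct redirect domains; Q12: distinct victim IPs; Q13: distinct roles
// after joining victims back to the Employees table on their ip_addr.
_redirects
| join kind=inner (Employees) on $left.src_ip == $right.ip_addr
| summarize redirect_domains = dcount(target_domain),
            victims = dcount(src_ip),
            roles = dcount(role),
            role_list = make_set(role),
            first_seen = min(timestamp)
```

On the constructed data this returns a single row with 2 redirect domains (cdn1 and cdn2; the two cdn1 URLs with different paths are not double-counted), 3 victims and 2 roles (Analyst, Finance); the Pilot never hit the redirect and does not appear.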

Question 14: You have received an alert that this employee's device (hostname 3CIU-LAPTOP) may have malware on it involving this hash: 4c199019661ef7ef79023e2c960617ec9a2f275ad578b1b1a027adb201c165f3, which was the parent of suspicious processes. What is the name of the file?

Table
| where <field> <operator> "4c199019661ef7ef79023e2c960617ec9a2f275ad578b1b1a027adb201c165f3"
| where hostname == "3CIU-LAPTOP"
| distinct parent_process_name

Question 15: What is the username associated with the device found in 14?

Reuse the query from question 14, but return the username instead of the parent process name.

Table
| where <field> <operator> "4c199019661ef7ef79023e2c960617ec9a2f275ad578b1b1a027adb201c165f3"
| where hostname == "3CIU-LAPTOP"
| distinct username

Question 16: What is the role of (15) in the organization?

Take the username or the hostname from the previous query and look it up in the Employees table.

Table
| where hostname has "3CIU-LAPTOP"
| project role

Question 17: You observe that this file (from 14) is launching a process on 3CIU-LAPTOP named rundll32.exe with an external IP address. What is that IP address?

Table
| where parent_process_hash == "4c199019661ef7ef79023e2c960617ec9a2f275ad578b1b1a027adb201c165f3"
| where <field> <operator> "3CIU-LAPTOP"
| where process_name has "rundll32.exe"
| project process_commandline
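Questions 14 to 17 as one process-tree query (children of a given parent hash on a host, the account and role behind them, and the IP pulled out of the rundll32 command line with extract()), as an added example that is not part of the write-up. Column names follow the page (parent_process_hash, parent_process_name, process_name, process_commandline, hostname, username, role); the hash is a labelled placeholder, not the one from the question, and the usernames, file name and IPs are constructed.

```kql
// Added example, not the write-up's query. The hash, file name, accounts and
// IPs are constructed placeholders.
let Employees = datatable(hostname:string, username:string, role:string)
[
    "3CIU-LAPTOP", "adavis", "Accounting",
    "JW-LAPTOP",   "jwells", "Finance"
];
let ProcessEvents = datatable(timestamp:datetime, hostname:string, username:string,
    parent_process_name:string, parent_process_hash:string,
    process_name:string, process_commandline:string)
[
    datetime(2023-02-19 05:03:00), "3CIU-LAPTOP", "adavis", "invoice_viewer.exe", "HASH-PLACEHOLDER-PARENT",   "rundll32.exe", @"rundll32.exe C:\Users\Public\helper.dll,Run 198.51.100.23:443",
    datetime(2023-02-19 05:03:05), "3CIU-LAPTOP", "adavis", "invoice_viewer.exe", "HASH-PLACEHOLDER-PARENT",   "cmd.exe",      "cmd.exe /c whoami",
    datetime(2023-02-19 05:04:00), "3CIU-LAPTOP", "adavis", "explorer.exe",       "HASH-PLACEHOLDER-EXPLORER", "notepad.exe",  "notepad.exe notes.txt",
    datetime(2023-02-19 06:00:00), "JW-LAPTOP",   "jwells", "invoice_viewer.exe", "HASH-PLACEHOLDER-PARENT",   "rundll32.exe", @"rundll32.exe C:\Users\Public\helper.dll,Run 198.51.100.24:443"
];
let _parent_hash = "HASH-PLACEHOLDER-PARENT";
let _host = "3CIU-LAPTOP";
ProcessEvents
| where hostname == _host and parent_process_hash == _parent_hash
// Q14/Q15/Q16: parent_process_name is the file, username the account, and the
// role comes from Employees (leftouter so an unknown host is not dropped).
| join kind=leftouter (Employees | project hostname, role) on hostname
// Q17: first IPv4 literal in the rundll32 command line. extract() returns
// capture group 1 or an empty string; the regex is deliberately loose
// (it is for hunting, not for validating an address).
| extend remote_ip = iff(process_name =~ "rundll32.exe",
    extract(@"\b(\d{1,3}(?:\.\d{1,3}){3})\b", 1, process_commandline), "")
| project timestamp, hostname, username, role, parent_process_name, process_name, remote_ip, process_commandline
| order by timestamp asc
```

Two rows come back for 3CIU-LAPTOP (the rundll32 child with remote_ip 198.51.100.23 and the cmd.exe child with an empty remote_ip); the explorer-spawned notepad and the other host's activity are excluded by the hash and hostname filters.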

Question 18:

Cyber Kill Chain

Question 19: Investigating compromised devices in the org you find malicious activity using a tool called rclone. What domain is listed in its command line on Julie Well’s device?

Table
| where process_commandline contains "rclone"
| where username contains "wells"
| project process_commandline

Question 20: What IP address does (19) resolve to?

Table
| where <field> <operator> "131.102.77.156"

Question 21: How many total domains have also resolved to this IP (the one found in 20)?

Table
| where <field> <operator> "131.102.77.156"
| count 

Question 22: What does the command found in (19) represent? (Hint: It’s a MITRE ATT&CK Tactic)

Search ATT&CK (attack.mitre.org) for techniques that use rclone.exe.

T1567.002

Question 23: How many other devices on the org had similar threat activity using rclone on them?

Table
| where <field> <operator> "rclone"
| distinct hostname
| count

Question 24: The attackers disabled Defender (antivirus) on some devices in the network. How many systems did they do this on?

Table
| where <field> <operator> "cmd.exe powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"
| distinct <field>
| count 
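A single hunt over process command lines that covers questions 19, 23 and 24 (rclone activity with the remote host it was pointed at, and Defender real-time monitoring being disabled, each counted per device), as an added example that is not part of the write-up. Column names follow the page (hostname, username, process_name, process_commandline); hosts, accounts, command lines and the remote domain are constructed. It also shows why matching the whole command line as one literal, as the question 24 template does, is fragile: the constructed rows vary the spacing, casing and extra arguments, and only the term-based has_all catches all of them.

```kql
// Added example, not the write-up's query; every row is constructed.
let ProcessEvents = datatable(timestamp:datetime, hostname:string, username:string, process_name:string, process_commandline:string)
[
    datetime(2023-02-20 01:10:00), "JW-LAPTOP",    "jwells", "rclone.exe",     @"rclone.exe copy C:\Finance\ :webdav: --webdav-url https://files.example.net/dav",
    datetime(2023-02-20 01:15:00), "GWB7-DESKTOP", "gwb",    "rclone.exe",     @"rclone.exe sync C:\Users\gwb\Documents :webdav: --webdav-url https://files.example.net/dav",
    datetime(2023-02-19 23:50:00), "3CIU-LAPTOP",  "adavis", "powershell.exe", "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true",
    datetime(2023-02-20 00:40:00), "GWB7-DESKTOP", "gwb",    "cmd.exe",        "cmd.exe /c powershell.exe -NoProfile Set-MpPreference  -DisableRealtimeMonitoring $True",
    datetime(2023-02-20 02:00:00), "JW-LAPTOP",    "jwells", "notepad.exe",    "notepad.exe budget.txt"
];
let _activity = ProcessEvents
// has / has_all match whole terms and terms are split on punctuation, so the
// bare terms are used ("rclone" matches rclone.exe, "MpPreference" matches
// Set-MpPreference) regardless of spacing, casing or extra switches.
| extend activity = case(
    process_commandline has "rclone", "rclone_exfil",
    process_commandline has_all ("MpPreference", "DisableRealtimeMonitoring"), "defender_realtime_disabled",
    "")
| where isnotempty(activity)
// Q19: the remote endpoint in the rclone command line (host part of the first URL).
| extend remote_host = extract(@"https?://([^/\s]+)", 1, process_commandline);
// Q23/Q24: how many distinct devices show each activity, and where.
_activity
| summarize hosts = dcount(hostname),
            host_list = make_set(hostname),
            remote_hosts = make_set_if(remote_host, isnotempty(remote_host)),
            first_seen = min(timestamp)
  by activity
```

The constructed data yields two rows: rclone_exfil on 2 hosts with remote_hosts containing files.example.net, and defender_realtime_disabled on 2 hosts, where the second Defender row would have been missed by an exact string comparison because of the -NoProfile switch, the double space and the $True capitalisation.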

Question 25: A member of your investigation team reported that host GWB7-DESKTOP was compromised. What is the timestamp of the earliest suspicious process event you observe on this device? (Paste full timestamp)

Table
| where <field> <operator> "GWB7-DESKTOP"
| where <field> < datetime(2023-02-07T16:57:39.580296Z)
| sort by <field> asc

Question 26: What is the command and control (C2) IP address observed on GWB7-DESKTOP

The IP address appears in the process_commandline of the rundll32.exe process in the results of the query for Q25.

Question 27: What is the timestamp of the earliest Passive DNS resolution seen on the IP found in (26)?

Table
| where <field> <operator> "179.175.35.248"
| sort by <field> asc

Question 28: Which of the domains hosted on the IP found in (26) resolve to the most number of unique IPs? If there is a tie, enter any one of the domains.

let _domainlist = Table
| where <field> == "179.175.35.248"
| distinct <field>;
PassiveDns
| where <field> <operator> (_domainlist)
| summarize _count_of_associated_domains = count() by <field>
| order by _count_of_associated_domains desc

Question 29: What is the domain using the “.air” TLD that resolves to the IP found in (26)?

let _domainlist = Table
| where <field> <operator> "179.175.35.248"
| distinct <field>;
PassiveDns
| where <field> <operator> (_domainlist)
| summarize _count_of_associated_domains = count() by <field>
| order by _count_of_associated_domains desc
| where <field> <operator> "air"

Question 30: The domain found in (29) resolves to an IP that starts with “144.” What is the hostname on which this IP was used for command and control?

Table
| where <field> <operator> "144."
| project <field>
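Questions 25 to 30 chained into one query (the earliest rundll32 on the compromised host and the C2 IP in its command line, the Passive DNS view of that IP with distinct-IP counts per domain, the ".air" domain, its "144." address, and the host whose command line used it), as an added example that is not part of the write-up. Table and column names follow the page (ProcessEvents, PassiveDns, hostname, process_commandline, ip, domain); the hosts, IPs, the ".air" domain and the timestamps are constructed and differ from the KC7 data. Note the distinction from the write-up's Q28 template: unique IPs per domain is dcount(ip), which differs from count() whenever the same resolution was recorded more than once.

```kql
// Added example, not the write-up's query; every row below is constructed.
let ProcessEvents = datatable(timestamp:datetime, hostname:string, process_name:string, process_commandline:string)
[
    datetime(2023-02-07 16:55:01), "GWB7-DESKTOP", "WINWORD.EXE",  @"WINWORD.EXE C:\Users\gwb\Downloads\invoice.docm",
    datetime(2023-02-07 16:57:39), "GWB7-DESKTOP", "rundll32.exe", @"rundll32.exe C:\Users\Public\helper.dll,Run 203.0.113.45:443",
    datetime(2023-02-07 17:02:00), "GWB7-DESKTOP", "cmd.exe",      "cmd.exe /c whoami",
    datetime(2023-02-09 12:00:00), "QXL2-LAPTOP",  "rundll32.exe", @"rundll32.exe C:\Users\Public\helper.dll,Run 144.0.2.9:443"
];
let PassiveDns = datatable(timestamp:datetime, ip:string, domain:string)
[
    datetime(2023-01-20 08:00:00), "203.0.113.45", "balloons-update.air",
    datetime(2023-01-22 08:00:00), "203.0.113.45", "example.org",
    datetime(2023-01-25 08:00:00), "203.0.113.45", "example.net",
    datetime(2023-02-01 08:00:00), "144.0.2.9",    "balloons-update.air",
    datetime(2023-02-03 08:00:00), "198.51.100.9", "balloons-update.air",
    datetime(2023-02-04 08:00:00), "198.51.100.9", "example.org"
];
let _host = "GWB7-DESKTOP";
// Q25/Q26: the earliest rundll32 on the host and the IP literal in its command line.
let _c2_ip = toscalar(
    ProcessEvents
    | where hostname == _host and process_name =~ "rundll32.exe"
    | order by timestamp asc
    | take 1
    | project c2 = extract(@"\b(\d{1,3}(?:\.\d{1,3}){3})\b", 1, process_commandline));
// Q27/Q28: every domain hosted on the C2 IP, its first resolution there, and how
// many distinct IPs it has ever resolved to (dcount over the whole table).
let _hosted = PassiveDns
| where ip == _c2_ip
| summarize first_resolution = min(timestamp) by domain
| join kind=inner (PassiveDns | summarize unique_ips = dcount(ip), all_ips = make_set(ip) by domain) on domain
| project domain, first_resolution, unique_ips, all_ips
| order by unique_ips desc;
// Q29: the ".air" domain; then its IP in the 144. range (mv-expand unpacks the set).
let _air_ip_144 = toscalar(
    _hosted
    | where domain endswith ".air"
    | mv-expand ip = all_ips to typeof(string)
    | where ip startswith "144."
    | project ip);
// Q30: the host whose command line used that IP. contains rather than has,
// because the dots split an IP into separate terms.
ProcessEvents
| where process_commandline contains _air_ip_144
| project seen = timestamp, hostname, process_name, c2_ip = _air_ip_144
```

With the constructed rows, _c2_ip becomes 203.0.113.45, balloons-update.air tops _hosted with 3 unique IPs, its 144. address is 144.0.2.9, and the final output names QXL2-LAPTOP as the host that used it. To answer Q25 on its own, replace the last stage with `ProcessEvents | where hostname == _host | summarize min(timestamp)`.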

Community Help

Join the KC7 Discord to discuss the module in the #up-up-and-away! channel.