This post is a write-up, or rather a set of clues, on how to resolve the KC7 investigation case Balloons Over Iowa - Section 2: Aliens 👽. You can use it as a guide when you get stuck, as it is structured as a fill-in-the-blanks solution.
Section 4:
Question 1: How many emails contained the domain database.io?
Table
| where <field> <operator> "database.io"
| <operator>
Question 2: What IP does the domain database.io resolve to?
Table
| where <field> <operator> "database.io"
| project ip
Question 3: How many domains resolve to the same IP as database.io?
Table
| where <field> <operator> "<Ans Q 2>"
| distinct <field>
| <operator>
Question 4: How many emails contained domains sharing the same IP as database.io?
let _Susdomains =
Table
| where <field> <operator> "<Ans Q 2>"
| distinct <field>;
Table
| where <field> <operator> (_Susdomains)
| <operator>
Question 5: What was the most prevalent sender of the emails found in question 4?
let _Susdomains =
Table
| where ip has "176.167.219.168"
| <operator> <field>;
Table
| where <field> <operator> (_Susdomains)
| summarize _EmailCount = count() by sender
| order by _EmailCount desc
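The queries for questions 4 and 5 share one KQL pattern: materialise a set of values with let ... distinct, then filter a second table against that set. The following is an added, complete version of that pattern, not code from the write-up or from KC7; the table names DnsRecords and MailEvents, the column names, and the IP 203.0.113.10 (a documentation-range address) are assumptions for illustration only.

```kql
// Added example (not from the write-up): pivot from one IP to every domain
// that resolves to it, then rank senders of mail that mentions those domains.
// Table and column names are assumptions; the IP is a constructed value.
let pivot_ip = "203.0.113.10";
let sus_domains =
    DnsRecords
    | where ip == pivot_ip                 // exact match, no substring hits
    | distinct domain;                     // one row per resolving domain
MailEvents
| where sender has_any (sus_domains)       // sender contains any suspicious domain
| summarize email_count = count() by sender
| order by email_count desc                // most prevalent sender first
| take 1
```

Using == on the IP rather than has avoids matching on individual octets, and has_any against the tabular let result does the same job as the (_Susdomains) blank in the write-up without hard-coding the domain list.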
Question 6: How many total emails were sent by the sender found in question 5?
Table
| where <field> <operator> "<Ans Q 5>"
| count
Question 7: What was the most prevalent email subject used by the sender found in question 5?
Table
| where <field> <operator> "<Ans Q 5>"
| distinct subject
Question 8: Which user named Carolyn clicked on a link containing the domain hardware.com? (Provide full name)
let _userclick =
Table
| where <field> <operator> "hardware.com"
| distinct src_ip;
Table
| where <field> <operator> (_userclick) and <field> <operator> "Carolyn"
| project name
Question 9: What attacker IP was used to login to Carolyn’s account after she clicked the link?
Table
| where <field> <operator> "caschaeffer"
| project src_ip, result
Question 10: How many accounts did the attacker try to log into (successfully or unsuccessfully) from the IP in question 9?
Table
| where <field> <operator> "<Ans Q 9>"
| count
Question 11: What filename did they save the data to?
Table
| where <field> <operator> "<Ans Q 9>"
| project <field>
Question 12: When did the attackers exfiltrate data from Carolyn’s email?
Table
| where <field> <operator> "<Ans Q 9>"
| project timestamp
Question 13: What IP does the domain hardware.com resolve to?
Table
| where <field> <operator> "hardware.com"
| project ip
Question 14: What is the first URL the attackers browsed to from this IP?
Table
| where <field> <operator> "<Ans Q 9>"
| project url
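Questions 12 and 14 both reduce to ordering one IP's activity by time. Here is an added example of that step, not code from the write-up or from KC7; the table name WebRequests, the column names, and the IP 203.0.113.10 are assumptions for illustration.

```kql
// Added example (not from the write-up): the earliest request made from a
// given source IP, with its timestamp. Table and column names are assumptions;
// the IP is a constructed, documentation-range value.
let attacker_ip = "203.0.113.10";
WebRequests
| where src_ip == attacker_ip              // only this source's traffic
| where isnotempty(url)                    // drop rows with no URL recorded
| top 1 by timestamp asc                   // oldest row first
| project timestamp, url
```

top 1 by timestamp asc is equivalent to order by timestamp asc | take 1; projecting both columns answers the "when" and "which URL" questions from one query.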
Question 15: Which stage of an attack does the behavior seen in question 14 belong to?
Community Help
Join the KC7 Discord (#up-up-and-away) to discuss the module.