This post is a walkthrough of the KC7 investigation case KC7 HopsNStuff - Section 3: Golden 🐇. Use it as a guide when you hit an obstacle or want to understand a question. There is usually more than one way to answer a question, so don't be afraid to explore your own path.

Section 3: Golden 🐇

Question 1: A law enforcement agency informed HopsNStuff that an adversary was attempting to gain access to their company. They said the actor may have sent a PDF file called **Ginger_beer_secret_recipe.pdf** in February of 2023. What hostname had this file first?

You aren't alone if you started by checking the Email table for links containing the file name. A better first step is the search operator, which tells you which tables contain the string at all:

search "Ginger_beer_secret_recipe.pdf"
| distinct $table

Based on the results, the FileCreationEvents table records the file being written to disk, so its earliest February row gives the hostname that had the file first.

FileCreationEvents
| where filename has "Ginger_beer_secret_recipe.pdf"
// between is inclusive on both ends, so use the first day of March as the upper
// bound; datetime(2023-02-28) would stop at midnight and drop most of Feb 28.
| where timestamp between (datetime(2023-02-01) .. datetime(2023-03-01))
| order by timestamp asc
| take 1

Question 2: When was this file created on the host machine?

You got this 😉.

Question 3: How many host machines total have a file with this observed filename (Ginger_beer_secret_recipe.pdf) ?

The question doesn't limit the time range, so drop the timestamp filter and take the distinct hostnames. The number of rows returned is the answer.

FileCreationEvents
| where filename has "Ginger_beer_secret_recipe.pdf"
| distinct hostname

Question 4: What is the role of the employees of those host machines?

let suspiciousHost = FileCreationEvents
| where filename has "Ginger_beer_secret_recipe.pdf"
| distinct hostname;
Employees
| where hostname in (suspiciousHost)
| distinct role

Question 5: Based on where the files are located on the hosts, how many files total are found within that same path? (Hint: count the total number of files across all the observed filepaths)

From the answer to the first question we know which table contains Ginger_beer_secret_recipe.pdf, so we can build on that query.

FileCreationEvents
| where filename has "Ginger_beer_secret_recipe.pdf"

The path column shows the file landing in each user's Downloads folder. To split a path into its directory, filename and extension, use the built-in KQL scalar function parse_path() (see the parse_path() Docs).

path
C:\Users\alstamos\Downloads\Ginger_beer_secret_recipe.pdf
C:\Users\brkrebs\Downloads\Ginger_beer_secret_recipe.pdf
C:\Users\crflyer\Downloads\Ginger_beer_secret_recipe.pdf
C:\Users\eukaspersky\Downloads\Ginger_beer_secret_recipe.pdf

Add the following two lines to project the directory part of each path and keep only the distinct folders:

| project FolderPath = parse_path(path).DirectoryPath
| distinct tostring(FolderPath)

Now store that query in FolderTarget with a let statement, then count every file creation whose path falls under one of those folders.

let FolderTarget =
FileCreationEvents
| where filename has "Ginger_beer_secret_recipe.pdf"
| project FolderPath = parse_path(path).DirectoryPath
| distinct tostring(FolderPath);
FileCreationEvents
| where path has_any (FolderTarget)
| count

The query above returns the number of file creation events recorded under the Downloads folders of the targeted users. Note that has_any is a term match, so any path that begins with one of those folders is counted, including files in subfolders of Downloads.
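As an added example (not part of the original walkthrough), the four paths listed above are placed in a datatable together with two constructed paths, so the query runs on any Kusto endpoint without the KC7 dataset. It shows the fields parse_path() returns and why the has_any match also catches a subfolder, whereas comparing DirectoryPath with in keeps only the exact Downloads folders:

```kusto
// Added example, not from the original walkthrough. The first four paths are the
// ones shown on the page; the last two are constructed to exercise the edge cases.
// Verbatim strings (@"...") keep the backslashes from being read as escapes.
let observed = datatable(path:string) [
    @"C:\Users\alstamos\Downloads\Ginger_beer_secret_recipe.pdf",
    @"C:\Users\brkrebs\Downloads\Ginger_beer_secret_recipe.pdf",
    @"C:\Users\crflyer\Downloads\Ginger_beer_secret_recipe.pdf",
    @"C:\Users\eukaspersky\Downloads\Ginger_beer_secret_recipe.pdf",
    @"C:\Users\alstamos\Downloads\old\notes.pdf",   // constructed: one level below Downloads
    @"C:\Users\alstamos\Documents\notes.pdf"        // constructed: same user, different folder
];
// Same construction as the walkthrough: the distinct folders that hold the recipe PDF.
let FolderTarget =
    observed
    | where tostring(parse_path(path).Filename) == "Ginger_beer_secret_recipe.pdf"
    | project FolderPath = parse_path(path).DirectoryPath
    | distinct tostring(FolderPath);
// Run both matching styles over the same rows and label which one produced each hit.
union
    (observed
     | where path has_any (FolderTarget)                                   // term match: 5 rows, includes old\notes.pdf
     | project method = "has_any", path),
    (observed
     | where tostring(parse_path(path).DirectoryPath) in (FolderTarget)    // exact folder: 4 rows
     | project method = "in", path)
| extend parsed = parse_path(path)
| project method,
          path,
          folder = tostring(parsed.DirectoryPath),   // e.g. C:\Users\alstamos\Downloads
          file   = tostring(parsed.Filename),        // e.g. Ginger_beer_secret_recipe.pdf
          ext    = tostring(parsed.Extension)        // e.g. pdf (no leading dot)
| order by method asc, path asc
```

The has_any branch returns five rows because the constructed old\notes.pdf path starts with one of the target folders; the in branch returns four. The Documents path matches neither. If the question's intent is "files in exactly those directories", the in comparison is the safer filter; if subfolders should count, has_any is right.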

Question 6: How many of those files are PDFs?

Insert | where filename endswith "pdf" before the | count of the previous query to keep only files with the pdf extension (endswith is case-insensitive, so .PDF is matched as well).

let FolderTarget =
FileCreationEvents
| where filename has "Ginger_beer_secret_recipe.pdf"
| project FolderPath = parse_path(path).DirectoryPath
| distinct tostring(FolderPath);
FileCreationEvents
| where path has_any (FolderTarget)
| where filename endswith "pdf"
| count

Question 7: How many distinct PDF filenames are there from the previous question?

Replace the final | count of the query above with | distinct filename; the number of rows returned is the answer.

Question 8: Did any of the other files hit on security alerts? Answer “None” if there weren’t any, or submit any of the other filenames that did.

Store the distinct PDF filenames from Questions 6 and 7 in a second let statement (SusFiles), then look for them in the description column of the SecurityAlerts table. The question asks about the other files, so alerts that mention Ginger_beer_secret_recipe.pdf are excluded with | where description !contains "Ginger_beer_secret_recipe.pdf".

let FolderTarget = FileCreationEvents
| where filename has "Ginger_beer_secret_recipe.pdf"
| project FolderPath = parse_path(path) .DirectoryPath
| distinct tostring(FolderPath);
let SusFiles = FileCreationEvents
| where path has_any (FolderTarget)
| where filename endswith "pdf"
| distinct filename;
SecurityAlerts
| where description !contains "Ginger_beer_secret_recipe.pdf"
| where description has_any (SusFiles)

Question 9: Were there any additional host machines identified from the answer from the previous question? Answer “None” if there weren’t any, or submit any of the other hostnames you identified.

Put the query from Question 3 in a 'suspiciousHost' variable and the hosts that have the file found in Question 8 (Brewery_layout.pdf) in a 'maliciousFile' variable. Then query the 'Employees' table for hosts that are in 'maliciousFile' but not already in 'suspiciousHost'.

let suspiciousHost = FileCreationEvents
| where filename has "Ginger_beer_secret_recipe.pdf"
| distinct hostname;
let maliciousFile = 
FileCreationEvents
| where filename contains "Brewery_layout.pdf"
| distinct hostname;
Employees
| where hostname !in (suspiciousHost) and hostname in (maliciousFile)
| distinct hostname


Question 10: Let’s investigate where the two suspicious pdf files came from. How many emails had a reference to the file(s)?

Our suspicious PDF files are Ginger_beer_secret_recipe.pdf and Brewery_layout.pdf. We can count the emails that reference either file by filtering the link column of the 'Email' table.

let maliciousFiles = dynamic(["Ginger_beer_secret_recipe.pdf","Brewery_layout.pdf"]);
Email
| where link has_any (maliciousFiles)
| count

Question 11: How many Outbound connections referenced the file(s)?

The same file list applied to the url column of the 'OutboundNetworkEvents' table:

let maliciousFiles = dynamic(["Ginger_beer_secret_recipe.pdf","Brewery_layout.pdf"]);
OutboundNetworkEvents
| where url has_any (maliciousFiles)
| count

The domains those connections went to (the "identified domains" that Question 13 builds on) come from the same filter, with parse_url() extracting the host part of each URL:

let maliciousFiles = dynamic(["Ginger_beer_secret_recipe.pdf","Brewery_layout.pdf"]);
OutboundNetworkEvents
| where url has_any (maliciousFiles)
| project domain = tostring(parse_url(url).Host)
| distinct domain

Question 13: How many unique file(s) are referenced from the identified domains?

let maliciousDomains = dynamic([
    "moneybags.us",
    "moneybags.org",
    "moneybags.net",
    "moneybags.biz",
    "getyabreadup.org",
    "getyabreadup.com",
    "getrichorbouncetrying.org",
    "getrichorbouncetrying.net",
    "getrichorbouncetrying.com",
    "getrichorbouncetrying.biz",
    "betterthansilver.us",
    "betterthansilver.org",
    "betterthansilver.net",
    "betterthansilver.biz",
    "abunslife.us",
    "abunslife.org",
    "abunslife.net",
    "abunslife.com",
    "abunslife.biz"
]);
OutboundNetworkEvents
| where url has_any(maliciousDomains)
| project file = parse_path(tostring(parse_url(url).Path)).Filename
| where isnotempty(file)
| distinct tostring(file)

Question 14: Based on your investigation, HopsNStuff may have been a victim of what type of initial attack?

Look up the name of technique [T1189](https://attack.mitre.org/techniques/T1189/) in MITRE ATT&CK. The expected answer is not an exact match of the technique name.

Question 15: Let’s investigate this activity further. What’s the parent_process_hash of the tool that was used to steal user credentials?

Question 16: Investigate the running processes. There are suspicious processes conducting reconnaissance. How many unique directory paths are these suspicious processes located in on infected host machines? (Find the recon command, and go identify its process parent file on disk)

Question 17: How many distinct filenames are located in these directory paths?

Question 19: Which IP address appears to be located in South America? Hint: Check AbuseIPDB or MaxMind GeoIP2 Database

Question 20: How many IP addresses appear to be located in Asia?

Question 21: What file may have been used to exfiltrate data?

Question 22: How many unique domains were used for exfiltration? Answer 0 if you did not find any.

Question 23: Let's look at the most recent exfiltration activity and the domain used in Questions 21-22. What IP address does this domain resolve to? (Hint: choose the IP address closest to the date the activity occurred)

Question 24: Law enforcement agents say the threat actor may have searched for "egg" on HopsNStuff's website. How many distinct IP addresses did this?

Question 25: Law enforcement agents also tell you that the threat actor may have used a batch file but REFUSE to elaborate any further. They tell you it’s classified. What command might they be referring to?

Question 26: A very specific APT defined by Mandiant has used the exact same cmd.exe command used by this attacker and the same credential stealer for lateral movement. Which APT group is this?

Question 27: What is the name of one of the non-Linux backdoors used by the APT group from Question 26?

Question 28: How many DNS records have domains with the word “moneybags”?

Question 29: On February 8, 2023, Robert Boyce’s machine had a file created with a single letter for its name. Search the hash of this file on VirusTotal. When was it first submitted?

Question 30: Employee Cindy Lozano reported some strange activity with her email account. A weird file was seen in her Sent folder but she deleted it right away without looking at the name. What was the name of this file?

Question 31: Do you think this activity is linked to Section 2? Yes/No (It’s free points, but log down what you answered for future discussions).

Question 32: On what date did this actor send their earliest email? YYYY-MM-DD

The actor's infrastructure is found by pivoting: inbound requests for the login and mailbox-sender pages give the source IPs, PassiveDns maps those IPs to domains, and emails whose links use those domains are the actor's. The earliest one answers the question.

let susIPs =
    InboundNetworkEvents
    | where url has_any ("login_user", "mailbox_senderfolder")
    | distinct src_ip;
let susDomains =
    PassiveDns
    | where ip in (susIPs)
    | distinct domain;
Email
| where link has_any (susDomains)
| top 1 by timestamp asc

Question 33: On what date did this actor send their most recent email? YYYY-MM-DD

Question 34: What was the earliest time of day that this actor sent an email? (#AM/PM)

Question 35: What was the latest time of day that this actor sent an email? (#AM/PM)
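Questions 33 to 35 use the same set of emails as Question 32 and differ only in the date or time-of-day arithmetic. As an added example (not part of the original walkthrough), the query below reuses the susIPs / susDomains pivot from Question 32 and computes all four answers in one summarize. It assumes the timestamps in the dataset are UTC, so the AM/PM values it prints are UTC wall-clock times:

```kusto
// Added example, not from the original walkthrough. The susIPs / susDomains pivot
// is the Question 32 query; the summarize step produces the answers to Questions
// 32 to 35 in one pass. Assumption: Email.timestamp is in UTC.
let susIPs =
    InboundNetworkEvents
    | where url has_any ("login_user", "mailbox_senderfolder")
    | distinct src_ip;
let susDomains =
    PassiveDns
    | where ip in (susIPs)
    | distinct domain;
let actorMail =
    Email
    | where link has_any (susDomains)
    // Time since midnight as a timespan, so the time of day can be compared across dates.
    | extend timeOfDay = timestamp - startofday(timestamp);
actorMail
| summarize earliestEmail = min(timestamp),
            latestEmail   = max(timestamp),
            earliestTod   = min(timeOfDay),
            latestTod     = max(timeOfDay),
            emails        = count()
| project emails,
          earliestDate = format_datetime(earliestEmail, "yyyy-MM-dd"),   // Question 32
          latestDate   = format_datetime(latestEmail, "yyyy-MM-dd"),     // Question 33
          // Add the timespan to an arbitrary midnight so format_datetime can render it as h:mm AM/PM.
          earliestTimeOfDay = format_datetime(datetime(2000-01-01) + earliestTod, "h:mm tt"),  // Question 34
          latestTimeOfDay   = format_datetime(datetime(2000-01-01) + latestTod, "h:mm tt")     // Question 35
```

The time-of-day questions are answered from the timespan since midnight rather than from min(timestamp) and max(timestamp): the earliest email by date is not necessarily the one sent earliest in the day.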

Community Help

Join the KC7 Discord (channel #easter-eggstravaganza) to discuss the module.