This post is a walkthrough of the KC7 investigation case HopsNStuff - Section 4: 🍭 Sugar Rush. You can use it as a guide when you hit an obstacle or want to understand a question better. There are usually several ways to answer a question, so don't be afraid to explore your own path.
Section 4: 🍭 Sugar Rush
Question 1: IP 158.235.158.156 was observed exfiltrating data from mailboxes at HopsNStuff. How many mailboxes were affected?
The question gives us the IP address 158.235.158.156, which we will use to filter the InboundNetworkEvents table.

```kql
InboundNetworkEvents
| where src_ip has "158.235.158.156"
```

Looking at the url column, we notice some login activity. Let's filter for those requests.

```kql
InboundNetworkEvents
| where src_ip has "158.235.158.156"
| where url has "login"
```
Question 2: How many total accounts did IP 158.235.158.156 successfully login into?
We have the IP address and we are looking for successful logins, which are logged in the AuthenticationEvents table.

```kql
AuthenticationEvents
| where src_ip == "158.235.158.156"
| where result has "successful"
```
Question 3: Whose account was first accessed by IP 158.235.158.156?
Sorting the successful logins by time and keeping the earliest one gives the first account accessed.

```kql
AuthenticationEvents
| where src_ip == "158.235.158.156"
| where result has "successful"
| top 1 by timestamp asc
```
Question 4: What was the subject of the email that the user in (3) received leading to their account being compromised?
First, I need to find the email address of lebedford in the Employees table.

```kql
Employees
| where username has "lebedford"
| project email_addr
```

Then we check the inbound emails to that address in the Email table.

```kql
Email
| where recipient has "leonard_bedford@hopsnstuff.com"
```
I'm presented with 57 results, so I reduce the number of logs to analyze by filtering on the timestamp for activity before the login event found in question three.

```kql
Email
| where recipient has "leonard_bedford@hopsnstuff.com"
| where timestamp <= datetime(2023-03-01T10:26:28Z)
```

Viewing the results and checking the verdict column, I can identify two 'SUSPICIOUS' emails before that timestamp.
Question 5: How many actor email addresses were observed associated with the subject in (4)?
By running the following query we find that 11 emails were sent with the subject [EXTERNAL] Exclusive Invitation to our Candy Themed Beer Festival.

```kql
Email
| where subject has "[EXTERNAL] Exclusive Invitation to our Candy Themed Beer Festival"
```

When we add `| distinct sender` we get 3, but that is not the right answer. The question asks for the number of actors, in other words the number of email addresses used in this phishing attack. Looking at the other columns in the Email table, I found the reply_to column, which holds one more email address that does not appear in the sender column.

| sender | reply_to |
|---|---|
| tasting_beer@yahoo.com | tasting_beer@yahoo.com |
| candyfestivals@yahoo.com | craftbeer@yahoo.com |
| beer.beer@yahoo.com | - |
Just for KQLing
```kql
let sender_results =
    Email
    | where subject has "[EXTERNAL] Exclusive Invitation to our Candy Themed Beer Festival"
    | distinct sender;
let reply_to_results =
    Email
    | where subject has "[EXTERNAL] Exclusive Invitation to our Candy Themed Beer Festival"
    | distinct reply_to;
reply_to_results
| union sender_results
| summarize by email_address = iff(isnotempty(reply_to), reply_to, sender)
// Emails without a reply_to produce a blank row after the union; drop it so it is not counted as an actor.
| where isnotempty(email_address)
| distinct email_address
```

In this query:
- We first store the distinct reply_to and sender results in separate variables using let statements.
- Then we use the union operator to combine the results of both queries into one table.
- Next we use summarize to group the results by email address, choosing the reply_to value when it is present and the sender value otherwise.
- We drop blank rows, which appear for emails that had no reply_to address, so they are not counted as an actor.
- Finally we use distinct to return only unique email addresses in the final output.
Question 6: How many actor domains were observed associated with the subject in (5)?
```kql
Email
| where subject has "[EXTERNAL] Exclusive Invitation to our Candy Themed Beer Festival"
| extend actorDomain = tostring(parse_url(link).Host)
| distinct actorDomain
```
Question 7: How many IP addresses were associated via PassiveDNS with the domains in (6)?
We build on the query from question six and use its result to filter the PassiveDns table.

```kql
let domainDNS = Email
    | where subject has "[EXTERNAL] Exclusive Invitation to our Candy Themed Beer Festival"
    | extend actorDomain = tostring(parse_url(link).Host)
    | distinct actorDomain;
PassiveDns
| where domain in (domainDNS)
| distinct ip
```
Question 8: How many top level domains (TLDs) are used by this actor (based on your observations so far)?
They are easy to read off the results of the query from question six.
Just for KQLing
In this query, we filter for email subjects that contain the phrase "[EXTERNAL] Exclusive Invitation to our Candy Themed Beer Festival". Next, we extract the domain from the link in the email and then extract the Top-Level Domain (TLD) from that domain. Finally, we list the distinct TLDs found in the emails.

```kql
Email
| where subject has "[EXTERNAL] Exclusive Invitation to our Candy Themed Beer Festival"
| extend actorDomain = tostring(parse_url(link).Host)
| extend tld = tostring(split(actorDomain, ".")[-1])
| distinct tld
```

Here's a breakdown of what each part of the query does:
- Filtering by subject: `| where subject has "[EXTERNAL] Exclusive Invitation to our Candy Themed Beer Festival"` keeps only the emails whose subject contains the specified text.
- Extracting the domain: `| extend actorDomain = tostring(parse_url(link).Host)` extracts the host from the link in the email and creates a new column called actorDomain.
- Extracting the TLD: `| extend tld = tostring(split(actorDomain, ".")[-1])` splits the domain on "." and takes the last element, which is the Top-Level Domain (TLD). This is stored in a new column called tld.
- Listing distinct TLDs: `| distinct tld` returns only the unique Top-Level Domains found in the emails.
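The actor-address union from question five and the domain/TLD extraction from question eight, reimplemented in Python as an added example (not part of the original walkthrough or the KC7 dataset) for analysts working on exported Email rows offline. The sender and reply_to values are the ones listed above; the links, hosts and the `PLACEHOLDERS` handling are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed sample rows shaped like the Email columns the walkthrough uses
# (sender, reply_to, link). Links and hosts are made up for this example.
SAMPLE_EMAILS = [
    {"sender": "tasting_beer@yahoo.com", "reply_to": "tasting_beer@yahoo.com",
     "link": "https://candy-beer-fest.example.com/invite"},
    {"sender": "candyfestivals@yahoo.com", "reply_to": "craftbeer@yahoo.com",
     "link": "http://candybeerfestival.example.net/rsvp?id=1"},
    # Blank reply_to: must not be counted as an extra actor address.
    {"sender": "beer.beer@yahoo.com", "reply_to": "",
     "link": "https://CANDY-BEER-FEST.example.com/invite"},
    # "-" placeholder and a scheme-less link, as CSV exports often contain.
    {"sender": "beer.beer@yahoo.com", "reply_to": "-",
     "link": "tickets.candy-beer-fest.example.org/go"},
]

# Values that mean "no address" in the export (assumption for this example).
PLACEHOLDERS = {"", "-"}


def actor_addresses(rows):
    """Union of sender and reply_to (the question 5 KQL), minus placeholders."""
    addrs = set()
    for row in rows:
        for column in ("sender", "reply_to"):
            value = (row.get(column) or "").strip().lower()
            if value not in PLACEHOLDERS:
                addrs.add(value)
    return addrs


def actor_domains(rows):
    """Host of each link, the equivalent of tostring(parse_url(link).Host)."""
    hosts = set()
    for row in rows:
        link = (row.get("link") or "").strip()
        if "://" not in link:
            link = "//" + link  # make urlparse treat the leading label as the host
        host = urlparse(link).hostname  # lower-cases, drops port and credentials
        if host:
            hosts.add(host)
    return hosts


def actor_tlds(rows):
    """Last DNS label of each host, like split(actorDomain, ".")[-1] in question 8."""
    return {host.rsplit(".", 1)[-1] for host in actor_domains(rows)}
```

Note that `hostname` lower-cases the host, so the two spellings of candy-beer-fest.example.com collapse into one domain, just as the KQL `distinct` would after `parse_url` normalisation.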
Question 9: How many domains are associated with this actor? Look for patterns and build a query based on their infrastructure registration TTPs (Hint: between 75 and 300)
Question 10: How many emails did this actor send?
Question 11: How many of this actor’s emails were actually delivered (not blocked)?
Question 12: How many HopsNStuff employees clicked on more than 1 link from this actor?
Question 13: How many accounts at HopsNStuff did this actor attempt to log into?
Question 14: How many mail accounts did this actor exfiltrate data from? (Hint: Look for clear evidence of this.)
Community Help
Join the KC7 Discord (#easter-eggstravaganza) to discuss the module.