This post is a write-up with clues on how to solve the KC7 investigation case Inside Encryptodera - Section 1: Offensive Odor 👽. You can use it as a guide when you get stuck, as it is structured as a fill-in-the-blanks solution.

Section 1:

Question 1: What is Barry’s role at the company?

Employees
| where name contains "Barry"
| project name , role

Question 2: What is Barry’s email address?

Employees
| where name contains "Barry"
| project name , role, email_addr

Question 3: What was the subject of the interesting email (the one on January 16th) that Barry sent?

Email
| where sender == "barry_shmelly@encryptoderafinancial.com"
| where timestamp between (datetime(2024-01-16T00:00:00Z) .. datetime(2024-01-16T23:59:59Z))

Question 4: What was the role of the employees that received Barry’s email?

  1. Find the list of the recipients.
Email
| where sender == "barry_shmelly@encryptoderafinancial.com"
| where subject == "I'm not coming in today. I'm sick of this place. We're all getting laid off anyway."
  2. Find the role.
Employees
| where email_addr in ("christopher_naylor@encryptoderafinancial.com", "michelle_collins@encryptoderafinancial.com", "jarrod_rodriguez@encryptoderafinancial.com")
| distinct role
  • Advanced operators:
Email
| where sender == "barry_shmelly@encryptoderafinancial.com"
| where subject == "I'm not coming in today. I'm sick of this place. We're all getting laid off anyway."
| project recipient
| join kind=inner (
    Employees
    | project email_addr, role 
) on $left.recipient == $right.email_addr
| project recipient, role
| distinct role

Question 5: What was the role of the recipient of that email?

Email
| where subject == "YOU ARE A GREEDY PIG!!!! WHAT IS WRONG WITH YOU?????"

Employees
| where email_addr == "les_goh@encryptoderafinancial.com"
| project role

Question 6: What’s Barry’s IP address? (Paste the full IP address)

Employees
| where name contains "Barry"
| project ip_addr

Question 7: What was the complete URL that Barry was browsing on his computer regarding Cybersecurity Insiders on the afternoon of December 26th? (Paste the full URL)

OutboundNetworkEvents
| where src_ip == "10.10.0.1"
| where url contains "Insiders"
| project url

Question 8: What website did he visit first on January 15th? (Paste the full URL)

OutboundNetworkEvents
| where src_ip == "10.10.0.1"
| where timestamp >= datetime(2024-01-15T00:00:00Z)
| top 1 by timestamp asc
| project url

Question 9: Could you provide the full URL for the website Barry searched for USB Flash Drives?

OutboundNetworkEvents
| where src_ip == "10.10.0.1"
| where url contains "usb"
| project url

Question 10: What “secret” document on business transactions did Barry download?

InboundNetworkEvents
| where src_ip == "10.10.0.1"
| where url contains "secret"
| project url

Question 11: What document (docx) did Barry download about salaries?

InboundNetworkEvents
| where src_ip == "10.10.0.1" and url contains "salary" and url contains "docx"
| project url

  • Advanced operators:
InboundNetworkEvents
| where src_ip == "10.10.0.1" and url contains "salary" and url contains "docx"
| extend parsed_url = parse_url(url)
| extend path_segments = split(parsed_url["Path"], "/")
| project FileName = tostring(path_segments[-1])

InboundNetworkEvents
| where src_ip == "10.10.0.1" and url contains "salary" and url contains "docx"
| extend fileName = tostring(split(parse_url(url)["Path"], "/")[-1])
| project fileName

Question 12: What document (zip) did Barry download to get this?

InboundNetworkEvents
| where src_ip == "10.10.0.1"
| where url contains "zip"
| extend fileName = tostring(split(parse_url(url)["Path"], "/")[-1])
| project fileName

Question 13: Do you know the password he used to zip the files?

We know the file name is Encryptodera_Proprietary_Algorithms.zip and by checking the ProcessEvents table, we observe the parent_process_hash is 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f

ProcessEvents
| where process_commandline contains "Encryptodera_Proprietary_Algorithms.zip"

I narrowed down the results by the day the event took place to shorten my results and find the password.

ProcessEvents
| where timestamp between (datetime(2024-01-16T00:00:00Z) .. datetime(2024-01-16T23:59:59Z))
| where hostname == "IGOY-DESKTOP"
| where parent_process_hash == "614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f"

Question 14: What is the name of the drive on which Barry stored the final files?

Answer from question 13.

ProcessEvents
| where timestamp between (datetime(2024-01-16T00:00:00Z) .. datetime(2024-01-16T23:59:59Z))
| where hostname == "IGOY-DESKTOP"
| where parent_process_hash == "614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f"
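The two-step pivot used for Questions 13 and 14 (find the archive event, then list everything spawned by the same parent on the same host and day) can be written as a single query that reads the parent hash, hostname and date from the first hit instead of pasting them in by hand. This is an added example, not a query from the original write-up; it assumes only the ProcessEvents columns already used above (timestamp, hostname, parent_process_hash, process_commandline).

```kusto
// Added example (not from the original write-up): pivot from the archive
// creation event to the sibling processes without hand-copying values.
// Anchor: the first process event that references the zip file.
let zip_event = ProcessEvents
    | where process_commandline contains "Encryptodera_Proprietary_Algorithms.zip"
    | top 1 by timestamp asc;
// Pull the pivot values out of that single event.
let parent_hash = toscalar(zip_event | project parent_process_hash);
let host = toscalar(zip_event | project hostname);
let day_start = toscalar(zip_event | project startofday(timestamp));
// Every process launched by the same parent, on the same host, that day.
ProcessEvents
| where timestamp between (day_start .. (day_start + 1d))
| where hostname == host
| where parent_process_hash == parent_hash
| project timestamp, hostname, parent_process_hash, process_commandline
| order by timestamp asc
```

Reading the command lines in timestamp order shows the archiving command and the neighbouring commands that reference the destination drive, which is what Questions 13 and 14 ask for.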

Community Help

Join the KC7 Discord to discuss the module in #encryptodera.