This post is a walkthrough of the KC7 investigation case Valdoria Votes. Use it as a guide when you hit an obstacle or want to understand a question. There is often more than one way to answer a question, so don't be afraid to explore your own path.

Section 3: A vote of no confidence

Question 2: What IP address did they forget to hide in the poster?

You Got this 👾

Question 2: Is there any evidence of traffic from this IP address to our network? (yes/no)

InboundNetworkEvents
| where src_ip has "55.49.227.170"

Question 3: How many domains resolved to the IP 55.49.**.***?

// list the domains that resolved to the IP
PassiveDns
| where ip == "55.49.227.170"

// count them
PassiveDns
| where ip == "55.49.227.170"
| count

Question 5:

You Got this 👾

Question 6: What is the legitimate domain for the Valdoria Elections Board?

We should have already known the domain when answering sections 1 and 2. If you take a break between sections like me, you can find the answer by running the following KQL.

Employees
| distinct company_domain

Question 7: How many IP addresses did the fraudulent Valdoria government domain resolve to?

PassiveDns
| where domain has "valdoriavotesgov.com"
| count 

Question 8: Which table should we be looking at for records of that kind of activity again?

You Got this 👾

Question 9: How many requests do we see to our network from those IPs?

// collect the distinct IPs the fraudulent domain resolved to, then match them against inbound traffic
let ips = PassiveDns
| where domain == "valdoriavotesgov.com"
| distinct ip;
InboundNetworkEvents
| where src_ip in (ips)
| count

Question 10: Which phase of the Cyber Kill Chain is this called?

TA0043 (MITRE ATT&CK Reconnaissance) You Got this 👾

Question 11: What group were they specifically interested in?

You Got this 👾 Hint: *e* ****s

Question 12: What specific area of our prevention measures were the threat actors interested in?

You Got this 👾

Question 13: What important machines were the hackers trying to get into? (two words)

You Got this 👾

Question 14: Which document were the hackers looking for? (two words)

// in progress

Question 15: Let’s check if there’s any traffic to it—have any of our employees visited that domain for any reason? (yes/no)

OutboundNetworkEvents
| where url has "valdoriavotesgov.com"

Question 16: When did someone first browse to that domain? (paste the full timestamp)

You Got this 👾

Question 17: Did anyone enter their credentials on that phishing page? (yes/no)

You Got this 👾

Question 18: When did they enter their credentials into that page? (paste the full timestamp)

You Got this 👾

Question 19: What is the username of the employee that entered their credentials on that phishing page?

You Got this 👾 Hint: url

Question 20: What is the name of the employee who entered their credentials?

Employees
| where username has "ansnooper"
| project name

Question 21: What is Snooper’s role?

Employees
| where username has "ansnooper"
| project name, role

Question 22: Did Snooper have Multi-Factor Authentication enabled? (yes/no)

Employees
| where username has "ansnooper"
| project name, role, mfa_enabled

Question 23: What table would we find this logon activity in?

You Got this 👾

Question 24: When did the threat actor log in to Snooper’s account?

AuthenticationEvents
| where username == "ansnooper"
| where timestamp between(datetime(2024-10-05T10:46:47Z) .. datetime(2024-10-11T10:46:47Z))

Check the timestamp, hostname and src_ip.
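As an added example (my own code, not part of the KC7 module or the queries above), here is the same pivot chain in Python over constructed rows: distinct resolver IPs for the phishing domain, the credential POST, and then logons for the phished user in the six-day window after submission that come from a new or attacker-controlled IP. It assumes the submitted username appears as a `username=` query parameter in the OutboundNetworkEvents url (the page only hints "url") and that column names match the queries above.

```python
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

PHISH_DOMAIN = "valdoriavotesgov.com"

# Constructed sample rows shaped like the KC7 tables used in the walkthrough
# (column names from the page; every row below is invented for this example).
PASSIVE_DNS = [
    {"domain": PHISH_DOMAIN, "ip": "55.49.227.170"},
    {"domain": PHISH_DOMAIN, "ip": "198.51.100.9"},
    {"domain": PHISH_DOMAIN, "ip": "55.49.227.170"},  # repeated record, counted once
    {"domain": "legit.example", "ip": "203.0.113.5"},
]
OUTBOUND = [  # OutboundNetworkEvents
    {"timestamp": "2024-10-05T10:40:00Z", "method": "GET", "url": f"http://{PHISH_DOMAIN}/login"},
    {"timestamp": "2024-10-05T10:46:47Z", "method": "POST", "url": f"http://{PHISH_DOMAIN}/login?username=ansnooper"},
]
AUTH = [  # AuthenticationEvents
    {"timestamp": "2024-10-04T09:00:00Z", "username": "ansnooper", "src_ip": "10.10.0.20"},
    {"timestamp": "2024-10-07T02:13:00Z", "username": "ansnooper", "src_ip": "55.49.227.170"},
    {"timestamp": "2024-10-30T08:00:00Z", "username": "ansnooper", "src_ip": "55.49.227.170"},
]

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def resolved_ips(pdns, domain):
    """Q7/Q9 pivot: distinct IPs the phishing domain resolved to."""
    return {r["ip"] for r in pdns if r["domain"] == domain}

def credential_submissions(outbound, domain):
    """Q17-Q19: POSTs to the phishing domain, username taken from the URL query (assumed)."""
    hits = []
    for r in outbound:
        u = urlparse(r["url"])
        if r["method"] == "POST" and u.hostname == domain:
            user = parse_qs(u.query).get("username", [None])[0]
            hits.append((ts(r["timestamp"]), user))
    return hits

def logons_after_phish(auth, username, phished_at, window_days=6, attacker_ips=()):
    """Q24: logons for the phished user inside the window after credential entry,
    kept only when the source IP is new for that user or is phishing infrastructure."""
    end = phished_at + timedelta(days=window_days)
    known = {r["src_ip"] for r in auth
             if r["username"] == username and ts(r["timestamp"]) < phished_at}
    return [r for r in auth if r["username"] == username
            and phished_at <= ts(r["timestamp"]) <= end
            and (r["src_ip"] not in known or r["src_ip"] in attacker_ips)]
```

On the sample rows the only flagged logon is the 2024-10-07 one from the phishing IP; the later one falls outside the window, just as the `between` clause above would drop it.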

Section 4: Snooping Around

In progress

Community Help

Join the KC7 Discord to discuss the module (channel: valdoria-votes).