This post is a walkthrough of the KC7 investigation case Valdoria Votes. Use it as a guide when you hit an obstacle or want to understand a question. There are often several ways to answer a question, so don't be afraid to explore your own path.
Section 3: A vote of no confidence
Question 2: What IP address did they forget to hide in the poster?
You Got this 👾
Question 2: Is there any evidence of traffic from this IP address to our network? (yes/no)
InboundNetworkEvents
| where src_ip has "55.49.227.170"
Question 3: How many domains resolved to the IP 55.49.**.***?
PassiveDns
| where ip == "55.49.227.170"
| count
Question 4: What is the Valdoria related domain resolving to that IP?
PassiveDns
| where ip == "55.49.227.170"
Question 5: What is the Valdoria related domain resolving to that IP?
You Got this 👾
Question 6: What is the legitimate domain for the Valdoria Elections Board?
We should already know this domain from Sections 1 and 2. If, like me, you take a break between sections, you can recover it with the following KQL.
Employees
| distinct company_domain
Question 7: How many IP addresses did the fraudulent Valdoria government domain resolve to?
PassiveDns
| where domain has "valdoriavotesgov.com"
| count
Question 8: Which table should we be looking at for records of that kind of activity again?
You Got this 👾
Question 9: How many requests do we see to our network from those IPs?
let ips = PassiveDns
| where domain == "valdoriavotesgov.com"
| distinct ip;
InboundNetworkEvents
| where src_ip in (ips)
Question 10: Which phase of the Cyber Kill Chain is this called?
Hint: TA0043 (the MITRE ATT&CK tactic ID for Reconnaissance)
You Got this 👾
Question 11: What group were they specifically interested in?
You Got this 👾
Hint: *e* ****s
Question 12: What specific area of our prevention measures were the threat actors interested in?
You Got this 👾
Question 13: What important machines were the hackers trying to get into? (two words)
You Got this 👾
Question 14: Which document were the hackers looking for? (two words)
You Got this 👾
Hint
Question 15: Let's check if there's any traffic to it: have any of our employees visited that domain for any reason? (yes/no)
OutboundNetworkEvents
| where url has "valdoriavotesgov.com"
Question 16: When did someone first browse to that domain? (paste the full timestamp)
You Got this 👾
Question 17: Did anyone enter their credentials on that phishing page? (yes/no)
You Got this 👾
Question 18: When did they enter their credentials into that page? (paste the full timestamp)
You Got this 👾
Question 19: What is the username of the employee that entered their credentials on that phishing page?
You Got this 👾
Hint: url
Question 20: What is the name of the employee who entered their credentials?
Employees
| where username has "ansnooper"
| project name
Question 21: What is Snooper’s role?
Employees
| where username has "ansnooper"
| project name, role
Question 22: Did Snooper have Multi-Factor Authentication enabled? (yes/no)
Employees
| where username has "ansnooper"
| project name, role, mfa_enabled
Question 23: What table would we find this logon activity in?
You Got this 👾
Question 24: When did the threat actor login to Snooper’s account?
AuthenticationEvents
| where username == "ansnooper"
| where timestamp between(datetime(2024-10-05T10:46:47Z) .. datetime(2024-10-11T10:46:47Z))
Check the timestamp, hostname and src_ip.
Section 4: Snooping Around
Question 1: What is Anderson Snooper’s email address?
Employees
| where username has "ansnooper"
| project email_addr
Question 2: What is the email address of the person he was conversing with?
Email
| where sender has "anderson_snooper@valdoriavotes.gov" or recipient has "anderson_snooper@valdoriavotes.gov"
| where timestamp between(datetime(2024-10-05T10:46:47Z) .. datetime(2024-10-11T10:46:47Z))
The timestamp filter is the same one used in Section 3, Question 24; it reduces the records from 53 to 17.
Question 3: What is Schmelly’s job role?
Employees
| where email_addr contains "barry_schmelly@valdoriavotes.gov"
| distinct role
Question 4: “Snooper” was observed asking Schmelly how one might gain access to what devices?
Let’s check the emails between Anderson Snooper and Barry Schmelly.
Email
| where sender contains "anderson_snooper@valdoriavotes.gov"
| where recipient contains "barry_schmelly@valdoriavotes.gov"
Question 5: What is it? (four words)
You Got this 👾
Question 6: What system did Schmelly mention?
Let’s check the email subject to find out!
Email
| where sender contains "barry_schmelly@valdoriavotes.gov"
| where recipient contains "anderson_snooper@valdoriavotes.gov"
Question 7: What is Snooper’s IP address?
Employees
| where email_addr contains "anderson_snooper@valdoriavotes.gov"
| distinct ip_addr
Question 8: What term appeared at the end of each url that Snooper guessed?
By plugging in Snooper's IP address we can review the URLs he requested and analyze the terms used in his guesses.
InboundNetworkEvents
| where src_ip contains "10.10.0.4"
Question 9: What was the first subdomain that Snooper guessed?
To find the first logged activity, click the timestamp column header to sort it, or use the sort operator.
InboundNetworkEvents
| where src_ip contains "10.10.0.4"
| sort by timestamp asc
Question 10: What status code was returned for Snooper's unsuccessful guesses?
Check the status_code column and take the distinct values.
InboundNetworkEvents
| where src_ip contains "10.10.0.4"
| distinct status_code
The question tells us that 200 is the successful response, so we can filter it out with the !contains operator to narrow the results (if status_code is a numeric column, `status_code != 200` is the more precise filter).
InboundNetworkEvents
| where src_ip contains "10.10.0.4"
| where status_code !contains "200"
| distinct status_code
Read more about HTTP response status codes.
Question 11: What was the nursery rhyme-related subdomain that Snooper guessed?
Some might have missed this funny one.
InboundNetworkEvents
| where src_ip contains "10.10.0.4"
| distinct url
Looking through the url column, we will find a subdomain related to a nursery rhyme or children's song.
Question 12: What was the basketball player-related subdomain that Snooper guessed?
You Got this 👾
Question 13: What was the first subdomain “Snooper” guessed that returned a 200 status code?
InboundNetworkEvents
| where src_ip contains "10.10.0.4"
| where status_code contains "200"
| sort by timestamp asc
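Questions 8 to 13 are one pattern: a single source hitting many distinct subdomains, mostly with non-200 responses, then the first one that answers 200. As an added example (not KC7's or this post's code), the same logic expressed as a detection over constructed InboundNetworkEvents-style records; the domain elections.example and all records are placeholders.

```python
# Added example (not KC7's or the author's code): subdomain-guessing detection
# over InboundNetworkEvents-style records. Records and domain are constructed.
from collections import defaultdict
from urllib.parse import urlparse

# Constructed records: (timestamp, src_ip, url, status_code), deliberately unsorted.
SAMPLE_EVENTS = [
    ("2024-10-07T09:00:05Z", "10.10.0.4", "https://intranet.elections.example/", 404),
    ("2024-10-07T09:00:01Z", "10.10.0.4", "https://admin.elections.example/", 404),
    ("2024-10-07T09:00:09Z", "10.10.0.4", "https://vpn.elections.example/", 404),
    ("2024-10-07T09:00:13Z", "10.10.0.4", "https://mail.elections.example/", 403),
    ("2024-10-07T09:00:17Z", "10.10.0.4", "https://staging.elections.example/", 200),
    ("2024-10-07T09:00:21Z", "10.10.0.4", "https://backup.elections.example/", 404),
    ("2024-10-07T08:30:00Z", "10.10.0.9", "https://www.elections.example/news", 200),
    ("2024-10-07T08:31:00Z", "10.10.0.9", "https://www.elections.example/faq", 200),
]

def subdomain_of(url, base_domain="elections.example"):
    """Subdomain label(s) of url under base_domain (placeholder domain), else None."""
    host = urlparse(url).hostname or ""
    suffix = "." + base_domain
    return host[: -len(suffix)] if host.endswith(suffix) else None

def summarize(events):
    """Per src_ip: distinct subdomains in time order, non-200 count, and the
    first subdomain that answered 200 (the Question 13 pivot)."""
    per_ip = defaultdict(lambda: {"guesses": [], "failed": 0, "first_hit": None})
    for _ts, src_ip, url, status in sorted(events):  # tuple sort = timestamp order
        sub = subdomain_of(url)
        if sub is None:
            continue
        s = per_ip[src_ip]
        if sub not in s["guesses"]:
            s["guesses"].append(sub)
        if status != 200:
            s["failed"] += 1
        elif s["first_hit"] is None:
            s["first_hit"] = sub
    return dict(per_ip)

def flag_enumerators(summary, min_distinct=5, min_failed=3):
    """Sources touching many distinct subdomains with many failures; a normal
    visitor hits one or two hosts and rarely sees 404s."""
    return sorted(ip for ip, s in summary.items()
                  if len(s["guesses"]) >= min_distinct and s["failed"] >= min_failed)

if __name__ == "__main__":
    for ip in flag_enumerators(summary := summarize(SAMPLE_EVENTS)):
        s = summary[ip]
        print(f"{ip}: {len(s['guesses'])} subdomains, {s['failed']} non-200, first 200: {s['first_hit']}")
```

The thresholds in flag_enumerators are assumptions to tune against your own baseline; on real data, run summarize over the rows your KQL returns and compare the distinct-subdomain count per src_ip against normal visitors.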
Question 14: How many questions did they ask the chatbot?
You Got this 👾
Question 15: Which conversation_id is associated with the question about voting machines?
AIPrompts
| where prompt contains "voting machines"
| distinct conversation_id
Question 16: The AI bot told the threat actor to bring a _ and a banana.
You Got this 👾
Question 17: Instead, votes are manually calculated using a ___.
The question gave us a hint word to find in the AI prompt responses.
AIPrompts
| where response contains "internet"
Question 18: What is the name of the vendor?
You Got this 👾
Question 19: What job role will the vendor talk to?
You Got this 👾
Question 20: What is the name of the employee with that job role?
Employees
| where role contains "Election Commissioner"
Section 5: Look on my [Security], ye Mighty, and despair!
Question 1: You Got this 👾
Question 2: When did they log in to Bobama’s account?
From the Transcript of Helpdesk Call we know the call ended at 11:59 PM on 15-10-2024. Let's use that to filter out earlier AuthenticationEvents.
AuthenticationEvents
| where username contains "arbobama"
| where timestamp >= datetime(2024-10-14 23:59:00)
| sort by timestamp asc
Question 3: What IP address did the threat actors use to log in to that account?
You Got this 👾
Question 3: What email address did they send this email to?
Two things we know are the sender's email address and when the account was compromised, so we will use both in our query.
Email
| where sender contains "arrack_bobama@valdoriavotes.gov"
| where timestamp >= datetime(2024-10-14 23:59:00)
| sort by timestamp asc
Question 4: What PDF did the threat actors receive that might be useful to them later?
Since we know the sender and recipient email addresses, let's plug them in and find the attachment.
Email
| where sender contains "help@dominosvotingsystems.com"
| where recipient contains "arrack_bobama@valdoriavotes.gov"
| where timestamp >= datetime(2024-10-14 23:59:00)
| sort by timestamp asc
Question 5: You Got this 👾
Community Help
Join the KC7 Discord (channel valdoria-votes) to discuss the module.