World Domination S3
Q1
Robert Russell reported seeing prompts for failed logins against his account, and your
manager wants you to investigate. What IP address does Robert usually use to log in
to his mail account?
Ans
10.10.4.55
Employees
| where name == "Robert Russell"
Q2
That IP appears to be a private (RFC1918) IP address, so we aren't too concerned
about it yet. What is the most common public IP used by Robert Russell?
Ans
48.147.171.98
let _emp_usr =
Employees
| where name == "Robert Russell"
| distinct username;
AuthenticationEvents
| where username in (_emp_usr)
| where not(ipv4_is_private(src_ip))   // drop RFC1918 addresses such as 10.10.4.55
| summarize count() by src_ip
| order by count_ desc
Q3
You are unsure if this IP address is actually suspicious. What user agent did
Robert show when logging in from that public IP? Just enter the last piece (e.g.
Firefox/##.#)
Ans
Firefox/46.0
Q5
Ok that's probably just Russell logging in while working from home or something.
What is the second most common user agent that we see being used to login to
Russell's account? Just enter the last piece (e.g. Firefox/##.#)
Ans
Firefox/69.0
let _emp_usr =
Employees
| where name == "Robert Russell"
| distinct username;
AuthenticationEvents
| where username in (_emp_usr)
| summarize count() by user_agent
| order by count_ desc
Q6
How many different IPs were used in attempted logins to Russell's account via that
second user agent?
Ans
20
let _emp_usr =
Employees
| where name == "Robert Russell"
| distinct username;
AuthenticationEvents
| where username in (_emp_usr)
| where user_agent == "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0"
| distinct src_ip
| count
Q7
How many of those attempted logins succeeded?
Ans
0
let _emp_usr =
Employees
| where name == "Robert Russell"
| distinct username;
AuthenticationEvents
| where username in (_emp_usr)
| where user_agent == "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0"
| summarize count() by result
Q8
How many different passwords were tried against Russell's accounts via that second
user agent?
Ans
15
let _emp_usr =
Employees
| where name == "Robert Russell"
| distinct username;
AuthenticationEvents
| where username in (_emp_usr)
| where user_agent == "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0"
| distinct password_hash
| count
Q9
How many different accounts did the threat actor try this attack against?
Ans
316
AuthenticationEvents
| where user_agent == "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0"
| distinct username
| count
Q11
How many accounts were successfully logged into via that user agent?
Ans
12
AuthenticationEvents
| where user_agent == "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0"
| where result == "Successful Login"
| distinct username
| count
Q12
What is the username of the first user to be compromised in this password spray?
Ans
mibohringer
AuthenticationEvents
| where user_agent == "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0"
| where result == "Successful Login"
| order by timestamp asc
| take 1
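The triage in Q5 through Q12 is one pattern: group authentication events by user agent, count distinct accounts, source IPs and password hashes, then take the earliest success. As an added example that is not part of this write-up or the KC7 data set, here is that logic in Python over a few constructed AuthenticationEvents rows; the column order mirrors the table used in the queries above, the rows and the thresholds in spray_candidates are assumptions made for the sample.

```python
from datetime import datetime

# Constructed sample rows (not challenge data); the spray user agent is the one
# found in Q5, the home user agent is invented for contrast.
SPRAY_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) "
            "Gecko/20100101 Firefox/69.0")
HOME_UA = "Mozilla/5.0 (Windows NT 10.0; rv:46.0) Gecko/20100101 Firefox/46.0"

# (timestamp, username, src_ip, user_agent, password_hash, result)
SAMPLE_EVENTS = [
    ("2023-06-01T08:00:00Z", "rrussell",    "48.147.171.98", HOME_UA,  "h_rr",         "Successful Login"),
    ("2023-06-02T08:05:00Z", "rrussell",    "48.147.171.98", HOME_UA,  "h_rr",         "Successful Login"),
    ("2023-06-09T12:00:01Z", "rrussell",    "203.0.113.10",  SPRAY_UA, "h_spring2023", "Failed Login"),
    ("2023-06-09T12:00:02Z", "caanderson",  "203.0.113.11",  SPRAY_UA, "h_spring2023", "Failed Login"),
    ("2023-06-09T12:00:03Z", "mibohringer", "203.0.113.12",  SPRAY_UA, "h_spring2023", "Failed Login"),
    ("2023-06-09T12:03:56Z", "mibohringer", "203.0.113.13",  SPRAY_UA, "h_welcome1",   "Successful Login"),
    ("2023-06-09T12:04:10Z", "caanderson",  "203.0.113.14",  SPRAY_UA, "h_welcome1",   "Successful Login"),
    ("2023-06-09T12:04:20Z", "rrussell",    "203.0.113.15",  SPRAY_UA, "h_welcome1",   "Failed Login"),
]


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def summarize_by_user_agent(events):
    """Python equivalent of
    `summarize dcount(username), dcount(src_ip), dcount(password_hash) by user_agent`,
    plus the earliest successful login per user agent (Q12)."""
    stats = {}
    for ts, user, ip, ua, pw_hash, result in events:
        s = stats.setdefault(ua, {"users": set(), "ips": set(), "passwords": set(),
                                  "compromised": set(), "first_success": None})
        s["users"].add(user)
        s["ips"].add(ip)
        s["passwords"].add(pw_hash)
        if result == "Successful Login":
            s["compromised"].add(user)
            t = _parse_ts(ts)
            if s["first_success"] is None or t < s["first_success"][0]:
                s["first_success"] = (t, user)
    return stats


def spray_candidates(events, min_accounts=3, max_passwords=5):
    """Flag user agents with the spray shape: many accounts, few passwords,
    more than one source IP. Thresholds are assumptions sized for the sample."""
    flagged = {}
    for ua, s in summarize_by_user_agent(events).items():
        if (len(s["users"]) >= min_accounts
                and len(s["passwords"]) <= max_passwords
                and len(s["ips"]) > 1):
            first = s["first_success"]
            flagged[ua] = {
                "accounts_targeted": len(s["users"]),       # Q9
                "source_ips": len(s["ips"]),                # Q6
                "passwords_tried": len(s["passwords"]),     # Q8
                "accounts_compromised": sorted(s["compromised"]),  # Q11
                "first_compromised": first[1] if first else None,  # Q12
            }
    return flagged


if __name__ == "__main__":
    for ua, info in spray_candidates(SAMPLE_EVENTS).items():
        print(ua, info)
```

The home user agent is never flagged because it touches a single account; the spray agent is flagged on three accounts with two password hashes across six IPs, and the first successful login belongs to mibohringer, which is the same ordering the `order by timestamp asc` query relies on.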
Q14
Let's investigate what happened after that user was compromised. 3 days later, the
attacker ran a discovery command on that first victim's machine to find out who
they are. What is this 6-letter command?
Ans
whoami
ProcessEvents
| where username == "mibohringer"
| where timestamp >= datetime_add('day', 3, datetime(2023-06-09T12:03:56Z))   // successful login found in Q12
| order by timestamp asc
Q15
We don't see much more suspicious activity on this machine afterwards. Perhaps the
actor decided to focus elsewhere. Let's look at another one of the accounts that
was sprayed - caanderson. What is this user's hostname?
Ans
Q68K-MACHINE
ProcessEvents
| where username == "caanderson"
| distinct hostname
Q16
It looks like the actor may have dumped credentials from this user's machine. What
command did the attacker run to dump credentials?
Ans
procdump.exe -accepteula -r -ma lsass.exe lsass.dmp
ProcessEvents
| where username == "caanderson"
| where process_commandline contains "mimikatz"
    or process_commandline contains "sekurlsa::logonpasswords"
    or process_commandline contains "lsadump::sam"
    or process_commandline contains "procdump"
    or (process_commandline contains "taskmgr.exe" and process_commandline contains "lsass")
    or process_commandline contains "reg save hklm"
    or process_commandline contains "secretsdump"
Q17
Maybe the attackers dumped credentials here to gain access to an account with
elevated permissions. What is the username of the admin account that logged into
this host?
Ans
lifehack_local_admin
AuthenticationEvents
| where hostname == "Q68K-MACHINE"
| where username contains "admin"
| where result == "Successful Login"
Q18
How many hosts did this account attempt to log into?
Ans
200
AuthenticationEvents
| where username == "lifehack_local_admin"
| distinct hostname
| count
Q19
On how many hosts were those logins successful?
Ans
200
AuthenticationEvents
| where username == "lifehack_local_admin"
| where result == "Successful Login"
| distinct hostname
| count
Q20
There may be more impact here.
How many total hosts did the attackers dump credentials on?
Ans
61
ProcessEvents
| where process_commandline contains "procdump"
| distinct hostname
| count
Q21
How many local admin accounts logged into these hosts?
Ans
10
let _dump =
ProcessEvents
| where process_commandline contains "procdump"
| distinct hostname;
AuthenticationEvents
| where hostname in (_dump)
| where username contains "local_admin"
| where result == "Successful Login"
| distinct username
| count
Q22
Now, let's see if any other privileged accounts logged into these hosts. How many
domain admins logged into all of these hosts that had credentials dumped on them?
Ans
1 (cacapley_domain_admin)
let _dump =
ProcessEvents
| where process_commandline contains "procdump"
| distinct hostname;
AuthenticationEvents
| where hostname in (_dump)
| where username contains "domain_admin"
| where result == "Successful Login"
| distinct username
Q24
If domain admin credentials were stolen by the actor, they may have compromised
more devices within our environment. What is the hostname of the server logged into
by this domain admin?
Ans
DOMAIN_CONTROLLER_01
AuthenticationEvents
| where username == "cacapley_domain_admin"
| where result == "Successful Login"
| where hostname !endswith "-DESKTOP" and hostname !endswith "-LAPTOP"
| distinct hostname
Q25
Let's inspect that host more closely for suspicious activity. The attackers used
mkdir on this host to create a new directory. What is the full path of the
directory they created?
Ans
C:\Windows\Temp\Ntds_dit
ProcessEvents
| where hostname == "DOMAIN_CONTROLLER_01"
| where process_commandline contains "mkdir"
Q26
The attackers ran a command on this host to dump directory-wide credentials.
What was the full command?
Ans
Q28
How many hosts was the gpupdate command run on?
Ans
1233
ProcessEvents
| where process_commandline contains "gpupdate"
| distinct hostname
| count
Q29
Okay, that's a lot of hosts. There could be a lot of impact here. But uh oh, it
looks like the CEO's host was one of the ones possibly affected. What is the CEO's
hostname?
Ans
ODWU-LAPTOP
let _aff_hosts =
ProcessEvents
| where process_commandline contains "gpupdate"
| distinct hostname;
Employees
| where hostname in (_aff_hosts)
| where role == "CEO"
Q30
What time was the group policy update command run on this host?
Ans
2023-07-17T16:03:40Z
ProcessEvents
| where process_commandline contains "gpupdate"
| where hostname == "ODWU-LAPTOP"
Q31
A few days after the group policy update on this host, a strange powershell command
was run. What encoding scheme is used in this command?
Ans
base64
ProcessEvents
| where hostname == "ODWU-LAPTOP"
| where timestamp >= datetime(2023-07-17T16:03:40Z)
| where process_commandline contains "powershell" and process_commandline contains "enc"
Q32
Decode this encoded command. What is the destination URL in this decoded script?
Ans
http://hire.xyz/exfil/
Q34
Check for a file on this host in the path you found in Q33. What is the Sha256 hash
of this file?
Ans
fe4bda7bd7252bcae343788e21ece59ac308956666e5d03be83e355aa4b49bbd
FileCreationEvents
| where hostname == "ODWU-LAPTOP"
| where path contains "C:\\Users\\Desktop\\temartin\\exfil"
Q35
How many total hosts in the organization had similar file paths?
Ans
12
FileCreationEvents
| where path hasprefix "C:\\Users\\Desktop\\"
| where path matches regex @"C:\\Users\\Desktop\\[^\\]+\\exfil"
| distinct hostname
| count
<wrong>
let _usr_name = tostring(toscalar(
Employees
| distinct username));
FileCreationEvents
| where path hasprefix "C:\\Users\\Desktop\\"
| where extract(@"C:\\Users\\Desktop\\([^\\]+)\\exfil", 1, path) in (_usr_name)
let _usr_name = tostring(toscalar(
Employees
| distinct username));
FileCreationEvents
| where path hasprefix "C:\\Users\\Desktop\\"
| where path matches regex @"C:\\Users\\[^\\]+\\Desktop\\exfil"
</wrong>
Why the attempts above fail: toscalar() keeps only the first row of the Employees subquery, so the in () test compares against a single username (bind the tabular expression directly with let, as in Q2, and in () works over all of them); and the second regex expects C:\Users\<user>\Desktop\exfil, which is not the order of the path found in Q34.
Q36
How many unique employee roles had data exfiltrated from their devices?
Ans
let _exfil_hosts =
FileCreationEvents
| where path hasprefix "C:\\Users\\Desktop\\"
| where path contains "exfil"
| distinct hostname;
Employees
| where hostname in (_exfil_hosts)
| distinct role
Q37
It looks like this actor was primarily interested in targeting high-value employees at
our company. How many Directors of Operations were targeted?
Ans
10
let _exfil_hosts =
FileCreationEvents
| where path hasprefix "C:\\Users\\Desktop\\"
| where path contains "exfil"
| distinct hostname;
Employees
| where hostname in (_exfil_hosts)
| summarize count()by role