Elf Stack

Link

If you want to play the challenge yourself, you can find it here:

https://2024.holidayhackchallenge.com/

Story line

Let’s start off by talking to the elf:

Greetings! I’m the genius behind the North Pole Elf Stack SIEM. And oh boy, we’ve got a situation on our hands.

Our system was attacked—Wombley’s faction unleashed their FrostBit ransomware, and it’s caused a digital disaster.

The logs are a mess, and Wombley’s laptop—the only backup of the Naughty-Nice List—was smashed to pieces.

Now, it’s all up to you to help me trace the attack vectors and events. We need to figure out how this went down before it’s too late.

You’ll be using a containerized ELK stack or Linux CLI tools. Sounds like a fun little puzzle, doesn’t it?

Your job is to analyze these logs… think of it as tracking snow tracks but in a digital blizzard.

If you can find the attack path, maybe we can salvage what’s left and get Santa’s approval.

Santa’s furious at the faction fighting, and he’s disappointed. We have to make things right.

So, let’s show these attackers that the North Pole’s defenses are no joke!

Hints

Recon

Upon clicking on the challenge, an iframe pops up with some instructions and a menu.

In the menu we find four buttons, “Easy Mode”, “Hard Mode”, “Help” and “Download”. The Help page will show us some information about how to set up the SIEM.

Upon clicking the download button, we’ll get links to three files:

• log_chunk_2.log.zip
• elf-stack-siem-with-logs.zip
• log_chunk_1.log.zip

The files starting with “log_chunk_” are zipped log files, and the “elf-stack-siem-with-logs.zip” file contains the Elf Stack SIEM setup, which is optional.

Set up environment

There are multiple ways to go around solving this challenge, we can use the provided Elf Stack SIEM, but we can also use plain bash commands or Python. I chose to go with the latter, but my RAM didn’t like it 😄.

In oder to read the logs with Python, we’ll first have to transform the logs into a more usable format. What the current format looks like can be found in the provided SIEM’s config, namely in the logstash.conf file. There, we find that grok is used, along with the format string.

<%{NONNEGINT:syslog_pri}>%{NONNEGINT:version}%{SPACE}(?:-|%{TIMESTAMP_ISO8601:syslog_timestamp})%{SPACE}(?:-|%{IPORHOST:hostname})%{SPACE}(?:%{SYSLOG5424PRINTASCII:event_source}|-)%{SPACE}(?:-|%{SYSLOG5424PRINTASCII:event_source_id})%{SPACE}(?:-|%{SYSLOG5424PRINTASCII:msgid})%{SPACE}(?:-|(?<structured_data>(\[.*?[^\\]\])+))(?:%{SPACE}%{GREEDYDATA:message_json}|)

There is not support for grok in the standard library, we there is a package out there called py3grok, which allows us to parse the log lines into dictionaries. We can use this in a script to transform both log files into a single big json file.

from py3grok import GrokEnvironment
import json


# Parse log files to JSON
grok_env = GrokEnvironment()
pattern = "<%{NONNEGINT:syslog_pri}>%{NONNEGINT:version}%{SPACE}(?:-|%{TIMESTAMP_ISO8601:syslog_timestamp})%{SPACE}(?:-|%{IPORHOST:hostname})%{SPACE}(?:%{SYSLOG5424PRINTASCII:event_source}|-)%{SPACE}(?:-|%{SYSLOG5424PRINTASCII:event_source_id})%{SPACE}(?:-|%{SYSLOG5424PRINTASCII:msgid})%{SPACE}(?:-|(?<structured_data>(\\[.*?[^\\\\]\\])+))(?:%{SPACE}%{GREEDYDATA:message_json}|)"
grok = grok_env.create(pattern)

with open("logs.json", "w") as out_file:
    out_file.write("[\n")

    for log_filename in ["log_chunk_1.log", "log_chunk_2.log"]:
        with open(log_filename, "r") as f:
            for line in f:
                text = line.strip()
                log = grok.match(text)
                for key, value in json.loads(log["message_json"]).items():
                    log[f"message.{key}"] = value
                del log["message_json"]  # We don't need it anymore, so save some RAM by deleting it
                out_file.write(json.dumps(log))
                out_file.write(",\n")

    out_file.seek(out_file.tell()-2)
    out_file.write("\n]\n")

This will take some time to run, but once finished we find a 4.5 GB large logs.json file.

Now that we have it in a more common format, we can look into loading the file. Because loading it will take a long time (due to the file size), we prefer it to be kept in memory while we make changes to the script. A Jupyter Notebook is the perfect solution for this. It’s like an interactive shell, everything will stay in memory in between changes.

We can use the official Jupyter Notebook setup, but I prefer to use Visual Studio Code (VSCode). It’s easier in use, and requires less setup. In VSCode, we can just create a file ending in .ipynb, and it’ll automatically load it as a notebook.

We can then use the pandas library to load and query the data.

import pandas as pd

df = pd.read_json("logs.json")
df

The loading might take a while, for me it took 4m 28.8s and used in excess of 100 GB of RAM/swap.

Silver

With the setup ready, we can start with the challenge. Let’s click Easy Mode and start with the first task.

Question 1

How many unique values are there for the event_source field in all logs?

Starting off easy, we can use panda’s nunique function on the “event_source” field.

df["event_source"].nunique()

5

Answer: 5

Question 2

Which event_source has the fewest number of events related to it?

For question 2, the value_counts function can be used.

df["event_source"].value_counts()

Answer: AuthLog

Question 3

Using the event_source from the previous question as a filter, what is the field name that contains the name of the system the log event originated from?

Next up is finding the column. We can filter on the event source, and then use .T.dropna(how="all").T to strip off all columns that only contain empty values. This way we remove the columns used by other event sources.

df[df["event_source"] == "AuthLog"].T.dropna(how="all").T

Answer: hostname

Question 4

Which event_source has the second highest number of events related to it?

We can reuse the result from question 2 here.

df["event_source"].value_counts()

Answer: NetflowPmacct

Question 5

Using the event_source from the previous question as a filter, what is the name of the field that defines the destination port of the Netflow logs?

Reusing what we did for question 3, we can run the following query.

df[df["event_source"] == "NetflowPmacct"].T.dropna(how="all").T

We’ll find the remote port in the message.port_dst column.

Answer: port_dst

Question 6

Which event_source is related to email traffic?

We can list the distinct event sources using the unique function.

df["event_source"].unique()

array(['AuthLog', 'WindowsEvent', 'GreenCoat', 'SnowGlowMailPxy',
       'NetflowPmacct'], dtype=object)

Answer: SnowGlowMailPxy

Question 7

Looking at the event source from the last question, what is the name of the field that contains the actual email text?

Once again we can reuse a previous query from question 3 and 5.

df[df["event_source"] == "SnowGlowMailPxy"].T.dropna(how="all").T

We’ll then see the email contents in message.Body.

Answer: Body

Question 8

Using the ‘GreenCoat’ event_source, what is the only value in the hostname field?

For this one we can combine the filter with the unique function.

df[df["event_source"] == "GreenCoat"]["hostname"].unique()

array(['SecureElfGwy'], dtype=object)

Answer: SecureElfGwy

Question 9

Using the ‘GreenCoat’ event_source, what is the name of the field that contains the site visited by a client in the network?

You know how this works by now.

df[df["event_source"] == "GreenCoat"].T.dropna(how="all").T

We then find the sites in the message.url column.

Answer: url

Question 10

Using the ‘GreenCoat’ event_source, which unique URL and port (URL:port) did clients in the TinselStream network visit most?

This one should also be pretty clear from the previous ones.

df[df["event_source"] == "GreenCoat"]["message.url"].value_counts()

Answer: pagead2.googlesyndication.com:443

Question 11

Using the ‘WindowsEvent’ event_source, how many unique Channels is the SIEM receiving Windows event logs from?

To count the amount of unique values, we can use nunique again.

df[df["event_source"] == "WindowsEvent"]["message.Channel"].nunique()

5

Answer: 5

Question 12

What is the name of the event.Channel (or Channel) with the second highest number of events?

One last value count for good pratice.

df[df["event_source"] == "WindowsEvent"]["message.Channel"].value_counts()

Answer: Microsoft-Windows-Sysmon/Operational

Question 13

Our environment is using Sysmon to track many different events on Windows systems. What is the Sysmon Event ID related to loading of a driver?

For this one we’ll have to look online. A good place is Microsoft’s documentation, were find that Event ID 6 is used for the driver loaded events.

Answer: 6

Question 14

What is the Windows event ID that is recorded when a new service is installed on a system?

Microsoft’s documentation will help us once again here. Although the documentation can be hard to find, it often does exist.

Answer: 4697

Question 15

Using the WindowsEvent event_source as your initial filter, how many user accounts were created?

Before we can query the logs, we need to know how to look for account creation events. We can once again look at Microsoft’s documentation, and find that Event ID 4720 is used for that.

len(
    df[
        (df["event_source"] == "WindowsEvent")
        & (df["message.EventID"] == 4720)
    ]
)

0

Looks like no new user accounts were created

Answer: 0

Gold

Not that the practice round is done, we’re ready for Hard Mode.

Continued story line

Let’s first talk to the elf again.

Fantastic job! You worked through the logs using the ELK stack like a pro—efficient, quick, and spot-on. Maybe, just maybe, this will turn Santa’s frown upside down!

Up for the real challenge? Take a deep dive into those logs and query your way through the chaos. It might be tricky, but I know your adaptable skills will crack it!

Bravo! You pieced it all together, uncovering the attack path. Santa’s gonna be grateful for your quick thinking and tech savvyness. The North Pole owes you big time!

Question 1

What is the event.EventID number for Sysmon event logs relating to process creation?

Gold starts off where silver stopped, and we’ll have to find an Event ID again. Just like the previous times, we can find the Event ID in Microsoft’s documentation.

Answer: 1

Question 2

How many unique values are there for the ’event_source’ field in all of the logs?

We should know how to use nunique by now.

df["event_source"].nunique()

5

Answer: 5

Question 3

What is the event_source name that contains the email logs?

A quick listing of all event sources will show us the email logs source.

df["event_source"].unique()

array(['AuthLog', 'WindowsEvent', 'GreenCoat', 'SnowGlowMailPxy',
       'NetflowPmacct'], dtype=object)

Answer: SnowGlowMailPxy

Question 4

The North Pole network was compromised recently through a sophisticated phishing attack sent to one of our elves. The attacker found a way to bypass the middleware that prevented phishing emails from getting to North Pole elves. As a result, one of the Received IPs will likely be different from what most email logs contain. Find the email log in question and submit the value in the event ‘From:’ field for this email log event.

Okay, now we’ll have to combine a few things. First, let’s take a look at what the email logs look like.

email_df = df[df["event_source"] == "SnowGlowMailPxy"].T.dropna(how="all").T
email_df

The question asks us to look at the Received IPs, and we found two columns for that; ReceivedIP1 and ReceivedIP2. Let’s get their value counts.

email_df["message.ReceivedIP1"].value_counts()

email_df["message.ReceivedIP2"].value_counts()

The IP 34.30.110.62 shows up only once, so let’s get more information about that email.

email_df[email_df["message.ReceivedIP2"] == "34.30.110.62"]

We can find the answer in the message.From column.

Answer: kriskring1e@northpole.local

Question 5

Our ElfSOC analysts need your help identifying the hostname of the domain computer that established a connection to the attacker after receiving the phishing email from the previous question. You can take a look at our GreenCoat proxy logs as an event source. Since it is a domain computer, we only need the hostname, not the fully qualified domain name (FQDN) of the system.

Let’s start again by looking at what the GreenCoat data source looks like.

greencoat_df = df[df["event_source"] == "GreenCoat"].T.dropna(how="all").T
greencoat_df

Okay, we have the message.url column here, but we don’t have a url to search for. Maybe we can find it in the content of the phishing email.

phishing_email = email_df[email_df["message.ReceivedIP2"] == "34.30.110.62"].iloc[0]
phishing_email["message.Body"]

"We need to store the updated naughty and nice list somewhere secure. I posted it here http://hollyhaven.snowflake/howtosavexmas.zip. Act quickly so I can remove the link from the internet! I encrypted it with the password: n&nli$t_finAl1\n\nthx!\nkris\n- Sent from the sleigh. Please excuse any Ho Ho Ho's."

Alright, there is a url there, so let’s search for it in the GreenCoat logs.

greencoat_df[greencoat_df["message.url"] == "http://hollyhaven.snowflake/howtosavexmas.zip"]

Yes, we found it. The hostname is all the way at the end in the message.host column.

Answer: SleighRider

Question 6

What was the IP address of the system you found in the previous question?

We already found the answer for this one in the previous question. But let’s also save the event to a variable; we might need it later.

download_event = greencoat_df[greencoat_df["message.url"] == "http://hollyhaven.snowflake/howtosavexmas.zip"].iloc[0]
download_event["message.ip"]

Answer: 172.24.25.12

Question 7

A process was launched when the user executed the program AFTER they downloaded it. What was that Process ID number (digits only please)?

Let’s start again by looking at the WindowsEvent logs.

events_df = df[df["event_source"] == "WindowsEvent"].T.dropna(how="all").T
events_df

It looks like the hostname column requerest the FQDN, but, luckily, SleighRider is already right there, and we don’t have to look it up. We can use this together with the timestamp of when the user clicked the link to find the processes. There are way to many columns to look at, so let’s also narrow those down to the ones we need.

events_df[
    (events_df["hostname"] == "SleighRider.northpole.local")
    & (events_df["syslog_timestamp"] > download_event["syslog_timestamp"])
    & (events_df["message.EventID"] == 1)
][["syslog_timestamp", "message.User", "message.Image", "message.CommandLine"]]

Event 724498 looks interesting here because it contains “howtosavexmas”, let’s take a closer look.

events_df.loc[724498].dropna()

Here, we find two process ids, ProcessID and ProcessId, we need the first one.

Answer: 10014

Question 8

Did the attacker’s payload make an outbound network connection? Our ElfSOC analysts need your help identifying the destination TCP port of this connection.

There is also and event id for network communications. I don’t think you saw this coming, but it’s written in Microsoft’s documentation. We can filter on both it and the process id to find the network communications of the process.

events_df[
    (events_df["hostname"] == "SleighRider.northpole.local")
    & (events_df["message.ProcessID"] == 10014)
    & (process_events_df["message.EventID"] == 3)
].T.dropna(how="all").T

One connection jumps out here; 19.148.239.35.bc.googleusercontent.com. It’s different from the rest, and it’s port is 8443.

Answer: 8443

Question 9

The attacker escalated their privileges to the SYSTEM account by creating an inter-process communication (IPC) channel. Submit the alpha-numeric name for the IPC channel used by the attacker.

There is an Event ID for IPC pipes, but if we filter on it, won’t find anything. Instead, we should look at new processes that are created with the system user.

events_df[
    (events_df["hostname"] == "SleighRider.northpole.local")
    & (events_df["message.ProcessID"] == 10014)
    & (events_df["message.EventID"] == 1)
    & (events_df["message.User"] == "NT AUTHORITY\\SYSTEM")
    & (events_df["message.Image"].str.contains(".*(cmd.exe)|(powershell.exe)"))
][["message.Image", "message.CommandLine"]]

In there, we find a cmd command that connects with a pipe.

Answer: ddpvccdbr

Question 10

The attacker’s process attempted to access a file. Submit the full and complete file path accessed by the attacker’s process.

There is once again an Event ID for attempts to access a file; Windows Security Log Event ID 4663. Let’s filter on that.

events_df[
    (events_df["message.ProcessID"] == 10014)
    & (events_df["message.EventID"] == 4663)
].T.dropna(how="all").T

There is only one result, but its ObjectName is cut off. We can get the full result as follows.

events_df[
    (events_df["message.ProcessID"] == 10014)
    & (events_df["message.EventID"] == 4663)
].iloc[0]["message.ObjectName"]

"C:\Users\elf_user02\Desktop\kkringl315@10.12.25.24.pem"

Answer: C:\Users\elf_user02\Desktop\kkringl315@10.12.25.24.pem

Question 11

The attacker attempted to use a secure protocol to connect to a remote system. What is the hostname of the target server?

If connections are made to connect to a system, there should be some authentication logs. Let’s explore those.

auth_df = df[df["event_source"] == "AuthLog"].T.dropna(how="all").T
auth_df

We find that most information is stored as text in the message.message column. Let’s look for the IP from the filename we got.

auth_df[auth_df["message.message"].str.contains("10.12.25.24")]

We find some connections here, and all of them are going to the kringleSSleigH host.

Answer: kringleSSleigH

Question 12

The attacker created an account to establish their persistence on the Linux host. What is the name of the new account created by the attacker?

Let’s take a look at all the unique log messages from kringleSSleigH.

auth_df[auth_df["hostname"] == "kringleSSleigH"]["message.message"].unique()

array(['pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)',
       'pam_unix(cron:session): session closed for user root',
       'uid 1000 is trying to obtain org.freedesktop.packagekit.system-sources-refresh auth (only_trusted:0)',
       'uid 1000 obtained auth for org.freedesktop.packagekit.system-sources-refresh',
       'Connection from 34.30.110.62 port 39720 on 10.12.25.24 port 22 rdomain ""',
       'Failed password for netrider from 34.30.110.62 port 39720 ssh2',
       'Connection from 34.30.110.62 port 39721 on 10.12.25.24 port 22 rdomain ""',
       'Failed password for frostyhacker from 34.30.110.62 port 39721 ssh2',
       'Connection from 34.30.110.62 port 39722 on 10.12.25.24 port 22 rdomain ""',
       'Failed password for cryptocode from 34.30.110.62 port 39722 ssh2',
       'Connection from 34.30.110.62 port 39723 on 10.12.25.24 port 22 rdomain ""',
       'Failed password for shadowseeker from 34.30.110.62 port 39723 ssh2',
       'Connection from 34.30.110.62 port 39724 on 10.12.25.24 port 22 rdomain ""',
       'Failed password for dataphantom from 34.30.110.62 port 39724 ssh2',
       'Connection from 34.30.110.62 port 39725 on 10.12.25.24 port 22 rdomain ""',
       'Failed password for firewallfox from 34.30.110.62 port 39725 ssh2',
       'Connection from 34.30.110.62 port 39726 on 10.12.25.24 port 22 rdomain ""',
       'Failed password for glitchmaster from 34.30.110.62 port 39726 ssh2',
       'Connection from 34.30.110.62 port 39727 on 10.12.25.24 port 22 rdomain ""',
       'Failed password for wiretrace from 34.30.110.62 port 39727 ssh2',
       'Connection from 34.30.110.62 port 39728 on 10.12.25.24 port 22 rdomain ""',
       'Failed password for codecrunch from 34.30.110.62 port 39728 ssh2',
       'Connection from 34.30.110.62 port 39732 on 10.12.25.24 port 22 rdomain ""',
       'error: Received disconnect from 34.30.110.62 port 39732:14: No supported authentication methods available [preauth]',
       'Disconnected from authenticating user kkringl315 34.30.110.62 port 39732 [preauth]',
       'Connection from 34.30.110.62 port 39733 on 10.12.25.24 port 22 rdomain ""',
       'Failed publickey for kkringl315 from 34.30.110.62 port 39733 ssh2: RSA SHA256:ZxnmQ23LgHtXj5987Km3NdjXjUHwVvBr',
       'Received disconnect from 34.30.110.62 port 39733:11: Bye Bye [preauth]',
       'Connection from 34.30.110.62 port 41606 on 10.12.25.24 port 22 rdomain ""',
       'Accepted key RSA SHA256:AbfXsQOO05qHNT98Rhe1B7KzURo0viFfq2/gpAWlP7E found at /home/kkringl315/.ssh/authorized_keys:1',
       'Postponed publickey for kkringl315 from 34.30.110.62 port 41606 ssh2 [preauth]',
       'Accepted publickey for kkringl315 from 34.30.110.62 port 41606 ssh2: RSA SHA256:AbfXsQOO05qHNT98Rhe1B7KzURo0viFfq2/gpAWlP7E',
       'pam_unix(sshd:session): session opened for user kkringl315(uid=1000) by (uid=0)',
       'New session 58 of user kkringl315.',
       'pam_env(sshd:session): deprecated reading of user environment enabled',
       'User child is on pid 6145',
       'Starting session: shell on pts/5 for kkringl315 from 34.30.110.62 port 41606 id 0',
       'pam_unix(sudo:auth): authentication failure; logname=kkringl315 uid=1000 euid=0 tty=/dev/pts/5 ruser=kkringl315 rhost=  user=kkringl315',
       ' kkringl315 : 3 incorrect password attempts ; TTY=pts/5 ; PWD=/opt ; USER=root ; COMMAND=/usr/bin/su',
       'pam_unix(sudo:auth): conversation failed',
       'pam_unix(sudo:auth): auth could not identify password for [kkringl315]',
       ' kkringl315 : TTY=pts/5 ; PWD=/opt ; USER=root ; COMMAND=/usr/bin/su',
       'pam_unix(sudo:session): session opened for user root(uid=0) by kkringl315(uid=1000)',
       '(to root) root on pts/6',
       'pam_unix(su:session): session opened for user root(uid=0) by kkringl315(uid=0)',
       'pam_unix(su:session): session closed for user root',
       'pam_unix(sudo:session): session closed for user root',
       ' kkringl315 : TTY=pts/5 ; PWD=/opt ; USER=root ; COMMAND=/usr/sbin/adduser ssdh',
       'group added to /etc/group: name=ssdh, GID=1002',
       'group added to /etc/gshadow: name=ssdh',
       'new group: name=ssdh, GID=1002',
       'new user: name=ssdh, UID=1002, GID=1002, home=/home/ssdh, shell=/bin/bash, from=/dev/pts/6',
       'pam_unix(passwd:chauthtok): password changed for ssdh',
       "gkr-pam: couldn't update the login keyring password: no old password was entered",
       "changed user 'ssdh' information",
       'members of group users set by root to kkringl315,pmacct,ssdh',
       ' kkringl315 : TTY=pts/5 ; PWD=/opt ; USER=root ; COMMAND=/usr/sbin/usermod -a -G sudo ssdh',
       "add 'ssdh' to group 'sudo'", "add 'ssdh' to shadow group 'sudo'",
       'Received disconnect from 34.30.110.62 port 41606:11: disconnected by user',
       'Disconnected from user kkringl315 34.30.110.62 port 41606',
       'pam_unix(sshd:session): session closed for user kkringl315',
       'Session 58 logged out. Waiting for processes to exit.',
       'Removed session 58.',
       'Connection from 34.30.110.62 port 58634 on 10.12.25.24 port 802 rdomain ""',
       'Postponed publickey for kkringl315 from 34.30.110.62 port 58634 ssh2 [preauth]',
       'Accepted publickey for kkringl315 from 34.30.110.62 port 58634 ssh2: RSA SHA256:AbfXsQOO05qHNT98Rhe1B7KzURo0viFfq2/gpAWlP7E',
       'New session 59 of user kkringl315.', 'User child is on pid 6319',
       'Starting session: shell on pts/5 for kkringl315 from 34.30.110.62 port 58634 id 0',
       ' kkringl315 : TTY=pts/5 ; PWD=/home/kkringl315 ; USER=root ; COMMAND=/usr/bin/crontab -',
       ' kkringl315 : TTY=pts/5 ; PWD=/home/kkringl315 ; USER=root ; COMMAND=/usr/bin/crontab -l',
       ' kkringl315 : TTY=pts/5 ; PWD=/home/kkringl315 ; USER=root ; COMMAND=/usr/sbin/service cron restart',
       ' kkringl315 : TTY=pts/5 ; PWD=/home/kkringl315 ; USER=root ; COMMAND=/usr/bin/cat /etc/crontab',
       ' kkringl315 : TTY=pts/5 ; PWD=/home/kkringl315 ; USER=root ; COMMAND=/usr/bin/cat /var/spool/cron/crontabs/root',
       'Received disconnect from 34.30.110.62 port 58634:11: disconnected by user',
       'Disconnected from user kkringl315 34.30.110.62 port 58634',
       'Session 59 logged out. Waiting for processes to exit.',
       'Removed session 59.',
       'Connection from 34.30.110.62 port 48202 on 10.12.25.24 port 802 rdomain ""',
       'Postponed publickey for kkringl315 from 34.30.110.62 port 48202 ssh2 [preauth]',
       'Accepted publickey for kkringl315 from 34.30.110.62 port 48202 ssh2: RSA SHA256:AbfXsQOO05qHNT98Rhe1B7KzURo0viFfq2/gpAWlP7E',
       'New session 62 of user kkringl315.', 'User child is on pid 6447',
       'Starting session: shell on pts/5 for kkringl315 from 34.30.110.62 port 48202 id 0',
       'error: connect_to dc01.northpole.local: unknown host (Name or service not known)',
       'error: connect_to 10.56.4.53 port 88: failed.',
       'Close session: user kkringl315 from 34.30.110.62 port 48202 id 0',
       'Received disconnect from 34.30.110.62 port 48202:11: disconnected by user',
       'Disconnected from user kkringl315 34.30.110.62 port 48202',
       'Session 62 logged out. Waiting for processes to exit.',
       'Removed session 62.'], dtype=object)

There are manu things happening, but just after the successfull login, we find a line starting with new user.

'new user: name=ssdh, UID=1002, GID=1002, home=/home/ssdh, shell=/bin/bash, from=/dev/pts/6',

In it, we can clearly see the new user name.

Answer: ssdh

Question 13

The attacker wanted to maintain persistence on the Linux host they gained access to and executed multiple binaries to achieve their goal. What was the full CLI syntax of the binary the attacker executed after they created the new user account?

For question 13 we can take another look at the last result. A few lines after the new user event, we find a command.

' kkringl315 : TTY=pts/5 ; PWD=/opt ; USER=root ; COMMAND=/usr/sbin/usermod -a -G sudo ssdh',

Answer: /usr/sbin/usermod -a -G sudo ssdh

Question 14

The attacker enumerated Active Directory using a well known tool to map our Active Directory domain over LDAP. Submit the full ISO8601 compliant timestamp when the first request of the data collection attack sequence was initially recorded against the domain controller.

Back to the Windows event logs. LDAP events are logging using Event ID 2889, so let’s filter on those.

events_df[events_df["message.EventID"] == 2889].T.dropna(how="all").T

The question is asking for the first one, so we can take the syslog_timestamp of that one.

Answer: 2024-09-16T11:10:12-04:00

Question 15

The attacker attempted to perform an ADCS ESC1 attack, but certificate services denied their certificate request. Submit the name of the software responsible for preventing this initial attack.

Another look at Microsoft’s documentation will tell us that Event ID 4886 is used for denied a certificate requests.

events_df[events_df["message.EventID"] == 4888].T.dropna(how="all").T

We can find the EDR that blocked it in the message.ReasonForRejection column.

Answer: KringleGuard

Question 16

We think the attacker successfully performed an ADCS ESC1 attack. Can you find the name of the user they successfully requested a certificate on behalf of?

Another question, another event id. This one oddly doesn’t show on the same page as the previous one, but can be found here.

events_df[events_df["message.EventID"] == 4886].T.dropna(how="all").T

We can then find the username in the message.UserInformation_UPN column.

Answer: nutcrakr

Question 17

One of our file shares was accessed by the attacker using the elevated user account (from the ADCS attack). Submit the folder name of the share they accessed.

There is also and Event ID in Microsoft’s documentation for network share access logs. We can combine that with the user we just found to find the shares that were accessed.

events_df[
    (events_df["message.EventID"] == 5140)
    & (events_df["message.SubjectUserName"] == "nutcrakr")
].T.dropna(how="all").T

The question is not asking for the share, but for the folder in it. This can be found in the message.ShareInformation_SharePath column.

Answer: WishLists

Question 18

The naughty attacker continued to use their privileged account to execute a PowerShell script to gain domain administrative privileges. What is the password for the account the attacker used in their attack payload?

The attack payload might be referring to a PowerShell script, so let’s take a look at those logs. Event IDs 4103 and 4104 are used for powershell script logging.

events_df[(events_df["message.EventID"] == 4104)]["message.ScriptBlockText"].unique()

array(['quser | Select-String -Pattern ".+"',
       'Get-LocalUser | Where-Object { $_.Enabled -eq $true } | Get-LocalGroupMember',
       'Get-Disk | Select-Object Number, Status, OperationalStatus, TotalSize, PartitionStyle',
       'Get-ChildItem "$env:USERPROFILE\\Downloads\\*" | Where-Object { $_.CreationTime -lt (Get-Date).AddDays(-30) } | Remove-Item',
       'Get-WmiObject Win32_LogicalDisk | Format-Table DeviceID, MediaType, FreeSpace',
       "Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | Select-Object Name, InterfaceDescription, MacAddress",
       '[int][double]::Parse((Get-WmiObject win32_operatingsystem).LastBootUpTime.Subtract([datetime]::Parse("1970-01-01T00:00:00Z")).TotalSeconds)',
       'certutil -verify -urlfetch certificate.cer',
       'Test-Connection -ComputerName conntest.northpole.local -Count 4',
       'Get-SmbSession | Where-Object { $_.OpenFileCount -gt 0 } | Format-Table SessionId, ClientComputerName',
       '(Get-WmiObject -Query "SELECT * FROM Win32_Printer WHERE Default=$true").Name',
       '(Get-Date) - (gcim Win32_OperatingSystem).LastBootUpTime',
       'Get-Counter -Counter "\\PhysicalDisk(_Total)\\Disk Reads/sec", "\\PhysicalDisk(_Total)\\Disk Writes/sec"',
       'C:\\Windows\\System32\\perfmon /report',
       "Get-Counter '\\Processor(_Total)\\% Processor Time' | Select-Object -ExpandProperty CounterSamples | Select-Object CookedValue",
       'Get-PSDrive C | Select-Object Free,Used',
       'Get-EventLog -LogName Application | Measure-Object -Property Length -Sum | Select-Object Sum',
       '(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()',
       'gpupdate /force',
       "Get-Disk | Where-Object { $_.OperationalStatus -ne 'OK' } | Select-Object Number, Status, OperationalStatus",
       'Get-WmiObject Win32_NetworkProtocol | Select-Object Name, ProtocolID, GuaranteesDelivery, GuaranteesSequencing',
       'Get-WmiObject Win32_BIOS | Select-Object Manufacturer, SMBIOSBIOSVersion, ReleaseDate | Format-List',
       'Add-Type -AssemblyName System.DirectoryServices\n$ldapConnString = "LDAP://CN=Domain Admins,CN=Users,DC=northpole,DC=local"\n$username = "nutcrakr"\n$pswd = \'fR0s3nF1@k3_s\'\n$nullGUID = [guid]\'00000000-0000-0000-0000-000000000000\'\n$propGUID = [guid]\'00000000-0000-0000-0000-000000000000\'\n$IdentityReference = (New-Object System.Security.Principal.NTAccount("northpole.local\\$username")).Translate([System.Security.Principal.SecurityIdentifier])\n$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None\n$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $IdentityReference, ([System.DirectoryServices.ActiveDirectoryRights] "GenericAll"), ([System.Security.AccessControl.AccessControlType] "Allow"), $propGUID, $inheritanceType, $nullGUID\n$domainDirEntry = New-Object System.DirectoryServices.DirectoryEntry $ldapConnString, $username, $pswd\n$secOptions = $domainDirEntry.get_Options()\n$secOptions.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl\n$domainDirEntry.RefreshCache()\n$domainDirEntry.get_ObjectSecurity().AddAccessRule($ACE)\n$domainDirEntry.CommitChanges()\n$domainDirEntry.dispose()\n$ldapConnString = "LDAP://CN=Domain Admins,CN=Users,DC=northpole,DC=local"\n$domainDirEntry = New-Object System.DirectoryServices.DirectoryEntry $ldapConnString, $username, $pswd\n$user = New-Object System.Security.Principal.NTAccount("northpole.local\\$username")\n$sid=$user.Translate([System.Security.Principal.SecurityIdentifier])\n$b=New-Object byte[] $sid.BinaryLength\n$sid.GetBinaryForm($b,0)\n$hexSID=[BitConverter]::ToString($b).Replace(\'-\',\'\')\n$domainDirEntry.Add("LDAP://<SID=$hexSID>")\n$domainDirEntry.CommitChanges()\n$domainDirEntry.dispose()'],
      dtype=object)

On the last line we can find that a username and password are set.

Answer: fR0s3nF1@k3_s

Question 19

The attacker then used remote desktop to remotely access one of our domain computers. What is the full ISO8601 compliant UTC EventTime when they established this connection?

To stay with the same method, there are also Event IDs for RDP logs. We can use Event ID 4642, which is for any login, together with the LogonType to filter on RDP logins.

events_df[
    (events_df["message.EventID"] == 4624)
    & (events_df["message.LogonInformation_LogonType"] == 10)
    & (events_df["message.NewLogon_AccountName"] == "nutcrakr")
].T.dropna(how="all").T

We found the log here, but there is something really awful. The last question that asked for a timestamp allowed the existing format, and according to the current question, this one does as well. This is not the case however. This time, we need to convert it to a UTC timestamp.

from datetime import datetime, UTC

datetime.fromtimestamp(
    datetime.fromisoformat("2024-09-16T11:35:57-04:00").timestamp(), UTC
).isoformat(timespec="milliseconds")

Answer: 2024-09-16T15:35:57.000+00:00

Question 20

The attacker is trying to create their own naughty and nice list! What is the full file path they created using their remote desktop connection?

From the previous result, we can grab the login ID to filter on anything that happened in that session. Let’s take a look at the processes that ran.

events_df[
    (events_df["message.LogonId"] == "0xdd425e")
][["message.Image", "message.CommandLine"]]

Event 1903852 is interesting here, as it shows that Notepad was used. Let’s take a closer look.

events_df.loc[1903852]["message.CommandLine"]

'"C:\\Windows\\system32\\NOTEPAD.EXE" C:\\WishLists\\santadms_only\\its_my_fakelst.txt'

Answer: C:\WishLists\santadms_only\its_my_fakelst.txt

Question 21

The Wombley faction has user accounts in our environment. How many unique Wombley faction users sent an email message within the domain?

Let’s first check what email addresses exist.

email_df["message.From"].value_counts()

We are quite a few, but the ones ending in “@northpole.local” are from our environment. Let’s filter on those.

email_df[email_df["message.From"].str.endswith("@northpole.local")]["message.From"].value_counts()

Now that we have all local email address, we can infer that the ones starting with “wcub” are from Wombley’s faction. The question asked for local messages, so we also add the domain check for the To field.

len(
    email_df[
        (email_df["message.From"].str.endswith("@northpole.local"))
        & (email_df["message.From"].str.startswith("wcub"))
        & (email_df["message.To"].str.endswith("@northpole.local"))
    ]["message.From"].unique()
)

4

Answer: 4

Question 22

The Alabaster faction also has some user accounts in our environment. How many emails were sent by the Alabaster users to the Wombley faction users?

This question is very similar to the previous one, just replace “wcub” with “asnowball”, and add another To check.

len(
    email_df[
        (email_df["message.From"].str.endswith("@northpole.local"))
        & (email_df["message.From"].str.startswith("asnowball"))
        & (email_df["message.To"].str.endswith("@northpole.local"))
        & (email_df["message.To"].str.startswith("wcub"))
    ]
)

22

Answer: 22

Question 23

Of all the reindeer, there are only nine. What’s the full domain for the one whose nose does glow and shine? To help you narrow your search, search the events in the ‘SnowGlowMailPxy’ event source.

Let’s start by listing all domains which had email activity.

email_df[["message.From", "message.To"]].stack().reset_index()[0].apply(lambda v: v.split("@")[1]).unique()

array(['northpole.local', 'merry.elves', 'santa.hut', 'rud01ph.glow',
       'sleigh.ride', 'blizzard.north', 'cheery.fireplace', 'holly.jolly',
       'icicle.light', 'twilight.star', 'candycane.factory', 'snowy.land',
       'bells.ring', 'elf.toyshop', 'yule.log', 'stocking.chimney',
       'snowflake.spark', 'frosty.north', 'ginger.snap',
       'toytinkers.land', 'mistlebranch.vixen', 'wreath.maker',
       'wicked.snow', 'gingerlane.dancer', 'evergreen.tree',
       'jolly.jingle', 'starlight.tree', 'northstar.nibbles',
       'snowflakekingdom.chill', 'gingerbread.house', 'pine.tree',
       'tinsel.town', 'pr4nc3r.trot', 'twinkle.light', 'nutcracker.tale',
       'reindeer.corral', 'snowdrift.globe', 'nogfest.eggnog',
       'tinsel.wrap', 'c0m3t.halleys', 'reindeers.fly'], dtype=object)

There are multiple reindeer domains in there, but obviously only Rudolph’s nose glows and shines.

Answer: rud01ph.glow

Question 24

With a fiery tail seen once in great years, what’s the domain for the reindeer who flies without fears? To help you narrow your search, search the events in the ‘SnowGlowMailPxy’ event source.

We can use the previous result for this question as well. Comet is the reindeer that fiels without fears.

Answer: c0m3t.halleys

Final elf message

Unbelievable! You dissected the attack chain using advanced analysis—impressive work! With determination like yours, we might just fix the mess and get Santa smiling again.