Hello once again internet, it’s me your one and only peppermint flavored script kitty here to wish you a happy holidays and to talk about the Sans Holiday Hack 2022! As you may know every year the team at Sans put together an online event where you can watch informative talks, solve fun hacking puzzles and talk with the Infosec community. This year I’ll be doing write ups of some of the puzzles, now I should note that it is a policy of mine to never do write ups on currently active competitions or anything that could give someone an unfair advantage. Since the event is over the activities are purely educational and exist only for fun and learning. Since fun and learning are the two cornerstones of the Cyberkat Cafe lets boot up our Christmas Synthwave Playlists and hop right into one of the first challenges!
To start the challenge off we talk with an elf by the name of Dusty Giftwrap in the Tolkien Ring area. He lets us know there was a compromise of some administrator credentials by an attacker looking to steal the secret ingredients to the Lembahn bread. However PowerShell auditing was enabled and they have saved the logs to a flat text file for us to analyze. We complete this challenge by correctly answering a series of questions related to the attack.
Now straight away the terminal lets us know that grep (Global regular expression print) will be a very useful tool and links us a helpful page on grep usage. The most important options are -i for ignore case and -n for show line numbers.
The first question is “What month/day/year did the attack take place? For example, 09/05/2021.” and there are a couple of different ways we can go about answering this question. We could take the rather primitive method of using grep **/**/2022 to get a list of all the dates in the log-file and Brute-force all the different dates, however using some Blue Team knowledge we can take a more sophisticated approach. Since we already know that there was unauthorized activity we can search the log for event ID 4104 which is the execution of a remote PowerShell command (For more information on finding malicious activity in Windows logs I recommend you check out this excellent blog post by Liam Clearly). On its own event ID 4104 doesn’t mean there was a security incident however if we do grep -n 4104 powershell.evtx.log and take a look at the entries we will see a large amount of activity on 12/24/2022 and this anomalous activity lines up with our knowledge of the attack. Using this information we can answer the first question.
Now the second question “An attacker got a secret from a file. What was the original file’s name?” a good question and again there are multiple ways we can get our answer. They way I did this was by first using some information we already know, the attacker was looking for the secret ingredient to Lembanh bread so lets do a search: grep -n Lembanh powershell.evtx.log with this we can see two interesting pieces of information on line 20207 a user was writing text to the file mydiary.txt and further up we can also see some log entries referencing “Lembahn Original Recipe”. Since we know there is a user writing to text files lets take a look for more entries in the log using grep -n Lembanh powershell.evtx.log with this we can see the other diary entries as well as some activity happening to a recipe.txt using this information we can answer the second question.
The third question “The contents of the previous file were retrieved, changed, and stored to a variable by the attacker. This was done multiple times. Submit the last full PowerShell line that performed only these actions.” caused me a bit of difficulty because I was trying to use control-v instead of control-shift-v to submit my answer, but how did I get that answer? Well in our last grep search we can see the attacker is using a variable foo to replace honey with fish oil, so if we do a grep search for fish we can see on line 7997 $foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'}.
Question 4 is “After storing the altered file contents into the variable, the attacker used the variable to run a separate command that wrote the modified data to a file. This was done multiple times. Submit the last full PowerShell line that performed only this action.” and we know the variable is foo so by doing grep -n foo powershell.evtx.log on line 7462 we see $foo | Add-Content -Path 'Recipe'. and for question 5 “The attacker ran the previous command against a file multiple times. What is the name of this file?” We can just look at our previous grep to get the answer. For question 6 “Were any files deleted?” we already know the answer from one of our previous grep searches however we can also do another search grep -n del powershell.evtx.log to look for the delete command which we see on line 6568 & 6762 and using that we can answer question 7 “Was the original file (from question 2) deleted? (Yes/No)”
Question 8 “What is the Event ID of the log that shows the actual command line used to delete the file?” Well if you remember from our first search we were looking for Event ID 4104 to see if there were many remote PowerShell commands on a certain date, this provides us with the answer to this question. Question 9 “Is the secret ingredient compromised (Yes/No)?” Is pretty simple because we already know the answer from answering question 3. And finally question 10 “What is the secret ingredient?” is also known to us because of our answer for question 3.
And with that we have completed the challenge and are rewarded 10 KringleCoin’s to spend on hats for our avatar! I hope you enjoyed this write up and this challenge, I know I learned a few tricks for analyzing windows logs and I also really enjoyed the challenge! As always if you did anything different or have any questions please let me know in the comments down below. And if you like this content please consider following my blog so you can be notified whenever I have a brand new piece of educational content to share with all you 1337 hax0rs and script kiddies out there surfing the information superhighway!
This is your one and only resident Script Kitty signing off, stay safe out there and remember never reuse your email password and have a happy holiday season!
The CyberKat Cafe 