I'm the creator of the North Pole Elf Stack SIEM, and we're facing a crisis - Wombley's FrostBit ransomware attack has left our logs in chaos and destroyed our only backup of the Naughty-Nice List on his laptop. With Santa furious about all the fighting, we need your help analyzing the logs using our ELK stack or Linux CLI tools to trace the attack path and hopefully make things right.
Elf Stack Intro Hints: I'm part of the ElfSOC that protects the interests here at the North Pole. We built the Elf Stack SIEM, but not everybody uses it. Some of our senior analysts choose to use their command line skills, while others choose to deploy their own solution. Any way is possible to hunt through our logs!
Elf Stack Fields Hints: If you are using your command line skills to solve the challenge, you might need to review the configuration files from the containerized Elf Stack SIEM.
Elf Stack WinEvent Hints: One of our seasoned ElfSOC analysts told me about a great resource to have handy when hunting through event log data. I have it around here somewhere, or maybe it was online. Hmm.
For the sake of simplicity, in each case I give the question, the command I ran and the answer:
In principle, you can decide here whether to solve the task with the help of the Elastic stack or to rely on basic Linux tools. I chose the latter because it let me get results faster and, in some cases, examine useful surrounding context more easily than would have been possible in Elastic.
Question 1: How many unique values are there for the event_source field in all logs?
cat log_chunk_* | cut -f 4 -d " " | sort | uniq
5
Question 2: Which event_source has the fewest number of events related to it?
for i in AuthLog GreenCoat NetflowPmacct SnowGlowMailPxy WindowsEvent; do echo $i; grep $i log_chunk_* | wc -l; done
AuthLog
Question 3: Using the event_source from the previous question as a filter, what is the field name that contains the name of the system the log event originated from?
grep AuthLog log_chunk_* | grep host | head -n 1
hostname
Question 4: Which event_source has the second highest number of events related to it?
(same command as Q2)
NetflowPmacct
Question 5: Using the event_source from the previous question as a filter, what is the name of the field that defines the destination port of the Netflow logs?
grep NetflowPmacct log_chunk_* | grep port | head -n 1
port_dst
Question 6: Which event_source is related to email traffic?
(same command as Q1)
SnowGlowMailPxy
Question 7: Looking at the event source from the last question, what is the name of the field that contains the actual email text?
grep SnowGlowMailPxy log_chunk_* | grep email | head -n 1
Body
Question 8: Using the 'GreenCoat' event_source, what is the only value in the hostname field?
grep GreenCoat log_chunk_* | cut -f 3 -d " " | sort | uniq
SecureElfGwy
Question 9: Using the 'GreenCoat' event_source, what is the name of the field that contains the site visited by a client in the network?
grep GreenCoat log_chunk_* | head -n 1
url
Question 10: Using the 'GreenCoat' event_source, which unique URL and port (URL:port) did clients in the TinselStream network visit most?
grep GreenCoat log_chunk_* | awk -F'"url":' '{split($2, a, ","); print a[1]}' | sort | uniq -c | sort -n
pagead2.googlesyndication.com:443
Question 11: Using the 'WindowsEvent' event_source, how many unique Channels is the SIEM receiving Windows event logs from?
grep WindowsEvent log_chunk_* | awk -F'"Channel":' '{split($2, a, ","); print a[1]}' | sort | uniq
5
Question 12: What is the name of the event.Channel (or Channel) with the second highest number of events?
grep WindowsEvent log_chunk_* | awk -F'"Channel":' '{split($2, a, ","); print a[1]}' | sort | uniq -c
Microsoft-Windows-Sysmon/Operational
Question 13: Our environment is using Sysmon to track many different events on Windows systems. What is the Sysmon Event ID related to loading of a driver?
6 (answer from a web search, not from the logs)
Question 14: What is the Windows event ID that is recorded when a new service is installed on a system?
4697 (answer from a web search, not from the logs)
Question 15: Using the WindowsEvent event_source as your initial filter, how many user accounts were created?
grep WindowsEvent log_chunk_* | grep "\"EventID\": 4720"
0
Up for the real challenge? Take a deep dive into those logs and query your way through the chaos. It might be tricky, but I know your adaptable skills will crack it!
Elf Stack PowerShell Hints: Our Elf Stack SIEM has some minor issues when parsing log data that we still need to figure out. Our ElfSOC SIEM engineers drank many cups of hot chocolate figuring out the right parsing logic. The engineers wanted to ensure that our junior analysts had a solid platform to hunt through log data.
Elf Stack Hard - Email1 Hints: I was on my way to grab a cup of hot chocolate the other day when I overheard the reindeer talking about playing games. The reindeer mentioned trying to invite Wombley and Alabaster to their games. This may or may not be great news. All I know is, the reindeer better create formal invitations to send to both Wombley and Alabaster.
Elf Stack Hard - Email2 Hints: Some elves have tried to make tweaks to the Elf Stack log parsing logic, but only a seasoned SIEM engineer or analyst may find that task useful.
Again, for the sake of simplicity, I give the questions, the commands and the corresponding answers. This time, a little ingenuity and creativity are sometimes required.
Question 1: What is the event.EventID number for Sysmon event logs relating to process creation?
1 (answer from a web search, not from the logs)
Question 2: How many unique values are there for the 'event_source' field in all of the logs?
cat log_chunk_* | cut -f 4 -d " " | sort | uniq
5
Question 3: What is the event_source name that contains the email logs?
cat log_chunk_* | cut -f 4 -d " " | sort | uniq
SnowGlowMailPxy
Question 4: The North Pole network was compromised recently through a sophisticated phishing attack sent to one of our elves. The attacker found a way to bypass the middleware that prevented phishing emails from getting to North Pole elves. As a result, one of the Received IPs will likely be different from what most email logs contain. Find the email log in question and submit the value in the event 'From:' field for this email log event.
grep SnowGlowMailPxy log_chunk_* | awk -F'"ReceivedIP2":' '{split($2, a, ","); print a[1]}' | sort | uniq
grep SnowGlowMailPxy log_chunk_* | grep "ReceivedIP2\": \"34.30.110.62"
kriskring1e@northpole.local
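The grep/awk one-liners above split the JSON payload on commas and sort counts lexically, which works on these logs but breaks as soon as a value contains a comma. As an added example (my own code, not part of the write-up or of the Elf Stack project), the following Python parses each line into its JSON payload and reproduces the URL:port count from the easy Q10, this question's hunt for the rare ReceivedIP2 value, and the ProcessID pivot used in later questions. The line layout (date, time, hostname, event_source, JSON) is an assumption inferred from the cut -f 3 / cut -f 4 usage, and the sample lines are constructed.

```python
import json
from collections import Counter

# Constructed sample lines in the ASSUMED log_chunk_* layout:
# "<date> <time> <hostname> <event_source> <json payload>"
SAMPLE_LOG = """\
2024-09-16 10:01:02 mailpxy SnowGlowMailPxy {"From": "asnowball@northpole.local", "To": "wcub1@northpole.local", "ReceivedIP2": "10.12.25.10"}
2024-09-16 10:01:05 mailpxy SnowGlowMailPxy {"From": "asnowball@northpole.local", "To": "wcub2@northpole.local", "ReceivedIP2": "10.12.25.10"}
2024-09-16 10:02:30 mailpxy SnowGlowMailPxy {"From": "kriskring1e@northpole.local", "To": "elf_user02@northpole.local", "ReceivedIP2": "34.30.110.62"}
2024-09-16 10:02:31 mailpxy SnowGlowMailPxy {"From": "wcub1@northpole.local", "To": "asnowball@northpole.local", "ReceivedIP2": "10.12.25.10"}
2024-09-16 10:03:00 SecureElfGwy GreenCoat {"url": "pagead2.googlesyndication.com:443"}
2024-09-16 10:03:01 SecureElfGwy GreenCoat {"url": "pagead2.googlesyndication.com:443"}
2024-09-16 10:03:02 SecureElfGwy GreenCoat {"url": "example.com:443"}
2024-09-16 10:04:00 dc WindowsEvent {"EventID": 3, "ProcessID": 10014, "Port": 8443}
"""


def parse_line(line):
    """Return (hostname, event_source, payload dict) or None for an unparsable line.
    maxsplit=4 keeps the JSON payload (which contains spaces) in one piece."""
    parts = line.split(" ", 4)
    if len(parts) < 5:
        return None
    _date, _time, host, source, raw = parts
    try:
        return host, source, json.loads(raw)
    except json.JSONDecodeError:
        return None  # skip lines the SIEM itself would fail to parse, do not crash


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def count_values(events, source, field):
    """Counter of `field` values across events from `source` (e.g. GreenCoat / url);
    most_common() gives a numeric ordering, unlike a plain `sort` after `uniq -c`."""
    return Counter(p[field] for _h, s, p in events if s == source and field in p)


def rare_values(events, source, field, max_count=1):
    """Values seen at most `max_count` times: the one odd ReceivedIP2 stands out this way."""
    return {v: c for v, c in count_values(events, source, field).items() if c <= max_count}


def select(events, source, **conds):
    """Payloads from `source` matching every field=value, i.e. the grep-chain pivot
    (e.g. ProcessID=10014 to find the payload's outbound connection)."""
    return [p for _h, s, p in events
            if s == source and all(p.get(k) == v for k, v in conds.items())]
```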
Question 5: Our ElfSOC analysts need your help identifying the hostname of the domain computer that established a connection to the attacker after receiving the phishing email from the previous question. You can take a look at our GreenCoat proxy logs as an event source. Since it is a domain computer, we only need the hostname, not the fully qualified domain name (FQDN) of the system.
grep GreenCoat log_chunk_* | grep "url\": \".*howtosavexmas.zip"
SleighRider
Question 6: What was the IP address of the system you found in the previous question?
grep GreenCoat log_chunk_* | grep "url\": \".*howtosavexmas.zip"
172.24.25.12
Question 7: A process was launched when the user executed the program AFTER they downloaded it. What was that Process ID number (digits only please)?
grep WindowsEvent log_chunk_* | grep "ProcessName\": \".*howtosavexmas.*" | grep "ObjectType\": \".*File.*"
10014
Question 8: Did the attacker's payload make an outbound network connection? Our ElfSOC analysts need your help identifying the destination TCP port of this connection.
grep WindowsEvent log_chunk_* | grep "ProcessID\": 10014" | grep "Image\": \".*howtosavexmas.*" | grep Port
8443
Question 9: The attacker escalated their privileges to the SYSTEM account by creating an inter-process communication (IPC) channel. Submit the alpha-numeric name for the IPC channel used by the attacker.
grep WindowsEvent log_chunk_* | grep "ProcessID\": 10014" | grep pipe
ddpvccdbr
Question 10: The attacker's process attempted to access a file. Submit the full and complete file path accessed by the attacker's process.
grep WindowsEvent log_chunk_* | grep "ProcessName\": \".*howtosavexmas.*" | grep File
C:\Users\elf_user02\Desktop\kkringl315@10.12.25.24.pem
Question 11: The attacker attempted to use a secure protocol to connect to a remote system. What is the hostname of the target server?
cat log_chunk_* | grep "34.30.110.62" | grep -i ssh | grep -i hostname
kringleSSleigH
Question 12: The attacker created an account to establish their persistence on the Linux host. What is the name of the new account created by the attacker?
grep AuthLog log_chunk_* | grep "new user"
ssdh
Question 13: The attacker wanted to maintain persistence on the Linux host they gained access to and executed multiple binaries to achieve their goal. What was the full CLI syntax of the binary the attacker executed after they created the new user account?
grep AuthLog log_chunk_* | grep -A 20 "new user" | grep COMMAND
/usr/sbin/usermod -a -G sudo ssdh
Question 14: The attacker enumerated Active Directory using a well known tool to map our Active Directory domain over LDAP. Submit the full ISO8601 compliant timestamp when the first request of the data collection attack sequence was initially recorded against the domain controller.
grep WindowsEvent log_chunk_*.log | grep "EventID\": 2889" | grep "Computer\": \"dc.*" | head -n 1
2024-09-16T11:10:12-04:00
Question 15: The attacker attempted to perform an ADCS ESC1 attack, but certificate services denied their certificate request. Submit the name of the software responsible for preventing this initial attack.
grep WindowsEvent log_chunk_*.log | grep -i "certificate template"
KringleGuard
Question 16: We think the attacker successfully performed an ADCS ESC1 attack. Can you find the name of the user they successfully requested a certificate on behalf of?
grep WindowsEvent log_chunk_*.log | grep -i "certificate template"
nutcrakr
Question 17: One of our file shares was accessed by the attacker using the elevated user account (from the ADCS attack). Submit the folder name of the share they accessed.
grep WindowsEvent log_chunk_*.log | grep "Subject_AccountName\": \"nutcrakr" | grep "EventID\": 5140" | grep accessed
WishLists
Question 18: The naughty attacker continued to use their privileged account to execute a PowerShell script to gain domain administrative privileges. What is the password for the account the attacker used in their attack payload?
grep WindowsEvent log_chunk_*.log | grep -i "nutcrakr" | grep -i payload | grep pswd
fR0s3nF1@k3_s
Question 19: The attacker then used remote desktop to remotely access one of our domain computers. What is the full ISO8601 compliant UTC EventTime when they established this connection?
grep WindowsEvent log_chunk_*.log | grep "EventID\": 4624" | grep "LogonType\": 10"
2024-09-16T15:35:57.000Z
Question 20: The attacker is trying to create their own naughty and nice list! What is the full file path they created using their remote desktop connection?
grep WindowsEvent log_chunk_*.log | grep "CurrentDirectory\": .*List.*"
C:\WishLists\santadms_only\its_my_fakelst.txt
Question 21: The Wombley faction has user accounts in our environment. How many unique Wombley faction users sent an email message within the domain?
grep SnowGlowMailPxy log_chunk_*.log | awk -F'"From":' '{split($2, a, ","); print a[1]}' | sort | uniq | grep cub
4
Question 22: The Alabaster faction also has some user accounts in our environment. How many emails were sent by the Alabaster users to the Wombley faction users?
grep SnowGlowMailPxy log_chunk_*.log | grep "From\": \"asnow" | grep "To\": \"wcub" | wc -l
22
Question 23: Of all the reindeer, there are only nine. What's the full domain for the one whose nose does glow and shine? To help you narrow your search, search the events in the 'SnowGlowMailPxy' event source.
grep SnowGlowMailPxy log_chunk_*.log | awk -F'"From":' '{split($2, a, ","); print a[1]}' | sort | uniq -c | sort -n | grep -i rudolph
rud01ph.glow
Question 24: With a fiery tail seen once in great years, what's the domain for the reindeer who flies without fears? To help you narrow your search, search the events in the 'SnowGlowMailPxy' event source.
grep SnowGlowMailPxy log_chunk_*.log | awk -F'"From":' '{split($2, a, ","); print a[1]}' | sort | uniq -c | sort -n | grep -i reindeer
c0m3t.halleys
I'm so impressed with how efficiently you worked through the ELK stack logs like an expert - your quick and accurate analysis of the attack chain might just be what we need to get Santa smiling again! With skills like yours piecing together the attack path, the North Pole owes you a huge debt of gratitude.