Plenty of Phish

  1. What is Sonia's job role?

Ans: Senior Editor

// KQL

Employees
| where name == "Sonia Gose"
| project role

  1. What email address was used to send this email?

Ans: The sender address is visible in the screenshot of the email: [email protected]

  1. When was the email sent to Sonia Gose? Enter the exact timestamp from the logs.

Ans

// KQL

Email
| where sender == "[email protected]" and recipient has "Sonia"
| project timestamp

  1. What URL was included in the email?

Ans

  1. What is Sonia Gose's IP address?

Ans

  1. Did Sonia click on this link? If so, enter the timestamp when she clicked the link. If not, type "no".

Ans: Sonia's IP address and the URL from the email are both known at this point, so the outbound browsing logs can be filtered on that source IP and that URL to find the click.

2024-01-05T10:23:17Z

  1. What was the name of the docx file in the link that Sonia clicked?

Ans: Valdorian_Times_Editorial_Offer_Letter.docx

  1. What is Sonia Gose's hostname?

Ans: UL0M-MACHINE

  1. When did the downloaded docx file first show up on Sonia's machine?

Ans: Query the file creation events for the docx filename on Sonia's hostname and take the earliest timestamp.

  1. What was the full path of the docx file that was downloaded to Sonia's machine?

Ans: Same query as before, projecting the path instead of the timestamp.

C:\Users\sogose\Downloads\Valdorian_Times_Editorial_Offer_Letter.docx

  1. What is the sha256 hash of the file that Sonia downloaded?

Ans: Modify the previous query to project the sha256 column.

60b854332e393a6a2f0015383969c3ac705126a6b7829b762057a3994967a61f

  1. What is the name of the file (.ps1) that was written to disk immediately after the docx was downloaded?

Ans

  1. When was this new file created?

Ans: Modify the previous query to project the timestamp as well.
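The two questions above (when the docx first appeared, then which .ps1 was written immediately after it) are a time-ordered pivot over file creation events. The Python below is an added example, not code from the page or from the KC7 scenario: it reproduces that pivot over a handful of constructed file events. The field names (timestamp, hostname, path, sha256), the sample timestamps, the other hosts and the hypothetical dropper filename are assumptions made for the example; only the docx path and hash come from the page.

```python
from datetime import datetime, timedelta

# Constructed file creation events for the example (not real log data). The docx path
# and hash are the ones from the page; every timestamp, the second host and the .ps1
# names are made up.
FILE_EVENTS = [
    {"timestamp": "2024-01-05T10:23:40Z", "hostname": "UL0M-MACHINE",
     "path": r"C:\Users\sogose\Downloads\Valdorian_Times_Editorial_Offer_Letter.docx",
     "sha256": "60b854332e393a6a2f0015383969c3ac705126a6b7829b762057a3994967a61f"},
    {"timestamp": "2024-01-05T10:23:42Z", "hostname": "UL0M-MACHINE",
     "path": r"C:\ProgramData\example_dropper.ps1",            # hypothetical dropper name
     "sha256": "0" * 64},
    {"timestamp": "2024-01-05T10:23:41Z", "hostname": "OTHER-HOST",
     "path": r"C:\ProgramData\unrelated.ps1",                  # other host: must be excluded
     "sha256": "1" * 64},
    {"timestamp": "2024-01-05T10:40:00Z", "hostname": "UL0M-MACHINE",
     "path": r"C:\Users\sogose\Documents\notes.ps1",           # same host but outside the window
     "sha256": "2" * 64},
    {"timestamp": "2024-01-05T11:00:00Z", "hostname": "UL0M-MACHINE",
     "path": r"C:\Users\sogose\Desktop\Valdorian_Times_Editorial_Offer_Letter.docx",  # later copy
     "sha256": "60b854332e393a6a2f0015383969c3ac705126a6b7829b762057a3994967a61f"},
]


def parse_ts(ts: str) -> datetime:
    # Timestamps are ISO 8601 with a trailing Z; make them timezone-aware for comparison.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def basename(path: str) -> str:
    # Windows paths: take the component after the last backslash.
    return path.rsplit("\\", 1)[-1]


def first_seen(events, hostname, filename):
    """Earliest creation event for `filename` on `hostname`, or None if it never appeared."""
    matches = [e for e in events
               if e["hostname"] == hostname and basename(e["path"]).lower() == filename.lower()]
    return min(matches, key=lambda e: parse_ts(e["timestamp"]), default=None)


def written_after(events, anchor, window_seconds, suffix=".ps1"):
    """Files ending in `suffix` created on the anchor's host within `window_seconds` after it."""
    t0 = parse_ts(anchor["timestamp"])
    t1 = t0 + timedelta(seconds=window_seconds)
    hits = [e for e in events
            if e["hostname"] == anchor["hostname"]
            and e["path"].lower().endswith(suffix)
            and t0 < parse_ts(e["timestamp"]) <= t1]
    return sorted(hits, key=lambda e: parse_ts(e["timestamp"]))


def next_script_after_docx(events, hostname, docx_name, window_seconds=60):
    """The first .ps1 written on the host within the window after the docx first appeared."""
    anchor = first_seen(events, hostname, docx_name)
    if anchor is None:
        return None
    hits = written_after(events, anchor, window_seconds)
    return hits[0] if hits else None


if __name__ == "__main__":
    name = "Valdorian_Times_Editorial_Offer_Letter.docx"
    docx = first_seen(FILE_EVENTS, "UL0M-MACHINE", name)
    print("docx first seen:", docx["timestamp"], docx["path"], docx["sha256"])
    nxt = next_script_after_docx(FILE_EVENTS, "UL0M-MACHINE", name)
    print("next .ps1 within 60s:", nxt["timestamp"], nxt["path"])
```

The host filter matters as much as the time window: without it, a script dropped on an unrelated machine a second later would be picked up as the follow-on file.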

  1. Let's do some research! What type of file is this?

Ans: A PowerShell script (.ps1).

  1. What does the attacker say to "let you know they are here"?

Ans: "lol ur bout 2 get pwnd...;lol ur bout 2 get pwnd"

  1. According to the PowerShell script, what might be the hacker's favorite color?

Ans: Green

  1. The purpose of the script is to invoke ____ and uncover da truth

Ans: Plink

  1. How many Process Events are there related to this PowerShell script on Sonia's machine?

Ans: 3

  1. What is the full command used to create the scheduled task?

Ans: schtasks /create /sc hourly /mo 5 /tn "Hacktivist Manifesto" /tr "powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\hacktivist_manifesto.ps1"

  1. What ExecutionPolicy is set in the command?

Ans: Bypass

  • schtasks: Command-line tool to manage scheduled tasks.

  • /create: Create a new task.

  • /sc hourly: Schedule type: hourly.

  • /mo 5: Modifier for the schedule type; combined with /sc hourly it means run every 5 hours.

  • /tn "Hacktivist Manifesto": Task name.

  • /tr "powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\hacktivist_manifesto.ps1": Action to run the PowerShell script with execution policy bypassed.
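The breakdown above can be automated. The Python below is an added example (not code from the page or from the KC7 scenario) that parses a schtasks /create command line into its switches, splits the /tr action into the PowerShell arguments, and returns the findings a responder wants from it: task name, run interval, execution policy and script path. The list of value-taking switches and the ProgramData check are the example's own assumptions; the command line itself is the one recovered on the page.

```python
import shlex

# Command line recovered from the process events on the page.
SCHTASKS_CMD = (
    r'schtasks /create /sc hourly /mo 5 /tn "Hacktivist Manifesto" '
    r'/tr "powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\hacktivist_manifesto.ps1"'
)

# schtasks switches that consume the following token (a subset; assumption for the example).
VALUE_SWITCHES = {"/sc", "/mo", "/tn", "/tr", "/ru", "/rp", "/st", "/sd", "/ed", "/d", "/m"}

# Minutes per unit for the schedule types whose /mo is a plain multiplier.
MINUTES_PER_UNIT = {"minute": 1, "hourly": 60, "daily": 60 * 24}


def unquote(tok: str) -> str:
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok


def parse_schtasks(cmdline: str) -> dict:
    """Split a schtasks command line into bare flags, switch values and the parsed /tr action."""
    # posix=False keeps Windows backslashes and quoted arguments intact.
    toks = shlex.split(cmdline, posix=False)
    if not toks or toks[0].lower() not in ("schtasks", "schtasks.exe"):
        raise ValueError("not a schtasks command line")
    task = {"flags": set(), "options": {}, "action": []}
    i = 1
    while i < len(toks):
        t = toks[i].lower()
        if t in VALUE_SWITCHES and i + 1 < len(toks):
            task["options"][t] = unquote(toks[i + 1])
            i += 2
        else:
            task["flags"].add(t)
            i += 1
    # The /tr value is itself a command line; split it the same way.
    action = shlex.split(task["options"].get("/tr", ""), posix=False)
    task["action"] = [unquote(a) for a in action]
    return task


def _arg_after(action, name):
    low = [a.lower() for a in action]
    if name in low and low.index(name) + 1 < len(action):
        return action[low.index(name) + 1]
    return None


def execution_policy(task):
    return _arg_after(task["action"], "-executionpolicy")


def script_path(task):
    return _arg_after(task["action"], "-file")


def interval_minutes(task):
    sc = task["options"].get("/sc", "").lower()
    mo = task["options"].get("/mo", "1")
    if sc in MINUTES_PER_UNIT and mo.isdigit():
        return int(mo) * MINUTES_PER_UNIT[sc]
    return None


def findings(task):
    """Human-readable points a responder would note about the task."""
    out = []
    if "/create" in task["flags"]:
        out.append('creates task "%s"' % task["options"].get("/tn", "?"))
    mins = interval_minutes(task)
    if mins:
        out.append("runs every %d minutes" % mins)
    pol = execution_policy(task)
    if pol and pol.lower() in ("bypass", "unrestricted"):
        out.append("PowerShell ExecutionPolicy %s" % pol)
    path = script_path(task)
    if path and path.lower().startswith("c:\\programdata\\"):
        out.append("script lives in ProgramData: %s" % path)
    return out


if __name__ == "__main__":
    task = parse_schtasks(SCHTASKS_CMD)
    for line in findings(task):
        print("-", line)
```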

  1. What IP address is used when plink is executed?

Ans: 136.130.190.181

  1. What username did the attacker use when connecting via plink?

Ans: It is visible in the plink command line returned by the previous query.

  1. What password did the attacker use when connecting via plink?

Ans: Same command line as the previous question. plink accepts the password as a command-line argument, so it is recorded in the process command line along with the username.

  1. What six-letter command did the attackers run to figure out which user they are logged on as on the computer?

Ans: This one can be guessed: "whoami".

If you want to confirm it with KQL, filter the process events on Sonia's hostname for a command line containing "whoami"; the query would be something like

  1. How many discovery commands did the attackers run on this machine?

Ans: This one is a little tricky. Use the MITRE ATT&CK Discovery tactic (TA0007) as the reference for which commands count as discovery, then search Sonia's process events for each candidate by trial and error.

5

  • whoami (T1033, System Owner/User Discovery): displays the current username.

  • hostname (T1082, System Information Discovery): shows the name of the computer.

  • ipconfig (T1016, System Network Configuration Discovery): displays network configuration details.

  • netstat (T1049, System Network Connections Discovery): shows network connections, routing tables and interface statistics.

  • systeminfo (T1082, System Information Discovery): provides detailed information about the system, including OS version, hardware and network configuration.
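Counting discovery commands by trial and error does not scale past one host. The Python below is an added example (not code from the page or from the KC7 scenario) that classifies process command lines against ATT&CK discovery technique IDs and counts the distinct discovery commands per host; it goes slightly beyond the page by also recognising tasklist, arp and the net subcommands. The process events are constructed for the example, using the page's hostname and the five commands found plus noise rows, and the field names (timestamp, hostname, process_commandline) are assumptions.

```python
import ntpath

# Command -> ATT&CK technique ID under the Discovery tactic (TA0007).
# "net" is resolved by its subcommand because it covers several techniques.
DISCOVERY = {
    "whoami": "T1033",      # System Owner/User Discovery
    "hostname": "T1082",    # System Information Discovery
    "systeminfo": "T1082",
    "ipconfig": "T1016",    # System Network Configuration Discovery
    "netstat": "T1049",     # System Network Connections Discovery
    "tasklist": "T1057",    # Process Discovery
    "arp": "T1018",         # Remote System Discovery
    "net view": "T1018",
    "net user": "T1087",    # Account Discovery
    "net group": "T1087",
}

# Constructed process events (not real log data): the page's hostname and the five
# discovery commands it lists, a repeated whoami, two noise rows and one other host.
PROCESS_EVENTS = [
    {"timestamp": "2024-01-05T10:30:01Z", "hostname": "UL0M-MACHINE", "process_commandline": "whoami"},
    {"timestamp": "2024-01-05T10:30:05Z", "hostname": "UL0M-MACHINE", "process_commandline": "hostname"},
    {"timestamp": "2024-01-05T10:30:09Z", "hostname": "UL0M-MACHINE", "process_commandline": "ipconfig /all"},
    {"timestamp": "2024-01-05T10:30:14Z", "hostname": "UL0M-MACHINE", "process_commandline": "netstat -ano"},
    {"timestamp": "2024-01-05T10:30:20Z", "hostname": "UL0M-MACHINE", "process_commandline": "systeminfo"},
    {"timestamp": "2024-01-05T10:30:25Z", "hostname": "UL0M-MACHINE",
     "process_commandline": r'"C:\Windows\System32\whoami.exe" /all'},
    {"timestamp": "2024-01-05T10:30:30Z", "hostname": "UL0M-MACHINE", "process_commandline": "notepad.exe"},
    {"timestamp": "2024-01-05T10:30:35Z", "hostname": "UL0M-MACHINE",
     "process_commandline": r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\hacktivist_manifesto.ps1"},
    {"timestamp": "2024-01-05T10:31:00Z", "hostname": "OTHER-HOST", "process_commandline": "net user"},
]


def command_key(cmdline: str):
    """Normalise a command line to its lookup key: executable basename without .exe,
    with the subcommand appended for net."""
    parts = cmdline.strip().split()
    if not parts:
        return None
    exe = ntpath.basename(parts[0].strip('"')).lower()
    if exe.endswith(".exe"):
        exe = exe[:-4]
    if exe == "net" and len(parts) > 1:
        return "net " + parts[1].lower()
    return exe


def classify(cmdline: str):
    """ATT&CK technique ID for a discovery command line, or None if it is not one."""
    return DISCOVERY.get(command_key(cmdline))


def discovery_commands(events, hostname):
    """Discovery events on `hostname` in time order, as (timestamp, command line, technique)."""
    hits = [(e["timestamp"], e["process_commandline"], classify(e["process_commandline"]))
            for e in events
            if e["hostname"] == hostname and classify(e["process_commandline"])]
    return sorted(hits)


def count_distinct(events, hostname):
    """Number of distinct discovery commands run on the host (repeats counted once)."""
    return len({command_key(cmd) for _, cmd, _ in discovery_commands(events, hostname)})


if __name__ == "__main__":
    for ts, cmd, tid in discovery_commands(PROCESS_EVENTS, "UL0M-MACHINE"):
        print(ts, tid, cmd)
    print("distinct discovery commands:", count_distinct(PROCESS_EVENTS, "UL0M-MACHINE"))
```

Whether a repeated command counts once or twice depends on the question being asked; the block keeps both views, the raw event list and the distinct count, so either can be reported.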

  1. Do you think we can safely stop our investigation here? (yes/no)

Ans: No. The scheduled task and the plink connection to 136.130.190.181 give the attacker persistence and a channel into the host, and none of that has been removed yet; containment and clean-up of the system are still pending.
