KC7
RAICES CYBER - June 2023
Section 1
- Try it for yourself! Do a take 10 on all the other tables to see what kind of data they contain. Answer with "done" when you are finished.
- How many employees are in the company?
Employees | count
Answer: 1500
- Each employee at Castle&Sand is assigned an IP address. Which employee has the IP address: “10.10.2.1”?
Employees | where ip_addr == "10.10.2.1"
Answer: Preston Lane
- How many emails did Jacqueline Henderson receive?
First, we need to get her email address:
Employees
| where name == "Jacqueline Henderson"
That gives us jacqueline_henderson@castleandsand.com. Now we can use that to get the number of emails she received:
Email
| where recipient == "jacqueline_henderson@castleandsand.com"
| count
Answer: 26
- How many distinct senders were seen in the email logs from sunandsandtrading.com?
Email
| where sender has "sunandsandtrading.com"
| distinct sender
| count
Answer: 2146
- How many unique websites did “Cristin Genao” visit?
First we have to get Cristin's IP address:
Employees
| where name == "Cristin Genao"
Then we can plug that into the network event logs:
OutboundNetworkEvents
| where src_ip == "10.10.0.141"
| distinct url
| count
Answer: 45
- How many distinct domains in the PassiveDns records contain the word “shark”?
PassiveDns
// Note: `has` matches whole terms only, so a domain such as sharkfin.com is not matched;
// `contains` would match "shark" as a substring anywhere in the domain.
| where domain has "shark"
| distinct domain
| count
This gave me 11 total domains and 6 distinct domains, from which there were 9 distinct IP addresses. None of these 3 answers was accepted...
- What IPs did the domain “sharkfin.com” resolve to (enter any one of them)?
PassiveDns
| where domain == "sharkfin.com"
Answer: 180.5.6.199
- How many unique URLs were browsed by employees named “Karen”?
The first step was getting the IP addresses for all employees named Karen:
Employees
| where name has "Karen"
| distinct ip_addr
Then we can use that to get the URLs:
OutboundNetworkEvents
| where src_ip in ("10.10.5.1", "10.10.5.208", "10.10.3.117")
| distinct url
| count
Answer: 151
- BONUS: There is a codeword in the #general (Private) channel of the June Blue Team Cyber Challenge on the KC7 Discord (kc7cyber.com/community). Join the server and enter the codeword here for 100 BONUS POINTS!
Section 2
- Oh no! Castle&Sand has been hit with ransomware!!! They posted a ransom note and locked all of the company's files. IT was able to get you a copy of the ransom note. Take a look at the note. What email address did the threat actor provide to Castle&Sand to communicate with them? You can view the ransom note here: https://drive.google.com/file/d/1C9E2rSOSu1vYnZdW7VSVtbmix8a62i0C/view?usp=sharing
Answer: sharknadorules_gang@onionmail.org
- What is the unique decryption ID?
Answer: SUNNYDAY123329JA0
- Should this be something you post publicly about? Yes or no? Always be sure to determine if the data is sensitive to the company. You have to make sure you protect sensitive information, including all of the information in the Castle&Sand database.
Answer: no
- The ransom note filename was called "PAY_UP_OR_SWIM_WITH_THE_FISHES.txt". How many notes appeared in Castle&Sand's environment?
FileCreationEvents
| where filename == "PAY_UP_OR_SWIM_WITH_THE_FISHES.txt"
| count
Answer: 774
- How many distinct hostnames had the ransom note?
FileCreationEvents
| where filename == "PAY_UP_OR_SWIM_WITH_THE_FISHES.txt"
| distinct hostname
| count
Answer: 774
- Let's take the list of unique hostnames and search them across the Employees table. How many distinct employee roles were affected by the ransomware attack?
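Instead of copying the hostnames (or, for the Karen question above, the IP addresses) into an `in (...)` list by hand, a KQL `let` statement can feed the first query's results straight into the second. This is an added example, not a query from the original writeup; the column names `hostname` and `role` in the Employees table are assumed.

```kql
// Added example (not from the original writeup).
// Step 1: collect every distinct host where the ransom note was written.
let infected_hosts =
    FileCreationEvents
    | where filename == "PAY_UP_OR_SWIM_WITH_THE_FISHES.txt"
    | distinct hostname;
// Step 2: look those hosts up in Employees and count the distinct roles hit.
// `hostname` and `role` are assumed column names of the Employees table.
Employees
| where hostname in (infected_hosts)
| distinct role
| count
```

The same pattern replaces the pasted IP list in the Karen query: define `let karen_ips = Employees | where name has "Karen" | distinct ip_addr;` and filter with `where src_ip in (karen_ips)`.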