SANS Holiday Hack Challenge 2020: Objective 6: Splunk Challenge

Each year, the SANS and Counter Hack Challenges teams put together my favorite capture the flag (CTF) competition, the SANS Holiday Hack Challenge. The 2020 SANS Holiday Hack Challenge, featuring KringleCon 3: French Hens! was held at Santa’s newly renovated castle at the North Pole from December 10, 2020 to January 11, 2021. This is a walk-through for an objective from the event.

Objective 6) Access the Splunk terminal in the Great Room. What is the name of the adversary group that Santa feared would attack KringleCon?

The first time I attempted to complete this challenge, I had not gone through the picture to take on the role of Santa (see Objective 5 to understand what this means). When I attempted to log into Splunk, I was unable to because I was not authorized. To get around this, I became Santa and then went back to the Splunk Terminal in the great room and I was able to log right in!

Splunk Challenge

To complete the objective, I was given a series of training questions which I had to search Splunk to solve. These training questions, along with the process I followed to search Splunk are documented below.

Training Question 1

Question 1: How many distinct MITRE ATT&CK techniques did Alice emulate?

To help solve this, Santa dropped a link to a talk in the SOC chat. I wasn’t sure how to get started, so I watched this video. From it I learned which Splunk indexes exist and that each technique Alice simulated was stored in its own index.

First I searched index=T* to pull back all the logs that represented a simulated technique. Then I looked in the side bar to see how many unique values there were. It showed 25. However, in the video I learned that there are different indexes for the same technique on different operating systems, meaning that there were likely duplicate techniques in that list of 25.

To filter down to a list of unique values, I updated my query to the following: index=T* | table index | dedup index. From here, I was able to count the unique values and arrived at thirteen distinct techniques that were simulated.

Answer: 13

Training Question 2

Question 2: What are the names of the two indexes that contain the results of emulating Enterprise ATT&CK technique 1059.003?

For this, I used the search index=t1059.003* and confirmed that I got logs that used the 1059.003 technique. Then I added on | table index | dedup index to get a list of the unique indexes that used that technique.

This produced two indexes: T1059.003-main and T1059.003-win

Answer: T1059.003-main T1059.003-win

Training Question 3

Question 3: One technique that Santa had us simulate deals with ‘system information discovery.’ What is the full name of the registry key that is queried to determine the MachineGuid?

To begin this question, I searched the ATT&CK documentation for “system information discovery”. This produced two results (T1082 and T1426). I ruled out T1426 because it applies to mobile devices, which typically don’t have a registry the way Windows systems do. Thus, I focused on T1082.

Next, I searched in Splunk for index=T1082* machineguid and got 4 results. Two of them queried HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography, which was the answer.

Answer: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography

Training Question 4

Question 4: According to events recorded by the Splunk Attack Range, when was the first OSTAP related atomic test executed?

When I watched the conference talk about Splunk, it mentioned that there are different indexes as well, including one called Attack. When I searched index=attack, I saw some logs indicating that Atomic Red Team was being run. When I looked at those log results, I noticed that there was a field called “Test Name” associated with them.

I updated my search to include a filter on Test Name containing OSTAP (index=attack "Test Name"=*OSTAP*). I sorted the results on the field “Execution Time _UTC” and got the earliest time stamp of 2020-11-30T17:44:15Z

Answer: 2020-11-30T17:44:15Z

Training Question 5

Question 5: One Atomic Red Team test executed by the Attack Range makes use of an open source package authored by frgnca on GitHub. According to Sysmon (Event Code 1) events in Splunk, what is the processId associated with the first use of this component?

This question mentioned a package authored by frgnca on GitHub, so I searched for that user on GitHub. It is available here. frgnca had a couple of repositories published, a few of which looked like they could be used in Atomic Red Team.

Next, I searched the Atomic Red Team index for strings that might indicate that one of the repositories from frgnca’s GitHub was being used. One of the strings I searched for was just “Audio” since frgnca had published an AudioDeviceCmdlets package. This led me to technique T1123: Audio Capture, whose description mentions using a device audio capture cmdlet. The documentation for Test 1 confirmed that it uses frgnca’s AudioDeviceCmdlets package.

Next, I shifted gears to locate the first use of this test in the logs in Splunk. The question indicates that I should look at Sysmon events with an event code of 1, so I started my search with index=T1123* to see the logs associated with the T1123 tests that were run. I also added a filter for eventtype="ms-sysmon-process" since I knew I wanted to look at Sysmon events, and a filter for EventCode=1 since the question indicated that I should look at event code 1, meaning a new process was created.

When I looked at the resulting logs, I noticed that there was a CommandLine field which shows the command that was run for that log. The documentation for the test associated with T1123 states that the test runs with PowerShell and provides the following command line: powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet.

This led me to add this command line string to my search, which narrowed down my results to two logs. I picked the earlier of the two by looking at the System Time field. The earlier one happened at 2020-11-30T19:25:14.572014200Z. I then examined this log entry to find the ProcessId field, which had a value of 3648. I entered this and it was correct!

My final filter in Splunk was: index=T1123* eventtype="ms-sysmon-process" EventCode=1 "powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet"

Answer: 3648

It’s worth noting that the Sysmon logs have two fields named processid with different variations on capitalization. I was able to determine the correct field by mapping these back to the log record itself. The process ID in the logs that corresponded with 3648 also shows <Data Name='ProcessId'>3648</Data>. This implies that the process ID listed applies to the process whose creation is documented by the event code 1 log, since it’s encapsulated in the data portion of the log record.

The other process ID in the logs (which is shown as the string 2236) appears as <Execution ProcessID='2236' ThreadID='3136'/>. Because this is talking about execution, this seems to correspond more with the execution of Sysmon itself and not the process whose creation is being documented by the event code 1 log record.
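The two-PID distinction above, as an added example that is not part of the write-up: a small parser for a Sysmon Event ID 1 record that returns the Sysmon service PID from System/Execution separately from the created process PID in EventData, then picks the earliest matching process-creation event the way the search above did. The sample events are constructed here to mirror the values quoted in the text; the thread ID is a placeholder.

```python
import xml.etree.ElementTree as ET

# Namespace of Windows event XML, which Sysmon records use.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def make_event(system_time, created_pid, command_line, logging_pid=2236):
    """Constructed Sysmon EventID 1 record (thread ID is a placeholder)."""
    return f"""<Event xmlns="{NS['e']}">
  <System>
    <EventID>1</EventID>
    <TimeCreated SystemTime="{system_time}"/>
    <Execution ProcessID="{logging_pid}" ThreadID="3136"/>
  </System>
  <EventData>
    <Data Name="ProcessId">{created_pid}</Data>
    <Data Name="CommandLine">{command_line}</Data>
  </EventData>
</Event>"""

def parse_process_create(xml_text):
    """Return both PIDs a Sysmon EventID 1 record carries, with their meaning."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "1":
        raise ValueError("not a Sysmon process-creation (EventID 1) record")
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    return {
        # System/Execution: the Sysmon service process that wrote the event.
        "logging_pid": int(root.find("e:System/e:Execution", NS).get("ProcessID")),
        # EventData/ProcessId: the newly created process the event describes.
        "created_pid": int(data["ProcessId"]),
        "command_line": data["CommandLine"],
        "system_time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
    }

def first_process_create(events, command_line_fragment):
    """Earliest EventID 1 record whose CommandLine contains the fragment."""
    hits = [m for m in map(parse_process_create, events)
            if command_line_fragment in m["command_line"]]
    # ISO 8601 UTC timestamps of identical layout sort correctly as strings.
    return min(hits, key=lambda m: m["system_time"]) if hits else None

# Constructed sample: two runs of the T1123 test plus an unrelated process.
CMD = "powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet"
SAMPLE_EVENTS = [
    make_event("2020-11-30T19:31:02.118400100Z", 5120, CMD),
    make_event("2020-11-30T19:25:14.572014200Z", 3648, CMD),
    make_event("2020-11-30T19:25:20.000000000Z", 4001, "whoami.exe /all"),
]
```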

Training Question 6

Question 6: Alice ran a simulation of an attacker abusing Windows registry run keys. This technique leveraged a multi-line batch file that was also used by a few other techniques. What is the final command of this multi-line batch file used as part of this simulation?

I began this challenge by searching in the Atomic Red Team index. Specifically, I looked for some reference to run keys. This led me to technique T1547.001, which seemed to have seven Atomic Red Team tests associated with it.

Next, I examined the documentation on that technique’s tests. In the documentation, I found that test 3 (PowerShell Registry RunOnce) runs a batch file called Discovery.bat and test 6 (Suspicious bat file run from startup Folder) runs a batch file called batstartup.bat, which seems to be part of the code downloaded with the test. I looked at the code for both files to see if one of them was a multi-line batch file. I was able to locate the code for batstartup.bat by looking in the src folder for that test and found that it is a single line. When I looked at the source for discovery.bat at the link above, I found that the file was a multi-line batch file where the last line was quser.

The last step was to confirm that this file actually ran as part of the simulation. I turned back to Splunk and narrowed my search first on the technique I identified earlier. I found two logs showing that this batch file was run as part of the test for T1547.001 using the filter: index=T1547.001* "discovery.bat".

Answer: quser

Training Question 7

Question 7: According to x509 certificate events captured by Zeek (formerly Bro), what is the serial number of the TLS certificate assigned to the Windows domain controller in the attack range?

I knew I needed to filter on Zeek logs but didn’t know what the logs were called, so I decided to use the GUI to select which options I wanted to filter on in hopes that it would show me all log names. To use the side bar to select the correct logs, I needed to get all logs back first. To get all logs, I searched on index=*. Then I examined the sourcetype field and saw that the Zeek logs, which the question tells me used to be called Bro, are in the format bro:<string>:json. In that list, I saw one with the string being x509. So I added sourcetype="bro:x509:json" to my search.

I examined the certificate.subject field to see the hosts that the certificates are assigned to. I did this by adding | table certificate.subject | dedup certificate.subject to my search to see the unique certificate subjects. There were 12 values but only one looked like a domain controller due to the use of the string “dc” in the name. That was CN=win-dc-748.attackrange.local.

I pivoted my search to include a filter on that certificate subject next. My search became: index=* sourcetype="bro:x509:json" "certificate.subject"="CN=win-dc-748.attackrange.local". When I did that, there was only one unique value in the certificate.serial field, which represents the serial number of the certificate. It was 55FCEEBB21270D9249E86F4B9DC7AA60.

Answer: 55FCEEBB21270D9249E86F4B9DC7AA60

Challenge Question

Final Question: What is the name of the adversary group that Santa feared would attack KringleCon?

With each of the training questions done, I turned my attention to the challenge question. In the chat with Alice Bluebird in the SOC Chat, she gave me the information I needed to answer this question.

She mentioned that the cipher text is base64 encoded and then encrypted with an old algorithm. She mentioned RFC 7465 as well. When I googled RFC 7465, I found that it was a standard proposing that RC4 ciphers no longer be used.

I turned to CyberChef to decrypt this, using the RC4 recipe and changing the input to Base64. Next, I had to figure out the passphrase. Alice said to Santa that it “is encrypted using your favorite phrase.” When I started this challenge, I watched the talk by Dave Herrald on Adversary Emulation and Automation. At the end of his video he showed a picture of Santa with a speech bubble saying “Stay Frosty”. I entered that into my recipe, and I got “The Lollipop Guild” as an answer.

Recovering the answer

Answer: The Lollipop Guild

Interested in learning more about the 2020 SANS Holiday Hack Challenge? Check out my other walk-throughs available here.
