OPTinselTrace24-3: Blizzard Breakdown
Sherlock Scenario
Furious after discovering he’s been left off the Nice List this holiday season, one particular elf - heavily influenced by Krampus - goes rogue, determined to take revenge. Consumed by anger, he hatches a sinister plan to sabotage Christmas by targeting Santa Claus’ most critical asset - its S3 data archive! This repository holds sensitive information, including blueprints for new toys, holiday logistics, toy production schedules, and most importantly, the coveted gift list! With Christmas preparations in full swing, any disruption to this storage could cause chaos across the entire operation, threatening to derail everyone’s holiday season. Will the holiday magic prevail, or will Christmas fall into dismay?
task 1
The Victim Elf shared credentials that allowed the Rogue Elf to access the workstation. What was the Client ID that was shared?
95192516
task 2
What is the IP address of the Rogue Elf used during the attack?
146.70.202.35
└─$ cat './C/Users/lannyl/AppData/Local/IceChat Networks/IceChat/Logs/irc.quakenet.org/Query/W4yne-2024-11-13.log'
task 3
What is the name of the executable the victim ran to enable remote access to their system?
AA_V3.EXE
└─$ strings './C/Users/lannyl/AppData/Local/Microsoft/Edge/User Data/Default/Cache/Cache_Data/data_3' | grep AA_v3 -A4 -B4
└─$ strings './C/Users/lannyl/AppData/Local/Microsoft/Edge/User Data/Default/History' | grep AA_ -A3 -B3
task 4
What time (UTC) did the Rogue Elf connect to the victim’s workstation?
2024-11-13 12:23:34
└─$ cat Ammyy/access.log
task 5
The Rogue Elf compromised an AWS Access Key. What is the AWS Access Key ID obtained from the victim’s workstation?
AKIA52GPOBQCBFYGAYHI
└─$ ls ./AppData/Local/Packages/Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe/LocalState/
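Before pulling CloudTrail, it is worth confirming that the key carved from the workstation belongs to the account whose logs you are about to read. Every current-format AWS access key ID (AKIA.../ASIA...) carries the owning account number in its base32 payload: drop the 4-character prefix, base32-decode, take the first 6 bytes, mask and shift right by 7. The script below is an added example for this writeup, not part of the Sherlock or of any AWS tooling; the note text it scans is constructed, and the layout of the key ID is the publicly documented one.

```python
"""Tie an access key ID found on disk to the AWS account that owns it.

Added example for this writeup (not part of the Sherlock). The decode relies
on the documented layout of 20-character access key IDs; SAMPLE_NOTE is a
constructed stand-in for text carved from the Sticky Notes store.
"""
import base64
import re

# AKIA = long-term IAM key, ASIA = temporary STS key; payload is 16 base32 chars.
KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z2-7]{16}\b")
# Mask applied to the first 6 decoded bytes before the 7-bit shift.
ACCOUNT_MASK = 0x7FFFFFFFFF80


def account_id_from_key_id(key_id: str) -> str:
    """Return the 12-digit AWS account ID encoded in a current-format key ID."""
    if len(key_id) != 20 or key_id[:4] not in ("AKIA", "ASIA"):
        raise ValueError("not a current-format access key ID")
    payload = base64.b32decode(key_id[4:])        # 16 base32 chars -> 10 bytes
    value = int.from_bytes(payload[:6], "big")    # account number lives in the first 6 bytes
    return f"{(value & ACCOUNT_MASK) >> 7:012d}"  # zero-pad to the usual 12 digits


def find_key_ids(text: str) -> list[str]:
    """Carve candidate access key IDs out of arbitrary text (notes, logs, cache)."""
    return KEY_ID_RE.findall(text)


def triage(text: str) -> dict[str, str]:
    """Map every key ID found in the text to the account it belongs to."""
    return {k: account_id_from_key_id(k) for k in find_key_ids(text)}


# Constructed sample: what a carved sticky note might look like (secret redacted).
SAMPLE_NOTE = "aws creds for the archive bucket: AKIA52GPOBQCBFYGAYHI / <secret redacted>"

if __name__ == "__main__":
    for key_id, account in triage(SAMPLE_NOTE).items():
        print(f"{key_id} -> account {account}")
```

The account number this yields for the key in this Sherlock is the same `accountId` that appears in the CloudTrail `userIdentity` block later in the writeup, which is the check you want before spending time on logs from the wrong account. The decode is offline and needs no AWS credentials.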
task 6
What is the name of the S3 bucket targeted by the Rogue Elf?
arctic-archive-freezer
└─$ cat log | grep 13/ | awk -F '_CloudTrail' '{print $1}' | uniq -c | sort -u
task 7
Within the targeted S3 bucket, what is the name of the main directory where the files were stored?
Claus_Operation_Data
└─$ zcat ./*/*/*/*/* | grep 'arctic-archive-freezer' | jq | grep prefix
task 8
What time (UTC) did the Rogue Elf disable versioning for the S3 bucket?
2024-11-13 15:31:15
September 10, 2020 — Versioning cannot be turned off, it can only be Suspended. So, yes, you would use Status=Suspended to deactivate the Versioning process.
task 9
What is the MITRE ATT&CK Technique ID associated with the method used in Question 8?
T1490
task 10
What time (UTC) was the first restore operation successfully initiated for the S3 objects?
2024-11-13 15:43:49
└─$ zcat ./*/*/*/*/* | grep 's3' | grep RestoreObject | jq -c '.Records[] | select(.eventName == "RestoreObject" and .errorCode == null) | {eventTime,eventName}'
task 11
Which retrieval option did the Rogue Elf use to restore the S3 objects?
Expedited
└─$ zcat ./*/*/*/*/* | grep 's3' | grep RestoreObject | jq '.Records[] | select(.eventName == "RestoreObject" and .errorCode == null)'
task 12
What is the filename of the S3 object that the Rogue Elf attempted to delete?
GiftList_Worldwide.csv
└─$ zcat ./*/*/*/*/* | grep 's3' | grep '146.70.202.35' | grep -i 'deleteObject' | jq
task 13
What is the size (MB) of the S3 object that the Rogue Elf targeted in Question 12?
152
└─$ zcat ./*/*/*/*/* | grep 'GiftList_Worldwide.csv' | jq '.Records[] | select(.requestParameters.key == "Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv") | {b: .requestParameters.key, a: .additionalEventData.bytesTransferredOut}' | grep 83
task 14
The Rogue Elf uploaded corrupted files to the S3 bucket. What time (UTC) was the first object replaced during the attack?
2024-11-13 16:10:03
└─$ zcat ./*/*/*/*/* | grep 's3' | grep '146.70.202.35' | jq -c '.Records[] | select(.eventName == "PutObject" and .errorCode == null) | {eventTime,eventName}'
task 15
What storage class was used for the S3 objects to mimic the original settings and avoid suspicion?
GLACIER
└─$ zcat ./*/*/*/*/* | grep 's3' | grep '146.70.202.35' | jq -c '.Records[] | select(.eventName == "PutObject" and .errorCode == null)'
{"eventVersion":"1.10","userIdentity":{"type":"IAMUser","principalId":"AIDA52GPOBQCHOIPNIEEH","arn":"arn:aws:iam::949622803460:user/arctic-archive-user","accountId":"949622803460","accessKeyId":"AKIA52GPOBQCBFYGAYHI","userName":"arctic-archive-user"},"eventTime":"2024-11-13T16:10:03Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","awsRegion":"us-east-1","sourceIPAddress":"146.70.202.35","userAgent":"[aws-cli/2.20.0 md/awscrt#0.22.0 ua/2.0 os/windows#10 md/arch#amd64 lang/python#3.12.6 md/pyim
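Tasks 8 through 15 are all the same operation: filter CloudTrail `Records` by source IP and `eventName`, drop entries that carry an `errorCode`, and read one field out of `requestParameters`. The script below does that in one pass and builds a timeline of the attacker's S3 activity, including the failed attempts the `errorCode == null` filters above deliberately hide. It is an added example for this writeup, not part of the Sherlock or of any AWS tool. The records it parses are constructed to mirror the fields the jq one-liners select on (the layout of `VersioningConfiguration`, `RestoreRequest` and `x-amz-storage-class` inside `requestParameters` follows what CloudTrail emits for those S3 APIs, but the timestamps of the failed restore and the delete, and the 10.0.0.5 decoy record, are invented for the sample).

```python
"""Timeline an attacker's S3 activity from CloudTrail records.

Added example for this writeup (not part of the Sherlock). The sample log is
CONSTRUCTED in CloudTrail's {"Records": [...]} shape; real files come gzipped,
one JSON document per file, which load_records() handles.
"""
import gzip
import json

ATTACKER_IP = "146.70.202.35"
BUCKET = "arctic-archive-freezer"
GIFT_LIST = "Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv"

# Constructed sample. Only the fields the analysis needs are present.
_SAMPLE = {"Records": [
    {"eventTime": "2024-11-13T15:31:15Z", "eventName": "PutBucketVersioning",
     "sourceIPAddress": ATTACKER_IP,
     "requestParameters": {"bucketName": BUCKET,
                           "VersioningConfiguration": {"Status": "Suspended"}}},
    # Constructed failed attempt: errorCode present, so jq's errorCode == null drops it.
    {"eventTime": "2024-11-13T15:40:02Z", "eventName": "RestoreObject",
     "sourceIPAddress": ATTACKER_IP, "errorCode": "AccessDenied",
     "requestParameters": {"bucketName": BUCKET, "key": GIFT_LIST,
                           "RestoreRequest": {"GlacierJobParameters": {"Tier": "Expedited"}}}},
    {"eventTime": "2024-11-13T15:43:49Z", "eventName": "RestoreObject",
     "sourceIPAddress": ATTACKER_IP,
     "requestParameters": {"bucketName": BUCKET, "key": GIFT_LIST,
                           "RestoreRequest": {"GlacierJobParameters": {"Tier": "Expedited"}}}},
    {"eventTime": "2024-11-13T16:05:11Z", "eventName": "DeleteObject",
     "sourceIPAddress": ATTACKER_IP, "errorCode": "AccessDenied",
     "requestParameters": {"bucketName": BUCKET, "key": GIFT_LIST}},
    {"eventTime": "2024-11-13T16:10:03Z", "eventName": "PutObject",
     "sourceIPAddress": ATTACKER_IP,
     "requestParameters": {"bucketName": BUCKET, "key": GIFT_LIST,
                           "x-amz-storage-class": "GLACIER"}},
    # Constructed legitimate activity from another host; must not appear in the timeline.
    {"eventTime": "2024-11-13T09:02:00Z", "eventName": "GetObject",
     "sourceIPAddress": "10.0.0.5",
     "requestParameters": {"bucketName": BUCKET, "key": GIFT_LIST}},
]}
SAMPLE_LOG = json.dumps(_SAMPLE)


def load_records(paths):
    """Flatten the Records arrays of CloudTrail files (gzipped or plain JSON)."""
    records = []
    for path in paths:
        opener = gzip.open if path.endswith(".gz") else open
        with opener(path, "rt", encoding="utf-8") as fh:
            records.extend(json.load(fh)["Records"])
    return records


def parse_records(text):
    """Same as load_records, for an in-memory JSON document."""
    return json.loads(text)["Records"]


def from_ip(records, ip, succeeded_only=True):
    """Records from one source IP, oldest first; errorCode marks a failed call."""
    hits = [r for r in records if r.get("sourceIPAddress") == ip
            and (not succeeded_only or "errorCode" not in r)]
    return sorted(hits, key=lambda r: r["eventTime"])


def first_event(records, name, ip=ATTACKER_IP):
    """eventTime of the first *successful* call of this API from the IP, or None."""
    for r in from_ip(records, ip):
        if r["eventName"] == name:
            return r["eventTime"]
    return None


def versioning_changes(records):
    """(eventTime, Status) for every PutBucketVersioning. S3 never turns
    versioning off; Status=Suspended is the attacker's 'disable'."""
    return [(r["eventTime"], r["requestParameters"]["VersioningConfiguration"]["Status"])
            for r in records if r["eventName"] == "PutBucketVersioning"]


def restore_tiers(records):
    """Glacier retrieval tiers used by successful RestoreObject calls."""
    return {r["requestParameters"]["RestoreRequest"]["GlacierJobParameters"]["Tier"]
            for r in records if r["eventName"] == "RestoreObject" and "errorCode" not in r}


def delete_attempts(records, ip=ATTACKER_IP):
    """(key, outcome) for every DeleteObject from the IP, failed ones included."""
    return [(r["requestParameters"]["key"], r.get("errorCode", "Success"))
            for r in from_ip(records, ip, succeeded_only=False)
            if r["eventName"] == "DeleteObject"]


def storage_classes_written(records, ip=ATTACKER_IP):
    """Storage classes of successful PutObject calls; absent header means STANDARD."""
    return {r["requestParameters"].get("x-amz-storage-class", "STANDARD")
            for r in from_ip(records, ip) if r["eventName"] == "PutObject"}


def timeline(records, ip=ATTACKER_IP):
    """(time, event, key or bucket, outcome) rows for the IP, failures included."""
    rows = []
    for r in from_ip(records, ip, succeeded_only=False):
        rp = r.get("requestParameters", {})
        rows.append((r["eventTime"], r["eventName"],
                     rp.get("key", rp.get("bucketName")), r.get("errorCode", "Success")))
    return rows


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)   # on a real case: load_records(glob.glob("./**/*.json.gz", recursive=True))
    for row in timeline(recs):
        print(*row)
```

Keeping the failed calls in the timeline matters for the narrative even though the task answers only need the successful ones: an `AccessDenied` on `DeleteObject` followed minutes later by a successful `PutObject` on the same key is the difference between "tried to delete" and "overwrote", which is exactly what tasks 12 and 14 are asking you to distinguish.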