# \[Day 8] Santa's Bag of Toys

## Story

McSkidy was notified of some terrible news! Santa's laptop, which he uses to prepare his bag of toys for Christmas, is missing! We believe a minion at the Grinch Enterprise stole it, but we need to find out for sure. It is up to us to determine what actor compromised the laptop and recover Santa's bag of toys!

Unfortunately, The Best Festival Company had minimal monitoring tools on Santa's laptop (he is the boss, after all)! All we have to work with are some PowerShell Transcription Logs we were able to remotely recover just after it went missing. You can find the transcription logs within the `SantasLaptopLogs` folder on the Desktop of the attached Windows virtual machine.

## Challenge

Inspecting the PowerShell transcription logs shows exactly which commands were run on the system, including the host details printed in each transcript header.
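Rather than reading every transcript by hand, the same findings can be pulled out of the `SantasLaptopLogs` folder with a small triage script. The following is an added example (not part of the room or its logs): it parses the standard `Start-Transcript` header for the username and machine, extracts the commands typed at the `PS ...>` prompt, and flags the activity types seen in this investigation (local account creation, adding an account to Administrators, copying a registry hive, and `certutil` used as a LOLBin). The embedded transcript is a constructed sample with made-up values; point `find_suspicious` at the real files to run it on the room's logs.

```python
import re
from pathlib import Path
from typing import Dict, List

# Constructed sample transcript (NOT the real SantasLaptopLogs content). The header follows the
# layout that Start-Transcript writes; the account name, password and paths are illustrative.
SAMPLE_TRANSCRIPT = r"""**********************
Windows PowerShell transcript start
Start time: 20211125101010
Username: LAPTOP\santa
RunAs User: LAPTOP\santa
Machine: LAPTOP (Microsoft Windows NT 10.0.22000.0)
**********************
PS C:\Users\santa> net user backdoor Example-Passw0rd /add
PS C:\Users\santa> net localgroup administrators backdoor /add
PS C:\Users\santa> Copy-Item C:\Users\santa\AppData\Local\Microsoft\Windows\UsrClass.dat C:\Users\backdoor\Desktop\UsrClass.dat
PS C:\Users\santa> certutil -encode C:\Users\backdoor\Desktop\UsrClass.dat C:\Users\backdoor\Desktop\UsrClass.txt
PS C:\Users\santa> Get-Content C:\Users\backdoor\Desktop\UsrClass.txt
"""

# A transcript records each interactive command after a "PS <cwd>>" prompt.
PROMPT_RE = re.compile(r"^PS\s+[^>]*>\s*(?P<cmd>.+)$")
HEADER_RE = re.compile(r"^(Username|RunAs User|Machine|Start time):\s*(.+)$")

# (reason, pattern). Each pattern is applied to a single command line.
RULES = [
    ("local account created",
     re.compile(r"\bnet\s+user\s+(?P<user>\S+)\s+\S+\s+/add\b", re.I)),
    ("account added to Administrators",
     re.compile(r"\bnet\s+localgroup\s+administrators\s+(?P<user>\S+)\s+/add\b", re.I)),
    ("registry hive copied",
     re.compile(r"\b(copy-item|copy|cp|xcopy)\b.*\b(usrclass\.dat|ntuser\.dat)\b", re.I)),
    ("certutil used as LOLBin",
     re.compile(r"\bcertutil(\.exe)?\b.*\s-(encode|decode|urlcache)\b", re.I)),
]


def parse_header(transcript: str) -> Dict[str, str]:
    """Return the Username / RunAs User / Machine / Start time fields from the transcript header."""
    meta: Dict[str, str] = {}
    for line in transcript.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            meta[m.group(1)] = m.group(2).strip()
    return meta


def extract_commands(transcript: str) -> List[str]:
    """Return only the commands typed at the prompt, without the prompt itself or command output."""
    cmds: List[str] = []
    for line in transcript.splitlines():
        m = PROMPT_RE.match(line.strip())
        if m:
            cmds.append(m.group("cmd").strip())
    return cmds


def find_suspicious(transcript: str) -> List[Dict[str, str]]:
    """Match every command against RULES; one hit per (command, rule) pair, in transcript order."""
    hits: List[Dict[str, str]] = []
    for cmd in extract_commands(transcript):
        for reason, rx in RULES:
            m = rx.search(cmd)
            if m:
                hits.append({"reason": reason, "command": cmd,
                             "user": m.groupdict().get("user") or ""})
    return hits


def triage_folder(folder: str) -> Dict[str, List[Dict[str, str]]]:
    """Run find_suspicious over every *.txt transcript in a folder (e.g. SantasLaptopLogs)."""
    return {p.name: find_suspicious(p.read_text(errors="replace"))
            for p in sorted(Path(folder).glob("*.txt"))}


if __name__ == "__main__":
    print(parse_header(SAMPLE_TRANSCRIPT))
    for hit in find_suspicious(SAMPLE_TRANSCRIPT):
        print(f"[{hit['reason']}] {hit['command']}")
```

The rules are deliberately narrow (a transcript only shows what the actor typed, so the account name and the hive path come straight out of the matched command); widen `RULES` if the logs you are triaging contain other LOLBins or hive names.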

![](/files/kmLr4f0tOwigFFhycZzg)

{% hint style="success" %}
**What operating system is Santa's laptop running ("OS Name")?**

* Microsoft Windows 11 Pro
  {% endhint %}

![](/files/0hKG6jrrmeykj8WV7Mte)

{% hint style="success" %}
**What was the password set for the new "backdoor" account?**

* grinchstolechristmas
  {% endhint %}

![](/files/uod1WSFPYdxOpUBfPzsp)

{% hint style="success" %}
**In one of the transcription logs, the bad actor interacts with the target under the new backdoor user account and copies a unique file to the Desktop. Before it is copied to the Desktop, what is the full path of the original file?**

* C:\Users\santa\AppData\Local\Microsoft\Windows\UsrClass.dat
  {% endhint %}

![](/files/JdexPa7N66aK1acNqBHZ)

{% hint style="success" %}
**The actor uses a [Living Off The Land](https://lolbas-project.github.io/lolbas/Binaries/Certutil/) binary (LOLBin) to encode this file, and then verifies it succeeded by viewing the output file. What is the name of this LOLBin?**

* certutil.exe
  {% endhint %}

Now that we know `UsrClass.dat` was Base64-encoded with `certutil -encode` and then exfiltrated, we can decode the encoded output with CyberChef (strip the `-----BEGIN/END CERTIFICATE-----` lines, then "From Base64") to recover the original file and confirm what it is.
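The same decoding can be done offline and verified by magic bytes. The following is an added example, not code from the room: `certutil_decode` undoes the `certutil -encode` layout (PEM-style header and footer around 64-character Base64 lines, CRLF line endings), `identify` classifies the result, and `hive_header_info` reads a few fields from the `regf` base block that every registry hive (NTUSER.DAT, UsrClass.dat, SAM, ...) begins with. Since the real hive cannot be embedded here, `build_fake_hive_header` constructs a minimal base block with made-up sequence numbers and version, following the documented `regf` layout; it exists only so the example runs stand-alone.

```python
import base64
import struct
from typing import Dict

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
LINE_LEN = 64  # certutil -encode wraps the Base64 body at 64 characters per line


def certutil_style_encode(data: bytes) -> str:
    """Produce output laid out like `certutil -encode <in> <out>` (used here only to build test input)."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + LINE_LEN] for i in range(0, len(b64), LINE_LEN)]
    return "\r\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\r\n"


def certutil_decode(text: str) -> bytes:
    """Undo certutil -encode: drop the PEM lines and whitespace, then strict Base64-decode.
    This is what the CyberChef recipe (remove header/footer, From Base64) does by hand."""
    body = [ln.strip() for ln in text.splitlines()
            if ln.strip() and ln.strip() not in (PEM_HEADER, PEM_FOOTER)]
    return base64.b64decode("".join(body), validate=True)


def identify(data: bytes) -> str:
    """Classify the decoded payload by its leading bytes."""
    if data[:4] == b"regf":
        return "windows-registry-hive"
    if data[:2] == b"MZ":
        return "pe-executable"
    if data[:4] == b"PK\x03\x04":
        return "zip-archive"
    return "unknown"


def hive_header_info(data: bytes) -> Dict[str, object]:
    """Parse the regf base block: offset 4/8 primary and secondary sequence numbers, 0x14/0x18
    major and minor version, 0x30 a 64-byte UTF-16LE field holding the tail of the hive path.
    Mismatched sequence numbers mean the hive was not cleanly written (transaction logs apply)."""
    if data[:4] != b"regf":
        raise ValueError("not a registry hive (missing regf signature)")
    primary, secondary, _timestamp, major, minor = struct.unpack_from("<IIQII", data, 4)
    name = data[0x30:0x70].decode("utf-16-le").rstrip("\x00")
    return {"version": f"{major}.{minor}", "dirty": primary != secondary, "file_name": name}


def build_fake_hive_header(name: str = r"\Microsoft\Windows\UsrClass.dat") -> bytes:
    """Constructed 4 KiB regf base block for demonstration only (not a real hive)."""
    hdr = bytearray(4096)
    hdr[0:4] = b"regf"
    # primary seq, secondary seq, timestamp, major, minor, file type, file format,
    # root cell offset, hive bins data size, clustering factor (all made-up but plausible)
    struct.pack_into("<IIQIIIIIII", hdr, 4, 1, 1, 0, 1, 5, 0, 1, 0x20, 0x1000, 1)
    encoded_name = name.encode("utf-16-le")[:64]
    hdr[0x30:0x30 + len(encoded_name)] = encoded_name
    return bytes(hdr)


if __name__ == "__main__":
    encoded = certutil_style_encode(build_fake_hive_header())
    decoded = certutil_decode(encoded)
    print(identify(decoded), hive_header_info(decoded))
```

On the real evidence, read the `certutil` output file (or the transcript lines that echoed it) into `certutil_decode`; if `identify` does not return `windows-registry-hive`, the capture was incomplete or not a hive and ShellBags parsing would fail on it.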

![](/files/k8qKZ4kJceMfnt6x5FiY)

{% hint style="info" %}
This file can be used to aid in our investigation. `UsrClass.dat` is the user's Classes registry hive (loaded under `HKU\<SID>_Classes`) and contains "ShellBags", registry artifacts under `...\Shell\BagMRU` and `...\Shell\Bags` that store the user's folder view preferences in Windows Explorer. Because an entry is kept for every folder the user browsed, including folders that have since been deleted or lived on removable media, carving out this information gives an idea of what user activity was performed on the laptop before it was stolen or compromised.
{% endhint %}

Using [ShellBagsExplorer](https://www.sans.org/tools/shellbags-explorer/), we can explore the file as shown below.

![](/files/Sr3zAGTONjXvMKG8JBnG)

![](/files/4whZpTYQRmY3pP53pL08)

{% hint style="success" %}
**What specific folder name clues us in that this might be publicly accessible software hosted on a code-sharing platform?**

* .github
  {% endhint %}

{% hint style="success" %}
**What is the name of the file found in this folder?**

* bag\_of\_toys.zip
  {% endhint %}

Since the ShellBags showed a `.github` folder under `SantaRat-main`, searching for that repository name led to the GitHub repository.

![](/files/wdHuy4p5DuUrz5AjEdph)

![](/files/2nd9NVtVQtRFvRGlFYcO)

{% hint style="success" %}
**What is the name of the user that owns the SantaRat repository?**

* Grinchiest
  {% endhint %}

![](/files/fMyPB998kwJXwWrzpcLL)

{% hint style="success" %}
**What is the name of the repository that seems especially pertinent to our investigation?**

* operation-bag-of-toys
  {% endhint %}

![](/files/N1WkokGzj5yuKjUwfqFN)

{% hint style="success" %}
**What is the name of the *executable* that installed a unique utility the actor used to collect the bag of toys?**

* uharc-cmd-install.exe
  {% endhint %}

![](/files/tWQWCwYmt6VNUx60FLDb)

{% hint style="success" %}
**What are the contents of these "malicious" files (coal, mold, and all the others)?**

* GRINCHMAS
  {% endhint %}

Looking at one of the older commits in the repository revealed the password to the archive (secrets removed in a later commit remain visible in the history).

![](/files/fUwEcdhVDwl3JaxCvI59)

{% hint style="success" %}
**What is the password to the original bag\_of\_toys.uha archive?**

* TheGrinchiestGrinchmasOfAll
  {% endhint %}

![](/files/WkcnFSROIVWIOe8Z7l63)

{% hint style="success" %}
**How many original files were present in Santa's Bag of Toys?**

* 228
  {% endhint %}
