[Day 8] Santa's Bag of Toys

{Incident response = PowerShell Transcription Logs}


McSkidy was notified of some terrible news! Santa's laptop, which he uses to prepare his bag of toys for Christmas, is missing! We believe a minion at the Grinch Enterprise stole it, but we need to find out for sure. It is up to us to determine what actor compromised the laptop and recover Santa's bag of toys!

Unfortunately, The Best Festival Company had minimal monitoring tools on Santa's laptop (he is the boss, after all)! All we have to work with are some PowerShell Transcription Logs we were able to remotely recover just after it went missing. You can find the transcription logs within the SantasLaptopLogs folder on the Desktop of the attached Windows virtual machine.


Inspecting the Powershell logs gives more information of what was ran on the system

What operating system is Santa's laptop running ("OS Name")?

  • Microsoft Windows 11 Pro

What was the password set for the new "backdoor" account?

  • grinchstolechristmas

in one of the transcription logs, the bad actor interacts with the target under the new backdoor user account, and copies a unique file to the Desktop. Before it is copied to the Desktop, what is the full path of the original file?

  • C:\Users\santa\AppData\Local\Microsoft\Windows\UsrClass.dat

The actor uses a Living Off The Land binary (LOLbin) to encode this file, and then verifies it succeeded by viewing the output file. What is the name of this LOLbin?

  • certutil.exe

Now that we know that UsrClass.dat was exfiltrated from the system, lets try to make out what it was with the help of cyber chef.

This file can be used to aid in our investigation. The UsrClass.dat file contains "Shellbags," or artifacts contained within the Windows registry that store user preferences while viewing folders within the Windows Explorer GUI. If you could carve out this information, you could get an idea as to what user activity was performed on the laptop before it was stolen or compromised!

Using ShellBagsExplorer, we can explore the file as shown below.

What specific folder name clues us in that this might be publicly accessible software hosted on a code-sharing platform?

  • .github

What is the name of the file found in this folder?

  • bag_of_toys.zip

Since there was a .github file under SantaRat-main, googling that led to the github repo.

What is the name of the user that owns the SantaRat repository?

  • Grinchiest

What is the name of the repository that seems especially pertinent to our investigation?

  • operation-bag-of-toys

What is the name of the executable that installed a unique utility the actor used to collect the bag of toys?

  • uharc-cmd-install.exe

What are the contents of these "malicious" files (coal, mold, and all the others)?


Looking at one of the older commits revealed the password to the archive

What is the password to the original bag_of_toys.uha archive?

  • TheGrinchiestGrinchmasOfAll

How many original files were present in Santa's Bag of Toys?

  • 228

Last updated