[Day 8] Santa's Bag of Toys
{Incident response = PowerShell Transcription Logs}
Last updated
McSkidy was notified of some terrible news! Santa's laptop, which he uses to prepare his bag of toys for Christmas, is missing! We believe a minion at the Grinch Enterprise stole it, but we need to find out for sure. It is up to us to determine what actor compromised the laptop and recover Santa's bag of toys!
Unfortunately, The Best Festival Company had minimal monitoring tools on Santa's laptop (he is the boss, after all)! All we have to work with are some PowerShell Transcription Logs we were able to remotely recover just after it went missing. You can find the transcription logs within the SantasLaptopLogs folder on the Desktop of the attached Windows virtual machine.
Inspecting the PowerShell transcription logs shows what was run on the system.
What operating system is Santa's laptop running ("OS Name")?
Microsoft Windows 11 Pro
What was the password set for the new "backdoor" account?
grinchstolechristmas
In one of the transcription logs, the bad actor interacts with the target under the new backdoor user account, and copies a unique file to the Desktop. Before it is copied to the Desktop, what is the full path of the original file?
C:\Users\santa\AppData\Local\Microsoft\Windows\UsrClass.dat
The actor uses a Living Off The Land binary (LOLbin) to encode this file, and then verifies it succeeded by viewing the output file. What is the name of this LOLbin?
certutil.exe
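The transcript review above is done by hand in the room; the following script is an added example (not part of the original write-up or of the room's files) that does the same triage programmatically: it parses the Start-Transcript header block and the `PS path>` prompt lines, then flags the commands that matter for this case (local account creation, copying a registry hive, certutil-based encoding). The transcript text is constructed in the transcript layout, not one of the SantasLaptopLogs files, and the rule set is an assumption about what is worth flagging rather than a standard list.

```python
"""Triage a PowerShell transcription log: pull out the session header and the
commands that were typed, then flag the ones an analyst should look at first.

Added example for this write-up, not one of the SantasLaptopLogs files: the
transcript below is constructed in the Start-Transcript layout, and the rule
set is an assumption about what is worth flagging, not a standard list.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: header block between rows of asterisks, then prompt lines.
SAMPLE_TRANSCRIPT = r'''**********************
Windows PowerShell transcript start
Start time: 20211130200707
Username: SANTALAPTOP\santa
RunAs User: SANTALAPTOP\santa
Machine: SANTALAPTOP (Microsoft Windows NT 10.0.22000.0)
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process ID: 4120
**********************
PS C:\Users\santa> systeminfo | findstr /B /C:"OS Name"
OS Name:                   Microsoft Windows 11 Pro
PS C:\Users\santa> net user backdoor grinchstolechristmas /add
The command completed successfully.
PS C:\Users\santa> copy C:\Users\santa\AppData\Local\Microsoft\Windows\UsrClass.dat C:\Users\santa\Desktop\UsrClass.dat
PS C:\Users\santa> certutil -encode C:\Users\santa\Desktop\UsrClass.dat C:\Users\santa\Desktop\encoded.txt
Input Length = 1048576
Output Length = 1442524
CertUtil: -encode command completed successfully.
PS C:\Users\santa> type C:\Users\santa\Desktop\encoded.txt
**********************
Windows PowerShell transcript end
End time: 20211130201503
**********************
'''

PROMPT_RE = re.compile(r"^PS (?P<cwd>.*?)> (?P<cmd>.+)$")
FIELD_RE = re.compile(r"^(?P<key>[^:]+): (?P<value>.*)$")

# (rule name, pattern) pairs; the patterns are an assumption for this example.
RULES = [
    ("local account creation",
     re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("registry hive copied",
     re.compile(r"\b(?:copy|xcopy|robocopy|cp|Copy-Item)\b.*\b(?:UsrClass|NTUSER)\.dat\b", re.I)),
    ("LOLBin base64 encoding (certutil)",
     re.compile(r"\bcertutil(?:\.exe)?\b.*\s-encode\b", re.I)),
]


@dataclass
class Command:
    cwd: str   # working directory shown in the prompt
    line: str  # the command as typed


@dataclass
class Transcript:
    header: dict
    commands: list = field(default_factory=list)


def parse_transcript(text):
    """Header fields come from the first asterisk-delimited block; commands
    are every line that starts with a 'PS <cwd>> ' prompt after it."""
    header, commands, stars_seen = {}, [], 0
    for line in text.splitlines():
        if line.startswith("****"):
            stars_seen += 1
            continue
        if stars_seen < 2:
            m = FIELD_RE.match(line)
            if m:
                header[m.group("key")] = m.group("value").strip()
            continue
        m = PROMPT_RE.match(line)
        if m:
            commands.append(Command(m.group("cwd"), m.group("cmd")))
    return Transcript(header, commands)


def find_suspicious(commands):
    """Return (rule name, command line) for every command a rule matches."""
    hits = []
    for cmd in commands:
        for name, pattern in RULES:
            if pattern.search(cmd.line):
                hits.append((name, cmd.line))
    return hits


if __name__ == "__main__":
    t = parse_transcript(SAMPLE_TRANSCRIPT)
    print("Session:", t.header.get("Username"), "PID", t.header.get("Process ID"))
    for name, line in find_suspicious(t.commands):
        print(f"[{name}] {line}")
```

Run it against a real transcript by reading the file into `parse_transcript`; the header also carries the host application and process ID, which is what lets you tie a transcript back to the session that produced it when several files were recovered.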
Now that we know that UsrClass.dat was exfiltrated from the system, let's try to work out what it is with the help of CyberChef.
This file can be used to aid in our investigation. The UsrClass.dat file contains "Shellbags," or artifacts contained within the Windows registry that store user preferences while viewing folders within the Windows Explorer GUI. If you could carve out this information, you could get an idea as to what user activity was performed on the laptop before it was stolen or compromised!
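The CyberChef step above strips the certutil wrapper and base64-decodes the blob; the following added example (not from the original write-up) does the same in Python and then checks that what came out really is a registry hive by reading its REGF base block and validating the header checksum, before the file is handed to ShellBagsExplorer. The hive base block used as input is constructed here, not Santa's actual UsrClass.dat, and `certutil_encode` only reproduces the output layout of `certutil -encode` for that sample.

```python
"""Recover a file that was base64-encoded with certutil and confirm it is a
Windows registry hive (REGF) before parsing it further.

Added example, not part of the original write-up: the hive base block is
constructed, and certutil_encode only mimics certutil's output layout
(PEM-style CERTIFICATE markers, 64-character lines, CRLF line endings).
"""
import base64
import struct

CHECKSUM_OFFSET = 508  # last DWORD of the 512-byte REGF header


def hive_checksum(base_block):
    """XOR of the 127 DWORDs that precede the checksum field, with the two
    special-cased results the format defines (0 -> 1, 0xFFFFFFFF -> 0xFFFFFFFE)."""
    acc = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:CHECKSUM_OFFSET]):
        acc ^= dword
    if acc == 0:
        return 1
    if acc == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return acc


def build_sample_hive_base_block(name="UsrClass.dat"):
    """Constructed 4096-byte REGF base block with a valid checksum (sample input)."""
    blk = bytearray(4096)
    blk[0:4] = b"regf"
    struct.pack_into("<II", blk, 4, 7, 7)                # primary / secondary sequence numbers
    struct.pack_into("<Q", blk, 12, 0x01D7E5F2A0000000)  # last-written FILETIME (arbitrary)
    struct.pack_into("<IIII", blk, 20, 1, 5, 0, 1)       # major, minor, file type, file format
    struct.pack_into("<III", blk, 36, 0x20, 0x1000, 1)   # root cell offset, hbin data size, clustering
    blk[48:112] = name.encode("utf-16-le").ljust(64, b"\x00")  # hive file name (64 bytes UTF-16LE)
    struct.pack_into("<I", blk, CHECKSUM_OFFSET, hive_checksum(blk))
    return bytes(blk)


def certutil_encode(data):
    """Mimic the layout certutil -encode writes for the sample (assumption: real
    output is produced by certutil itself; this is only for an offline demo)."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\r\n"
            + "".join(line + "\r\n" for line in lines)
            + "-----END CERTIFICATE-----\r\n")


def certutil_decode(text):
    """Drop the CERTIFICATE marker lines and decode the base64 body; this is
    the same transformation as CyberChef's 'From Base64' after the markers
    are removed."""
    body = [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body), validate=True)


def parse_regf_header(data):
    """Read the fields an analyst checks first and verify the header checksum."""
    if len(data) < 512 or data[:4] != b"regf":
        raise ValueError("not a REGF hive: bad signature")
    seq1, seq2 = struct.unpack_from("<II", data, 4)
    major, minor = struct.unpack_from("<II", data, 20)
    name = data[48:112].decode("utf-16-le").rstrip("\x00")
    stored = struct.unpack_from("<I", data, CHECKSUM_OFFSET)[0]
    return {
        "sequence": (seq1, seq2),
        "dirty": seq1 != seq2,  # mismatch means a transaction log may be needed
        "version": f"{major}.{minor}",
        "name": name,
        "checksum_ok": stored == hive_checksum(data[:512]),
    }


if __name__ == "__main__":
    encoded = certutil_encode(build_sample_hive_base_block())
    recovered = certutil_decode(encoded)
    print(parse_regf_header(recovered))
```

On a real case, feed the text the actor viewed with `Get-Content` (or the encoded file itself) to `certutil_decode`, write the bytes out, and only then open the result in ShellBagsExplorer; a signature or checksum failure at this stage usually means the copy was truncated or a line of the transcript was mangled rather than that the hive is fake.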
Using ShellBagsExplorer, we can explore the file as shown below.
What specific folder name clues us in that this might be publicly accessible software hosted on a code-sharing platform?
.github
What is the name of the file found in this folder?
bag_of_toys.zip
Since there was a .github folder under SantaRat-main, searching for that name led to the GitHub repository.
What is the name of the user that owns the SantaRat repository?
Grinchiest
What is the name of the repository that seems especially pertinent to our investigation?
operation-bag-of-toys
What is the name of the executable that installed a unique utility the actor used to collect the bag of toys?
uharc-cmd-install.exe
What are the contents of these "malicious" files (coal, mold, and all the others)?
GRINCHMAS
Looking at one of the older commits revealed the password to the archive.
What is the password to the original bag_of_toys.uha archive?
TheGrinchiestGrinchmasOfAll
How many original files were present in Santa's Bag of Toys?
228