TryHackMe: [Day 8] Special by John Hammond Santa’s Bag of Toys

Mac Leo
7 min read, Apr 6, 2022


1. Read the premise above, start the attached Windows analysis machine and find the transcription logs in the SantasLaptopLogs folder on the Desktop.

If you want to RDP into the machine, start the AttackBox and enter the following into a terminal: xfreerdp /u:Administrator /p:grinch123! /v:MACHINE_IP — The credentials for the machine are Administrator as the username, and grinch123! as the password.

ANS: No Answer Needed

2. Each transcription log is a simple plain text file that you can open in any editor of your choice. While the filenames are random, you can get an idea as to which log “comes first” by looking at the Date Modified or Date Created attributes, or the timestamps just before the file extension!

Open the first transcription log. You can see the commands and output for everything that ran within PowerShell, like whoami and systeminfo!

What operating system is Santa's laptop running ("OS Name")?

ANS: Microsoft Windows 11 Pro

EXPLANATION:

Step 1: Start the AttackBox. Once it is open, go to the SantasLaptopLogs folder and search each file; the OS name is in PowerShell_transcript.LAPTOP._s3k_jad.20211128153510

3. Review each transcription log to get an idea for what activity was performed on the laptop just after it went missing. In the “second” transcription log, it seems as if the perpetrator created a backdoor user account!

What was the password set for the new “backdoor” account?

ANS: grinchstolechristmas

EXPLANATION:

Step 1: Search each file; the password is in

PowerShell_transcript.LAPTOP.k_dg27us.20211128153538.txt

4. In one of the transcription logs, the bad actor interacts with the target under the new backdoor user account, and copies a unique file to the Desktop. Before it is copied to the Desktop, what is the full path of the original file?

ANS: C:\Users\santa\AppData\Local\Microsoft\Windows\UsrClass.dat

EXPLANATION:

Step 1: Search each file; the copy command is in

PowerShell_transcript.LAPTOP.Zw6PA+c4.20211128153734.txt

5. The actor uses a Living Off The Land binary (LOLbin) to encode this file, and then verifies it succeeded by viewing the output file. What is the name of this LOLbin?

ANS: certutil.exe

EXPLANATION:

Step 1: Search each file; the encoding step is in

PowerShell_transcript.LAPTOP.Zw6PA+c4.20211128153734.txt

6. Read the above and open the ShellBagsExplorer.exe application found in the folder on your Desktop.

ANS: No Answer Needed

7. Under the Desktop folder, there seems to be a suspicious folder named “SantaRat”. Could this be a remote access trojan, that was used for further nefarious activity on Santa’s laptop? Unfortunately, from just Shellbags alone, we only have insight into folder names (sometimes files, if we are lucky) and column data within Windows Explorer, but not files… how could we uncover more details?

Drill down into the folders and see if you can find anything that might indicate how we could better track down what this SantaRat really is. What specific folder name clues us in that this might be publicly accessible software hosted on a code-sharing platform?

ANS: .github

EXPLANATION:

Step 1: Go to this file (PowerShell_transcript.LAPTOP.Zw6PA+c4.20211128153734.txt) and copy the base64-encoded block that certutil wrote, from

-----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----

and paste it into CyberChef.

Step 2: Decode the block from base64 and save the output to the Desktop as UsrClass.dat.

Step 3: Open ShellBagsExplorer.exe -> File -> Load offline hive -> select the file (UsrClass.dat) on the Desktop.

Step 4: Go through SantaRat and check all of its subdirectories; we will find .github.
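As an added example (not part of the original write-up or the room), the Python script below does the same recovery without CyberChef: it orders transcripts by the timestamp PowerShell puts in the filename (Question 2), pulls the certutil -encode block out of a transcript, decodes it and checks the "regf" hive magic before the file is loaded into ShellBags Explorer, and lists transcript lines containing the commands this investigation turned on. The sample transcript and the watch list are constructed.

```python
import base64
import re

# PowerShell names transcripts PowerShell_transcript.<host>.<random>.<yyyyMMddHHmmss>.txt,
# so the 14-digit timestamp before the extension gives the chronological order.
TS_RE = re.compile(r"\.(\d{14})(?:\.txt)?$")

# certutil -encode wraps its base64 output in PEM-style certificate markers.
CERT_BLOCK_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)

# Constructed watch list: the commands the write-up's investigation hinged on.
WATCH = ("net user", "certutil", "uharc")


def transcript_order(filenames):
    """Sort transcript filenames by the embedded timestamp (oldest first)."""
    return sorted(filenames, key=lambda n: TS_RE.search(n).group(1))


def decode_certutil_block(transcript_text):
    """Recover the raw bytes of a file that was certutil-encoded and typed out in a transcript."""
    m = CERT_BLOCK_RE.search(transcript_text)
    if m is None:
        return None
    # certutil wraps lines at 64 characters; drop all whitespace before decoding.
    return base64.b64decode("".join(m.group(1).split()))


def is_registry_hive(data):
    """UsrClass.dat, like every Windows hive file, starts with the 'regf' magic."""
    return data[:4] == b"regf"


def flag_commands(transcript_text):
    """Return the transcript lines that contain a watched command (case-insensitive)."""
    return [
        line.strip()
        for line in transcript_text.splitlines()
        if any(w in line.lower() for w in WATCH)
    ]


# Constructed transcript excerpt; the hive body is four placeholder bytes after 'regf'.
SAMPLE = """PS C:\\Users\\grinch> net user backdoor <placeholder> /add
PS C:\\Users\\grinch> certutil -encode C:\\Users\\grinch\\Desktop\\UsrClass.dat out.txt
PS C:\\Users\\grinch> type out.txt
-----BEGIN CERTIFICATE-----
cmVnZgECAwQ=
-----END CERTIFICATE-----
"""
```

Running `decode_certutil_block` over the real transcript and writing the bytes to UsrClass.dat gives the same hive CyberChef produces; `is_registry_hive` is the quick sanity check before opening it in ShellBags Explorer.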

8. Additionally, there is a unique folder named “Bag of Toys” on the Desktop! This must be where Santa prepares his collection of toys, and this is certainly sensitive data that the actor could have compromised. What is the name of the file found in this folder?

ANS: bag_of_toys.zip

EXPLANATION:

Step 1: Go through the Bag of Toys directory and check its contents; we will find bag_of_toys.zip.

9. What is the name of the user that owns the SantaRat repository?

ANS: Grinchiest

EXPLANATION:

Step 1: From the ShellBags Explorer analysis we know SantaRat has a .github folder, so search for the SantaRat repository on GitHub.

10. Explore the other repositories that this user owns. What is the name of the repository that seems especially pertinent to our investigation?

ANS: operation-bag-of-toys

EXPLANATION:

Step 1: Go to Grinchiest's account and check the other repositories for anything suspicious; we will find operation-bag-of-toys.

11. Read the information presented in this repository. It seems as if the actor has, in fact, compromised and tampered with Santa’s bag of toys! You can review the activity in the transcription logs. It looks as if the actor installed a special utility to collect and eventually exfiltrate the bag of toys. What is the name of the executable that installed a unique utility the actor used to collect the bag of toys?

ANS: uharc-cmd-install.exe

EXPLANATION:

Step 1: Search each file; the installer is in

PowerShell_transcript.LAPTOP.b+XfnW7t.20211128154858.txt

12. In the last transcription log, you can see the activity that this actor used to tamper with Santa's bag of toys! It looks as if they collected the original contents with a UHA archive. A UHA archive is similar to a ZIP or RAR archive, but faster and with better compression rates. It is very rare to see, but it looks like Grinch Enterprises are pulling out all the tricks!

You can see the actor compressed the original contents of the bag of toys with a password. Unfortunately, we are unable to see what the specific password was in these transcription logs! Perhaps we could find it elsewhere…

Following this, the actor looks to have removed everything from the bag of toys, and added in new things like coal, mold, worms, and more! What are the contents of these “malicious” files (coal, mold, and all the others)?

ANS: GRINCHMAS

EXPLANATION:

Step 1: Search each file; the file contents are in

PowerShell_transcript.LAPTOP.myCoN9lB.20211128155453.txt

13. We know that the actor seemingly collected the original bag of toys. Maybe there was a slight OPSEC mistake, and we might be able to recover Santa’s Bag of Toys! Review the actor’s repository for its planned operations… maybe in the commit messages, we could find the original archive and the password!

ANS: No answer needed

14. What is the password to the original bag_of_toys.uha archive? (You do not need to perform any password-cracking or bruteforce attempts)

ANS: TheGrinchiestGrinchmasOfAll

EXPLANATION:

Step 1: Go to Grinchiest's GitHub -> operation-bag-of-toys -> click on commits -> click on "stole Santa's bag of toys!!!!!!!!!!!!!!" -> click on the … button to expand the commit message, and we will get the password.

15. McSkidy was able to download and save a copy of the bag_of_toys.uha archive, and you have it accessible on the Desktop of the Windows analysis machine. After uncovering the password from the actor's GitHub repository, you have everything you need to restore Santa's original bag of toys!!

Double-click on the archive on the desktop to open a graphical UHARC extraction utility that has been prepared for you. Using the password you uncovered, extract the contents into a location of your choosing (you might make a “Bag of Toys” directory on the Desktop to save all the files into).

With that, you have successfully recovered the original contents of Santa’s Bag of Toys! You can view these in the Windows Explorer file browser to see how many were present.

How many original files were present in Santa’s Bag of Toys?

ANS: 228

EXPLANATION:

Step 1: Open bag_of_toys.uha on the Desktop and enter the password found in Question 14; all the files appear, and Windows Explorer shows the total number of files.

*****************THANK YOU****KEEP LEARNING ******************

I HOPE THIS WALKTHROUGH HELPS YOU. IF SO, A LIKE ON THE PAGE WOULD BE MUCH APPRECIATED, AND FOLLOW MY PROFILE FOR MORE WRITE-UPS.

*******PEACE*****


Mac Leo

Hacker |Cybersecurity Researcher | CTF Player |Cybersecurity Enthusiast