Walk Through Guide for Kusto Detective Agency Season 2, Case #10 Solution
The grand finale! 🌟
The tenth case riddle is:
The key takeaways from the riddle:
- We’re given a log of activities
- We’re asked to find information about the trojan KuandaListener
⚠SPOILER ALERT — THE SOLUTION DESCRIBED BELOW⚠
Note: Solution is mine, and non-official
Let’s delve into the data by leveraging | take 10, to see some rows.
The KuandaLogs table has three columns: Timestamp, DetectiveId and Message.
We see that the encryption tokens are spread throughout the log and are sometimes invalidated.
Let’s see whether there are more interesting rows, by extracting the first word of each message:
OK, we see the send messages, which are the interesting ones and complete the puzzle for finding the valuable information.
Let’s now take, for each DetectiveId, the valid tokens and dekrypt!
Lucky us 🍀 KQL has both the partition operator, to split the log by detective, and the scan operator, which helps us keep only the currently valid token:
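To illustrate the partition plus scan pattern, here is an added example over a few constructed KuandaLogs rows; it is not the original post's query, and the message format (a "token:" prefix, an "invalidate" line, a "send:" prefix) is an assumption, not taken from the real data.

```kusto
// Added example, not the original post's query.
// Constructed sample rows in an ASSUMED message format.
let KuandaLogs = datatable(Timestamp:datetime, DetectiveId:string, Message:string) [
    datetime(2023-10-01 09:00:00), "D1", "token: abc123",
    datetime(2023-10-01 09:05:00), "D1", "send: hello world",
    datetime(2023-10-01 09:10:00), "D1", "invalidate token",
    datetime(2023-10-01 09:15:00), "D1", "send: after invalidation",
    datetime(2023-10-01 09:20:00), "D1", "token: def456",
    datetime(2023-10-01 09:25:00), "D1", "send: with new token",
    datetime(2023-10-01 09:02:00), "D2", "token: xyz789",
    datetime(2023-10-01 09:07:00), "D2", "send: second detective",
];
KuandaLogs
// One sub-query per detective, so token state never leaks between detectives.
| partition by DetectiveId (
    order by Timestamp asc
    // scan carries state from row to row; s1.ValidToken is the value
    // produced for the previous row in this partition.
    | scan declare (ValidToken:string = "") with (
        step s1: true => ValidToken =
            iff(Message startswith "token:",
                extract(@"token:\s*(\S+)", 1, Message),      // new token becomes valid
                iff(Message startswith "invalidate",
                    "",                                      // token revoked
                    s1.ValidToken));                         // otherwise keep the current one
    )
)
// Keep only the interesting rows: each send together with the token valid at that moment.
| where Message startswith "send:"
| project Timestamp, DetectiveId, ValidToken, Payload = extract(@"send:\s*(.*)", 1, Message)
| order by DetectiveId asc, Timestamp asc
```

A send row with an empty ValidToken was issued while no token was valid, which is exactly the case the scan state makes visible.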
Most messages are not interesting, but a couple reveal a weakness:
TODO [BUGBUG]: Validate: bitset_count_ones(hash_many(‘kvc178c8b4935bed382529’, tostring($user_answer))) < 54! Leaving as-is for now, the chance it will actually happen is very low. (O boy, these non-AMD processors are literally melting down on invalid instruction sets!)
It’s time to leverage the weakness!
Let’s use our cluster id to find the answer for us, and set $user_answer to 2³¹-1 (the largest value that a signed 32-bit integer field can hold), which stretches the (non-AMD) processors to their limit, since this function just counts the ones in the binary representation!
We saved the day!
Enjoyed this article? Feel free to long-press the 👏 button below 😀