Yule Log Analysis
Location: East Hall
Problem
I am Pepper Minstix, and I'm looking for your help. Bad guys have us tangled up in pepperminty kelp! "Password spraying" is to blame for this our grinchly fate. Should we blame our password policies which users hate? Here you'll find a web log filled with failure and success. One successful login there requires your redress. Can you help us figure out which user was attacked? Tell us who fell victim, and please handle this with tact... Submit the compromised webmail username to runtoanswer to complete this challenge. elf@4b866d6674a5:~$
Hints
Pepper Minstix introduces this terminal:
Have you heard of password spraying? It seems we've been victim.
We fear that they were successful in accessing one of our Elf Web Access accounts, but we don't know which one.
Parsing through .evtx files can be tricky, but there's a Python script that can help you convert it into XML for easier grep'ing.
Pepper also provides a link to a webpage on Password Spraying: https://securityweekly.com/2017/07/21/tsw11/
Solution
In the home directory, we have a Windows eventlog file and a Python script to convert it to XML format.
elf@3b7a816ee05c:~$ ls -l
total 6896
-rw-r--r-- 1 elf elf    1353 Dec 14 16:13 evtx_dump.py
-rw-r--r-- 1 elf elf 1118208 Dec 14 16:13 ho-ho-no.evtx
-rwxr-xr-x 1 elf elf 5936968 Dec 14 16:13 runtoanswer
elf@3b7a816ee05c:~$ python evtx_dump.py ho-ho-no.evtx | egrep "(EventID|TargetUserName)"
Events are spread across multiple lines, so we'll have to grep each line that contains either an EventID or a TargetUserName. Eventually you start seeing a series of entries indicative of a password spray attack:
<EventID Qualifiers="">4625</EventID> <Data Name="TargetUserName">aaron.smith</Data> <EventID Qualifiers="">4625</EventID> <Data Name="TargetUserName">abhishek.kumar</Data> <EventID Qualifiers="">4625</EventID> <Data Name="TargetUserName">adam.smith</Data> <EventID Qualifiers="">4625</EventID> <Data Name="TargetUserName">ahmed.ali</Data> <EventID Qualifiers="">4625</EventID> <Data Name="TargetUserName">ahmed.hassan</Data> <EventID Qualifiers="">4625</EventID> <Data Name="TargetUserName">ahmed.mohamed</Data> <EventID Qualifiers="">4625</EventID> <Data Name="TargetUserName">ajay.kumar</Data>
Event ID 4625 is a failed logon and 4624 is a successful one. Look for a successful logon amongst all of the failures to determine which account was compromised. Eventually you come across an entry showing that Minty Candycane logged in successfully in the middle of this attack:
<EventID Qualifiers="">4624</EventID> <Data Name="TargetUserName">minty.candycane</Data> <EventID Qualifiers="">4625</EventID> <Data Name="TargetUserName">mohamed.ahmed</Data> <EventID Qualifiers="">4625</EventID> <Data Name="TargetUserName">mohamed.ali</Data>
elf@3b7a816ee05c:~$ runtoanswer
Loading, please wait......

Whose account was successfully accessed by the attacker's password spray? minty.candycane
Silly Minty Candycane, well this is what she gets.
"Winter2018" isn't for The Internets.
Passwords formed with season-year are on the hackers' list.
Maybe we should look at guidance published by the NIST?

Congratulations!
Alternative
You know, looking through those logs was pretty hard on the eyes. Maybe there is a better way. Let's start by dumping all of the events into a text file so we can get a better look at the log file structure.
elf@c78226a6a169:~$ evtx_dump.py ho-ho-no.evtx > ho-ho-no.txt
The sign of a password spray attack is a series of failed logons for many different usernames over a short span of time. Since we know the requests came in over the web, let's find a failed logon event with a process name of w3wp.exe (the IIS worker process):
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider> <EventID Qualifiers="">4625</EventID> <Version>0</Version> <Level>0</Level> <Task>12544</Task> <Opcode>0</Opcode> <Keywords>0x8010000000000000</Keywords> <TimeCreated SystemTime="2018-09-10 12:41:50.900736"></TimeCreated> <EventRecordID>234488</EventRecordID> <Correlation ActivityID="{71a9b66f-4900-0001-a8b6-a9710049d401}" RelatedActivityID=""></Correlation> <Execution ProcessID="664" ThreadID="712"></Execution> <Channel>Security</Channel> <Computer>WIN-KCON-EXCH16.EM.KRINGLECON.COM</Computer> <Security UserID=""></Security> </System> <EventData><Data Name="SubjectUserSid">S-1-5-18</Data> <Data Name="SubjectUserName">WIN-KCON-EXCH16$</Data> <Data Name="SubjectDomainName">EM.KRINGLECON</Data> <Data Name="SubjectLogonId">0x00000000000003e7</Data> <Data Name="TargetUserSid">S-1-0-0</Data> <Data Name="TargetUserName">sparkle.redberry</Data> <Data Name="TargetDomainName">EM.KRINGLECON</Data> <Data Name="Status">0xc000006d</Data> <Data Name="FailureReason">%%2313</Data> <Data Name="SubStatus">0xc000006a</Data> <Data Name="LogonType">8</Data> <Data Name="LogonProcessName">Advapi </Data> <Data Name="AuthenticationPackageName">Negotiate</Data> <Data Name="WorkstationName">WIN-KCON-EXCH16</Data> <Data Name="TransmittedServices">-</Data> <Data Name="LmPackageName">-</Data> <Data Name="KeyLength">0</Data> <Data Name="ProcessId">0x00000000000019f0</Data> <Data Name="ProcessName">C:\Windows\System32\inetsrv\w3wp.exe</Data> <Data Name="IpAddress">10.158.210.210</Data> <Data Name="IpPort">47904</Data> </EventData> </Event>
It's helpful that the client IP address is logged, but it would be nice to get each entire event onto one line for easier searching. awk can join the lines of an event for us, but the joined log data is nearly impossible to read, so we use cut to pull out just the interesting fields. This lets us find the pattern of failed logons we're looking for:
elf@c78226a6a169:~$ awk '/<\/Event>/{if (NR!=1)print "";next}{printf "%s|",$0}END{print "";}' ho-ho-no.txt | grep w3wp.exe | grep 4625 | grep 172.31.254.101 | cut -d "|" -f 22,36
<Data Name="TargetUserName">test.user</Data>|<Data Name="IpAddress">172.31.254.101</Data>
<Data Name="TargetUserName">aaron.smith</Data>|<Data Name="IpAddress">172.31.254.101</Data>
<Data Name="TargetUserName">abhishek.kumar</Data>|<Data Name="IpAddress">172.31.254.101</Data>
<Data Name="TargetUserName">adam.smith</Data>|<Data Name="IpAddress">172.31.254.101</Data>
<Data Name="TargetUserName">ahmed.ali</Data>|<Data Name="IpAddress">172.31.254.101</Data>
<Data Name="TargetUserName">ahmed.hassan</Data>|<Data Name="IpAddress">172.31.254.101</Data>
<Data Name="TargetUserName">ahmed.mohamed</Data>|<Data Name="IpAddress">172.31.254.101</Data>
<Data Name="TargetUserName">ajay.kumar</Data>|<Data Name="IpAddress">172.31.254.101</Data>
<Data Name="TargetUserName">alex.smith</Data>|<Data Name="IpAddress">172.31.254.101</Data>
<Data Name="TargetUserName">ali.khan</Data>|<Data Name="IpAddress">172.31.254.101</Data>
<Data Name="TargetUserName">ali.raza</Data>|<Data Name="IpAddress">172.31.254.101</Data>
<Data Name="TargetUserName">amanda.smith</Data>|<Data Name="IpAddress">172.31.254.101</Data>
This shows that the source IP address of the password spray attack is 172.31.254.101.
It now becomes a simple matter to find any successful log entries (Event ID 4624) associated with IP address 172.31.254.101.
elf@c78226a6a169:~$ awk '/<\/Event>/{if (NR!=1)print "";next}{printf "%s|",$0}END{print "";}' ho-ho-no.txt | grep w3wp.exe | grep 4624 | grep 172.31.254.101 | cut -d "|" -f 22,35
<Data Name="TargetUserName">minty.candycane</Data>|<Data Name="IpAddress">172.31.254.101</Data>
<Data Name="TargetUserName">minty.candycane</Data>|<Data Name="IpAddress">172.31.254.101</Data>
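The same hunt that both walkthroughs above do by eye (many failed web logons against distinct accounts from one source IP inside a short window, then a success from that same source) can be automated. This is an added example, not code from the challenge or from evtx_dump.py; it assumes the input is the concatenated <Event> elements as printed by evtx_dump.py and feeds itself a small constructed dump, with the spray threshold and window chosen here rather than taken from the page.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
def _event(event_id, when, user, ip):
    # Constructed minimal <Event> in the evtx_dump.py layout, carrying only the fields read below.
    return (f'<Event xmlns="{NS["e"]}"><System><EventID Qualifiers="">{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"></TimeCreated></System><EventData>'
            f'<Data Name="TargetUserName">{user}</Data><Data Name="IpAddress">{ip}</Data>'
            r'<Data Name="ProcessName">C:\Windows\System32\inetsrv\w3wp.exe</Data></EventData></Event>')

# Constructed sample dump: a spray from 172.31.254.101, plus an ordinary typo-then-success from another host.
SAMPLE_DUMP = "\n".join([
    _event(4625, "2018-09-10 12:41:50.900736", "sparkle.redberry", "172.31.254.101"),
    _event(4625, "2018-09-10 12:41:51.100000", "aaron.smith", "172.31.254.101"),
    _event(4625, "2018-09-10 12:41:51.300000", "abhishek.kumar", "172.31.254.101"),
    _event(4625, "2018-09-10 12:41:51.500000", "adam.smith", "172.31.254.101"),
    _event(4624, "2018-09-10 12:41:51.700000", "minty.candycane", "172.31.254.101"),
    _event(4625, "2018-09-10 12:43:10.000000", "ahmed.ali", "10.158.210.210"),
    _event(4624, "2018-09-10 12:43:12.000000", "ahmed.ali", "10.158.210.210"),
])

def parse_web_logons(dump):
    """Yield (time, event_id, user, ip) for every 4624/4625 event raised by w3wp.exe."""
    for ev in ET.fromstring(f"<Events>{dump}</Events>"):
        data = {d.get("Name"): (d.text or "") for d in ev.find("e:EventData", NS)}
        eid = int(ev.find("e:System/e:EventID", NS).text)
        if eid not in (4624, 4625) or not data.get("ProcessName", "").endswith("w3wp.exe"):
            continue  # same filter as the writeup: only logons coming through the web worker
        when = datetime.fromisoformat(ev.find("e:System/e:TimeCreated", NS).get("SystemTime"))
        yield when, eid, data["TargetUserName"], data["IpAddress"]

def find_spray_victims(dump, min_users=3, window_seconds=60):
    """Map each IP that failed >= min_users distinct accounts within window_seconds to the accounts it then logged into."""
    failures, successes = defaultdict(list), defaultdict(set)
    for when, eid, user, ip in parse_web_logons(dump):
        if eid == 4625:
            failures[ip].append((when, user))
        else:
            successes[ip].add(user)
    victims = {}
    for ip, fails in sorted(failures.items()):
        fails.sort()  # chronological, so a sliding window can start at each failure
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if (t - start).total_seconds() <= window_seconds}
            if len(users) >= min_users:
                victims[ip] = sorted(successes.get(ip, ()))
                break
    return victims
```

A single user who mistypes a password and then gets in never reaches the distinct-account threshold, which is what separates a spray from everyday failures.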
Credit to http://www.theunixschool.com/2012/05/awk-join-or-merge-lines-on-finding.html for the awk wizardry.