<h1>Welcome to Sunlands Aeronautics and Space Administration (SASA)</h1> <p>🥳 Today is your first day as a Junior Security Operations Center (SOC) Analyst with the most advanced space program in the world.
Your primary job responsibility is to defend Sunlands Aeronautics and Space Administration (SASA) and our employees from malicious cyber actors.</p> <p><img alt="sasa" src="https://github.com/KC7-Foundation/kc7_data/assets/9474932/26fda1ff-c5c2-4c5d-9e90-f553375544fc" /></p> <h3>Introduction</h3> <p>Sunlands Aeronautics and Space Administration (SASA) is the esteemed government agency of the United Sunlands responsible for the civil space program, aeronautics research, and space research.</p> <p>The International Space Summit took place on September 1, 2123 in the United Sunlands, where fellow space powers convened to discuss the development of new spaceports and other infrastructure to enable greater space exploration. The United Sunlands, an emerging economy, revolutionized its industries by harnessing solar power and recently developed cutting-edge solar-powered space propulsion technology. The United Sunlands is entertaining offers for spaceport funding from two other countries: Luneria States and Astrella Republic.</p> <p>However, the United Sunlands was targeted during this summit. The attacker exfiltrated sensitive, secret data about the United Sunlands' latest rocket technology as well as confidential, high-level communications about which country the United Sunlands would likely go with for the deal. A botnet is spreading an online influence campaign with the narrative that Luneria States was responsible for the attack.</p> <p>Your mission, if you choose to accept it, is to investigate the attack and report your forensic attribution assessment to the United Sunlands president.</p> <p>Sunlands Aeronautics and Space Administration (SASA) collects log data about the activity our employees perform on the organization's network. These security audit logs are stored in Azure Data Explorer (ADX), a log storage and query service in Azure (Microsoft’s cloud). You will use the Kusto Query Language (KQL) to parse through various types of security logs.
By analysing these logs, you can help us determine whether we’re being targeted by malicious actors.</p> <p>You can find full documentation on ADX here: <a href="https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/tutorial?pivots=azuredataexplorer">https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/tutorial?pivots=azuredataexplorer</a></p> <h3>Objectives</h3> <p>🧠 By the end of your first day on the job, you should be able to:</p> <ul> <li>Use the Azure Data Explorer</li> <li>Use multiple data sets to answer targeted questions </li> <li>Investigate cyber activity in logs including: email, web traffic, and server logs </li> <li>Use multiple techniques to track the activity of APTs (Advanced Persistent Threats) </li> <li>Use third party data sets to discover things about your attackers</li> <li>Make recommendations on what actions a company can take to protect themselves</li> </ul> <p><strong>The attackers have gotten a head start, so let's not waste any more time... let's get to work!</strong></p> <p>You can find all the links you need here: <a href="http://scoreboard.kc7cyber.com/modules/SASA">http://scoreboard.kc7cyber.com/modules/SASA</a></p> <h4>Getting Set Up in Azure Data Explorer (ADX)</h4> <p>ADX is the primary tool used in the Sunlands Aeronautics and Space Administration (SASA) SOC for data exploration and analysis. The great thing about ADX is that it is used by cyber analysts at many of the smallest and largest organizations in the world. </p> <p>Let’s get you logged in and started with ADX:</p> <p>On the left sidebar, you’ll see a button that says <strong>Query Data (ADX)</strong>. Click this and it will redirect you to ADX! (Note: You’ll probably be asked to login with a Microsoft account. 
You can use an existing personal or organization-issued Microsoft account, or create a new one for free.)</p> <p><img alt="image" src="https://github.com/KC7-Foundation/kc7_data/assets/9474932/aaab3ee6-95c6-4806-99f2-a2e9e6ada2bf" /></p> <p>Once you log in, you should see that a cluster called <em>“kc7001.eastus”</em> has already been added to your account.</p> <p><img alt="image" src="https://github.com/KC7-Foundation/kc7_data/assets/31902160/fa380f47-e573-452c-8647-b12b3f1a382f" /></p> <p>Data in ADX is organized in a hierarchy of <strong>clusters</strong>, <strong>databases</strong>, and <strong>tables</strong>.</p> <p><img alt="Untitled-6" src="https://github.com/KC7-Foundation/kc7_data/assets/31902160/e213a8ed-9afb-4399-9c01-dea468b2b8a3" /></p> <p>All of Sunlands Aeronautics and Space Administration (SASA)’s security logs are stored in a single database – the <strong>Sunlands</strong> database. </p> <ol> <li>Select your database. <ul> <li>Expand the dropdown arrow next to the <strong>Sunlands</strong> database.</li> <li>Click on the <strong>Sunlands</strong> database. Once you’ve done this, you should see the database highlighted; this means you’ve selected the database and are ready to query the tables inside.</li> </ul> </li> </ol> <p>Note: It’s very important that you use the <strong>Sunlands</strong> database for all questions while you’re investigating activity at SASA! If you choose the wrong database, you won’t be able to answer questions correctly.</p> <p>The big space to the right of your cluster list is the <em>query workspace</em>. That’s where you’ll actually write the queries used to interact with our log data.</p> <p><img alt="Untitled-7" src="https://github.com/KC7-Foundation/kc7_data/assets/31902160/c0c3552b-8032-4682-876a-523d9f73ce0e" /></p> <p>Currently, you’ll see there’s a message there welcoming you to Sunlands Aeronautics and Space Administration (SASA)!
Click the blue Run button above the query workspace to run your first query! Once you’ve done that, you can erase the welcome message by highlighting it and pressing backspace or delete on your keyboard.</p> <p>Okay, enough introductions… let’s get your hands on the data.</p> <h4>First Look at the data...</h4> <p>The <strong>Sunlands</strong> database contains nine tables. Tables contain many rows of similar data. For security logs, a single row typically represents a single thing done by an employee or a device on the network at a particular time.</p> <p>We currently have nine types of log data. As you’ll see in ADX, each log type corresponds to a table in the <strong>Sunlands</strong> database:</p> <table> <thead> <tr> <th><strong>Table Name</strong></th> <th><strong>Description</strong></th> </tr> </thead> <tbody> <tr> <td>Employees</td> <td>Contains information about the company’s employees</td> </tr> <tr> <td>Email</td> <td>Records emails sent and received by employees</td> </tr> <tr> <td>InboundNetworkEvents</td> <td>Records inbound network events, including browsing activity from the Internet to devices within the company network</td> </tr> <tr> <td>OutboundNetworkEvents</td> <td>Records outbound network events, including browsing activity from within the company network out to the Internet</td> </tr> <tr> <td>AuthenticationEvents</td> <td>Records successful and failed logins to devices on the company network.
This includes logins to the company’s mail server.</td> </tr> <tr> <td>FileCreationEvents</td> <td>Records files stored on employees’ devices</td> </tr> <tr> <td>ProcessEvents</td> <td>Records processes created on employees’ devices</td> </tr> <tr> <td>PassiveDns (External)</td> <td>Records historical domain-to-IP resolutions observed by an external vendor</td> </tr> <tr> <td>SecurityAlerts</td> <td>Records security alerts from an employee’s device or the company’s email security system</td> </tr> </tbody> </table> <blockquote> <p>🎯<strong>Key Point – Over the Horizon (OTH) data</strong>: One of the tables listed above is not like the others – <strong>PassiveDns</strong>. Rather than being an internal security log, PassiveDns is a data source that we’ve purchased from a third-party vendor. Not all malicious cyber activity happens within our company network, so sometimes we depend on data from other sources to complete our investigations. Because hosting is often shared, a single IP in PassiveDns can resolve for many unrelated domains: treat an IP overlap as a lead to confirm against our own logs, not as proof that two domains belong to the same actor.</p> </blockquote> <p>You’ll learn more about how to use each of these datasets in just a minute. First, let’s just run some queries so you can practice using KQL and ADX.</p> <h2>Section 2: Start Hunting!</h2> <p>You’ve finished your training and you’re ready to get to work protecting Sunlands Aeronautics and Space Administration (SASA). </p> <p>Work with your team to complete as many challenge questions from the remaining sections in the scoreboard as possible! The goal is to score as many points as you can. There are a lot of questions (the attackers have been busy), so you probably won’t be able to answer them all. Just do as many as you can!</p> <p>As you answer the questions, we will take you on a journey exploring the data and discovering what actions the adversaries have taken. However, you should remember that this is only one of many paths you can take through the data. As you go, don’t forget to pay attention to the details along the way. What patterns do the attackers exhibit that could help you track them better? Do they like to use certain words or themes?
Or do they make mistakes? Keeping track of these patterns will help you build the full picture of what happened. </p> <p>Use the provided <a href="https://docs.google.com/document/d/1rZR4eVG886oPziG-5nGeQ5kN_q5Bpq0m/edit?usp=sharing&ouid=105873493764084037775&rtpof=true&sd=true">Actor Preview</a> document to keep track of what you know about the attacker. Building a good profile, timelining the attacker’s activity, and forming a list of indicators of compromise (IOCs) will let you recognize the same actor when they show up again. KC7 models some of the techniques used by these attackers on real-world threat actors, so the profile you build here may be a helpful reference when you investigate a real security incident. </p> <p>Now, get out there and keep us safe! The whole company is counting on you. No pressure😊.</p> <h2>Resources</h2> <p>Understanding KQL operators: <a href="https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/datatypes-string-operators">https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/datatypes-string-operators</a></p>
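<p>Returning to the table of log sources in the first section: the pivot that table invites, as an added example written for this page (it is not a KC7 query or one of the scoreboard answers), is to start from external emails that carried a link, map each recipient to their workstation through <strong>Employees</strong>, look for that workstation fetching the link's host in <strong>OutboundNetworkEvents</strong>, and only then enrich with the third-party <strong>PassiveDns</strong> data. The column names used below (<code>timestamp</code>, <code>sender</code>, <code>recipient</code>, <code>link</code>, <code>email_addr</code>, <code>ip_addr</code>, <code>username</code>, <code>src_ip</code>, <code>url</code>, <code>ip</code>, <code>domain</code>), the mail domain <code>sasa.gov</code>, and the date window are assumptions; confirm the names with <code>Email | getschema</code> and <code>Employees | take 5</code> before relying on the query.</p>

```kusto
// Added example for this page, not KC7's own query. Column names and the
// "@sasa.gov" mail domain are assumptions; verify with `<Table> | getschema`.
// Step 1: external emails that carried a link, with the link's host extracted.
let suspicious_links =
    Email
    | where timestamp between (datetime(2123-08-25) .. datetime(2123-09-05))  // assumed window around the summit
    | where isnotempty(link)
    | where sender !endswith "@sasa.gov"                 // assumed: anything else is external
    | extend link_domain = tostring(parse_url(link).Host)
    | project delivered_at = timestamp, sender, recipient, link_domain;
// Step 2: Employees turns a recipient address into the workstation IP that
//         will appear as src_ip in the network logs.
let recipient_hosts =
    Employees
    | project email_addr, ip_addr, username
    | join kind=inner (suspicious_links) on $left.email_addr == $right.recipient;
// Step 3: a click is an outbound request from that workstation to the link's
//         host, and it must happen AFTER the email was delivered.
let clicks =
    recipient_hosts
    | join kind=inner (
        OutboundNetworkEvents
        | extend url_host = tostring(parse_url(url).Host)
      ) on $left.ip_addr == $right.src_ip, $left.link_domain == $right.url_host
    | where timestamp >= delivered_at
    | project username, sender, link_domain, delivered_at, clicked_at = timestamp, url;
// Step 4: enrich with the external PassiveDns table. Shared hosting means one
//         IP can serve many unrelated domains, so IP overlap is a lead, not proof.
clicks
| join kind=leftouter (
    PassiveDns
    | summarize resolved_ips = make_set(ip),
                dns_first_seen = min(timestamp),
                dns_last_seen = max(timestamp) by domain
  ) on $left.link_domain == $right.domain
| order by clicked_at asc
```

<p>The <code>where timestamp &gt;= delivered_at</code> line is the check that turns a coincidence (someone browsed that host last week) into evidence (the recipient fetched it after the lure arrived). The left outer join at the end keeps clicks whose domain the vendor never saw, which is itself a clue about how fresh the attacker's infrastructure is.</p>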
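<p>One way to build the timeline the Actor Preview step in Section 2 asks for, as an added example written for this page rather than a KC7 query: keep every indicator you have collected in one place and <code>union</code> the matching rows from each internal table into a single ordered list. The IOC values are placeholders (a reserved TEST-NET-3 address and dummy strings) to be replaced with what your own hunting turns up, and the column names are assumptions; <strong>PassiveDns</strong> is left out on purpose because its timestamps record the vendor's observations, not activity inside our network.</p>

```kusto
// Added example for this page, not KC7's own query. IOC values are placeholders;
// column names are assumptions, check them with `<Table> | getschema`.
let ioc_domains = dynamic(["lure-domain.example"]);            // placeholder domain
let ioc_ips     = dynamic(["203.0.113.10"]);                   // placeholder (TEST-NET-3)
let ioc_hashes  = dynamic(["replace-with-a-sha256"]);          // placeholder hash
// Employees is a lookup, not an event source: it maps a workstation IP back to a person.
let ip_to_user = Employees | project src_ip = ip_addr, ip_owner = username;
union
    (Email
     | where sender has_any (ioc_domains) or link has_any (ioc_domains)
     | project timestamp, source = "Email", who = recipient,
               detail = strcat("from ", sender, " link ", link)),
    (OutboundNetworkEvents
     | where url has_any (ioc_domains)
     | join kind=leftouter (ip_to_user) on src_ip
     | project timestamp, source = "OutboundNetworkEvents",
               who = coalesce(ip_owner, src_ip), detail = url),
    (InboundNetworkEvents
     | where src_ip in (ioc_ips)
     | project timestamp, source = "InboundNetworkEvents", who = src_ip, detail = url),
    (AuthenticationEvents
     | where src_ip in (ioc_ips)
     | project timestamp, source = "AuthenticationEvents", who = username,
               detail = strcat(result, " from ", src_ip, " to ", hostname)),
    (FileCreationEvents
     | where sha256 in (ioc_hashes)
     | project timestamp, source = "FileCreationEvents", who = username,
               detail = strcat(hostname, " ", path)),
    (ProcessEvents
     | where process_hash in (ioc_hashes) or process_commandline has_any (ioc_domains)
     | project timestamp, source = "ProcessEvents", who = username,
               detail = strcat(hostname, " ", process_commandline)),
    (SecurityAlerts
     | where description has_any (ioc_domains)
     | project timestamp, source = "SecurityAlerts", who = "", detail = description)
| order by timestamp asc
// Each row is one event on the timeline. The earliest Email row is usually the
// initial access; a gap between two sources is where to go back and hunt for
// the step you have not found yet (and the IOC that would reveal it).
```

<p>Every branch projects the same four columns with the same types, which is what lets <code>union</code> stack them; when a new indicator type turns up (a user agent, a filename pattern) it becomes one more <code>let</code> at the top and one more <code>where</code> clause, and the Actor Preview document is where those values get recorded so the whole team runs the same list.</p>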