Elf #6 - Pepper Minstix: Yule Log Analysis Cranberry Pi terminal

Given hint: https://www.youtube.com/watch?v=ZIOw_xfqkKM

I am Pepper Minstix, and I'm looking for your help.
Bad guys have us tangled up in pepperminty kelp!
"Password spraying" is to blame for this our grinchly fate.
Should we blame our password policies which users hate?

Here you'll find a web log filled with failure and success.
One successful login there requires your redress.
Can you help us figure out which user was attacked?
Tell us who fell victim, and please handle this with tact...

Submit the compromised webmail username to runtoanswer to complete this challenge.

The challenge can be accessed directly here:

List the current directory

elf@9379a8ea1023:~$ ls -al
total 6916
drwxr-xr-x 1 elf  elf     4096 Dec 14 16:42 .
drwxr-xr-x 1 root root    4096 Dec 14 16:42 ..
-rw-r--r-- 1 elf  elf      220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 elf  elf     3785 Dec 14 16:42 .bashrc
-rw-r--r-- 1 elf  elf      807 Apr  4  2018 .profile
-rw-r--r-- 1 elf  elf     1353 Dec 14 16:13 evtx_dump.py
-rw-r--r-- 1 elf  elf  1118208 Dec 14 16:13 ho-ho-no.evtx
-rwxr-xr-x 1 elf  elf  5936968 Dec 14 16:13 runtoanswer

Use evtx_dump.py to convert the file "ho-ho-no.evtx" into an XML file:

elf@9379a8ea1023:~$ python evtx_dump.py ho-ho-no.evtx > events.xml

A good way to start identifying a password spray attack is to look for failed logons (event ID 4625) from a single source host (or from a limited range of source hosts), across a wide range of usernames, within a short timeframe.

First, identify the structure of a failed logon attempt from the event log:

elf@9379a8ea1023:~$ cat events.xml | grep "4625" -m 1 -C 50
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
<EventID Qualifiers="">4625</EventID>
<TimeCreated SystemTime="2018-09-10 12:41:50.900736"></TimeCreated>
<Correlation ActivityID="{71a9b66f-4900-0001-a8b6-a9710049d401}" RelatedActivityID=""></Correlation>
<Execution ProcessID="664" ThreadID="712"></Execution>
<Security UserID=""></Security>
<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">WIN-KCON-EXCH16$</Data>
<Data Name="SubjectDomainName">EM.KRINGLECON</Data>
<Data Name="SubjectLogonId">0x00000000000003e7</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">sparkle.redberry</Data>
<Data Name="TargetDomainName">EM.KRINGLECON</Data>
<Data Name="Status">0xc000006d</Data>
<Data Name="FailureReason">%%2313</Data>
<Data Name="SubStatus">0xc000006a</Data>
<Data Name="LogonType">8</Data>
<Data Name="LogonProcessName">Advapi  </Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">WIN-KCON-EXCH16</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x00000000000019f0</Data>
<Data Name="ProcessName">C:\Windows\System32\inetsrv\w3wp.exe</Data>
<Data Name="IpAddress"></Data>
<Data Name="IpPort">47904</Data>

To capture a single fail event, search the file using grep for pattern ">4625<" and include 1 line above, and 37 lines below, as per the pattern above. Then pipe those search results into another grep search which outputs the WorkstationName, TargetUserName and TimeCreated fields.

elf@9379a8ea1023:~$ cat events.xml | grep ">4625<" -B 1 -A 37 | grep -E "WorkstationName|TargetUserName|TimeCreated"
<TimeCreated SystemTime="2018-09-10 12:41:50.900736"></TimeCreated>
<Data Name="TargetUserName">sparkle.redberry</Data>
<Data Name="WorkstationName">WIN-KCON-EXCH16</Data>
<TimeCreated SystemTime="2018-09-10 12:54:56.034510"></TimeCreated>
<Data Name="TargetUserName">test.user</Data>
<Data Name="WorkstationName">WIN-KCON-EXCH16</Data>


The output above clearly reveals a password spray attempt from source host "WIN-KCON-EXCH16". Many usernames are tried once each, between the times of 13:03 and 13:05. The list of usernames that were password sprayed is retrieved using the query below.

elf@9379a8ea1023:~$ cat events.xml | grep ">4625<" -B 1 -A 37 | grep '"WorkstationName">WIN-KCON-EXCH16' -A 9 -B 29 | grep -E "13:03|13:04|13:05" -A 31 -B 7 | grep "TargetUserName" | grep -oP '(?<=>).*(?=<)'


The Windows event code for successful logons is 4624. Accounts that logged on successfully between 13:03 and 13:05 from "WIN-KCON-EXCH16", and that are not webmail users, have very likely fallen victim to the password spray attack.

elf@9379a8ea1023:~$ cat events.xml | grep ">4624<" -B 1 -A 37 | grep '"WorkstationName">WIN-KCON-EXCH16' -A 9 -B 29 | grep -E "13:03|13:04|13:05" -A 31 -B 7 | grep "TargetUserName" | grep -oP '(?<=>).*(?=<)'

Legit webmail users can be filtered out by excluding "HealthMailbox" from the results:

elf@9379a8ea1023:~$ cat events.xml | grep ">4624<" -A 37 -B 1 | grep '"WorkstationName">WIN-KCON-EXCH16' -A 9 -B 29 | grep -E "13:03|13:04|13:05" -A 31 -B 7 | grep "TargetUserName" | grep -oP '(?<=>).*(?=<)' | grep -v HealthMailbox

User "minty.candycane" was very likely compromised in the password spray attack.
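
The same correlation as the grep pipelines above, as an added Python example (not part of the original write-up or the challenge files): it parses evtx_dump.py-style XML, flags a source with failed logons (4625) for several distinct usernames inside a short window, and lists the non-HealthMailbox accounts that logged on (4624) from that source during the burst. The sample events, the user.* names and the min_users and window thresholds are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_events(xml_text):
    """Return sorted (time, event_id, user, source) tuples from evtx_dump.py-style XML."""
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)  # only the elements matter
    rows = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        data = {d.get("Name"): d.text or "" for d in ev.iterfind("e:EventData/e:Data", NS)}
        ts = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        rows.append((datetime.fromisoformat(ts), ev.findtext("e:System/e:EventID", "", NS),
                     data.get("TargetUserName", ""), data.get("WorkstationName", "")))
    return sorted(rows)

def spray_victims(rows, min_users=3, window=timedelta(minutes=5)):
    """Map each spraying source to the accounts that logged on from it during the burst."""
    fails, found = defaultdict(list), {}
    for t, eid, user, src in rows:
        if eid == "4625":
            fails[src].append((t, user))
    for src, items in fails.items():
        for start, _ in items:
            burst = [(t, u) for t, u in items if start <= t <= start + window]
            if len({u for _, u in burst}) >= min_users:  # many users, one source, short time
                found[src] = sorted({u for t, eid, u, s in rows
                                     if eid == "4624" and s == src and start <= t <= burst[-1][0]
                                     and not u.startswith("HealthMailbox")})
                break
    return found

def _event(eid, ts, user, src="WIN-KCON-EXCH16"):
    return (f'<Event xmlns="{NS["e"]}"><System><EventID Qualifiers="">{eid}</EventID>'
            f'<TimeCreated SystemTime="2018-09-10 {ts}"></TimeCreated></System><EventData>'
            f'<Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="WorkstationName">{src}</Data></EventData></Event>')

# Constructed sample, not taken from ho-ho-no.evtx; the user.* names are made up.
SAMPLE = '<?xml version="1.0"?><Events>' + "".join(_event(*e) for e in [
    ("4625", "12:41:50.900736", "user.one"), ("4624", "12:50:00", "user.early"),
    ("4625", "13:03:33.100000", "user.two"), ("4625", "13:03:40.200000", "user.three"),
    ("4624", "13:04:10.300000", "HealthMailboxabc123"), ("4624", "13:04:28.400000", "user.victim"),
    ("4625", "13:05:02.500000", "user.four")]) + "</Events>"

if __name__ == "__main__":
    print(spray_victims(parse_events(SAMPLE)))
```

Unlike the fixed -A/-B line offsets in the grep pipelines, this keys on field names, so it keeps working if an event carries more or fewer Data elements.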

elf@9379a8ea1023:~$ ./runtoanswer 
Loading, please wait......

Whose account was successfully accessed by the attacker's password spray? minty.candycane

Silly Minty Candycane, well this is what she gets.
"Winter2018" isn't for The Internets.
Passwords formed with season-year are on the hackers' list.
Maybe we should look at guidance published by the NIST?