CTF for aspiring SOC Engineers

malfunction-grinds
4 min read · Jun 11, 2023


Yesterday, June 10, 2023 EST, KC7 (https://kc7cyber.com/) held an awesome capture-the-flag event. At first, I thought it was just like another vendor-hosted event where they just pool your contact details and spam you with their products and services. I logged in and connected nonchalantly. I found it weird that in their email they were asking for 3–4 things to set up: Zoom, an Azure page, a “scoreboard” of some sort, and Discord. It was just a matter of clicking the links they provided. However, I hadn't logged in to Discord for months and, since I had changed mobile phones, it took me 30 minutes to move my authenticator from my old mobile to the new one. Anyway, the trouble was all worth it once things were settled. It was indeed a CTF/competitive learning activity, so I completely bought in.

Objectives

🧠 By the end of your first day on the job, you should be able to:

  • Use Azure Data Explorer and Kusto Query Language
  • Use multiple data sets to answer targeted questions
  • Investigate cyber activity in logs including: email, web traffic, and server logs
  • Use multiple techniques to track the activity of APTs (Advanced Persistent Threats)
  • Use third-party data sets to discover things about your attackers
  • Make recommendations on what actions a company can take to protect themselves

This CTF introduced me to KQL.

KQL stands for Kusto Query Language. It is a query language developed by Microsoft for querying and analyzing large datasets stored in Azure Data Explorer (formerly known as Kusto). Azure Data Explorer is a fast and scalable data exploration service that can handle massive amounts of data for real-time analysis.

KQL is designed to be simple, expressive, and efficient for performing ad-hoc data exploration and analysis. It allows users to write queries to retrieve, filter, aggregate, and transform data stored in Azure Data Explorer. KQL supports a wide range of operations such as filtering, sorting, joining, grouping, and summarizing data.

The syntax of KQL resembles SQL (Structured Query Language) but with some differences and additional features specific to Azure Data Explorer. It includes functions, operators, and query constructs that enable users to perform complex operations on the data. KQL queries can be executed through various tools and interfaces, including the Azure Data Explorer web UI, the Kusto.Explorer desktop client, and the Kusto command-line interface (Kusto.Cli).

KQL is commonly used in scenarios that require real-time data analysis, such as log analytics, telemetry analysis, and monitoring of large-scale systems. It provides powerful capabilities for processing and analyzing vast amounts of data quickly, making it a valuable tool for data engineers, data analysts, and developers working with Azure Data Explorer.

Since it was my first time using this, I had a hard time and it took me another hour to grasp the concept. I haven't completed the 4 sections as of writing, though, but these are my queries/answers from my Milanote.

SECTION 1

Question 1 (10pts) ✅ Solved

Try it for yourself! Do a take 10 on all the other tables to see what kind of data they contain. Answer with “done” when you are finished.

Question 2 (10pts) ✅ Solved

How many employees are in the company?

1500
Employees
| count

Question 3 (10pts) ✅ Solved

Each employee at Castle&Sand is assigned an IP address. Which employee has the IP address: “10.10.2.1”?

Preston Lane
Employees
| where ip_addr == "10.10.2.1"

Question 4 (10pts) ✅ Solved

How many emails did Jacqueline Henderson receive?

26
Email
| where recipient == "jacqueline_henderson@castleandsand.com"

Question 5 (10pts) ✅ Solved

How many distinct senders were seen in the email logs from sunandsandtrading.com?

2146
Email
| where sender has "sunandsandtrading.com"
| distinct sender

Question 6 (10pts) ✅ Solved

How many unique websites did “Cristin Genao” visit?

45
Search for the IP address of the user:
Employees
| where name == "Cristin Genao"
Then look up that source IP in the network events table:
OutboundNetworkEvents
| where src_ip == "10.10.0.141"
| distinct url
| count

Question 7 (10pts) ✅ Solved

How many distinct domains in the PassiveDns records contain the word “shark”?

13
PassiveDns
| where domain contains "shark"
| distinct domain

sharkfin.com
jawshark.com
jaw-shark.com
byteshark.com
shark-fin.com
apexshark.com
sharkgamingsystems-my.sharepoint.com
shark-helmets.com
apex-shark.com
shark-apex.com
byte-shark.com
sharkapex.com
surfshark.co.uk

Question 8 (10pts) ✅ Solved

What IPs did the domain “sharkfin.com” resolve to (enter any one of them)?

157.242.169.232;200.106.38.88;188.203.116.15;180.5.6.199
PassiveDns
| where domain contains "sharkfin.com"

Question 9 (20pts) ✅ Solved

How many unique URLs were browsed by employees named “Karen”?

151
let karen_ips =
Employees
| where name has "Karen"
| distinct ip_addr;
OutboundNetworkEvents
| where src_ip in (karen_ips)
| distinct url
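Putting the Question 6, 7 and 9 patterns together, here is an added example (my own, not one of the CTF answers) that correlates all three tables in one query: which employees browsed any of the "shark" domains, how often, and what those domains resolved to. It assumes the same column names the queries above use, plus a `timestamp` column on OutboundNetworkEvents and an `ip` column on PassiveDns, and that `url` holds a full URL so `parse_url` can pull out the host.

```kql
// Added example, not from the post. Assumed columns: Employees(name, ip_addr),
// OutboundNetworkEvents(timestamp, src_ip, url), PassiveDns(domain, ip).
// One row per suspicious domain with every IP it resolved to. "contains" is
// used deliberately: "has" matches whole terms, so it would miss "sharkfin.com".
let shark_resolutions =
    PassiveDns
    | where domain contains "shark"
    | summarize resolved_ips = make_set(ip) by host = domain;
OutboundNetworkEvents
// reduce the full URL to its host name so it can be matched against PassiveDns
| extend host = tostring(parse_url(url).Host)
| where host in (shark_resolutions | project host)
// attach the employee behind each source IP; unknown IPs are dropped by the inner join
| join kind=inner (Employees | project name, ip_addr) on $left.src_ip == $right.ip_addr
// one row per host on the right side, so the join does not multiply the visit count
| join kind=leftouter shark_resolutions on host
| summarize visits = count(),
            first_seen = min(timestamp),
            last_seen = max(timestamp),
            urls = make_set(url, 10)
         by name, host, tostring(resolved_ips)
| order by visits desc
```

Swapping the `contains "shark"` filter for a list of domains from a threat-intel feed turns the same query into a hunting rule you can schedule.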

BTW, I finished in the top 30 (out of 200) of the participants. Not bad for a red teamer :D

Again, kudos to KC7 Foundation. I really enjoyed every bit of your CTF! Once I finish this module, I will try the earlier modules you have! Looking forward to your future events!
