KQL - nalthea/nalthea GitHub Wiki
KC7
Introduction
this page contains information about my work on KC7, a free online tryhackme-style site that focuses on using kusto query language in a way that mirrors SIEMs like azure sentinel.
FAQ
Q: where can i find kc7?
A: kc7cyber.com -- although i am not sure i recommend it generally. its approach to teaching is somewhat scattershot, and although it's useful to learn kql, i've found it starts to deviate and include questions relating to OSINT or MITRE that are poorly executed. i have more thoughts on the state of cybersecurity education in general, and once the blog post exists i'll link it riiiiight...here
Q: how is this page ordered?
A: each heading introduces a new scenario. these are all available at kc7cyber.com/modules. note: i didn't begin documenting this until section 4 of the module a scandal in valdoria, so the first post jumps in there.
Q: i can't follow what you're doing!
A: this isn't meant to be a walkthrough of kc7 or a how-to on how to use KQL; instead, i'm documenting my personal journey learning kusto. each screenshot shows the question i was asked and the queries i used to answer it, but usually it DOESN'T include the results of that query. i also don't include every question because some of them are trivial. usually, the screenshot explains itself, but i have included some occasional musings.
a scandal in valdoria
i want to narrow my search for discovery commands to after the initial c&c process ran. i need to do some research on kusto syntax to figure out how to cast to datetime.
easy to do, but this isn't the right direction. i don't see any discovery commands like whoami being run.
turns out the discovery commands were run before the plink process, which makes sense. plink isn't for interactive terminal work, it runs automated processes. the malicious macros on the .docx file would have established the initial c&c and plink is more like the payload. on a smaller note, each of these discovery commands is separated by several minutes. i wonder if that's realistic.
wow, a useful error message. kusto is kinda goated for that
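An added example, not from the wiki or from KC7, of the kind of query this section describes: cast a known timestamp to datetime, anchor on the first plink event, widen the window to cover the minutes before it, and pull discovery commands out of the process log with a let-defined list. The table and column names follow the KC7 ProcessEvents layout as assumed here, and the host name and timestamp are constructed placeholders.

```kql
// Assumed KC7-style schema (not taken from the wiki): ProcessEvents with
// timestamp, hostname, username, process_name, process_commandline.
let target_host = "EXAMPLE-HOST";                       // constructed placeholder
// Casting a string to datetime so it can be used in time arithmetic.
let fallback_anchor = todatetime("2024-01-01T12:00:00Z"); // constructed placeholder
// Prefer the first plink execution on the host as the anchor; fall back to the literal.
let anchor = toscalar(
    ProcessEvents
    | where hostname == target_host and process_name =~ "plink.exe"
    | summarize first_seen = min(timestamp)
    | extend first_seen = iff(isnull(first_seen), fallback_anchor, first_seen)
    | project first_seen
);
// Discovery ran BEFORE plink in this scenario, so look back as well as forward.
let window_before = 2h;
let window_after = 30m;
let discovery_cmds = dynamic(["whoami", "net user", "net group", "ipconfig",
                              "systeminfo", "tasklist", "nltest", "netstat"]);
ProcessEvents
| where hostname == target_host
| where timestamp between ((anchor - window_before) .. (anchor + window_after))
| where process_commandline has_any (discovery_cmds)
// Offset makes the spacing between commands (the "several minutes" above) visible.
| extend offset_from_anchor = timestamp - anchor
| project timestamp, offset_from_anchor, username, process_name, process_commandline
| order by timestamp asc
```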
jojo's hospital
decided to do some simple let statements to speed things up. it took a couple tries to get the syntax right, but it's satisfying to have a scalable command.
classic threat actor ttp. go to the website you want to hack and search "how do i hack this website." pretty sure that's how heartbleed worked
not to nitpick every element of this silly little scenario, but why would the attackers continue to use their fake restaurant name in these files instead of using the real name? maybe they don't wanna get sued for intellectual property infringement
the questions often ask me to do something in a way that just feels stupid. why would i sort through every single process event when i know the name of the file?
guessed it would be a .txt file
azure crest hospital
i don't know why it surprises me that there are things like url parsers built into kql, but wow that's useful
i love regex and i don't care who knows
although there were plenty more questions, they started to not be about kql and instead be entirely unrelated questions about finding the twitter handles of cybersecurity personalities. this seems like a lazy waste of time to me, which is disappointing as someone who was interested in learning kql. if this is the last thing you see on this page, it's because KC7 has disappointed me.