Challenges
- Challenge 1: Here
- Challenge 2: Here
- Challenge 3: Here
- Challenge 4: Here
- Challenge 5: This article
The ADX team upped their game once again. Time for a proper forensic investigation, track down the baddies, find clues and decipher their meaning all while racing against the clock. Can you come up with the date and location of the heist in time to stop them?
General advice
This challenge requires a bit of creative thinking; even with the hints there are multiple paths to go down, and not all of them lead to the right outcome. The key to this one: keep it simple and logical.
Challenge 5: Big heist
This challenge also has multiple parts: first we need to identify four chatroom users from over three million records, and then we need to “hack” their IPs to get more clues.
Trying to identify the right user behaviors here is super tricky; I got tripped up by adding a level of complexity that was unnecessary. At its simplest, we have to find a room that exactly four people joined and no one else. Some KQL functions and operators that will be useful here are tostring, split, extend and row_cumsum.
Hello. It’s going to happen soon: a big heist. You can stop it if you are quick enough. Find the exact place and time it’s going to happen.
Do it right, and you will be rewarded, do it wrong, and you will miss your chance.
Here are some pieces of the information:
The heist team has 4 members. They are very careful, hide well with minimal interaction with the external world. Yet, they use public chat-server for their syncs. The data below was captured from the chat-server: it doesn’t include messages, but still it may be useful. See what you can do to find the IPs the gang uses to communicate.
Once you have their IPs, use my small utility to sneak into their machines and find more hints:
https://sneakinto.z13.web.core.windows.net/<ip>
Cheers
El Puente
PS:
Feeling uncomfortable and wondering about an elephant in the room: why would I help you?
Nothing escapes you, ha?
Let’s put it this way: we live in a circus full of competition. I can use some of your help, and nothing breaks if you use mine… You see, everything is about symbiosis.
Anyway, what do you have to lose? Look on an illustrated past, fast forward N days and realize the future is here.
// Step 1: rooms that exactly four distinct users ever joined.
// split() returns a dynamic array, so index into it ([1], [5]) and tostring()
// gives the bare word rather than a one-element JSON array.
let rooms =
ChatLogs
| where Message contains "joined"
| extend user = tostring(split(Message, " ")[1])
| extend chan = tostring(split(Message, " ")[5])
| distinct user, chan
| summarize count() by chan
| where count_ == 4
| project chan;
// Step 2: of those rooms, keep the ones where all four were present at the
// same time: +1 per join, -1 per leave, running sum reset per channel.
// Ordering by chan before Timestamp keeps each channel's events contiguous,
// so the prev(chan) reset fires once per room instead of whenever rooms interleave in time.
let chatroom =
ChatLogs
| extend action = tostring(split(Message, " ")[2])
| where action contains "joined" or action contains "left"
| extend A1 = iif(action contains "joined", 1, -1)
| extend user = tostring(split(Message, " ")[1])
| extend chan = tostring(split(Message, " ")[5])
| where chan in (rooms)
| order by chan asc, Timestamp asc
| extend total = row_cumsum(A1, chan != prev(chan))
| where total == 4
| distinct chan;
// Step 3: the members of that room.
let users =
ChatLogs
| extend chan = tostring(split(Message, " ")[5])
| where chan in (chatroom)
| extend user = tostring(split(Message, " ")[1])
| distinct user;
// Step 4: the IPs those members logged in from (word 5 of the "logged" messages).
ChatLogs
| extend user = tostring(split(Message, " ")[1])
| where user in (users)
| where Message contains "logged"
| extend IP = tostring(split(Message, " ")[5])
| distinct IP
Alright, we’ve got some IPs, so it’s time to “hack”. Using the provided tool you’ll gather a set of clues from each of the gang members. There are a few key things you need to find: an email, some pictures, a cypher tool, an article and a PDF copy of it, and of course a video from the nefarious Professor Smoke.
From here on out it’s all investigative skills, you now have everything you need to find the date and location of the heist and save that datacenter!
In order to decrypt the secret message, you’re going to need a special key. The format looks familiar, right? Spot on, you’ll need the answer from challenge 4!
Congratulations Detective!
If you’ve found this blog series useful, please let me know via LinkedIn or drop a comment below. These challenges have been super fun and I for one am looking forward to season 2!
Any additional hints? I don’t find the date correct.
The date is a three-step process: you need the date from one of the pictures, you need to do the % (MOD) calculation using the year from the article that comes from the decrypted message, and then add that number of days to the first date.
1) Get the picture of the Project X’s target and see the date it was taken (Date1).
2) There was another historical nonsense event happened at year YYYY, and it reminds me of today (I will send a link later). We will use that event as a reference point.
The day of our action will be: Date1 + ((YYYY % 1000) days))
Ad.1. That was the easy part – the PDF article shows a big “X” on the picture – you just need to find the correct file.
Ad.2. Where to look for it? The article?
Date1 = 09 + ((YYYY=1981 / 1000) Days=14)) – is this correct? Any other hints?
No, it’s mod (%) not division.
I got the correct date! The key is 2) …, and it reminds me of today. Good luck!
Any hints Cesar?
I’m also struggling with the date. A bit frustrating having covered everything and remaining blocked at this stage :).
date1: 09/7/2022, so date1 = 09
From the PDF file (project-x.pdf) page 3, go to the link at the top of page 1, download the image, and go to Properties >> Details >> Date created
—————————————————-
YYYY: 1891
from this link: bing.com?q=uncomfortable+%2Belephant+%2Bescapes+%2Bcircus+%2Bbreaks+%2Beverything+%2Btoulouse+%2Billustrated
total days in future is: 9 + (1891%1000) = 18919
but which day is the present day?
Don’t remove anything from the date; you start at a specific date, for example 1/6/2022, and move X days forward. If X was 10 then you’d get 11/6/2022.
What message is the key from challenge 4 for?
It is not this message, but yes, the key.
Impressive, you got it right! Something BIG is going to happen… Keep the next hint close to you, it will help you. We will be in touch soon. El Puente.
Any hints?
As part of your answer for challenge 4 you should also have a string of letters and a series of numbers. These are the decryption key for calculating part of the date in challenge 5
Yes, I have the key, but I don’t know the correct message. Is it the same message as in case #4?
I already have the message! PS Cheers The Puente. Any hints for finding the date?
OK, I got the date (from one of the pictures), or rather two dates – one is the file creation, the other is buried down in EXIF as the picture description. I’m not sure where I should look for the year of “another historical nonsense event”. Secondly, not sure what the decryption key from #4 is used for – it gives an empty link to a bing page.
One of the files the baddies have is a cypher tool, to use this properly you need the decryption key (from challenge 4) and the right message to decrypt (Think about the message from El Puente)
Oh, my- it was supposed to decrypt the whole message, not just “PS”. Now it makes sense. 🙂
I’ve tried to find ‘YYYY’ but I couldn’t. I think I know the coordinates and the basic ‘date’ (starting on 09.MM.YYYY), but I don’t have any idea how to find the second date which allows me to calculate the destination date.
Have you located the email from the criminals detailing the steps to calculate the date as well as the decryption tool?
The basic calculation is Date1 + ((YYYY % 1000) days)). Key things here: Date1 is the full start date, YYYY comes from decrypting the message, and % is the MOD function, not divide.
Thank you for your reply. I found the mail and the basic calculation of the destination date, but the main issue is I don’t know how and what I should decrypt to obtain ‘YYYY’. Obviously, after decryption I will use the MOD function (YYYY mod 1000) to obtain the number of days which I should add to Date1.
Hi,
I’ve located the e-mail (Subject: ‘The day of Project X.’) and the decryption tool (ReadMessage function). I am not sure what I should decrypt and how.
Warren, I’ve just found correct date and the final answer. Thank you very much for your tips!