
# OpTinselTrace24–3: Blizzard Breakdown Walk-through

There are 2 main tools that will make this analysis easier for us — `zcat` and `jq`.

> `zcat` is the equivalent of `gunzip -c`. It can be used to read the contents of a gzip-compressed file without decompressing it to disk. Since we have lots of logs, all compressed with gzip, this tool will help us read them directly.
>
> `jq` is a CLI tool for JSON processing. Since all our logs are in JSON, this tool will help us filter and format the logs efficiently. Refer to the [manual](https://jqlang.github.io/jq/manual/) for better understanding.
>
> The [Amazon S3 guide](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) will be a useful resource for looking up APIs that are utilised here.

***

**The Victim Elf shared credentials that allowed the Rogue Elf to access the workstation. What was the Client ID that was shared?**

Exploring the system dump, we’ll be able to see some chat logs in the directory `C/Users/lannyl/AppData/Local/IceChat Networks/IceChat/Logs/irc.quakenet.org/Query`. There’s one log file containing a conversation where the attacker pretends to be a helpful colleague and offers to help the victim set up their workstation. This file contains the Client ID and Password.\
*Answer: 95192516*

**What is the IP address of the Rogue Elf used during the attack?**

This can be found in the same log file as before.\
*Answer: 146.70.202.35*

**What is the name of the executable the victim ran to enable remote access to their system?**

In the conversation with the attacker, we can see that `Ammyy Admin` was the tool the victim was made to run and provide credentials for. Searching about this tool online will give us the executable’s name.\
*Answer: AA\_V3.EXE*

**What time (UTC) did the Rogue Elf connect to the victim’s workstation?**

In the directory `C/ProgramData/Ammyy` there is an access log file which contains the timestamp of when the attacker successfully authenticated to the victim machine. However, this timestamp represents the time in the local timezone, which we do not know. The timezone of the machine can be extracted from the SYSTEM registry hive. I used Chainsaw to dump this registry using the following command:\
`chainsaw dump ./NORTHPOLE-LUMEN/C/Windows/System32/config/SYSTEM.hve -j -o systemhve.json`\
<mark style="color:$warning;">**Note**: Chainsaw doesn’t work on hive files that don’t have the `hve` extension. So, make a copy of the SYSTEM hive (`C/Windows/System32/config/SYSTEM`) and name it `SYSTEM.hve`.</mark>

Searching the dump for the time zone will take us to the key shown below, which states that the machine is set to Pacific Standard Time.

<figure><img src="/files/DeRRatnLX3sFGcBegnQC" alt=""><figcaption></figcaption></figure>

Convert the PST timestamp from the access log to UTC by adding 8 hours (PST is UTC−8).\
*Answer: 2024–11–13 12:23:34*

**The Rogue Elf compromised an AWS Access Key. What is the AWS Access Key ID obtained from the victim’s workstation?**

Here onward begins the AWS log analysis. Running `zcat` on one of the log files will help us understand the log structure.

<figure><img src="/files/60TEKhnjeVXIrHlW58iP" alt=""><figcaption><p>Log file structure</p></figcaption></figure>

Since we know the attacker’s IP, I decided to dump all the logs originating from it in a file using `jq`. The script for the same is given below:

{% code overflow="wrap" %}

```bash
#!/bin/bash

# Check if a directory argument is provided
if [ "$#" -ne 1 ]; then
    echo "Usage: $0 <parent_folder>"
    exit 1
fi

PARENT_FOLDER=$1
ATTACKER_IP="146.70.202.35"

# Ensure the specified parent folder exists
if [ ! -d "$PARENT_FOLDER" ]; then
    echo "Error: $PARENT_FOLDER is not a valid directory."
    exit 1
fi

# Recursively find json.gz files and process them (NUL-delimited so unusual file names are safe)
find "$PARENT_FOLDER" -type f -name "*.json.gz" -print0 | while IFS= read -r -d '' FILE; do
    # echo "Processing: $FILE"

    # Decompress on the fly and keep only the records whose source IP is the attacker's
    zcat "$FILE" | jq --arg ip "$ATTACKER_IP" '.Records[] | select(.sourceIPAddress == $ip)'

done
# Example usage: ./get_attacker_actions.sh ./AWS-CloudTrail
```

{% endcode %}

<figure><img src="/files/4ZFTs52cUVG5vljXznOj" alt=""><figcaption></figcaption></figure>
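The same filtering done in Python, as an added example that is not part of the original write-up: it walks a directory of `.json.gz` CloudTrail files, keeps only records from the attacker’s IP, and turns them into a time-ordered list of (time, event, bucket, key/prefix) rows, which is what the next few questions are answered from. The log files are constructed inside the script (written to a temporary directory) and only reuse values that appear in this write-up; the field names `Records[].eventTime`, `.eventName`, `.sourceIPAddress` and `.requestParameters.{bucketName,prefix,key}` are the CloudTrail layout shown in the log-structure screenshot above.

```python
"""Filter CloudTrail .json.gz files by source IP and build a timeline.

Added example (not the write-up's own script). The sample log files below
are constructed here; bucket/prefix/key values are the ones named in the
write-up, the timestamps are illustrative.
"""
import gzip
import json
import os
import tempfile

ATTACKER_IP = "146.70.202.35"  # from the write-up

# Constructed sample logs, two files to show the recursive walk.
SAMPLE_LOGS = {
    "a.json.gz": {"Records": [
        {"eventTime": "2024-11-13T14:02:11Z", "eventName": "ListObjects",
         "sourceIPAddress": ATTACKER_IP,
         "requestParameters": {"bucketName": "arctic-archive-freezer",
                               "prefix": "Claus_Operation_Data/"}},
        {"eventTime": "2024-11-13T14:02:30Z", "eventName": "GetObject",
         "sourceIPAddress": "10.0.0.5",  # constructed non-attacker IP, must be dropped
         "requestParameters": {"bucketName": "arctic-archive-freezer",
                               "key": "Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv"}},
    ]},
    "b.json.gz": {"Records": [
        {"eventTime": "2024-11-13T14:05:00Z", "eventName": "GetObject",
         "sourceIPAddress": ATTACKER_IP,
         "requestParameters": {"bucketName": "arctic-archive-freezer",
                               "key": "Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv"}},
    ]},
}


def write_sample_logs(directory):
    """Write the constructed logs as gzip-compressed JSON, like a CloudTrail export."""
    for name, body in SAMPLE_LOGS.items():
        with gzip.open(os.path.join(directory, name), "wt") as fh:
            json.dump(body, fh)


def iter_records(directory):
    """Yield every record of every *.json.gz under directory (zcat | jq '.Records[]')."""
    for root, _dirs, files in os.walk(directory):
        for name in sorted(files):
            if not name.endswith(".json.gz"):
                continue
            with gzip.open(os.path.join(root, name), "rt") as fh:
                yield from json.load(fh).get("Records", [])


def attacker_timeline(directory, ip=ATTACKER_IP):
    """Return sorted (eventTime, eventName, bucket, key-or-prefix) rows for one source IP."""
    rows = []
    for rec in iter_records(directory):
        if rec.get("sourceIPAddress") != ip:
            continue
        params = rec.get("requestParameters") or {}
        target = params.get("key") or params.get("prefix") or ""
        rows.append((rec["eventTime"], rec["eventName"], params.get("bucketName", ""), target))
    return sorted(rows)


def buckets_touched(rows):
    """Distinct bucket names seen in a timeline (answers the 'which bucket' question)."""
    return sorted({row[2] for row in rows if row[2]})


def demo():
    """Build the sample export in a temp dir, print the timeline and return it."""
    with tempfile.TemporaryDirectory() as directory:
        write_sample_logs(directory)
        rows = attacker_timeline(directory)
        for row in rows:
            print("  ".join(row))
        return rows


if __name__ == "__main__":
    demo()
```

Sorting by `eventTime` matters because CloudTrail files are named by delivery time, not by the order of the API calls inside them, so a timeline built in file order can put events out of sequence.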

**Which S3 bucket did the Rogue Elf target during the incident?**

Search for the `bucketName` parameter.\
*Answer: arctic-archive-freezer*

**Within the targeted S3 bucket, what is the name of the main directory where the files were stored?**

In the same log as before, the `prefix` parameter will contain the directory.\
*Answer: Claus\_Operation\_Data*

**What time (UTC) did the Rogue Elf disable versioning for the S3 bucket?**

Versioning is the S3 feature that keeps multiple versions of an object in a bucket, which allows recovery after accidental or malicious overwrites and deletions. According to the AWS S3 user guide, a bucket whose versioning has been turned off is in the Suspended state. Searching the logs for that word will take us to the relevant record.\
*Answer: 2024–11–13 15:31:15*

**What is the MITRE ATT\&CK Technique ID associated with the method used in Question 8?**

The attacker disabled a data-recovery measure. Looking for ATT\&CK techniques related to preventing system recovery will give us the correct ID.\
*Answer: T1490*
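A small detection for the two questions above, as an added example rather than anything from the write-up: it scans CloudTrail records for a successful request that sets a bucket’s versioning status to `Suspended` and emits a finding tagged with T1490. The record shape it assumes, an event named `PutBucketVersioning` carrying `requestParameters.VersioningConfiguration.Status`, and the use of `errorCode` to recognise failed requests are my assumptions about the CloudTrail layout, not something the write-up states; the sample records are constructed, reusing only the IP, bucket name and timestamp given above.

```python
"""Flag versioning suspension (ATT&CK T1490, Inhibit System Recovery) in CloudTrail.

Added example, not from the write-up. Assumed record shape: eventName
"PutBucketVersioning" with requestParameters.VersioningConfiguration.Status;
failed requests are assumed to carry an "errorCode" field.
"""
import json

# Constructed sample records (IP, bucket and the suspension time are from the write-up).
SAMPLE_RECORDS = [
    {"eventTime": "2024-11-13T15:20:00Z", "eventName": "GetBucketVersioning",
     "sourceIPAddress": "146.70.202.35",
     "requestParameters": {"bucketName": "arctic-archive-freezer"}},
    {"eventTime": "2024-11-13T15:31:15Z", "eventName": "PutBucketVersioning",
     "sourceIPAddress": "146.70.202.35",
     "requestParameters": {"bucketName": "arctic-archive-freezer",
                           "VersioningConfiguration": {"Status": "Suspended"}}},
    {"eventTime": "2024-11-12T09:00:00Z", "eventName": "PutBucketVersioning",
     "sourceIPAddress": "10.0.0.7",  # constructed: a legitimate admin enabling versioning
     "requestParameters": {"bucketName": "arctic-archive-freezer",
                           "VersioningConfiguration": {"Status": "Enabled"}}},
    {"eventTime": "2024-11-13T15:30:00Z", "eventName": "PutBucketVersioning",
     "sourceIPAddress": "146.70.202.35", "errorCode": "AccessDenied",  # constructed failed try
     "requestParameters": {"bucketName": "arctic-archive-freezer",
                           "VersioningConfiguration": {"Status": "Suspended"}}},
]


def versioning_status(record):
    """Return the requested Status of a PutBucketVersioning record, or None for other events."""
    if record.get("eventName") != "PutBucketVersioning":
        return None
    params = record.get("requestParameters") or {}
    config = params.get("VersioningConfiguration") or {}
    return config.get("Status")


def find_recovery_inhibition(records):
    """Return one finding per successful versioning suspension, oldest first."""
    findings = []
    for rec in records:
        if versioning_status(rec) != "Suspended":
            continue
        if "errorCode" in rec:
            continue  # the request was denied, versioning was not actually changed
        findings.append({
            "time_utc": rec["eventTime"],
            "bucket": rec["requestParameters"].get("bucketName"),
            "source_ip": rec.get("sourceIPAddress"),
            "technique": "T1490",  # Inhibit System Recovery
        })
    return sorted(findings, key=lambda f: f["time_utc"])


if __name__ == "__main__":
    print(json.dumps(find_recovery_inhibition(SAMPLE_RECORDS), indent=2))
```

Skipping records that carry an `errorCode` is the important detail: a denied attempt is still worth alerting on, but it does not answer the question of when versioning was actually disabled.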

**What time (UTC) was the first restore operation successfully initiated for the S3 objects?**

The event name associated with restoring an object using the S3 API is `RestoreObject`. Searching for this first shows a failed request due to the `key` parameter being too long. The timestamp of the next request is the answer.\
*Answer: 2024–11–13 15:43:49*

**Which retrieval option did the Rogue Elf use to restore the S3 objects?**

In the same log as above, we’ll be able to see a parameter called `Tier` under `GlacierJobParameters`. Expedited retrieval is the fastest option for restoring an object.\
*Answer: expedited*

**What is the filename of the S3 object that the Rogue Elf attempted to delete?**

As one would expect, the event name for this API action is `DeleteObject`. The filename is the `key` parameter of the first such log.\
*Answer: GiftList\_Worldwide.csv*

**What is the size (MB) of the S3 object that the Rogue Elf targeted in Question 12?**

This can be determined by looking at `GetObject` API calls for the file from the previous question. According to the structure of this API’s logs, the parameter `bytesTransferredOut` is what we need. Also, the file was probably transferred in parts. I modified the script at the start of this article to find all the relevant requests. The command inside the loop body becomes:

{% code overflow="wrap" %}

```
zcat "$FILE" | jq '.Records[] | select(.sourceIPAddress=="146.70.202.35") | select(.eventName == "GetObject") | select(.requestParameters.key == "Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv") | .additionalEventData.bytesTransferredOut'
```

{% endcode %}

There were 19 requests in total, and 8388608 bytes were transferred in each. The size in MB is the total number of bytes divided by 1024\*1024.\
*Answer: 152*
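The aggregation the `jq` one-liner leaves to the reader, as an added example that is not part of the write-up: it sums `bytesTransferredOut` over every successful `GetObject` from the attacker’s IP, grouped by object key, and converts the total to MB. The records are constructed to match the figures stated above (19 requests of 8388608 bytes), plus one failed request and one request for a different key to show why both must be excluded; treating `errorCode` as the marker of a failed request is my assumption about CloudTrail, not something the write-up states.

```python
"""Total bytes downloaded per object key from CloudTrail GetObject records.

Added example, not from the write-up. Sample records are constructed to
reproduce the stated 19 x 8388608 bytes; "errorCode" marking a failed
request is an assumption about the CloudTrail layout.
"""
from collections import defaultdict

ATTACKER_IP = "146.70.202.35"                                             # from the write-up
TARGET_KEY = "Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv"     # from the write-up


def make_sample_records():
    """Constructed records: 19 successful parts, one denied request, one other object."""
    records = [
        {"eventName": "GetObject", "sourceIPAddress": ATTACKER_IP,
         "requestParameters": {"key": TARGET_KEY},
         "additionalEventData": {"bytesTransferredOut": 8388608}}
        for _ in range(19)
    ]
    records.append({"eventName": "GetObject", "sourceIPAddress": ATTACKER_IP,
                    "errorCode": "AccessDenied",
                    "requestParameters": {"key": TARGET_KEY},
                    "additionalEventData": {"bytesTransferredOut": 0}})
    records.append({"eventName": "GetObject", "sourceIPAddress": ATTACKER_IP,
                    "requestParameters": {"key": "Claus_Operation_Data/other.txt"},
                    "additionalEventData": {"bytesTransferredOut": 1024}})
    return records


def bytes_out_per_key(records, ip):
    """Map object key -> {"requests": n, "bytes": total} for successful GetObject calls from ip."""
    totals = defaultdict(lambda: {"requests": 0, "bytes": 0})
    for rec in records:
        if rec.get("eventName") != "GetObject" or rec.get("sourceIPAddress") != ip:
            continue
        if "errorCode" in rec:
            continue  # denied request, nothing was actually served
        key = (rec.get("requestParameters") or {}).get("key")
        transferred = (rec.get("additionalEventData") or {}).get("bytesTransferredOut", 0)
        totals[key]["requests"] += 1
        totals[key]["bytes"] += int(transferred)
    return dict(totals)


def size_mb(total_bytes):
    """Bytes to MB using the 1024*1024 convention the write-up uses."""
    return total_bytes / (1024 * 1024)


if __name__ == "__main__":
    summary = bytes_out_per_key(make_sample_records(), ATTACKER_IP)
    for key, stats in summary.items():
        print(f"{key}: {stats['requests']} requests, {stats['bytes']} bytes, "
              f"{size_mb(stats['bytes']):.1f} MB")
```

One caveat when reading the total as the object size: if the same byte range was requested more than once (a retried or overlapping ranged read), the sum over `bytesTransferredOut` will exceed the real size, so cross-check it against the object’s listed size whenever one is available.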

**What storage class was used for the S3 objects to mimic the original settings and avoid suspicion?**

The storage class used by the attacker can be found by searching for the `x-amz-storage-class` key.\
*Answer: Glacier*

<mark style="color:$info;">\[Originally Published on Jan 5, 2025]</mark>

