Lespion
Category: Threat Intel
Tools: Google Maps, Google Image search, Sherlock
Scenario
You have been tasked by a client whose network was compromised and brought offline to investigate the incident and determine the attacker's identity.
Incident responders and digital forensic investigators are currently on the scene and have conducted a preliminary investigation. Their findings show that the attack originated from a single user account, probably an insider's. Investigate the incident, find the insider, and uncover the attack actions.
Questions
Q1: File -> Github.txt: What API key did the insider add to his GitHub repositories?
Open the GitHub profile provided and look through its repositories.


Here's the API key, committed in plaintext in one of the repository files.

Q2: File -> Github.txt: What plaintext password did the insider add to his GitHub repositories?
The password is stored base64-encoded rather than in the clear, so decode it to recover the plaintext.
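Q1 and Q2 are both a matter of spotting secrets committed to a repository. As an added example (not part of the original writeup and not the lab's files), the following script scans repository contents for assignments to secret-looking variable names, scores each value's entropy, and tries to base64-decode it to printable text, which is exactly how an encoded password like the one above gives itself away. The file contents are constructed sample data; the variable names and the entropy threshold are illustrative choices.

```python
import base64
import binascii
import math
import re

# Constructed sample "repository" (file name -> contents). These are not the
# lab's real files; the key and password are made-up placeholders.
SAMPLE_FILES = {
    "config.py": 'API_KEY = "demo_q7Xk2LmP9vR4sT1wZ8nJ5bH3yC6dF0gE"\nDEBUG = True\n',
    "settings.yml": "db_password: cGFzc3dvcmQxMjM=\nhost: localhost\n",
    "README.md": "# demo project\nNothing sensitive here.\n",
}

# Variable names that commonly carry secrets, followed by '=' or ':' and a
# quoted or bare value of at least 8 characters.
ASSIGN_RE = re.compile(
    r"(?i)([A-Za-z_]*(?:api[_-]?key|secret|token|password|passwd)[A-Za-z_]*)"
    r"\s*[:=]\s*[\"']?([A-Za-z0-9+/=_\-]{8,})[\"']?"
)


def shannon_entropy(s):
    """Bits per character. Random API keys score well above natural words."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def try_base64(value):
    """Return the decoded text if value is valid base64 that decodes to
    printable ASCII (a typical 'hidden' password), otherwise None."""
    if len(value) % 4 != 0:
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text and text.isprintable() else None


def scan_text(path, text):
    """Find secret-looking assignments in one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ASSIGN_RE.finditer(line):
            name, value = m.group(1), m.group(2)
            findings.append({
                "file": path,
                "line": lineno,
                "name": name,
                "value": value,
                "entropy": round(shannon_entropy(value), 2),
                "decoded": try_base64(value),
            })
    return findings


def scan_repo(files):
    """Scan every file in a {path: contents} mapping and collect findings."""
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        note = f" (base64 -> {f['decoded']!r})" if f["decoded"] else ""
        print(f"{f['file']}:{f['line']} {f['name']} = {f['value']} "
              f"entropy={f['entropy']}{note}")
```

On a real investigation you would point this at a clone of every repository (including commit history, since a secret removed in a later commit is still in `git log -p`), and treat any base64 value that decodes to readable text as a plaintext credential rather than as "encrypted".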


Q3: File -> Github.txt: What cryptocurrency mining tool did the insider use?
Back to exploring the rest of the repositories.

From the repository's description we can tell that this is the mining tool the insider used.

Q4: On which gaming website did the insider have an account?
Here's where some OSINT skills come into play. Let's start by looking for the insider's username on social media platforms like Instagram. Tools like Sherlock can also help by checking a username across many platforms at once.

Open the latest post. Its caption, "Add me for some games", confirms this is what we are looking for, so let's scan the QR code in the image to find the gaming site.
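Sherlock works by requesting each site's profile URL for the username and deciding from the response whether the profile exists, either from the HTTP status code or from an error string in the page body (some sites return 200 for unknown users). As an added example, not the lab's or Sherlock's own code, here is that check in miniature. The site table is a constructed stand-in for Sherlock's real site list, `example_user` is a made-up username, and `fake_fetch` replaces real HTTP requests so the script runs offline.

```python
# Site table in the spirit of Sherlock's data file: a URL template plus the
# rule for telling a real profile from a missing one. Entries are constructed
# for this example, not Sherlock's actual list.
SITES = {
    "Instagram": {"url": "https://www.instagram.com/{}/", "check": "status"},
    "GitHub": {"url": "https://github.com/{}", "check": "status"},
    "ExampleForum": {
        "url": "https://forum.invalid/u/{}",
        "check": "message",
        "error": "does not exist",
    },
}


def fake_fetch(url):
    """Constructed stand-in for an HTTP GET so the example runs offline.
    Returns (status_code, body) exactly as a real fetch function would."""
    canned = {
        "https://www.instagram.com/example_user/": (200, "<html>profile page</html>"),
        "https://github.com/example_user": (200, "<html>repositories</html>"),
        # This site answers 200 for unknown users and reports the error in the body.
        "https://forum.invalid/u/example_user": (200, "Sorry, that user does not exist."),
    }
    return canned.get(url, (404, "Not Found"))


def profile_exists(site, status, body):
    """Apply one site's detection rule to one response."""
    if site["check"] == "status":
        return status == 200
    if site["check"] == "message":
        return status == 200 and site["error"] not in body
    raise ValueError(f"unknown check type {site['check']!r}")


def check_username(username, sites, fetch):
    """Return {site_name: url} for every site where the username appears to exist."""
    found = {}
    for name, site in sites.items():
        url = site["url"].format(username)
        status, body = fetch(url)
        if profile_exists(site, status, body):
            found[name] = url
    return found


if __name__ == "__main__":
    for name, url in check_username("example_user", SITES, fake_fetch).items():
        print(f"[+] {name}: {url}")
```

With the real tool the equivalent is simply `sherlock <username>`; the point of the "message" rule above is the caveat that a 200 response alone is not proof a profile exists, which is why hits from any username-enumeration tool should be confirmed by opening the profile.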


Q5: What is the link to the insider Instagram profile?
We have already reached it: https://www.instagram.com/emarseille99?igsh=MTUwOGNwOWxnc3JweQ==
Q6: Which country did the insider visit on her holiday?
Scrolling through the rest of her posts, this post's caption tells us it was taken on holiday.

So let's run the photo through a reverse image search at https://images.google.com/ to identify the country.

Q7: Which city does the insider family live in?
From this post's caption, it seems to have been taken in the city where her family lives.

The photo appears to contain the UAE flag, but that does not necessarily mean it was taken there. The caption also suggests there is a second photo ("1/2"), so let's look for it.

This photo contains some recognisable landmarks, so let's look them up with a reverse image search.

Q8: File -> office.jpg: You have been provided with a picture of the building in which the company has an office. Which city is the company located in?
Search for the "Hippodrome Theatre" named on the direction sign in the image; that identifies the city.

Q9: File -> Webcam.png: With the intel, you have provided, our ground surveillance unit is now overlooking the person of interest suspected address. They saw them leaving their apartment and followed them to the airport. Their plane took off and landed in another country. Our intelligence team spotted the target with this IP camera. Which state is this camera in?
Let's look up the given webcam image with a reverse image search to identify the camera's location.
