Lespion

Category: Threat Intel

Tools: Google Maps Google Image search Sherlock

Scenario

You have been tasked by a client whose network was compromised and brought offline to investigate the incident and determine the attacker's identity.

Incident responders and digital forensic investigators are currently on the scene and have conducted a preliminary investigation. Their findings show that the attack originated from a single user account, probably, an insider. Investigate the incident, find the insider, and uncover the attack actions.

Questions

Q1: File -> Github.txt: What API key did the insider add to his GitHub repositories?

open the github profile provided and take a look at the repositories

Here's the API key

Q2: File -> Github.txt: What plaintext password did the insider add to his GitHub repositories?

The password is base64 encoded, so we need to decode it

Q3: File -> Github.txt: What cryptocurrency mining tool did the insider use?

Back to exploring the rest of the repositories

from its description we can know that it's the tool used.

Q4: On which gaming website did the insider have an account?

Here’s where some OSINT skills come into play, let’s start by looking at social media platforms like Instagram. Tools like Sherlock can also be helpful for finding usernames across multiple platforms.

Open the latest post, from the caption "Add me for some games" this ensures that is what we are looking for, so let's scan the QR code.

Q5: What is the link to the insider Instagram profile?

We have already reached to it https://www.instagram.com/emarseille99?igsh=MTUwOGNwOWxnc3JweQ==

Q6: Which country did the insider visit on her holiday?

Scrolling the rest of her posts, from this post caption we knew it was from a holiday

So lets use https://images.google.com/

Q7: Which city does the insider family live in?

from this post caption, it seems to be in the city where her family live in.

It appears that the photo contains the UAE flag, but it does not necessarily means that this photo were taken at it. From the caption also it seems that there is another photo "1/2" so let's look for it

This photo contains some landmarks so let's look it up

Q8: File -> office.jpg: You have been provided with a picture of the building in which the company has an office. Which city is the company located in?

by searching the "Hippodrome Theatre" from the direction sign in the image

Q9: File -> Webcam.png: With the intel, you have provided, our ground surveillance unit is now overlooking the person of interest suspected address. They saw them leaving their apartment and followed them to the airport. Their plane took off and landed in another country. Our intelligence team spotted the target with this IP camera. Which state is this camera in?

Let's look up the image given

PreviousYellow RAT NextTusk Infostealer

Last updated 8 months ago

hashtagScenario

hashtagQuestions

hashtagQ1: File -> Github.txt: What API key did the insider add to his GitHub repositories?

hashtagQ2: File -> Github.txt: What plaintext password did the insider add to his GitHub repositories?

hashtagQ3: File -> Github.txt: What cryptocurrency mining tool did the insider use?

hashtagQ4: On which gaming website did the insider have an account?

hashtagQ5: What is the link to the insider Instagram profile?

hashtagQ6: Which country did the insider visit on her holiday?

hashtagQ7: Which city does the insider family live in?

hashtagQ8: File -> office.jpg: You have been provided with a picture of the building in which the company has an office. Which city is the company located in?