In this post, I would like to share a walkthrough of the Sherlock challenge Litter, which is rated Easy difficulty.

Case Study for Litter Challenge

Khalid has just logged onto a host that he and his team use as a testing host for many different purposes. It’s off their corporate network but has access to lots of resources on the network. The host is used as a dumping ground for a lot of people at the company, but it’s very useful, so no one has raised any issues. Little does Khalid know, the machine has been compromised and company information that should not have been on there has now been stolen; it’s up to you to figure out what has happened and what data has been taken.

First, we need to download the challenge file to our machine so that we can analyze it further.

After extracting the archive, I noticed that the directory contains only a pcap file, which we need to open in Wireshark.

1. At a glance, what protocol seems suspect in this attack?

Based on my experience, DNS might be the suspect protocol in this attack.

  • DNS = Domain Name Server
  • MDNS = Multicast DNS
  • LLMNR = Link-Local Multicast Name Resolution
  • SSDP = Simple Service Discovery Protocol

The names above are listed for those who are not familiar with network terms.

2. There seems to be a lot of traffic between our host and another, what is the IP address of the suspect host?

When we filter the packets belonging to the DNS protocol, I notice one IP address that stands out.

3. What is the first command the attacker sends to the client?

Therefore, let’s filter the packets in Wireshark by the protocol and IP address that we suspect.

One packet stands out; let’s follow its UDP stream, which shows the packet contents as above.

We should be able to see the actual message when we translate it in CyberChef. On the CyberChef platform, we can use the “From Hex” operation to analyze it further.

After analyzing it carefully, I noticed the command that was used here.
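As an added example that is not part of the original walkthrough, the small Python script below automates the step above: it pulls the hex-encoded labels out of DNS query names, joins and decodes them the way CyberChef's "From Hex" does, and flags the domain receiving them as a likely DNS tunnel. The query names are constructed sample data; the hex labels imitate dnscat2's habit of carrying data in hex subdomain labels, not its real packet header layout.

```python
import re
from collections import defaultdict

# Constructed sample of DNS query names, as a defender would pull them from
# Wireshark with a filter like `dns && ip.addr == <suspect host>`. The hex
# labels are made up for this example: they imitate dnscat2's use of hex
# subdomain labels for data, NOT its real packet header layout.
SAMPLE_QUERIES = [
    "www.example.com",
    "cdn.example.com",
    "6563686f2073616d.tunnel.example",  # "echo sam"
    "706c650a.tunnel.example",          # "ple\n"
    "64697220433a5c.tunnel.example",    # "dir C:\"
    "0a.tunnel.example",                # "\n"
]

HEX_LABEL = re.compile(r"^[0-9a-f]+$")


def is_hex_label(label: str) -> bool:
    """Even-length, pure-hex labels are candidates for tunneled data.
    Heuristic only: short hex-looking words such as 'cafe' match too."""
    return len(label) % 2 == 0 and bool(HEX_LABEL.match(label))


def base_domain(name: str) -> str:
    """Crude registrable-domain guess: the last two labels of the name."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def group_hex_payloads(queries):
    """Map base domain -> ordered list of byte chunks carried in hex labels."""
    per_domain = defaultdict(list)
    for q in queries:
        labels = q.lower().rstrip(".").split(".")
        data = [lab for lab in labels[:-2] if is_hex_label(lab)]
        if data:
            per_domain[base_domain(q)].append(bytes.fromhex("".join(data)))
    return per_domain


def decode_tunnel(queries):
    """Join each domain's chunks and decode them, as CyberChef 'From Hex' does,
    so that any tunneled command text becomes readable."""
    return {dom: b"".join(chunks).decode("ascii", errors="replace")
            for dom, chunks in group_hex_payloads(queries).items()}


def suspicious_domains(queries, min_hex_queries=3):
    """Defender heuristic: flag domains that receive several hex-only labels."""
    return sorted(dom for dom, chunks in group_hex_payloads(queries).items()
                  if len(chunks) >= min_hex_queries)
```

On the constructed sample, `decode_tunnel` reassembles the two commands split across four queries and `suspicious_domains` flags only `tunnel.example`, not the ordinary lookups.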

4. What is the version of the DNS tunneling tool the attacker is using?

Looking at the packet again, I found that the DNS tunneling tool is dnscat2, with its version right after the name.

5. The attacker attempts to rename the tool they accidentally left on the client’s host. What do they name it to?

After a while, I found the tool had been renamed accidentally on the client host.

6. The attacker attempts to enumerate the user’s cloud storage. How many files do they locate in their cloud storage directory?

Normally, people use OneDrive as cloud storage. Therefore, let’s find the OneDrive directory in the packets and see the files that have been stored inside it.

7. What is the full location of the PII file that was stolen?

Following a careful investigation, there’s one PII file that was stolen, visible in the packets and saved in CSV format.

8. Exactly how many customer PII records were stolen?

In the litter directory too, there are a lot of PII records that were stolen.