In this post, I would like to share some walkthroughs on the Sherlock Challenges such Constellation can be considered a Medium Difficulty

Case Study


  The SOC team has recently been alerted to the potential existence of an insider threat. The suspect employee's workstation has been secured and examined. During the memory analysis, the Senior DFIR Analyst succeeded in extracting several intriguing URLs from the memory. These are now provided to you for further analysis to uncover any evidence, such as indications of data exfiltration or contact with malicious entities. Should you discover any information regarding the attacking group or individuals involved, you will collaborate closely with the threat intelligence team. Additionally, you will assist the Forensics team in creating a timeline. Warning : This Sherlock will require an element of OSINT and some answers can be found outside of the provided artifacts to complete fully.

I am required to download the zip file from the hack the box platform.


When I extract the file, I have presented with the IOCs URL as shown above.

A screenshot of a computer

Description automatically generated

For these challenges, I will be using unfurl platform to retrieve any information from the URL.

Task 1: When did the suspect first start Direct Message (DM) conversation with the external entity ( A possible threat actor group which targets organizations by paying employees to leak sensitive data)?

A screenshot of a computer

Description automatically generated

After analyzing the diagram, I have notice there’s a few timestamp that we can investigate further. However, I did notice that one of them is the answer for question 1.

Task 2: What was the name of the file sent to the suspected insider threat?


I did read one of the files as NDA_Instructions.pdf which can be the answer

Task 3: When was the file sent to the suspected insider threat? (UTC)

A screenshot of a computer

Description automatically generated

There is another timestamp that would be another answer.

Task 4: The suspect utilized Google to search something after receiving the file. What was the search query?

A screenshot of a computer

Description automatically generated

Whenever I clicked another URL, I have been provided with the google search function which is the answer.

Task 5: The suspect originally typed something else in search tab, but found a Google search result suggestion which they clicked on. Can you confirm which words were written in search bar by the suspect originally?


From the tool, I managed to notice there’s a search query that can be the original search.

Task 6: When was this Google Search made? (UTC)


The timestamp of when the google search been made can be found under the google search query within the unfurl website

Task 7 : What is the name of the Hacker group responsible for bribing the insider threat?


I will be using the pdfinfo to extract the information of pdf file which it leaks the hacker group that involved in the attack.

Task 8: What is the name of the person suspected of being an Insider Threat?


Within the pdf file, I notice that there’s one name such as karen riley which can be suspected of being the insider threat.

Task 9: What is the anomalous stated creation date of the file sent to the insider threat? (UTC)

A computer screen with green text

Description automatically generated

I can get the timestamp if using some python script that can be grabed on chatgpt but I will take an easier method by using the exiftool where it will leak the timestamp on the spot.

Task 10: The Forela threat intel team are working on uncovering this incident. Any OpSec mistakes made by the attackers are crucial for Forela’s security team. Try to help the TI team and confirm the real name of the agent/handler from Anticorp

Image

Task 11: Which City does the threat actor belong to?

Image

I will do some research within the internet about anticorp.gr04p where it leak one linkedin profile for Abdullah Al Sajjad from Bahawalpur.