Category: Threat Intelligence
Difficulty: Medium
https://app.hackthebox.com/sherlocks/Constellation
Scenario #
The SOC team has recently been alerted to the potential existence of an insider threat. The suspect employee’s workstation has been secured and examined. During the memory analysis, the Senior DFIR Analyst succeeded in extracting several intriguing URLs from the memory. These are now provided to you for further analysis to uncover any evidence, such as indications of data exfiltration or contact with malicious entities. Should you discover any information regarding the attacking group or individuals involved, you will collaborate closely with the threat intelligence team. Additionally, you will assist the Forensics team in creating a timeline.
Warning: This Sherlock will require an element of OSINT, and some answers can only be found outside the provided artifacts.
Steps to Solve #
Step 1: Analyze the Discord URL #
Description:
Using the tool Unfurl, the Discord URL was deconstructed to extract timestamps and details from its path. The analysis revealed:
- The channel ID, indicating it was a direct message (DM) channel.
- A timestamp marking the start of communication: 2023-09-16 16:03:37 UTC.
- The file upload timestamp: 2023-09-27 05:27:02 UTC.
- The filename: NDA_Instructions.pdf.
Commands/Methods Used:
- Loaded the Discord URL into Unfurl.
- Interpreted the breakdown of host, path, and query parameters.
Step 2: Review the File Metadata #
Description:
The file “NDA_Instructions.pdf,” shared via Discord, was analyzed for metadata using ExifTool. Key findings included:
- The author email: CyberJunkie@AntiCorp.Gr04p.
- Malformed (future-dated) creation date: 2054-01-17 22:45:22 UTC.
- The title: KarenForela_Instructions.
- File producer: AntiCorp PDF FW.
Commands/Methods Used:
exiftool NDA_Instructions.pdf
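To show what ExifTool is normalising here, the following added example (not part of the original writeup) pulls the /Info dictionary out of a PDF, converts the PDF `D:YYYYMMDDHHmmSS` date format to UTC, and flags any date later than the acquisition time, which is what makes the 2054 creation date stand out as forged or malformed. The PDF bytes are constructed for the example and only reuse the metadata values reported above; the parser assumes an unencrypted, uncompressed Info dictionary with literal strings, which is enough to illustrate the format but not a replacement for ExifTool.

```python
"""Extract PDF /Info metadata and sanity-check its dates (added example)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: a minimal PDF whose Info dictionary carries the metadata
# values reported by ExifTool in the writeup. Not the real NDA_Instructions.pdf.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj
<< /Title (KarenForela_Instructions)
   /Author (CyberJunkie@AntiCorp.Gr04p)
   /Producer (AntiCorp PDF FW)
   /CreationDate (D:20540117224522Z) >>
endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

# Acquisition reference point: the latest event in the writeup's timeline.
COLLECTED = datetime(2023, 9, 27, 5, 31, 45, tzinfo=timezone.utc)

# PDF date format (ISO 32000-1, 7.9.4): D:YYYYMMDDHHmmSSOHH'mm'
# O is Z, + or -; every field after the year is optional.
PDF_DATE_RE = re.compile(
    rb"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?([Zz+-])?(\d{2})?'?(\d{2})?"
)


def parse_pdf_date(raw: bytes) -> datetime:
    """Convert a PDF D: date string to an aware UTC datetime."""
    m = PDF_DATE_RE.match(raw)
    if not m:
        raise ValueError(f"not a PDF date: {raw!r}")
    y, mo, d, h, mi, s, sign, oh, om = m.groups()
    dt = datetime(int(y), int(mo or 1), int(d or 1), int(h or 0), int(mi or 0), int(s or 0))
    if sign in (b"+", b"-"):
        off = timedelta(hours=int(oh or 0), minutes=int(om or 0))
        dt = dt.replace(tzinfo=timezone(off if sign == b"+" else -off))
    else:
        dt = dt.replace(tzinfo=timezone.utc)  # Z or no marker: treat as UTC
    return dt.astimezone(timezone.utc)


def extract_info(pdf: bytes) -> dict:
    """Return the literal-string entries of the /Info dictionary named in the trailer.

    Assumes an unencrypted, uncompressed Info object (enough for this example)."""
    ref = re.search(rb"/Info\s+(\d+)\s+\d+\s+R", pdf)
    if not ref:
        return {}
    obj = re.search(rb"(?m)^" + ref.group(1) + rb"\s+0\s+obj\s*<<(.*?)>>", pdf, re.S)
    if not obj:
        return {}
    return {
        key.decode(): val.decode("latin-1")
        for key, val in re.findall(rb"/(\w+)\s*\(([^)]*)\)", obj.group(1))
    }


def flag_dates(info: dict, latest_plausible: datetime) -> dict:
    """Normalise date fields to UTC and mark any later than latest_plausible.

    A file cannot be created after it was collected, so a creation date past
    the acquisition time points to clock tampering or edited metadata."""
    out = {}
    for key in ("CreationDate", "ModDate"):
        if key in info:
            dt = parse_pdf_date(info[key].encode())
            out[key] = (dt.strftime("%Y-%m-%d %H:%M:%S UTC"), dt > latest_plausible)
    return out


if __name__ == "__main__":
    info = extract_info(SAMPLE_PDF)
    for k, v in info.items():
        print(f"{k:14} {v}")
    for k, (when, suspicious) in flag_dates(info, COLLECTED).items():
        note = "  <-- implausible (after acquisition)" if suspicious else ""
        print(f"{k:14} {when}{note}")
```

The offset handling matters in real cases: a `D:20230927052702+05'00'` string is 00:27:02 UTC, so normalising every metadata date to UTC before placing it on the timeline avoids a five-hour error next to the Discord and Google timestamps.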
Step 3: Decompose the Google URL #
Description:
The provided Google URL contained a search query. The analysis uncovered:
- Search query: how to zip a folder using tar in linux.
- Initial input: How to archive a folder using tar i.
- Timestamp for the search: 2023-09-27 05:31:45 UTC.
Commands/Methods Used:
- Loaded the Google URL into Unfurl.
- Decoded query parameters to extract search details and timestamps.
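The two Unfurl lookups in Steps 1 and 3 can be reproduced by hand, which is worth doing once to understand where the timestamps come from. The added example below (not part of the original writeup or of Unfurl) parses a Discord CDN attachment URL of the form `https://cdn.discordapp.com/attachments/<channel_id>/<attachment_id>/<filename>`, decodes both IDs as Discord snowflakes (the upper 42 bits are milliseconds since the Discord epoch, 2015-01-01 00:00:00 UTC), and pulls `q` and `oq` out of a Google search URL. The URLs are constructed: the snowflakes are built from the writeup's timestamps so the decode reproduces them, and the Google URL carries only the two query fields. The search timestamp Unfurl reports comes from another Google parameter whose encoding is not covered here.

```python
"""Re-implementation of the Discord and Google URL lookups (added example)."""
from datetime import datetime, timezone
from urllib.parse import parse_qs, unquote, urlparse

DISCORD_EPOCH_MS = 1_420_070_400_000  # 2015-01-01T00:00:00Z in Unix milliseconds


def snowflake_to_datetime(snowflake: int) -> datetime:
    """Upper 42 bits of a Discord snowflake are ms since the Discord epoch."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def datetime_to_snowflake(dt: datetime) -> int:
    """Inverse of the above with worker/process/sequence bits zeroed.
    Used only to construct sample IDs for this example."""
    ms = int(dt.timestamp() * 1000) - DISCORD_EPOCH_MS
    return ms << 22


def parse_discord_attachment(url: str) -> dict:
    """Split a cdn.discordapp.com attachment URL into IDs, timestamps and filename."""
    parts = urlparse(url)
    segs = parts.path.strip("/").split("/")
    if parts.hostname != "cdn.discordapp.com" or segs[0] != "attachments" or len(segs) < 4:
        raise ValueError("not a Discord CDN attachment URL")
    channel_id, attachment_id = int(segs[1]), int(segs[2])
    return {
        "channel_id": channel_id,
        "channel_created": snowflake_to_datetime(channel_id),  # DM channel creation
        "attachment_id": attachment_id,
        "uploaded": snowflake_to_datetime(attachment_id),      # file upload time
        "filename": unquote(segs[3]),
    }


def parse_google_search(url: str) -> dict:
    """Return the final query (q) and the text as originally typed (oq)."""
    parts = urlparse(url)
    if not parts.hostname or not parts.hostname.startswith("www.google."):
        raise ValueError("not a Google search URL")
    qs = parse_qs(parts.query)
    return {
        "query": qs.get("q", [""])[0],
        "original_input": qs.get("oq", [""])[0],
    }


def fmt(dt: datetime) -> str:
    return dt.strftime("%Y-%m-%d %H:%M:%S UTC")


# Constructed sample URLs (not the URLs recovered from memory).
DM_CREATED = datetime(2023, 9, 16, 16, 3, 37, tzinfo=timezone.utc)
UPLOADED = datetime(2023, 9, 27, 5, 27, 2, tzinfo=timezone.utc)
SAMPLE_DISCORD_URL = (
    "https://cdn.discordapp.com/attachments/"
    f"{datetime_to_snowflake(DM_CREATED)}/{datetime_to_snowflake(UPLOADED)}/NDA_Instructions.pdf"
)
SAMPLE_GOOGLE_URL = (
    "https://www.google.com/search?q=how+to+zip+a+folder+using+tar+in+linux"
    "&oq=How+to+archive+a+folder+using+tar+i"
)

if __name__ == "__main__":
    d = parse_discord_attachment(SAMPLE_DISCORD_URL)
    print("DM channel created :", fmt(d["channel_created"]))
    print("file uploaded      :", fmt(d["uploaded"]), d["filename"])
    g = parse_google_search(SAMPLE_GOOGLE_URL)
    print("search query       :", g["query"])
    print("original input     :", g["original_input"])
```

A useful sanity check for the snowflake decoder is the example ID from Discord's own API documentation, 175928847299117063, which decodes to 2016-04-30 11:18:25 UTC; if a decoder gets that wrong, every Discord timestamp on the timeline is off.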
Step 4: Conduct OSINT on the Threat Actor #
Description:
The email address CyberJunkie@AntiCorp.Gr04p found in the file metadata led to a LinkedIn profile:
- Name: Abdullah Al Sajjad.
- Location: Bahawalpur, Punjab, Pakistan.
Commands/Methods Used:
- Conducted LinkedIn searches using the email address.
Tools Used #
- Unfurl: To analyze and extract data from URLs.
- ExifTool: To retrieve and examine metadata from the PDF file.
- OSINT Resources: LinkedIn and search engines to profile the threat actor.
Final Timeline #
| Time (UTC) | Description | Source |
|---|---|---|
| 2023-09-16 16:03:37 | First DM communication between insider and threat actor | Discord URL |
| 2023-09-27 05:27:02 | Instructions PDF shared via Discord | Discord URL |
| 2023-09-27 05:31:45 | Insider searched for tar instructions | Google URL |
This timeline highlights the chain of events, providing actionable evidence for investigation.