HTB Sherlock - Constellation Writeup

Sherlock Scenario

The SOC team has recently been alerted to the potential existence of an insider threat. The suspect employee’s workstation has been secured and examined. During the memory analysis, the Senior DFIR Analyst succeeded in extracting several intriguing URLs from the memory. These are now provided to you for further analysis to uncover any evidence, such as indications of data exfiltration or contact with malicious entities. Should you discover any information regarding the attacking group or individuals involved, you will collaborate closely with the threat intelligence team. Additionally, you will assist the Forensics team in creating a timeline. Warning: This Sherlock will require an element of OSINT, and some answers can be found outside of the provided artifacts to complete fully.

Artefacts

After extracting the provided ZIP archive, we receive two files (Fig. 1):

• IOCs.txt - a list of IOCs gathered by the analyst,
• NDA_Instructions.pdf - instructions for the steps that the insider should follow.

  

Solution

Task 1

When did the suspect first start Direct Message (DM) conversations with the external entity (a possible threat actor group which targets organizations by paying employees to leak sensitive data)? (UTC)

The IOCs.txt file contains only two URLs detected by the analyst (Fig. 2). The first URL is a link to a CDN, which likely hosted the file containing instructions for the insider. Upon closer inspection, I noticed that this link contains two timestamp-like values, specifically 1152635915429232640 and 1156461980652154931. After a quick Google search, I found a tool called Discord Snowflake to Timestamp Converter. Both values decode correctly into a date format. After decoding the first value, I obtained the date: 2023-09-16T16:03:37.178Z, which turned out to be the correct answer.

Answer: 2023-09-16 16:03:37

Task 2

What was the name of the file sent to the suspected insider threat?

From the same Discord CDN link (Fig. 2), it appears that the file shared with the insider is NDA_Instructions.pdf. The file name is identical to the one found in the archive containing the task artifacts.

Answer: NDA_Instructions.pdf

Task 3

When was the file sent to the suspected insider threat? (UTC)

From the Discord CDN link (Fig. 2), the second timestamp I discovered, 1156461980652154931, when decoded using the Timestamp Converter, yielded the result 2023-09-27T05:27:02.212Z.

To summarize, the Discord CDN link has the following structure: https://cdn.discordapp.com/attachments/<conversation start timestamp>/<file sent timestamp>/<file name>.

Answer: 2023-09-27 05:27:02

Task 4

The suspect utilized Google to search something after receiving the file. What was the search query?

The IOCs.txt file contains a second URL with search data performed by the suspect using Google (Fig. 3). From the URL, I extracted the following information:

1. q=how+to+zip+a+folder+using+tar+in+linux

   • The q parameter represents the search query, in this case: “how to zip a folder using tar in linux”.

2. sxsrf=AM9HkKkFWLlX_hC63KqDpJwdH9M3JL7LZA%3A1695792705892

   • The sxsrf parameter is a Cross-Site Request Forgery (CSRF) protection token. The value 1695792705892 could indicate a timestamp for the search, in this case: 2023-09-27 05:31:45 UTC.

3. oq=How+to+archive+a+folder+using+tar+i

   • The oq parameter refers to the original query entered by the user before confirming or clicking on a search suggestion. In this case: “How to archive a folder using tar i”.

Answer: how to zip a folder using tar in linux

Task 5

The suspect originally typed something else in the search tab but found a Google search result suggestion which they clicked on. Can you confirm which words were written in the search bar by the suspect originally?

Parameter oq from Task 4.

Answer: How to archive a folder using tar i

Task 6

When was this Google search made? (UTC)

Parameter sxsrf from Task 4.

Answer: 2023-09-27 05:31:45

Task 7

What is the name of the Hacker group responsible for bribing the insider threat?

Upon opening the NDA_Instructions.pdf sent by the attacker to the insider, at the very beginning, the attacker introduces their criminal group and provides the recipient’s name (Fig. 4).

Answer: AntiCorp Gr04p

Task 8

What is the name of the person suspected of being an Insider Threat?

From the solution to Task 7 (Fig. 4).

Answer: Karen Riley

Task 9

What is the anomalous stated creation date of the file sent to the insider threat? (UTC)

Using the exiftool, I extracted the information contained in the metadata of the NDA_Instructions.pdf file (Fig. 5). It contained a creation date that was set in the future.

Answer: 2054-01-17 22:45:22

Task 10

The Forela threat intel team is working on uncovering this incident. Any OpSec mistakes made by the attackers are crucial for Forela’s security team. Try to help the TI team and confirm the real name of the agent/handler from Anticorp.

After entering the address AntiCorp.Gr04p into Google, the first search result was a link to a profile on LinkedIn (Fig. 6).

Upon checking the profile, it turned out to be an employee of the criminal group I was looking for (Fig. 7).

Answer: Abdullah Al Sajjad

Task 11

Which City does the threat actor belong to?

Based on the information contained in the discovered profile of the AntiCorp Gr04p employee (Fig. 7).

Answer: Bahawalpur