This post is a write-up with clues on how to solve the KC7 investigation case CloutHaus: Social Media leads to Compromise. You can use it as a guide whenever you get stuck, as it is structured as a fill-in-the-blanks solution.

Section 1: Got Clout? 🤳

Question 1: Based on Afomiya’s Instagram profile, what is the email address she uses for brand deals?

You Got this 👾

Question 2: Which of the following signs should Afomiya look for to determine if an email offering a brand deal is a phishing attempt?

You Got this 👾

Question 3: What technique is the threat actor using to manipulate her into revealing personal information that could compromise her email or Instagram account?

The hint is clear, but think of MITRE ATT&CK Tactic T1684.

Question 4: What answer did the attacker enter to try and bypass the security questions? Enter one of the answers the attacker submitted.

You Got this 👾

Question 5: What security measure saved Afomiya’s email account from being hacked, despite the threat actor having access to her security question answers?

You Got this 👾. We are talking MITRE ATT&CK mitigation M1032.

Question 6: According to CloutHaus internal employee logs, what is Afomiya’s designated professional email?

afomiya_storm@clouthaus.com 

Question 7: What is Afomiya’s role with CloutHaus?

Influencer Partner

Question 8: Based on the CloutHaus employee table, what is the status of Multi-Factor Authentication (MFA) for Afomiya’s account?

False

Question 9: What is the sender’s email address in the email Afomiya received from “Dior”?

collabs@dior-partners.com

Question 10: What is the subject line of the email Afomiya received from “Dior”?

Email
| where recipient == "afomiya_storm@clouthaus.com"
| where subject contains "Dior" or links contains "exclusive"
| distinct subject

You Got this 👾

OutboundNetworkEvents
| where url contains "super-brand-offer.com"

Question 13: What username did she enter?

Check the url 😉.

Question 14: What is the IP address associated with the domain?

PassiveDns
| where domain contains "super-brand-offer.com"

Question 15: How many distinct domains are linked to the suspicious IP address?

PassiveDns
| where ip contains "198.51.100.12"
| distinct domain
  • super-brand-offer.com
  • dior-partners.com
  • influencer-deals.net

Question 16: You Got this 👾

Question 17: What are the followers really investing in: a great deal or a phishing scam?

You Got this 👾

Question 18: Based on the images showing the apartment view and amenities from Afomiya’s Instagram post, use a reverse image search to identify the name of the apartment building.

You Got this 👾

Question 19: You Got this 👾

Question 20: What should you never reuse across different sites to protect your accounts?

You Got this 👾

Question 21: You Got this 👾

Section 2: Inside the Clout Breach 🐾

Question 1: What IP address was used to gain access?

You Got this 👾

Question 2: 👉 What domains are associated with this IP? (enter one)

  • influencer-deals.net
  • dior-partners.com

Question 3: 👉 What part of the User-Agent string indicates the suspicious browser and operating system? (Submit either the browser name/version or the operating system name/version.)

You Got this 👾

Question 4: ❓ What country did the login originate from?

You Got this 👾

Question 5: According to the attacker’s web search history on the site, what were they trying to hack?

It is best to use distinct on the url column so the other columns do not clutter the results while you investigate the attacker's searches.

InboundNetworkEvents
| where src_ip contains "182.45.67.89"
| distinct url

Question 6: According to another search log, what kind of personal info were they sneakily trying to uncover (and pretending to ask “for a friend”)?

Follow the same strategy from question 5 and I know You Got this 👾

Question 7: ❓ What kind of account or app does that log suggest they were targeting?

You Got this 👾

Question 8: Based on another search, what shady and fake event were they pretending to plan as a way to lure Afomiya?

You Got this 👾

Question 9: ❓ What external email address received messages forwarded from Afomiya’s account?

The analyst notes are golden! I used the following query to identify the forwarding markers:

  • "[FORWARD]"
  • "Fwd:"
  • "FW:"

Email
| where sender contains "afomiya_storm@clouthaus.com"
// contains is case-insensitive in KQL, so "FW" also matches "Fwd:" and "FWD"
| where (subject contains "FORWARD" or subject contains "FW" or subject contains "FWD")
| where recipient !contains "clouthaus.com"

By analyzing the results we can identify the [EXTERNAL] banner.

Email
| where sender contains "afomiya_storm@clouthaus.com"
| where subject contains "EXTERNAL"
| where recipient !contains "clouthaus.com"
| distinct recipient
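As an added example (not part of the original write-up or the KC7 dataset), here is the forwarding check above re-implemented in Python over constructed Email-table rows so the logic can be run offline. All addresses and subjects are constructed; the marker check is anchored to the start of the subject (with the optional [EXTERNAL] banner), which is tighter than the KQL `contains` used in the query.

```python
import re
from collections import defaultdict

# Constructed rows modelled on the Email table columns used on this page
# (sender, recipient, subject). None of these values come from the real dataset.
SAMPLE_EMAIL_LOG = [
    {"sender": "afomiya_storm@clouthaus.com", "recipient": "hr@clouthaus.com",
     "subject": "Re: brand deal contract"},
    {"sender": "afomiya_storm@clouthaus.com", "recipient": "collector.persona@example.net",
     "subject": "[EXTERNAL] Fwd: Direct deposit form"},
    {"sender": "afomiya_storm@clouthaus.com", "recipient": "collector.persona@example.net",
     "subject": "FW: Passport scan for travel booking"},
    {"sender": "afomiya_storm@clouthaus.com", "recipient": "friend@example.org",
     "subject": "Fwd: dinner pics"},
    {"sender": "hr@clouthaus.com", "recipient": "afomiya_storm@clouthaus.com",
     "subject": "Fwd: onboarding"},  # inbound mail, must not be flagged
]

# Forwarding markers named in the write-up ([FORWARD], Fwd:, FW:). KQL `contains` is
# case-insensitive, so match case-insensitively here too, but anchor at the subject start.
FORWARD_MARKER = re.compile(r"^(?:\[EXTERNAL\]\s*)?(?:\[FORWARD\]|FWD?:)", re.IGNORECASE)

def is_internal(address, org_domain="clouthaus.com"):
    """True when the mailbox is in the organisation's own domain (exact domain match,
    so look-alike domains such as clouthaus.com.example are treated as external)."""
    return address.lower().rsplit("@", 1)[-1] == org_domain

def external_forwards(rows, mailbox, org_domain="clouthaus.com"):
    """Return {external_recipient: [forwarded subjects]} for mail forwarded out of `mailbox`.
    Mirrors the KQL: sender is the mailbox, subject carries a forward marker,
    recipient is outside the org domain."""
    hits = defaultdict(list)
    for row in rows:
        if row["sender"].lower() != mailbox.lower():
            continue
        if is_internal(row["recipient"], org_domain):
            continue
        if not FORWARD_MARKER.match(row["subject"].strip()):
            continue
        hits[row["recipient"].lower()].append(row["subject"])
    return dict(hits)

def top_forward_target(rows, mailbox):
    """The external address that received the most forwards (None if there were none)."""
    hits = external_forwards(rows, mailbox)
    return max(hits, key=lambda r: len(hits[r])) if hits else None
```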

Question 10: ❓ Which forwarded email contained Afomiya’s payment details or direct deposit form?

You Got this 👾

Question 11: What forwarded email subject included a passport scan?

You Got this 👾

Question 12: ❓ Which forwarded email subject contained either Afomiya’s bank statement or year-end tax documents?

You Got this 👾

Question 13: Based on everything you’ve discovered, what do you think the attacker’s true objective was?

You Got this 👾

Community Help

Join the KC7 Discord to discuss the module: #CloutHaus: Social Media leads to Compromise.