This post is a write-up with clues on how to solve the KC7 investigation case CloutHaus: Social Media leads to Compromise. You can use it as a guide whenever you get stuck, as it is structured as a fill-in-the-blanks solution.

Section 1: Got Clout? 🤳

Question 1: Based on Afomiya’s Instagram profile, what is the email address she uses for brand deals?

You Got this 👾

Question 2: Which of the following signs should Afomiya look for to determine if an email offering a brand deal is a phishing attempt?

You Got this 👾

Question 3: What technique is the threat actor using to manipulate her into revealing personal information that could compromise her email or Instagram account?

The hint is clear, but think of MITRE ATT&CK Tactic T1684.

Question 4: What answer did the attacker enter to try and bypass the security questions? Enter one of the answers the attacker submitted.

You Got this 👾

Question 5: What security measure saved Afomiya’s email account from being hacked, despite the threat actor having access to her security question answers?

You Got this 👾. We are talking MITRE ATT&CK mitigation M1032.

Question 6: According to CloutHaus internal employee logs, what is Afomiya’s designated professional email?

afomiya_storm@clouthaus.com

Question 7: What is Afomiya’s role with CloutHaus?

Influencer Partner

Question 8: Based on the CloutHaus employee table, what is the status of Multi-Factor Authentication (MFA) for Afomiya’s account?

False

Question 9: What is the sender’s email address in the email Afomiya received from “Dior”?

collabs@dior-partners.com

Question 10: What is the subject line of the email Afomiya received from “Dior”?

// Emails delivered to Afomiya that mention Dior in the subject or carry an "exclusive" link
Email
| where recipient == "afomiya_storm@clouthaus.com"
| where subject contains "Dior" or links contains "exclusive"
| distinct subject

You Got this 👾

// Outbound requests to the lure domain; the full URL is the evidence you need here
OutboundNetworkEvents
| where url contains "super-brand-offer.com"

Question 13: What username did she enter?

Check the URL 😉.

Question 14: What is the IP address associated with the domain?

// Passive DNS: which IP address has the lure domain resolved to?
PassiveDns
| where domain contains "super-brand-offer.com"

Question 15: How many distinct domains are linked to the suspicious IP address?

// Pivot on the IP: every domain that resolved to it (exact match, so 198.51.100.123 would not sneak in)
PassiveDns
| where ip == "198.51.100.12"
| distinct domain

The query returns three domains:
  • super-brand-offer.com
  • dior-partners.com
  • influencer-deals.net
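The queries for Questions 10, 12, 14 and 15 are the same investigation done one pivot at a time: lure email, click, passive DNS, shared-IP cluster. The KQL below is an added example (not part of the KC7 module or this write-up) that chains those pivots into a single query, so a defender can see, per domain on the attacker's infrastructure, whether it was ever mailed to the victim and whether anyone actually browsed to it. It reuses the table and column names from the queries above (Email.recipient/subject/links, OutboundNetworkEvents.url, PassiveDns.ip/domain) and assumes that each Email row's links column holds a single URL, so that parse_url() can extract its host.

```kql
// Added example: one query that chains the pivots from Questions 10, 12, 14 and 15.
// Assumptions: column names as used in the write-up's own queries; one URL per Email.links row.
let lure_domain = "super-brand-offer.com";
let victim = "afomiya_storm@clouthaus.com";
// Step 1 (Q14): hosting IP(s) of the lure domain
let lure_ips = PassiveDns
    | where domain == lure_domain
    | distinct ip;
// Step 2 (Q15): every domain that has resolved to those IPs, i.e. the infrastructure cluster
let cluster = PassiveDns
    | where ip in (lure_ips)
    | distinct ip, domain;
// Step 3 (Q10): emails to the victim, bucketed by the host their link points to
let lure_mail = Email
    | where recipient == victim
    | extend link_host = tostring(parse_url(links).Host)   // assumes one URL per row
    | summarize email_count = count(), subjects = make_set(subject) by domain = link_host;
// Step 4 (Q12): outbound browsing to any host, bucketed the same way
let clicks = OutboundNetworkEvents
    | extend url_host = tostring(parse_url(url).Host)
    | summarize click_count = count(), first_click = min(timestamp) by domain = url_host;
// Stitch it together: one row per cluster domain with its email and click evidence
cluster
| join kind=leftouter lure_mail on domain
| join kind=leftouter clicks on domain
| project ip, domain,
          email_count = coalesce(email_count, 0), subjects,
          click_count = coalesce(click_count, 0), first_click
| order by click_count desc, email_count desc
```

Domains with a non-zero click_count are the ones to prioritise: they show the lure was not only delivered but acted on. The leftouter joins keep the sibling domains that were never mailed or visited, which is the blocklist candidate set for Question 15.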

Question 16: You Got this 👾

Question 17: What are the followers really investing in: a great deal or a phishing scam?

You Got this 👾

Question 18: Based on the images showing the apartment view and amenities from Afomiya’s Instagram post, use a reverse image search to identify the name of the apartment building.

You Got this 👾

Question 19: You Got this 👾

Question 20: What should you never reuse across different sites to protect your accounts?

You Got this 👾

Question 21: You Got this 👾

Section 2: Inside the Clout Breach 🐾

Question 1: What IP address was used to gain access?

Question 2:

Question 3:

Question 4:

Question 5:

Question 6:

Question 7:

Question 8:

Question 9:

Question 10:

Question 11:

Question 12:

Question 13:

Community Help

Join the KC7 Discord to discuss the module in #CloutHaus: Social Media leads to Compromise.