The Logs Aren’t Alright
Description
A new social media star arises, fans asking personal questions, sponsor emails raining like crazy… The case CloutHaus: Social Media leads to Compromise teaches security awareness going beyond corp boundaries.

Note: The scope of this write-up will be explaining the KQL queries used to solve the exercise questions. If you wanna enjoy the full story, go check KC7 Game, it’s free.
Tasks
- According to CloutHaus internal employee logs, what is Afomiya’s designated professional email?

The table Employees includes all the personnel information. Here we may look for Afomiya’s email.

This query will solve questions 1 to 3:

Employees | where name contains "afomiya"

- Employees sets the table to be looked at, which optimizes the searching performance.
- where shows results based on satisfied conditions to extract the relevant logs from noise.
- name is the field that the query is interested in; do please note that it is case-sensitive.
- contains searches for strings containing the provided characters, for example the records may include afomiya123 or xyzafomiya.

So, Afomiya’s designated professional email can be found at the field email_addr.
Answer:
afomiya_storm@clouthaus[.]com

- What is Afomiya’s role with CloutHaus?
The role of Afomiya is within the field role.
Answer:
Influencer Partner

- Based on the CloutHaus employee table, what is the status of Multi-Factor Authentication (MFA) for Afomiya’s account?
Look at the mfa_enabled field, bad practice but it is what it is.
Answer:
False

- What is the sender’s email address in the email Afomiya received from “Dior”?
Now, we’re looking through the Email table, then use the recipient email and do a general search with the keyword dior.
This query will solve questions 4 to 6:

Email | where recipient == "afomiya_storm@clouthaus.com" | where subject contains "dior" or links contains "dior"

- == is the equal operator, which must match every character of the provided string.
- or unites two conditions; if one of them is satisfied, then it returns the matched row.

Then, the sender email is found at the sender field.
Answer:
collabs@dior-partners[.]com

- What is the subject line of the email Afomiya received from “Dior”?
Search for the field subject and you got it.
Answer:
[EXTERNAL] Exclusive Partnership Opportunity with Dior

- What is the link provided in the email?
Look at the list field called links.
Answer:
hxxps[:]//super-brand-offer[.]com/login

- When did Afomiya click on the link? Paste the entire timestamp.
The OutboundNetworkEvents table records whenever a user visits a website, let’s write it down.
This query will solve questions 7 to 8:

OutboundNetworkEvents | where url contains "https://super-brand-offer.com/login"

This is the first time Afomiya clicked the URL:

And this is the login attempt performed by Afomiya:

So, better take the first generated event’s timestamp.
Answer:
2025-04-03T11:20:00.000Z

- What username did she enter?
Within the url value there is a parameter called username.
Answer:
afstorm

- What is the IP address associated with the domain?
Every IP could have an associated domain, that’s when PassiveDNS table comes into play.
PassiveDns | where domain contains "super-brand-offer.com"
Check the ip field.
Answer:
198[.]51[.]100[.]12

- How many distinct domains are linked to the suspicious IP address?
The previous query may be updated to search all the domains that have shared the same IP address.

PassiveDns | where ip == "198.51.100.12" | distinct domain

- distinct serves to display just one entry for each match, for example if there are three rows with the same domain, then the results will show that domain once.

Then, the count sums 3 different domains.
Answer:
3

- What IP address was used to gain access?
The AuthenticationEvents table may provide the information related to account access attempts.
This query will solve questions 11 and 13:
AuthenticationEvents | where username == "afstorm"
Here, the question is about access to Afomiya’s email account, so take the successful login recorded against the MAIL-SERVER01 hostname and read its src_ip.
Answer:
182[.]45[.]67[.]89

- What domains are associated with this IP? (enter one)
Let’s use the reliable PassiveDNS table for this question.
PassiveDns | where ip == "182.45.67.89" | distinct domain
So, just provide one of the two domains.
Answer:
influencer-deals[.]net

- What part of the User-Agent string indicates the suspicious browser and operating system? (Submit either the browser name/version or the operating system name/version.)
Look at the question 11 results; there is a field called user_agent.
Answer:
Mozilla/5.0 (compatible; MSIE 5.0; Windows NT 5.2; Trident/4.1)
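As an added example (not code from the write-up or from KC7), here is the investigative pivot of questions 4 to 13 re-implemented in Python over rows constructed from the values reported above, so the correlation logic (phishing link, first click, passive DNS, sibling domains, logins on the victim's account) can be read end to end without a KC7 workspace. The 10.0.0.0/8 internal range, the benign payroll mail, the earlier normal login, the second domain on 182.45.67.89 (a placeholder) and all function names are assumptions, not values from the page.

```python
"""Python re-implementation of the KQL pivot walked through in questions 4 to 13:
phishing email -> link click -> passive DNS -> sibling domains -> logins on the
victim's account. Added example, not code from the write-up or from KC7; the rows
below are constructed from the values the write-up reports, plus labelled placeholders."""
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Constructed sample tables mirroring the fields in the write-up's raw results.
EMPLOYEES = [{"name": "Afomiya Storm", "email_addr": "afomiya_storm@clouthaus.com",
              "username": "afstorm", "ip_addr": "10.10.0.3", "mfa_enabled": False,
              "user_agent": "Mozilla/5.0 (Windows NT 10.0; rv:51.0) Gecko/20100101 Firefox/51.0"}]
EMAIL = [
    {"recipient": "afomiya_storm@clouthaus.com", "sender": "collabs@dior-partners.com",
     "subject": "[EXTERNAL] Exclusive Partnership Opportunity with Dior",
     "links": ["https://super-brand-offer.com/login"]},
    {"recipient": "afomiya_storm@clouthaus.com", "sender": "hr@clouthaus.com",  # constructed benign mail
     "subject": "Payroll reminder", "links": []},
]
OUTBOUND = [  # OutboundNetworkEvents, deliberately out of order to show the sort
    {"timestamp": "2025-04-03T11:20:02.000Z", "src_ip": "10.10.0.3",
     "url": "https://super-brand-offer.com/login?username=afstorm&password=**********"},
    {"timestamp": "2025-04-03T11:20:00.000Z", "src_ip": "10.10.0.3",
     "url": "https://super-brand-offer.com/login"},
]
PASSIVE_DNS = [
    {"ip": "198.51.100.12", "domain": "super-brand-offer.com"},
    {"ip": "198.51.100.12", "domain": "super-brand-offer.com"},  # duplicate row, as in the write-up
    {"ip": "198.51.100.12", "domain": "dior-partners.com"},
    {"ip": "198.51.100.12", "domain": "influencer-deals.net"},
    {"ip": "182.45.67.89", "domain": "influencer-deals.net"},
    {"ip": "182.45.67.89", "domain": "second-domain-placeholder.example"},  # placeholder, not named in the write-up
]
AUTH = [  # AuthenticationEvents
    {"timestamp": "2025-04-03T08:05:00.000Z", "hostname": "MAIL-SERVER01", "src_ip": "10.10.0.3",
     "user_agent": EMPLOYEES[0]["user_agent"], "username": "afstorm", "result": "Successful Login"},  # constructed
    {"timestamp": "2025-04-03T12:20:00.000Z", "hostname": "MAIL-SERVER01", "src_ip": "182.45.67.89",
     "user_agent": "Mozilla/5.0 (compatible; MSIE 5.0; Windows NT 5.2; Trident/4.1)",
     "username": "afstorm", "result": "Successful Login"},
]

def _ts(s):
    """Parse the tables' ISO-8601 timestamps (the 'Z' suffix means UTC)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def kql_contains(value, needle):
    """KQL `contains` is a case-insensitive substring match."""
    return needle.lower() in str(value).lower()

def phishing_links(recipient, keyword):
    """Email | where recipient == ... | where subject contains kw or links contains kw"""
    links = []
    for e in EMAIL:
        hit = kql_contains(e["subject"], keyword) or any(kql_contains(u, keyword) for u in e["links"])
        if e["recipient"] == recipient and hit:
            links.extend(e["links"])
    return links

def clicks(link):
    """OutboundNetworkEvents | where url contains link, oldest event first."""
    return sorted((ev for ev in OUTBOUND if kql_contains(ev["url"], link)), key=lambda ev: _ts(ev["timestamp"]))

def submitted_username(link):
    """The username typed into the phishing form, read from a click's query string."""
    for ev in clicks(link):
        qs = parse_qs(urlparse(ev["url"]).query)
        if "username" in qs:
            return qs["username"][0]
    return None

def domains_on_ip(ip):
    """PassiveDns | where ip == ... | distinct domain"""
    return sorted({r["domain"] for r in PASSIVE_DNS if r["ip"] == ip})

def ip_for_domain(domain):
    """PassiveDns | where domain contains ... | distinct ip (one resolution expected here)."""
    ips = sorted({r["ip"] for r in PASSIVE_DNS if kql_contains(r["domain"], domain)})
    return ips[0] if ips else None

def suspicious_logins(employee, not_before):
    """AuthenticationEvents | where username == ..., kept when the login happened after
    the phish click and came from outside 10.0.0.0/8 (assumed internal range) or
    with a user agent different from the one recorded for the employee."""
    hits = []
    for a in AUTH:
        if a["username"] != employee["username"] or _ts(a["timestamp"]) < not_before:
            continue
        if not a["src_ip"].startswith("10.") or a["user_agent"] != employee["user_agent"]:
            hits.append({**a, "domains": domains_on_ip(a["src_ip"])})
    return hits

def investigate(employee, keyword="dior"):
    """Run the whole pivot and return the findings as one record."""
    link = phishing_links(employee["email_addr"], keyword)[0]
    first = clicks(link)[0]
    phish_ip = ip_for_domain(urlparse(link).hostname)
    return {"phish_link": link, "first_click": first["timestamp"],
            "submitted_username": submitted_username(link), "phish_ip": phish_ip,
            "sibling_domains": domains_on_ip(phish_ip),
            "suspicious_logins": suspicious_logins(employee, _ts(first["timestamp"]))}
```

Calling investigate(EMPLOYEES[0]) returns the same values the answers above give (first click at 11:20:00, username afstorm, phishing IP 198.51.100.12 with three distinct domains) plus the one login that stands out: it arrives after the click, from outside the assumed internal range, with a user agent that does not match the one recorded for the employee. Each of those three checks is the kind of condition that can be turned into a scheduled KQL detection rather than an after-the-fact hunt.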
- What country did the login originate from?
Here, KC7 recommends the tool MaxMind to look for the IP Geolocation.

In this case, just put the country that resides in the Location field.
Answer:
China

- According to the attacker’s web search history on the site, what were they trying to hack?
Let’s check the inbound web activity (the InboundNetworkEvents table) coming from the ip 182[.]45[.]67[.]89.

InboundNetworkEvents | where src_ip == "182.45.67.89"

Looking through the url records, one stands out for containing the keyword hack, and the rest of that search string names the target.
Answer:
Location

- According to another search log, what kind of personal info were they sneakily trying to uncover (and pretending to ask “for a friend”)?
Let’s check the inbound web activity (InboundNetworkEvents) from the ip 182[.]45[.]67[.]89 again, this time keeping only the urls that have the word friend.
InboundNetworkEvents | where src_ip == "182.45.67.89" | where url has "friend"
Answer:
Home Address
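The two queries above use contains and has, which are not interchangeable in KQL: contains is a case-insensitive substring match, while has matches a whole term only. As an added example (not code from the write-up or from KC7), here is an approximation of both operators in Python, run over inbound search logs; the first row is the URL shown in the raw results below, the other three rows and the function names are constructed.

```python
"""Term matching versus substring matching over the inbound search logs used in
questions 14 and 15. Added example, not code from the write-up or from KC7: it
approximates the KQL `has` (whole-term) and `contains` (substring) operators in Python.
The first row is the URL the write-up shows; the others are constructed."""
import re
from urllib.parse import unquote_plus

# Constructed InboundNetworkEvents rows: requests made to the company site.
INBOUND = [
    {"src_ip": "182.45.67.89",
     "url": "https://clouthaus.com/search=How+to+hack+an+influencer’s+location+from+their+Instagram+story"},
    {"src_ip": "182.45.67.89",  # constructed: the "asking for a friend" search
     "url": "https://clouthaus.com/search=afomiya+storm+home+address+asking+for+a+friend"},
    {"src_ip": "182.45.67.89",  # constructed decoy: `has "friend"` must not match "friendly"
     "url": "https://clouthaus.com/search=friendly+brand+collab+ideas"},
    {"src_ip": "10.10.0.3",     # constructed: internal user, dropped by the src_ip filter
     "url": "https://clouthaus.com/search=hack+week+schedule"},
]

def kql_contains(value, needle):
    """`contains`: case-insensitive substring match."""
    return needle.lower() in value.lower()

def kql_has(value, term):
    """`has`: case-insensitive whole-term match. Terms are taken here as runs of
    letters and digits, an approximation of how KQL tokenises text for `has`."""
    return term.lower() in {t.lower() for t in re.findall(r"[A-Za-z0-9]+", value)}

def search_text(url):
    """Decode the search= part of the logged URL into readable text."""
    return unquote_plus(url.partition("search=")[2])

def searches_from(src_ip, term, matcher=kql_has):
    """InboundNetworkEvents | where src_ip == ... | where url has term (or contains, via matcher)."""
    return [search_text(ev["url"]) for ev in INBOUND
            if ev["src_ip"] == src_ip and matcher(ev["url"], term)]
```

With the default has-style matcher, searches_from("182.45.67.89", "friend") returns only the "asking for a friend" search; switching to kql_contains also pulls in the "friendly" decoy. That is why has is the better choice when the keyword is a common word fragment, and contains the better choice when the keyword may be glued to other characters (as with afomiya123 in the cheat sheet).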
Raw Results
This is a space for saving the query results in text format, useful whenever a value is needed.
Employees
"hire_date": 2024-10-10T00:00:00.000Z,
"name": Afomiya Storm,
"user_agent": Mozilla/5.0 (Windows NT 10.0; rv:51.0) Gecko/20100101 Firefox/51.0,
"ip_addr": 10.10.0.3,
"email_addr": afomiya_storm@clouthaus.com,
"username": afstorm,
"role": Influencer Partner,
"hostname": OQPA-DESKTOP,
"mfa_enabled": False,
"company_domain": clouthaus.com
Email
"timestamp": 2025-04-03T10:41:00.000Z,
"sender": collabs@dior-partners.com,
"reply_to": collabs@dior-partners.com,
"recipient": afomiya_storm@clouthaus.com,
"subject": [EXTERNAL] Exclusive Partnership Opportunity with Dior,
"verdict": CLEAN,
"links": [
"https://super-brand-offer.com/login"
],
"attachments":
OutboundNetworkEvents
"timestamp": 2025-04-03T11:20:00.000Z,
"method": GET,
"src_ip": 10.10.0.3,
"user_agent": Mozilla/5.0 (Windows NT 10.0; rv:51.0) Gecko/20100101 Firefox/51.0,
"url": https://super-brand-offer.com/login
"timestamp": 2025-04-03T11:20:02.000Z,
"method": GET,
"src_ip": 10.10.0.3,
"user_agent": Mozilla/5.0 (Windows NT 10.0; rv:51.0) Gecko/20100101 Firefox/51.0,
"url": https://super-brand-offer.com/login?username=afstorm&password=**********
InboundNetworkEvents
"timestamp": 2025-04-03T14:23:21.000Z,
"method": GET,
"src_ip": 182.45.67.89,
"user_agent": Mozilla/5.0 (compatible; MSIE 5.0; Windows NT 5.2; Trident/4.1),
"url": https://clouthaus.com/search=How+to+hack+an+influencer’s+location+from+their+Instagram+story,
"referrer": https:clouthaus.com/search,
"status_code": 200
PassiveDNS
"timestamp": 2025-03-31T10:20:34.000Z,
"ip": 198.51.100.12,
"domain": super-brand-offer.com
"timestamp": 2025-04-01T10:20:34.000Z,
"ip": 198.51.100.12,
"domain": super-brand-offer.com
super-brand-offer.com
dior-partners.com
influencer-deals.net
AuthenticationEvents
"timestamp": 2025-04-03T12:20:00.000Z,
"hostname": MAIL-SERVER01,
"src_ip": 182.45.67.89,
"user_agent": Mozilla/5.0 (compatible; MSIE 5.0; Windows NT 5.2; Trident/4.1),
"username": afstorm,
"result": Successful Login,
"password_hash": a2feaddef8e617fa9cf861b3b49b1dd5,
"description": User successfully logged into their email account.
Cheat Sheet
- where shows results based on satisfied conditions to extract the relevant logs from noise.
- name is the field that the query is interested in; do please note that it is case-sensitive.
- contains searches for strings containing the provided characters, for example if the keyword is “afomiya”, then the records may include afomiya123 or xyzafomiya.
- == is the equal operator, which must match every character of the provided string.
- or unites two conditions; if one of them is satisfied, then it returns the matched row.
- distinct serves to display just one entry for each match, for example if there are three rows with the same domain, then the results will show that domain once.