Introduction

In this lab, we assume the role of a Security Operations Center (SOC) analyst tasked with investigating a network compromise that resulted in significant disruption. The initial findings from incident responders indicate that the attack originated from a single user account, suggesting the possibility of an insider threat. The primary objective is to trace the attacker's actions, identify the compromised account, and uncover the methods used to carry out the attack and exfiltrate data. This walkthrough provides a step-by-step investigation into the insider's digital footprint and malicious activities, leveraging OSINT techniques and analyzing artifacts found in the attacker's GitHub repositories.

The investigation begins with exploring the suspect’s online presence to identify critical information, including exposed API keys, plaintext credentials, and software repositories. By analyzing these repositories, we identify potential tools used in the attack, such as cryptocurrency mining software, and highlight insecure coding practices that facilitated unauthorized access. Tools like Sherlock, an OSINT utility, help correlate online profiles and uncover additional accounts, including those on social platforms and gaming websites, which may provide further insights into the insider’s activities.

Throughout this walkthrough, we employ a combination of open-source intelligence gathering, code analysis, and metadata inspection to unravel the insider’s methods. Key findings include the discovery of hardcoded API keys, encoded plaintext passwords, and evidence of cryptocurrency mining software configured for unauthorized resource ex
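The repository analysis described above boils down to scanning committed files for hardcoded secrets and for strings that only look protected because they were base64-encoded. The script below is an added example, not code from the lab or from BlueYard Labs: it runs a small set of illustrative patterns (an AWS access key id, secret-looking variable assignments, and base64 tokens that decode to printable text) over constructed sample files that stand in for a suspect's repository, and ranks each hit with its Shannon entropy. The file contents, the `sk_live_...` token and the wallet value are made up; the AKIA key is AWS's own documented example id.

```python
import base64
import binascii
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample files standing in for source pulled from a suspect's public repository.
# Every value is made up (the AKIA id is AWS's documented example id, not a real credential).
SAMPLE_FILES: Dict[str, str] = {
    "miner_config.py": (
        "POOL_URL = 'stratum+tcp://pool.example.invalid:3333'\n"
        "API_KEY = 'sk_live_0123456789abcdefABCDEF0123456789'\n"
        "WALLET = 'wallet-placeholder'\n"
    ),
    "deploy.sh": (
        "#!/bin/sh\n"
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "# password kept 'hidden' by encoding it\n"
        "PASS_B64=cGFzc3dvcmQxMjMh\n"
    ),
    "README.md": "Build with make. Contact the maintainer for access.\n",
}

# A deliberately small pattern set; real secret scanners ship hundreds of provider-specific rules.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
SECRET_ASSIGNMENT = re.compile(
    r"(?i)\b(api[_-]?key|secret|token|password|passwd)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-./+=]{8,})"
)
# Runs of base64 alphabet characters (12+) not preceded by another base64 character.
BASE64_CANDIDATE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{12,}={0,2}")


@dataclass
class Finding:
    path: str
    lineno: int
    kind: str
    value: str
    entropy: float
    note: str = ""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking keys score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def try_decode_base64(token: str) -> Optional[str]:
    """Return the decoded text if the token is valid base64 of printable ASCII, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw.isascii():
        return None
    text = raw.decode("ascii")
    if len(text) < 6 or not text.isprintable():
        return None
    return text


def scan_text(path: str, text: str) -> List[Finding]:
    """Scan one file's contents line by line and return structured findings."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append(Finding(path, lineno, "aws_access_key_id", m.group(0),
                                    shannon_entropy(m.group(0))))
        for m in SECRET_ASSIGNMENT.finditer(line):
            findings.append(Finding(path, lineno, "hardcoded_secret", m.group(2),
                                    shannon_entropy(m.group(2)), note=f"variable: {m.group(1)}"))
        for m in BASE64_CANDIDATE.finditer(line):
            decoded = try_decode_base64(m.group(0))
            if decoded is not None:  # encoding is not encryption: the plaintext is recoverable
                findings.append(Finding(path, lineno, "base64_encoded_text", m.group(0),
                                        shannon_entropy(m.group(0)), note=f"decodes to: {decoded}"))
    return findings


def scan_repo(files: Dict[str, str]) -> List[Finding]:
    """Scan every file in a path -> contents mapping, ordered by path and line."""
    findings: List[Finding] = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind, handy for a triage report."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f.path}:{f.lineno} [{f.kind}] entropy={f.entropy:.2f} {f.value} {f.note}")
    print(summarize(scan_repo(SAMPLE_FILES)))
```

The base64 check is what catches the "encoded plaintext password" class of finding: a token is only reported when it decodes to printable text, which filters out random-looking keys and binary blobs. On a real repository you would feed `scan_repo` the output of a checkout walk, and would also scan git history, since a secret removed in a later commit is still recoverable from earlier ones.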
