LetsDefend — Discord Forensics Challenge Walkthrough
Endpoint DFIR Investigation using ChromeCacheView
Introduction:
Welcome to my weekly walkthrough! Have you ever wondered how an adversary could use social engineering to lure a victim to Discord and then compromise them with malware?
We’re about to investigate how this can happen by working through the Discord Forensics Challenge over on LetsDefend! This is an incident response challenge that has us defenders investigating an infected Windows endpoint. To understand how the attack unfolded, we’ll need to review artifacts on the system like the Discord cache and determine how the malware was delivered.
So, whether you’re here to learn more about Discord cache analysis, check out some new tools, or are just looking for a reference walkthrough for the LetsDefend Discord Forensics Challenge, you’ve stumbled on the right blog.
Now, let’s put on our detective hats and have some fun with forensics! Thanks for reading along!
Challenge Link: https://app.letsdefend.io/challenge/discord-forensics
Challenge Scenario:
Our SIEM alerted that AV blocked malware from running on an employee’s machine. For further investigation, the incident response team quickly acquired an image of that machine. To find out how this malware got on the machine, their task is to find the entry point of the attack and trace the attacker.
Questions 1, 2, & 3:
1. What is the name of the attacker?
2. What application is used for messaging?
3. What is the attacker’s username on the application?
Let’s get comfortable with our virtual analysis environment and extract the challenge file from the Challenge folder.
While the archive is extracting, let’s also check out our Tools folder which will help us get an idea of what utilities we have at our disposal to solve this challenge.
We’ve got a couple of interesting utilities, but the two mail clients seem out of place. Maybe email is a good place to start the investigation? We’ll look for any locally saved email files we can read through to see whether phishing was involved in initial access.
Let’s check the standard Outlook and Thunderbird data file locations to see if any locally saved items are available:
Outlook: C:\Users\LetsDefend\Desktop\ChallengeFile\Discord\Administrator\AppData\Local\Microsoft\Outlook
Thunderbird: C:\Users\LetsDefend\Desktop\ChallengeFile\Discord\Administrator\AppData\Roaming\Thunderbird\Profiles
Unfortunately, there is nothing in either directory. But hope is not lost — what about the built-in Windows Mail client? Maybe the victim was using that application? Let’s check!
C:\Users\LetsDefend\Desktop\ChallengeFile\Discord\Administrator\AppData\Local\Microsoft\Windows Live Mail
There we go! We have several emails to read through. Let’s launch Thunderbird and open the 3 “Job Offer” messages.
The sender’s FROM field name is abdlhameed. We’ll use this information to answer Question 1.
Once we get to the last email in the thread, Job Offer3.eml, we’ll find a couple of new pieces of information in the body of the email that we can use to answer Questions 2 & 3.
From the thread, we can see that the attacker is attempting to move the conversation from email to Discord. If you aren’t familiar, Discord is:
Pivoting to a legitimate web service is a common defense evasion technique (MITRE ATT&CK T1102). Moving a victim to a service which is outside of the purview of the security team/tools and into attacker-controlled infrastructure can allow for unimpeded next steps in the attack.
Question 4: When did an attacker send the first message to the victim on this application?
Now let’s really dig deep. Since we know that the victim was lured to contact the attacker on Discord to discuss the “job offer,” there must be some artifacts in the image that we can analyze.
We’ll start by doing some research on Google to see if we can gather any intelligence about what data Discord stores on a local system. Fortunately, we stumble across a fantastic write up about artifacts stored within the Discord cache folder!
According to this researcher, Discord data is structured very similarly to the Google Chrome cache — this means that we can probably leverage ChromeCacheView from our Tools folder to perform further analysis.
Let’s load up ChromeCacheView, press File, then Select Cache Folder. We’ll browse for the folder manually and point to the Discord cache folder within the victim image:
C:\Users\LetsDefend\Desktop\ChallengeFile\Administrator\AppData\Roaming\discord\Cache
There is a lot of data here, but we can narrow our search scope a bit. Press View > Use Quick Filter.
Now we will search for “message” and see if we get any results…
Okay, now we’re getting somewhere! We can actually review the content of these JSON files by right clicking the entry, selecting “Open selected cache file with…,” and selecting a plain text editor like Notepad.
We’re interested in the contents of the private chat between the attacker and the victim. After reviewing the data within the JSON files, let’s focus first on the one with the file size of 767.
While the data is initially difficult to comprehend, I have highlighted the snippet above with the general format of each message — they seem to start with “id” and end with “components.” In the excerpt above we can see the initial message on Discord from the attacker to the victim including the timestamp!
Question 5: The attacker has sent a server invitation URL to the victim, what is the full URL?
Let’s continue to analyze the JSON file we retrieved from ChromeCacheView.
In the same private chat that we analyzed in Question 4, the attacker states that they are going to create and invite the victim to a “server” — this is Discord shorthand for group chat/community on the platform. Then, the attacker provides a Discord URL where the victim can join the server.
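Rather than reading the cached JSON by eye, a small parser makes Questions 4 and 5 (and the attachment lookup in the server channel later on) repeatable. The script below is an added example, not part of the original walkthrough or of ChromeCacheView; it assumes the cache body has already been saved to disk by ChromeCacheView as plain (decompressed) JSON in the shape of Discord’s public message object (id, content, author, timestamp, attachments, components). The sample messages, IDs, usernames, URLs and timestamps are constructed placeholders, not values from the challenge image.

```python
"""Parse a Discord message-cache JSON body (as exposed by ChromeCacheView)
and pull out what the walkthrough hunts for: the earliest message, any
server-invite URLs, and uploaded attachments. Added example; sample data
below is constructed, not taken from the challenge."""
import json
import re
from datetime import datetime

# Constructed sample body. Field layout follows Discord's public message
# object; every value here is a placeholder.
SAMPLE_CACHE_BODY = json.dumps([
    {
        "id": "1000000000000000002",
        "type": 0,
        "content": "Great, I made a server for us: https://discord.gg/EXAMPLE-INVITE",
        "channel_id": "900000000000000001",
        "author": {"id": "200000000000000001", "username": "attacker_placeholder"},
        "attachments": [],
        "timestamp": "2024-01-15T10:05:00.000000+00:00",
        "components": [],
    },
    {
        "id": "1000000000000000001",
        "type": 0,
        "content": "Hi, this is about the job offer we discussed by email.",
        "channel_id": "900000000000000001",
        "author": {"id": "200000000000000001", "username": "attacker_placeholder"},
        "attachments": [],
        "timestamp": "2024-01-15T10:00:00.000000+00:00",
        "components": [],
    },
    {
        "id": "1000000000000000003",
        "type": 0,
        "content": "Here is the research you asked for.",
        "channel_id": "900000000000000001",
        "author": {"id": "200000000000000002", "username": "victim_placeholder"},
        "attachments": [{
            "id": "300000000000000001",
            "filename": "Private.7z",
            "size": 12345,
            "url": "https://cdn.discordapp.com/attachments/900000000000000001/300000000000000001/Private.7z",
        }],
        "timestamp": "2024-01-15T11:30:00.000000+00:00",
        "components": [],
    },
])

# Invite links come as discord.gg/<code> or discord(app).com/invite/<code>.
INVITE_RE = re.compile(r"https?://(?:discord\.gg|discord(?:app)?\.com/invite)/[A-Za-z0-9-]+")


def load_messages(body):
    """Parse a cached response body. Message endpoints return a JSON array;
    a single message object is wrapped so both shapes are handled."""
    data = json.loads(body)
    if isinstance(data, dict):
        data = [data]
    return [m for m in data if isinstance(m, dict) and "id" in m and "timestamp" in m]


def parse_ts(ts):
    # Discord timestamps are ISO 8601 with a UTC offset suffix.
    return datetime.fromisoformat(ts)


def first_message(messages):
    """Earliest message by timestamp. Cache order is newest-first, not
    chronological, so sort rather than trusting file order."""
    return min(messages, key=lambda m: parse_ts(m["timestamp"]))


def invite_urls(messages):
    """All server-invite URLs found in message bodies."""
    urls = []
    for m in messages:
        urls.extend(INVITE_RE.findall(m.get("content", "")))
    return urls


def attachments(messages):
    """(author username, filename, CDN URL) for every uploaded file."""
    out = []
    for m in messages:
        for a in m.get("attachments", []):
            out.append((m.get("author", {}).get("username", "?"), a.get("filename"), a.get("url")))
    return out


if __name__ == "__main__":
    msgs = load_messages(SAMPLE_CACHE_BODY)
    first = first_message(msgs)
    print("first message:", first["timestamp"], first["author"]["username"], first["content"])
    print("invite URLs:", invite_urls(msgs))
    print("attachments:", attachments(msgs))
```

To use it on a real cache entry, replace SAMPLE_CACHE_BODY with the contents of the file ChromeCacheView saved for you (open(path).read()); the same three functions then answer the first-message, invite-URL and attachment questions without scrolling through the raw JSON.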
Question 6: How many people were on the Discord server?
Along with the server URL from the previous question, the attacker also states that there are “two other employee” on the server in addition to the attacker and the victim.
just me and you and two other employee
My math might be terrible otherwise, but I know that 2+2=4.
Question 6: What is the MD5 hash of the attachment file that the victim sent to the attacker?
Let’s go back into ChromeCacheView. This time, we are going to view the JSON file for the server channel instead of the private chat. Let’s open the cache file with the size of 1,392.
After browsing the contents of the chat, we can see the attackers are coercing the victim to prove that he is the right candidate for the “job” by asking for the details of some (presumably) confidential research.
A short time later, we can see that the victim uploads the requested private data to the Discord server in an archive file called Private.7z
It’s pretty likely that the victim uploaded the data from his own device, so why don’t we check the image and simply search for the file name?
There we go, we found it in the user’s Documents folder!
Let’s grab the file hash of the archive. We can utilize the HashCalc utility from the Tools folder or leverage the PowerShell Get-FileHash command.
For this walkthrough, I used the PowerShell option. Since the Get-FileHash command defaults to using SHA256, we’ll need to specify that we want the MD5 hash instead.
Get-FileHash -Algorithm MD5 <filename>
Okay, now that we have the MD5 hash of the exfiltrated archive, let’s submit the answer and continue our analysis!
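Searching the image for a file by name and then hashing it is a step worth scripting, since the same archive name may appear in more than one place (Documents, Downloads, a Recycle Bin) and each copy should be hashed. The script below is an added example and not the walkthrough’s own method (the author used PowerShell Get-FileHash); it walks a directory tree, matches the name case-insensitively as NTFS would, and streams each hit through MD5 and SHA-256 in chunks so a large archive is never read into memory at once. The mini “image” it builds in a temporary directory, and the bytes in the fake Private.7z, are constructed for the demo.

```python
"""Find every file named like the exfiltrated archive under a mounted or
extracted image and compute its MD5 (what the challenge asks for) alongside
SHA-256. Added example; the walkthrough used Get-FileHash for this step."""
import hashlib
import os
import tempfile


def hash_file(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for one file, reading it in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    """Hash an in-memory byte string through the same streaming path
    (handy for checking the routine against known test vectors)."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        return hash_file(path)
    finally:
        os.remove(path)


def find_and_hash(root, filename):
    """Walk `root` (the extracted image) and hash every file whose name
    equals `filename`, ignoring case as NTFS does. Returns [(path, hashes)]."""
    hits = []
    target = filename.lower()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == target:
                full = os.path.join(dirpath, name)
                hits.append((full, hash_file(full)))
    return hits


def demo():
    """Build a constructed mini image (a fake Private.7z in a Documents
    folder plus a decoy file) and search it. Returns the hits with paths
    relative to the image root."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "Administrator", "Documents")
        os.makedirs(docs)
        with open(os.path.join(docs, "Private.7z"), "wb") as fh:
            fh.write(b"constructed sample archive bytes")  # placeholder content
        with open(os.path.join(root, "Administrator", "notes.txt"), "w") as fh:
            fh.write("decoy")
        hits = find_and_hash(root, "private.7z")
        return [(os.path.relpath(p, root), h) for p, h in hits]


if __name__ == "__main__":
    for path, digests in demo():
        print(path, "MD5:", digests["md5"], "SHA256:", digests["sha256"])
```

Point find_and_hash at the root of the challenge image (the ChallengeFile folder) with the archive name from the chat to get every copy and its MD5 in one pass; the SHA-256 comes for free and is what most threat-intel lookups expect.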
Question 7: What is the victim’s country?
Okay this one is a bit tricky to find. None of the Discord chat data that we have discovered appears to have any details regarding geolocation for the victim.
To save you some time, I tried extracting the attachment file in the 7z archive, analyzing the email headers for the communication between the attacker and victim, and going through the Microsoft Edge cache for URLs related to a specific country. All of these came up without any evidence.
Then, I remembered this is a Discord challenge and went back to ChromeCacheView and searched the cache for “location” instead of “message” like we did for Questions 4, 5, & 6.
Now, this gives us a misleading result in the metadata. Let’s lean on the question hint to tell us where we went wrong:
Whoops! So, let’s pivot and try to search for “country” in our quick filter instead of “location” — this will give us more results, with a second country code (not Egypt) in the URLs.
We might have stumbled there, but we figured it out. Great job!
Question 8: What is the URL of the attachment that the attacker sent to the victim?
After the victim ran the malicious file, there seems to be some follow-up chat in Discord where the victim is reaching out to the attacker to no avail.
Let’s go back to the victim’s email, where we can find another thread with the Subject field “idk” in which the attackers are blackmailing the victim. The attacker is threatening to tell the victim’s employer about the data leak unless they download and execute a file from a link in the email…
Despite the victim initially protesting, it appears that they were afraid of losing their job…
While out of scope for this challenge, we can check the victim’s browser history to see if we have any URL history.
Unfortunately, the evidence suggests that the victim did access the payload sent by the attacker. After that, the SIEM alerted us to the malware being blocked by the victim’s endpoint antivirus software. Whew!
Conclusion:
Great work! We successfully completed the Discord Forensics Challenge.
Our investigation led us to the discovery that the victim was lured to Discord through a phishing email with the promise of a job offer. The victim was then convinced to exfiltrate sensitive research data to the attackers on the Discord server. This was followed by a blackmail attempt, coercing the victim to download and execute a malware payload in exchange for not disclosing the victim’s mistake to their employer. Having identified how the attack unfolded, we can now conclude our investigation.
I appreciate you joining me in this investigation and reading along. I hope that you had as much fun as I did and learned something useful too!
A big thank you to LetsDefend for providing us with the opportunity to sharpen our skills in Discord cache analysis! It was cool to see how we could utilize ChromeCacheView beyond its typical applications and deepen our understanding of the artifacts left behind by Discord that can be analyzed during incident response.
Until next week — stay curious! Thanks!
Tools & References:
NirSoft ChromeCacheView: https://www.nirsoft.net/utils/chrome_cache_view.html
MITRE ATT&CK Phishing (T1566): https://attack.mitre.org/techniques/T1566/
Microsoft OST File Location: Introduction to Outlook Data Files (.pst and .ost), Microsoft Support
Finding Discord app chats in Windows: https://abrignoni.blogspot.com/2018/03/finding-discord-app-chats-in-windows.html
Microsoft Learn Get-FileHash: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/get-filehash?view=powershell-7.4