Heartbreaker-Denouement Sherlock Q.11

Hello,
About Heartbreaker-Denouement (Sherlock), I’ve successfully answered all the questions but Question 11.
For some reason I can't find the ARNs, especially when using the opposite filter of Question 10.
Any idea of what field I should be looking at (resources.ARN, responseElement.ARN…)?

1 Like

Did you figure this one out? I am also stuck

Hi there, no sadly I haven’t. I’m stuck on 93% completion…

Dang :sweat_smile:

OK, someone helped me out. Filter by IPs, filter out errors, filter for events with Describe, List, Get. Then filter out the ARN that is tied to the instance. Should be 2.

1 Like

Thanks a lot!!! It worked like a charm.

Out of curiosity, how did you handle the thousands of log files? I've developed a quick Python script to parse them into Elastic and Kibana.

No problem. I used free Splunk. First I had to run some Linux CLI stuff to get the JSON logs consolidated into one file.

Any tips on Tasks 8 and 13? I can only see one account ID, where else should I be looking?

Task 8:
So you have unveiled the username: xxxxxx-xxx
Now, filter on username and successful API calls.
A successful API call is one in which neither errorCode nor errorMessage exists.
You should find two regions, which are from the same country.

Task 13:
We know that the attacker has created DB Snapshots.
And now, here we are, the attacker is finally going to exfiltrate the data.
That can't be a coincidence, right?

Luckily, we can filter events on the eventName: xxxxxxDBSnapshotxxxxxxxxx.
Then, within the logs, we look for requestParameters.valuesxxxxx, and that’s the answer.

Good luck !

1 Like
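The three filters described in this thread (successful Describe/List/Get calls from one IP with their resource ARNs, regions touched by a username with no error, and the requestParameters of snapshot-related events) are easy to check once the CloudTrail files are loaded into one list. The script below is an added example written for this page, not code from the thread or from Hack The Box. It also shows the consolidation step one poster did with Linux CLI tools, done in Python instead. The CloudTrail field names (Records, eventName, sourceIPAddress, awsRegion, errorCode, errorMessage, userIdentity, resources[].ARN, requestParameters) are the real record fields; the sample records, IP addresses, user names, account IDs and ARNs are constructed, and the ModifyDBSnapshotAttribute record is my own illustrative choice of a snapshot event, not the masked answer from the thread.

```python
"""Added example (not from the thread): a small CloudTrail triage helper.

Reproduces the three filters discussed above on constructed sample
records. Field names are real CloudTrail record fields; the records,
IPs, user names, account IDs and ARNs below are invented.
"""
import glob
import gzip
import json


def load_records(pattern):
    """Consolidate many CloudTrail files (plain or .json.gz) into one list.
    Each file is a JSON object with a top-level "Records" array."""
    records = []
    for path in sorted(glob.glob(pattern, recursive=True)):
        opener = gzip.open if path.endswith(".gz") else open
        with opener(path, "rt", encoding="utf-8") as fh:
            records.extend(json.load(fh).get("Records", []))
    return records


def is_success(rec):
    # CloudTrail only sets errorCode/errorMessage when the call failed.
    return "errorCode" not in rec and "errorMessage" not in rec


def is_read_only(rec):
    # Enumeration calls: eventName is PascalCase, e.g. DescribeInstances.
    return rec.get("eventName", "").startswith(("Describe", "List", "Get"))


def username(rec):
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn", "")


def arns_enumerated_from(records, source_ip, exclude_arn_substr=None):
    """Q10/Q11-style filter: successful read-only calls from one IP,
    returning the distinct resource ARNs they touched. An optional
    substring excludes e.g. the instance ARN already answered elsewhere."""
    arns = set()
    for rec in records:
        if rec.get("sourceIPAddress") != source_ip:
            continue
        if not is_success(rec) or not is_read_only(rec):
            continue
        for res in rec.get("resources", []):
            arn = res.get("ARN")
            if arn and not (exclude_arn_substr and exclude_arn_substr in arn):
                arns.add(arn)
    return sorted(arns)


def regions_used_by(records, user):
    """Task-8-style filter: regions where the user made successful calls."""
    return sorted({r["awsRegion"] for r in records
                   if username(r) == user and is_success(r) and "awsRegion" in r})


def snapshot_events(records):
    """Task-13-style filter: events whose name contains 'DBSnapshot',
    paired with the requestParameters the analyst needs to read."""
    return [(r["eventName"], r.get("requestParameters", {}))
            for r in records if "DBSnapshot" in r.get("eventName", "")]


# Constructed sample records, not real log data. 111122223333 and
# 444455556666 are AWS documentation placeholder account IDs.
SAMPLE_RECORDS = [
    {"eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.7",
     "awsRegion": "eu-west-1", "userIdentity": {"userName": "example-user"},
     "resources": [{"ARN": "arn:aws:ec2:eu-west-1:111122223333:instance/i-0example"}]},
    {"eventName": "ListBuckets", "sourceIPAddress": "203.0.113.7",
     "awsRegion": "eu-west-2", "userIdentity": {"userName": "example-user"},
     "resources": [{"ARN": "arn:aws:s3:::example-bucket"}]},
    {"eventName": "GetSecretValue", "sourceIPAddress": "203.0.113.7",
     "awsRegion": "eu-west-1", "userIdentity": {"userName": "example-user"},
     "errorCode": "AccessDenied",  # failed call: must be filtered out
     "resources": [{"ARN": "arn:aws:secretsmanager:eu-west-1:111122223333:secret:example"}]},
    {"eventName": "RunInstances", "sourceIPAddress": "203.0.113.7",
     "awsRegion": "eu-west-1", "userIdentity": {"userName": "example-user"},
     "resources": [{"ARN": "arn:aws:ec2:eu-west-1:111122223333:instance/i-0example"}]},
    {"eventName": "ModifyDBSnapshotAttribute", "sourceIPAddress": "203.0.113.7",
     "awsRegion": "eu-west-1", "userIdentity": {"userName": "example-user"},
     "requestParameters": {"dBSnapshotIdentifier": "example-snap",
                           "attributeName": "restore",
                           "valuesToAdd": ["444455556666"]}},
    {"eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.9",
     "awsRegion": "us-east-1", "userIdentity": {"userName": "other-user"},
     "resources": [{"ARN": "arn:aws:ec2:us-east-1:111122223333:instance/i-0other"}]},
]

if __name__ == "__main__":
    # For real logs: records = load_records("CloudTrail/**/*.json.gz")
    records = SAMPLE_RECORDS
    print(arns_enumerated_from(records, "203.0.113.7", exclude_arn_substr="instance/"))
    print(regions_used_by(records, "example-user"))
    print(snapshot_events(records))
```

On real data, point `load_records` at the unpacked CloudTrail prefix (`**/*.json.gz`) and swap `SAMPLE_RECORDS` for its result; the failed `GetSecretValue` record in the sample is there to show why the errorCode check matters, since the enumerated ARN count changes if it is left in.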