# KC7 Case: A Rap Beef

> Two hip-hop artists are caught in a musical feud that extends into cyberspace. One artist's oversharing in his lyrics makes him a target, leading the rival label to hire a hacker to exploit vulnerabilities. As a security analyst for OWL Records, your role involves investigating these cyber activities by using data queries to uncover phishing attempts and unauthorized access.

## Introduction

Alright, I’ll state the obvious: rappers are bad at OPSEC. Think about it. The rap industry relies heavily on street cred, flashiness, and representing where you’re from and what you’ve done. So, they often end up telling people things they shouldn’t. As we will find out in the following KC7 threat hunting exercise, this makes them vulnerable.

In this scenario, two hip-hop artists, Dwake and Present, are in the midst of a musical feud. Following long-stewing tensions between the artists, they have begun taking jabs at each other through their music. Dwake, who is signed with OWL Records, was the first to strike. His newest song was intended to insult his arch-nemesis, Present, who is signed with Dollar Currency Records. However, he made a crucial mistake in his verse that took the feud in a different direction.

No, not in the direction you think; everyone is still alive.

Anyways, the role we play is that of a security analyst for OWL Records. Our job is to keep the company's information safe so the artists don't get exposed during this ongoing feud.

## Dwake Drops His Verse

Dwake pulled no punches. After dropping this verse, he had everyone on social media talking and laughing at Present.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1729705360854/0d3a9b6a-e16a-4519-80be-faefc7fe1345.png align="center")

And just like that, the beef escalated. I’m sure Dwake telling everyone certain details about his personal life won’t have far-reaching consequences.

![High Quality in the business we call this foreshadowing Blank Meme Template](https://i.imgflip.com/54q8pn.png align="left")

Now, understandably, Present was not pleased. In a fit of anger, Present asked his label, Dollar Currency Records (DCR), to dig up some dirt on Dwake that he could use to retaliate. Our “homeboy” (who works in the cyber underground) gave us a tip that we might see nefarious cyber activity as a result. For the high price of $20, he recounted a rumor he heard that DCR had hired a hacker who used the IP `18.66.52[.]227` to poke around our company’s website in early April.

Now that we have a starting point, we can begin digging into the company's data to find clues that will help us solve the mysteries at hand. We'll manipulate our data using KQL (Kusto Query Language) queries. Time to pivot!

## Initial Investigation

We are going to be manipulating the OwlRecords database, which has the following tables.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1729775775792/1c78c838-5b46-43a4-8b0c-4e03e66411b5.png align="center")

The first question KC7 asks is, “What is the name of the OWL Records CEO?” This can be answered with a simple query.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1729707837344/776addfb-7f89-4ff2-8cc5-8c02fe93a88e.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1729708481115/7d1bd35d-522e-41ab-b2eb-03043ba17c9b.png align="center")

The next question is how many results we get back from running the following query:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1729708615964/ae3fa6e5-e128-4d95-9d5b-9e4ac63c5c08.png align="center")

The answer lies in the upper right corner!

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1729708713144/14e9a816-0d2d-4112-a59b-fd2bcc82a780.png align="center")

Sidenote: These are some *interesting* results. Somebody’s curious. We definitely should dig into these more.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1729708786566/b76ec847-0cf3-4758-8cbe-f0d43922c90d.png align="center")

The results we are looking at represent someone browsing and searching for information on OWL Records' website. This operator (the person browsing the website) was clearly looking to find information about various artists who work for OWL Records, especially Dwake. Thanks to our contact, it looks like we are on the right path. However, a question remains: What key piece of information were they looking to get for Dwake? The answer lies in that first result.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1729709060253/7d63e22a-92fa-403a-aa61-7279b9c1a096.png align="center")

Let's continue looking at the results from the previous query to answer the next question. The operator also expressed strong opinions about Dwake's music. What were they wondering?

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1729714662958/a64bbf94-ec0e-4f9a-b630-34b346481871.png align="center")

When we continue to look at these logs, we discover that the operator discovered Dwake's email address at some point.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1729714774352/a451d57c-4bc8-4547-9a80-88e22bcae98b.png align="center")

The operator then attempted to take over Dwake's account by resetting his password. We know this because of the `reset-password` parameter in the last `url` they accessed. When employees at OWL Records need to reset their passwords, they must answer a set of challenge questions to prove who they are. These are the challenge questions offered on the OWL Records website:

1. What is your mother's maiden name?
2. What street did you grow up on as a child?
3. What is your childhood pet's name?
4. What is the color of your first car?
You see what I’m seeing, right? Based on the questions, we can conclude that our favorite rap artist accidentally self-snitched in his last verse.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1729715230162/b9d2e462-1230-4aca-93ff-bba3062dd640.png align="center")

The operator used these bits of information to reset Dwake's password. By using a certain query, we can actually see the adversary doing this.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1729715429429/b32074ac-e774-44a0-8f7e-9f6d50a6b864.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1729715442598/a4f42f01-7960-4a82-9995-f338b4b7c9d8.png align="center")

This worked in the hacker’s favor: after taking over Dwake's email account, they were able to reset the password for Dwake's Instagram account as well. The following day, the adversaries posted an embarrassing image to Dwake's Instagram.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1729715633353/c0afcb2b-2094-4ab2-a537-4635ef5638de.png align="center")

Yikes.

The higher-ups at OWL Records deliberated the event in a private meeting. In that meeting was Dwake himself, who was seething about what had taken place. After 6 hours of deliberation, the company declared it a settled issue. Interestingly enough, however, they never officially specified how they dealt with the situation.

![](https://miro.medium.com/v2/resize:fit:375/1*nqeGw1lvZk99SrQAILcxVA.jpeg align="left")

The following day, a random hacker on the dark web threatened to release damaging information on Present if he did not announce his retirement within the next 30 days.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1729716001126/8bc85e59-e421-4271-badb-372751718e77.png align="center")

OWL Records is totally not involved. 😃

We can't really prove that OWL Records management had anything to do with the dark web post (and honestly, we don't have any reason to try). But we know this could cause us more headaches if it's not sorted out. So, we hit up our contact in the cyber underground again, and he hinted that any payback might come through phishing. It's a bit of a vague clue, but we're pros, so we can definitely figure something out.

## Hunting for Phish

We already know one thing about the bad guys! They used IP `18.66.52[.]227` in their operations. If we can track down a domain name linked to this IP, it might lead us to those phishing emails.

We can look in the PassiveDNS table for IP <-> domain relationships to find the adversary’s domain.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1729820097645/e9a14045-78bd-4f24-a9b6-fe14f29262b6.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1729820113152/6df34597-a152-43d8-be1d-85e7b0faa972.png align="center")

Woohoo! We've got a domain name! Things should be a lot easier now! Let's dive into the email logs to see if this domain was used. Before peering at the logs, we need to inspect the email table.

Let's check out the table layout and figure out which column probably has our domain. By using `take 10` to show just the first ten rows, we can see that the `link` column holds URLs. That's probably where we'll find our domain.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1729820287136/c1bcf3a1-c73d-49c4-91f5-74f358c1570a.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1729820406133/e12e60ef-076e-4c44-86d8-d8247ad34097.png align="center")

Now, we should look for the `betterlyrics4u[.]com` domain.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1729820662166/6a00d25c-2b14-4630-b2ce-7e8ee8853938.png align="center")

The query returns 13 results. Each row represents an email sent to someone at OWL Records! We need to find the email address that sent the most of them. Multiple emails from the same external domain to different company addresses could be a sign of a targeted phishing campaign.

We can easily spot the outlier.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1729821061688/bed52276-56e4-4c82-b870-197e5578c558.png align="center")

However, we also see a second email address of interest. Luckily, emails from this one were blocked.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1729821160830/80e4a7fd-5681-4dd6-8c09-10d022bb2a0f.png align="center")

Okay, we managed to pivot from the domain to the email addresses used in the phishing campaign. To further support our position that this is indeed a targeted effort, we should find out which job role was targeted the most. We assign the filtered email table to a variable, keep only the unique recipients, and join the results to the `email_addr` column in the Employees table.
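The whole pivot above, from the tipped IP to the domain, to the emails carrying it, to the job roles of their recipients, written out as KQL queries. This is an added example, not the queries from the post's screenshots; column names beyond those on the page (`ip`, `domain`, `sender`, `recipient`, `verdict`, `role`, `name`) and the verdict value `BLOCKED` are assumed KC7-style names.

```kql
// Added example. Assumed columns (KC7-style, not printed on the page):
//   PassiveDNS(timestamp, ip, domain)
//   Email(timestamp, sender, recipient, subject, verdict, link)
//   Employees(name, email_addr, role)
// Run each numbered query on its own: Kusto accepts one tabular statement per query.

// 1. Pivot from the IP in the tip to any domain that resolved to it.
PassiveDNS
| where ip == "18.66.52.227"
| distinct domain

// 2. Emails whose link carries the domain, grouped by sender. dcount(recipient)
//    shows how many mailboxes each sender hit; countif shows how many the mail
//    filter stopped ("CLEAN" is on the page, "BLOCKED" is an assumed value).
Email
| where link contains "betterlyrics4u.com"
| summarize emails_sent = count(),
            distinct_recipients = dcount(recipient),
            blocked = countif(verdict == "BLOCKED"),
            first_seen = min(timestamp),
            last_seen = max(timestamp)
  by sender
| order by emails_sent desc

// 3. Which job roles received the emails: unique recipients joined to Employees.
let phish_recipients = Email
    | where link contains "betterlyrics4u.com"
    | distinct recipient;
phish_recipients
| join kind=inner Employees on $left.recipient == $right.email_addr
| summarize targeted = count(), who = make_set(name) by role
| order by targeted desc
```

Query 2 is where the outlier sender stands out; query 3 is where a single role (here the rappers) with many hits points at a targeted campaign rather than bulk spam.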

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1729821514947/c3949687-f09d-4e37-b87e-ca7a890897f8.png align="center")

It seems our attacker only wanted to target the rappers.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1729821730365/38921a88-c679-4ab9-9478-f7c58d2921ba.png align="center")

Interesting! There is only one result for the lead rapper. I wonder who it could be.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1729821815645/f1d5d5c2-ea24-496d-9fbc-a60fd1835859.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1729821824116/b5e631c5-25fa-40a2-9cf6-7d9440f313aa.png align="center")

Oh. Yeah, that makes sense, I guess. Personally, I think Snoop is better, but that’s just me. 🤷🏾‍♂️

Before we pivot off this, we should note Dwake’s IP address. If the phishing attack was successful, this will help later if we need to check the authentication logs.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1729822084985/33f91f2f-8729-4ba0-b1a3-1c1dfeece018.png align="center")

The next question we have to answer is: What is the subject of the email sent to Dwake? Since this is a spear-phishing attack, it has to be interesting enough for him to open.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1729822294896/4097aef0-e8d9-484c-9f71-2dface766f41.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1729822306257/2f6e485c-c78a-4a4c-98f1-005fb8c167cf.png align="center")

Besides noticing that Dwake probably doesn’t write his own bars, we get quite a bit of information from this result. For one, this email got through the spam filter and was dubbed “CLEAN.” We also see the link the attacker wants him to follow. Let’s inspect the actual contents of the email to get a better idea of what we’re working with.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1729822563319/cb593c38-8e87-495e-82e8-5008632d793b.png align="center")

If Dwake clicked the link, we would see the request in the OutboundNetworkEvents table. By examining the data there, we can confirm that a GET request for the malicious URL occurred and the timeframe in which it happened.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1729825034267/ae41739e-b87e-4a52-9990-ffa8b76adc19.png align="center")

After Dwake clicked on the link in the email, he was presented with this phishing page:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1729825430980/d5e30864-962e-42f5-904e-3892653dfc6f.png align="center")

Most likely, he entered his username and password, and the credentials were sent to a remote server controlled by the attacker. Now that they have his credentials, the attackers would need to verify them by logging into Dwake's account. As I mentioned earlier, we can check the AuthenticationEvents table to see if the attackers were able to log in to Dwake's account. We'll need to use the attacker's IP address for this.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1729825469728/937168de-c556-4b65-af1b-e689cfaa8266.png align="center")

It seems the attacker was able to log in successfully.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1729825516195/16f969fc-3658-4b1e-ae22-35566b77de5f.png align="center")

Now that the adversaries have logged into Dwake's account, they will want to look for important information to steal. Since we already know the adversary's IP address, we can check the InboundNetworkEvents table for that timeframe and hunt for activity against Dwake's account.
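The three checks described above (the click, the login, the activity after it) folded into one KQL timeline query, added here as an example rather than taken from the post. It reuses the assumed KC7-style column names; `Employees.ip_addr`, the `result` text matched with `contains`, and the name value `Dwake` in the Employees table are also assumptions.

```kql
// Added example. Assumed columns (KC7-style, not printed on the page):
//   Employees(name, ip_addr)
//   OutboundNetworkEvents / InboundNetworkEvents(timestamp, src_ip, method, url)
//   AuthenticationEvents(timestamp, src_ip, username, result)
let attacker_ip  = "18.66.52.227";
let phish_domain = "betterlyrics4u.com";
// Dwake's workstation IP, taken from the Employees table as the post does.
let dwake_ip = toscalar(Employees | where name has "Dwake" | project ip_addr);
// Stage 1: the victim's machine fetching the phishing link.
let click = OutboundNetworkEvents
    | where src_ip == dwake_ip and method == "GET" and url contains phish_domain
    | project timestamp, stage = "1-click", actor = src_ip, detail = url;
// Stage 2: successful logins from the attacker's IP (result text is assumed).
let logins = AuthenticationEvents
    | where src_ip == attacker_ip and result contains "success"
    | project timestamp, stage = "2-login",
              actor = strcat(username, " from ", src_ip), detail = result;
let first_login = toscalar(logins | summarize min(timestamp));
// Stages 3/4: what the attacker requested in the day after the first login;
// a .zip in the URL is flagged separately as the likely exfiltration.
let post_login = InboundNetworkEvents
    | where src_ip == attacker_ip
    | where timestamp between (first_login .. (first_login + 1d))
    | project timestamp,
              stage = iff(url contains ".zip", "4-exfil", "3-browse"),
              actor = src_ip, detail = strcat(method, " ", url);
union click, logins, post_login
| order by timestamp asc
```

Reading the result top to bottom gives the intrusion in order: a click before any attacker login, then a login, then requests against Dwake's account, so a gap (no click, or a login before the click) is a sign the story needs re-checking.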

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1729825725227/ee5a6487-df64-448a-a704-0eeb00deca5c.png align="center")

We get ten records with this query, along with some suspicious URL parameters.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1729825738075/4d08a616-e2c0-4ec0-8950-4a283f2c21df.png align="center")

It looks like the attacker accomplished their goal. We see evidence of data exfiltration using a zip file.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1729825966773/79081f5d-2878-4b4b-b9c9-08762886a606.png align="center")

## Conclusion

Dwake and Present have a lot of dirt on each other now. After some back-and-forth through some middlemen, they decided to call a truce. Luckily, this didn’t escalate beyond cyberspace. Everything's chill in the Rap World for now!

This KC7 exercise demonstrated the entire cyber attack process—from reconnaissance and phishing to account compromise and data theft—in an entertaining way. It highlighted the importance of detailed data analysis, the effectiveness of KQL for threat hunting, and the value of communication in engaging both technical and non-technical audiences. It also showed the importance of training employees on operational security (OPSEC), especially in industries where reputation and persona are public-facing.

If personal info gets leaked or shared too much, it can be used in social engineering attacks. I'm definitely going to keep using KC7 as a hands-on learning tool. This exercise was a big reminder that cybersecurity needs to tackle both the technical and human sides to really work well.
