Let’s Defend: SOC141 — Phishing URL Detected alert Walkthrough

It’s the first week of February and that just means one thing. Let’s Defend has released a new set of SOC Alerts for us blue teamers to investigate and solve and here, we will be solving the SOC 141— Phishing URL alert.

Let’s jump right into it!

There’s also a Gitbooks version of the same alert, written by me. You can go ahead and check it out!

NOTE: Always remember to investigate alerts from Let’s Defend, on a VM.

Alert Details

Let’s take ownership of the case

Reading the alert’s summary, it’s plain to see that a phishing URL was sent to the victim, wanting him/her to click it

Create a case book for the same

Collection of Data

Q)Please check alert details for the following below:-

Source Address
Destination Address
User-Agent

From the alert summary, we can determine

A)Source Address — 172.16.17.88
Destination Address — 192.64.119.190
User Agent — Mozilla — Windows

Search Log

Q)Please search in Log Management for details.

Let’s search the Source IP address, on the Log Management screen

We can see two corresponding entries for the address

Upon expanding the logs, we find the following information:-

Analyze the given URL

Analyze URL in 3rd party tools. Please click “Malicious” if it is malicious and click “Non-malicious” if it isn’t.

You can use the free products/services below.

AnyRun
VirusTotal
URLHouse
URLScan
HybridAnalysis

Let’s analyze using our go-to go tools VirusTotal and Hybrid-Analysis

Taking the URL — http://nuangaybantiep.xyz, and searching it up on VirusTotal brought the following results:-

It says that the domain is not malicious at all Reading the comment under the ‘Community’ section gives us the following note:-

That’s why I stick by the rule of verifying with multiple platforms
Reading Joe Sandbox’s HTML report of the malicious domain, we come across the following analysis of the domain:-

Seems like a malicious domain and is capable of spreading Trojan(take a look at the pie chart)

Let’s analyze it on the Hybrid-Analysis platform as well, where 2 search results pop up for the domain

Both incidents determine that the file is not malicious through

Though the domain may be distributing malware, it’s not classified as a malicious domain by these threat intel platforms.

Let’s click on “Malicious” and proceed forward

Has anyone accessed IP /URL Domain?

In the very next screen, we are asked to provide answers to the following questions:-

From the log expansion evidence provided above, we can answer these:-

A)Apr, 04, 2021, 11:10 PM

A)172.16.17.88

A)192.64.119.190

A)Mark

A)Mozilla — Windows

A)No

A)Yes

Containment

Proceed to contain the victim host

Submission of case artifacts

In the very next screen, we are asked to submit artifacts derived from the case

From the ‘Links’ tab of the domain’s analysis on VirusTotal, we can see some outgoing links from it

Unable to graph any mail addresses from this suspicious domain, we can very well state that the origin of the attack is from Reykjavik, the capital of Iceland

Mapped using Maltego
This is what the malicious domain looks like

Our Artifacts

Analyst’s Note

Finish the playbook!

Close Alert

Proceed to close the alert and provide parting remarks about the case

Alert Scorecard

This is awesome!

Every alert solved is a step towards perfection and I am pretty happy with the score I received.

Conclusion

This SOC alert exercise was a breath of fresh air, as I performed threat hunting after repeated blue team activities on Try Hack Me.

Thank you for reading this blog entry. Stay tuned, as I go hunting some pcap files out there….

Your opinion matters

My audience has a voice. Feel free to reach out to me, on my socials (links are on top of this page) for any queries to be addressed. Dropping a sweet message would make my day

Let your opinion about this write-up be known, by giving it a clap!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store