Let’s Defend: SOC141 — Phishing URL Detected alert Walkthrough
It’s the first week of February and that just means one thing. Let’s Defend has released a new set of SOC Alerts for us blue teamers to investigate and solve and here, we will be solving the SOC 141— Phishing URL alert.
Let’s jump right into it!
There’s also a Gitbooks version of the same alert, written by me. You can go ahead and check it out!
NOTE: Always remember to investigate alerts from Let’s Defend, on a VM.
Alert Details
Let’s take ownership of the case
Reading the alert’s summary, it’s plain to see that a phishing URL was sent to the victim, wanting him/her to click it
Create a case book for the same
Collection of Data
Q)Please check alert details for the following below:-
Source Address
Destination Address
User-Agent
From the alert summary, we can determine
A)Source Address — 172.16.17.88
Destination Address — 192.64.119.190
User Agent — Mozilla — Windows
Search Log
Q)Please search in Log Management for details.
Let’s search the Source IP address, on the Log Management screen
We can see two corresponding entries for the address
Upon expanding the logs, we find the following information:-
Analyze the given URL
Analyze URL in 3rd party tools. Please click “Malicious” if it is malicious and click “Non-malicious” if it isn’t.
You can use the free products/services below.
AnyRun
VirusTotal
URLHouse
URLScan
HybridAnalysis
Let’s analyze using our go-to go tools VirusTotal and Hybrid-Analysis
Taking the URL — http://nuangaybantiep.xyz, and searching it up on VirusTotal brought the following results:-
It says that the domain is not malicious at all Reading the comment under the ‘Community’ section gives us the following note:-
That’s why I stick by the rule of verifying with multiple platforms
Reading Joe Sandbox’s HTML report of the malicious domain, we come across the following analysis of the domain:-
Seems like a malicious domain and is capable of spreading Trojan(take a look at the pie chart)
Let’s analyze it on the Hybrid-Analysis platform as well, where 2 search results pop up for the domain
Both incidents determine that the file is not malicious through
Though the domain may be distributing malware, it’s not classified as a malicious domain by these threat intel platforms.
Let’s click on “Malicious” and proceed forward
Has anyone accessed IP /URL Domain?
In the very next screen, we are asked to provide answers to the following questions:-
From the log expansion evidence provided above, we can answer these:-
A)Apr, 04, 2021, 11:10 PM
A)172.16.17.88
A)192.64.119.190
A)Mark
A)Mozilla — Windows
A)No
A)Yes
Containment
Proceed to contain the victim host
Submission of case artifacts
In the very next screen, we are asked to submit artifacts derived from the case
From the ‘Links’ tab of the domain’s analysis on VirusTotal, we can see some outgoing links from it
Unable to graph any mail addresses from this suspicious domain, we can very well state that the origin of the attack is from Reykjavik, the capital of Iceland
Our Artifacts
Analyst’s Note
Finish the playbook!
Close Alert
Proceed to close the alert and provide parting remarks about the case
Alert Scorecard
This is awesome!
Every alert solved is a step towards perfection and I am pretty happy with the score I received.
Conclusion
This SOC alert exercise was a breath of fresh air, as I performed threat hunting after repeated blue team activities on Try Hack Me.
Thank you for reading this blog entry. Stay tuned, as I go hunting some pcap files out there….
Your opinion matters
My audience has a voice. Feel free to reach out to me, on my socials (links are on top of this page) for any queries to be addressed. Dropping a sweet message would make my day
Let your opinion about this write-up be known, by giving it a clap!
