Let’s Defend: SOC101 — Phishing Mail Detected alert Walkthrough
Hello, blue teamers. In this blog entry, join me as I attempt to conquer the SOC 101 — Phishing Mail Detected alert, hosted on Let’s Defend.
There’s also a Gitbooks version of the same alert, written by me. You can go ahead and check it out!
NOTE: Always investigate Let’s Defend challenges inside a VM.
Alert details
Let’s have a good look at the alert to familiarize ourselves with the details.
Proceed to take ownership of the case
Create case
Initial enumeration
Since the SOC alert deals with phishing mail, let’s have a look at Let’s Defend’s mailbox, titled ‘Exchange’, and search by the mail address of the victim: mark@letsdefend.io
This is the mail in question:
We’ve got our first piece of evidence here, a suspect domain: http://nuangaybantiep.xyz
It seems the email was received on Mark’s phone, so the endpoint we are looking for is not a desktop.
Checking the ‘Endpoint Security’ section, we come across Mark’s phone, listed as ‘MarksPhone’.
Incident details
Let’s proceed to start the playbook.
Parsing the email
These answers can be read from the alert summary:
A1) April 4, 2021, 11 p.m.
A2) 146.56.195.192
A3) lethuyan852@gmail.com
A4) mark@letsdefend.io
A6) No
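The parsing step above can also be done offline with Python’s standard email library. The script below is an added example, not part of the original write-up or of Let’s Defend’s tooling; the .eml it parses is constructed for illustration using the values from this walkthrough (the Received header line and the subject are assumed, since the original headers are not shown here).

```python
# Added example: extract the playbook artifacts (date, sender IP, from, to, URLs,
# attachments) from a raw mail. The sample .eml below is constructed, not the
# original Let's Defend mail; the Received hop and subject are assumptions.
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlparse

SAMPLE_EML = b"""\
Received: from mail.example.test (unknown [146.56.195.192])
\tby mx.letsdefend.io with ESMTP; Sun, 4 Apr 2021 23:00:00 +0000
From: lethuyan852@gmail.com
To: mark@letsdefend.io
Subject: constructed sample
Date: Sun, 4 Apr 2021 23:00:00 +0000
Content-Type: text/plain; charset="utf-8"

Please confirm at http://nuangaybantiep.xyz
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")      # bracketed IP in a Received header
URL_RE = re.compile(r"https?://[^\s<>\"']+")               # http(s) links in the body text


def parse_mail(raw: bytes) -> dict:
    """Return the artifacts the 'Parsing the email' step asks for."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    # Received headers are prepended by each hop, so the last one in the list is the
    # hop closest to the sender; its bracketed address is the sending IP.
    received = msg.get_all("Received") or []
    match = IP_RE.search(str(received[-1])) if received else None
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    urls = sorted(set(URL_RE.findall(text)))
    return {
        "date": parsedate_to_datetime(str(msg["Date"])).isoformat(),
        "source_ip": match.group(1) if match else None,
        "from": parseaddr(str(msg["From"]))[1],
        "to": parseaddr(str(msg["To"]))[1],
        "urls": urls,
        "domains": sorted({urlparse(u).hostname for u in urls}),
        "attachment_count": sum(1 for _ in msg.iter_attachments()),
    }


if __name__ == "__main__":
    for key, value in parse_mail(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

The extracted domains are what you then submit to VirusTotal, Hybrid-Analysis and Joe Sandbox; the script only collects them and makes no network calls.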
Is the content malicious?
To check it, let’s run the given domain (http://nuangaybantiep.xyz) through a few threat intel platforms, namely VirusTotal, Hybrid-Analysis and Joe Sandbox.
While the former two returned clean checks on the domain, Joe Sandbox had something else to say, which can be seen below:
The site was flagged as suspicious but had no malware configuration evidence attached to it.
A) Non-suspicious
Attachments or URLs in the mail?
A) Yes
Analyze Url/Attachment
From Joe Sandbox we understand that the domain was earlier used to spread a trojan, but it is now unreachable and is not causing any harm.
The analysis of the domain on VirusTotal and Hybrid-Analysis supports that.
Hence, the domain is non-malicious.
A) Non-malicious
Adding artifacts
Let’s fill in the table with the evidence and related information collected so far.
From VirusTotal we can get the serving IP address and the final destination of the suspected domain.
Click Next to submit them.
Analyst’s Note
This is the analyst’s opinion on the alert.
Finish the playbook
Close the alert
Parting notes
Alert Scorecard
We were not able to achieve all the objectives required to completely solve this alert. Let’s take it as a learning opportunity and go on to crush the other incoming SOC alerts!
Conclusion
Thank you for reading this blog entry. Stay tuned, as I go hunting some pcap files out there.
Your opinion matters
My audience has a voice. Feel free to reach out to me on my socials (links are at the top of this page) for any queries to be addressed. Dropping a sweet message would make my day.
Let your opinion about this write-up be known by giving it a clap!