Let’s Defend: SOC101 — Phishing Mail Detected alert Walkthrough

Noel Varghese
4 min read · Feb 10, 2022

Hello, blue teamers. In this blog entry, join me as I attempt to conquer the SOC 101 — Phishing Mail Detected alert, hosted on Let’s Defend.

There’s also a GitBook version of this same alert walkthrough, written by me. Go ahead and check it out!

NOTE: Always investigate Let’s Defend challenges from inside a VM.

Alert details

Let’s have a good look at it to familiarize ourselves with the details.

Proceed to take ownership of the case
Create case

Initial enumeration

Since the SOC alert deals with phishing mail, let’s have a look at Let’s Defend’s mailbox, titled ‘Exchange’, and search by the victim’s mail address: mark@letsdefend.io

This is the mail in question:

We’ve got our first bit of evidence here, a malicious domain: http://nuangaybantiep.xyz

It seems the email was sent to Mark’s phone, so it’s not a desktop endpoint that we are looking for here.

Checking the ‘Endpoint Security’ section, we come across Mark’s phone, titled ‘MarksPhone’.

Incident details

Let’s proceed to start the playbook.

Parsing the email

These answers are visible from our alert summary:

A1) April 4, 2021, 11 p.m.
A2) 146.56.195.192
A3) lethuyan852@gmail.com
A4) mark@letsdefend.io
A6) No

Is the content malicious?

To check it, let’s run the given domain (http://nuangaybantiep.xyz) through a few threat intel platforms, namely VirusTotal, Hybrid Analysis and Joe Sandbox.

While the former two returned clean verdicts on the domain, Joe Sandbox had something else to say, which can be seen below:

The site was flagged as suspicious but had no malware configuration evidence attached to it.

A) Non-suspicious

Attachments or URLs in the mail?

A) Yes

Analyze Url/Attachment

From Joe Sandbox we understand that the domain was earlier used to spread a trojan, but it is now unreachable to us and is not causing any harm.

The analysis of the domain on VirusTotal and Hybrid Analysis is testament to that.

Hence, the domain is non-malicious.

A) Non-malicious

Adding artifacts

Let’s fill in the table with the evidence and related information collected so far.

From VirusTotal, we can get the serving IP address and the final destination domain for the suspected domain.

Click Next to submit them.
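The fields the playbook asks for (the time, SMTP address, sender and recipient from the headers, whether the body carries a URL, and the rows for the artifact table) can be pulled out programmatically. The script below is an added example, not code from the original write-up or from the Let’s Defend platform; it parses a constructed message that mirrors the alert’s values using Python’s standard email library, and assumes the SMTP source is the bracketed IP in the first Received header.

```python
import email
import re
from email import policy
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Constructed sample mirroring the alert's fields; it is not the mail shown on the platform.
RAW_MAIL = """Received: from mail.example.net ([146.56.195.192])
 by mx.letsdefend.io; Sun, 4 Apr 2021 23:00:00 +0000
From: lethuyan852@gmail.com
To: mark@letsdefend.io
Date: Sun, 4 Apr 2021 23:00:00 +0000
Content-Type: text/plain; charset="utf-8"

Please confirm your account at http://nuangaybantiep.xyz/login
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Assumption: the SMTP source is the bracketed IP in the Received header our own MX added.
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_phishing_mail(raw: str) -> dict:
    """Pull out the playbook fields: time, SMTP address, sender, recipient, URLs, attachments."""
    msg = email.message_from_string(raw, policy=policy.default)
    received = msg.get_all("Received", [])
    hit = RECEIVED_IP_RE.search(received[0]) if received else None
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    has_attachment = any(part.get_filename() for part in msg.walk())
    return {
        "date": parsedate_to_datetime(str(msg["Date"])).isoformat(),
        "smtp_ip": hit.group(1) if hit else None,
        "sender": str(msg["From"]),
        "recipient": str(msg["To"]),
        "urls": urls,
        "domains": sorted({urlsplit(u).hostname for u in urls}),
        "has_attachment": has_attachment,
    }

def artifacts(report: dict) -> list:
    """Rows for the playbook's artifact table as (type, value) pairs, skipping empty values."""
    rows = [("smtp address", report["smtp_ip"]), ("sender", report["sender"])]
    rows += [("url", u) for u in report["urls"]]
    rows += [("domain", d) for d in report["domains"]]
    return [row for row in rows if row[1]]
```

Call parse_phishing_mail(RAW_MAIL) and pass the result to artifacts() to get the rows for the artifact table.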

Analyst’s Note

This is the analyst’s opinion on the alert.

Finish the playbook

Close the alert

Parting notes

Alert Scorecard

We were not able to achieve the objectives required to completely solve this alert. Let’s take it as a learning opportunity to go ahead and crush other incoming SOC alerts!

Conclusion

Thank you for reading this blog entry. Stay tuned, as I go hunting some pcap files out there…

Your opinion matters

My audience has a voice. Feel free to reach out to me on my socials (links are at the top of this page) for any queries to be addressed. Dropping a sweet message would make my day.

Let your opinion about this write-up be known by giving it a clap!
