Let’s Defend: SOC143 — Password Stealer Detected Walkthrough

Hello readers, welcome to this blog entry as I document my journey through the world of Blue Teaming. Today, we will be trying our hand at the SOC143 Password Stealer Detected alert, on the Let’s Defend platform.

There’s also a Gitbooks version of the same challenge, written by me. You can go ahead and check it out!

NOTE: Always remember to investigate alerts from Let’s Defend, on a VM.

Introduction to the Case

The case particulars are given to us, to analyze and understand:-

Next steps:-

Take ownership of case

Create Case

This case will be extra sweet to solve, as we get to analyze a phishing password stealer, that was used in a real-world Cyberattack

Start Playbook — a special component of investigation.Gives us a blueprint of steps to follow in a case,in an automated manner

Questions

Let’s have a look at our mailbox-for any information about the same. We were able to find this, a blank mail, with a single attachment.​

Now, let’s download the attached file and unzip it, using the ‘unzip’ command and using the passphrase: infected

Enumeration

We recover a file titled [email protected]_63963964Application.HTML, which is an HTML file. Now, let’s view it on the browser, which gives us:-

​At first glance, it looks like a Microsoft personalized phishing website designed to steal Ellie’s password, if she tries to login onto this page

Digging through the page source did not give us any red lights

Let’s go through the playbook’s questions:-

Are there attachments or URLs in the email? Please click “Yes” if there are an attachments or URLs in the email, if there are no attachments or URLs in the email please click “No”.

Contains Attachment or Url?

A)Yes

Analyze Url/Attachment in 3rd party sandboxes. Please click “Malicious” if it is malicious and click “Non-malicious” if it isn’t.

Analysis of infected file

We submit the HTML file for analysis on Virustotal and Hybrid-Analysis

First, over at Virus Total — 5 vendors classify the file as malicious​

​They classify the file as a part of a phishing attempt

Now onto Hybrid-Analysis

We find that the file has been run on two OS’ — Windows 7 (32 and 64 bit)-where both found the file to be malicious

​So the file is indeed malicious

A)Malicious

Q)Check If Mail Delivered to User? Answer the following question by determining whether the e-mail is delivered by looking at the “device action” part of the alert details.

Yes, we can find from the case particulars that device action has been set to allow

A)Delivered

Q)Check If Someone Opened the Malicious File/URL? Please go to the “Log Management” page and check if the c2 address accessed. You can check if the malicious file is run by searching the c2 addresses of the malicious file.

Please click “Yes” if someone has accessed the malicious address. Otherwise please click “No” button.

We click yes

Adding artifacts to the casefile

Now, it’s time to add a few artifacts to the case

Digging through more details, we find:-

MD5 Hash of file — bd05664f01205fa90774f42468a8743a

SHA — 1 Hash of file — f3df825ef2e3c70a5bc70f4a7c935be10a65bf57

This information was sourced from VirusTotal, under the ‘Details’ tab.

We add artifacts, that were collected during the enumeration process:-

Further Analysis of HTML File

From the community section of VirusTotal, we find the Joe sandbox analysis of the same file​

As an analyst, we conclude the case, by jotting some notes about the same

​Finish Playbook

Close Alert — by providing notes and classifying the alert as either true or false positive

Alert Scorecard

20/25 points acquired. We got it wrong in one question. Further enumeration would have prevented us from committing that error

Every alert solved is a step towards perfection and I am pretty happy with the score I received.

Summary of Case

A SOC Alert came in, asking us if a suspected phishing mail and its attachment was indeed malicious. Upon closer inspection, we found that it was designed to capture a user’s password, mimicking Microsoft’s Outlook login page, which is a classic example of a Phishing attack

Conclusion

Thank you for devouring this blog entry and stay tuned as I try to close down more SOC alerts……

Your opinion matters

My audience has a voice. Feel free to reach out to me, on my socials (links are on top of this page) for any queries to be addressed. Dropping a sweet message would make my day

Let your opinion about this write-up be known, by giving it a clap!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store