Let’s Defend: SOC141 — Phishing URL Detected
Hey blue teamers, hope you are hale and hearty!
This is yet another blog entry, where we will be focusing on solving Let’s Defend’s SOC141 — Phishing URL Detected alert
Spoiler alert: There is something awesome being mentioned at the end of this article, so hang tight!
There is a Gitbooks version of the same alert, written by me. Go ahead and have a look!
NOTE: Always remember to investigate alerts from Let’s Defend, on a VM.
Introduction to the Alert
We are given the alert details to understand. By going through it, we can determine that this is a classic phishing attack attempt
Take ownership of the case
Proceed to create the case
Start the playbook
Collection of Data
Below, we are given a few details to source. The required information is specified in the alert summary
Source Address — 172.16.17.49
Destination Address — 184.108.40.206
User-Agent — Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
Now checking Log Management
We try to filter out existing network logs, by entering the source and destination IP’s as input. The resulting two entries show some data being accessed from the victim host
Analyze URL Address
Domain for analysis — http://firstname.lastname@example.org
To fulfill my curiosity, I decided to visit this domain
Remember to analyze alerts on a VM
We find that the domain is hosted on WordPress and seems to be a dead-end
Let’s submit this domain, to Virustotal. It will determine whether the site is malicious or not
Turns out, the site was indeed malicious and is classified as a phishing domain
Virustotal analysis of domain (mogagrocol.ru)
This domain is classified under the ‘Phishing’ domain
So we select — Malicious
Has Anyone Accessed IP/URL/Domain?
Accessing Log Management and viewing logs from both Source and Destination IP’s
When verifying against contacted hosts — Image 11 and 10(1)
We can find that the host hasn't contacted the malicious domain — from the ‘Contacted Hosts’ history, from Hybrid-Analysis
Answering the questions from above:-
A)Mar, 22, 2021, 09:23 PM
A)Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
In retrospect, I was initially confused whether the host had accessed the phishing domain and decided to go against it. Hence I selected ‘No’
From the evidence above, it is evident that the victim had accessed the domain. This is an honest write-up after all.No cheating or cutting corners!
I wouldn't want you to make the same mistake
We select ‘Not accessed’
To hunt down any mail addresses associated with this phishing domain, I used Maltego to trace out every information it had, related to the site
Safe to say, it did not fail us, but I was unable to glean any useful information
However, we have a few IPs, outgoing links, and a malicious domain to submit as case artifacts!
Click on next to submit the artifacts
Finish the playbook and close the alert
We proceed to add a few notes, before closing the case. List every incident in a crisp manner
This is not a bad score at all, but I wish I had been a bit more careful, in getting the wrong answer right. Every alert solved is a step towards perfection and I am pretty happy with the score I received
A perfect ending
Upon submitting my answers, I was met with this beauty of a badge. It looks pretty awesome and I am proud of myself, for having achieved it!
I would encourage you to give Let’s Defend a try and see how you enjoy and learn from it!
Summary of the alert
A phishing mail was sent to a host, on the Let’s Defend network (EmilyComp). From the network logs, it was found that the victim host had accessed the phishing domain.
Running the domain on VirusTotal confirmed our suspicions and to close the case, important artifacts were collected and submitted
The case was a true positive for a phishing attack and the analyst responsibly provided artifacts and notes, discussing the case characteristics and results
Thank you for reading this blog entry, and stay tuned as I try to close down more SOC alerts……
Your opinion matters
My audience has a voice. Feel free to reach out to me, on my socials (links are on top of this page) for any queries to be addressed. Dropping a sweet message would make my day
Let your opinion about this write-up be known, by giving it a clap!