Let’s Defend: SOC141 — Phishing URL Detected

Hey blue teamers, hope you are hale and hearty!

This is yet another blog entry, where we will be focusing on solving Let’s Defend’s SOC141 — Phishing URL Detected alert.

Spoiler alert: There is something awesome being mentioned at the end of this article, so hang tight!

There is a Gitbooks version of the same alert, written by me. Go ahead and have a look!

NOTE: Always remember to investigate alerts from Let’s Defend, on a VM.

Introduction to the Alert

We are given the alert details to understand. By going through them, we can determine that this is a classic phishing attack attempt.

Take ownership of the case
Proceed to create the case

Start the playbook

Collection of Data

Below, we are given a few details to source. The required information is specified in the alert summary.

Source Address — 172.16.17.49
Destination Address — 91.189.114.8
User-Agent — Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

Search Log

Now checking Log Management

We filter the existing network logs by entering the source and destination IPs as input. The resulting two entries show some data being accessed from the victim host.

Analyze URL Address

Domain for analysis — http://mogagrocol.ru/wp-content/plugins/akismet/fv/index.php?email=ellie@letsdefend.io

To fulfill my curiosity, I decided to visit this domain

Remember to analyze alerts on a VM

We find that the domain is hosted on WordPress and seems to be a dead end.

Domain Analysis

Let’s submit this domain to VirusTotal, which will determine whether the site is malicious or not.

Turns out, the site was indeed malicious and is classified as a phishing domain.

VirusTotal analysis of domain (mogagrocol.ru)

This domain is classified under the ‘Phishing’ category.

So we select — Malicious

A)Malicious

Has Anyone Accessed IP/URL/Domain?

Accessing Log Management and viewing logs from both Source and Destination IPs.

When verifying against contacted hosts — Image 11 and 10(1)

From the ‘Contacted Hosts’ history in Hybrid-Analysis, we can find that the host hasn't contacted the malicious domain.
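The two steps above (filtering network logs by source and destination IP, then deciding whether the host actually reached the phishing domain) can be scripted. The following is an added example, not part of the original write-up or of Let’s Defend’s platform; the log lines and their field layout are constructed from the alert data above, and the `triage` function name is my own.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample proxy log lines shaped like the alert data above
# (not LetsDefend's real log format): time, src, dst, action, url, user-agent.
SAMPLE_LOGS = """\
2021-03-22T21:23 172.16.17.49 91.189.114.8 Allowed http://mogagrocol.ru/wp-content/plugins/akismet/fv/index.php?email=ellie@letsdefend.io Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
2021-03-22T21:24 172.16.17.49 91.189.114.8 Allowed http://mogagrocol.ru/wp-content/plugins/akismet/fv/index.php Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
2021-03-22T21:25 172.16.17.12 93.184.216.34 Allowed http://example.com/ Mozilla/5.0 (X11; Linux x86_64) Firefox/86.0
"""

PHISHING_DOMAIN = "mogagrocol.ru"


def parse_line(line):
    """Split one log line into a dict; maxsplit keeps the user-agent's spaces."""
    time, src, dst, action, url, ua = line.split(maxsplit=5)
    return {"time": time, "src": src, "dst": dst, "action": action,
            "url": url, "ua": ua}


def triage(logs, src, dst, domain):
    """Return what the 'Has anyone accessed?' step needs: whether src reached
    the domain via dst, when it was first seen, whether the proxy allowed it,
    and which mailbox the URL's email= parameter names (the targeted user)."""
    hits = [e for e in (parse_line(l) for l in logs.splitlines() if l.strip())
            if e["src"] == src and e["dst"] == dst
            and urlparse(e["url"]).hostname == domain]
    users = set()
    for e in hits:
        for addr in parse_qs(urlparse(e["url"]).query).get("email", []):
            users.add(addr.split("@")[0])
    return {
        "accessed": bool(hits),
        "first_seen": hits[0]["time"] if hits else None,
        "allowed": any(e["action"] == "Allowed" for e in hits),
        "targeted_users": sorted(users),
        "request_count": len(hits),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOGS, "172.16.17.49", "91.189.114.8", PHISHING_DOMAIN))
```

The `email=` parameter in the URL tells the analyst which mailbox received the lure, which is the answer to the "user" question in the playbook.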

Answering the questions from above:

A)Mar, 22, 2021, 09:23 PM

A)172.16.17.49

A)91.189.114.8

A)ellie

A)Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36

A)Allowed

In retrospect, I was initially confused whether the host had accessed the phishing domain and decided to go against it. Hence I selected ‘No’.

From the evidence above, it is evident that the victim had accessed the domain. This is an honest write-up after all. No cheating or cutting corners!

I wouldn't want you to make the same mistake.

We select ‘Not accessed’.

A)Not accessed

Add Artifacts

To hunt down any mail addresses associated with this phishing domain, I used Maltego to trace out every piece of information it had related to the site.

Safe to say, it did not fail us, but I was unable to glean any useful information.

However, we have a few IPs, outgoing links, and a malicious domain to submit as case artifacts!

Click on next to submit the artifacts.

Finish the playbook and close the alert

Parting Notes

We proceed to add a few notes before closing the case. List every incident in a crisp manner.

Alert Scorecard

This is not a bad score at all, but I wish I had been a bit more careful in getting the wrong answer right. Every alert solved is a step towards perfection, and I am pretty happy with the score I received.

A perfect ending

Upon submitting my answers, I was met with this beauty of a badge. It looks pretty awesome and I am proud of myself for having achieved it!

I would encourage you to give Let’s Defend a try and see how you enjoy and learn from it!

Summary of the alert

A phishing mail was sent to a host, on the Let’s Defend network (EmilyComp). From the network logs, it was found that the victim host had accessed the phishing domain.

Running the domain on VirusTotal confirmed our suspicions, and to close the case, important artifacts were collected and submitted.

The case was a true positive for a phishing attack, and the analyst responsibly provided artifacts and notes discussing the case characteristics and results.

Conclusion

Thank you for reading this blog entry, and stay tuned as I try to close down more SOC alerts...

Your opinion matters

My audience has a voice. Feel free to reach out to me on my socials (links are on top of this page) for any queries to be addressed. Dropping a sweet message would make my day.

Let your opinion about this write-up be known by giving it a clap!


Security+ | eJPT | Connect with me on LinkedIn — https://www.linkedin.com/in/noel--varghese
