SOC141 - Phishing URL Detected Alert
Let's analyze a phishing mail, with a suspicious URL ... (Event ID - 88)
It’s the first week of February and that just means one thing. Let’s Defend has released a new set of SOC Alerts for us blue teamers to investigate and solve and here, we will be solving the SOC 141— Phishing URL alert.
Let’s jump right into it!
NOTE: Always remember to investigate alerts from Let's Defend, on a VM.
These are the alert details being given to us:-
Let’s take ownership of the case
Reading the alert’s summary, it’s plain to see that a phishing URL was sent to the victim, wanting him/her to click it.
Create a case book for the same
Q) Please check alert details for the following below:-
Source Address
Destination Address
User-Agent
From the alert summary, we can determine
A)
Source Address — 172.16.17.88
Destination Address — 192.64.119.190
User Agent — Mozilla — Windows
Q) Please search in Log Management for details.
Let’s search the Source IP address, on the Log Management screen
We can see two corresponding entries for the address
Upon expanding the logs, we find the following information:-
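The Log Management step above (search the source address, expand the matching entries, pull out the fields the playbook questions ask for) is easy to script once logs are exported. The following is an added example, not part of the original write-up or of LetsDefend's platform: it parses a few constructed log lines in a hypothetical `key=value` format (the field names, the `hostname=Mark` and `url=` fields, and the `203.0.113.10` / `host-b` decoy entry are all my own assumptions), filters by the alert's source address, and summarizes the date, destination, hostname, contacted domain and user-agent family.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample log lines in a hypothetical key=value proxy-log format. This is
# not LetsDefend's real log schema; the values mirror the alert details in this write-up.
SAMPLE_LOGS = """\
2021-04-04T23:10:00Z src=172.16.17.88 dst=192.64.119.190 hostname=Mark url="http://nuangaybantiep.xyz/" status=200 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2021-04-04T23:10:02Z src=172.16.17.88 dst=192.64.119.190 hostname=Mark url="http://nuangaybantiep.xyz/favicon.ico" status=404 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2021-04-04T23:11:40Z src=172.16.17.45 dst=203.0.113.10 hostname=host-b url="http://example.com/" status=200 ua="Mozilla/5.0 (X11; Linux x86_64)"
"""

# key=value pairs; values may be double-quoted (needed for user agents containing spaces)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class LogEntry:
    timestamp: str
    src: str
    dst: str
    hostname: str
    url: str
    status: int
    user_agent: str


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one log line; return None for blank or malformed lines instead of raising."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2:
        return None
    timestamp, rest = parts
    fields: Dict[str, str] = {k: (q if q else u) for k, q, u in KV_RE.findall(rest)}
    required = ("src", "dst", "hostname", "url", "status", "ua")
    if any(key not in fields for key in required):
        return None
    try:
        status = int(fields["status"])
    except ValueError:
        return None
    return LogEntry(timestamp, fields["src"], fields["dst"], fields["hostname"],
                    fields["url"], status, fields["ua"])


def parse_logs(text: str) -> List[LogEntry]:
    return [e for e in (parse_line(line) for line in text.splitlines()) if e is not None]


def search_by_source(entries: List[LogEntry], src_ip: str) -> List[LogEntry]:
    """Equivalent of searching Log Management for the alert's source address."""
    return [e for e in entries if e.src == src_ip]


def ua_family(user_agent: str) -> str:
    """Collapse a raw user agent to the 'browser - OS' form used in the answers above."""
    browser = "Mozilla" if user_agent.startswith("Mozilla") else "Other"
    ua_lower = user_agent.lower()
    if "windows" in ua_lower:
        os_name = "Windows"
    elif "linux" in ua_lower:
        os_name = "Linux"
    elif "mac os" in ua_lower:
        os_name = "macOS"
    else:
        os_name = "Unknown"
    return f"{browser} - {os_name}"


def summarize(entries: List[LogEntry]) -> Dict[str, object]:
    """Collect the fields the playbook questions ask for from the matching log lines."""
    if not entries:
        return {}
    ordered = sorted(entries, key=lambda e: e.timestamp)  # ISO 8601 timestamps sort lexically
    return {
        "first_seen": ordered[0].timestamp,
        "last_seen": ordered[-1].timestamp,
        "source": ordered[0].src,
        "destinations": sorted({e.dst for e in entries}),
        "hostnames": sorted({e.hostname for e in entries}),
        "domains": sorted({urlparse(e.url).hostname or "" for e in entries}),
        "user_agents": sorted({ua_family(e.user_agent) for e in entries}),
        # a non-error status shows the victim host actually reached the site
        "reached_site": any(e.status < 400 for e in entries),
        "request_count": len(entries),
    }


if __name__ == "__main__":
    hits = search_by_source(parse_logs(SAMPLE_LOGS), "172.16.17.88")
    for key, value in summarize(hits).items():
        print(f"{key:14} {value}")
```

The `reached_site` flag is the detail worth keeping an eye on: a 2xx response to the phishing URL means the victim host made contact, which is what turns this from "user received a link" into "host needs containment".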
Q) Analyze URL in 3rd party tools. Please click “Malicious” if it is malicious and click “Non-malicious” if it isn’t.
You can use the free products/services below.
AnyRun, VirusTotal, URLHouse, URLScan, HybridAnalysis
Let’s analyze using our go-to tools, VirusTotal and Hybrid-Analysis
Taking the URL — http://nuangaybantiep.xyz, and searching it up on VirusTotal brought the following results:-
It says that the domain is not malicious at all. Reading the comment under the ‘Community’ section gives us the following note:-
That’s why I stick by the rule of verifying with multiple platforms. Reading Joe Sandbox’s HTML report of the malicious domain, we come across the following analysis:-
Seems like a malicious domain that is capable of spreading a Trojan (take a look at the pie chart).
Let’s analyze it on the Hybrid-Analysis platform as well, where 2 search results pop up for the domain
Both results determine that the file is not malicious, though.
Though the domain may be distributing malware, it’s not classified as a malicious domain by these threat intel platforms.
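The lesson of this step, that a "clean" reputation score on one platform must not override a sandbox that saw the domain serving malware, can be written down as a small decision rule. Below is an added example of my own, not code from the write-up or from any of the vendors named above. The VirusTotal URL identifier (unpadded URL-safe base64 of the URL, looked up at `/api/v3/urls/{id}` with an `x-apikey` header) is the real v3 API convention; the `SourceVerdict` record, the `normalize_vt_stats` threshold and the sample counts in `SAMPLE_VT_STATS` / `SAMPLE_VERDICTS` are constructed for the demo and are not the actual numbers returned for this domain.

```python
import base64
import json
import urllib.request
from dataclasses import dataclass
from typing import Dict, List, Tuple

URL = "http://nuangaybantiep.xyz"  # the URL from the alert


def vt_url_id(url: str) -> str:
    """VirusTotal v3 identifies a URL by its unpadded URL-safe base64 encoding."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def vt_url_id_roundtrip_ok(url: str) -> bool:
    """Sanity check: re-add padding and make sure the id decodes back to the URL."""
    ident = vt_url_id(url)
    padded = ident + "=" * (-len(ident) % 4)
    return base64.urlsafe_b64decode(padded).decode() == url


def fetch_vt_url_report(url: str, api_key: str) -> dict:
    """Live lookup (not used by the offline demo below): GET /api/v3/urls/{id}."""
    req = urllib.request.Request(
        f"https://www.virustotal.com/api/v3/urls/{vt_url_id(url)}",
        headers={"x-apikey": api_key, "accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


@dataclass
class SourceVerdict:
    source: str
    flagged: bool  # True if this platform considers the URL/domain malicious
    note: str


def normalize_vt_stats(stats: Dict[str, int], threshold: int = 1) -> SourceVerdict:
    """Turn VT's last_analysis_stats counts into a yes/no verdict for this one source.
    Default threshold: a single engine calling it malicious or suspicious is enough."""
    bad = stats.get("malicious", 0) + stats.get("suspicious", 0)
    total = sum(stats.values()) or 1
    return SourceVerdict("virustotal", bad >= threshold, f"{bad}/{total} engines flagged it")


def decide(verdicts: List[SourceVerdict]) -> Tuple[str, List[str]]:
    """Escalate when ANY source flags the URL. Reputation scores saying 'clean' do not
    cancel out a sandbox report that watched the domain drop malware."""
    reasons = [f"{v.source}: {v.note}" for v in verdicts if v.flagged]
    return ("malicious" if reasons else "non-malicious"), reasons


# Constructed records mirroring the situation in this write-up: VT and Hybrid Analysis
# treat the domain as clean, while the Joe Sandbox report shows it distributing a Trojan.
# The counts and notes are invented for the demo; only the VT stats dict shape is real.
SAMPLE_VT_STATS = {"malicious": 0, "suspicious": 0, "harmless": 70, "undetected": 15}
SAMPLE_VERDICTS = [
    normalize_vt_stats(SAMPLE_VT_STATS),
    SourceVerdict("hybrid_analysis", False, "no specific threat in 2 submissions"),
    SourceVerdict("joe_sandbox", True, "report shows the domain dropping a Trojan"),
]

if __name__ == "__main__":
    print("VT url id:", vt_url_id(URL))
    verdict, why = decide(SAMPLE_VERDICTS)
    print(verdict, why)
```

Run stand-alone it prints `malicious` with the Joe Sandbox note as the sole reason, which is exactly the "Malicious" answer chosen below: the rule is deliberately one-sided, because a false "non-malicious" closes an alert on a host that may already be infected, whereas a false "malicious" only costs an analyst a closer look.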
Let’s click on “Malicious” and proceed forward
A) Malicious
In the very next screen, we are asked to provide answers to the following questions:-
From the log expansion evidence provided above, we can answer these:-
A) Apr, 04, 2021, 11:10 PM
A) 172.16.17.88
A) 192.64.119.190
A) Mark
A) Mozilla — Windows
A) No
A) Yes
Proceed to contain the victim host
In the very next screen, we are asked to submit artifacts derived from the case
From the ‘Links’ tab of the domain’s analysis on VirusTotal, we can see some outgoing links from it
Although we were unable to graph any mail addresses from this suspicious domain, we can very well state that the origin of the attack is Reykjavik, the capital of Iceland.
Mapped using Maltego
This is what the malicious domain looks like
Finish the playbook!
Proceed to close the alert and provide parting remarks about the case
This is awesome!
Every alert solved is a step towards perfection and I am pretty happy with the score I received.
A phishing mail was sent from source 172.16.17.88, with a suspicious link embedded within it. Unfortunately, the victim ended up falling for it. Relevant network logs provide evidence of this. The suspicious domain was analyzed and showed evidence of peddling malware in the past
The case was a true positive for a phishing attack and the analyst responsibly provided artifacts and notes, discussing the case characteristics and results
This SOC alert exercise was a breath of fresh air, as I performed threat hunting after repeated blue team activities on Try Hack Me.
Thank you for reading this blog entry. Stay tuned, as I go hunting behind some pcap files out there....
My audience has a voice. Feel free to reach out to me, on my socials (links are on top of this page) for any queries to be addressed. Dropping a sweet message would make my day