Noel's Cyberkshetra Blogspace
LinkedIn Profile | Github Profile | Personal Blogspot

SOC141 - Phishing URL Detected Alert

Let's analyze a phishing mail with a suspicious URL (Event ID 88)


Last updated 3 years ago

It’s the first week of February and that just means one thing: Let’s Defend has released a new set of SOC alerts for us blue teamers to investigate and solve, and here we will be solving SOC141 - Phishing URL Detected.

Let’s jump right into it!

NOTE: Always investigate Let's Defend alerts from an isolated VM, never from your host machine, since the URLs and samples in these cases can be live.

Introduction to the Alert

These are the alert details being given to us:-

Let’s take ownership of the case

The alert summary tells us that a phishing URL was delivered to the victim by mail, with the intent of getting them to click it.

Create a case book for the same

Collection of Data

Q) Please check the alert details for the following:-

  • Source Address
  • Destination Address
  • User-Agent

From the alert summary, we can determine:

A)
  • Source Address: 172.16.17.88
  • Destination Address: 192.64.119.190
  • User-Agent: Mozilla (Windows)

Search Log

Q) Please search in Log Management for details.

Let’s search for the source IP address, 172.16.17.88, on the Log Management screen

We can see two corresponding entries for the address

Upon expanding the logs, we find the following information:-

Analyze URL Address

Q) Analyze URL in 3rd party tools. Please click “Malicious” if it is malicious and click “Non-malicious” if it isn’t.

You can use the free products/services below:-

  • AnyRun
  • VirusTotal
  • URLhaus
  • URLScan
  • Hybrid Analysis

Let’s analyze the URL using our go-to tools, VirusTotal and Hybrid Analysis.

Taking the URL, http://nuangaybantiep.xyz, and searching it on VirusTotal brought the following results:-

VirusTotal says that the domain is not malicious at all. Reading the comment under the ‘Community’ section, however, gives us the following note:-

That’s why I stick to the rule of verifying with multiple platforms. Reading Joe Sandbox’s HTML report of the malicious domain, we come across the following analysis of the domain:-

It looks like a malicious domain that is capable of spreading a Trojan (take a look at the pie chart).

Let’s analyze it on the Hybrid Analysis platform as well, where two search results pop up for the domain.

Both results determine that the file is not malicious, though.

So, although the domain may be distributing malware, it’s not classified as malicious by the automated verdicts of these threat-intel platforms. A clean aggregate score from one scanner is not evidence of safety; the community note and the sandbox report are what tip the verdict here.

Let’s click on “Malicious” and proceed forward

A) Malicious
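To make the URL-analysis step repeatable, here is an added Python helper of mine; it is not code from the Let's Defend playbook or from the original write-up. It takes the URL from this alert and derives the identifier VirusTotal's v3 API uses for URL objects (URL-safe base64 with the padding stripped, or equivalently the URL's SHA-256), the bare domain for searching Hybrid Analysis, URLhaus or passive DNS, and a defanged copy for the case notes. The `classify_stats` policy (three or more engine detections before calling it malicious, a second opinion otherwise), the `VT_API_KEY` environment variable and the constructed stats dictionary in the demo are my assumptions; the live lookup only runs when a key is set.

```python
"""URL-analysis prep for a phishing alert (added example, not from the original
walkthrough). Everything except the alert's URL is an assumption."""
import base64
import hashlib
import json
import os
import urllib.request
from urllib.parse import urlsplit

ALERT_URL = "http://nuangaybantiep.xyz"          # from the SOC141 alert
VT_URL_OBJECT = "https://www.virustotal.com/api/v3/urls/{id}"
MALICIOUS_VOTES_THRESHOLD = 3                    # assumed triage policy


def vt_url_id(url: str) -> str:
    """VirusTotal v3 identifier for a URL object: URL-safe base64 without '=' padding."""
    return base64.urlsafe_b64encode(url.encode("utf-8")).decode("ascii").rstrip("=")


def url_sha256(url: str) -> str:
    """VT also accepts the SHA-256 of the URL string as the object id."""
    return hashlib.sha256(url.encode("utf-8")).hexdigest()


def domain_of(url: str) -> str:
    """Bare hostname for domain-centric lookups (Hybrid Analysis, URLhaus, passive DNS)."""
    return (urlsplit(url).hostname or "").lower()


def defang(ioc: str) -> str:
    """Make a URL or IP safe to paste into case notes: http -> hxxp, '.' -> '[.]'."""
    if ioc.lower().startswith("http"):
        ioc = "hxxp" + ioc[4:]
    return ioc.replace(".", "[.]")


def classify_stats(stats: dict) -> dict:
    """Turn VT's last_analysis_stats into a triage verdict.

    The lesson from this alert: zero detections is NOT a clean bill of health, so
    anything short of a clear malicious consensus is flagged for a second opinion
    (community notes, a sandbox report, another scanner).
    """
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    total = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "harmless", "undetected"))
    if flagged == 0:
        label = "no-detections"
    elif flagged >= MALICIOUS_VOTES_THRESHOLD:
        label = "malicious"
    else:
        label = "inconclusive"
    return {"flagged": flagged, "total": total, "label": label,
            "second_opinion_needed": label != "malicious"}


def vt_lookup(url: str, api_key: str, timeout: float = 15.0) -> dict:
    """GET the URL object from VirusTotal v3. A 404 means VT has never analysed
    this URL (it would have to be submitted with POST /urls first)."""
    req = urllib.request.Request(
        VT_URL_OBJECT.format(id=vt_url_id(url)),
        headers={"x-apikey": api_key, "accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print("VT id    :", vt_url_id(ALERT_URL))
    print("sha256   :", url_sha256(ALERT_URL))
    print("domain   :", domain_of(ALERT_URL))
    print("defanged :", defang(ALERT_URL))
    key = os.environ.get("VT_API_KEY")              # assumed variable name
    if key:
        stats = vt_lookup(ALERT_URL, key)["data"]["attributes"]["last_analysis_stats"]
    else:
        # constructed stats standing in for a live response
        stats = {"harmless": 70, "malicious": 0, "suspicious": 0, "undetected": 15, "timeout": 0}
    print("verdict  :", classify_stats(stats))
```

Run it with `VT_API_KEY` set to query VirusTotal for real; without a key it prints the identifiers and classifies a constructed zero-detection response as "no-detections, second opinion needed", which is exactly the situation in this alert.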

Has anyone accessed IP /URL Domain?

In the very next screen, we are asked to provide answers to the following questions:-

From the log expansion evidence provided above, we can answer these:-

A) Apr 04, 2021, 11:10 PM

A) 172.16.17.88

A) 192.64.119.190

A) Mark

A) Mozilla — Windows

A) No

A) Yes
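The two steps above (searching Log Management, then answering whether anyone actually reached the IP/URL) are exactly what a small script can do over an exported proxy log, and the same evidence is what later goes into the case artifacts. The following is an added example of mine, not part of the Let's Defend playbook or the original write-up. The log lines are constructed for the example: only the source host 172.16.17.88, the destination 192.64.119.190, the domain nuangaybantiep.xyz and the user Mark come from the alert; the log layout, timestamps, paths, status codes and the other two hosts are assumptions.

```python
"""Answer the 'has anyone accessed the IP/URL?' playbook questions from proxy logs.
Added example; the log layout and all sample lines are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlsplit

# Assumed proxy log layout (one request per line):
#   <ISO-8601 time> <src ip> <dst ip> <user> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<user>\S+) (?P<method>[A-Z]+) '
    r'(?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample export. Line 1 is the click from the alert; line 2 is the
# browser fetching the favicon; line 3 is unrelated traffic; line 4 is a later
# attempt by another host that the proxy blocked (403).
SAMPLE_LOGS = """\
2021-04-04T23:10:00 172.16.17.88 192.64.119.190 Mark GET http://nuangaybantiep.xyz/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2021-04-04T23:10:03 172.16.17.88 192.64.119.190 Mark GET http://nuangaybantiep.xyz/favicon.ico 404 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2021-04-04T23:12:41 172.16.17.21 203.0.113.10 Ellie GET https://example.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2021-04-05T08:14:11 172.16.17.40 192.64.119.190 Dan GET http://www.nuangaybantiep.xyz/ 403 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""


@dataclass(frozen=True)
class LogEntry:
    ts: datetime
    src: str
    dst: str
    user: str
    method: str
    url: str
    status: int
    ua: str


def parse_logs(text: str) -> list[LogEntry]:
    """Parse the export; lines that do not match the layout are skipped, not guessed at."""
    entries: list[LogEntry] = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        entries.append(LogEntry(
            ts=datetime.fromisoformat(m["ts"]), src=m["src"], dst=m["dst"],
            user=m["user"], method=m["method"], url=m["url"],
            status=int(m["status"]), ua=m["ua"],
        ))
    return entries


def host_matches(url: str, domain: str) -> bool:
    """Match the domain itself and its subdomains, never 'evil-nuangaybantiep.xyz'."""
    host = (urlsplit(url).hostname or "").lower()
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def triage(entries: list[LogEntry], domain: str) -> dict:
    """Collect every request to the phishing domain and decide whether any reached it.

    A 2xx/3xx from the proxy means the request was served, i.e. the user's browser
    got the page: that is the 'Yes, accessed' answer. Only 4xx/5xx means the proxy
    or the site refused it. Neither tells you whether a payload ran; that is EDR's job.
    """
    hits = sorted((e for e in entries if host_matches(e.url, domain)), key=lambda e: e.ts)
    reached = [e for e in hits if 200 <= e.status < 400]
    return {
        "first_seen": hits[0].ts.isoformat(sep=" ") if hits else None,
        "hosts": sorted({e.src for e in hits}),
        "users": sorted({e.user for e in hits}),
        "destinations": sorted({e.dst for e in hits}),
        "user_agents": sorted({e.ua for e in hits}),
        "reached": bool(reached),
        "blocked_only": bool(hits) and not reached,
        "hit_count": len(hits),
    }


if __name__ == "__main__":
    result = triage(parse_logs(SAMPLE_LOGS), "nuangaybantiep.xyz")
    for k, v in result.items():
        print(f"{k:>13}: {v}")
```

Matching on the URL's hostname rather than on the destination IP matters: the same hosting IP can front many unrelated sites, while a subdomain of the phishing domain is still the phishing domain. The `blocked_only` flag separates "someone clicked but the proxy stopped it" from "the page was served", which changes the containment decision for that host.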

Containment

Proceed to contain the victim host (172.16.17.88), so that it can no longer reach the phishing infrastructure while the investigation continues

Submission of case artifacts

In the very next screen, we are asked to submit artifacts derived from the case

From the ‘Links’ tab of the domain’s analysis on VirusTotal, we can see some outgoing links from it

Maltego could not graph any mail addresses for this suspicious domain, but it did map the domain's registration details to Reykjavik, the capital of Iceland. Treat that with caution: a Reykjavik registrant address is what a widely used WHOIS privacy service (Withheld for Privacy ehf) returns for a redacted domain, so it points at the registrar's proxy, not at where the attacker sits.

Mapped using Maltego

This is what the malicious domain looks like

Case Artifacts

Analyst’s Note

Finish the playbook!

Close Alert

Proceed to close the alert and provide parting remarks about the case

Alert Scorecard

This is awesome!

Every alert solved is a step towards perfection and I am pretty happy with the score I received.

Summary of the alert

A phishing mail with a suspicious link embedded in it was delivered to a user on host 172.16.17.88. Unfortunately, the victim fell for it: the network logs show the host connecting to the link's destination, 192.64.119.190, on Apr 04, 2021 at 11:10 PM. The suspicious domain was analyzed and showed evidence of peddling malware in the past, even though the automated scanner verdicts came back clean.

The case was a true positive for a phishing attack, and the analyst provided the artifacts (source and destination addresses, the URL and its domain) and notes discussing the case characteristics and results.

Conclusion

This SOC alert exercise was a breath of fresh air, as I performed threat hunting after repeated blue team activities on TryHackMe.

Thank you for reading this blog entry. Stay tuned, as I go hunting through some pcap files out there...

Your opinion matters

My audience has a voice. Feel free to reach out to me, on my socials (links are on top of this page) for any queries to be addressed. Dropping a sweet message would make my day

