SOC143 - Password Stealer Detected Alert
Let's explore the working of a password stealer in action...
Last updated
Let's explore the working of a password stealer in action...
Last updated
Hello readers, welcome to this blog entry as I document my journey through the world of Blue Teaming. Today, we will be trying our hand at the SOC143 — Password Stealer Detected alert, on the Let’s Defend platform.
NOTE: Always remember to investigate alerts from Let's Defend, on a VM.
The alert particulars are given to analyze and understand:-
Next steps:-
Take ownership of case
Create Case
This case will be extra sweet to solve, as we get to analyze a phishing password stealer, that was used in a real-world cyberattack
Start Playbook — a special component of investigation.Gives us a blueprint of steps to follow in a case,in an automated manner
Let’s have a look at our mailbox-for any information about the same. We were able to find this, a blank mail, with a single attachment.
Now, let’s download the attached file and unzip it, using the ‘unzip’ command and using the passphrase: infected
We recover a file titled [email protected]_63963964Application.HTML, which is an HTML file. Now, viewing it on the browser, gives us the following webpage:-
At first glance, it looks like a Microsoft personalized phishing website designed to steal Ellie’s password, if she tries to login onto this page
Digging through the page source did not give us any red lights
Q) Are there attachments or URLs in the email? Please click “Yes” if there are an attachments or URLs in the email, if there are no attachments or URLs in the email please click “No”.
Contains Attachment or Url?
A) Yes
Q) Analyze Url/Attachment in 3rd party sandboxes. Please click “Malicious” if it is malicious and click “Non-malicious” if it isn’t.
We submit the HTML file for analysis on Virustotal and Hybrid-Analysis
First, over at Virus Total — 5 vendors classify the file as malicious
They classify the file as a part of a phishing attempt
Now onto Hybrid-Analysis
We find that the file has been run on two OS’ — Windows 7 (32 and 64 bit)-where both found the file to be malicious
So the file is indeed malicious
A) Malicious
Q) Check If Mail Delivered to User? Answer the following question by determining whether the e-mail is delivered by looking at the “device action” part of the alert details.
Yes, we can find from the case particulars that device action has been set to allow
A) Delivered
Q) Check If Someone Opened the Malicious File/URL? Please go to the “Log Management” page and check if the c2 address accessed. You can check if the malicious file is run by searching the c2 addresses of the malicious file.
Please click “Yes” if someone has accessed the malicious address. Otherwise please click “No” button.
We click yes
A) Yes
Now, it’s time to add a few artifacts to the case
Digging through more details, we find:-
MD5 Hash of file — bd05664f01205fa90774f42468a8743a
SHA — 1 Hash of file — f3df825ef2e3c70a5bc70f4a7c935be10a65bf57
This information was sourced from VirusTotal, under the ‘Details’ tab.
We add artifacts, that were collected during the enumeration process
From the community section of VirusTotal, we find the Joe sandbox analysis of the same file
As an analyst, we conclude the case, by jotting some notes about the same
Finish Playbook
Close Alert — by providing notes and classifying the alert, either as a true or false positive
20/25 points acquired. We got it wrong in one question. Further enumeration would have prevented us from committing that error.
Every alert solved is a step towards perfection and I am pretty happy with the score I received.
A SOC Alert came in, asking us if a suspected phishing mail and its attachment was indeed malicious. Upon closer inspection, we found that it was designed to capture a user’s password, mimicking Microsoft’s Outlook login page, which is a classic example of a Phishing attack
Thank you for reading this blog entry. Stay tuned, as I go hunting behind some pcap files out there....
My audience has a voice. Feel free to reach out to me, on my socials (links are on top of this page) for any queries to be addressed. Dropping a sweet message would make my day
Let your opinion about this write-up be known, by selecting any one of the emojis below!
