Welcome #
- LetsDefend is a Blue Team Training platform.
- This writeup documents a SOC alert investigation involving an internal test of the firewall via attempting to connect out to a malicious URL.
Alert Details #
| Key: | Value |
|---|---|
| EventID: | 28 |
| Event Time: | Oct, 29, 2020, 07:34 PM |
| Rule: | SOC105 - Requested T.I. URL address |
| Level: | Security Analyst |
| Source Address: | 172.16.17.47 |
| Source Hostname: | BillPRD |
| Destination Address: | 115.99.150.132 |
| Username: | Bill |
| Request URL: | http://115.99.150.132:56841/Mozi.m |
| User Agent: | Firewall Test - Dont Block |
| Device Action: | Blocked |
Initial Triage #
Actions #
- Copied alert details to notes
- Created case
- Checked for a “Firewall Test” email.
Thoughts #
“That user-agent… Is it actually a firewall test, or just pretending to be one?”
Email #
Searching for ‘Firewall Test’ or the destination address turns up the following email:
From: [email protected]
To: [email protected]
Subject: Firewall Test
Date: Oct, 28, 2020, 09:28 AM
Action: Allowed
Hi team,
We'll do a test on the Firewall tomorrow.
You may see some malicious traffic to the 115.99.150.132 IP address.
Ignore it.
Regards
Thoughts #
“In the real world, I’d be doing a phone call to verify. In this exercise, I believe we just take it at face value.”
Playbook #
Step 1. Analyze Threat Intel Data #
VirusTotal #
| Key: | Value |
|---|---|
| URL | 8/94 |
| Body Hash | 0/61 (-60 Community Score) |
Thoughts #
“Odd… While the URL has some malicious reports, the body is an image? And that image isn’t coming back with anything. I’m gonna check the internal threat intel feed.”
Internal Threat Intel Feed #
| Key: | Value |
|---|---|
| Date | Oct, 29, 2020, 07:43 PM |
| Data Type | URL |
| Data | http://115.99.150.132:56841/Mozi.m |
| Tag | malware |
| Data Source | Abuse ch |
Thoughts #
“If I were to guess, I imagine enough time has passed that the original data we were meant to find isn’t there anymore. We’ll go with Malicious for the sake of the exercise.”
Step 2. Interaction with Threat Intelligence Data #
Log Management #
| Key: | Value |
|---|---|
| type: | Proxy |
| source_address: | 172.16.17.47 |
| source_port: | 46938 |
| destination_address: | 115.99.150.132 |
| destination_port: | 56841 |
| time: | Oct, 29, 2020, 07:34 PM |
| Request URL: | http://115.99.150.132:56841/Mozi.m |
| Request Method: | GET |
| Device Action: | Blocked |
| Process: | chrome.exe |
| Parent Process: | explorer.exe |
| Parent Process MD5: | 8b88ebbb05a0e56b7dcc708498c02b3e |
Thoughts #
“I thought for a moment that they might’ve not actually used the endpoint, and instead spoofed a TCP SYN, but this log looks too enriched for that.”
Endpoint Security #
Thoughts #
“Looks like it was successfully blocked; no ‘network action’ connections there. Also keeping in mind that it’s a test…”
- Not Accessed
Step 3. Artifacts #
| Value | Comment | Type |
|---|---|---|
| http://115.99.150.132:56841/Mozi.m | Malware (TI: Abuse ch) | URL |
Step 4. Analyst Notes #
“Verdict: False Positive. Closing Case. Summary: Firewall Test via ([email protected]) email. Was real malicious URL. Validated via: Log Management, Endpoint Security, Threat Intel, Email Security. Actions taken: None.”
Determination #
Verdict #
- False Positive
- Close Case
Reasoning #
- This was an internal firewall test; no action needed.
Final Thoughts #
“The wording was a bit odd when you have to view it from the lens of handling an internal test. Also, I believe some of the data we were supposed to be viewing was destroyed… Worked out in the end by checking more TI feeds.”
“Also, the playbook is missing the ‘check email to see if it’s an internal test’ step.”
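The triage logic this writeup walks through (TI lookup, then corroborating the “Firewall Test” claim against the announcement email and the device action) as an added Python example; it is not part of the original writeup or of LetsDefend. The alert, feed and announcement values are constructed from the page, and reading “tomorrow” in the email as a one-day window covering Oct 29 is an assumption.

```python
from datetime import datetime

# Constructed from the values in this writeup: the SOC105 alert, the
# internal threat-intel entry and the "Firewall Test" announcement email.
ALERT = {
    "time": datetime(2020, 10, 29, 19, 34),
    "src": "172.16.17.47",
    "dst": "115.99.150.132",
    "url": "http://115.99.150.132:56841/Mozi.m",
    "user_agent": "Firewall Test - Dont Block",
    "action": "Blocked",
}
TI_FEED = {"http://115.99.150.132:56841/Mozi.m": "malware"}  # internal feed (Abuse ch)
# The email was sent Oct 28 09:28 AM and announced a test "tomorrow" against
# 115.99.150.132; treating that as all of Oct 29 is an assumption.
ANNOUNCEMENTS = [{
    "from_internal": True,
    "dst": "115.99.150.132",
    "window_start": datetime(2020, 10, 29),
    "window_end": datetime(2020, 10, 30),
}]


def announced_test(alert, announcements):
    """True only if an internal announcement names the same destination
    and the event falls inside the announced window."""
    return any(
        a["from_internal"]
        and a["dst"] == alert["dst"]
        and a["window_start"] <= alert["time"] < a["window_end"]
        for a in announcements
    )


def triage(alert, ti_feed, announcements):
    """Return (verdict, reasons) for a TI-URL alert such as SOC105."""
    reasons = []
    tag = ti_feed.get(alert["url"])
    if tag:
        reasons.append(f"URL tagged '{tag}' in TI feed")
    # The User-Agent is client-supplied: record the claim, never trust it alone.
    if "firewall test" in alert["user_agent"].lower():
        reasons.append("User-Agent claims a firewall test")
    if announced_test(alert, announcements):
        reasons.append("matches an internally announced test")
        if alert["action"] == "Blocked":
            return "False Positive", reasons + ["device blocked the request"]
        return "Escalate", reasons + ["announced test but request not blocked; check endpoint"]
    reasons.append("no announcement corroborates the test claim")
    return ("True Positive" if tag else "Needs Review"), reasons
```

The same User-Agent outside the announced window or against an unannounced destination earns nothing, which is the point the writeup makes about the missing “check email” playbook step.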