
(Writeup) LetsDefend EventID: 45 - [SOC114 - Malicious Attachment Detected - Phishing Alert]


Welcome!

  • LetsDefend is a Blue Team Training platform.
  • This writeup is for an alert on the LetsDefend simulated SOC.

The Alert:

Let’s copy the alert details into our notes and create the case.

Before we start the playbook, let’s throw the SMTP Address into Talos Intelligence Center to see if it’s labeled as a malicious domain.

No information.

Playbook:

The playbook asks whether the email is suspicious and whether it carries attachments; we don't know either yet, so let's get that information from Email Security.

Investigating Email:

Throwing in the source email address filters down to the email we are looking for.

It does indeed contain an attachment. I would say this is suspicious, but let’s investigate the attached file just in case.

Uploading Malware to VirusTotal:

After unzipping it and uploading to VirusTotal, we have our answer. It is indeed malicious. We can continue with the playbook now.

Yes, we know all this information now!

Yes, attachments!

They are indeed malicious!

According to the alert details, it was delivered!

“You got it, boss.” Momentarily back to Email Security.

Trash can button -> Delete.

Deleted!

Investigating Logs for C2 Connections:

Let’s find the C2 addresses on VirusTotal’s “BEHAVIOR” tab inside the file report.

When multiple sandboxes agree, you usually get the correct C2 addresses.

Filtering the logs by the C2 URL found that: yes, the computer did connect to the C2 server. It ran the malware and got infected. Looks like we'll need to initiate containment on that endpoint.

The malware was indeed run.
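To show what the log-checking step above amounts to when done outside the LetsDefend UI, here is an added example (not part of the original writeup or of the LetsDefend platform). It takes C2 indicators of the kind a sandbox report lists (full URL, domain, destination IP) and runs them over proxy-style log lines, then separates endpoints whose C2 traffic was allowed (contain) from those whose attempt was blocked (review). Every indicator, hostname, IP and log line is a constructed placeholder.

```python
"""Match proxy/firewall log lines against C2 indicators and list the
endpoints that need containment.

All indicators and log lines below are constructed for illustration;
they are not from the alert, VirusTotal, or any real incident.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed indicators (placeholders, not real C2 infrastructure).
C2_INDICATORS = {
    "urls": {"http://c2.example.invalid/gate.php"},
    "domains": {"c2.example.invalid"},
    "ips": {"203.0.113.10"},
}

# Constructed log lines in a simple key=value proxy-log style.
SAMPLE_LOGS = """\
2024-03-02T10:15:01Z src=10.0.0.12 host=WS-ACCT-07 url=http://c2.example.invalid/gate.php dst=203.0.113.10 action=allowed
2024-03-02T10:15:03Z src=10.0.0.40 host=WS-HR-02 url=https://update.example.com/patch dst=198.51.100.5 action=allowed
2024-03-02T10:16:20Z src=10.0.0.12 host=WS-ACCT-07 url=http://c2.example.invalid/beacon dst=203.0.113.10 action=allowed
2024-03-02T10:17:00Z src=10.0.0.55 host=WS-IT-01 url=http://203.0.113.10/ dst=203.0.113.10 action=blocked
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) host=(?P<host>\S+) "
    r"url=(?P<url>\S+) dst=(?P<dst>\S+) action=(?P<action>\S+)$"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    host: str
    src: str
    matched_on: str   # "url", "domain" or "ip"
    indicator: str
    action: str


def match_line(line, indicators=C2_INDICATORS):
    """Return a Hit if the log line touches a C2 indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable line: skip rather than guess
    url, dst = m["url"], m["dst"]
    domain = urlparse(url).hostname or ""
    # Most specific indicator first: exact URL, then domain, then IP.
    if url in indicators["urls"]:
        return Hit(m["ts"], m["host"], m["src"], "url", url, m["action"])
    if domain in indicators["domains"]:
        return Hit(m["ts"], m["host"], m["src"], "domain", domain, m["action"])
    if dst in indicators["ips"] or domain in indicators["ips"]:
        return Hit(m["ts"], m["host"], m["src"], "ip", dst, m["action"])
    return None


def find_c2_hits(log_text, indicators=C2_INDICATORS):
    """All log lines that match any C2 indicator, in log order."""
    hits = (match_line(line, indicators) for line in log_text.splitlines())
    return [h for h in hits if h is not None]


def containment_candidates(hits):
    """Split matched endpoints by whether the C2 traffic actually got through.

    An allowed connection means the host talked to the C2 server and should be
    contained; a blocked attempt still shows the malware ran, so it is queued
    for review rather than silently dropped.
    """
    contain = sorted({h.host for h in hits if h.action == "allowed"})
    review = sorted({h.host for h in hits if h.action == "blocked"} - set(contain))
    return {"contain": contain, "review": review}


if __name__ == "__main__":
    found = find_c2_hits(SAMPLE_LOGS)
    for h in found:
        print(f"{h.ts} {h.host} ({h.src}) -> {h.indicator} [{h.matched_on}] {h.action}")
    print(containment_candidates(found))
```

Matching on the domain and destination IP as well as the exact URL matters because beaconing malware often varies the path while reusing the same host, so an exact-URL filter alone can miss later callbacks.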

Containing Infected Endpoint:

Containment on the way!

Searched for the endpoint based on which machine reached out to the C2 servers. Containment initiated!

Finishing Up:

Added the IP of the SMTP server from which we received the phishing email. If we had more artifact locations, I’d add the phishing address and malware hashes, too.

Quick analyst note: “Phishing was received and run by the end user. C2 traffic exists in logs. The email has been deleted, and the endpoint containment was initiated.”

Playbook finish!

Alert finish; with note: “Phishing was received and run. Malware. True Positive. Email deleted. Endpoint containment initiated.”

Results:

Hope this helps!

Author: Reed Eggleston
B.S. in Cybersecurity | SSCP | CySA+ | PenTest+ | Project+