Welcome #
- LetsDefend is a Blue Team Training platform.
- This writeup documents a SOC alert investigation involving an Exchange alert.
Alert Details #
| Key | Value |
|---|---|
| EventID: | 82 |
| Event Time: | Mar, 21, 2021, 12:26 PM |
| Rule: | SOC140 - Phishing Mail Detected - Suspicious Task Scheduler |
| Level: | Security Analyst |
| SMTP Address: | 189.162.189.159 |
| Source Address: | [email protected] |
| Destination Address: | [email protected] |
| E-mail Subject: | COVID19 Vaccine |
| Device Action: | Blocked |
Initial Triage #
Actions: #
- Copied alert details to notes
- Created case
- Began threat intelligence analysis
Thoughts: #
“Luckily it was blocked. Now to see if it was a false positive, and/or if anything else slipped through.”
Threat Intelligence Analysis #
Tools Used: #
SMTP IP: #
| Key | Value |
|---|---|
| VirusTotal: | Green (Low Community Score) |
| Talos Intelligence: | Neutral |
| AbuseIPDB: | 204 Reports (SSH Brute-Force) |
Thoughts: #
“Once again reinforcing why many sources of information are important.”
Email: #
| Header | Value |
|---|---|
| From: | [email protected] |
| To: | [email protected] |
| Subject: | COVID19 Vaccine |
| Date: | Mar, 21, 2021, 12:26 PM |
| Action: | Blocked |
Hey, did you read breaking news about Covid-19. Open it now!
password: infected
Attachment (MD5): 72c812cf21909a48eb9cceb9e04b865d
Email Attachment: #
| Key | Value |
|---|---|
| VirusTotal: | 25/63 security vendors flagged this file as malicious |
| Hybrid Analysis: | Threat Score: 100/100 |
Thoughts: #
“The sender password protected the attachment, probably to try and bypass malware scans. Also, no reliable C2 address in the sandbox analysis.”
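The attachment check above (a password-protected archive with the password written in the body) is a pattern worth automating for triage. The following is an added example, not code from the original writeup or from LetsDefend: it parses a constructed .eml, hashes every attachment and reports whether a ZIP has its encryption flag set while the body advertises a password. The .eml is built from the alert fields on the page; sender and recipient are placeholders because the page redacts them, and the ZIP is a dummy whose encryption bit is set by hand, so its hashes will not match the case's real MD5s.

```python
"""Offline triage of a phishing e-mail's attachments.

Added example (not from the writeup). Flags the evasion pattern seen in this
case: an encrypted ZIP plus a "password: ..." hint in the body.
"""
import email
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Matches "password: infected", "Password = abc" etc. in the body text.
PASSWORD_HINT = re.compile(r"\bpassword\s*[:=]\s*(\S+)", re.IGNORECASE)


def make_fake_encrypted_zip() -> bytes:
    """Constructed sample: a plain ZIP with the PKWARE encryption flag forced on.

    zipfile cannot write encrypted archives, so bit 0 of the general-purpose
    flag is set in the local file header (offset 6) and the central directory
    entry (offset 8). The data stays unencrypted; only the flag is faked.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Covid-19 Breaking News.pdf", b"%PDF-1.4 dummy\n")
    data = bytearray(buf.getvalue())
    lfh = data.find(b"PK\x03\x04")
    data[lfh + 6] |= 0x01
    cde = data.find(b"PK\x01\x02")
    data[cde + 8] |= 0x01
    return bytes(data)


def build_sample_eml() -> bytes:
    """Constructed .eml using the alert fields from the page (addresses are placeholders)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # real sender redacted on the page
    msg["To"] = "recipient@example.invalid"     # real recipient redacted on the page
    msg["Subject"] = "COVID19 Vaccine"
    msg["Date"] = "Sun, 21 Mar 2021 12:26:00 +0000"
    msg.set_content(
        "Hey, did you read breaking news about Covid-19. Open it now!\n"
        "password: infected\n"
    )
    msg.add_attachment(make_fake_encrypted_zip(), maintype="application",
                       subtype="zip", filename="Covid-19 Breaking News.zip")
    return msg.as_bytes()


def is_encrypted_zip(data: bytes) -> bool:
    """True if the blob is a ZIP and any entry has the encryption flag set."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(zi.flag_bits & 0x01 for zi in zf.infolist())
    except zipfile.BadZipFile:
        return False


def triage_eml(raw: bytes) -> dict:
    """Hash attachments and correlate encrypted archives with a body password hint."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    hint = PASSWORD_HINT.search(text)
    result = {"password_hint": hint.group(1) if hint else None, "attachments": []}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        result["attachments"].append({
            "filename": part.get_filename(),
            "md5": hashlib.md5(data).hexdigest(),       # for TI lookups (page uses MD5)
            "sha256": hashlib.sha256(data).hexdigest(),
            "encrypted_zip": is_encrypted_zip(data),
        })
    result["likely_scanner_evasion"] = bool(hint) and any(
        a["encrypted_zip"] for a in result["attachments"])
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(triage_eml(build_sample_eml()), indent=2))
```

Point the script at a real .eml exported from the mail gateway instead of `build_sample_eml()`; the `likely_scanner_evasion` flag is what justifies detonating the archive in a sandbox with the advertised password rather than trusting a scanner that could not open it.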
Findings: #
| Key | Value |
|---|---|
| Reputation Results: | malicious |
| Sandbox Consensus: | malicious |
| Malware Family: | trojan.fraud |
| Confidence Level: | high |
Thoughts: #
“True Positive; good thing it was blocked.”
Determination #
Verdict: #
- True Positive.
- Close Case.
Reasoning: #
- The email was indeed phishing with malware attached.
- The email was blocked.
Playbook #
Questions: #
| Question | Answer |
|---|---|
| Are there attachments or URLs in the email? | Yes |
| Analyze Url/Attachment | Malicious |
| Check If Mail Delivered to User? | Not Delivered |
Artifacts: #
| Value | Comment | Type |
|---|---|---|
| 189.162.189.159 | IP of Phishing SMTP | IP Address |
| [email protected] | Phisher | E-mail Sender |
| cmail.carleton.ca | Phishing Domain | E-mail Domain |
| 72c812cf21909a48eb9cceb9e04b865d | Malicious PDF | MD5 Hash |
| 957774f297ae3c13d233bb0ba2dfc352 | Malicious Zip | MD5 Hash |
Notes: #
Verdict: True Positive. Blocked.
Summary: Verified as phishing email, with malicious attachment. Email was blocked before delivery.
Validated via: threat intel, sandbox, email security, log management, endpoint security.
Actions taken: None.
Lessons Learned #
“A lot of my time is used on doing Threat Intelligence Validation. It’d be nice if we could use the SOAR to automate the lookup of the data from the different threat intelligence channels automatically. Since that is unlikely, I’ll have to design a little local webpage to do that.”
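The SMTP IP lookups in this case are the motivating example for that automation: VirusTotal came back green and Talos neutral while AbuseIPDB held 204 reports, so any aggregation has to let the worst source win rather than the first green one. The following is an added example, not code from the writeup or from LetsDefend: it normalises per-source results into one label and computes a consensus that also surfaces disagreement. The API responses are constructed to mirror the page's results; field names follow the public VirusTotal v3 and AbuseIPDB v2 JSON as I know them and should be confirmed against current docs before the constants are replaced by HTTP calls. The AbuseIPDB confidence score of 100 and the thresholds are assumptions (the page gives only the report count), and Talos is omitted because it has no public API.

```python
"""Threat-intel consensus for this case's artifacts, runnable offline.

Added example (not from the writeup). Constructed vendor responses stand in for
live API calls; field names are assumptions based on the public API docs.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Verdict:
    source: str
    label: str   # "malicious" | "suspicious" | "clean" | "unknown"
    detail: str


# --- constructed responses mirroring the page's results (shapes are assumptions) ---
VT_IP_RESPONSE = {"data": {"attributes": {"last_analysis_stats": {
    "harmless": 68, "malicious": 0, "suspicious": 0, "undetected": 19}}}}
ABUSEIPDB_RESPONSE = {"data": {"ipAddress": "189.162.189.159",
                               "abuseConfidenceScore": 100, "totalReports": 204}}
VT_FILE_RESPONSE = {"data": {"attributes": {"last_analysis_stats": {
    "malicious": 25, "suspicious": 0, "harmless": 0, "undetected": 38}}}}


def _vt_label(stats: Dict[str, int], malicious_floor: int) -> str:
    """Map VirusTotal engine counts to a label; floor = engines needed for 'malicious'."""
    bad, sus = stats.get("malicious", 0), stats.get("suspicious", 0)
    if bad >= malicious_floor:
        return "malicious"
    if bad or sus:
        return "suspicious"
    if stats.get("harmless", 0) or stats.get("undetected", 0):
        return "clean"
    return "unknown"


def vt_ip_verdict(resp: dict) -> Verdict:
    stats = resp["data"]["attributes"]["last_analysis_stats"]
    return Verdict("VirusTotal", _vt_label(stats, malicious_floor=3),
                   f"{stats.get('malicious', 0)} engines flag the IP")


def vt_file_verdict(resp: dict) -> Verdict:
    stats = resp["data"]["attributes"]["last_analysis_stats"]
    total = sum(stats.values())
    return Verdict("VirusTotal", _vt_label(stats, malicious_floor=5),
                   f"{stats.get('malicious', 0)}/{total} engines flag the file")


def abuseipdb_verdict(resp: dict) -> Verdict:
    d = resp["data"]
    score, reports = d["abuseConfidenceScore"], d["totalReports"]
    if score >= 75:
        label = "malicious"
    elif score >= 25 or reports >= 10:
        label = "suspicious"
    else:
        label = "clean"
    return Verdict("AbuseIPDB", label, f"confidence {score}, {reports} reports")


def consensus(verdicts: List[Verdict]) -> dict:
    """Worst verdict wins; a single green source never clears an artifact."""
    order = ["unknown", "clean", "suspicious", "malicious"]
    labels = [v.label for v in verdicts]
    return {
        "verdict": max(labels, key=order.index),
        "disagreement": len(set(labels)) > 1,   # analyst should see split opinions
        "sources": {v.source: f"{v.label} ({v.detail})" for v in verdicts},
    }


def assess_case() -> dict:
    """Run the consensus over the two artifacts the page enriched."""
    ip = consensus([vt_ip_verdict(VT_IP_RESPONSE), abuseipdb_verdict(ABUSEIPDB_RESPONSE)])
    pdf = consensus([vt_file_verdict(VT_FILE_RESPONSE)])
    return {"189.162.189.159": ip, "72c812cf21909a48eb9cceb9e04b865d": pdf}


if __name__ == "__main__":
    import json
    print(json.dumps(assess_case(), indent=2))
```

Swapping the constants for real requests keeps the normalisers and `consensus()` unchanged, which is the part worth getting right: the `disagreement` flag is what stops a green VirusTotal result from quietly closing a case that AbuseIPDB would have kept open.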