## Welcome

- LetsDefend is a Blue Team training platform.
- This writeup documents a SOC alert investigation of a proxy alert (a phishing URL that the proxy allowed through).
## Alert Details

| Key | Value |
| --- | --- |
| EventID | 86 |
| Event Time | Mar 22, 2021, 9:23 PM |
| Rule | SOC141 - Phishing URL Detected |
| Level | Security Analyst |
| Source Address | 172.16.17.49 |
| Source Hostname | EmilyComp |
| Destination Address | 91.189.114.8 |
| Destination Hostname | mogagrocol.ru |
| Username | ellie |
| Request URL | http://mogagrocol.ru/wp-content/plugins/akismet/fv/[email protected] |
| User Agent | Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36 |
| Device Action | Allowed |
## Initial Triage

### Actions:

- Copied alert details to notes
- Created case
- Began threat intelligence analysis

### Thoughts:

“It was allowed? Oh boy…”
## Threat Intelligence Analysis

### Tools Used:

#### IP:

#### Domain:

#### URL:

### Findings:

| Key | Value |
| --- | --- |
| Reputation Results | Malicious |
| Sandbox Consensus | Error - HTTP 403 (page could not be fetched) |
| Conclusion | Page could not be captured for analysis (HTTP 403); verdict rests on reputation data. |
| Confidence Level | Medium |

### Thoughts:

“Can’t analyze the page due to the 403 error, but from the reputation it was most likely malicious.”
## Email Analysis

### Thoughts:

“There are no email logs to analyze! Emily’s email is in the URL. It makes me worry that logs aren’t making it to the SIEM.”
## Log Analysis

| Field | Value |
| --- | --- |
| type | Proxy |
| source_address | 172.16.17.49 |
| source_port | 55662 |
| destination_address | 91.189.114.8 |
| destination_port | 80 |
| time | Mar 22, 2021, 9:23 PM |
| Request URL | http://mogagrocol.ru/wp-content/plugins/akismet/fv/[email protected] |

| Field | Value |
| --- | --- |
| type | Firewall |
| source_address | 172.16.17.49 |
| source_port | 55662 |
| destination_address | 91.189.114.8 |
| destination_port | 80 |
| time | Mar 22, 2021, 9:23 PM |

### Thoughts:

“Nothing new to learn from this information. We already knew the endpoint connected to the website, as the alert was from the proxy log. The firewall log doesn’t contain an ‘allow/deny’ field, which would’ve made things clearer. Luckily I already know from experience that logs like that mean it allowed it through.”
## Indicators of Compromise (IOCs)

### Thoughts:

“Due to us being unable to get a copy of the phishing page or malware sample, the only indicator we have is the connection log, which in this organization is enough for containment.”
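The log correlation and IOC handling described in the two sections above, as an added example (not part of the original writeup): it ties the proxy record to the firewall record for the same flow by 5-tuple and time, pulls the domain, IP, URL and the embedded user email out of the request URL, defangs them for the ticket, and applies the containment rule the writeup uses (reached a malicious destination, execution unknown). All records below are constructed to mirror the tables above; the `request_url` / `device_action` field names and the `?email=` query string are assumptions, not the real alert URL.

```python
"""Added example: correlate proxy/firewall records, extract IOCs, apply the
containment rule. Sample records are constructed; the email parameter in the
URL is an assumed shape, not the actual alert URL."""
from datetime import datetime, timedelta
from urllib.parse import urlsplit
import re

# Constructed records mirroring the Log Analysis tables. Field names
# "request_url" and "device_action" are assumptions.
PROXY_EVENTS = [
    {"type": "Proxy", "source_address": "172.16.17.49", "source_port": 55662,
     "destination_address": "91.189.114.8", "destination_port": 80,
     "time": "2021-03-22T21:23:00",
     "request_url": "http://mogagrocol.ru/wp-content/plugins/akismet/fv/"
                    "index.php?email=ellie@example.com",  # assumed shape
     "device_action": "Allowed"},
]
FIREWALL_EVENTS = [
    # Same 5-tuple seconds later: the proxy-accepted session leaving the edge.
    {"type": "Firewall", "source_address": "172.16.17.49", "source_port": 55662,
     "destination_address": "91.189.114.8", "destination_port": 80,
     "time": "2021-03-22T21:23:04"},
    # Unrelated session from the same host (constructed noise).
    {"type": "Firewall", "source_address": "172.16.17.49", "source_port": 55663,
     "destination_address": "93.184.216.34", "destination_port": 443,
     "time": "2021-03-22T21:23:05"},
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def five_tuple(event):
    """Key that ties a proxy record to the firewall record of the same flow."""
    return (event["source_address"], event["source_port"],
            event["destination_address"], event["destination_port"])


def correlate(proxy_events, firewall_events, window=timedelta(seconds=60)):
    """Pair each proxy record with firewall records for the same 5-tuple
    logged within `window`. A firewall record with no allow/deny field still
    shows the flow was seen at the edge after the proxy passed it."""
    pairs = []
    for p in proxy_events:
        p_time = datetime.fromisoformat(p["time"])
        for f in firewall_events:
            f_time = datetime.fromisoformat(f["time"])
            if five_tuple(p) == five_tuple(f) and abs(p_time - f_time) <= window:
                pairs.append((p, f))
    return pairs


def extract_iocs(proxy_event):
    """Domain, IP, URL and any user email embedded in the phishing URL."""
    url = proxy_event["request_url"]
    match = EMAIL_RE.search(url)
    return {
        "url": url,
        "domain": urlsplit(url).hostname,
        "ip": proxy_event["destination_address"],
        "targeted_email": match.group(0) if match else None,
    }


def defang(indicator):
    """Render an indicator so it is not clickable when pasted into a ticket."""
    return indicator.replace("http", "hxxp").replace(".", "[.]")


def triage(proxy_event, firewall_pairs, reputation, edr_status):
    """Decision logic from the Determination section. Assumed policy:
    reached a malicious destination and execution unknown => contain."""
    reached = proxy_event.get("device_action") == "Allowed" or bool(firewall_pairs)
    execution_unknown = edr_status != "Healthy"
    reasons = []
    if reputation == "Malicious":
        reasons.append("destination reputation: malicious")
    if reached:
        reasons.append("endpoint reached the destination without being blocked")
    if execution_unknown:
        reasons.append(f"execution unknown (EDR status: {edr_status})")
    true_positive = reputation == "Malicious" and reached
    return {
        "verdict": "True Positive" if true_positive else "Needs review",
        "contain": true_positive and execution_unknown,
        "reasons": reasons,
    }


if __name__ == "__main__":
    pairs = correlate(PROXY_EVENTS, FIREWALL_EVENTS)
    iocs = extract_iocs(PROXY_EVENTS[0])
    print({k: defang(v) if isinstance(v, str) else v for k, v in iocs.items()})
    print(triage(PROXY_EVENTS[0], pairs, "Malicious", "Anomalous - missing data"))
```

The firewall record carries no action field, so `correlate` does not try to read one; the fact that a record for the same 5-tuple exists a few seconds after the proxy passed the request is what the writer relies on, and the code makes that inference explicit rather than implicit.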
## Endpoint Analysis

| Key | Value |
| --- | --- |
| File Execution | Unknown - missing data from EDR agent |
| File Quarantined | No |
| Infection Status | Possibly Infected |
| EDR Status | Anomalous - missing data |

### Thoughts:

“In this organization, if a machine has the possibility of being infected we are supposed to initiate containment. Do remember that not all organizations are like this.”
## Determination

### Verdict:

- True Positive
- Escalate Case

### Reasoning:

- The endpoint reached the malicious URL without being blocked
- Execution of malware is unknown (missing logs)
- The EDR agent is behaving anomalously (missing logs)

### Actions:

- Initiate endpoint containment
## Playbook

### Questions:

| Question | Answer |
| --- | --- |
| Analyze URL Address | Malicious |
| Has Anyone Accessed IP/URL/Domain? | Accessed |
| Containment | Initiated |

### Artifacts:

| Value | Comment | Type |
| --- | --- | --- |
| 91.189.114.8 | Phishing IP | IP Address |
| http://mogagrocol.ru/wp-content/plugins/akismet/fv/[email protected] | Phishing Address | URL Address |

### Notes:

Verdict: True Positive. Containment Initiated. Escalating.

Summary: Endpoint reached out to a malicious domain that was alerted on as phishing. No logs for quarantine. EDR agent missing relevant logs. Containment initiated.

Validated via: threat intel, log management, endpoint security.

Actions taken: Containment Initiated.
## Lessons Learned

“Moving without information isn’t optimal. I’m surprised the EDR agent hadn’t had updated logs all this time, and no alerts had gone off. I’m also surprised the proxy didn’t grab at least a snapshot of the phishing page. If this was a real situation, I’d ask people.”