
(Writeup) LetsDefend EventID: 93 - [SOC146 - Phishing Mail Detected - Excel 4.0 Macros]

Welcome!

  • LetsDefend is a Blue Team Training platform.
  • This writeup is for an alert on the LetsDefend simulated SOC.

The Alert:

Device Action: Allowed. Let’s hope it isn’t phishing!
Let’s copy the alert details into our notes, then create the case!

Let’s throw the SMTP Address into Talos Intelligence real quick.

Talos Intelligence:

While not outright malicious, it doesn’t inspire confidence.

Let’s get going with the playbook.

Playbook:

Well, we have the first four from the alert details. Let’s check out the Email Security section to find out the last two.

Email Security:

A quick filter on the source address gave us the email.

Well, I guess we have to examine the attachments.

After unzipping the two layers of the zip archive, we have the .xls file. (If I’m correct, the reason the DLLs are included is that the domains they are supposed to be downloaded from have been removed.) Throwing the research-1646684671.xls file into VirusTotal.

VirusTotal:

Malicious. Well, at least it saves us the step of doing dynamic analysis ourselves.

We are aware of the email; it is indeed a phishing attempt with attached malware.

Yes, there are attachments!

Malicious attachments!

It was delivered; the alert details said: “Device Action: Allowed”.

Quick jump back to Email Security.

We’ve deleted it!

We can grab the C2 addresses from VirusTotal in the “BEHAVIOR” tab under “IP Traffic”:

The IPs where multiple sandboxes agree tend to be accurate. Let’s search for those IPs in Log Management.

Log Management:

The second C2 IP returned logs. The request URL is a perfect match. The endpoint is infected. I imagine the next step in the playbook is to quarantine the box.

Yes, it was opened, and the endpoint is infected!

My gut was right; it was the next step!

Endpoint Security:

Searching for the IP that connected to the C2, we find LarsPRD, which makes sense for [email protected]. We initiate containment for this endpoint.

We contained it!
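As an added example (not part of the original writeup or the LetsDefend platform), here is a small Python script that automates the pivot described above: it keeps only the C2 IPs that at least two sandboxes agree on, runs them against proxy log lines, and lists the source hosts that reached a C2 address and are candidates for containment. All sandbox observations, IP addresses and log lines are constructed placeholders, and the key=value log format is an assumption.

```python
import re
from collections import Counter

# Constructed sandbox "IP Traffic" observations (placeholder addresses from
# RFC 5737 documentation ranges, not indicators from the original alert).
SANDBOX_IP_TRAFFIC = {
    "sandbox_a": ["198.51.100.10", "203.0.113.77", "192.0.2.5"],
    "sandbox_b": ["198.51.100.10", "203.0.113.77"],
    "sandbox_c": ["198.51.100.10", "192.0.2.99"],
}

# Constructed proxy log lines in a simple key=value layout (assumed format).
LOG_LINES = [
    "2022-03-07 21:14:03 src=172.16.17.8 dst=198.51.100.10 url=http://198.51.100.10/sample.dll",
    "2022-03-07 21:14:05 src=172.16.17.8 dst=192.0.2.1 url=http://192.0.2.1/",
    "2022-03-07 21:15:11 src=172.16.17.22 dst=192.0.2.99 url=http://192.0.2.99/update",
    "not a log line",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) src=(?P<src>\S+) dst=(?P<dst>\S+) url=(?P<url>\S+)$"
)

def corroborated_c2_ips(reports, min_sandboxes=2):
    """Keep only IPs that at least `min_sandboxes` independent sandboxes saw."""
    counts = Counter(ip for ips in reports.values() for ip in set(ips))
    return {ip for ip, n in counts.items() if n >= min_sandboxes}

def parse_log(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_c2_contacts(lines, c2_ips):
    """Return parsed log records whose destination is a corroborated C2 IP."""
    hits = []
    for line in lines:
        rec = parse_log(line)
        if rec and rec["dst"] in c2_ips:
            hits.append(rec)
    return hits

def infected_hosts(hits):
    """Source addresses that reached a C2 IP; candidates for containment."""
    return sorted({h["src"] for h in hits})

if __name__ == "__main__":
    contacts = find_c2_contacts(LOG_LINES, corroborated_c2_ips(SANDBOX_IP_TRAFFIC))
    print("contain:", infected_hosts(contacts))
```

The single-sandbox IP (192.0.2.99) is dropped before the log search, so the host that only contacted it is not flagged; lower `min_sandboxes` to 1 if you would rather review those hits too.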

Clean Up:

If I could add more artifacts, I would. I thought it would be best to leave the IP address of the SMTP server from which we received the phishing email.

Now, just to finish up with some notes.

Result:

Hope this helps!

Author: Reed Eggleston
B.S. in Cybersecurity | SSCP | CySA+ | PenTest+ | Project+