The following is a write-up of the Phishing Prevention room in the TryHackMe SOC Level 1 path.

Rory33160/Phishing-Prevention

Phishing-Prevention

Phishing Case 1

Scenario: You are a Level 1 SOC Analyst. Several suspicious emails have been forwarded to you from other coworkers. You must obtain details from each email for your team to implement the appropriate rules to prevent colleagues from receiving additional spam/phishing emails.

Task: Use the tools discussed throughout this room (or use your own resources) to help you analyze each email header and email body.

What brand was this email tailored to impersonate?

I am using the Google Admin Toolbox Messageheader tool to examine the email header.

Answer: Netflix

What is the From email address? The From: field in the parsed Messageheader output gives the sender address (captured in the screenshot).

What is the originating IP? Defang the IP address. The originating IP address is also found in the header: Messageheader pulls it out of the Received chain.

CyberChef's Defang IP Addresses operation gives the answer: 209[.]85[.]167[.]226

From what you can gather, what do you think will be a domain of interest? Defang the domain.

The domain is found in the header of the email (shown in the screenshot). CyberChef defangs it by replacing each dot with [.]; the defanged answer is in the second screenshot.

What is the shortened URL? Defang the URL.

Phishing Case 2

Scenario: You are a Level 1 SOC Analyst. Several suspicious emails have been forwarded to you from other coworkers. You must obtain details from each email for your team to implement the appropriate rules to prevent colleagues from receiving additional spam/phishing emails.

A malicious attachment from a phishing email inspected in the previous Phishing room was uploaded to AnyRun for analysis.

Task: Investigate the analysis and answer the questions below.

What does AnyRun classify this email as? AnyRun classifies the analysis as:

Suspicious Activity

What is the name of the PDF file? Payment-updateid.pdf

What is the SHA 256 hash for the PDF file?

SHA 256: cc6f1a04b10bcb168aeec8d870b97bd7c20fc161e8310b5bce1af8ed420e2c24

What two IP addresses are classified as malicious? Defang the IP addresses. (answer: IP_ADDR,IP_ADDR)

An easier way to get this is to click "Text report" and scroll to the Connections section. Clicking "NEXT" in the Connections category reveals the second malicious IP address.

From there we can defang the addresses in CyberChef.

The answer in the requested format is 2[.]16[.]107[.]24,2[.]16[.]107[.]83

What Windows process was flagged as Potentially Bad Traffic? In the same Text Report, under Processes, we can find the Windows process:

svchost.exe

Phishing Case 3

What is this analysis classified as? The Text Report answers the first three questions.

Malicious activity

What is the name of the Excel file? CBJ200620039539.xlsx

What is the SHA 256 hash for the file? 5F94A66E0CE78D17AFC2DD27FC17B44B3FFC13AC5F42D3AD6A5DCFB36715F3EB

What domains are listed as malicious? Defang the URLs & submit answers in alphabetical order. (answer: URL1,URL2,URL3)

The Text Report, under DNS requests / domains, lists the three malicious domains.

The question then asks us to defang them and sort them alphabetically. The CyberChef recipe is Defang URL followed by Sort (alphabetical).

What IP addresses are listed as malicious? Defang the IP addresses & submit answers from lowest to highest. (answer: IP1,IP2,IP3)

The IP addresses are under Connections and DNS requests in the Text Report. Then we defang and sort in CyberChef. Note that CyberChef's alphabetical sort orders dotted quads character by character rather than by octet value; the Sort operation's "IP address" order gives a true lowest-to-highest ordering.

204[.]11[.]56[.]48,75[.]2[.]11[.]242,103[.]224[.]182[.]251
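The defang-and-sort steps used in Cases 1, 2 and 3 above are easy to get subtly wrong (a plain alphabetical sort puts 103.x after 75.x, and a URL with a dotted path needs more than a dot substitution). The script below is an added example, not code from the room or the original write-up: it reproduces the CyberChef Defang IP / Defang URL / Sort recipes in Python. The three IPs are the ones quoted on this page; the domains and the URL are constructed, and the CyberChef defaults it mirrors (http to hxxp, "." to "[.]", "://" to "[://]") are my reading of that operation.

```python
"""Defang and order indicators the way the CyberChef recipes on this page do.

Added example, not part of the original write-up or the room. The IP addresses
are the ones quoted on this page; the domains and the URL are constructed.
"""
import ipaddress
import re

# Sample inputs: only the IPs appear on the page, the rest are constructed.
CASE3_IPS = ["204.11.56.48", "75.2.11.242", "103.224.182.251"]
SAMPLE_DOMAINS = ["zeta-payments.example", "Alpha-invoice.example", "mid-claims.example"]
SAMPLE_URL = "https://bit.ly/3xmpl/login.php"


def defang_ip(ip: str) -> str:
    """209.85.167.226 -> 209[.]85[.]167[.]226; IPv6 gets its colons bracketed instead."""
    addr = ipaddress.ip_address(ip.strip())  # ValueError on anything that is not an IP
    if addr.version == 4:
        return str(addr).replace(".", "[.]")
    return str(addr).replace(":", "[:]")


def defang_domain(domain: str) -> str:
    """Lower-case the name and bracket every dot so it cannot be clicked or resolved."""
    return domain.strip().lower().replace(".", "[.]")


def defang_url(url: str) -> str:
    """Mirror CyberChef 'Defang URL' defaults: http->hxxp, '.'->'[.]', '://'->'[://]'."""
    out = re.sub(r"http", "hxxp", url.strip(), flags=re.IGNORECASE)
    out = out.replace(".", "[.]")
    return out.replace("://", "[://]")


def refang(text: str) -> str:
    """Undo the substitutions above so an indicator can be fed to a lookup tool."""
    return (text.replace("[://]", "://").replace("[.]", ".").replace("[:]", ":")
                .replace("hxxp", "http"))


def sort_ips(ips):
    """True lowest-to-highest ordering by octet value (alphabetical sort gets this wrong)."""
    def key(s):
        addr = ipaddress.ip_address(s)
        return (addr.version, int(addr))
    return sorted(ips, key=key)


def sort_domains(domains):
    """Alphabetical, case-insensitive, as the Case 3 question asks."""
    return sorted(domains, key=str.lower)


def answer_string(items, defanger):
    """Join defanged items with commas in the 'IOC1,IOC2,IOC3' format the room expects."""
    return ",".join(defanger(i) for i in items)


if __name__ == "__main__":
    print(answer_string(sort_ips(CASE3_IPS), defang_ip))
    print(answer_string(sort_domains(SAMPLE_DOMAINS), defang_domain))
    print(defang_url(SAMPLE_URL))
```

Run stand-alone it prints the Case 3 addresses in true numeric order (75, 103, 204), which differs from the order in the answer string above; check which ordering a question actually expects before submitting.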

What vulnerability does this malicious attachment attempt to exploit?

CVE-2017-11882, the memory-corruption bug in the Microsoft Office Equation Editor (EQNEDT32.EXE) that is still widely abused through crafted Office documents.

Phishing Email 4 - SMTP Status Codes

What Wireshark filter can you use to narrow down the packet output using SMTP status codes? smtp.response.code

Narrowing the output further with smtp.response.code == 220 shows the text of the server's greeting reply.

The answer being Service ready

One packet shows a response that an email was blocked using spamhaus.org. What were the packet number and status code? (no spaces in your answer)

I am using the display filter in Wireshark with the string "spamhaus.org".

Here we can see the packet number is 156 and the code is 553.

Based on the packet from the previous question, what was the message regarding the mailbox?

mailbox name not allowed

What is the status code that will typically precede a SMTP DATA command?

Based on the hint provided for this question [the server is now waiting for the "body" of the message], we can deduce that the status code is 354. It is the server's reply to DATA, telling the client to start sending the message body.
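The Phishing Email 4 questions above all come down to reading SMTP reply codes (220, 354, 553) and the enhanced status code and text that follow them. The script below is an added example, not part of the room or the original write-up: it parses server reply lines the way smtp.response.code isolates them in Wireshark, flags permanent rejections that mention a DNS blocklist, and checks that each client command drew the reply it should (DATA should draw 354). Every reply line and frame number is constructed; frame 156 is made up to mirror the packet discussed above, and 10.12.19.101 is the source address quoted later on this page.

```python
"""Parse SMTP server replies and flag DNSBL rejections.

Added example, not part of the original write-up. All reply lines and frame
numbers below are constructed.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Reply texts for the codes this page touches (RFC 5321 section 4.2.3 wording).
SMTP_REPLY_TEXT = {
    220: "Service ready",
    221: "Service closing transmission channel",
    250: "Requested mail action okay, completed",
    354: "Start mail input; end with <CRLF>.<CRLF>",
    421: "Service not available, closing transmission channel",
    450: "Requested mail action not taken: mailbox unavailable",
    550: "Requested action not taken: mailbox unavailable",
    553: "Requested action not taken: mailbox name not allowed",
    554: "Transaction failed",
}

# Reply code the client should see after each command in a healthy session.
EXPECTED_REPLY = {"EHLO": 250, "HELO": 250, "MAIL": 250, "RCPT": 250, "DATA": 354, "QUIT": 221}

# "553 5.3.0 text" or "250-text" (hyphen: more lines of this reply follow); enhanced code optional.
REPLY_RE = re.compile(
    r"^(?P<code>[2-5]\d\d)(?P<sep>[ -])(?:(?P<esc>[245]\.\d{1,3}\.\d{1,3})\s+)?(?P<text>.*)$"
)


class SmtpReply(NamedTuple):
    code: int
    enhanced: Optional[str]  # RFC 3463 enhanced status code, e.g. 5.3.0
    text: str
    last_line: bool          # False while the server is still inside a multi-line reply


def parse_reply(line: str) -> Optional[SmtpReply]:
    """Return the structured reply, or None for a line that is not a server reply."""
    m = REPLY_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return SmtpReply(int(m["code"]), m["esc"], m["text"], m["sep"] == " ")


def reply_class(code: int) -> str:
    """First digit of the code tells you whether to retry, give up, or keep sending."""
    return {2: "success", 3: "intermediate", 4: "transient failure", 5: "permanent failure"}[code // 100]


def wireshark_filter(code: int) -> str:
    """Display filter that isolates one reply code, as used in the room."""
    return f"smtp.response.code == {code}"


def find_dnsbl_rejections(packets: List[Tuple[int, str]], marker: str = "spamhaus.org"):
    """(frame, code, enhanced code) for permanent rejections whose text names the blocklist."""
    hits = []
    for frame_no, line in packets:
        r = parse_reply(line)
        if r and r.code >= 500 and marker in r.text.lower():
            hits.append((frame_no, r.code, r.enhanced or ""))
    return hits


def check_session(exchange: List[Tuple[str, str]]):
    """(verb, expected, got) for every reply that is not what the command should draw."""
    problems = []
    for command, reply_line in exchange:
        r = parse_reply(reply_line)
        verb = command.split()[0].upper()
        want = EXPECTED_REPLY.get(verb)
        if want is not None and (r is None or r.code != want):
            problems.append((verb, want, r.code if r else None))
    return problems


# Constructed packets: (frame number, server reply line).
SAMPLE_PACKETS = [
    (4, "220 mx.example.test ESMTP ready"),
    (9, "250-mx.example.test"),
    (10, "250 SIZE 10240000"),
    (23, "250 2.1.0 Ok"),
    (156, "553 5.3.0 <victim@example.test>... Mail from 10.12.19.101 blocked using spamhaus.org"),
    (201, "354 End data with <CR><LF>.<CR><LF>"),
]

# Constructed client/server exchange in which the recipient is rejected.
SAMPLE_SESSION = [
    ("EHLO sender.example.test", "250 mx.example.test"),
    ("MAIL FROM:<a@example.test>", "250 2.1.0 Ok"),
    ("RCPT TO:<victim@example.test>", "553 5.3.0 blocked using spamhaus.org"),
    ("DATA", "354 End data with <CR><LF>.<CR><LF>"),
]

if __name__ == "__main__":
    for frame, code, esc in find_dnsbl_rejections(SAMPLE_PACKETS):
        print(frame, code, esc, SMTP_REPLY_TEXT[code])
    print(check_session(SAMPLE_SESSION))
```

The multi-line handling matters in practice: an EHLO reply spans several "250-" lines, and only the final "250 " line marks the end, so a naive one-line match undercounts replies.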

SMTP Traffic Analysis

What port is the SMTP traffic using? SMTP uses TCP port 25 by default, and the Wireshark packet list confirms it.

How many packets are specifically SMTP? Applying the display filter smtp shows "Displayed: 512" in the status bar at the bottom right.

What is the source IP address for all the SMTP traffic? The Wireshark.org display-filter reference gives us a clue where to start with this search.

We use the ip.src field together with the smtp filter to show the source of every SMTP packet.

This returns the result of

10.12.19.101

What is the filename of the third file attachment?

Searching the SMTP packets for the string "filename" (the Content-Disposition parameter that carries each attachment's name) locates the third file attachment: Attachment.scr

How about the last file attachment?

Using the same search criteria as above and cycling through to the last attachment, we can see that the answer is .zip
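The string search for "filename" works because MIME carries each attachment's name in a Content-Disposition header; the same message structure also holds the Received headers that the Case 1 originating-IP question relies on. The script below is an added example, not code from the room or the original write-up: it builds a constructed three-attachment message (placeholder bytes only), lists every attachment with its SHA-256 and a risk flag, and walks the Received chain to the originating IP. Filenames reuse the ones mentioned on this page, the Received-header IPs reuse 209.85.167.226 and 10.12.19.101 from above, and the RISKY_EXT set is an assumption to tune for your environment.

```python
"""Pull attachment names, hashes and Received-chain IPs out of a raw message.

Added example, not part of the original write-up. The message is constructed
here; attachment bodies are a few placeholder bytes.
"""
import email
import hashlib
import os
import re
from email import policy
from email.message import EmailMessage

# Extensions that should never arrive by mail unchallenged (assumption: tune to your environment).
RISKY_EXT = {".scr", ".exe", ".js", ".vbs", ".hta", ".lnk", ".iso", ".zip", ".xlsm", ".docm"}

IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def build_sample_message() -> bytes:
    """Constructed message with three attachments in the order the page discusses."""
    msg = EmailMessage()
    # Topmost Received is the last hop (closest to us); the bottom one is the earliest visible hop.
    msg["Received"] = "from mx.example.test ([10.12.19.101]) by inbox.example.test; Mon, 1 Jan 2024 00:00:02 +0000"
    msg["Received"] = "from mail-lf1-f226.google.com ([209.85.167.226]) by mx.example.test; Mon, 1 Jan 2024 00:00:01 +0000"
    msg["From"] = "billing@example.test"
    msg["To"] = "analyst@example.test"
    msg["Subject"] = "Payment update"
    msg.set_content("Please review the attached documents.")
    msg.add_attachment(b"abc", maintype="application", subtype="pdf", filename="Payment-updateid.pdf")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream", filename="Attachment.scr")
    msg.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


def list_attachments(raw: bytes):
    """One dict per attachment: name, declared type, SHA-256 of the decoded bytes, size, risk flag."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""  # base64/quoted-printable undone here
        name = part.get_filename() or "(unnamed)"
        ext = os.path.splitext(name)[1].lower()
        found.append({
            "filename": name,
            "content_type": part.get_content_type(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "size": len(data),
            # "MZ" is the Windows PE header; flag it whatever the extension claims.
            "risky": ext in RISKY_EXT or data.startswith(b"MZ"),
        })
    return found


def received_ips(raw: bytes):
    """IPs from the Received headers, top (closest to us) to bottom (closest to the sender)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IP_RE.search(str(hdr))
        if m:
            ips.append(m.group(1))
    return ips


def originating_ip(raw: bytes):
    """The bottom-most Received hop is the earliest one we can see, hence the originating IP."""
    ips = received_ips(raw)
    return ips[-1] if ips else None


if __name__ == "__main__":
    raw = build_sample_message()
    for att in list_attachments(raw):
        print(att)
    print("originating IP:", originating_ip(raw))
```

Hashing the decoded payload rather than the base64 text is the detail that makes the SHA-256 match what a sandbox such as AnyRun reports for the dropped file.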
