This is a write-up for the Threat Intelligence Tools room created by TryHackMe & SecurityNomad

Task 5: PhishTool

PhishTool is the tool we will be learning in this task.

This task shows us how to use PhishTool. Keep in mind there are two versions, Community and Enterprise; you are required to sign up for a Community account to complete this room.

The core features include:

  • Perform email analysis: PhishTool retrieves metadata from phishing emails and provides analysts with the relevant explanations and capabilities to follow the email’s actions, attachments, and URLs to triage the situation.
  • Heuristic intelligence: OSINT is baked into the tool to provide analysts with the intelligence needed to stay ahead of persistent attacks and understand what TTPs were used to evade security controls and allow the adversary to social engineer a target.
  • Classification and reporting: Phishing email classifications are conducted to allow analysts to take action quickly. Additionally, reports can be generated to provide a forensic record that can be shared.

What are we missing by not using the Enterprise version?

  • Can’t manage user-reported phishing events
  • Can’t report phishing email findings back to users to keep them updated
  • No integrations with O365 (Microsoft 365) or Google

PhishTool accepts .eml, .msg and .txt files for submission.

Finally time for the Scenario:

You are a SOC Analyst and have been tasked to analyze a suspicious email, Email1.eml. To solve the task, open the email using Thunderbird on the attached VM, analyze it and answer the questions below.

Go to the “Emails” folder on the desktop > right-click the file Email1.eml > Open with Thunderbird.

Questions:

  • What social media platform is the attacker trying to pose as in the email?

The icon on the top left did not load for me, as the hint mentioned, but even if we haven’t seen this email many times before we can easily identify it by looking at the text at the bottom.

The answer is LinkedIn

  • What is the sender’s email address?

    See the “From” field on top

    The Answer is darkabutla@sc500.whpservers.com

  • What is the recipient’s email address?

    See the “To” field on top

    The answer is cabbagecare@hotsmail.com

  • What is the Originating IP address? Defang the IP address.

    Since the room machine does not have internet access, let’s boot up our attack machine (see the top of the room) and move the file over.

    On the target machine, serve the Emails folder over HTTP (python3 -m http.server listens on port 8000 by default; this exposes the folder to anyone who can reach that port, so stop it with Ctrl+C once the file has been copied):

    cd Desktop
    cd Emails
    python3 -m http.server

    On the AttackBox, fetch the file (replace <target-ip> with the target machine’s IP address):

    cd Desktop
    wget http://<target-ip>:8000/Email1.eml

    I forgot the file names were case sensitive, hence you will see my first attempt to wget the file fail.

    Let’s load up PhishTool in our AttackBox to finally use this new tool!

    Clicking on Analysis, we can upload our Email1.eml to investigate further.

    Going back to the question of what the Originating IP address is, we can clearly see it in the analysis view. Next, the question asks us to defang it.

    If you don’t know the practice of defanging in the security world, here is a quick breakdown:

    Defanging is the process of modifying potentially harmful content such as URLs, IP addresses, scripts or malware code so that it becomes harmless and cannot be accidentally executed or clicked. This is commonly done when sharing malicious links, file paths or exploit code in reports, documentation or forums to prevent unintentional activation (mail clients, chat tools and ticketing systems will otherwise auto-link a raw URL or IP address).

    1. Defanging URLs
      • Original: http://malicious-site.com
      • Defanged: hxxp://malicious-site[.]com
      • The http is changed to hxxp, and each . is replaced with [.], so the link is no longer clickable.
    2. Defanging IP addresses
      • Original: 192.168.1.1
      • Defanged: 192[.]168[.]1[.]1
      • This stops the address from being recognised and auto-linked as a valid IP, and prevents it from being pasted straight into a browser or tool by mistake.
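To make the two rules above concrete, here is a small defang/refang helper in Python. It is an added example written for this write-up, not code from the room, PhishTool or CyberChef. It implements exactly the page’s two substitutions (http to hxxp, . to [.]) for defanging; the extra (.), {.}, [:], [@] and [://] styles accepted by refang() are common conventions from other reports and are an assumption beyond what the page lists.

```python
import re

# Added example for this write-up (not from the TryHackMe room, PhishTool or CyberChef).
# Defanging rules follow the page: "http" -> "hxxp" and "." -> "[.]".
# refang() additionally accepts the (.) / {.} / [:] / [@] / [://] styles seen in
# other reports; those extra styles are an assumption beyond the page's two rules.

_BRACKET_DOTS = ("[.]", "(.)", "{.}")

# Match URLs and bare IPv4 addresses inside free text (e.g. a report body).
_URL_RE = re.compile(r"(?i)\bhttps?://[^\s<>\"']+")
_IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def refang(ioc: str) -> str:
    """Undo defanging so the indicator can be fed to a tool that needs the real value."""
    s = ioc
    for dot in _BRACKET_DOTS:
        s = s.replace(dot, ".")
    s = s.replace("[://]", "://").replace("[:]", ":").replace("[@]", "@")
    return re.sub(r"(?i)^hxxp", "http", s)


def defang(ioc: str) -> str:
    """Defang a single URL, hostname or IPv4 address.

    Refanging first makes the function idempotent: an already-defanged
    indicator is not turned into "192[[.]]168..." by a second pass.
    """
    s = refang(ioc)
    s = re.sub(r"(?i)^http(?=s?://)", "hxxp", s)  # keeps the "s" of https
    return s.replace(".", "[.]")


def defang_text(text: str) -> str:
    """Defang every URL and IPv4 address in a block of report text.

    URLs are handled first so an IP that is the host part of a URL is
    bracketed once, as part of the URL, rather than matched a second time.
    """
    text = _URL_RE.sub(lambda m: defang(m.group(0)), text)
    return _IPV4_RE.sub(lambda m: defang(m.group(0)), text)


if __name__ == "__main__":
    print(defang("http://malicious-site.com"))    # hxxp://malicious-site[.]com
    print(defang("192.168.1.1"))                  # 192[.]168[.]1[.]1
    print(refang("hxxps://evil[.]example/path"))  # https://evil.example/path
```

defang_text() is the form you actually want when pasting header output or a PhishTool export into a ticket: run the whole text through it once, and every URL and IP in it comes out unclickable.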

    Now that that’s clear, let’s use CyberChef (a quick Google search will guide you to it; its “Defang URL” and “Defang IP Addresses” operations do exactly the substitutions above) to make this easy for us:

    • What is the Originating IP address? Defang the IP address.

    The answer is: 204[.]93[.]183[.]11

    • How many hops did the email go through to get to the recipient?

    For this answer we just need to click on the originating IP in PhishTool to show all the “hops”, i.e. the Received headers that each mail server prepended as the message travelled to the recipient.

    The answer is: 4
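The same information PhishTool presents here (sender, recipient, hop count and originating IP) can be pulled straight from the .eml with Python’s standard email module, which is useful when you have a batch of reported messages and no GUI. This is an added example for this write-up, not the room’s Email1.eml and not PhishTool code; the message below is constructed with RFC 5737 documentation addresses and invented hostnames.

```python
import re
from email import policy
from email.parser import BytesParser

# Added example for this write-up; not the room's Email1.eml and not PhishTool code.
# Constructed message: RFC 5737 documentation addresses, invented hosts.
# Each MTA prepends its own "Received:" header, so the *bottom* header is the first hop.
SAMPLE_EML = b"""Received: from mx3.example.net (mx3.example.net [198.51.100.9])
\tby inbox.example.net with ESMTP id k9s2; Mon, 1 Jan 2024 10:00:03 +0000
Received: from relay.example.org (relay.example.org [203.0.113.7])
\tby mx3.example.net with ESMTPS; Mon, 1 Jan 2024 10:00:02 +0000
Received: from unknown (HELO webmail) ([192.0.2.44])
\tby relay.example.org with SMTP; Mon, 1 Jan 2024 10:00:01 +0000
From: "Acme Support" <support@acme.example>
To: victim@example.net
Subject: Your account has been limited
Message-ID: <20240101100001.1@acme.example>

Please sign in to restore access.
"""

_IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def received_chain(raw: bytes) -> list[dict]:
    """Return the hops in delivery order (first hop first).

    Each entry holds the unfolded Received header and the first IPv4 address
    found in it, which in the "from X (Y [ip]) by Z" form is the sending host.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    headers = msg.get_all("Received", [])
    chain = []
    for hdr in reversed(headers):          # bottom-most header = earliest hop
        text = " ".join(str(hdr).split())  # collapse header folding whitespace
        m = _IPV4_RE.search(text)
        chain.append({"header": text, "ip": m.group(1) if m else None})
    return chain


def triage(raw: bytes) -> dict:
    """Pull the fields the task asks for: sender, recipient, hop count, originating IP."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    chain = received_chain(raw)
    origin = msg.get("X-Originating-IP")   # some webmail providers add this header
    if origin:
        m = _IPV4_RE.search(str(origin))
        origin = m.group(1) if m else None
    if not origin and chain:
        origin = chain[0]["ip"]            # otherwise: sending host of the first hop
    return {
        "sender": msg["From"].addresses[0].addr_spec if msg["From"] else None,
        "recipient": msg["To"].addresses[0].addr_spec if msg["To"] else None,
        "hops": len(chain),
        "originating_ip": origin,
        "originating_ip_defanged": origin.replace(".", "[.]") if origin else None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key:24} {value}")
    for i, hop in enumerate(received_chain(SAMPLE_EML), 1):
        print(f"hop {i}: {hop['ip']}")
```

One caveat a triage analyst should keep in mind: only the Received headers added by mail servers you control (the top of the chain) are trustworthy. Anything below the first hop into your infrastructure, including the HELO name and any earlier Received lines, was written by the sender’s side and can be forged, so the “originating IP” is the best available evidence, not proof.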

Cisco Talos Intelligence

IT and cybersecurity companies collect massive amounts of information that could be used for threat analysis and intelligence. Being one of those companies, Cisco assembled a large team of security practitioners called Cisco Talos to provide actionable intelligence, visibility on indicators, and protection against emerging threats through data collected from their products. The solution is accessible as Talos Intelligence.

Cisco Talos encompasses six key teams:

  • Threat Intelligence & Interdiction: Quick correlation and tracking of threats provide a means to turn simple IOCs into context-rich intel.
  • Detection Research: Vulnerability and malware analysis is performed to create rules and content for threat detection.
  • Engineering & Development: Provides the maintenance support for the inspection engines and keeps them up to date to identify and triage emerging threats.
  • Vulnerability Research & Discovery: Working with service and software vendors to develop repeatable means of identifying and reporting security vulnerabilities.
  • Communities: Maintains the image of the team and the open-source solutions.
  • Global Outreach: Disseminates intelligence to customers and the security community through publications.

More information about Cisco Talos can be found in their white paper.

Talos Dashboard

Accessing the public Talos Intelligence portal, we are first presented with a reputation lookup dashboard with a world map. This map shows an overview of email traffic with indicators of whether the emails are legitimate, spam or malware across numerous countries. Clicking on any marker, we see more information associated with the IP and hostname, the volume on the day and the type.

At the top, we have several tabs that provide different types of intelligence resources. The primary tabs that an analyst would interact with are:

  • Vulnerability Information: Disclosed and zero-day vulnerability reports marked with CVE numbers and CVSS scores. Details of the vulnerabilities reported are provided when you select a specific report, including the timeline taken to get the report published. Microsoft vulnerability advisories are also provided, with the applicable Snort rules that can be used.

  • Reputation Center: Provides access to searchable threat data related to IPs and files using their SHA256 hashes. Analysts would rely on these options to conduct their investigations. Additional email and spam data can be found under the Email & Spam Data tab.

Task 6

Use the information gathered from inspecting the Email1.eml file from Task 5 to answer the following questions using Cisco Talos Intelligence.

Answer the questions below

  • What is the listed domain of the IP address from the previous task?

Using Cisco Talos we can put in the IP we found in the last task (refanged, i.e. with the [.] turned back into plain dots) and gather the needed info.

The answer is: scnet.net

  • What is the customer name of the IP address?

The WHOIS lookup was not pulling any data for me, so in a terminal on the AttackBox I ran

    whois 204.93.183.11

and scrolled down until I could pull the answer to the question.

The answer is: Complete Web Reviews

Task 7

Scenario: You are a SOC Analyst. Several suspicious emails have been forwarded to you from other coworkers. You must obtain details from each email to triage the incidents reported.

Task: Use the tools and knowledge discussed throughout this room (or use your resources) to help you analyze Email2.eml found on the VM attached to Task 5 and use the information to answer the questions.

Answer the questions below

  • Question: According to Email2.eml, what is the recipient’s email address?

    Let’s upload this email into PhishTool and see what it can show us!

    OK, this is an easy one! Who was the email sent to?

    The answer is: chris.lyons@supercarcenterdetroit.com

  • Question: On VirusTotal, the attached file can also be identified by a Detection Alias, which starts with an H.

    Let’s view the Attachments section and copy the SHA-256 hash.

    Then search for that hash on virustotal.com. Searching by hash does not upload anything, so nothing from the email leaves your environment; do not upload the attachment itself unless you are sure it contains nothing sensitive.

    As we expected! This file is most likely not the one our recipient was looking for :-).

    The answer is: HIDDENEXT/Worm.Gen

Task 8

Scenario 2: You are a SOC Analyst. Several suspicious emails have been forwarded to you from other coworkers. You must obtain details from each email to triage the incidents reported.

Task: Use the tools and knowledge discussed throughout this room (or use your resources) to help you analyze Email3.eml found on the VM attached to Task 5 and use the information to answer the questions.

Answer the questions below

  1. What is the name of the attachment on Email3.eml?
  2. What malware family is associated with the attachment on Email3.eml?

Just like last time, let’s copy the SHA-256 hash from PhishTool’s Attachments section (the attachment name for question 1 is shown right there) and search for it on VirusTotal.

The family labels under VirusTotal’s detections should help us answer question 2:

Let’s also look this up in another tool we learned about earlier: MalwareBazaar (Malware sample exchange).

Note: when searching in MalwareBazaar, make sure to use the search syntax, e.g. sha256:<hash>; a bare hash in the search box will not return anything.

MalwareBazaar is screaming out the answer for us under Signature, and in the large red box!

The answer is: dridex
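Tasks 7 and 8 both follow the same pattern: pull the attachment out of the .eml, hash it, and pivot on the hash in VirusTotal and MalwareBazaar. The following is an added example for this write-up showing that pattern in Python; it is not the room’s Email2.eml/Email3.eml and not PhishTool, VirusTotal or MalwareBazaar code. The message is constructed (the “attachment” is just the bytes “Hello”, base64-encoded). The VirusTotal v3 file endpoint and the MalwareBazaar get_info API are real, but the assumption that abuse.ch wants an Auth-Key header is yours to verify against their current docs.

```python
import hashlib
import json
import urllib.parse
import urllib.request
from email import policy
from email.parser import BytesParser

# Added example for this write-up; not the room's Email2.eml/Email3.eml and not
# PhishTool, VirusTotal or MalwareBazaar code. The message is constructed: the
# "attachment" is just the bytes b"Hello", base64-encoded.
SAMPLE_EML = b"""From: "Accounts" <accounts@example.org>
To: chris@example.com
Subject: Invoice attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please see the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice.xlsm"
Content-Disposition: attachment; filename="invoice.xlsm"
Content-Transfer-Encoding: base64

SGVsbG8=
--b1--
"""


def extract_attachments(raw: bytes) -> list[dict]:
    """Decode every attachment and hash it in memory; nothing is written to disk."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    found = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):            # text/* attachments decode to str
            data = data.encode(part.get_content_charset() or "utf-8")
        found.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return found


def lookup_references(sha256: str) -> dict:
    """Where to pivot on a hash. Searching by hash never uploads the file."""
    return {
        "virustotal_gui": f"https://www.virustotal.com/gui/file/{sha256}",
        "virustotal_api": f"https://www.virustotal.com/api/v3/files/{sha256}",  # GET, header x-apikey
        "malwarebazaar_search": f"sha256:{sha256}",   # search-box syntax on bazaar.abuse.ch
        "malwarebazaar_api": "https://mb-api.abuse.ch/api/v1/",  # POST query=get_info&hash=<sha256>
    }


def malwarebazaar_get_info(sha256: str, auth_key: str = "") -> dict:
    """Query MalwareBazaar for a hash (needs network; Auth-Key requirement is an assumption)."""
    body = urllib.parse.urlencode({"query": "get_info", "hash": sha256}).encode()
    req = urllib.request.Request("https://mb-api.abuse.ch/api/v1/", data=body, method="POST")
    if auth_key:
        req.add_header("Auth-Key", auth_key)
    with urllib.request.urlopen(req, timeout=15) as resp:
        # On a hit, data[0]["signature"] carries the family name (e.g. "Dridex").
        return json.load(resp)


if __name__ == "__main__":
    for att in extract_attachments(SAMPLE_EML):
        print(json.dumps(att, indent=2))
        print(json.dumps(lookup_references(att["sha256"]), indent=2))
```

Hashing in memory and pivoting on the hash keeps the attachment off the analyst’s disk and out of third-party sandboxes until you have decided it is safe to share; only reach for malwarebazaar_get_info() (or a VirusTotal upload) once that decision has been made.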

Congratulations on completing Threat Intelligence Tools!!! 🎉

This is a write-up for the MITRE room created by heavenraiza

Tasks 1 & 2 are simple click-and-complete tasks.

TASK 3

Question 1: Only blue teamers will use the ATT&CK Matrix? (Yay/Nay)

Question 2: We need to head over to https://attack.mitre.org/

*Keep in mind the room tells you to start your research on the Phishing page.

Question 3: The answer is found under the Mitigations section on the Phishing page.

Question 4: The answer can be found under the Detection section of the same page.

Question 5: The answer is located on the same page, near the top.

Question 6: Click on the Groups link to learn more about them; the information is located under Associated Group Descriptions.

Question 7: The answer is located under the Software section.

Question 8: Clicking the hyperlink for PsExec leads us to a page about the tool and the groups known to have used it, which is what we need to answer this question.

Question 9: Click on the FIN5 group hyperlink to be taken to their page to find the next answers.

Question 10: This is located under the Software section, where we learn that Windows Credential Editor is used by FIN5.

And here is our TASK 3 Recap

       

Task 4

Question 1: The pseudocode shown in the room is a representation of a Splunk search.

Question 2: Head to https://attack.mitre.org/, click on the search icon on the top right and enter TA0003; clicking the first result takes us to the tactic’s page, which tells us what type of tactic this is.

Question 3: Head to https://car.mitre.org/ and I searched for Zeek.

Question 4: Head to https://car.mitre.org/analytics/ and I searched for hash (only 3 results).

Question 5: There is a section for Test Cases located on the same page.

TASK 4 Recap

TASK 5

Questions 1 & 2: We need to go to https://shield.mitre.org/ > Matrix; this lists all the techniques, and we see that Detect has the most. (MITRE Shield has since been retired in favour of MITRE Engage, so the Shield site may redirect.)

Question 3: A quick search from the search bar shows that DTE0011 is Decoy Content.

Question 4: This involves continuing your search from the DTE0011 page.

Question 5: https://shield.mitre.org/attack_mapping/mapping_all > get there by using the navigation bar and clicking ATT&CK Mapping > Overview; a few lines down there is a hyperlink for the complete mapping.

Task 5 Recap

TASK 6

Question 1: Click the APT3 hyperlink provided in the room to find this answer.

Question 2: This can be located via https://attack.mitre.org/docs/APT3_Adversary_Emulation_Plan.pdf > Phase 2 > Persistence | utilize the table of contents to find this easily!

Question 3: This can be found by reading the First Scenario section via https://attackevals.mitre-engenuity.org/APT29/operational-flow

Question 4: This can be found by reading the Second Scenario section via https://attackevals.mitre-engenuity.org/APT29/operational-flow

Task 6 Recap

TASK 7

Questions 1 & 2: We need to head back to MITRE ATT&CK and use the navigation bar to search Groups (or go straight to https://attack.mitre.org/groups/); a search on the page for “Aviation” reveals that APT33 is the group that may target us in this scenario.

Question 3: Go to the APT33 group page https://attack.mitre.org/groups/G0064/ > scroll to Software.

Question 4: If we take a look at the technique they use under T1078.004 (Valid Accounts: Cloud Accounts), we find the information we need to answer this question.

Question 5: Further down that technique page there is a Detection write-up that we can use.

Question 6: At the top right of the page we will find the ID information to finish up this room!

Task 7 Recap

Thanks for stopping by, and I hope this is able to help you complete any tasks/questions that were proving difficult to find!