Threat Intelligence Tools | Task 5-8 TryHackMe Write-up

This is a write-up for the Threat Intelligence Tools room, created by TryHackMe & SecurityNomad.

Task 5: PhishTool

PhishTool is the tool we will be learning in this task; the room links to it.

This room shows us how to use PhishTool. Keep in mind there are two versions, Community and Enterprise; you must sign up for a Community account to complete this room.

The core features include:

  • Perform email analysis: PhishTool retrieves metadata from phishing emails and provides analysts with the relevant explanations and capabilities to follow the email’s actions, attachments, and URLs to triage the situation.
  • Heuristic intelligence: OSINT is baked into the tool to provide analysts with the intelligence needed to stay ahead of persistent attacks and understand what TTPs were used to evade security controls and allow the adversary to social engineer a target.
  • Classification and reporting: Phishing email classifications are conducted to allow analysts to take action quickly. Additionally, reports can be generated to provide a forensic record that can be shared.

What are we missing by not using the enterprise version?

  • Can’t manage user-reported phishing events
  • Can’t report phishing email findings back to users to keep them updated
  • No integrations with O365 or Google

Emails can be submitted as .eml, .msg and .txt files.

Finally time for the Scenario:

You are a SOC Analyst and have been tasked to analyze a suspicious email, Email1.eml. To solve the task, open the email using Thunderbird on the attached VM, analyze it and answer the questions below.

Go to the “Emails” folder that is on the desktop > right-click the file Email1.eml > Open with Thunderbird.

Questions:

  • What social media platform is the attacker trying to pose as in the email?

The icon on the top left did not load for me, as the hint mentioned, but we can easily identify it, even if we haven't seen this email many times before, by looking at the text at the bottom.

The answer is: LinkedIn

  • What is the sender's email address?

See the “From” field at the top.

The answer is: darkabutla@sc500.whpservers.com

  • What is the recipient's email address?

See the “To” field at the top.

The answer is: cabbagecare@hotsmail.com

  • What is the Originating IP address? Defang the IP address.

Since the room VM has no internet access, let's boot up our attack machine (see the top of the room) and copy the file over with a throwaway HTTP server.

On the target machine:

  cd Desktop
  cd Emails
  python3 -m http.server

On the AttackBox (replace <target-machine-ip> with the room VM's IP address):

  cd Desktop
  wget http://<target-machine-ip>:8000/Email1.eml

I forgot the filenames were case sensitive, hence you will see my first attempt to wget the file fail.

Let's load up PhishTool on our AttackBox to finally use this new tool!

Clicking on Analysis, we can upload Email1.eml to investigate further.

Going back to the question of what the originating IP address is, we can clearly see it in the parsed headers. Next, the question asks us to defang it.

If you don't know the practice of defanging in the security world, here is a quick breakdown.

Defanging is the process of modifying potentially harmful content such as URLs, scripts, or malware code so that it becomes harmless and cannot be accidentally executed or clicked. This is commonly done when sharing malicious links, file paths, or exploit code in reports, documentation, or forums to prevent unintentional activation.

1. Defanging URLs
  • Original: http://malicious-site.com
  • Defanged: hxxp://malicious-site[.]com
  • The http is changed to hxxp, and . is replaced with [.] to prevent accidental clicks.
2. Defanging IP addresses
  • Original: 192.168.1.1
  • Defanged: 192[.]168[.]1[.]1
  • This prevents automatic recognition as a valid IP address.

Now that it's clear, let's use CyberChef (a quick Google search will guide you to it) to make this easy for us:

  • What is the Originating IP address? Defang the IP address.

The answer is: 204[.]93[.]183[.]11

  • How many hops did the email go through to get to the recipient?

For this answer we just need to click on the originating IP to show all the “hops”.

The answer is: 4
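The same header triage (sender, recipient, originating IP, hop count) and the defanging rules above can be done with Python's standard email module. This is an added example, not code from the room or from PhishTool; the .eml text, addresses and IPs in it are constructed for illustration, and the hop count is approximated as one per Received header.

```python
import email
import re
from email import policy

# Constructed sample .eml (NOT the room's Email1.eml); the bottom Received header is the first hop.
SAMPLE_EML = """\
Received: from relay2.example.net (relay2.example.net [203.0.113.9])
\tby mx.recipient.example with ESMTP; Mon, 1 Jan 2024 10:00:03 +0000
Received: from relay1.example.org ([198.51.100.7])
\tby relay2.example.net with ESMTP; Mon, 1 Jan 2024 10:00:02 +0000
Received: from [192.0.2.10] (helo=webmail.example.org)
\tby relay1.example.org with ESMTPA; Mon, 1 Jan 2024 10:00:01 +0000
X-Originating-IP: 192.0.2.10
From: "Social Network" <noreply@example.org>
To: victim@example.com
Subject: Someone viewed your profile

Confirm your account at http://login.example-sso.net/verify
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def defang_ip(ip: str) -> str:
    """192.0.2.10 -> 192[.]0[.]2[.]10 so the value is not auto-linked or auto-resolved."""
    return ip.replace(".", "[.]")

def defang_url(url: str) -> str:
    """http://host.tld/x -> hxxp://host[.]tld/x (scheme neutered, dots bracketed)."""
    url = re.sub(r"^http(s?)://", r"hxxp\1://", url, flags=re.IGNORECASE)
    return url.replace(".", "[.]")

def triage_headers(raw_eml: str) -> dict:
    """Pull the fields the Task 5 questions ask for out of an .eml file."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    received = [str(h) for h in msg.get_all("Received", [])]
    # Prefer X-Originating-IP; otherwise fall back to the IP in the bottom
    # (earliest) Received header, which is where the delivery chain started.
    origin_src = str(msg.get("X-Originating-IP") or (received[-1] if received else ""))
    match = IPV4.search(origin_src)
    origin_ip = match.group(0) if match else None
    return {
        "sender": msg["From"].addresses[0].addr_spec,
        "recipient": msg["To"].addresses[0].addr_spec,
        "origin_ip": origin_ip,
        "origin_ip_defanged": defang_ip(origin_ip) if origin_ip else None,
        "hops": len(received),  # one Received header per mail server that relayed it
    }
```

Received headers are written by each relay and can be forged by the sender, so treat the bottom-most one as a claim to verify against the relay's own reputation, not as proof of origin.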

Cisco Talos Intelligence

IT and cybersecurity companies collect massive amounts of information that could be used for threat analysis and intelligence. Being one of those companies, Cisco assembled a large team of security practitioners called Cisco Talos to provide actionable intelligence, visibility on indicators, and protection against emerging threats through data collected from their products. The solution is accessible as Talos Intelligence.

Cisco Talos encompasses six key teams:

  • Threat Intelligence & Interdiction: Quick correlation and tracking of threats provide a means to turn simple IOCs into context-rich intel.
  • Detection Research: Vulnerability and malware analysis is performed to create rules and content for threat detection.
  • Engineering & Development: Provides the maintenance support for the inspection engines and keeps them up-to-date to identify and triage emerging threats.
  • Vulnerability Research & Discovery: Working with service and software vendors to develop repeatable means of identifying and reporting security vulnerabilities.
  • Communities: Maintains the image of the team and the open-source solutions.
  • Global Outreach: Disseminates intelligence to customers and the security community through publications.

More information about Cisco Talos can be found in their white paper.

Talos Dashboard

Accessing the open-source solution, we are first presented with a reputation lookup dashboard with a world map. This map shows an overview of email traffic with indicators of whether the emails are legitimate, spam or malware across numerous countries. Clicking on any marker, we see more information associated with IP and hostname addresses, volume on the day and the type.

At the top, we have several tabs that provide different types of intelligence resources. The primary tabs that an analyst would interact with are:

  • Vulnerability Information: Disclosed and zero-day vulnerability reports marked with CVE numbers and CVSS scores. Details of the vulnerabilities reported are provided when you select a specific report, including the timeline taken to get the report published. Microsoft vulnerability advisories are also provided, with the applicable Snort rules that can be used.

  • Reputation Center: Provides access to searchable threat data related to IPs and files using their SHA256 hashes. Analysts would rely on these options to conduct their investigations. Additional email and spam data can be found under the Email & Spam Data tab.

Task 6

Use the information gathered from inspecting the Email1.eml file from Task 5 to answer the following questions using Cisco Talos Intelligence.

Answer the questions below

  • What is the listed domain of the IP address from the previous task?

Using Cisco Talos, we can put in the IP we found in the last task and gather the needed info.

The answer is: scnet.net

  • What is the customer name of the IP address?

The WHOIS lookup was not pulling any data for me, so in a terminal on the AttackBox I ran
whois 204.93.183.11 and scrolled down until I could find the answer to the question.

The answer is: Complete Web Reviews

Task 7

Scenario: You are a SOC Analyst. Several suspicious emails have been forwarded to you from other coworkers. You must obtain details from each email to triage the incidents reported.

Task: Use the tools and knowledge discussed throughout this room (or use your resources) to help you analyze Email2.eml found on the VM attached to Task 5 and use the information to answer the questions.

Answer the questions below

  • Question: According to Email2.eml, what is the recipient's email address?

Let's upload this email into PhishTool and see what it can show us!

OK, this is an easy one! Who was the email sent to?

The answer is: chris.lyons@supercarcenterdetroit.com

  • Question: On VirusTotal, the attached file can also be identified by a Detection Alias, which starts with an H.

Let's view the attachment section; what we want to copy is the SHA-256 hash.

Then search for that hash on virustotal.com to find the following information.

As we expected! This file is most likely not the one our recipient was looking for :-).

The answer is: HIDDENEXT/Worm.Gen

Task 8

Scenario 2: You are a SOC Analyst. Several suspicious emails have been forwarded to you from other coworkers. You must obtain details from each email to triage the incidents reported.

Task: Use the tools and knowledge discussed throughout this room (or use your resources) to help you analyze Email3.eml found on the VM attached to Task 5 and use the information to answer the questions.

Answer the questions below

  1. What is the name of the attachment on Email3.eml?
  2. What malware family is associated with the attachment on Email3.eml?

Just like last time, let's copy the SHA-256 hash and search for it on VirusTotal.

The family labels here should help us answer this question.

Let's also look this up in another tool we learned about a while back, MalwareBazaar | Malware sample exchange.

Note: When searching in MalwareBazaar, make sure to use its search syntax (a prefixed query such as sha256:<hash>).

MalwareBazaar is screaming out the answer for us under Signature, and in the large red box!

The answer is: dridex
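Tasks 7 and 8 both start by copying the attachment's SHA-256 hash out of the email and looking it up on VirusTotal or MalwareBazaar. The same attachment name and hash can be extracted from the .eml directly, without ever opening the file. This is an added example, not code from the room; the multipart message below is constructed, with a harmless "hello world" payload standing in for the real attachment.

```python
import email
import hashlib
from email import policy

# Constructed multipart message with one small attachment (NOT the room's
# Email2.eml or Email3.eml); the base64 payload is just "hello world".
SAMPLE_EML = """\
From: invoices@example.org
To: chris@example.com
Subject: Outstanding invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice.xlsm"
Content-Disposition: attachment; filename="invoice.xlsm"
Content-Transfer-Encoding: base64

aGVsbG8gd29ybGQ=
--b1--
"""

def attachment_report(raw_eml: str) -> list:
    """Return the filename, size and SHA-256 of every attachment, ready to be
    pasted into a VirusTotal / MalwareBazaar hash search without running the file."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    report = []
    # iter_attachments() skips the body parts (the first text/plain, text/html)
    # and yields the parts marked or typed as attachments.
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)  # undo base64 before hashing
        report.append({
            "filename": part.get_filename(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return report
```

Hashing the decoded payload (decode=True) matters: hashing the base64 text instead would give a digest no sandbox or threat-intel service recognises.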

Congratulations on completing Threat Intelligence Tools!!! 🎉