CYBERSECURITY JOB HUNTING GUIDE
Letsdefend part 2
Author: Stefan Waldvogel
A real password stealer attack with LetsDefend
Overview:
This time I will do a different task, we try to solve a password stealer attack. Under "Monitoring", we pick a Medium problem with the name "SOC143 Password Stealer Detected".
This time I will do a different task, we try to solve a password stealer attack. Under "Monitoring", we pick a Medium problem with the name "SOC143 Password Stealer Detected".
What information do we have?
EventID: Not important for us.
Event time: April 26, 2021, 11:03 p.m. -> important, we have to see and find matching logs.
Rule: SOC143 - Password Stealer Detected -> in our case just the name
SMTP: 180.76.101.229 -> Important for logs and reseach
Device Action: Allowed -> we know someone opened or received the mail
Source Address: [email protected] -> most likely not the real name, we have to see the code
Destination Address: [email protected] -> goes to us
Subject: . -> a weird subject
We can check the email:
EventID: Not important for us.
Event time: April 26, 2021, 11:03 p.m. -> important, we have to see and find matching logs.
Rule: SOC143 - Password Stealer Detected -> in our case just the name
SMTP: 180.76.101.229 -> Important for logs and reseach
Device Action: Allowed -> we know someone opened or received the mail
Source Address: [email protected] -> most likely not the real name, we have to see the code
Destination Address: [email protected] -> goes to us
Subject: . -> a weird subject
We can check the email:
Download the file, unzip and load it up to Joe's Sandbox.
This looks like a phishing site and the traffic is not going to Microsoft. The playbook asks us these questions:
When was it sent? April 26, 2021, 11:03 p.m
What is the email's SMTP address? 180.76.101.229
What is the sender address? [email protected]
What is the recipient address? [email protected]
Is the mail content suspicious? yes
Are there any attachment? yes
--> Answer the next questions. The URL question is in the code (obfuscated) or Joe's tells us the URL.
When was it sent? April 26, 2021, 11:03 p.m
What is the email's SMTP address? 180.76.101.229
What is the sender address? [email protected]
What is the recipient address? [email protected]
Is the mail content suspicious? yes
Are there any attachment? yes
--> Answer the next questions. The URL question is in the code (obfuscated) or Joe's tells us the URL.
Add the artifacts. I am not sure about all fields because they are not clear. We have multiple IPs, email sender -> IP, real sender or name?
Email domain could be letsdefend.io / microsoft.com but sender or receiver?
Email domain could be letsdefend.io / microsoft.com but sender or receiver?
Next question.
I we do not have a c2 in our network. The log do not show that, but Joe's Sandbox saw a access:
I selected NO, but it looks like the wanted answer is yes.
I tried to see the exchange server log files, but nothing.
Conclusion
This was a small task, but not all incidents are huge or complicated. Do not be afraid. If you get a job, your software is clear or you can ask people.
Conclusion
This was a small task, but not all incidents are huge or complicated. Do not be afraid. If you get a job, your software is clear or you can ask people.
© 2021. This work is licensed under a CC BY-SA 4.0 license