n3s0 || journal

Blue Team Labs Online - Security Operations

Posted on 2 mins

Overview

Some fun looking through the Security Operations category on Blue Team Labs Online. Allowed me to obtain some notes for common things that I already do on a day to day basis. Along with some things that may be useful in the future to reference.

Phishing Analysis

Scenario

A user has received a phishing email and forwarded it to the SOC. Can you investigate the email and attachment to collect useful artifacts?

There is a file provided for the phishing email.

Challenge Submission

Objective is to review the email and the attachment associated with it. Most of this challenge was completed by viewing the email in a text editor.

Looks like the name of the file is Website contact form submission.eml.

1. Who is the primary recipient of this email?

Below is the primary recipient of the email. Opened the eml file and checked the file at the bottom of the message.

2. What is the subject of this email?

3. What is the date and time the email was sent?

4. What is the Originating IP?

Below is the value for the email header X-Originating-IP. A good command to easily find this would be to use the collowing grep command.

Below is the correct answer for the question.

5. Perform reverse DNS on this IP address, what is the resolved host? (whois.domaintools.com)

Command used to complete the submission is below.

Correct answer is below.

6. What email address will receive replies to this email?

Used the following command to find the In-Reply-To email header value for the correct submission.

Below is the correct answer for the email submission.

7. What is the name of the attached file?

8. What is the URL found inside the attachment?

URL is to a blogspot instance that is taken down.

9. What service is this webpage hosted on?

10. Using URL2PNG, what is the heading text on this page? (Doesn’t matter if the page has been taken down!)