Blue Team Labs Online - Security Operations
Table of Contents
Overview
Some fun looking through the Security Operations category on Blue Team Labs Online. It let me collect notes on common tasks that I already do day to day, along with some things that may be useful to reference in the future.
Phishing Analysis
Scenario
A user has received a phishing email and forwarded it to the SOC. Can you investigate the email and attachment to collect useful artifacts?
There is a file provided for the phishing email.
Challenge Submission
The objective is to review the email and the attachment associated with it. Most of this challenge was completed by viewing the email in a text editor.
The name of the file is Website contact form submission.eml.
1. Who is the primary recipient of this email?
Below is the primary recipient of the email. I opened the eml file and checked the bottom of the message.
kinnar1975@yahoo.co.uk
2. What is the subject of this email?
Undeliverable: Website contact form submission
3. What is the date and time the email was sent?
18 March 2021 04:14
4. What is the Originating IP?
Below is the value of the X-Originating-IP email header. An easy way to find it is the following grep command.
grep -i "X-Originating-IP" Website\ contact\ form\ submission.eml
Below is the correct answer for the question.
103.9.171.10
5. Perform reverse DNS on this IP address, what is the resolved host? (whois.domaintools.com)
The command used to complete the submission is below.
dig -x 103.9.171.10
The correct answer is below.
c5s2-1e-syd.hosting-services.net.au.
6. What email address will receive replies to this email?
I used the following command to find the In-Reply-To email header value for the correct submission.
grep -i "In-Reply-To" Website\ contact\ form\ submission.eml
Below is the correct answer for the email submission.
E1lMk2z-00086Y-Jw@se7-syd.hostedmail.net.au
7. What is the name of the attached file?
Website contact form submission.eml
8. What is the URL found inside the attachment?
The URL points to a blogspot instance that has since been taken down.
https://35000usdperwwekpodf.blogspot.sg?p=9swghttps://35000usdperwwekpodf.blogspot.co.il?o=0hnd
9. What service is this webpage hosted on?
blogspot
10. Using URL2PNG, what is the heading text on this page? (Doesn’t matter if the page has been taken down!)
Blog has been removed
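Added example, not part of the original write-up: a small Python script that automates the header, attachment-name and URL extraction done by hand above (questions 1 to 8), using only the standard library. It runs against a constructed sample bounce message rather than the challenge file, and the addresses, IP and URL in it are placeholders.

```python
import email
import re
from email import policy

# Constructed sample .eml (not the challenge file): a bounce carrying the
# original mail as a message/rfc822 attachment, which is what the challenge has.
SAMPLE_EML = b"""\
From: postmaster@example.invalid
To: recipient@example.invalid
Subject: Undeliverable: Website contact form submission
Date: Thu, 18 Mar 2021 04:14:00 +0000
X-Originating-IP: [192.0.2.10]
In-Reply-To: <abc123@mx.example.invalid>
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain

Delivery has failed to these recipients.
--outer
Content-Type: message/rfc822; name="Website contact form submission.eml"
Content-Disposition: attachment; filename="Website contact form submission.eml"

From: sender@example.invalid
To: recipient@example.invalid
Subject: Website contact form submission

Please review https://example-lure.invalid/?p=1 today.
--outer--
"""

HEADERS = ("To", "Subject", "Date", "X-Originating-IP", "In-Reply-To")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def triage_eml(raw: bytes) -> dict:
    """Pull the headers, attachment names and URLs an analyst records first."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = {h: (None if msg[h] is None else str(msg[h])) for h in HEADERS}
    # X-Originating-IP is usually written as "[a.b.c.d]"; keep only the address.
    ip_match = IP_RE.search(found["X-Originating-IP"] or "")
    found["originating_ip"] = ip_match.group(0) if ip_match else None
    found["attachments"], urls = [], []
    # walk() descends into message/rfc822 parts, so URLs in the attached mail count too.
    for part in msg.walk():
        if part.get_filename():
            found["attachments"].append(part.get_filename())
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    found["urls"] = list(dict.fromkeys(urls))  # de-duplicate, keep order
    return found
```

Point `triage_eml` at the bytes of a real .eml file to get the same fields; reverse DNS on the originating IP is still done separately with dig -x as shown above.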