“ SOC141 — Phishing URL Detected ” investigation
Hello, today I will write about the investigation of the “SOC141 — Phishing URL Detected” alarm on letsdefend.io.
The alert appears in our investigation channel; from there we proceed to build the case.
Let’s start the playbook.
The first step is to ‘Parse Email’ and gather information about the incoming email. The alert itself contains the majority of the information:
· The alarm was triggered with high severity at 21:23 (9:23 p.m.) on 22 March 2021.
· Source Address — 172.16.17.49
· Destination Address — 91.189.114.8
· User-Agent — Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
· Device Action is “Allowed”, so nothing blocked the traffic: the e-mail reached the user and the request to the URL was not stopped.
The alarm therefore tells us that an e-mail carrying a malicious URL reached an internal user and that the URL may already have been visited, so the e-mail and the user's activity need to be examined urgently.
For the log research we open the Log Management section of the platform and filter on the source and destination IPs collected from the alert (172.16.17.49 and 91.189.114.8).
As the screenshots above show, the proxy log contains a request from the source host to a URL on the destination address.
Note: the URL has been deactivated (defanged) here because it may be malicious; it will not resolve or redirect, and it should not be opened outside a sandbox.
Next we analyse the URL with online services, here AnyRun (sandbox) and VirusTotal (reputation).
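As an added example (not the author's or LetsDefend's code), here is the log-search step above done as a script: it takes the alarm fields, pulls the proxy requests between the alert's source and destination IPs around the alarm time, defangs the URL it finds so it can be pasted safely into the case, and builds the identifier VirusTotal's v3 API expects for a URL lookup. The log lines and the phishing URL (phish.example.net) are constructed placeholders, and the key=value log layout is an assumption, not the platform's real format. It also goes one step beyond the post and lists the other internal hosts that reached the same destination, which is the scoping question to answer before containment.

```python
import base64
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Alert fields as reported in the SOC141 alarm described above.
ALERT = {
    "time": "2021-03-22 21:23",
    "src_ip": "172.16.17.49",
    "dst_ip": "91.189.114.8",
    "user_agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36",
    "device_action": "Allowed",
}

# Constructed sample proxy log lines in an assumed key=value style (NOT the
# platform's real output). The phishing URL and other destinations are placeholders.
PROXY_LOGS = """\
2021-03-22 21:20:05 type=proxy src=172.16.17.49 dst=142.250.74.78 method=GET url=http://www.google.com/ action=Allowed
2021-03-22 21:23:11 type=proxy src=172.16.17.49 dst=91.189.114.8 method=GET url=http://phish.example.net/login/ action=Allowed
2021-03-22 21:24:40 type=proxy src=172.16.17.51 dst=91.189.114.8 method=GET url=http://phish.example.net/login/ action=Blocked
2021-03-22 21:30:02 type=proxy src=172.16.17.49 dst=93.184.216.34 method=GET url=http://example.com/ action=Allowed
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<fields>.*)$")


def parse_line(line):
    """Turn one key=value proxy log line into a dict; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")}
    for key, value in re.findall(r"(\w+)=(\S+)", m.group("fields")):
        entry[key] = value
    return entry


def find_requests(logs, src_ip, dst_ip, alert_time, window_minutes=5):
    """Log search step of the playbook: every request between the alert's source and
    destination IPs within +/- window_minutes of the alarm time."""
    centre = datetime.strptime(alert_time, "%Y-%m-%d %H:%M")
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in logs.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if e.get("src") == src_ip and e.get("dst") == dst_ip and abs(e["ts"] - centre) <= window:
            hits.append(e)
    return hits


def other_hosts_contacting(logs, dst_ip, exclude_src):
    """Scoping check: which other internal hosts also reached the phishing destination?"""
    hosts = set()
    for line in logs.splitlines():
        e = parse_line(line)
        if e and e.get("dst") == dst_ip and e.get("src") != exclude_src:
            hosts.add(e["src"])
    return sorted(hosts)


def defang(url):
    """Render a URL so it cannot be clicked or auto-linked in a report or ticket."""
    parts = urlsplit(url)
    scheme = parts.scheme.replace("http", "hxxp")      # http -> hxxp, https -> hxxps
    netloc = parts.netloc.replace(".", "[.]")
    tail = parts.path + ("?" + parts.query if parts.query else "")
    return f"{scheme}://{netloc}{tail}"


def vt_url_id(url):
    """VirusTotal API v3 identifier for a URL: unpadded URL-safe base64 of the URL,
    used as GET https://www.virustotal.com/api/v3/urls/{id} (an API key is required)."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


if __name__ == "__main__":
    hits = find_requests(PROXY_LOGS, ALERT["src_ip"], ALERT["dst_ip"], ALERT["time"])
    for h in hits:
        print(h["ts"], h["action"], defang(h["url"]), "vt_id=" + vt_url_id(h["url"]))
    print("other hosts:", other_hosts_contacting(PROXY_LOGS, ALERT["dst_ip"], ALERT["src_ip"]))
```

The time window matters: the alarm carries only minute precision, so matching the proxy request within a few minutes of 21:23 rather than on the exact timestamp avoids missing the hit. The defanged form is what goes into the case notes; the raw URL goes only to the sandbox and reputation lookups.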
AnyRun results:
I submit the URL we found to the AnyRun platform and, in the screenshot above, I see that the domain is hosted on WordPress and appears to be dead.
The IOC section additionally lists every address the sample connected to.
VirusTotal results:
VirusTotal confirms that the site is malicious: it is classified as a phishing domain.
Searching for the IP address 172.16.17.49 in the Endpoint Security section brings up the host “EmilyComp”, which shows no recorded activity for 2021.
After completing the review, we create a case on letsdefend.io and work through the relevant playbook.
First, an information page explains what we need to examine; once we pass it, a step asks whether the e-mail we examined contained a file and a URL.
Finally, a page tells us that the host of the affected user should be marked for containment.
Before closing the case, we attach the findings (artifacts) collected during the review phase.
Summary: