Hey all, this is the eigth installment in my walkthrough series on TryHackMe’s SOC Level 1 path and the second room in this module on Cyber Threat Intelligence, where we will learn about identifying and using available security knowledge to mitigate and manage potential adversary actions.
This room will explore different OSINT tools used to conduct security threat assessments and investigations.
We’re starting to get into the tools more and more now, very exciting, let’s get after it.
Task 1: Room Outline
This room will cover the concepts of Threat Intelligence and various open-source tools that are useful. The learning objectives include:
- Understanding the basics of threat intelligence & its classifications.
- Using UrlScan.io to scan for malicious URLs.
- Using Abuse.ch to track malware and botnet indicators.
- Investigate phishing emails using PhishTool
- Using Cisco’s Talos Intelligence platform for intel gathering.
Task 2: Threat Intelligence
Threat Intelligence is the analysis of data and information using tools and techniques to generate meaningful patterns on how to mitigate against potential risks associated with existing or emerging threats targeting organisations, industries, sectors or governments.
To mitigate against risks, we can start by trying to answer a few simple questions:
- Who’s attacking you?
- What’s their motivation?
- What are their capabilities?
- What artefacts and indicators of compromise should you look out for?
Threat Intelligence Classifications:
Threat Intel is geared towards understanding the relationship between your operational environment and your adversary. With this in mind, we can break down threat intel into the following classifications:
- Strategic Intel: High-level intel that looks into the organisation’s threat landscape and maps out the risk areas based on trends, patterns and emerging threats that may impact business decisions.
- Technical Intel: Looks into evidence and artefacts of attack used by an adversary. Incident Response teams can use this intel to create a baseline attack surface to analyse and develop defence mechanisms.
- Tactical Intel: Assesses adversaries’ tactics, techniques, and procedures (TTPs). This intel can strengthen security controls and address vulnerabilities through real-time investigations.
- Operational Intel: Looks into an adversary’s specific motives and intent to perform an attack. Security teams may use this intel to understand the critical assets available in the organisation (people, processes, and technologies) that may be targeted.
Task 3: UrlScan.io
Urlscan.io is a free service developed to assist in scanning and analysing websites. It is used to automate the process of browsing and crawling through websites to record activities and interactions.
When a URL is submitted, the information recorded includes the domains and IP addresses contacted, resources requested from the domains, a snapshot of the web page, technologies utilised and other metadata about the website.
The site provides two views, the first one showing the most recent scans performed and the second one showing current live scans.
Scan Results
URL scan results provide ample information, with the following key areas being essential to look at:
- Summary: Provides general information about the URL, ranging from the identified IP address, domain registration details, page history and a screenshot of the site.
- HTTP: Provides information on the HTTP connections made by the scanner to the site, with details about the data fetched and the file types received.
- Redirects: Shows information on any identified HTTP and client-side redirects on the site.
- Links: Shows all the identified links outgoing from the site’s homepage.
- Behaviour: Provides details of the variables and cookies found on the site. These may be useful in identifying the frameworks used in developing the site.
- Indicators: Lists all IPs, domains and hashes associated with the site. These indicators do not imply malicious activity related to the site.
Note: Due to the dynamic nature of internet activities, data searched can produce different results on different days as new information gets updated.
Scenario
You have been tasked to perform a scan on TryHackMe’s domain. The results obtained are displayed in the image below. Use the details on the image to answer the questions:
Answer the questions below
3a. What was TryHackMe’s Cisco Umbrella Rank based on the screenshot?
They’re warming us up with some softballs…
Answer: 345612
3b. How many domains did UrlScan.io identify on the screenshot?
Same location…
Answer: 13
3c. What was the main domain registrar listed on the screenshot?
Answer: NAMECHEAP INC
3d. What was the main IP address identified for TryHackMe on the screenshot?
Answer: 2606:4700:10::ac43:1b0a
Task 4: Abuse.ch
Abuse.ch is a research project hosted by the Institute for Cybersecurity and Engineering at the Bern University of Applied Sciences in Switzerland. It was developed to identify and track malware and botnets through several operational platforms developed under the project. These platforms are:
- Malware Bazaar: A resource for sharing malware samples.
- Feodo Tracker: A resource used to track botnet command and control (C2) infrastructure linked with Emotet, Dridex and TrickBot.
- SSL Blacklist: A resource for collecting and providing a blocklist for malicious SSL certificates and JA3/JA3s fingerprints.
- URL Haus: A resource for sharing malware distribution sites.
- Threat Fox: A resource for sharing indicators of compromise (IOCs).
Let us look into these platforms individually.
MalwareBazaar
As the name suggests, this project is an all in one malware collection and analysis database. The project supports the following features:
- Malware Samples Upload: Security analysts can upload their malware samples for analysis and build the intelligence database. This can be done through the browser or an API.
- Malware Hunting: Hunting for malware samples is possible through setting up alerts to match various elements such as tags, signatures, YARA rules, ClamAV signatures and vendor detection.
FeodoTracker
With this project, Abuse.ch is targeting to share intelligence on botnet Command & Control (C&C) servers associated with Dridex, Emotes (aka Heodo), TrickBot, QakBot and BazarLoader/BazarBackdoor. This is achieved by providing a database of the C&C servers that security analysts can search through and investigate any suspicious IP addresses they have come across. Additionally, they provide various IP and IOC blocklists and mitigation information to be used to prevent botnet infections.
SSL Blacklist
Abuse.ch developed this tool to identify and detect malicious SSL connections. From these connections, SSL certificates used by botnet C2 servers would be identified and updated on a denylist that is provided for use. The denylist is also used to identify JA3 fingerprints that would help detect and block malware botnet C2 communications on the TCP layer.
You can browse through the SSL certificates and JA3 fingerprints lists or download them to add to your deny list or threat hunting rulesets.
URLhaus
As the name points out, this tool focuses on sharing malicious URLs used for malware distribution. As an analyst, you can search through the database for domains, URLs, hashes and filetypes that are suspected to be malicious and validate your investigations.
The tool also provides feeds associated with country, AS number and Top Level Domain that an analyst can generate based on specific search needs.
ThreatFox
With ThreatFox, security analysts can search for, share and export indicators of compromise associated with malware. IOCs can be exported in various formats such as MISP events, Suricata IDS Ruleset, Domain Host files, DNS Response Policy Zone, JSON files and CSV files.
Answer the questions below
4a. The IOC 212.192.246.30:5555 is identified under which malware alias name on ThreatFox?
Finally, we’re doing some analysis! Click the link to ThreatFox and click ThreatFox database
From there I pasted the IP address and got nothing, then I saw the Search Syntax box below the search field and that’s where we learn how to phrase our query so the database can read it.
Since we’re looking for an IOC here, we want to use the syntax at the top:
Append “ioc:” to the front of that IP address and we will find the IOC in question, then click on the IOC and we will get our solution:
Answer: Katana
4b. Which malware is associated with the JA3 Fingerprint 51c64c77e60f3980eea90869b68c58a8 on SSL Blacklist?
Navigate to the SSL Blacklist, then click JA3 Fingerprints, from here, paste the JA3 fingerprint, click through to the entry and we have our answer:
Answer: Dridex
4c. From the statistics page on URLHaus, what malware-hosting network has the ASN number AS14061?
Click statistics on the top right, then scroll down to Top Malware Hosting Networks and your answer is there:
Answer: DIGITALOCEAN-ASN
4d. Which country is the botnet IP address 178.134.47.166 associated with according to FeodoTracker?
Go to the FeodoTracker site and click browse, then search by the IP and we will get the result:
After typing in “Germany” and feeling about as dumb as most non-Americans think that we actually are, you will google it and find out that it’s referring to the country of “Georgia”. Yes I knew it was a real country, leave me alone.
Answer: Georgia
Task 5: PhishTool
Before going into the task, click the Start Machine button to start the attached VM and open it in Split View. You will be using the same machine through tasks 7 and 8.
This task will introduce you to a tool, PhishTool, that you would add to your toolkit of email analysis tools. Please take note that it would not be necessary to use it to complete the task; however, the principles learnt would be helpful.
Email Phishing
Email phishing is one of the main precursors of any cyber attack. Unsuspecting users get duped into opening and accessing malicious files and links sent to them by email, as they appear to be legitimate. As a result, adversaries infect their victims’ systems with malware, harvesting their credentials and personal data and performing other actions such as financial fraud or conducting ransomware attacks.
For more information and content on phishing, check out these rooms:
PhishTool seeks to elevate the perception of phishing as a severe form of attack and provide a responsive means of email security. Through email analysis, security analysts can uncover email IOCs, prevent breaches and provide forensic reports that could be used in phishing containment and training engagements.
PhishTool has two accessible versions: Community and Enterprise. We shall mainly focus on the Community version and the core features in this task. Sign up for an account via this link to use the tool.
The core features include:
- Perform email analysis: PhishTool retrieves metadata from phishing emails and provides analysts with the relevant explanations and capabilities to follow the email’s actions, attachments, and URLs to triage the situation.
- Heuristic intelligence: OSINT is baked into the tool to provide analysts with the intelligence needed to stay ahead of persistent attacks and understand what TTPs were used to evade security controls and allow the adversary to social engineer a target.
- Classification and reporting: Phishing email classifications are conducted to allow analysts to take action quickly. Additionally, reports can be generated to provide a forensic record that can be shared.
Additional features are available on the Enterprise version:
- Manage user-reported phishing events.
- Report phishing email findings back to users and keep them engaged in the process.
- Email stack integration with Microsoft 365 and Google Workspace.
We are presented with an upload file screen from the Analysis tab on login. Here, we submit our email for analysis in the stated file formats. Other tabs include:
- History: Lists all submissions made with their resolutions.
- In-tray: An Enterprise feature used to receive and process phish reports posted by team members through integrating Google Workspace and Microsoft 365.
Analysis Tab
Once uploaded, we are presented with the details of our email for a more in-depth look. Here, we have the following tabs:
- Headers: Provides the routing information of the email, such as source and destination email addresses, Originating IP and DNS addresses and Timestamp.
- Received Lines: Details on the email traversal process across various SMTP servers for tracing purposes.
- X-headers: These are extension headers added by the recipient mailbox to provide additional information about the email.
- Security: Details on email security frameworks and policies such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC).
- Attachments: Lists any file attachments found in the email.
- Message URLs: Associated external URLs found in the email will be found here.
We can further perform lookups and flag indicators as malicious from these options. On the right-hand side of the screen, we are presented with the Plaintext and Source details of the email.
Above the Plaintext section, we have a Resolve checkmark. Here, we get to perform the resolution of our analysis by classifying the email, setting up flagged artefacts and setting the classification codes. Once the email has been classified, the details will appear on the Resolution tab on the analysis of the email.
You can now add PhishTool to your list of email analysis tools.
Scenario
You are a SOC Analyst and have been tasked to analyse a suspicious email, Email1.eml. To solve the task, open the email using Thunderbird on the attached VM, analyse it and answer the questions below.
Answer the questions below
5a. What social media platform is the attacker trying to pose as in the email?
So we’re a SOC Analyst, and we’ve got a few sus emails to check. Launch the VM as instructed, if a split screen with the VM does not open, manually click Show Split View at the top to force it:
Now wait for it to load, then open the Emails folder on the Desktop, and double-click Email1.eml to open it with Thunderbird.
When Thunderbird loads, it’s going to ask you to setup an account, just cancel out of this, followed by exit to confirm, we don’t need to do that for this scenario:
Thunderbird will now open the email, and you can tell right away it’s trying to protect us by blocking remote content and we can see the answer we’re looking for in the emails text:
You can see the attackers are doing a pretty decent job of disguising their email to look legitimate in the body of the email at least. One thing they skipped out on was disguising the sender’s address.
Answer: LinkedIn
5b. What is the senders email address?
They didn’t put any effort at all into disguising this address to make it look legitimate, dead giveaway:
Answer: darkabutla@sc500.whpservers.com
5c. What is the recipient's email address?
Answer: cabbagecare@hotsmail.com
5d. What is the Originating IP address? Defang the IP address.
Couple ways to find this, the first and most clean way to do it is by using PhishTool, which is the subject of this task and an amazing resource. You’ll need to create an account to use this, however, and you can do so here. The second way to find this information is by manually analyzing the headers which is honestly a good thing to probably learn even if you do want to use PhishTool. Either way, we’re going to need to see the headers.
To open the headers, click More > View Source, and there we have them.
To do this via manual header analysis, do a ctrl+f to search for “sender IP” in the headers, your answer will be on that line:
BUT WAIT, we’re not done. We now need to defang the IP address. According to IBM, “Defanged IP addresses and URLs are entries that have been modified in a standardized way such as to prevent accidental access”. In other words, we’re taking precautions dealing with and sending potentially malicious URLs/IPs so that we, or whoever we send them to, doesn’t accidentally click something malicious. To do this we can use an amazing tool, that you’ll be using a lot in the field. You can find their GitHub here.
So go to CyberChef, search for “Defang IP”, double click that “recipe” and in the input screen, paste in the IP you found from PhishTool and it will be output below:
To do this via PhishTool, we need to be connected to the internet and seeing as this VM isn’t connected, I copied the headers to my machine locally and saved them to a file. Select them all and copy into the text editor of your choice, then save the file as a .txt file. Next upload that into PhishTool once you are logged in by clicking Analysis at the top right followed by choosing the file from wherever you saved it:
Then it will load the automated analysis based off the headers and your answer will be on the resulting screen:
BUT WAIT, we’re not done. We now need to defang the IP address. According to IBM, “Defanged IP addresses and URLs are entries that have been modified in a standardized way such as to prevent accidental access”. In other words, we’re taking precautions dealing with and sending potentially malicious URLs/IPs so that we, or whoever we send them to, doesn’t accidentally click something malicious. To do this we can use an amazing tool, that you’ll be using a lot in the field. You can find their GitHub here.
So go to CyberChef, search for “Defang IP”, double click that “recipe” and in the input screen, paste in the IP you found from PhishTool and it will be output below:
Answer: 204[.]93[.]183[.]11
5e. How many hops did the email go through to get to the recipient?
To manually find this is a little more tricky, again do a ctrl+f and search “Received:” and any line that begins with this string is a hop (the hop IPs are parenthesis).
This one is pretty easy in PhishTool, it’s on the same page we found the originating IP:
Answer: 4
Task 6: Cisco Talos Intelligence
IT and Cybersecurity companies collect massive amounts of information that could be used for threat analysis and intelligence. Being one of those companies, Cisco assembled a large team of security practitioners called Cisco Talos to provide actionable intelligence, visibility on indicators, and protection against emerging threats through data collected from their products. The solution is accessible as Talos Intelligence.
Cisco Talos encompasses six key teams:
- Threat Intelligence & Interdiction: Quick correlation and tracking of threats provide a means to turn simple IOCs into context-rich intel.
- Detection Research: Vulnerability and malware analysis is performed to create rules and content for threat detection.
- Engineering & Development: Provides the maintenance support for the inspection engines and keeps them up-to-date to identify and triage emerging threats.
- Vulnerability Research & Discovery: Working with service and software vendors to develop repeatable means of identifying and reporting security vulnerabilities.
- Communities: Maintains the image of the team and the open-source solutions.
- Global Outreach: Disseminates intelligence to customers and the security community through publications.
More information about Cisco Talos can be found on their White Paper
Talos Dashboard
Accessing the open-source solution, we are first presented with a reputation lookup dashboard with a world map. This map shows an overview of email traffic with indicators of whether the emails are legitimate, spam or malware across numerous countries. Clicking on any marker, we see more information associated with IP and hostname addresses, volume on the day and the type.
At the top, we have several tabs that provide different types of intelligence resources. The primary tabs that an analyst would interact with are:
- Vulnerability Information: Disclosed and zero-day vulnerability reports marked with CVE numbers and CVSS scores. Details of the vulnerabilities reported are provided when you select a specific report, including the timeline taken to get the report published. Microsoft vulnerability advisories are also provided, with the applicable snort rules that can be used.
- Reputation Center: Provides access to searchable threat data related to IPs and files using their SHA256 hashes. Analysts would rely on these options to conduct their investigations. Additional email and spam data can be found under the Email & Spam Data tab.
Task
Use the information gathered from inspecting the Email1.eml file from Task 5 to answer the following questions using Cisco Talos Intelligence. Please note that the VM launched in Task 5 would not have access to the Internet.
Answer the questions below
6a. What is the listed domain of the IP address from the previous task?
Open the Talos Intelligence page and paste in the IP in the search field, on the resulting screen it’ll display our answer:
Answer: scnet.net
6b. What is the customer name of the IP address?
So I looked for the WHOIS information in Talos but wasn’t able to find it there. However, if you pop back over to PhishTool, you will find our answer in the WHOIS information there:
Answer: Complete Web Reviews
Task 7: Scenario 1
Scenario: You are a SOC Analyst. Several suspicious emails have been forwarded to you from other coworkers. You must obtain details from each email to triage the incidents reported.
Task: Use the tools and knowledge discussed throughout this room (or use your resources) to help you analyze Email2.eml found on the VM attached to Task 5 and use the information to answer the questions.
Answer the questions below
7a. According to Email2.eml, what is the recipient’s email address?
Just open it the same way that we did with Email1 and it’s right there:
Answer: chris.lyons@supercarcenterdetroit.com
7b. From Talos Intelligence, the attached file can also be identified by the Detection Alias that starts with an H...
To get this answer, I downloaded the attachment, then got the SHA256 hash from it by opening a terminal and typing “sha256 sum/home/ubuntu/<path-to-file>.
Once you have the hash, search via it in Cisco Talos.
Now we’re looking for the alias that starts with an ‘H’, it’s the second down:
Answer: HIDDENEXT/Worm.Gen
Task 8: Scenario 2
Scenario: You are a SOC Analyst. Several suspicious emails have been forwarded to you from other coworkers. You must obtain details from each email to triage the incidents reported.
Task: Use the tools and knowledge discussed throughout this room (or use your resources) to help you analyze Email3.eml found on the VM attached to Task 5 and use the information to answer the questions.
Answer the questions below
8a. What is the name of the attachment on Email3.eml?
Open it up the same as the others, it’s right there at the bottom:
Answer: sales_receipt5606.xlsx
8b. What malware family is associated with the attachment on Email3.eml?
Let’s get the hash again using the same method, sha256sum, and then search the hash in Talos. Once there, you should see a family that sticks out to you that we know about from a previous task in this room:
Answer: Dridex
Task 9: Conclusion
There’s More Out There
You have come to the end of the room. However, this is just the tip of the iceberg for open-source threat intelligence tools that can help you as an analyst triage through incidents. There are plenty of more tools that may have more functionalities than the ones discussed in this room.
Check out these rooms to dive deeper into Threat Intelligence:
This concludes the Threat Intelligence Tools room on TryHackMe. This room was very fun and a nice change of pace from the very easy previous room. We learned how to use tools like UrlScan.io, the Abuse.ch suite, (MalwareBazaar, FeodoTracker, SSL Blacklist, URLhaus, & ThreatFox), PhishTool, and Cisco Talos Intelligence. We analyzed some phishy emails while putting those tools to use.
Thanks for joining me on this walkthrough and we’ll see you in the next one where we will take a deep dive into the malware identification and classification tool, YARA.
