Here are my side projects
I did a TryHackMe room where I investigated an incident involving a suspicious e-mail! Here is how I did it!
Step 1: Examining the E-Mail File
I opened up the e-mail file and noted the recipient of the e-mail, which is highlighted in the screenshot below.
The e-mail also had an attachment which I saved to my virtual machine in TryHackMe.
Step 2: Calculating the Hash Value of the Attachment
I then went into the Properties of the attachment and opened the "Digests" tab, where I got the hash values of the attachment. The SHA256 value is the one used later.
Step 3: Using Cisco's Talos Intelligence Tool
I then went to https://www.talosintelligence.com/, clicked on the circled menu option, and selected "File Reputation Lookup".
Step 4: Input the SHA256 Value
This is a pretty straightforward step; it appears you can only look up a SHA256 value.
Step 5: Analyzing the File Reputation
Here is the output of the results. The file reputation is labeled as malicious. It also includes detection aliases, which are the other names associated with the file. As noted in the screenshot, this is all limited to a SHA256 lookup.
Step 6: Finding Information Through The IP Address
If you examine the file with Pluma, which is already available on the virtual machine TryHackMe provides, you can find an IP address. Here we are going to work with 188.8.131.52, which is highlighted in green.
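Steps 1 through 6 above can be scripted for repeatable triage: parse the .eml, pull out each attachment, compute its SHA256 for the reputation lookup, and scan the attachment bytes for IPv4 addresses instead of eyeballing them in Pluma. This is an added example, not part of the room or the original write-up; the sample message and attachment content are constructed here, and only the 188.8.131.52 value comes from the write-up.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# Constructed attachment body (not the room's real file). It is plain text
# so the IP can be found the same way it was spotted in Pluma.
ATTACHMENT_BODY = b"config: beacon to 188.8.131.52 every 60s\n"

# Matches dotted-quad IPv4 candidates; good enough for triage output.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def build_sample_eml() -> bytes:
    """Build a constructed .eml with one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(ATTACHMENT_BODY, maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    return msg.as_bytes()


def sha256_hex(data: bytes) -> str:
    """SHA256 digest as lowercase hex, the form Talos' file lookup accepts."""
    return hashlib.sha256(data).hexdigest()


def triage_eml(raw: bytes) -> dict:
    """Return recipient plus, per attachment, filename, SHA256 and IPv4 hits."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"recipient": str(msg["To"]), "attachments": []}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)  # base64 decoded to raw bytes
        report["attachments"].append({
            "filename": part.get_filename(),
            "sha256": sha256_hex(data),
            # latin-1 never fails to decode, so binary files are safe to scan
            "ipv4": sorted(set(IPV4_RE.findall(data.decode("latin-1")))),
        })
    return report


if __name__ == "__main__":
    print(triage_eml(build_sample_eml()))
```

The SHA256 and IP values from the report are what you would paste into the Talos File Reputation and IP lookups in the following steps.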
Step 7: IP Lookup with Cisco Talos Intelligence
You can also do a lookup by IP. Again, this is a pretty straightforward step: enter the necessary value, in this case an IP address.
Step 8: Analyzing the Output
Here we are given a few important pieces of information. The location of the IP is the Netherlands. It doesn't appear on any block lists, and it has a neutral sender IP reputation.
Step 9: Using VirusTotal to Confirm if File is Malicious
When investigating, multiple tools should be used to ensure you are getting accurate results, since not all tools will have information on a specific file, hash value, or IP. Many of these tools are databases to which people submit information themselves. I used the hash value and was able to find other names associated with it.
Step 10: Viewing the Activity Summary on VirusTotal
Another cool feature of VirusTotal is that it tells you which files and registry keys have been opened by the executable. It also shows which processes the executable created or terminated.
This was my favorite activity yet! I will be doing another one as well!