MISP Exercise 2
Last updated 3 years ago
MISP Lab02: Phishing E-mail

1. Introduction

The Malware Information Sharing Platform (MISP) can be used to track different types of security incidents in your company. In this lab you will learn how to compose events in MISP, with a focus on phishing emails.

2. Setup

Start the docker image:

cd /home/hacker/misp-docker-image
docker-compose up

Login with the following credentials:

User: investigator@misp-lab2.com
Password: compass

3. Create a MISP Event

The IT department notified you that several employees in your company received a phishing email claiming to come from Microsoft. Fortunately, nobody clicked on the malicious link. Your job now is to record this security incident as an event in your MISP instance.

You should now see the Add Event prompt. Here you only fill in the basic information about your incident; detailed information will be recorded later.

Date: Fill in when the event occurred (in this case, the date the email was received).

Distribution: Since you don't want to share your event with other organisations yet, set Distribution to Your organisation only.

Threat Level: The threat level can be set to Low, since nobody clicked on the link.

Analysis: Set Analysis to Initial - The Event has just been created

Event Info: Write a quick description about the event.

Extends Event: This can be left blank. You don't have any special ID for your event. MISP will generate one automatically for you.

Click the Submit button to save your new event.

4. Add Objects to your MISP Event

Unfortunately, you can't get any useful information about the source from that screenshot. Luckily, they attached the original message for you. Download the mail phishing-mail-1.eml and open it with your preferred editor. As you can see, the sender tried to fool the spam filter of your mail server.

You now have all the information for this event.

Click on Add Object -> All Objects -> email

First seen date / Last seen date: 2021-11-10

First seen time / last seen time: 16:03:09+01:00

Screenshot: Upload the screenshot

Subject: Your account will be deleted permanently

To: marius.zindel@ost.ch

From-display-name: MlCROSOFT

From: eve.johnson4242@gmail.com

Eml: Upload the EML file

Email-body: Copy and paste the body from the EML file

Ip-src: 209.85.216.46

I converted the eml file to an html file with the following command:

sudo apt install mhonarc
mhonarc -single phising_mail01.eml > phising_mail01.html

Once you have filled in the provided information, click Submit and then the Create new object button.
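As an added example (not part of the original lab), the script below pulls the fields listed above out of an .eml file the way you do by hand in step 4, mapping them to the object-relation names of MISP's email object, and checks whether the sender display name is a lookalike of the brand it imitates. The sample message is constructed from the values on this page; the mail-server hostnames in it are placeholders.

```python
# Added example, not part of the original lab: build the attributes of a MISP
# "email" object (step 4) from an .eml file with the standard library, and flag
# a lookalike sender display name such as "MlCROSOFT".
import email
import re
from email import policy

# Constructed sample message using the values the lab records for phishing-mail-1.
SAMPLE_EML = b"""Received: from mail-pj1-f46.example.test ([209.85.216.46])
        by mx.example.test with ESMTP for <marius.zindel@ost.ch>;
        Wed, 10 Nov 2021 16:03:09 +0100
From: "MlCROSOFT" <eve.johnson4242@gmail.com>
To: marius.zindel@ost.ch
Subject: Your account will be deleted permanently
Content-Type: text/plain; charset=utf-8

Your account will be deleted unless you verify it within 24 hours.
"""

IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
LOOKALIKES = str.maketrans({"l": "i", "1": "i", "0": "o"})  # lowercase L for i, etc.

def first_address(msg, header):
    """Return (display_name, addr_spec) of the first address in a header."""
    hdr = msg.get(header)
    if hdr is None or not hdr.addresses:
        return "", ""
    return hdr.addresses[0].display_name, hdr.addresses[0].addr_spec

def misp_email_object(raw: bytes) -> dict:
    """Map an EML to {object-relation: value} as used by MISP's email object."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, sender = first_address(msg, "From")
    # The last Received header is the earliest hop; its IP becomes ip-src.
    received = msg.get_all("Received") or []
    match = IP_RE.search(received[-1]) if received else None
    body = msg.get_body(preferencelist=("plain",))
    return {
        "subject": str(msg.get("Subject", "")),
        "to": first_address(msg, "To")[1],
        "from": sender,
        "from-display-name": display,
        "ip-src": match.group(1) if match else "",
        "email-body": body.get_content().strip() if body else "",
    }

def spoofed_brand(display_name: str, brand: str) -> bool:
    """True when the name matches the brand only after lookalike folding."""
    fold = lambda s: s.casefold().translate(LOOKALIKES)
    return display_name.casefold() != brand.casefold() and fold(display_name) == fold(brand)
```

Running the same function over phishing-mail-2.eml in step 7 lets you compare the two ip-src values directly, which is the point behind security question 3.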

5. Add an attribute to your event

You probably noticed that the sender email address is eve.johnson4242@gmail.com, so it is quite possible that our sender's name is Eve Johnson. Let's add her as an attribute to our event.

Click on Add Attribute and a new prompt will open.

Category: Person

Type: first-name

Distribution: Inherit event

Value: Eve

Repeat this step and create a second attribute for the last name.

6. Merge attributes into an object

The goal now is to link the first name with the last name so that you can see the correlation between these names. Go back to your event, select the two checkboxes of the Person attributes you already created, and click the Group selected Attributes into an Object button.

7. New Phishing Mail received

The IT service desk notified you that somebody has again sent phishing emails to your company. The screenshot looks quite familiar:

Again create a new MISP event, but don't add any objects or attributes yet.

If you need assistance, recap step 3.

Download the second eml file phishing-mail-2.eml and open it with your preferred editor.

Unlike before, you don't add the information manually "by hand". In this step, you will use the Freetext import.

This can be done by clicking on Populate from... -> Freetext import

8. Correlation Graph

You have now successfully created two different events. You suspect that they are most likely related. To analyse the correlation between events you can use the Correlation Graph tool.

Open the tool by clicking View Correlation Graph.

FLAG: eve.johnson4242@gmail.com

9. Security Questions

  1. What is the difference between attributes and objects in an event?

  2. Why are you only able to merge into a person object, and not into an employee object, in step 6?

  3. Why does the IP address not show up as a correlation between the two events?

10. Answers

  1. Attributes are single pieces of information, like network indicators, for a specific MISP event. You can put different attributes that belong together into an object. An object is like a container with different attributes.

  2. That's because we didn't create an attribute for employee yet.

  3. There's no correlation because the sender's IP address is different.