MISP Exercise 2
Last updated
The Malware Information Sharing Platform can be used for tracking different types of security incidents in your company. In this lab you will learn how to compose events in MISP, with a focus on phishing emails.
Starting docker image
cd /home/hacker/misp-docker-image
docker-compose up
Login with the following credentials:
User: investigator@misp-lab2.com
Password: compass
The IT department notified you that several employees in your company received a phishing email claiming to come from Microsoft. Fortunately, nobody clicked on the malicious link. Your job is now to record this security incident as an event in your MISP instance.
You should now see the Add Event prompt. Here you fill in only the basic information about your incident; detailed information will be recorded later.
Date: Fill in when the event occurred (in this case the date the email was received).
Distribution: Since you don't want to share your event with other organisations yet, set the distribution to Your organisation only.
Threat Level: The threat level can be set to Low, since nobody clicked on the link.
Analysis: Set Analysis to Initial - The Event has just been created
Event Info: Write a quick description about the event.
Extends Event: This can be left blank. You don't have any special ID for your event. MISP will generate one automatically for you.
Click the Submit button to save your new event.
Unfortunately, you can't get any useful information about the source from that screenshot. Luckily, they attached the original message for you. Download the mail phishing-mail-1.eml and open it with your preferred editor. As you can see, the sender tried to fool the spam filter of your mail server.
You now have all the information you need for this event.
Click on Add Object -> All Objects -> email
First seen date / Last seen date: 2021-11-10
First seen time / last seen time: 16:03:09+01:00
Screenshot: Upload the screenshot
Subject: Your account will be deleted permanently
To: marius.zindel@ost.ch
From-display-name: MlCROSOFT
From: eve.johnson4242@gmail.com
Eml: Upload the EML file
Email-body: Copy and paste the body from the EML file
Ip-src: 209.85.216.46
I converted the eml file to an html file with the following command:
Once you have filled in the information above, click Submit and then the Create new object button.
You probably noticed that the sender's email address is eve.johnson4242@gmail.com, so it is quite possible that the sender's name is Eve Johnson. Let's add her as an attribute to our event.
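The email object fields listed above are all recoverable from the .eml itself. The following is an added example (not part of the lab or of MISP) that parses a constructed message modelled on phishing-mail-1.eml with the Python standard library and maps it onto the MISP email-object attribute names; it assumes, as the lab does, that ip-src is the address in the earliest Received hop, and the hostnames, body text and 198.51.100.7 relay are constructed.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample message modelled on phishing-mail-1.eml from the lab.
# Relay hostnames, the 198.51.100.7 hop and the body text are invented.
SAMPLE_EML = b"""Received: from mx.example.test (mx.example.test [198.51.100.7])
\tby mail.ost.ch; Wed, 10 Nov 2021 16:03:09 +0100
Received: from mail-out.sender.example (mail-out.sender.example [209.85.216.46])
\tby mx.example.test; Wed, 10 Nov 2021 16:03:08 +0100
From: MlCROSOFT <eve.johnson4242@gmail.com>
To: marius.zindel@ost.ch
Subject: Your account will be deleted permanently
Date: Wed, 10 Nov 2021 16:03:09 +0100

Your account will be deleted. Click here to keep it.
"""

# Matches the bracketed IPv4 literal in a Received header.
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_ip(msg):
    """IP of the earliest hop: Received headers are prepended by each relay,
    so the last one listed is the one closest to the sending client."""
    for hop in reversed(msg.get_all("Received") or []):
        match = IPV4.search(hop)
        if match:
            return match.group(1)
    return None


def email_object_attributes(raw_eml):
    """Map a raw EML to the MISP email-object attribute names used in the lab."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_eml)
    display_name, address = parseaddr(str(msg.get("From", "")))
    body = msg.get_body(preferencelist=("plain",))
    return {
        "subject": str(msg.get("Subject", "")),
        "to": str(msg.get("To", "")),
        "from": address,
        "from-display-name": display_name,
        "ip-src": originating_ip(msg),
        "email-body": body.get_content().strip() if body else "",
    }
```

Each key of the returned dict is one field of the Add Object -> email form; the display name MlCROSOFT (lower-case L for I) is what the lab means by fooling the spam filter.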
Click on Add Attribute and a new prompt will open.
Category: Person
Type: first-name
Distribution: Inherit event
Value: Eve
Repeat this step and create a second attribute for the last name.
The goal now is to link the first-name with the last-name so that you can see the correlation between them. Go back to your event, select the checkboxes of the two Person attributes you just created, and click the Group selected Attributes into an Object button.
The IT service desk notified you that somebody has again sent phishing emails to your company. The screenshot looks quite familiar:
Create again a new MISP event, but don't add any objects or attributes yet.
If you need assistance, recap step 3.
Download the second eml file phishing-mail-2.eml and open it with your preferred editor.
Unlike before, you don't add the information manually "by hand". In this step you will use the Freetext import.
This can be done by clicking on Populate from... -> Freetext import
You have now successfully created two different events. You suspect that they are most likely related. To analyse the correlation between events you can use the Correlation Graph tool.
Open the tool by clicking View Correlation Graph.
FLAG: eve.johnson4242@gmail.com
1. What is the difference between attributes and objects in an event?
2. Why are you only able to merge into a Person object and not into an Employee object in step 6?
3. Why does the IP address not show up as a correlation between the two events?
1. Attributes are single pieces of information, like network indicators, for a specific MISP event. You can put different attributes that belong together into an object. An object is like a container with different attributes.
2. That's because we didn't create an attribute for employee yet.
3. There's no correlation because the sender's IP address is different.