Threat Intelligence Tools

Task 1: Room Outline

This room will introduce us to common tools used in cyber threat intelligence. In this room, we will:

Understand the basics of threat intelligence & its classifications
Use UrlScan.io to scan for malicious URLs
Use Abuse.ch to track malware and botnet indicators
Investigate phishing emails using PhishTool
Use Cisco's Talos Intelligence platform for intelligence gathering

Task 2: Threat Intelligence

Threat intelligence analyzes data to understand how to defend risks associated with existing or emerging threats targeting organizations, industries, or governments. There are a few different types of intelligence:

Strategic intel: Looks into the organization's threat landscape and maps out risk areas
Technical intel: Looks into evidence and artifacts of an attack performed by an adversary
Tactical intel: Assesses adversaries' tactics, techniques, and procedures (TTPs)
Operational intel: Looks into the adversary's motives and intent to attack

Task 3: UrlScan.io

is a free application that assists in scanning and analyzes websites. The service includes information such as HTTP connections, redirects, links, behaviors, etc.

What was TryHackMe's Cisco Umbrella Rank based on the screenshot?

345612

This information is listed in the first section of the Summary.

How many domains did UrlScan.io identify on the screenshot?

This information is listed in the first section of the Summary.

What was the main domain registrar listed on the screenshot?

NAMECHEAP INC

This information is listed in the Live information section of the Summary.

What was the main IP address identified for TryHackMe on the screenshot?

2606:4700:10::ac43:1b0a

This information is listed in the first section of the Summary.

Task 4: Abuse.ch

is a research project hosted at Bern University of Applied Sciences. The project identifies and tracks malware and botnets through various platforms.

is an all-in-one malware collection and analysis database.
is a resource that tracks botnet command and control (C2) infrastructure linked with Emotet, Dridex and TrickBot.
is a tool that identifies and detects malicious SSL connections, identified by certificates and JA3/JA3s fingerprints.
is a tool that shares malicious URLs used for malware distribution
is a resource for searching and sharing indicators of compromise (IOCs) associated with malware

The IOC 212.192.246.30:5555 is identified under which malware alias name on ThreatFox?

Katana

Search ioc:212.192.246.30:5555 in the ThreatFox database.

Which malware is associated with the JA3 Fingerprint 51c64c77e60f3980eea90869b68c58a8 on SSL Blacklist?

Dridex

Go to JA3 Fingerprints in SSL Blacklist and search 51c64c77e60f3980eea90869b68c58a8.

From the statistics page on URLHaus, what malware-hosting network has the ASN number AS14061?

DIGITALOCEAN-ASN

Go to the statistics page on URLHaus and scroll down to "Top Malware Hosting Networks".

Which country is the botnet IP address 178.134.47.166 associated with according to FeodoTracker?

Georgia

Go to the browse tab on FeodoTracker and type 178.134.47.166 in the search bar.

Task 5: PhishTool

PhishTool performs email analysis, heuristic intelligence, and classification and reporting to help analysts uncover and prevent breaches arising from phishing.

The email to be analyzed is located in the folder called "Emails" located on the Desktop. Double click on the email. For this exercise, you can setup Thunderbird arbitrarily.

What is the senders email address?

darkabutla@sc500.whpservers.com

This information can be found at the top of the email.

What is the recipient's email address?

cabbagecare@hotsmail.com

This information can be found at the top of the email.

What is the Originating IP address? Defang the IP address.

204[.]93[.]183[.]11

Click more (on the upper-right side of the email), and then click view source. Find the part of the line that says "sender ip is". Put brackets around the period to defang.

How many hops did the email go through to get to the recipient?

Click more (on the upper-right side of the email), and then click view source. There are four "Received" headers, indicating 4 jumps.

Task 6: Cisco Talos Intelligence

Cisco Talos Intelligence provides actionable intelligence, visibility on indicators, and protection against emerging threats through data collected from Cisco products. The Cisco Talos team is comprised of six subteams: (1) Threat Intelligence & Interdiction, (2) Detection Research, (3) Engineering and Development, (4) Vulnerability Research and Discovery, (5) Communities, and (6) Global Outreach.

What is the listed domain of the IP address from the previous task?

scnet.net

Enter the IP address into Talos Intelligence's Reputation Center.

What is the customer name of the IP address?

Complete Web Reviews

Use the command whois <ip_address> to find this information.

Task 7: Scenario 1

Analyze Email2.eml on the attacked VM to answer the following questions.

According to Email2.eml, what is the recipient's email address?

chris.lyons@supercarcenterdetroit.com

This information can be found at the top of the email.

From Talos Intelligence, the attached file can also be identified by the Detection Alias that starts with an H...

HIDDENEXT/Worm.Gen

Download this file and run the command sha256sum <file> to get the SHA256 hash. Put this hash into Talos Intelligence.

Task 8: Scenario 2

Analyze Email3.eml on the attacked VM to answer the following questions.

What is the name of the attachment on Email3.eml?

Sales_Receipt 5606.xls

This information can be found at the bottom of the email.

What malware family is associated with the attachment on Email3.eml?

Dridex

Download this file and ran the command sha256sum <file> to get the SHA256 hash. Put this hash into Talos Intelligence.

Task 9: Conclusion

We have covered the tip of the iceberg for open-source threat intelligence tools in this room.

⋅ ⋅

Last updated 4 months ago