Phishing Prevention (Phishing Emails 4) Tryhackme Walkthrough
This write-up covers the Phishing Prevention Room on TryHackMe.
Learning Path(s): SOC Level 1
Module: Phishing
Task 02: SPF (Sender Policy Framework)
SPF is a tool used to verify the sender of an email and ensure that a mail server is authorized to send email for a specific domain.
An SPF record is a DNS TXT record that lists the IP addresses allowed to send email on behalf of a domain. A basic SPF record starts with “v=spf1” and includes specifications for which IP addresses and domains are authorized to send email, as well as how non-authorized emails should be handled. Example: v=spf1 ip4:127.0.0.1 include:_spf.google.com -all
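As an added example (not part of the TryHackMe room or this write-up), here is a small SPF evaluator in Python that walks a record's qualifiers and mechanisms the way a receiving mail server does. The example.com record is the one shown above; the rest of the DNS table, including the contents of _spf.google.com, is constructed so the example runs offline and is not Google's real record. It also shows why the Task 2 answer below, v=spf1 ~all, yields softfail rather than fail for every sender.

```python
import ipaddress

# Constructed DNS TXT table standing in for live lookups (offline example).
# example.com carries the record from the text; _spf.google.com's contents are
# made up for this example and are NOT Google's real SPF record.
DNS_TXT = {
    "example.com": "v=spf1 ip4:127.0.0.1 include:_spf.google.com -all",
    "_spf.google.com": "v=spf1 ip4:203.0.113.0/24 ~all",
    "softfail.example": "v=spf1 ~all",   # the Task 2 answer: every sender softfails
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying mechanisms


def check_host(ip, domain, txt=DNS_TXT, _lookups=None):
    """Evaluate SPF for sender IP `ip` claiming `domain`.

    Returns pass / fail / softfail / neutral / none / permerror, mirroring the
    result names a real SPF resolver produces. Only ip4, ip6, include and all
    are implemented; other mechanisms give permerror here."""
    lookups = _lookups if _lookups is not None else [0]
    record = txt.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"  # no SPF record published for this domain
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier, mech = "+", term  # an unqualified mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # terminal: -all hardfails, ~all softfails
        if name in ("ip4", "ip6"):
            try:
                if addr in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIERS[qualifier]
            except ValueError:
                return "permerror"  # malformed address or prefix
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"  # too many DNS-querying mechanisms
            # include matches only when the referenced record returns "pass"
            if check_host(ip, arg, txt, lookups) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # a/mx/ptr/exists/redirect not implemented here
    return "neutral"  # nothing matched and no "all" terminator


if __name__ == "__main__":
    for ip, dom in [("127.0.0.1", "example.com"), ("203.0.113.9", "example.com"),
                    ("198.51.100.7", "example.com"), ("198.51.100.7", "softfail.example")]:
        print(ip, dom, "->", check_host(ip, dom))
```

The include mechanism only counts as a match when the referenced domain's own evaluation returns pass; the ~all at the end of the included record does not leak out as a softfail for example.com, which still ends on its own -all.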
Task 03: DKIM (DomainKeys Identified Mail)
DKIM stands for DomainKeys Identified Mail and is used for email authentication. It is an open standard used for DMARC alignment; it is more complex than SPF, but it survives forwarding.
The DKIM record contains the version of the record, key type, and public key that will be matched to the private key created during setup.
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxTQIC7vZAHHZ7WVv/5x/qH1RAgMQI+y6Xtsn73rWOgeBQjHKbmIEIlgrebyWWFCXjmzIP0NYJrGehenmPWK5bF/TRDstbM8uVQCUWpoRAHzuhIxPSYW6k/w2+HdCECF2gnGmmw1cT6nHjfCyKGsM0On0HDvxP8I5YQIIlzNigP32n1hVnQP+UuInj0wLIdOBIWkHdnFewzGK2+qjF2wmEjx+vqHDnxdUTay5DfTGaqgA9AKjgXNjLEbKlEWvy0tj7UzQRHd24a5+2x/R4Pc7PF/y6OxAwYBZnEPO0sJwio4uqL9CYZcvaHGCLOIMwQmNTPMKGC9nt3PSjujfHUBX3wIDAQAB
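As an added example (not the room's code), the following Python checks the DKIM record shown above: it parses the tag list, base64-decodes the p= value, walks the DER-encoded SubjectPublicKeyInfo to read the RSA modulus size, and flags a revoked key (an empty p= per RFC 6376) or an undersized one (RFC 8301 requires at least 1024 bits). The DER walker is a minimal hand-written one assumed for this example, not a library the room uses.

```python
import base64

# The DKIM TXT record from the text above (Task 03).
DKIM_TXT = ("v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxTQIC7vZAHHZ7WVv"
            "/5x/qH1RAgMQI+y6Xtsn73rWOgeBQjHKbmIEIlgrebyWWFCXjmzIP0NYJrGehenmPWK5bF/TRDstbM8u"
            "VQCUWpoRAHzuhIxPSYW6k/w2+HdCECF2gnGmmw1cT6nHjfCyKGsM0On0HDvxP8I5YQIIlzNigP32n1hV"
            "nQP+UuInj0wLIdOBIWkHdnFewzGK2+qjF2wmEjx+vqHDnxdUTay5DfTGaqgA9AKjgXNjLEbKlEWvy0tj"
            "7UzQRHd24a5+2x/R4Pc7PF/y6OxAwYBZnEPO0sJwio4uqL9CYZcvaHGCLOIMwQmNTPMKGC9nt3PSjujf"
            "HUBX3wIDAQAB")


def parse_tag_list(record):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2) into a dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip()] = value.strip()
    return tags


def _read_tlv(buf, pos, expect):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    if tag != expect:
        raise ValueError(f"expected DER tag {expect:#x}, got {tag:#x}")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """Bit length of the RSA modulus inside a SubjectPublicKeyInfo DER blob."""
    _, spki, _ = _read_tlv(spki_der, 0, 0x30)       # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = _read_tlv(spki, 0, 0x30)            # AlgorithmIdentifier (skipped)
    _, bitstr, _ = _read_tlv(spki, pos, 0x03)       # BIT STRING holding RSAPublicKey
    _, rsa_seq, _ = _read_tlv(bitstr[1:], 0, 0x30)  # drop unused-bits byte, then SEQUENCE
    _, modulus, _ = _read_tlv(rsa_seq, 0, 0x02)     # INTEGER n (leading 0x00 pad is fine)
    return int.from_bytes(modulus, "big").bit_length()


def check_dkim_record(record):
    """Return key type, modulus size and a list of problems for a DKIM TXT record."""
    tags = parse_tag_list(record)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append(f"unexpected version {tags['v']!r}")
    key_type = tags.get("k", "rsa")  # k= defaults to rsa when absent
    bits = None
    if "p" not in tags:
        problems.append("missing p= tag")
    elif tags["p"] == "":
        problems.append("key revoked (empty p=)")  # RFC 6376: empty p= means revoked
    else:
        try:
            der = base64.b64decode("".join(tags["p"].split()), validate=True)
            bits = rsa_modulus_bits(der) if key_type == "rsa" else None
        except (ValueError, IndexError):
            problems.append("p= is not a valid base64-encoded RSA public key")
        if bits is not None and bits < 1024:
            problems.append(f"weak {bits}-bit key (RFC 8301 requires at least 1024)")
    return {"key_type": key_type, "modulus_bits": bits, "problems": problems}


if __name__ == "__main__":
    print(check_dkim_record(DKIM_TXT))
```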
A snippet of an email header for a spam email with a potentially malicious attachment is also provided below.
Task 04: DMARC (Domain-Based Message Authentication, Reporting, and Conformance)
DMARC is an open standard that uses alignment to tie two other open standards, SPF and DKIM, to the content of an email.
By implementing a DMARC record, domain owners can troubleshoot their SPF and DKIM configurations.
v=DMARC1; p=quarantine; rua=mailto:postmaster@website.com
A basic DMARC record includes v=DMARC1, p=quarantine, and rua=mailto:postmaster@website.com as shown above.
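As an added example (not part of the room), the following Python parses the record above and applies the alignment rule DMARC is built on: an email passes when SPF passes for a MAIL FROM domain aligned with the From header domain, or DKIM passes for a d= domain aligned with it; otherwise the p= policy decides. The organizational-domain function is a deliberate simplification (last two labels) rather than a Public Suffix List lookup, and the inputs are constructed.

```python
# The DMARC record from the text above (Task 04).
DMARC_TXT = "v=DMARC1; p=quarantine; rua=mailto:postmaster@website.com"


def parse_dmarc(record):
    """Parse a DMARC tag list; alignment modes default to relaxed ("r")."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (needs v=DMARC1 and p=)")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Simplified organizational domain: the last two labels.
    Real receivers consult the Public Suffix List (e.g. for co.uk)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ("s") needs an exact match; relaxed ("r") only the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the MAIL FROM (envelope) domain SPF was checked against;
    dkim_domain is the d= tag of the DKIM-Signature that was verified."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"  # at least one aligned authentication passed
    return "fail", tags["p"]  # apply the domain owner's requested policy


if __name__ == "__main__":
    # Constructed scenario: SPF passed on the bounce subdomain, DKIM failed.
    print(dmarc_evaluate(DMARC_TXT, "website.com", "pass", "bounce.website.com", "fail", ""))
```

Real receivers also honour the pct= and sp= tags and the forensic/aggregate report addresses (ruf=/rua=), which this example leaves out.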
DMARC can be checked using the Domain Health Checker.
Task 05: S/MIME (Secure/Multipurpose Internet Mail Extensions)
S/MIME is a protocol for sending digitally signed and encrypted messages. It uses digital signatures and encryption through public key cryptography to ensure data integrity and nonrepudiation.
To use S/MIME, a digital certificate containing a public key is needed. The sender signs the email message with their private key, and the recipient verifies (decrypts) the signature with the sender’s public key. Both parties exchange certificates for future correspondence.
Task 06: SMTP Status Codes
Setting up: 💡 Start the TryHackMe VM, or deploy the machine and connect to it via OpenVPN.
In this task, you’ll examine a PCAP file with SMTP traffic. You’ll only focus on SMTP codes in this task.
Here are two resources to assist you with this task:
Task 07: SMTP Traffic Analysis
In this task, you’ll move beyond SMTP codes and analyze trivial SMTP traffic.
The reference below may assist you with this task:
Task 08: SMTP and C&C Communication
MITRE ATT&CK:
- Technique 1071 > Sub-Technique 3: https://attack.mitre.org/techniques/T1071/003/
Attackers may use email delivery protocols to communicate and avoid detection by blending in with existing traffic. This technique has been used by several groups including APT 28, APT 32, and Turla.
Mitigation can be achieved by using network intrusion detection and prevention systems that identify traffic for specific adversary malware.
Detection opportunity (per MITRE):
Packet analysis can also be used to detect application layer protocols that do not follow expected standards.
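As an added example covering both Task 06 (reading SMTP status codes out of a session) and Task 08 (spotting application-layer traffic that does not follow the expected standard), here is a small Python analyzer over two constructed transcripts. Neither transcript is taken from the room's PCAP; the frame numbers are simply line positions that stand in for packet numbers. Nothing here is the room's or Wireshark's code.

```python
import re

# Two constructed transcripts, one message per line, prefixed "S:" (server to
# client) or "C:" (client to server). Frame numbers = 1-based line positions.
NORMAL_SESSION = """\
S: 220 mx.example.net ESMTP ready
C: EHLO client.example.org
S: 250-mx.example.net
S: 250 SIZE 10240000
C: MAIL FROM:<sender@example.org>
S: 250 2.1.0 Ok
C: RCPT TO:<user@example.net>
S: 550 5.7.1 Email blocked using spamhaus.org
C: RCPT TO:<other@example.net>
S: 250 2.1.5 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: Subject: invoice
C: .
S: 250 2.0.0 Ok: queued
C: QUIT
S: 221 2.0.0 Bye
"""

# Constructed non-SMTP chatter on the mail port: made-up verbs and a free-form
# server reply instead of three-digit status codes.
ODD_SESSION = """\
S: 220 mx.example.net ESMTP ready
C: EHLO beacon
S: 250 mx.example.net
C: POLL agent-7
S: 250 Ok
C: PUT dGFzayByZXN1bHQ=
S: next check-in in 60s
"""

SMTP_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT",
              "VRFY", "EXPN", "HELP", "STARTTLS", "AUTH"}
RESPONSE_RE = re.compile(r"^(\d{3})([ -])(.*)$")  # "250 text" or "250-text" (multi-line)
DNSBL_HINTS = ("spamhaus", "dnsbl", "blocklist")


def parse_session(text):
    """Return (frame, direction, payload) tuples from a transcript."""
    events = []
    for frame, line in enumerate(text.splitlines(), start=1):
        direction, payload = line.split(":", 1)
        events.append((frame, direction.strip(), payload.strip()))
    return events


def server_responses(events):
    """(frame, code, message) for every server line carrying a status code."""
    out = []
    for frame, direction, payload in events:
        m = RESPONSE_RE.match(payload) if direction == "S" else None
        if m:
            out.append((frame, int(m.group(1)), m.group(3)))
    return out


def banner_message(events):
    """Text of the 220 greeting, which opens every SMTP session."""
    return next((msg for _, code, msg in server_responses(events) if code == 220), None)


def blocked_recipients(events):
    """5xx responses that cite a DNS blocklist."""
    return [(f, c, m) for f, c, m in server_responses(events)
            if 500 <= c < 600 and any(h in m.lower() for h in DNSBL_HINTS)]


def data_handshakes(events):
    """Pair each client DATA with the server code answering it (354 when accepted)."""
    pairs, pending = [], None
    for frame, direction, payload in events:
        if direction == "C" and payload.upper() == "DATA":
            pending = frame
        elif direction == "S" and pending is not None and RESPONSE_RE.match(payload):
            pairs.append((pending, int(payload[:3])))
            pending = None
    return pairs


def protocol_anomalies(events):
    """Flag mail-port traffic that does not look like RFC 5321 SMTP: no 220
    greeting, client verbs outside the SMTP set, or server lines without a
    status code. Lines in the DATA phase (after 354, up to the lone '.') are
    message content and are exempt."""
    findings, in_data, first_server = [], False, True
    for frame, direction, payload in events:
        if direction == "S":
            m = RESPONSE_RE.match(payload)
            if first_server and not (m and m.group(1) == "220"):
                findings.append((frame, "no 220 greeting"))
            first_server = False
            if not m:
                findings.append((frame, "server line without status code"))
            elif m.group(1) == "354":
                in_data = True
        elif in_data:
            in_data = payload != "."
        else:
            verb = payload.split(" ", 1)[0].split(":", 1)[0].upper()
            if verb not in SMTP_VERBS:
                findings.append((frame, f"non-SMTP command {verb!r}"))
    return findings
```

On a real capture the same logic applies per TCP stream after reassembly; the point of the second transcript is that a greeting that looks like SMTP is not enough, the whole exchange has to keep following the command/response grammar.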
Room QA
Note: Due to Medium’s formatting, some elements are dropped. Please visit our Notion page for the full tutorial.
Task 1
What is the MITRE ID for Software Configuration?
- MITRE ID is available at this link.
Task 2
What is the SPF rule to use if you wish to ensure an operator rejects emails without potentially discarding a legitimate email?
- Using -all (hard fail) as the terminating mechanism can cause legitimate emails to be discarded. Using ~all (soft fail) instead avoids this problem.
- Rule:
v=spf1 ~all
What is the meaning of the -all tag?
Task 3
Which email header shows the status of whether DKIM passed or failed?
Task 4
Which DMARC policy would you use not to accept an email if the message fails the DMARC check?
- Policy:
p=reject
- requests that email receivers reject email that fails the DMARC check.
Task 5
What is nonrepudiation? (The answer is a full sentence, including the “.”)
Task 6
What Wireshark filter can you use to narrow down the packet output using SMTP status codes?
- You can reach the source.
Per the network traffic, what was the message for status code 220? (Do not include the status code (220) in the answer)
One packet shows a response that an email was blocked using spamhaus.org. What were the packet number and status code? (no spaces in your answer)
- We can see the text “Email blocked using spamhaus.org” in the response.
Based on the packet from the previous question, what was the message regarding the mailbox?
What is the status code that will typically precede an SMTP DATA command?
- With the DATA command, the client requests permission from the server to transfer the email data. The response code 354 grants permission, and the client initiates the delivery of the email contents line by line.
Task 7
What port is the SMTP traffic using?
How many packets are specifically SMTP?
What is the source IP address for all the SMTP traffic?
What is the filename of the third file attachment?
- Follow the link provided by the task and access the Wireshark codes for Internet Message Format (IMF).
How about the last file attachment?
Task 8
Per MITRE ATT&CK, which software is associated with using SMTP and POP3 for C2 communications?
- Click on the article link.
Task 9
Per the playbook, what framework was used for the IR process?
Task 09: Conclusion
A playbook is a defined process that should be followed in a specific situation, in this case, a phishing incident.
Phishing IR Playbook:
Lastly, the PCAP file used in this room was from Malware Traffic Analysis. You can explore more details about this PCAP or other samples.
SMTP PCAP Credit: