[THM] Phishing Emails 4 by TryHackMe

Welcome again, we're getting close to finishing this one up!

Task 1 

Q: What is the MITRE ID for Software Configuration?
A: M1054

Task 2

Q: What is the best SPF rule if you wish to ensure the domain sends no mail at all?
A: v=spf1 ~all
 
Q: What is the meaning of the -all tag?
A: fail

Task 3 

Q: Which email header shows the status of whether DKIM passed or failed?
A: authentication-results

Task 4

Q: Which DMARC policy would you use not to accept an email if the message fails the DMARC check?
A: p=reject
  
Task 5

Q: What is nonrepudiation? (The answer is a full sentence, including the ".")
A: The uniqueness of a signature prevents the owner of the signature from disowning the signature. 

Task 6

Q: What Wireshark filter can you use to narrow down the packet output using SMTP status codes?
A: smtp.response.code

I'm giving you the answer on this one, but you'll be doing yourself no favors in this industry if you don't pick up some Wireshark skills. The first link presented in this module will help you find the answer.
 
Q: Per the network traffic, what was the message for status code 220? (Do not include the status code (220) in the answer)
A: <domain> service ready

Q: One packet shows a response that an email was blocked using spamhaus.org. What were the packet number and status code? (no spaces in your answer)
A: 156,553

I actually didn't go too far for this. Because of some poking around I knew that the packet number was nearby and hopped a bit down to it from the filter above. Can you find the answer?
 
Q: Based on the packet from the previous question, what was the message regarding the mailbox?
A: mailbox name not allowed
 
Q: What is the status code that will typically precede an SMTP DATA command?
A: 354
 
I did a little research on this, check out this website: https://mailtrap.io/blog/smtp-commands-and-responses/
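As an added example (not part of the room or this write-up), here is a small Python parser that does offline what the smtp.response.code filter does in Wireshark: it pulls SMTP status codes out of a session transcript, tags each with a packet number, and flags the 5xx rejections such as a block citing spamhaus.org. The transcript, host names and packet numbers are all constructed sample data.

```python
import re
from typing import List, NamedTuple

# Constructed SMTP server responses, one per packet, in the form the
# smtp.response.code filter would surface. Sample data, not the room's pcap.
SAMPLE_RESPONSES = [
    "220 mail.example.test service ready",
    "250 mail.example.test Hello client.example.test",
    "250 2.1.0 Sender OK",
    "553 5.1.3 Mailbox name not allowed (sender blocked by spamhaus.org)",
    "354 Start mail input; end with <CRLF>.<CRLF>",
    "250 2.0.0 Queued",
]

class SmtpResponse(NamedTuple):
    packet_no: int   # constructed packet number, mirroring Wireshark's frame number
    code: int        # three-digit SMTP status code
    message: str     # human-readable text after the code

# A reply line is a 3-digit code, then a space (final line) or '-' (continuation).
RESPONSE_RE = re.compile(r"^(\d{3})[ -](.*)$")

def parse_responses(lines: List[str], first_packet: int = 1) -> List[SmtpResponse]:
    """Turn raw reply lines into SmtpResponse records, numbering from first_packet."""
    out = []
    for offset, line in enumerate(lines):
        m = RESPONSE_RE.match(line.strip())
        if not m:
            continue  # not an SMTP reply line (e.g. a client command)
        out.append(SmtpResponse(first_packet + offset, int(m.group(1)), m.group(2)))
    return out

def by_code(responses: List[SmtpResponse], code: int) -> List[SmtpResponse]:
    """Equivalent of the filter smtp.response.code == <code>."""
    return [r for r in responses if r.code == code]

def permanent_failures(responses: List[SmtpResponse]) -> List[SmtpResponse]:
    """5xx replies: the server refused the message outright."""
    return [r for r in responses if 500 <= r.code <= 599]

def blocked_by(responses: List[SmtpResponse], blocklist: str = "spamhaus.org") -> List[SmtpResponse]:
    """Permanent failures whose text names the given blocklist."""
    return [r for r in permanent_failures(responses) if blocklist.lower() in r.message.lower()]

if __name__ == "__main__":
    for r in blocked_by(parse_responses(SAMPLE_RESPONSES, first_packet=150)):
        print(f"packet {r.packet_no}: {r.code} {r.message}")
```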

Task 7

Q: What port is the SMTP traffic using?
A: 25
 
I came across the port on one of the SMTP protocol packets. Look for the Transmission Control Protocol section, destination port. 
 
Q: How many packets are specifically SMTP?
A: 512

Can you find a way to pull Statistics for Protocols? Remember that Wireshark basics are incredibly useful for your career in infosec. 

Q: What is the source IP address for all the SMTP traffic?
A: 10.12.19.101

Q: What is the filename of the third file attachment?
A: attachment.scr
 
Hint: imf.content.type should help you out!
 
Q: How about the last file attachment?
A: .zip

Task 8

Q: Per MITRE ATT&CK, which software is associated with using SMTP and POP3 for C2 communications?
A: Zebrocy

Task 9

Q: Per the playbook, what framework was used for the IR process?
A: NIST