🟦
LSWSec-Defensive
  • LSWSec - Defensive Security Notes
  • General
    • Tool List
  • Threat Intelligence
    • Introduction
    • Threat Actors and APTs
    • Operational Threat Intelligence
    • Tactical Threat Intelligence
    • Strategic Threat Intelligence
    • Malware and Global Campaigns
  • Phishing
    • Introduction
    • Investigating a Phishing Email
    • Analysing
    • Defensive Action
    • Reactive Measures
    • Report Writing
  • Digital Forensics
    • Introduction
    • Digital Evidence and Handling
    • Memory, Pagefile and Hibernation file
    • Digital Evidence Collection
    • Windows Investigation
    • Linux Investigations
    • Volatility
    • Autopsy
    • Windows Commands
      • Network Discovery
      • DHCP
      • DNS
  • SIEM
    • Introduction
    • Logging
    • Correlation
  • Incident Response
    • Introduction
    • Preperation
    • Detection & Analysis
    • Containment, Eradication and Recovery
    • reporting
    • MITRE Att&ck
  • Event Viewer
    • event Summary
    • Event ID: 4648
    • Event ID: 4776
    • Event ID: 4673
    • Event ID: 4625
Powered by GitBook
On this page
  • Artefacts to collect
  • Web Artefacts
  • File Artefact
  1. Phishing

Investigating a Phishing Email

PreviousIntroductionNextAnalysing

Last updated 1 year ago

Artefacts to collect

  • Sending Email Address (can be used to identify other emails that have been received)

  • Subject Line (can be used to identify or block other phishing emails)

  • Recipient Email Address

  • Sending server IP and Reverse DNS https://mxtoolbox[.]com/ReverseLookup.aspx

  • Reply-to address (often an attacker controlled account)

  • Date and Time

  • Attachment Name

  • SHA256 Hash Value (check against virus total and talos file reputation)

  • Full URLs (copy and not written by hand)

  • Root Domain (can show if a site has been created for malicious purposes or if its a legitimate site that has been compromised).

Email Artefacts

Text Editor Extraction - Sending server IP and Reply-to address

  • Open email file in a text editor

  • CTRL + F

  • Search for IP and look for X-Sender-IP (record this)

  • Look up this IP using whois

  • Record Resolve Host field (if sending address and the host domain does not match up, it means the address has been spoofed)

  • Now record Reply-to address > CTRL + F and search for ‘Reply’

Web Artefacts

Need to collect Full URL

  • Right click and copy hyperlink

Get screenshots from virus total, URLScan.io, ect.

File Artefact

Windows

Powershell > get-filehash .\FILE

The above will get a sha-256 hash

To get md5 or sha1 do this:

Get-filehash -algorithm md5 .\FILE

Linux

sha256sum <file>

sha1sum <file>

md5sum <file>

Get filename and file size as well

Can use phish tool to automate the process

http://whois.domaintools.com/