Phishing Emails 4
-
What is the MITRE ID for Software Configuration?
Answer : M1054
-
What is the best SPF rule if you wish to ensure the domain sends no mail at all?
The answer to this question is not the one the room expects. As per dmarcian, blocking a domain from sending email means publishing -all in the SPF record with no IPs registered:
So I tried the other possibilities to get the "valid" answer.
Answer : v=spf1 ~all
-
What is the meaning of the -all tag?
Answer : fail
-
Which email header shows the status of whether DKIM passed or failed?
Look in an email header from a domain where DKIM is set up, or at the screenshot in the question.
Answer : authentication-results
-
Which DMARC policy would you use not to accept an email if the message fails the DMARC check?
Answer : p=reject
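The SPF, DKIM and DMARC questions above all come down to reading three strings: the SPF TXT record, the DMARC TXT record and the Authentication-Results header. As an added example (not code from the room or from this writeup), here is a small Python parser that pulls the qualifier off the SPF all mechanism, the p= tag from a DMARC record and the per-method results from an Authentication-Results header. The sample records and header are constructed and the example.* domains are placeholders; the "sends no mail" check follows the dmarcian rule quoted above (a record that is exactly v=spf1 -all), and the disposition function is a simplification that trusts the dmarc= result stamped by the receiving MTA instead of re-evaluating alignment.

```python
import re

# Meaning of the qualifier in front of an SPF mechanism (RFC 7208, section 4.6.2).
# A bare mechanism with no qualifier is "+" (pass).
SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample records; example.* domains are placeholders, not real data.
SPF_NO_MAIL = "v=spf1 -all"
SPF_SOFTFAIL_ONLY = "v=spf1 ~all"
SPF_NORMAL = "v=spf1 ip4:203.0.113.10 include:_spf.example.net -all"
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
AUTH_RESULTS = (
    "mx.example.net; "
    "dkim=fail (signature verification failed) header.d=example.com header.s=sel1; "
    "spf=fail smtp.mailfrom=example.com; "
    "dmarc=fail (p=REJECT) header.from=example.com"
)


def parse_spf(record):
    """Split an SPF TXT record into terms and report what 'all' resolves to."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    mechanisms = terms[1:]
    all_result = None  # stays None if there is no 'all' term (implicitly neutral)
    for term in mechanisms:
        if term[0] in SPF_QUALIFIERS:
            qualifier, name = term[0], term[1:]
        else:
            qualifier, name = "+", term
        if name.lower() == "all":
            all_result = SPF_QUALIFIERS[qualifier]
    return {
        "mechanisms": mechanisms,
        "all": all_result,
        # dmarcian's "this domain sends no mail" record: nothing but a hard fail.
        "sends_no_mail": [m.lower() for m in mechanisms] == ["-all"],
    }


def parse_dmarc(record):
    """Return the tag=value pairs of a DMARC TXT record as a dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: %r" % record)
    return tags


def parse_authentication_results(header):
    """Return {method: result} from an Authentication-Results header value (RFC 8601).

    The first ';'-separated element is the authserv-id (the host that ran the
    checks); each following element starts with method=result.
    """
    parts = [p.strip() for p in header.split(";")]
    results = {}
    for part in parts[1:]:
        m = re.match(r"(\w+)=(\w+)", part)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def dmarc_disposition(dmarc_record, auth_results):
    """Map the receiver's dmarc= result plus the sender's p= policy to an action.

    Simplified on purpose: alignment is not re-evaluated here, the dmarc=
    result stamped by the receiving MTA is trusted, and pct=/sp= are ignored.
    """
    policy = parse_dmarc(dmarc_record).get("p", "none").lower()
    if auth_results.get("dmarc") != "fail":
        return "deliver"
    return {"reject": "reject", "quarantine": "quarantine"}.get(policy, "deliver")


if __name__ == "__main__":
    for rec in (SPF_NO_MAIL, SPF_SOFTFAIL_ONLY, SPF_NORMAL):
        print(rec, "->", parse_spf(rec))
    results = parse_authentication_results(AUTH_RESULTS)
    print(results, "->", dmarc_disposition(DMARC_RECORD, results))
```

Run it as a script to see the three SPF records side by side: only v=spf1 -all reports sends_no_mail, v=spf1 ~all resolves to softfail, and a record with real senders plus -all is a normal hard-fail policy rather than a no-mail declaration.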
-
What is nonrepudiation? (The answer is a full sentence, including the ".")
Go to the S/MIME link in the task.
Answer : The uniqueness of a signature prevents the owner of the signature from disowning the signature.
-
What Wireshark filter can you use to narrow down the packet output using SMTP status codes?
Answer : smtp.response.code
-
Per the network traffic, what was the message for status code 220? (Do not include the status code (220) in the answer)
Answer : <domain> Service ready
-
One packet shows a response that an email was blocked using spamhaus.org. What were the packet number and status code? (no spaces in your answer)
Answer : 156,553
-
Based on the packet from the previous question, what was the message regarding the mailbox?
Answer : mailbox name not allowed
-
What is the status code that will typically precede a SMTP DATA command?
Checking the SMTP status code link provided in the task: 354 (Start mail input) is the server's reply to the DATA command, after which the message body is sent.
Answer : 354
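The last few questions are all status-code triage: filter on smtp.response.code, read the 220 banner, find the 553 rejection that names spamhaus.org, and know that 354 is the reply to DATA. As an added example (not taken from the room's pcap or from this writeup), here is the same triage in Python over a constructed SMTP exchange; the frame numbers, hosts, addresses and reply texts are made up for illustration. It separates server replies from client commands, names the reply category by first digit, pulls out 5xx rejections that mention a blocklist, and finds the code the server sends back for a given command.

```python
import re

# Server reply line: three-digit code, then ' ' (last line) or '-' (continuation).
RESPONSE = re.compile(r"^(\d{3})([ -])(.*)$")
# Optional enhanced status code (RFC 3463) at the start of the text, e.g. "5.1.8 ".
ENHANCED = re.compile(r"^(\d\.\d{1,3}\.\d{1,3})\s+")

# Constructed SMTP exchange as (frame number, direction, line). Frame numbers,
# hosts, addresses and reply texts are made up; this is not the room's capture.
SAMPLE_FRAMES = [
    (4, "S", "220 mail.example.com Service ready"),
    (5, "C", "EHLO client.example.org"),
    (6, "S", "250-mail.example.com greets client.example.org"),
    (6, "S", "250-SIZE 35882577"),
    (6, "S", "250 8BITMIME"),
    (7, "C", "MAIL FROM:<alice@example.org>"),
    (8, "S", "250 2.1.0 Sender OK"),
    (9, "C", "RCPT TO:<bob@example.com>"),
    (10, "S", "553 5.1.8 Requested action not taken: mailbox name not allowed "
              "(sender blocked using zen.spamhaus.org)"),
    (11, "C", "RCPT TO:<carol@example.com>"),
    (12, "S", "250 2.1.5 Recipient OK"),
    (13, "C", "DATA"),
    (14, "S", "354 Start mail input; end with <CRLF>.<CRLF>"),
    (15, "C", "Subject: Invoice attached"),
    (15, "C", ""),
    (15, "C", "See attachment."),
    (15, "C", "."),
    (16, "S", "250 2.0.0 Queued as 4F1C2A9"),
    (17, "C", "QUIT"),
    (18, "S", "221 2.0.0 Bye"),
]


def parse_smtp_responses(frames):
    """Extract server replies, the rows smtp.response.code would show in Wireshark."""
    replies = []
    for frame, direction, line in frames:
        if direction != "S":
            continue
        m = RESPONSE.match(line)
        if not m:
            continue
        text = m.group(3)
        enhanced = None
        e = ENHANCED.match(text)
        if e:
            enhanced = e.group(1)
            text = text[e.end():]
        replies.append({
            "frame": frame,
            "code": int(m.group(1)),
            "continues": m.group(2) == "-",
            "enhanced": enhanced,
            "message": text,
        })
    return replies


def filter_by_code(replies, code):
    """Equivalent of the Wireshark filter smtp.response.code == <code>."""
    return [r for r in replies if r["code"] == code]


def status_class(code):
    """Name the reply category by its first digit (RFC 5321, section 4.2.1)."""
    classes = {
        2: "positive completion",
        3: "positive intermediate",
        4: "transient negative completion",
        5: "permanent negative completion",
    }
    try:
        return classes[code // 100]
    except KeyError:
        raise ValueError("not an SMTP reply code: %r" % code)


def find_blocklist_rejections(replies, marker="spamhaus"):
    """(frame, code) pairs for 5xx replies whose text names the blocklist."""
    return [(r["frame"], r["code"]) for r in replies
            if r["code"] >= 500 and marker in r["message"].lower()]


def reply_to_command(frames, command):
    """Code of the first server reply after the client sends <command>."""
    waiting = False
    for frame, direction, line in frames:
        if direction == "C" and line.split(" ", 1)[0].upper() == command.upper():
            waiting = True
        elif waiting and direction == "S":
            m = RESPONSE.match(line)
            if m:
                return int(m.group(1))
    return None


if __name__ == "__main__":
    replies = parse_smtp_responses(SAMPLE_FRAMES)
    for r in replies:
        print("%3d  %d  %-30s %s" % (r["frame"], r["code"], status_class(r["code"]), r["message"]))
    print("blocklist rejections:", find_blocklist_rejections(replies))
    print("reply to DATA:", reply_to_command(SAMPLE_FRAMES, "DATA"))
```

Note how the 354 reply sits between the client's DATA and the message body, which is why it is the code you see just before the mail content in a capture, and why a 3yz "positive intermediate" reply means the server is waiting for more input rather than reporting success or failure.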
TASK 7 : SMTP Traffic Analysis
-
What port is the SMTP traffic using?
Answer : 25
-
How many packets are specifically SMTP?
Answer : 512
-
What is the source IP address for all the SMTP traffic?
Answer : 10.12.19.101
-
What is the filename of the third file attachment?
Answer : attachment.scr
-
How about the last file attachment?
Answer : .zip
-
Per MITRE ATT&CK, which software is associated with using SMTP and POP3 for C2 communications?
Answer : Zebrocy
-
Per the playbook, what framework was used for the IR process?
Looking at the PDF file for the phishing incident response playbook:
Answer : NIST