Automated Collection With PhishTool Flashcards
PhishTool provides a forensic analysis console, giving individuals the power to forensically analyze phishing emails, tag malicious artifacts, and generate investigation reports. This incredible platform can do all the heavy lifting in terms of artifact retrieval and even artifact analysis. This lesson will walk you through how to use the platform to upload phishing emails and generate reports.
Example 1
On the analysis console homepage, you’ll be presented with the view shown in the screenshot below. This is where we can drag-and-drop a malicious email, or browse our file system and upload it.
In this case, we’re going to click the Browse button and find the email we want to submit for analysis: an Amazon credential harvester!
Once the analysis has been completed, you will see a screen that looks similar to the following screenshot. This page holds all of the results from artifact extraction and analysis procedures. Whilst there is a ton of useful information we can retrieve and fun things we can do, for the scope of this lesson, we are only interested in retrieving artifacts from the email (don’t worry, you’ll be using PhishTool later for analysis tasks!). You can click the clipboard icon next to artifact names to copy them.
The artifacts we’re interested in are:
1. Sending Address
2. Subject Line
3. Recipients
4. Date + Time
5. Sending Server IP
6. Reverse DNS
7. URLs (if applicable)
8. File Name (not applicable)
9. File Hash (not applicable)
So let’s gather these from the PhishTool analysis console! In the Basic Header section, we will be able to retrieve artifacts 1, 2, 3, and 4.
Below this, there is a section for Detailed Header that includes the X-Originating-IP and the reverse DNS results, which gives us artifacts 5 and 6.
And finally down at the bottom, we have a section for URLs, where we can retrieve all hyperlinks that were included in the email.
Example 2
In this second example we’re going to submit an email that has a potentially malicious attachment, so we can show you how to retrieve file-based artifacts using PhishTool. Below is a screenshot of the phishing email we’re going to analyze.
After submitting the email to PhishTool, under the Basic Header section there is a section titled Attachments. This provides us with the MD5 hash of the file and the file name! We can also click on the VirusTotal link to automatically submit the hash for analysis and retrieve a community reputation score.
Conclusion
This lesson has shown that you can retrieve email, web, and file-based artifacts all from within the PhishTool Analysis Workbench, making it a faster alternative to manual collection. It is still extremely important to know how to collect indicators manually using a mail client and text editor, in case you don’t have access to PhishTool, such as when an analyst is investigating without an internet connection.
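The artifact list from Example 1 and the manual collection the conclusion mentions, as an added Python example that is not part of the original lesson or of PhishTool: it parses a constructed .eml (placeholder addresses, a harmless text attachment) with the standard library and pulls out the same artifacts the lesson collects from the console. Reverse DNS is deliberately left out so the script runs offline.

```python
import email
import hashlib
import re
from email import policy

# Constructed sample message (not a real phishing email): placeholder
# addresses, one link in the body and a tiny base64 attachment ("abc").
SAMPLE_EML = b"""\
From: "Amazon Support" <support@example.invalid>
To: victim@example.net
Subject: Your account has been locked
Date: Mon, 02 Jan 2023 10:15:00 +0000
X-Originating-IP: [203.0.113.45]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please verify your account at http://example.invalid/login?id=42
--b1
Content-Type: application/octet-stream; name="invoice.txt"
Content-Disposition: attachment; filename="invoice.txt"
Content-Transfer-Encoding: base64

YWJj
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def addr_specs(hdr):
    """Bare addresses from a parsed address header (empty list if absent)."""
    return [a.addr_spec for a in hdr.addresses] if hdr is not None else []


def collect_artifacts(raw: bytes) -> dict:
    """Return the lesson's artifact set from a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    artifacts = {
        "sender": (addr_specs(msg.get("From")) or [None])[0],
        "subject": msg.get("Subject"),
        "recipients": addr_specs(msg.get("To")),
        "date": msg.get("Date"),
        # X-Originating-IP is commonly wrapped in brackets; strip them.
        # Reverse DNS (socket.gethostbyaddr) is omitted to stay offline.
        "sending_ip": (msg.get("X-Originating-IP") or "").strip("[]") or None,
        "urls": [],
        "attachments": [],
    }
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            artifacts["attachments"].append(
                {"filename": part.get_filename(), "md5": hashlib.md5(data).hexdigest()}
            )
        elif part.get_content_type() in ("text/plain", "text/html"):
            artifacts["urls"].extend(URL_RE.findall(part.get_content()))
    artifacts["urls"] = list(dict.fromkeys(artifacts["urls"]))  # de-duplicate
    return artifacts


if __name__ == "__main__":
    for key, value in collect_artifacts(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Point the script at a saved .eml instead of SAMPLE_EML (read it in binary mode) to reproduce the console's Basic Header, Detailed Header and Attachments fields by hand.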