Phishing Analysis - The Greenholt Phish - TryHackMe
TRY HACK ME
Brandon Nerios
3 min read
This lab is called "The Greenholt Phish" and was provided by TryHackMe. In this lab we will use the EML file provided to gather the phishing email artifacts and determine whether this email was legitimate or not.
Scenario: "A Sales Executive at Greenholt PLC received an email that he didn't expect to receive from a customer. He claims that the customer never uses generic greetings such as "Good day" and didn't expect any amount of money to be transferred to his account. The email also contains an attachment that he never requested. He forwarded the email to the SOC (Security Operations Center) department for further investigation. Investigate the email sample to determine if it is legitimate."
For the first 5 questions we will open the EML file provided in a text editor. Once inside the file we can locate the artifacts we need to answer the questions.
What is the email's timestamp?
Who is the email from?
What is his email address?
What email address will receive a reply to this email?
What is the Originating IP?
Who is the owner of the Originating IP?
For question 6 we will take the answer from question 5 and use https://whois.domaintools.com/ to look up the owner.
What is the SPF record for the Return-Path domain?
In the text editor, look for the SPF result. From the screenshot below we can see that the sender was not a permitted sender for the domain, which points to the email not being legitimate.
To find the correct SPF record we will use the dig command in Linux to look at the TXT record of the domain. In there we will find the answer.
What is the DMARC record for the Return-Path domain?
Using https://dmarc.live/ we will search the domain found in the email to pull the DMARC record.
What is the name of the attachment?
When quarantining the file we can see the file name.
What is the SHA256 hash of the file attachment?
Once the file has been quarantined, we will use the sha256sum command in Linux to compute the hash of the file.
What is the attachment's file size? (Don't forget to add "KB" to your answer, NUM KB)
Once we have the hash of the file, we can use VirusTotal to answer questions 11 and 12.
What is the actual file extension of the attachment?
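As an added example (not part of the original write-up or the TryHackMe lab), the following Python script builds a constructed sample EML (the addresses, date, IP and attachment are made up; the attachment is a ZIP named as a PDF) and pulls out the same artifacts the questions above ask for: timestamp, From, Reply-To, originating IP, Return-Path domain, attachment name, SHA256, size in KB and the real file type from its magic bytes. SPF and DMARC are DNS lookups and are left to dig.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Magic numbers used to tell the real file type, regardless of the claimed extension.
MAGIC = [(b"PK\x03\x04", "zip"), (b"MZ", "exe"), (b"%PDF", "pdf"), (b"\x7fELF", "elf")]


def sniff_type(data: bytes) -> str:
    """Return the file type implied by the first bytes, or 'unknown'."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def build_sample_eml() -> bytes:
    """Constructed sample email (not the lab's file): a ZIP disguised as a PDF."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "Sales Person <sales@example.test>"
    msg["Reply-To"] = "reply@example.test"
    msg["Return-Path"] = "<bounce@example.test>"
    msg["Date"] = "Mon, 15 Jun 2020 15:59:01 +0000"
    msg["X-Originating-IP"] = "[203.0.113.5]"
    msg.set_content("Good day, please find the invoice attached.")
    payload = b"PK\x03\x04" + b"\x00" * 2044  # 2048 bytes, starts with ZIP signature
    msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename="invoice.pdf")
    return msg.as_bytes()


def analyze_eml(raw: bytes) -> dict:
    """Pull the artifacts the lab questions ask for out of a raw EML."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {
        "timestamp": str(msg["Date"]),
        "from": str(msg["From"]),
        "reply_to": str(msg["Reply-To"]),
        "originating_ip": str(msg["X-Originating-IP"]).strip("[]"),
        "return_path_domain": parseaddr(str(msg["Return-Path"]))[1].split("@")[-1],
        "attachments": [],
    }
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)  # decoded bytes, same as the quarantined file
        report["attachments"].append({
            "name": part.get_filename(),
            "sha256": hashlib.sha256(data).hexdigest(),  # what sha256sum would print
            "size_kb": round(len(data) / 1024, 1),
            "actual_type": sniff_type(data),  # compare with the claimed extension
        })
    return report
```

Run `analyze_eml(open("sample.eml", "rb").read())` on a real EML to get the same report for the lab file.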