# Detecting, Investigating and Tracking Malicious Infrastructure

Welcome to my mind :i_love_you_hand_sign:

This documentation captures my journey through the ***Detecting, Investigating, and Tracking Malicious Infrastructure*** path, detailing my experiences and insights across its nine subtopics and showcasing the practical skills and knowledge gained in combating cyber threats.

## Subtopic 1: Triage - Deciding when to investigate

I gained proficiency in distinguishing legitimate emails from untargeted spam, phishing emails, and targeted attacks using heuristic indicators.

:::info
:bulb: **Skill Check**

I achieved a perfect score of `10/10` on the ==Shira== phishing quiz, demonstrating accurate recognition of phishing across various app categories.

![Screen Capture 168 - Shira - shira.app](https://hackmd.io/_uploads/By1jEpzPC.jpg)
:::

## Subtopic 2: Interpersonal Skills for Malicious Infrastructure/Phishing Response

I developed the ability to support individuals who might have interacted with malicious emails, focusing on empathy and harm reduction based on their threat model.

:::info
:bulb: **Skill Check**

A phishing message is a fake email that tries to trick you into giving away personal information or installing harmful software. The attackers want to steal things like passwords or bank details, or take control of your computer. If you clicked on the email, you might have given them access to your information or infected your computer. The attackers could be anyone from lone hackers to organized crime groups, and many of these attacks are sent to lots of people, not just you. To stay safe, you should change any affected passwords, watch for unusual activity, and report the email to your IT department.
:::

## Subtopic 3: Operational Security - Safe Handling of links and infrastructure

I learned how to safely handle malicious emails and URLs, protect my IP address during investigations, take immediate steps if an account is compromised, and effectively defang URLs.
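Defanging is the one step from this subtopic that is easy to get wrong by hand (a single missed dot leaves a clickable link in a ticket), so here is an added example, not code from the original write-up, that applies the bracket convention used throughout these notes (`[.]`, `[at]`, `hxxp`) and reverses it when a lookup tool needs the live value. The `extract_host` helper and the convention choices are my own assumptions, not part of the learning path.

```python
"""Defang / refang helpers for sharing indicators safely (added example)."""
import re
from urllib.parse import urlsplit

# Markers that show a value has already been neutralised (several common styles).
DEFANG_MARKERS = ("[.]", "(.)", "{.}", "[at]", "(at)", "hxxp", "[:]", "[://]")


def is_defanged(value: str) -> bool:
    """True if the indicator already carries one of the usual defang markers."""
    return any(marker in value.lower() for marker in DEFANG_MARKERS)


def defang(value: str) -> str:
    """Neutralise a URL, hostname, IPv4 address or email address for notes and chat.

    Idempotent: a value that is already defanged is returned unchanged, so the
    function can be applied blindly to every indicator before it is pasted.
    """
    s = value.strip()
    if is_defanged(s):
        return s
    s = re.sub(r"^http(s?)://", r"hxxp\1://", s, flags=re.IGNORECASE)  # scheme
    s = s.replace("@", "[at]")                                             # email
    return s.replace(".", "[.]")                                           # dots


def refang(value: str) -> str:
    """Restore the live value for tools that need it (dig, whois, a sandbox)."""
    s = value.strip()
    for marker, plain in (("[.]", "."), ("(.)", "."), ("{.}", "."),
                          ("[at]", "@"), ("(at)", "@"),
                          ("[://]", "://"), ("[:]", ":")):
        s = s.replace(marker, plain)
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)


def extract_host(value: str) -> str:
    """Hostname or IP to feed into passive lookups, from a (de)fanged indicator.

    Assumed helper for this example: email addresses yield their domain, URLs
    and bare hosts yield the host part, ports and paths are dropped.
    """
    s = refang(value)
    if "@" in s and "://" not in s:
        return s.rsplit("@", 1)[1]
    if "://" not in s:
        s = "//" + s  # let urlsplit treat a bare host (with optional port) as netloc
    return urlsplit(s).hostname or ""


if __name__ == "__main__":
    # Indicators taken from the notes on this page.
    for ioc in ("http://example.test/login.php", "conta-cgd[.]com",
                "noreply[at]nl[.]francetv[.]fr", "188.114.96.3"):
        print(f"{ioc:40} -> defanged {defang(ioc):45} host {extract_host(ioc)}")
```

Run the module directly to see each indicator in both forms; in practice `defang` goes in front of every write to a ticket or chat and `refang` only runs inside the isolated investigation environment.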
:::info
:bulb: **Skill Check**

My mentor generated a Canarytoken using my email address for notifications. I received an email with my mentor's IP address and user agent details. This demonstrated how attackers could obtain similar information when connecting to their servers.

![image](https://hackmd.io/_uploads/HJKvH6zvA.png)
:::

## Subtopic 4: Passive Investigation - Analyze URLs, hostnames, and IP addresses

:::info
:bulb: **Skill Check**

Using ==Tryhackme.com== and its ==Passive Reconnaissance== room.

### Task #2: Passive Versus Active Recon

![image](https://hackmd.io/_uploads/H15W2BOH0.png)

### Task #3: Whois

![image](https://hackmd.io/_uploads/H1S0PB_BR.png)

### Task #4: nslookup and dig

Using the command: `dig thmlabs.com TXT`

![image](https://hackmd.io/_uploads/S17baSurA.png)

### Task #5: DNSDumpster

![image](https://hackmd.io/_uploads/B1TfvSdBR.png)

### Task #6: Shodan.io

Apache servers:

![image](https://hackmd.io/_uploads/H1NuhrOrR.png)

Nginx services:

![image](https://hackmd.io/_uploads/SJp2hruSA.png)

* I carry out the practice exercises on a different domain suggested by my mentor, reviewing the process and findings together. We focus on finding subdomains, discussing geoIP lookup accuracy, and improving my approach.
* I choose `mvmhosur[.]com` to investigate.
:::

## Subtopic 5: Passive Investigation - Analyze email headers

:::info
:bulb: **Skill Check**

### Email Header Analysis

**1. What are the From and Return-Path email addresses? Do they match? What are they?**

> From: Gagnant Navigo `USEROTH03---E062[at]mvmhosur[.]com`
> Return-Path: `USEROTH03---E062[at]mvmhosur[.]com`
>
> Same address

**2. What is the name of the sending computer or server?**

> The sending server is `BM1PR01MB2786.INDPRD01.PROD.OUTLOOK.COM`

**3. Where is the sending computer geo-located?**

> The sending computer `BM1PR01MB2786.INDPRD01.PROD.OUTLOOK.COM` with IP address `15[.]20[.]33[.]021` is located in `NaN`
>
> :warning: I couldn't verify the server's location; it was either disabled or offline.
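The checks above (From versus Return-Path, the sending server read from the `Received` chain, and the SPF/DKIM/DMARC verdicts) can be scripted so the same questions are answered the same way for every sample. The following is an added example, not part of the original skill check or the learning path; it uses only the Python standard library, and the raw header block it parses is constructed for the example with reserved documentation names and addresses (`*.example`, `203.0.113.0/24`, `198.51.100.0/24`), not a real message.

```python
"""Answer the standard email-header questions from a raw header block (added example)."""
import email
import re
from email.message import Message
from email.utils import parseaddr

# Constructed sample, not a real message: top Received line is the newest hop.
RAW_HEADERS = """\
Return-Path: <bounce@mailer.example>
Received: from mx.sender.example (mx.sender.example [203.0.113.10])
 by inbound.recipient.example with ESMTPS id abc123;
 Tue, 2 Jul 2024 09:15:02 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
 by mx.sender.example with ESMTP id xyz789;
 Tue, 2 Jul 2024 09:14:58 +0000
Authentication-Results: inbound.recipient.example;
 spf=none (sender IP is 203.0.113.10) smtp.mailfrom=mailer.example;
 dkim=none (message not signed) header.d=none;
 dmarc=fail action=none header.from=brand.example
From: "Brand Support" <noreply@brand.example>
Sender: contact@mailer.example
To: victim@recipient.example
Subject: Your storage is full
Content-Type: text/html; charset="UTF-8"

<html><body>placeholder</body></html>
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<comment>[^)]*)\))?.*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def parse_headers(raw: str) -> Message:
    return email.message_from_string(raw)


def sender_identities(msg: Message) -> dict:
    """Question 1: who the mail claims to be from versus where bounces go."""
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    sender = parseaddr(msg.get("Sender", ""))[1].lower()
    return {"from": from_addr, "return_path": return_path, "sender": sender,
            "from_domain": from_addr.rpartition("@")[2],
            "match": from_addr == return_path}


def received_chain(msg: Message) -> list:
    """Questions 2/3: hops oldest-first, so hops[0] is the originating system."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # undo header folding
        m = RECEIVED_RE.search(flat)
        if not m:
            continue                             # e.g. a "by ...;" line with no "from"
        ip = IP_RE.search(m.group("from") + " " + (m.group("comment") or ""))
        hops.append({"from": m.group("from").strip("[]"),
                     "ip": ip.group(1) if ip else None, "by": m.group("by")})
    hops.reverse()  # each relay prepends its line, so the last one is the origin
    return hops


def auth_results(msg: Message) -> dict:
    """SPF/DKIM/DMARC verdicts from Authentication-Results (first value wins)."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(" ".join(value.split())):
            results.setdefault(method.lower(), verdict.lower())
    return results


def spam_indicators(msg: Message) -> list:
    """Question 5: the heuristic reasons a message looks like spam or spoofing."""
    findings, ids, auth = [], sender_identities(msg), auth_results(msg)
    if not ids["match"]:
        findings.append(f"From ({ids['from']}) and Return-Path ({ids['return_path']}) differ")
    sender_domain = ids["sender"].rpartition("@")[2]
    if ids["sender"] and sender_domain != ids["from_domain"]:
        findings.append(f"Sender domain ({sender_domain}) differs from From domain ({ids['from_domain']})")
    for method in ("spf", "dkim", "dmarc"):
        verdict = auth.get(method, "missing")
        if verdict != "pass":
            findings.append(f"{method.upper()} result: {verdict}")
    hops = received_chain(msg)
    if hops and hops[0]["ip"] and not hops[0]["from"].endswith(ids["from_domain"]):
        findings.append(f"origin host {hops[0]['from']} ({hops[0]['ip']}) is outside {ids['from_domain']}")
    return findings


if __name__ == "__main__":
    m = parse_headers(RAW_HEADERS)
    print(sender_identities(m)); print(received_chain(m)); print(auth_results(m))
    print("\n".join(spam_indicators(m)))
```

Replace `RAW_HEADERS` with the headers copied from the suspicious message (viewed as source, never by clicking anything) to get the same five answers for a real sample; the origin IP in `received_chain(...)[0]` is the value to take into a geoIP lookup.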
**5. How likely is it that this message is spam?**

* The email lacks SPF, DKIM, and DMARC authentication
* It includes a mismatched sender and return-path address
* It originates from a university server but claims to be from the White House

> :warning: Given these factors, the email is **highly** likely to be flagged as spam or suspicious.
:::

## Subtopic 6: Active Investigation - Analyze malicious emails

:::info
:bulb: **Skill Check**

I received an email on my `.fr` email address purportedly from Apple, claiming that my iCloud storage is full and prompting me to take immediate action. This is concerning because the email was sent from a non-Apple email address, raising suspicions of a phishing attempt. Analyzing the email header provides insights into its authenticity and whether it poses a security risk.

![image](https://hackmd.io/_uploads/BJahbRMvC.png)

> **1/** Based on the email headers, the sender's **From** address appears to be `noreply[at]nl[.]francetv[.]fr`.
> Additionally, examining headers like "Sender" helps verify authenticity; the "Sender" header shows `contact[at]ecomnews[.]fr`.

![image](https://hackmd.io/_uploads/S1SQGAMwA.png)

> **2/** Confirming the authenticity of the sender is complex due to conflicting authentication results in the headers. The SPF check indicates no designated sender, and DMARC has failed. This suggests a potential spoofing attempt.

![image](https://hackmd.io/_uploads/ryuvfRMPC.png)

> **3/** The email was delivered using Microsoft SMTP servers with TLS encryption, originating from `adipiscisgvcz[.]retailmenot[.]com` (IP: `130[.]162[.]169[.]44`) and passing through Outlook's infrastructure.

![image](https://hackmd.io/_uploads/ryLJQ0Gv0.png)

> **4/** The email includes a 1x1 tracking pixel embedded in its HTML content.
> The email states it uses UTF-8, but display issues like `désinscrire` suggest a mismatch or mishandling of character encoding.
> **5/** Opening and interacting with the email could potentially leak personal information such as the recipient's email address, IP address, and device information if the email contains embedded links or prompts for interaction.

> **6/** The email claims to be from Apple, informing the recipient that their iCloud storage is full. It urges them to take action, possibly by clicking a link or replying, to resolve the storage issue. Importantly, the email was sent from a non-Apple email address, indicating it may be a phishing attempt.
:::

## Subtopic 7: Active Investigation - Analyze malicious webpages

I learned to analyze attacker-owned websites by using web browser inspect features and additional tools like intercepting proxies or JavaScript debuggers. This process involves examining source code to uncover URLs, redirects, linked domains, and other identifiers that may reveal further infrastructure associated with these websites. This skill enables a deeper understanding of potential threats and enhances the ability to mitigate risks associated with malicious online activities.

:::info
:bulb: **Skill Check**

**1/** Using ==Tryhackme.com== and its ==Active Reconnaissance== room.

![image](https://hackmd.io/_uploads/HkG4L0zPR.png)

**2/** From PhishTank, I chose `conta-cgd[.]com`, a domain suspected of malicious activity, and conducted a thorough analysis using a combination of passive and active methods.

![image](https://hackmd.io/_uploads/ByBWORQPR.png)

-- *Screenshot taken in a secure sandbox environment.*

* The infrastructure that's serving the website: `188[.]114[.]96[.]3` / `Cloudflare`
* NaN
* When was this domain registered? 2nd July 2024 (Yesterday)
* Web Framework: `Microsoft ASP.NET`
* Others listed the site as malicious: `SEM Fresh Blacklist` and `SURBL Blacklist` (PH: Phishing site)
:::

## Subtopic 8: Documenting Findings

:::info
:bulb: **Skill Check**

I do a check-up with my mentor about my documentation to ensure that my investigative write-ups are clear and comprehensive.

## Additional information

* The email claims to be from `nl[.]francetv[.]fr` but was sent from `adipiscisgvcz[.]retailmenot[.]com` / `130[.]162[.]169[.]44`.
* The email contains links and a tracking pixel hosted on a specific domain, `homedecorhaven[.]site`.

> This detail is suspicious and warrants investigation. The domain `homedecorhaven[.]site` is hosted on DigitalOcean infrastructure at IP address `164[.]92[.]174[.]254`, located in Frankfurt, Germany. The domain was registered by Spaceship on March 28, 2024.
:::

## Subtopic 9: Response - Infrastructure takedown

I am learning how abuse reporting and databases work. I can identify malicious URL and domain databases, request and contribute data, and use reporting mechanisms at large infrastructure providers.

:::info
:bulb: **Skill Check**

Together with my mentor, I go through a comprehensive journey to take down malicious infrastructure. We prepare and verify all necessary evidence, including IP addresses, hashes, and domains. I learn how safe browsing, abuse databases, and blocklist providers work and practice submitting evidence. We identify abuse contacts for web hosting providers and registrars. Finally, we discuss the risks of takedowns and conduct a role-play to effectively communicate these risks to the target of the attack.
:::

# Table of Content

[toc]