From 60ca2b6c6e8c179743a9597eaddae489a0cac800 Mon Sep 17 00:00:00 2001
From: mokaddem
Date: Fri, 5 Mar 2021 12:57:50 +0100
Subject: [PATCH] new: [exercises] Created exercise folder and added email-exercise
---
exercises/email-exercise.txt | 31 ++++++++++++++++++
.../movie-exercise}/content.tex | 0
.../movie-exercise}/makefile | 0
.../movie-exercise}/misp.pdf | Bin
.../movie-exercise}/pics/movie-details.png | Bin
.../movie-exercise}/pics/movie-details2.png | Bin
.../movie-exercise}/pics/movie-genre.png | Bin
.../movie-exercise}/pics/movie-score.png | Bin
.../movie-exercise}/pics/movie-subgenre.png | Bin
.../movie-exercise}/slide.tex | 0
10 files changed, 31 insertions(+)
create mode 100644 exercises/email-exercise.txt
rename {x.13-exercise-movie => exercises/movie-exercise}/content.tex (100%)
rename {x.13-exercise-movie => exercises/movie-exercise}/makefile (100%)
rename {x.13-exercise-movie => exercises/movie-exercise}/misp.pdf (100%)
rename {x.13-exercise-movie => exercises/movie-exercise}/pics/movie-details.png (100%)
rename {x.13-exercise-movie => exercises/movie-exercise}/pics/movie-details2.png (100%)
rename {x.13-exercise-movie => exercises/movie-exercise}/pics/movie-genre.png (100%)
rename {x.13-exercise-movie => exercises/movie-exercise}/pics/movie-score.png (100%)
rename {x.13-exercise-movie => exercises/movie-exercise}/pics/movie-subgenre.png (100%)
rename {x.13-exercise-movie => exercises/movie-exercise}/slide.tex (100%)
diff --git a/exercises/email-exercise.txt b/exercises/email-exercise.txt
new file mode 100644
index 0000000..dd403ea
--- /dev/null
+++ b/exercises/email-exercise.txt
@@ -0,0 +1,31 @@
+From csirt@telco.lu
+
+Dear xy,
+
+We have had a failed spearphishing attempt targeting our CEO recently with the following details:
+
+Our CEO received an E-mail on 03/02/2021 15:56 containing a personalised message about a report card for their child. The attacker pretended to be working for the school of the CEO’s daughter, sending the mail from a spoofed address (john.doe@luxembourg.edu). John Doe is a teacher of the student. The email was received from throwaway-email-provider.com (137.221.106.104).
+
+The e-mail contained a malicious file (find it attached) that would try to download a secondary payload from https://evilprovider.com/this-is-not-malicious.exe (also attached, resolves to 2607:5300:60:cd52:304b:760d:da7:d5). It looks like the sample is trying to exploit CVE-2015-5465. After a brief triage, the secondary payload has a hardcoded C2 at https://another.evil.provider.com:57666 (118.217.182.36) to which it tries to exfiltrate local credentials. This is how far we have gotten so far. Please be mindful that this is an ongoing investigation, we would like to avoid informing the attacker of the detection and kindly ask you to only use the contained information to protect your constituents.
+
+Best regards,
+
+
+--------------------------------------------------
+# Entities:
+- Email
+- Spoofed organisation/person
+- Initial payload - file
+- Secondary file
+- CVE
+- C2
+
+
+# Context:
+- ATT&CK: Spear-phishing, Exfiltration
+- Infrastructure
+- adversary:infrastructure-type="panel"
+- Country & Sector
+- PAP
+- FS/LS
+
diff --git a/x.13-exercise-movie/content.tex b/exercises/movie-exercise/content.tex
similarity index 100%
rename from x.13-exercise-movie/content.tex
rename to exercises/movie-exercise/content.tex
diff --git a/x.13-exercise-movie/makefile b/exercises/movie-exercise/makefile
similarity index 100%
rename from x.13-exercise-movie/makefile
rename to exercises/movie-exercise/makefile
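Review bot: The scenario text hands learners globally routable indicators (137.221.106.104, 118.217.182.36, 2607:5300:60:cd52:304b:760d:da7:d5, throwaway-email-provider.com, evilprovider.com, another.evil.provider.com) without marking them as fictitious, so anyone who loads the exercise into a sharing platform or a blocklist for practice may end up acting against infrastructure belonging to unrelated parties. Consider moving the addresses into the documentation ranges reserved for exactly this purpose (RFC 5737 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 and RFC 3849 2001:db8::/32) and using RFC 2606 names, or at minimum prefix the file with a line such as `# Training scenario - all indicators below are fictitious and must not be shared or blocked as real IoCs.` The timestamp `03/02/2021 15:56` is ambiguous between 3 February and 2 March and carries no timezone; writing it as `2021-02-03 15:56 CET` (or whichever date is intended) removes the ambiguity, which matters for an exercise whose entity list asks learners to model the email. The "Context" section lists PAP and FS/LS but the narrative only says the information should be used to protect constituents; stating the intended PAP and TLP levels explicitly would make that part of the exercise checkable.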
diff --git a/x.13-exercise-movie/misp.pdf b/exercises/movie-exercise/misp.pdf
similarity index 100%
rename from x.13-exercise-movie/misp.pdf
rename to exercises/movie-exercise/misp.pdf
diff --git a/x.13-exercise-movie/pics/movie-details.png b/exercises/movie-exercise/pics/movie-details.png
similarity index 100%
rename from x.13-exercise-movie/pics/movie-details.png
rename to exercises/movie-exercise/pics/movie-details.png
diff --git a/x.13-exercise-movie/pics/movie-details2.png b/exercises/movie-exercise/pics/movie-details2.png
similarity index 100%
rename from x.13-exercise-movie/pics/movie-details2.png
rename to exercises/movie-exercise/pics/movie-details2.png
diff --git a/x.13-exercise-movie/pics/movie-genre.png b/exercises/movie-exercise/pics/movie-genre.png
similarity index 100%
rename from x.13-exercise-movie/pics/movie-genre.png
rename to exercises/movie-exercise/pics/movie-genre.png
diff --git a/x.13-exercise-movie/pics/movie-score.png b/exercises/movie-exercise/pics/movie-score.png
similarity index 100%
rename from x.13-exercise-movie/pics/movie-score.png
rename to exercises/movie-exercise/pics/movie-score.png
diff --git a/x.13-exercise-movie/pics/movie-subgenre.png b/exercises/movie-exercise/pics/movie-subgenre.png
similarity index 100%
rename from x.13-exercise-movie/pics/movie-subgenre.png
rename to exercises/movie-exercise/pics/movie-subgenre.png
diff --git a/x.13-exercise-movie/slide.tex b/exercises/movie-exercise/slide.tex
similarity index 100%
rename from x.13-exercise-movie/slide.tex
rename to exercises/movie-exercise/slide.tex