In this activity, I consider a scenario in which I worked as a security analyst for a company and received an alert that an employee had a phishing email in their inbox. I reviewed the alert and identified a suspicious domain name in the email's body: signin.office365x24.com. I wanted to determine whether any other employees had received phishing emails containing this domain and whether any of them had visited it. I used Chronicle SIEM, a cloud-native tool, to investigate the domain. This scenario is a simulation to demonstrate my skills, and all confidential data is masked to protect privacy and safety.
First, I opened the Chronicle SIEM home page.
I typed signin.office365x24.com in the search bar and clicked Search. Under DOMAINS, signin.office365x24.com was listed, confirming that the domain appears in the ingested data.
The Prevalence section provides a graph of how often the domain has been observed over time (its historical prevalence).
The WHOIS section summarizes information about the domain from WHOIS, a free and publicly available directory of registered domain names that includes details such as the name and contact information of the registrant (note that registrant details are frequently redacted by privacy services, so the registration date and registrar are often the more useful fields).
The RESOLVED IPS insight card provides additional context about the domain, such as the IP address that maps to signin.office365x24.com, which is 40.100.174.34.
After performing the domain search, I evaluated the VirusTotal information about this domain. According to the report, two of the security vendors aggregated by VirusTotal flagged this domain as malicious.
The ASSETS tab lists hostnames, IP addresses, MAC addresses, or devices that have accessed the domain.
The TIMELINE tab shows a timeline of events, including when each asset accessed the domain. It also shows details of the HTTP requests made, including GET and POST requests.
The SIBLING DOMAINS insight card provides additional context about the domain. Sibling domains share the same parent (registered) domain. For example, here the sibling domain is listed as login.office365x24.com, which shares the parent domain office365x24.com with the domain I investigated.
The ET INTELLIGENCE REP LIST insight card includes threat intelligence information, such as other known threats related to the domain, from Proofpoint's Emerging Threats (ET) Intelligence Rep List.
The ET INTELLIGENCE REP LIST insight card categorizes the behaviour of signin.office365x24.com as a drop site for logs or stolen credentials. This means the domain has been reported as a destination to which stolen credentials or other exfiltrated data are sent.
POST requests were sent to http://signin.office365x24.com/login.php, and the logs showed that login information was submitted to the suspicious domain in those POST requests. I therefore concluded that the suspicious domain had been used in phishing campaigns.
login.office365x24.com is identified as a sibling domain of signin.office365x24.com. The signin.office365x24.com domain resolves to the IP address 40.100.174.34. By pivoting on that resolved IP address in Chronicle SIEM, I also identified an additional domain, signin.accounts-gooqle.com, hosted on the same address.
Six assets accessed the domain, on 31 January 2023 and 9 July 2023: ashton-davidson-pc, bruce-monroe-pc, coral-alvarez-pc, emil-palmer-pc, jude-reyes-pc, and roger-spence-pc.
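The same four questions the Chronicle domain search answered above (which assets contacted the domain, which of them POSTed credentials to it, which sibling domains exist, and which other domains resolve to the same IP) can be asked of raw HTTP telemetry directly. The script below is an added example and is not Chronicle code; it runs over a constructed in-memory event list, and the record layout (ts, host, dst_domain, dst_ip, method, url) and the hostnames are assumptions, not Chronicle's UDM schema or the assets from this scenario.

```python
"""Triage of HTTP telemetry for a suspicious phishing domain.

Added example, not Chronicle code. It answers, over a constructed event list,
the questions from the investigation above: which assets contacted the domain,
which POSTed to it, which sibling domains exist, and which other domains share
its resolved IP. The record fields (ts, host, dst_domain, dst_ip, method, url)
are an assumption and not Chronicle's UDM schema.
"""
from urllib.parse import urlparse

SUSPICIOUS_DOMAIN = "signin.office365x24.com"

# Constructed sample events, not real telemetry; hostnames are placeholders.
EVENTS = [
    {"ts": "2023-01-31T10:02:11Z", "host": "ws-alpha", "dst_domain": "signin.office365x24.com",
     "dst_ip": "40.100.174.34", "method": "GET", "url": "http://signin.office365x24.com/"},
    {"ts": "2023-01-31T10:02:40Z", "host": "ws-alpha", "dst_domain": "signin.office365x24.com",
     "dst_ip": "40.100.174.34", "method": "POST", "url": "http://signin.office365x24.com/login.php"},
    {"ts": "2023-07-09T14:15:03Z", "host": "ws-bravo", "dst_domain": "signin.office365x24.com",
     "dst_ip": "40.100.174.34", "method": "GET", "url": "http://signin.office365x24.com/"},
    {"ts": "2023-07-09T14:20:55Z", "host": "ws-charlie", "dst_domain": "login.office365x24.com",
     "dst_ip": "40.100.174.34", "method": "GET", "url": "http://login.office365x24.com/"},
    {"ts": "2023-07-09T15:01:12Z", "host": "ws-delta", "dst_domain": "signin.accounts-gooqle.com",
     "dst_ip": "40.100.174.34", "method": "POST", "url": "http://signin.accounts-gooqle.com/auth"},
    {"ts": "2023-07-09T15:03:00Z", "host": "ws-bravo", "dst_domain": "www.example.com",
     "dst_ip": "93.184.216.34", "method": "GET", "url": "http://www.example.com/"},
]


def parent_domain(fqdn: str) -> str:
    """Registrable parent of a hostname, approximated as its last two labels.

    Adequate for the .com names here; production code should consult the
    Public Suffix List so that 'login.example.co.uk' yields 'example.co.uk'.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assets_contacting(events, domain):
    """Hostnames that made any request to `domain` (the ASSETS tab question)."""
    return sorted({e["host"] for e in events if e["dst_domain"] == domain})


def credential_posts(events, domain):
    """POST requests to `domain`, i.e. events where a form was submitted.

    Returns (timestamp, host, url_path) tuples in time order.
    """
    hits = [
        (e["ts"], e["host"], urlparse(e["url"]).path)
        for e in events
        if e["dst_domain"] == domain and e["method"].upper() == "POST"
    ]
    return sorted(hits)


def sibling_domains(events, domain):
    """Other domains in the data that share `domain`'s parent domain."""
    parent = parent_domain(domain)
    return sorted({
        e["dst_domain"] for e in events
        if e["dst_domain"] != domain and parent_domain(e["dst_domain"]) == parent
    })


def domains_on_same_ip(events, domain):
    """Pivot on resolved IP: other domains that resolved to an IP `domain` used."""
    ips = {e["dst_ip"] for e in events if e["dst_domain"] == domain}
    return sorted({
        e["dst_domain"] for e in events
        if e["dst_ip"] in ips and e["dst_domain"] != domain
    })


def triage(events, domain):
    """Bundle the four answers into one report dict."""
    return {
        "domain": domain,
        "assets": assets_contacting(events, domain),
        "credential_posts": credential_posts(events, domain),
        "siblings": sibling_domains(events, domain),
        "same_ip_domains": domains_on_same_ip(events, domain),
    }


if __name__ == "__main__":
    for key, value in triage(EVENTS, SUSPICIOUS_DOMAIN).items():
        print(f"{key}: {value}")
```

The IP pivot is the one step that needs judgement: on shared hosting or a CDN, many unrelated domains sit on one address, so a domain surfaced only by `domains_on_same_ip` is a lead to check against WHOIS, prevalence and threat-intel cards, not a finding on its own.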
To sum up, I used Chronicle SIEM to investigate a suspicious domain used in a phishing email. Using Chronicle's domain search, I was able to:
Access threat intelligence reports on the domain
Identify the assets that accessed the domain
Evaluate the HTTP events associated with the domain
Identify which assets submitted login information to the domain
Identify additional domains
Chronicle SIEM overview: https://cloud.google.com/chronicle/docs/overview