Lab: https://blueteamlabs.online/home/investigation/sublime-484215802b
Category: Incident Response
Tools Used: Sublime
Difficulty: Medium
Scenario
In recent months, our organization has observed a significant uptick in suspicious emails targeting employees. These emails often contain seemingly innocuous content, but they may be part of a phishing campaign aimed at compromising sensitive information or gaining unauthorized access to our systems.
As a response to this growing threat, our security team has decided to try out various email security tools. In this scenario, we will leverage the Sublime Email Security Platform to investigate suspicious emails and hunt for anomalous activity using Sublime’s Message Query Language (MQL).
NOTE: To get started open a browser and navigate to localhost:3000. There are likely multiple ways to tackle the MQL; we’ve tried to be as prescriptive as possible about what the answers should look like.
Q&A
Disclaimer: I'm a bit lazy and haven't revisited this lab, so I haven't completed questions 3, 6, 8, 17, and 18. If you know the answers to these questions, please let me know.
Q1) How many distinct message groups are currently flagged and marked as unreviewed in the Sublime Email Security Platform portal? (Format: Number) (2 points)
A: 26
Q2) Within the last 30 days, what is the total number of emails sent to the user “[email protected]”? (Format: Number) (2 points)
A: 18
Q3) Provide the Message Query Language (MQL) query to retrieve inbound emails sent to the user "[email protected]" (Format: some.string and any (some other string == “[email protected]”)) (2 points)
A:
Q4) Out of the emails sent to “[email protected],” how many matched the rule “Attachment: Suspicious VBA macros from first-time sender” in the last 30 days? (Format: Number) (2 points)
A: 4
Q5) Among the emails matching the aforementioned rule, how many contained an attachment with the file extension “docm”? (Format: Number) (3 points)
A: 2
Q6) Provide the MQL query that can be used to proactively hunt for inbound emails with attachments having the “docm” extension (Format: some.string and any (some other string == “string”)) (3 points)
A:
Q7) One of the attachments within the specified emails has “trickbot” in its name. What is the SHA256 hash of this attachment? (Format: SHA256) (3 points)
A: 712fd163cc98f8fb2055573336c606f17c66a22276dce9f6e9f909e3d6d23f16
Q8) Provide the MQL query to identify inbound emails containing an attachment with the term “trickbot” in its file name (Format: some.string and any (string, some.string(.more, “string”))) (3 points)
A:
Q9) What is the sender email of the identified email with the suspicious attachment (“trickbot”)? (Format: [email protected]) (3 points)
Q10) What is the subject of the email containing the suspicious attachment (“trickbot”)? (Format: Subject Line) (3 points)
A: Re: Insurance Purchase 7719259
Q11) Identify the recipient of the email on the Sublime platform that is associated with double base64 encoded zip file in HTML smuggling attachment (Format: [email protected]) (3 points)
Q12) How many detection rules were triggered by the QR double base64 encoded zip file in HTML smuggling attachment email on the Sublime platform? (Format: Number) (3 points)
A: 4
Q13) Who is the sender of the email associated with the double base64 encoded zip file in HTML smuggling attachment on the Sublime platform? (Format: [email protected]) (3 points)
Q14) What is the subject of the email related to the double base64 encoded zip file in HTML smuggling attachment campaign on the Sublime platform? (Format: Subject Line) (3 points)
A: Updated Employee Benefits
Q15) The SOC team reported an email with Message ID “BN6PR08MB24517AFDD21811833E15E01B85389@BN6PR08MB2451.namprd08.prod.outlook.com”. What is the malware family associated with this email? (Format: MalwareName) (3 points)
A: Qakbot
Q16) Retrieve the URL embedded in the email with the specified Message ID reported by the SOC team (Format: https://sub.domain.tld/something) (3 points)
A: https://html-smuggling.file-auto-download-test-sandbox.workers.dev/encrypted-zip-with-iso
Q17) Provide the number of emails within the Sublime platform that exhibit SPF “softfail” in their authentication records, and the to and from addresses in alphabetical order (Format: number, EmailAddress, EmailAddress) (3 points)
A:
Q18) Provide the MQL query (Format: some.string and any (some other string == “string”)) (3 points)
A: