Task 1: Introduction
Question 1: After visiting the link in the task, what is the MITRE ID for the “Software Configuration” mitigation technique?
Follow the link to https://attack.mitre.org/techniques/T1598/#mitigations. Look for Software Configuration and the ID is there.
Answer: M1054
Task 2: SPF (Sender Policy Framework)
Question 1: Referencing the dmarcian SPF syntax table, what prefix character can be added to the “all” mechanism to ensure a “softfail” result?
Follow the link to the dmarcian page, then click “here” in the sentence: “More in-depth information on the differences between “~” and “-” can be found here”.
This gives you the…
Answer: ~
Question 2: What is the meaning of the -all tag?
This answer is on that second webpage as well. Scroll down a little to see the difference between ~all and -all.
- “softfail” in the case of “~”
- “fail” in the case of “-”
Answer: fail
Task 3: DKIM (DomainKeys Identified Mail)
Question 1: Which email header shows the status of whether DKIM passed or failed?
We can find the answer in the last screenshot in the reading, right above the highlighted dkim=pass. We see…
Answer: Authentication-Results
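Added example, not code from the original walkthrough: reading the per-method verdicts (dkim=, spf=, dmarc=) out of the Authentication-Results header that Task 3 points at. The message, the authserv-id mx.example.test and the domains in it are constructed.

```python
"""Added example (not code from the original walkthrough): read the
per-method verdicts (dkim=, spf=, dmarc=) out of an Authentication-Results
header. The message, the authserv-id mx.example.test and the domains are
constructed sample data."""
import email
import re
from typing import Dict, Tuple

# Constructed message; the header is folded across lines the way an MTA writes it
SAMPLE_MESSAGE = """\
Authentication-Results: mx.example.test;
 dkim=pass header.d=example.com header.s=sel1;
 spf=pass smtp.mailfrom=bounce.example.com;
 dmarc=pass (p=reject) header.from=example.com
From: Alice <alice@example.com>
To: bob@example.test
Subject: constructed sample

hello
"""


def parse_authentication_results(value: str) -> Tuple[str, Dict[str, Dict[str, str]]]:
    """RFC 8601 syntax: 'authserv-id; method=result [prop.name=value ...]; ...'.
    Returns the authserv-id and a dict keyed by method, each holding 'result'
    plus any property/value pairs. Parenthesised comments are ignored."""
    value = re.sub(r"\([^)]*\)", "", value)  # drop comments such as (p=reject)
    clauses = [c.strip() for c in " ".join(value.split()).split(";") if c.strip()]
    authserv_id = clauses[0] if clauses else ""
    methods: Dict[str, Dict[str, str]] = {}
    for clause in clauses[1:]:
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        props = {k: v for k, sep, v in (t.partition("=") for t in tokens[1:]) if sep}
        props["result"] = result.lower()
        methods[method.lower()] = props
    return authserv_id, methods


def auth_status(raw_message: str, method: str) -> str:
    """Verdict for one method ('dkim', 'spf', 'dmarc') from the first
    Authentication-Results header that reports it; 'none' if absent."""
    msg = email.message_from_string(raw_message)
    for value in msg.get_all("Authentication-Results") or []:
        _, methods = parse_authentication_results(value)
        if method in methods:
            return methods[method]["result"]
    return "none"


if __name__ == "__main__":
    for m in ("dkim", "spf", "dmarc"):
        print(m, "=", auth_status(SAMPLE_MESSAGE, m))
```

When triaging a real message, check that the authserv-id in the header is your own receiving MX before trusting the verdict: the header is plain text and a sender can insert one of its own, so only the copy added by your own border MTA is meaningful.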
Task 4: DMARC (Domain-Based Message Authentication, Reporting, and Conformance)
Question 1: Which DMARC policy would you use not to accept an email if the message fails the DMARC check?
Follow this link from the reading to find the answer.
Consider an example DMARC TXT RR for the domain “sender.dmarcdomain.com” that reads:
"v=DMARC1;p=reject;pct=100;rua=mailto:postmaster@dmarcdomain.com"
In this example, the sender requests that the receiver outright reject all non-aligned messages and send a report, in a specified aggregate format, about the rejections to a specified address. If the sender was testing its configuration, it could replace “reject” with “quarantine” which would tell the receiver they shouldn’t necessarily reject the message, but consider quarantining it.
Answer: p=reject
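Added example serving both the SPF question in Task 2 (the “~” softfail versus “-” fail qualifier on “all”) and the DMARC policy question in Task 4. It is not code from the walkthrough or from dmarcian; the DMARC record is the dmarcian sample quoted above, the SPF records are constructed, and only the “all” mechanism and the DMARC p tag are interpreted (redirect= and other modifiers are assumed out of scope).

```python
"""Added example (not code from the original walkthrough): read the
policy-bearing parts of SPF and DMARC TXT records. The DMARC record is the
dmarcian sample quoted in Task 4; the SPF records are constructed. Only the
'all' mechanism and the DMARC 'p' tag are interpreted; 'redirect=' and other
modifiers are out of scope (assumption)."""
import re
from typing import Dict, Optional

# Qualifier prefixes on an SPF mechanism (RFC 7208, section 4.6.2)
SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_all_result(txt: str) -> Optional[str]:
    """Result a receiver reaches when no earlier mechanism matched, i.e. the
    qualifier on 'all'. Returns None if the record is not an SPF record."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return SPF_QUALIFIERS[m.group(1) or "+"]  # no prefix means '+'
    # RFC 7208 section 4.7: nothing matched and no 'all' term -> neutral
    return "neutral"


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split a DMARC record into its tag=value pairs (RFC 7489, section 6.3)."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


DMARC_ACTIONS = {
    "none": "accept the message and only send reports",
    "quarantine": "treat the message as suspicious (e.g. spam folder)",
    "reject": "reject the message outright",
}


def dmarc_policy(txt: str) -> Optional[str]:
    """Requested disposition for messages that fail DMARC, or None if the
    record is not a valid DMARC record."""
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags["p"].lower()


def describe(spf_txt: str, dmarc_txt: str) -> Dict[str, str]:
    """Summarise what a receiver would do with an unauthorised sender."""
    tags = parse_dmarc(dmarc_txt)
    policy = dmarc_policy(dmarc_txt)
    return {
        "spf_unmatched": spf_all_result(spf_txt) or "not an SPF record",
        "dmarc_policy": policy or "no valid DMARC policy",
        "dmarc_action": DMARC_ACTIONS.get(policy, "unknown"),
        "dmarc_pct": tags.get("pct", "100"),  # pct defaults to 100 when absent
        "dmarc_rua": tags.get("rua", "(no aggregate report address)"),
    }


if __name__ == "__main__":
    # Constructed SPF records; the DMARC record is the dmarcian example from Task 4
    spf_soft = "v=spf1 include:_spf.example.com ~all"
    spf_hard = "v=spf1 ip4:192.0.2.0/24 -all"
    dmarc = "v=DMARC1;p=reject;pct=100;rua=mailto:postmaster@dmarcdomain.com"
    for spf in (spf_soft, spf_hard):
        print(spf, "->", describe(spf, dmarc))
```

The useful check when reviewing a domain's posture is the combination: an SPF record ending in ~all only marks unauthorised mail as softfail, so without a DMARC policy of quarantine or reject the receiver is free to deliver it anyway.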
Task 5: S/MIME (Secure/Multipurpose Internet Mail Extensions)
Question 1: What is nonrepudiation? (The answer is a full sentence, including the “.”)
For this one you need to again navigate to another webpage: https://learn.microsoft.com/en-us/exchange/security-and-compliance/smime-exo/smime-exo
On the second bullet point you can see the definition of nonrepudiation…
Answer: The uniqueness of a signature prevents the owner of the signature from disowning the signature.
Task 6: SMTP Status Codes
Question 1: What Wireshark filter can you use to narrow down the packet output using SMTP status codes?
Use the SMTP link to find the answer to this one. We are looking for a response code…
Answer: smtp.response.code
Question 2: Per the network traffic, what was the message for status code 220? (Do not include the status code (220) in the answer)
Filter in Wireshark using the answer above plus the status code 220:
smtp.response.code == 220
Answer: <domain> service ready
Question 3: One packet shows a response that an email was blocked using spamhaus.org. What were the packet number and status code? (no spaces in your answer)
The easiest way to do this is a string search for spamhaus.org. In Wireshark, to do a string search go to Edit > Find Packet.
Then change the drop-down to String and type in your search string.
Answer: 156,553
Question 4: Based on the packet from the previous question, what was the message regarding the mailbox?
I tried “requested action not taken” but it's actually the second bit of the message…
Answer: requested action not taken
Question 5: What is the status code that will typically precede a SMTP DATA command?
Check out: https://www.mailersend.com/blog/smtp-codes
Answer: 354
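Added example for the Task 6 questions, not code from the original walkthrough: the same checks the Wireshark display filter and string search perform, done in Python over a constructed list of SMTP server responses. The frame numbers, the hostname mail.example.test and the response texts are made up to resemble a capture; they are not values from the room's pcap.

```python
"""Added example (not code from the original walkthrough): the checks Task 6
does with Wireshark filters, done over a constructed list of SMTP server
responses. Frame numbers, hostname and texts are constructed, not the room's."""
import re
from typing import Dict, List, Optional, Tuple

Response = Tuple[int, str]  # (frame number, raw server reply line)

# Constructed sample capture: server-to-client lines only
SAMPLE_RESPONSES: List[Response] = [
    (4, "220 mail.example.test ESMTP service ready"),
    (9, "250-mail.example.test Hello [203.0.113.7]"),
    (10, "250 SIZE 10485760"),
    (15, "354 Start mail input; end with <CRLF>.<CRLF>"),
    (30, "250 OK queued as ABC123"),
    (41, "553 5.7.1 Requested action not taken: mailbox name not allowed "
         "(sender IP listed at spamhaus.org)"),
    (60, "421 mail.example.test Service not available, closing transmission channel"),
]

RESPONSE_RE = re.compile(r"^(?P<code>\d{3})(?P<sep>[ -])(?P<text>.*)$")


def parse_response(line: str) -> Optional[Dict[str, object]]:
    """Split a reply into code, continuation flag ('-' means more lines follow) and text."""
    m = RESPONSE_RE.match(line)
    if not m:
        return None
    return {"code": int(m["code"]), "continued": m["sep"] == "-", "text": m["text"]}


def code_class(code: int) -> str:
    """Meaning of the first digit (RFC 5321, section 4.2.1)."""
    return {
        2: "positive completion",
        3: "positive intermediate",  # 354: server is ready for the DATA payload
        4: "transient negative",
        5: "permanent negative",
    }.get(code // 100, "unknown")


def filter_by_code(responses: List[Response], code: int) -> List[Tuple[int, str]]:
    """Equivalent of the display filter smtp.response.code == <code>;
    returns (frame, text-without-code) pairs, matching how Q2 wants the answer."""
    out = []
    for frame, line in responses:
        parsed = parse_response(line)
        if parsed and parsed["code"] == code:
            out.append((frame, parsed["text"]))
    return out


def find_string(responses: List[Response], needle: str) -> List[Tuple[int, Optional[int]]]:
    """Equivalent of Edit > Find Packet with a case-insensitive string search;
    returns (frame, status code) pairs, the shape Q3 asks for."""
    hits = []
    for frame, line in responses:
        if needle.lower() in line.lower():
            parsed = parse_response(line)
            hits.append((frame, parsed["code"] if parsed else None))
    return hits


def permanent_failures(responses: List[Response]) -> List[Response]:
    """The 5xx replies, which are the lines an analyst reads first in a capture."""
    out = []
    for frame, line in responses:
        parsed = parse_response(line)
        if parsed and code_class(parsed["code"]) == "permanent negative":
            out.append((frame, line))
    return out


if __name__ == "__main__":
    print("220 banner:", filter_by_code(SAMPLE_RESPONSES, 220))
    print("spamhaus hits:", find_string(SAMPLE_RESPONSES, "spamhaus.org"))
    print("5xx replies:", permanent_failures(SAMPLE_RESPONSES))
```

On a real capture the same questions are answered by feeding the SMTP response lines in; the point of separating code class from text is that a 5xx from a DNS blocklist lookup is a permanent rejection of that sender, whereas a 4xx is a retry hint and will often be followed by the same client trying again.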
Task 7: SMTP Traffic Analysis
Question 1: What port is the SMTP traffic using?
I just wanted to see what the standard SMTP port was: https://kinsta.com/blog/smtp-port/
For example, port 25, the standard SMTP port for moving messages between mail servers, is often blocked by ISPs and cloud providers (including Google Cloud Platform, which is what Kinsta uses).
Answer: 25
Question 2: How many packets are specifically SMTP?
For this we go to the search field in Wireshark and simply type in smtp. The answer will be “displayed” at the bottom of the screen.
Answer: 512
Question 3: What is the source IP address for all the SMTP traffic?
We can see this by just looking at the destination IPs listed in Wireshark.
Answer: 10.12.19.101
Question 4: What is the filename of the third file attachment?
We are looking for imf, so put that in the search bar. The third file attachment is in packet 685.
Drill down until you find the file name.
Answer: attachment.scr
Question 5: How about the last file attachment?
Same thing but for the last packet 1309.
Answer: .zip
Task 8: SMTP and C&C Communication
Question 1: Per MITRE ATT&CK, which software is associated with using SMTP and POP3 for C2 communications?
Click on the link in the reading. Scroll down to the bottom of the Procedure Examples and you will see which one uses SMTP for C2.
Answer: Zebrocy
Task 9: Conclusion
Question 1: Per the playbook, what framework was used for the IR process?
Click the link to the site and you will see the framework mentioned is…
Answer: NIST