Skip to content

Instantly share code, notes, and snippets.

@adulau
Last active January 27, 2023 08:37
Show Gist options
  • Save adulau/9ab6500522edbb17294ce0e4376d0c0e to your computer and use it in GitHub Desktop.
Save adulau/9ab6500522edbb17294ce0e4376d0c0e to your computer and use it in GitHub Desktop.
BTS MISP

BTS - MISP and Threat Intelligence Introduction

From 9:30 to 12:00 CET (a small break is foreseen)

Short url: https://tinyurl.com/BTS-MISP2

Agenda

  • MISP Introduction and history
  • MISP data model
  • Best practices - from evidences to actionable evidences
  • Practical excercises GRU

Training MISP instance

Training instance: https://iglocska.eu/

username: training[1-50]@misp.test (training12@misp.test)
password: MudWizard2023

Demo example: Incident report email (Spearphishing)

From: "Telecommunication CSIRT of Fake-Company" <csirt@fake-company.lu>
To: "Telecommunication CSIRT of Luxembourg" <csirt@telco.lu>
Subject: Attempted spearphishing attempt

Dear xy,

We have had a failed spearphishing attempt targeting our CEO recently with the following details:

Our CEO received an E-mail on 13/09/2022 15:56 containing a personalised message about a report card for their child. The attacker pretended to be working for the school of the CEO’s daughter, sending the mail from a spoofed address (john.doe@luxembourg.edu). John Doe is a teacher of the student. The email was received from throwaway-email-provider.com (137.221.106.104).

The e-mail contained a malicious file (find it attached) that would try to download a secondary payload from https://evilprovider.com/this-is-not-malicious.exe (also attached, resolves to 2607:5300:60:cd52:304b:760d:da7:d5). It looks like the sample is trying to exploit CVE-2015-5465. After a brief triage, the secondary payload has a hardcoded C2 at https://another.evil.provider.com:57666 (118.217.182.36) to which it tries to exfiltrate local credentials. This is how far we have gotten so far. Please be mindful that this is an ongoing investigation, we would like to avoid informing the attacker of the detection and kindly ask you to only use the contained information to protect your constituents.

Best regards,

Resources

Cheatsheets

Training materials

Other ressources


Interesting MISP events/examples

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment