Welcome to the Blue Team Cyber Investigation Tricks and Tools repository! This collection of resources is designed to aid cybersecurity professionals in defending and securing their networks. Whether you're a seasoned analyst or just getting started, you'll find valuable tools, techniques, and best practices here to enhance your blue team efforts.
- DOCGuard: Zero Miss for Office Malware Threats. ⭐
- ANY.RUN: An interactive online malware sandbox for dynamic analysis of suspicious files.
- Cuckoo Sandbox: An open-source automated malware analysis system. ⭐
- Hybrid Analysis: A free malware analysis service powered by Falcon Sandbox.
- Joe Sandbox: Advanced analysis of files, URLs, emails, and other types of data.
- VirusTotal: Aggregates many antivirus products and online scan engines to check files and URLs for viruses.
- EmailRep: A service to query and understand the reputation and associations of an email address.
- Hunter.io: Verifies email addresses and provides related information like domain search and email format.
- Have I Been Pwned: Check if an email has been compromised in a data breach.
- IPVoid: Checks IP address reputations with multiple security services.
- DomainTools: Provides detailed domain information including DNS records, Whois, and more.
- URLVoid: Checks the reputation of websites using multiple blacklist engines and online reputation services.
- MXToolbox: Provides DNS lookups, blacklist checking, and other useful tools for investigating domains and IPs.
- MetaDefender: Scans files, URLs, and IPs with multiple antivirus engines and provides vulnerability assessments.
- AbuseIPDB: A database of IP addresses reported for abusive activities, with tools for checking and reporting IPs.
- VirusTotal: In addition to file scanning, VirusTotal also allows for IP, domain, and URL analysis to detect malicious activity.
- ThreatMiner: A threat intelligence platform that provides context on domains, IPs, and indicators of compromise (IOCs).
- Shodan: The search engine for Internet-connected devices, useful for finding exposed systems and identifying vulnerabilities.
- Koodous: Koodous Mobile is a mobile security application that offers reliable protection against threats on your device.
- Censys: Another search engine for finding devices and websites exposed to the internet, including services running on them.
- GreyNoise: Helps distinguish between harmless background noise and targeted attacks by analyzing internet-wide scan traffic.
Investigating suspicious email addresses involves several steps, from verifying the email's legitimacy to checking its history and associations. Here's how you can proceed:
- Email Verification: Use tools like Hunter.io to verify if the email is valid and check for known formats.
- Reputation Check: Use EmailRep to check the reputation of the email address and see if it's associated with any malicious activities.
- Data Breach Check: Use Have I Been Pwned to see if the email address has been part of a known data breach.
- Domain Analysis: If the email comes from a specific domain, use MXToolbox or DomainTools to investigate the domain's reputation and history.
These tools and techniques will help you analyze and investigate suspicious elements in your cybersecurity work.
- Do Not Click: Avoid clicking any links, downloading attachments, or replying to the email.
- Do Not Enable: If the email prompts you to enable macros or content, do not enable them.
- Check Email Address: Verify the sender's email address by hovering over it. Look for misspellings or unusual domains.
- Use Email Verification Tools: Use tools like Hunter.io or EmailRep to check the legitimacy and reputation of the email address.
- Inspect Headers: Analyze the email headers to identify any anomalies in the sender's information.
- Look for Red Flags: Check for signs of phishing, such as poor grammar, urgent language, or requests for personal information.
- Compare to Legitimate Emails: If the email claims to be from a known organization, compare it to previous legitimate emails from that organization.
- Use Online Sandboxes: Upload the attachment to online sandboxes like ANY.RUN, Hybrid Analysis, or VirusTotal to analyze the file's behavior.
- Scan with Antivirus: Run the file through your local antivirus software to detect any known malware.
- Check URL Reputation: Use tools like URLVoid or VirusTotal to check the reputation of any URLs in the email.
- Inspect URLs Carefully: Hover over any links to inspect the full URL. Be cautious of shortened URLs or those with unusual domains.
- Internal Reporting: Follow your organization's procedure for reporting phishing emails. This could involve forwarding the email to your IT or security team.
- External Reporting: Report the phishing attempt to relevant authorities or services like PhishTank.
- Move to Spam/Junk: If confirmed as phishing, move the email to your spam or junk folder.
- Block the Sender: Block the sender's email address to prevent future phishing attempts from the same source.
- Record Details: Document all details of the phishing attempt, including the sender's address, email content, attached files, and any analysis results.
- Share Findings: Share your findings with your team or community to help others recognize similar threats.
- Check for Signs of Compromise: After handling the phishing attempt, monitor your systems for any unusual activity that may indicate a compromise.
- Update Security Measures: If necessary, update your security measures, such as email filters, to prevent similar attacks in the future.
- Awareness Training: Educate others in your organization about phishing threats and how to recognize and respond to them.
- Simulate Phishing Attacks: Conduct phishing simulations to test and improve your organization's readiness to handle such threats.
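The email-address investigation steps above and the phishing-handling checklist both come down to a few mechanical checks an analyst repeats on every suspicious message: compare the sender's visible address with the envelope and Reply-To domains, read the receiving server's SPF/DKIM/DMARC verdicts, look for urgent language, and inspect every URL for shorteners or hosts that merely embed a trusted name. The script below is an added example written for this README, not a tool from the repository or from any of the services listed above. It runs fully offline on a constructed sample message; the sample addresses, IP, hosts and the "trusted brand" domain are invented, and the shortener and urgency lists are assumptions you would replace with your own intelligence. It deliberately never fetches a URL or opens an attachment, in line with the "Do Not Click" step.

```python
"""Offline first-pass triage of a suspicious email: header anomalies, sender
domain checks and URL red flags. Added example; not code from the repository."""
import email
import re
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message); all addresses, hosts and IPs are
# invented and use reserved/example ranges and TLDs.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-example-updates.test>
Received: from mail-example-updates.test (unknown [203.0.113.45]) by mx.example.org with ESMTP id abc123
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-example-updates.test; dkim=none; dmarc=fail
From: "Example Support" <support@example.com>
Reply-To: <helpdesk@example-secure-login.test>
To: <user@example.org>
Subject: URGENT: verify your account within 24 hours
Content-Type: text/plain; charset=utf-8

Your account will be suspended. Verify now: https://bit.ly/3xample
Or use the secure portal: https://example.com.secure-login.test/verify
"""

# Assumed lists (hypothetical, not from the page); extend from your own intel.
TRUSTED_BRAND_DOMAIN = "example.com"   # the organisation the mail claims to come from
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "suspended", "verify your account")
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def sender_domain(header_value: str) -> str:
    """Domain part of an address header, lowercased ('' if no address present)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def header_findings(msg: Message) -> list[str]:
    """Red flags visible in headers alone ('Check Email Address' / 'Inspect Headers')."""
    findings = []
    from_dom = sender_domain(msg.get("From"))
    return_dom = sender_domain(msg.get("Return-Path"))
    reply_dom = sender_domain(msg.get("Reply-To"))
    if return_dom and return_dom != from_dom:
        findings.append(f"Return-Path domain '{return_dom}' differs from From domain '{from_dom}'")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain '{reply_dom}' differs from From domain '{from_dom}'")
    # Authentication-Results is stamped by the receiving MTA; SPF/DKIM/DMARC failures on a
    # message claiming a well-known From domain are a strong spoofing signal.
    auth = (msg.get("Authentication-Results") or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech} result is '{m.group(1)}'")
    subject = (msg.get("Subject") or "").lower()
    hits = [p for p in URGENCY_PHRASES if p in subject]
    if hits:
        findings.append(f"urgent language in subject: {', '.join(hits)}")
    return findings


def url_findings(body: str) -> dict[str, list[str]]:
    """Per-URL red flags ('Inspect URLs Carefully'); nothing is fetched."""
    results = {}
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        flags = []
        if host in URL_SHORTENERS:
            flags.append("URL shortener hides the real destination")
        # e.g. 'example.com.secure-login.test' embeds the trusted name but is not under it
        if (TRUSTED_BRAND_DOMAIN in host and host != TRUSTED_BRAND_DOMAIN
                and not host.endswith("." + TRUSTED_BRAND_DOMAIN)):
            flags.append(f"host embeds '{TRUSTED_BRAND_DOMAIN}' but is not under it")
        results[url] = flags
    return results


def triage(raw_message: str) -> dict:
    """Parse a raw RFC 5322 message and collect all findings plus a simple count score."""
    msg = email.message_from_string(raw_message)
    payload = msg.get_payload(decode=True)   # bytes for a non-multipart message
    body = (payload.decode(msg.get_content_charset() or "utf-8", errors="replace")
            if isinstance(payload, bytes) else str(payload))
    headers = header_findings(msg)
    urls = url_findings(body)
    score = len(headers) + sum(len(f) for f in urls.values())
    return {"headers": headers, "urls": urls, "score": score}


if __name__ == "__main__":
    report = triage(SAMPLE_EMAIL)
    for line in report["headers"]:
        print("[header]", line)
    for url, flags in report["urls"].items():
        for flag in flags:
            print("[url]", url, "->", flag)
    print("score:", report["score"])   # 8 for the constructed sample
```

Feed `triage()` the raw `.eml` text saved from the mail client (headers included, since the Authentication-Results and Return-Path lines are what distinguish a spoofed From from a legitimate one). The score is only a count of independent red flags, not a probability; its value is that a message with several distinct findings is worth the sandbox and reputation lookups described earlier, while a single finding usually is not.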
PhishTool seeks to elevate the perception of phishing as a severe form of attack and provide a responsive means of email security. Through email analysis, security analysts can uncover email IOCs, prevent breaches and provide forensic reports that could be used in phishing containment and training engagements.
PhishTool has two accessible versions: Community and Enterprise. This section focuses mainly on the Community version and its core features. Sign up for an account via this link to use the tool.