OSINT Investigation

Investigation of IOCs from an Open Source Intelligence publication

Scenario

Your CEO has forwarded you an article from Kaspersky. https://securelist.com/apt-phantomlance/96772/#infrastructure.

The CEO wanted you to review the publication and see if your organization has anything to worry about, and if your organization has been affected by this attack.

Goal

Read the article and then investigate the Command and Control domains and IP address and see what you can find out.

Important Note: During your investigation you have informed your team not to directly visit the website in order to prevent any potential malware from entering the organization.

Objectives

Objective 1: What are the aspects of the attacks?

Objective 2: Is the attack still active?

Objective 3: Does your organization need to worry about this attack?

Objective 4: have you seen any to the IOCs?

In this exercise I will highlight the differences in RiskIQ PassiveTotal account types and integrations.
Free Community Account
Paid Enterprise Account
PassiveTotal Enterprise with the CrowdStrike integration enabled.

Searches

https://securelist.com/apt-phantomlance/96772/#infrastructure
https://community.riskiq.com/search/88.150.138.77/resolutions
https://community.riskiq.com/search/ps.andreagahuvrauvin.com
https://community.riskiq.com/search/paste.christienollmache.xyz/resolutions
https://community.riskiq.com/search/att.illagedrivestralia.xyz

Back to Resources

Forrester Wave: External Threat Intelligence Services, Q1 2021

RiskIQ Illuminate® Internet Intelligence Platform Datasheet

Five Security Intelligence Must-Haves For Next-Gen Attack Surface Management

Threat Investigations and Response RiskIQ Solution Brief

Illuminate One-Hour On-Demand Event