WEEK_4 · DAY_24 · 1 HOUR
Phishing Investigation
Trace from email → click → payload → C2
Learning Objectives
- Find an email in Proofpoint logs
- Trace URL clicks and DNS lookups
- Pivot to endpoint execution (Day 23 chain)
- Identify all victims and produce a global containment plan
Module 1 — Phishing Kill Chain
Delivery (email gateway) → Click (proxy/DNS) → Execution (Sysmon) → C2 (Zeek/firewall) → Impact.
Splunk ES has a Phishing Investigation app/dashboard that pre-builds many of these pivots.
Module 2 — Email Gateway Logs
Proofpoint TAP, Mimecast, Defender for O365 all expose: sender, recipient, subject, urls[], verdict, attachment hashes.
Module 3 — Scoping Globally
If user akumar got phished, search ALL recipients of the same campaign — not just the one who clicked.
SPL Queries
Phishing campaign trace
index=email sourcetype=proofpoint:tap sender="*finance-update.com" | table _time sender recipient subject url verdict | sort _time
// Every email from the bad sender — every potential victim.
Lab 24 — Phishing Investigation
- Open Splunk → Search.
- Run the campaign trace SPL.
- Identify the click event for akumar.
- Pivot to Sysmon (winword → powershell on FIN-WS-050).
- List all recipients of the same campaign — those are your potential victims.
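As an added example (not part of the Day 24 material or any vendor's code), the Module 3 scoping logic carried out in Python over constructed gateway, proxy and Sysmon-style records: it ties every message from the campaign sender to the users who clicked and the hosts where winword spawned powershell. The field names, sample values and the `scope_campaign` function are assumptions, not the Proofpoint TAP schema.

```python
"""Scope a phishing campaign beyond patient zero (constructed data)."""

# Constructed email gateway records with the fields the gateways expose.
EMAILS = [
    {"sender": "billing@finance-update.com", "recipient": "akumar",
     "url": "https://finance-update.com/inv", "verdict": "allowed"},
    {"sender": "billing@finance-update.com", "recipient": "bchen",
     "url": "https://finance-update.com/inv", "verdict": "allowed"},
    {"sender": "billing@finance-update.com", "recipient": "dlopez",
     "url": "https://finance-update.com/inv", "verdict": "blocked"},
    {"sender": "hr@corp.example", "recipient": "akumar",
     "url": "https://corp.example/benefits", "verdict": "allowed"},
]
# Constructed proxy click events: who actually followed a campaign URL.
CLICKS = [
    {"user": "akumar", "url": "https://finance-update.com/inv",
     "host": "FIN-WS-050"},
]
# Constructed Sysmon-style process creations (Day 23 chain).
PROCS = [
    {"host": "FIN-WS-050", "parent": "winword.exe", "image": "powershell.exe"},
    {"host": "FIN-WS-050", "parent": "explorer.exe", "image": "outlook.exe"},
]


def scope_campaign(sender_domain, emails, clicks, procs):
    """Return containment tiers for every message from the campaign sender."""
    # Step 1: the campaign is every message from the sender domain,
    # regardless of verdict; blocked recipients were still targeted.
    campaign = [e for e in emails if e["sender"].endswith("@" + sender_domain)]
    urls = {e["url"] for e in campaign}
    recipients = {e["recipient"] for e in campaign}
    # Step 2: pivot to proxy clicks on any campaign URL.
    clicked = {c["user"] for c in clicks if c["url"] in urls}
    click_hosts = {c["host"] for c in clicks if c["url"] in urls}
    # Step 3: pivot to endpoint execution on the hosts that clicked.
    executed = {p["host"] for p in procs
                if p["host"] in click_hosts
                and p["parent"].lower() == "winword.exe"
                and p["image"].lower() == "powershell.exe"}
    return {
        "recipients": sorted(recipients),             # notify and purge mail
        "clicked": sorted(clicked),                   # credential resets
        "executed_hosts": sorted(executed),           # isolate and image
        "not_clicked": sorted(recipients - clicked),  # still potential victims
    }


if __name__ == "__main__":
    print(scope_campaign("finance-update.com", EMAILS, CLICKS, PROCS))
```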
Key Takeaways
- ✓ Trace email → click → exec → C2
- ✓ Always scope the full campaign
- ✓ Patient zero ≠ only victim