WEEK_4 · DAY_24 · LAB
Lab 24 — Phishing Investigation
Trace from email → click → payload → C2
Lab Objectives
- Find the email in the Proofpoint TAP logs
- Trace the URL click and the DNS lookups it caused
- Pivot to endpoint execution (the Day 23 chain)
- Identify all victims and produce a global containment plan
Lab Instructions
1. Open Splunk → Search.
2. Run the campaign trace SPL below.
3. Identify the click event for akumar (a permitted click on the campaign URL, not a blocked one).
4. Pivot to Sysmon Event ID 1 (process creation) on FIN-WS-050 and confirm WINWORD.EXE spawning powershell.exe after the click.
5. List every recipient of the same campaign; each one is a potential victim, whether or not they have clicked yet.
SPL for this Lab
Phishing campaign trace open in Splunk
index=email sourcetype=proofpoint:tap sender="*finance-update.com" | table _time sender recipient subject url verdict | sort _time
Every email from the bad sender, and therefore every potential victim. Note that the wildcard "*finance-update.com" also matches lookalike senders such as user@myfinance-update.com; use sender="*@finance-update.com" when you want exactly that domain, and pipe into stats values(recipient) by sender if you only need the recipient list.
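The five lab steps are one correlation chain: campaign messages, the click, the DNS it caused, the Office-spawned shell, and a classification of every recipient so the containment plan is global rather than akumar-only. The Python below is an added, offline version of that chain written for this lab page, not code from the course or from Splunk; it runs over constructed sample events that stand in for the Proofpoint TAP, DNS and Sysmon indexes, and the field names (recipient, url, click_status, query, ParentImage, Image), the host names other than FIN-WS-050, the mailbox-to-host mapping and the triage labels are all assumptions.

```python
"""Lab 24 chain, offline: email -> click -> DNS -> process -> victim list -> containment.

Sample events below are constructed for this example; field names are assumed,
not the exact schema of the Proofpoint TAP or Sysmon add-ons.
"""
from datetime import datetime
from urllib.parse import urlparse

SENDER_DOMAIN = "finance-update.com"   # bad sender domain from the lab SPL

def ts(s):
    return datetime.fromisoformat(s)

# Constructed Proofpoint TAP message events (one per delivered email).
EMAILS = [
    {"_time": ts("2024-05-14T08:02:11"), "sender": "billing@finance-update.com", "recipient": "akumar@corp.example",
     "subject": "Q2 invoice correction", "url": "https://finance-update.com/inv/7731", "verdict": "delivered"},
    {"_time": ts("2024-05-14T08:02:14"), "sender": "billing@finance-update.com", "recipient": "jlee@corp.example",
     "subject": "Q2 invoice correction", "url": "https://finance-update.com/inv/7732", "verdict": "delivered"},
    {"_time": ts("2024-05-14T08:02:19"), "sender": "billing@finance-update.com", "recipient": "mross@corp.example",
     "subject": "Q2 invoice correction", "url": "https://finance-update.com/inv/7733", "verdict": "delivered"},
    {"_time": ts("2024-05-14T09:15:00"), "sender": "payroll@corp.example", "recipient": "akumar@corp.example",
     "subject": "Payslip", "url": "https://hr.corp.example/payslip", "verdict": "delivered"},  # unrelated mail
]
# Constructed TAP click events (URL Defense decision per click).
CLICKS = [
    {"_time": ts("2024-05-14T08:10:40"), "recipient": "akumar@corp.example",
     "url": "https://finance-update.com/inv/7731", "click_status": "permitted"},
    {"_time": ts("2024-05-14T08:31:05"), "recipient": "jlee@corp.example",
     "url": "https://finance-update.com/inv/7732", "click_status": "blocked"},
]
# Constructed resolver log: which host asked for which name.
DNS = [
    {"_time": ts("2024-05-14T08:10:41"), "host": "FIN-WS-050", "query": "finance-update.com"},
    {"_time": ts("2024-05-14T08:12:03"), "host": "FIN-WS-050", "query": "cdn.finance-update.com"},
]
# Constructed Sysmon Event ID 1 (process create) events.
SYSMON = [
    {"_time": ts("2024-05-14T08:11:52"), "host": "FIN-WS-050", "User": "CORP\\akumar",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -ep bypass -f C:\Users\akumar\AppData\Local\Temp\inv.ps1"},
]
# Assumed mailbox -> workstation mapping (from asset inventory or the Sysmon User field).
USER_HOST = {"akumar@corp.example": "FIN-WS-050", "jlee@corp.example": "FIN-WS-051",
             "mross@corp.example": "FIN-WS-052"}

def _in_domain(name, domain):
    name = (name or "").lower().rstrip(".")
    return name == domain or name.endswith("." + domain)

def campaign_emails(emails, sender_domain):
    """Step 1-2: the lab SPL, tightened to the exact sender domain (no lookalikes)."""
    return [e for e in emails if e["sender"].lower().endswith("@" + sender_domain)]

def recipients(emails, sender_domain):
    """Step 5: every recipient of the campaign is a potential victim."""
    return sorted({e["recipient"] for e in campaign_emails(emails, sender_domain)})

def clicks_for(user, clicks, sender_domain):
    """Step 3: this user's clicks on URLs hosted in the sender domain."""
    return [c for c in clicks if c["recipient"] == user
            and _in_domain(urlparse(c["url"]).hostname, sender_domain)]

def dns_for(host, dns, sender_domain):
    return [d for d in dns if d["host"] == host and _in_domain(d["query"], sender_domain)]

def office_spawned_shell(host, sysmon, after):
    """Step 4: an Office parent spawning a shell/script host on this host after the click."""
    office = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
    shells = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
    leaf = lambda p: p.lower().rsplit("\\", 1)[-1]
    return [p for p in sysmon if p["host"] == host and p["_time"] >= after
            and leaf(p["ParentImage"]) in office and leaf(p["Image"]) in shells]

def triage(emails, clicks, dns, sysmon, user_host, sender_domain):
    """Classify every recipient, not just the one who reported it."""
    result = {}
    for user in recipients(emails, sender_domain):
        host = user_host.get(user)
        user_clicks = clicks_for(user, clicks, sender_domain)
        permitted = [c for c in user_clicks if c["click_status"] == "permitted"]
        status = "delivered"              # lure in mailbox, no click seen (yet)
        if user_clicks and not permitted:
            status = "clicked_blocked"    # URL Defense stopped it; purge + awareness
        if permitted:
            status = "clicked"            # reached the site; check DNS and endpoint
            if host and office_spawned_shell(host, sysmon, min(c["_time"] for c in permitted)):
                status = "executed"       # payload ran; isolate, reset creds, hunt C2
        result[user] = {"host": host, "status": status,
                        "dns_hits": len(dns_for(host, dns, sender_domain)) if host else 0}
    return result

def containment_plan(triage_result):
    plan = {"isolate_hosts": [], "reset_credentials": [], "purge_mailboxes": []}
    for user, r in triage_result.items():
        plan["purge_mailboxes"].append(user)          # every recipient still holds the lure
        if r["status"] in ("clicked", "executed"):
            plan["reset_credentials"].append(user)    # credential capture possible on click
        if r["status"] == "executed":
            plan["isolate_hosts"].append(r["host"])
    return plan

if __name__ == "__main__":
    t = triage(EMAILS, CLICKS, DNS, SYSMON, USER_HOST, SENDER_DOMAIN)
    for user, r in t.items():
        print(f"{user:24} {r['host']:12} {r['status']:16} dns_hits={r['dns_hits']}")
    print(containment_plan(t))
```

The point of the triage step is that "delivered" recipients are not safe, only unexamined: the purge covers them, and the same query re-run an hour later may move them to "clicked". The execution check keys on the parent process (an Office binary) rather than on powershell.exe alone, because that parent relationship is what distinguishes the Day 23 chain from an administrator's shell.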