Phishing Prevention

• What is the MITRE ID for Software Configurations

M1054

• What is the SPF rule to use if you wish to ensure an operator rejects emails without potentially discarding a legitimate email?

v=spf1 ~all

• What is the meaning of the -all tag?

fail

• Which email header shows the status of whether DKIM passed or failed?

Authentication-Results

• Which DMARC policy would you use not to accept an email if the message fails the DMARC check?

p=reject

• What is nonrepudiation? (The answer is a full sentence, including the ".")

The uniqueness of a signature prevents the owner of the signature from disowning the signature.

• What Wireshark filter can you use to narrow down the packet output using SMTP status codes?

smtp.response.code

• Per the network traffic, what was the message for status code 220? (Do not include the status code (220) in the answer)

<domain> Service ready

• One packet shows a response that an email was blocked using spamhaus.org. What were the packet number and status code? (no spaces in your answer)

156,553

• Based on the packet from the previous question, what was the message regarding the mailbox

mailbox name not allowed

• What is the status code that will typically precede a SMTP DATA command?

354

• What port is the SMTP traffic using?

25

• How many packets are specifically SMTP?

512

• What is the source IP address for all the SMTP traffic?

10.12.19.101

• What is the filename of the third file attachment?

attachment.scr

• How about the last file attachment?

 .zip

• Per MITRE ATT&CK, which software is associated with using SMTP and POP3 for C2 communications?

Zebrocy

• Per the playbook, what framework was used for the IR process?

NIST