logo
HomeLearnPracticeChallenge
Pricing
  • For Individuals
  • For Students
  • For Teams
  • Live Chat
  • Help Center
  • Forum
  • Ask a Question
  • Edit Profile
  • My Rewards
  • Subscription
  • Public Profile
  • Logout
  • MonitoringLog ManagementCase ManagementEndpoint SecurityEmail SecurityThreat IntelSandbox
Lets Defend

Resources

  • Blog
  • MITRE ATT&CK Map
  • Dictionary
  • Use Cases

Community

  • Discord
  • Contribute

Roles

  • SOC Analyst
  • Incident Responder
  • Detection Engineer
  • DFIR
  • Cloud Security Engineer
  • Information Security Specialist

Support

  • Contact us
  • Help Center
  • Forum
  • Walkthroughs
  • Tour

Social

All Rights Reserved ©2025 | Privacy Policy | Terms of Service

footer sub image
Lets Defend

Resources

  • Blog
  • MITRE ATT&CK Map
  • Dictionary
  • Use Cases

Community

  • Discord
  • Contribute

Roles

  • SOC Analyst
  • Incident Responder
  • Detection Engineer
  • DFIR
  • Cloud Security Engineer
  • Information Security Specialist

Support

  • Contact us
  • Help Center
  • Forum
  • Walkthroughs
  • Tour

Social

All Rights Reserved ©2025

Privacy Policy | Terms of Service
footer sub image
Score
60%
Playbook Success Rate
40%
Investigation Time
4 Minutes
SOC Alert Details
SEVERITYDATERULE NAMEEVENTIDTYPE
MediumDec, 27, 2023, 11:22 AM ⭐ SOC250 - APT35 HyperScrape Data Exfiltration Tool Detected212Data Leakage

⭐ As of August 2022, APT35 aka Charming Kitten was observed using a new tool called Hyperscrape to extract emails from their victims’ mailboxes

EventID :
212
Event Time :
Dec, 27, 2023, 11:22 AM
Rule :
SOC250 - APT35 HyperScrape Data Exfiltration Tool Detected
Level :
Security Analyst
Hostname :
Arthur
Ip Address :
172.16.17.72
Process Name :
EmailDownloader.exe
Process Path :
C:\Users\LetsDefend\Downloads\EmailDownloader.exe
Parent Process :
C:\Windows\Explorer.EXE
Command Line :
C:\Users\LetsDefend\Downloads\EmailDownloader.exe
File Hash :
cd2ba296828660ecd07a36e8931b851dda0802069ed926b3161745aae9aa6daa
Trigger Reason :
Unusual or suspicious patterns of behavior linked to the hash have been identified, indicating potential malicious intent.
Device Action :
Allowed
Show Hint
Playbook Answers
Question:Containment
User answer:Yes
Question:Determine the Scope
User answer:Yes
Correct Answer:No
Question:IP Reputation Check
User answer:No
Correct Answer:Yes
Question:Attacker IP Analysis
User answer:External
Question:Determine the Type of Reconnaissance
User answer:Gather Victim Network Information
Correct Answer:Gather Victim Identity Information
Playbook Note
Empty! You should explain why you closed alarm this way.
Alert Answers
Question:Is this alert True Positive or False Positive?
User answer:
Alert Note
Empty! You should explain why you closed alarm this way.