2020-11-13 - TRAFFIC ANALYSIS EXERCISE - QUIETHUB

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• Zip archive of the pcap:  2020-11-13-traffic-analysis-exercise.pcap.zip   6.8 MB (6,842,297 bytes)

• 2020-11-13-traffic-analysis-exercise.pcap   (9,071,924 bytes)

• Zip archive of the alerts:  2020-11-13-traffic-analysis-exercise-alerts.zip   2.9 MB (2,920,756 bytes)

• 2020-11-13-traffic-analysis-exercise-alerts.jpg   (3,246,604 bytes)
• 2020-11-13-traffic-analysis-exercise-alerts.txt   (8,840 bytes)

• Zip archive of the alerts:  2020-11-13-traffic-analysis-exercise-forensic-investigation.zip   2.7 MB (2,674,400 bytes)

• Note: This contains malware/artifacts from the infected host's C:\ drive.
• Listing the contents here would give away some of the answers.

 

 

SCENARIO

LAN segment data:

• LAN segment range:  192.168.200[.]0/24 (192.168.200[.]0 through 192.168.200[.]255)
• Domain:  quiethub[.]net
• Domain controller:  192.168.200[.]10 - Quiethub-DC
• LAN segment gateway:  192.168.200[.]1
• LAN segment broadcast address:  192.168.200[.]255

 

TASK

• Write an incident report based on the pcap and the alerts.

• The incident report should contains 3 sections:

• Executive Summary: State in simple, direct terms what happened (when, who, what).
• Details: Details of the victim (hostname, IP address, MAC address, Windows user account name).
• Indicators of Compromise (IOCs): SHA256 hashes and details of the malware and/or artifacts, IP addresses, domains and URLs associated with the infection.

 

ANSWERS

• Click here for the answers.

 

Click here to return to the main page.