2024-08-15 - TRAFFIC ANALYSIS EXERCISE: WARMCOOKIE
ASSOCIATED FILES:
- Zip archive of the pcap: 2024-08-15-traffic-analysis-exercise.pcap.zip 10.6 MB (10,557,978 bytes)
- Zip archive of the alerts: 2024-08-15-traffic-analysis-exercise-alerts.zip 444.9 kB (444,890 bytes)
NOTES:
- Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website.
Shown above: Lures for WarmCookie take many forms.
BACKGROUND
A Windows host was infected, and it seems to be from WarmCookie malware.
SCENARIO
LAN segment details:
- LAN segment range: 10.8.15[.]0/24 (10.8.15[.]0 through 10.8.15[.]255)
- Domain: lafontainebleu[.]org
- Active Directory (AD) domain controller: 10.8.15[.]4 - WIN-JEGJIX7Q9RS
- AD environment name: LAFONTAINBLEU
- LAN segment gateway: 10.8.15[.]1
- LAN segment broadcast address: 10.8.15[.]255
TASK
- Write an incident report based on malicious network activity from the pcap and from the alerts.
- The incident report should contain 3 sections:
  - Executive Summary: State in simple, direct terms what happened (when, who, what).
  - Victim Details: Details of the victim (hostname, IP address, MAC address, Windows user account name).
  - Indicators of Compromise (IOCs): IP addresses, domains and URLs associated with the activity. SHA256 hashes if any malware binaries can be extracted from the pcap.
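A starting point for the "Victim Details" section, written as an added example (not part of the exercise materials): a stdlib-only libpcap reader that maps every sender inside the 10.8.15.0/24 segment to its source MAC, skipping the gateway, domain controller and broadcast addresses from the scenario. The sample pcap bytes, MACs and the 10.8.15.99 host are constructed for the demo; point `lan_hosts` at the real pcap's bytes instead.

```python
import ipaddress
import struct

LAN = ipaddress.ip_network("10.8.15.0/24")
# Scenario infrastructure that cannot be the victim: gateway, DC, broadcast.
KNOWN = {"10.8.15.1", "10.8.15.4", "10.8.15.255"}

def parse_pcap(data):
    """Yield raw frames from a classic libpcap file (pcapng not handled)."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None:
        raise ValueError("not a libpcap file")
    if struct.unpack(end + "I", data[20:24])[0] != 1:  # DLT_EN10MB
        raise ValueError("expected Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def lan_hosts(data):
    """Return {ip: mac} for LAN senders, skipping gateway, DC and broadcast."""
    hosts = {}
    for pkt in parse_pcap(data):
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":  # not IPv4 over Ethernet
            continue
        src_ip = ipaddress.ip_address(pkt[26:30])  # IPv4 source at offset 14+12
        if src_ip in LAN and str(src_ip) not in KNOWN:
            hosts.setdefault(str(src_ip), ":".join(f"{b:02x}" for b in pkt[6:12]))
    return hosts

# --- constructed sample input so the script runs offline ---
def _frame(src_mac, src_ip, dst_ip):
    """Minimal Ethernet + IPv4 header (no payload); values are made up."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         ipaddress.ip_address(src_ip).packed,
                         ipaddress.ip_address(dst_ip).packed)
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip_hdr

def build_pcap(frames):
    """Wrap frames in a little-endian pcap global header + record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
SAMPLE = build_pcap([
    _frame(b"\x00\x11\x22\x33\x44\x55", "10.8.15.4", "10.8.15.99"),    # DC -> host
    _frame(b"\x00\x0c\x29\xaa\xbb\xcc", "10.8.15.99", "203.0.113.7"),  # host -> outside
])
```

Once the victim IP/MAC pair is known, the hostname and user account are usually recoverable from the same host's DHCP, NBNS or Kerberos traffic in Wireshark.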
ANSWERS
- Click here for the answers.