2021-04-01 21:41 UTC - UPDATE: The domain for the AD environment used in this quiz has been changed to clockwater.net. We will still accept the original domain listed in the answers from any of the submissions. We already have 10 submission as I write this. Thanks to everyone who has participated or will still take part in this quiz!
Today's diary is a forensic quiz for April 2021. This month's quiz will also be a contest. The prize is a Raspberry Pi. Rules for the contest follow:
Material for this forensic quiz is located at this Github repository. This repository contains a zip archive containing a pcap of network traffic from the infected Windows host. The repository also contains another zip archive with malware and artifacts recovered from the infected Windows host. Be very careful with the malware and artifacts zip because it has actual malware from a recently-infected Windows computer. If you don't know what you're doing, do not download the malware and artifacts. I always recommend people do this quiz in a non-Windows environment, if possible.
Analysis of the infection traffic requires Wireshark or some other pcap analysis tool. Wireshark is my tool of choice to review pcaps of infection traffic. However, default settings for Wireshark are not optimized for web-based malware traffic. That's why I encourage people to customize Wireshark after installing it. To help, I've written a series of tutorials. The ones most helpful for this quiz are:
I always recommend participants use a non-Windows environment like BSD, Linux, or macOS. Why? Because most pcaps in these traffic analysis quizzes contain traffic with Windows-based malware. If you're using a Windows host to review such pcaps, your antivirus (or Windows Defender) may delete or alter the pcap. Worst case? If you extract malware from a pcap and accidentally run it, you might infect your Windows computer.
Analysis of the malware and artifacts should also be done in a non-Windows environment, unless you are a skilled malware analyst. However, reviewing the malware and artifacts in a non-Windows environment like Linux shouldn't pose any problems. Feel free to search for (or submit) malware from this quiz on sites like:
Most of the above sites require some sort of account to log in and search for samples. Some of these sites provide free accounts that only require a valid email address. Alternatively, search Google or other search engines for the SHA256 hashes of malware samples from this quiz. You might get links from the above sites in your search results.
Active Directory (AD) Environment
The infected Windows host is part of an AD environment, so the pcap contains information about the Windows user account. The user account is formatted as firstname.lastname. The AD environment characteristics are:
Again, the zip archive with a pcap of the traffic for this exercise is available in this Github repository. The winner of today's contest and analysis of the infection will be posted in an upcoming ISC diary two weeks from today on Wednesday April 14th.
I think the Raspberry Pi is an older model like a Raspberry Pi 2 or Raspberry Pi 3, but I will find out and update or add a comment to this diary.
Apr 1st 2021
|Thread locked Subscribe||
Apr 1st 2021
4 months ago