|
Introduction This is a last-minute forensic quiz for June 2021 based on a packet capture (pcap) with Windows-based infection traffic. Like the previous two months, this month's prize is a Raspberry Pi. Rules for the contest follow:
We will accept submissions through Monday June 28th, 2021. Everyone who submits the correct answers will be entered in a drawing, and the winner will be randomly chosen on Tuesday June 29th. The winner will be announced in an ISC diary on Wednesday June 30th that will also provide analysis of the infection traffic. Material for our June 2021 forensic contest is located at this Github repository. The repository contains a zip archive with a pcap of network traffic from infected Windows hosts. I always recommend people review pcaps of malware in a non-Windows environment, if possible.
NOTE: The pcap has more than one infected computer on the network, and the infections are independent of each other, meaning each infection was not caused by any of the others. This month's quiz should be much more difficult than last month's contest in May 2021. The pcap is approximately 45.2 MB, so Wireshark might be sluggish when viewing it. I suggest participants filter on the MAC addresse for each infected Windows host, then use File --> Export Specified Packets to save network traffic for each host to a different pcap. Requirements Analysis of the infection traffic requires Wireshark or some other pcap analysis tool. Wireshark is my tool of choice to review pcaps of infection traffic. However, default settings for Wireshark are not optimized for web-based malware traffic. That's why I encourage people to customize Wireshark after installing it. To help, I've written a series of tutorials. The ones most helpful for this quiz are:
I always recommend participants review these pcaps in a non-Windows environment like BSD, Linux, or macOS. Why? Because this pcap contains traffic with Windows-based malware. If you're using a Windows host to review such pcaps, your antivirus (or Windows Defender) may delete or alter the pcap. Worst case? If you extract malware from a pcap and accidentally run it, you might infect your Windows computer. Active Directory (AD) Environment The infected Windows host is part of an AD environment, so the pcap contains information about the Windows user account. The user account is formatted as firstname.lastname. The AD environment characteristics are:
Final Words Again, a zip archive with a pcap for this month's contest is available in this Github repository. As stated earlier, we will accpet submissions through Monday June 28th, 2021. Everyone who submits the correct answers will be entered in a drawing, and the winner will be randomly chosen on Tuesday June 29th. The winner will be announced in an ISC diary on Wednesday June 30th that will also provide analysis of the infection traffic. --- Brad Duncan |
Brad 433 Posts ISC Handler Jun 16th 2021 |
| Thread locked Subscribe |
Jun 16th 2021 11 months ago |
Sign Up for Free or Log In to start participating in the conversation!
https://www.sans.edu
