SANS ISC: Traffic Analysis Quiz: Mr Natural

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Introduction

It's time for another ISC traffic analysis quiz!  Like previous quizzes, we have traffic and alerts from an infected Windows computer.  This month's quiz consists of:

• a packet capture (pcap) of infection traffic
• a image of the alerts shown in Squil
• a text file listing the alerts with a few more details
• a PDF document with answers to the questions below.

The alerts were created using Security Onion running Suricata using the EmergingThreats Pro ruleset, viewed through Sguil.

You can find the pcap, alerts, and answers here.  Don't peek at the answers just yet!

Environment and quiz questions

The environment where this infection takes place:

• LAN segment range: 10.12.1.0/24 (10.12.1.0 thru 10.12.1.255)
• Domain: mrnatural.info
• Domain controller: 10.12.1.2 - MrNatural-DC
• LAN segment gateway: 10.12.1.1
• LAN segment broadcast address: 10.12.1.255

Here are questions to answer based on the pcap and the alerts:

• What is the IP address of the infected Windows host?
• What is the MAC address of the infected Windows host?
• What is the host name of the infected Windows host?
• What is the Windows user account name used on the the infected Windows host?
• What is the date and time of this infection?
• What is the SHA256 hash of the EXE or DLL that was downloaded from 5.44.43.72?
• Which two IP addresses and associated domains have HTTPS traffic with "Internet Widgets Pty" as part of the certificate data?
• Based on the alert for CnC (command and control) traffic, what type of malware caused this infection?

Requirements

This type of analysis requires Wireshark.  Wireshark is my tool of choice to review pcaps of infection activity.  However, default settings for Wireshark are not optimized for web-based malware traffic.  That's why I encourage people to customize Wireshark after installing it.  To help, I've written a series of tutorials.  The ones most helpful for this quiz are:

• Wireshark Tutorial: Changing Your Column Display
• Wireshark Tutorial: Display Filter Expressions
• Wireshark Tutorial: Identifying Hosts and Users
• Wireshark Tutorial: Exporting Objects from a Pcap

Furthermore, I  recommend using a non-Windows environment like BSD, Linux, or macOS to analyze malicious traffic.  This pcap contains HTTP traffic sending Windows-based malware.  If you're using a Windows host to review the pcap, your antivirus (or Windows Defender) may delete the pcap or malware.  Worst case scenario?  If you extract the malware from the pcap and accidentally run it, you might infect your Windows computer.

So beware, because there's actual malware involved for this exercise.

Final words

Again, files associated with this quiz (pcap, alerts, and answers) can be found here.

If you found this fun, we have previous traffic analysis quizzes:

• August 2020
• September 2020
• October 2020
• November 2020  

---
Brad Duncan
brad [at] malware-traffic-analysis.net