Introduction

It's time for another ISC traffic analysis quiz! Like previous quizzes, we have traffic and alerts from an infected Windows computer. This month's quiz consists of:
The alerts were created using Security Onion running Suricata with the EmergingThreats Pro ruleset, and were viewed through Sguil. You can find the pcap, alerts, and answers here. Don't peek at the answers just yet!

Environment and quiz questions

The environment where this infection takes place:
Here are questions to answer based on the pcap and the alerts:
Requirements

This type of analysis requires Wireshark. Wireshark is my tool of choice to review pcaps of infection activity. However, Wireshark's default settings are not optimized for web-based malware traffic. That's why I encourage people to customize Wireshark after installing it. To help, I've written a series of tutorials. The ones most helpful for this quiz are:
Furthermore, I recommend using a non-Windows environment like BSD, Linux, or macOS to analyze malicious traffic. This pcap contains HTTP traffic sending Windows-based malware. If you're using a Windows host to review the pcap, your antivirus (or Windows Defender) may delete the pcap or the malware. Worst case scenario? If you extract the malware from the pcap and accidentally run it, you might infect your Windows computer. So beware, because there's actual malware involved in this exercise.

Final words

Again, files associated with this quiz (pcap, alerts, and answers) can be found here. If you found this fun, we have previous traffic analysis quizzes:
Brad, ISC Handler, Dec 3rd 2020