Traffic Analysis Quiz: Mr Natural - SANS Internet Storm Center

Participate: Learn more about our honeypot network
https://isc.sans.edu/tools/honeypot/

Handler on Duty: Didier Stevens

Threat Level: green

Traffic Analysis Quiz: Mr Natural
Introduction It's time for another ISC traffic analysis quiz! Like previous quizzes, we have traffic and alerts from an infected Windows computer. This month's quiz consists of: a packet capture (pcap) of infection traffic a image of the alerts shown in Squil a text file listing the alerts with a few more details a PDF document with answers to the questions below. The alerts were created using Security Onion running Suricata using the EmergingThreats Pro ruleset, viewed through Sguil. You can find the pcap, alerts, and answers here. Don't peek at the answers just yet! Environment and quiz questions The environment where this infection takes place: LAN segment range: 10.12.1.0/24 (10.12.1.0 thru 10.12.1.255) Domain: mrnatural.info Domain controller: 10.12.1.2 - MrNatural-DC LAN segment gateway: 10.12.1.1 LAN segment broadcast address: 10.12.1.255 Here are questions to answer based on the pcap and the alerts: What is the IP address of the infected Windows host? What is the MAC address of the infected Windows host? What is the host name of the infected Windows host? What is the Windows user account name used on the the infected Windows host? What is the date and time of this infection? What is the SHA256 hash of the EXE or DLL that was downloaded from 5.44.43.72? Which two IP addresses and associated domains have HTTPS traffic with "Internet Widgets Pty" as part of the certificate data? Based on the alert for CnC (command and control) traffic, what type of malware caused this infection? Requirements This type of analysis requires Wireshark. Wireshark is my tool of choice to review pcaps of infection activity. However, default settings for Wireshark are not optimized for web-based malware traffic. That's why I encourage people to customize Wireshark after installing it. To help, I've written a series of tutorials. The ones most helpful for this quiz are: Wireshark Tutorial: Changing Your Column Display Wireshark Tutorial: Display Filter Expressions Wireshark Tutorial: Identifying Hosts and Users Wireshark Tutorial: Exporting Objects from a Pcap Furthermore, I recommend using a non-Windows environment like BSD, Linux, or macOS to analyze malicious traffic. This pcap contains HTTP traffic sending Windows-based malware. If you're using a Windows host to review the pcap, your antivirus (or Windows Defender) may delete the pcap or malware. Worst case scenario? If you extract the malware from the pcap and accidentally run it, you might infect your Windows computer. So beware, because there's actual malware involved for this exercise. Final words Again, files associated with this quiz (pcap, alerts, and answers) can be found here. If you found this fun, we have previous traffic analysis quizzes: August 2020 September 2020 October 2020 November 2020 --- Brad Duncan brad [at] malware-traffic-analysis.net	Brad 441 Posts ISC Handler Dec 3rd 2020
Thread locked Subscribe	Dec 3rd 2020 1 year ago