PacketDetective

As a SOC analyst, explore a collection of Wireshark pcap files that delve into various attack tactics, including evasion and lateral movement. Analyze network traffic captured within these pcaps ..

Dive into Blue Team CTF Challenges - CyberDefenderscyberdefenders.org

Q1 File => Traffic-1 What is the amount of bandwidth being used by the SMB protocol in bytes?

from the Downloaded file, open traffic-1

Go to Statistics > Protocol Hierarchy and look at SMB bytes

Answer: 4406

Q2 File => Traffic-1 Which username was utilized for authentication via SMB?

from Edit menu > Find packet and search for user name

Answer: Administrator

Q3 File => Traffic-1 What is the name of the file that was opened?

we have 2 options :

from File menu > Export Object > SMB

another option is by filtering with eventlog then follow tcp steam

Answer: eventlog

Q4 File => Traffic-1 What is the timestamp in UTC of the attempt to clear the event log? (UTC date and time)

from the previous screen filter, look at packet 19

if you need to change the time stamp format go to View menu > time stamp format.

Answer: 2020-09-23 16:50:16

Q5 File => Traffic-2 An attacker used a named pipe for communication to blend in and evade detection. What is the name of the service that utilized this pipe for communication?

Now open Traffic-2, find the packet containing the string "PIPE"

Answer: atsvc

Q6 File => Traffic-2 What was the duration of communication between 172.16.66.1 and 172.16.66.36?

From the Statistics Menu > Conversation, go to IPv4 and tap look for the duration.

Answer: 11.7247

Q7 File => Traffic-3 Which username is used to set up requests that may be considered suspicious?

finally let us go to traffic-3 , the file contains only 2 ip : 172.16.66.1 & 172.16.66.36

and the request is from 172.16.66.1 so let us find the username for this IP

find the packet containing the string username and investigate the packet

there is a NTLMSSP_AUTH from the user under the name is backdoor

Answer: Backdoor

Q8 File => Traffic-3 What is the name of the executable file utilized to execute processes remotely?

from File menu > Export Object > SMB the only executable file is ..

Answer: PSEXESVC.EXE

Hope this writeup helped you, for questions feel free to message me.

Thank you

PreviousElastic-Case NextPhishing

Last updated 2 years ago

hashtagQ1 File => Traffic-1 What is the amount of bandwidth being used by the SMB protocol in bytes?

hashtagQ2 File => Traffic-1 Which username was utilized for authentication via SMB?

hashtagQ3 File => Traffic-1 What is the name of the file that was opened?

hashtagQ4 File => Traffic-1 What is the timestamp in UTC of the attempt to clear the event log? (UTC date and time)

hashtagQ5 File => Traffic-2 An attacker used a named pipe for communication to blend in and evade detection. What is the name of the service that utilized this pipe for communication?

hashtagQ6 File => Traffic-2 What was the duration of communication between 172.16.66.1 and 172.16.66.36?

hashtagQ7 File => Traffic-3 Which username is used to set up requests that may be considered suspicious?

hashtagQ8 File => Traffic-3 What is the name of the executable file utilized to execute processes remotely?