PacketDetective

As a SOC analyst, explore a collection of Wireshark pcap files that delve into various attack tactics, including evasion and lateral movement. Analyze the network traffic captured within these pcaps.

Q1 File => Traffic-1 What is the amount of bandwidth being used by the SMB protocol in bytes?

From the downloaded archive, open Traffic-1 in Wireshark.

Go to Statistics > Protocol Hierarchy and read the Bytes value on the SMB row.

Answer: 4406

Q2 File => Traffic-1 Which username was utilized for authentication via SMB?

From the Edit menu > Find Packet, search for the string "user name".

Answer: Administrator

Q3 File => Traffic-1 What is the name of the file that was opened?

We have two options:

From the File menu > Export Objects > SMB.

Another option is to filter on the string eventlog and then Follow > TCP Stream.

Answer: eventlog

Q4 File => Traffic-1 What is the timestamp in UTC of the attempt to clear the event log? (UTC date and time)

Using the filter from the previous step, look at packet 19.

If you need to change the timestamp format, go to View > Time Display Format.

Answer: 2020-09-23 16:50:16

Q5 File => Traffic-2 An attacker used a named pipe for communication to blend in and evade detection. What is the name of the service that utilized this pipe for communication?

Now open Traffic-2 and find the packet containing the string "PIPE".

Answer: atsvc

Q6 File => Traffic-2 What was the duration of communication between 172.16.66.1 and 172.16.66.36?

From Statistics > Conversations, open the IPv4 tab and read the Duration column for this pair of hosts.

Answer: 11.7247
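The two statistics used in Q1 and Q6 (Protocol Hierarchy bytes for SMB, and IPv4 conversation duration) can be reproduced from a raw pcap without Wireshark. The following is an added example, not part of the original writeup and not run against the challenge files: it builds a small constructed capture between the two lab hosts, walks the classic pcap record format, counts SMB-layer bytes on TCP/445, and computes the duration between two IPv4 hosts. The NBSS framing assumption and the constructed packets are simplifications chosen for illustration.

```python
import struct
from ipaddress import IPv4Address
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # classic LE pcap, linktype 1 = Ethernet

def build_record(ts: float, src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build one pcap record: Ethernet + IPv4 + TCP + payload (checksums left zero; constructed data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed) + tcp
    frame = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip
    sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame

def parse_pcap(data: bytes) -> list:
    """Return (timestamp, src, dst, sport, dport, tcp_payload) for each TCP/IPv4 frame."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap is handled here")
    packets, pos = [], 24
    while pos + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack("<IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        ip = frame[14:]
        if frame[12:14] != b"\x08\x00" or ip[9] != 6:  # keep only TCP over IPv4
            continue
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        src, dst = str(IPv4Address(ip[12:16])), str(IPv4Address(ip[16:20]))
        tcp = ip[ihl:total_len]                       # drops any Ethernet trailer
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        packets.append((sec + usec / 1e6, src, dst, sport, dport, tcp[data_off:]))
    return packets

def smb_bytes(packets) -> int:
    """SMB-layer bytes on TCP/445: TCP payload minus the 4-byte NBSS header (assumes one PDU per segment)."""
    return sum(max(len(p[5]) - 4, 0) for p in packets if 445 in (p[3], p[4]))

def conversation_duration(packets, a: str, b: str) -> float:
    """Statistics > Conversations > IPv4 duration: last minus first timestamp between the two hosts."""
    ts = [p[0] for p in packets if {p[1], p[2]} == {a, b}]
    return round(max(ts) - min(ts), 4) if ts else 0.0

# Constructed sample capture (not the challenge pcap): two SMB segments, one bare ACK, one HTTP segment.
SAMPLE_PCAP = PCAP_GLOBAL + b"".join([
    build_record(100.0, "172.16.66.1", "172.16.66.36", 49152, 445, b"\x00\x00\x00\x24" + b"\xfeSMB" + b"A" * 32),
    build_record(103.25, "172.16.66.36", "172.16.66.1", 445, 49152, b""),
    build_record(105.0, "172.16.66.36", "172.16.66.1", 445, 49152, b"\x00\x00\x00\x38" + b"\xfeSMB" + b"B" * 52),
    build_record(111.5, "172.16.66.1", "172.16.66.36", 49153, 80, b"GET / HTTP/1.1\r\n"),
])
```

On a real capture, read the file bytes and pass them to parse_pcap; a pcapng file or a capture with TCP reassembly across segments will need more than this minimal walker.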

Q7 File => Traffic-3 Which username is used to set up requests that may be considered suspicious?

Finally, let us go to Traffic-3. The file contains only two IPs: 172.16.66.1 and 172.16.66.36,

and the requests come from 172.16.66.1, so let us find the username used by this IP.

Find the packet containing the string "username" and inspect it.

It carries an NTLMSSP_AUTH message from the user named backdoor.

Answer: Backdoor

Q8 File => Traffic-3 What is the name of the executable file utilized to execute processes remotely?

From the File menu > Export Objects > SMB, the only executable file is:

Answer: PSEXESVC.EXE

Hope this writeup helped you, for questions feel free to message me.

Thank you
