![]() First, check unencrypted HTTP traffic for any unusual URLs. ![]() Pcap Analysis: Identifying the MalwareĪfter gathering the victim’s details, determine when the malicious traffic started. The result is a CNameString column as shown above in Figure 3. Finding the victim’s Windows user account name in Kerberos traffic.Īs stated in our tutorial on identifying hosts and users, you can select the CNameString value and apply it as a column in your Wireshark display. Keep expanding values until you find the CNameString that has a value of damon.bauer, as shown in Figure 3. Go to the frame details section and expand the Kerberos line. Select one of the last few frames in the column display. Filter on kerberos.CNameString and scroll to the end of the results in your column display. Kerberos authentication traffic is generated when a user logs in, and it may provide a Windows user account name in the pcap. Finding a Windows host name in NBNS or SMB traffic. We find DESKTOP-E7FHJS4 in the column display and frame details as shown in Figure 2. The name starts with DESKTOP- and is followed by an alphanumeric string of seven additional ASCII characters. The default host name for a Windows 10 or Windows 11 computer is a 15-character string. Network Basic Input/Output System (NetBIOS) Name Service (NBNS) traffic or Server Message Block (SMB) traffic may also provide a victim’s Windows host name. Filtering on web traffic to find the victim’s IP and MAC address. The frame details section provides a corresponding MAC address of 00:21:5d:9e:42:fb as shown in Figure 1. The results in the column display should show the source IP address as. To find it, use the basic web filter provided in our Wireshark tutorials, or type the following in your Wireshark filter bar: The common internal, non-routable IP address from this pcap is. Our analysis assumes you have customized Wireshark according to our tutorials or workshop videos. File description: Malicious 32-bit DLL for Qakbot.File transfer over SMB between the infected Windows host and the domain controller.ARP scanning from the infected Windows host.Various IP addresses over TCP ports 25 and 465 - SMTP traffic to servers on various email domains.The Qakbot infection may have spread to the domain controller. On at 17:04 UTC, a Windows computer used by Damon Bauer was infected with Qakbot (Qbot) malware. The incident report should look similar to the following write-up. SHA256 hashes if any files from the infection can be extracted from the pcap. Indicators of Compromise (IoCs): IP addresses, ports, domains and URLs associated with the infection.Victim Details: Victim’s IP address, MAC address, Windows hostname and Windows user account name.Executive Summary: State in simple, direct terms what happened (when, who and what).The incident report should consist of three sections: This month’s Wireshark quiz asks participants to write an incident report on the activity, as described in the February 2023 standalone quiz post. Use infected as the password to unlock the ZIP archive. ![]() Download the ZIP archive and extract the pcap. To obtain the pcap, visit our GitHub repository. As always, we recommend using Wireshark in a non-Windows environment like BSD, Linux or macOS when analyzing malicious Windows-based traffic. A list of tutorials and videos is available. We also recommend readers customize their Wireshark display to better analyze web traffic. Participants should have some basic knowledge of network traffic fundamentals. This blog utilizes a recent version of Wireshark, and we recommend at least version 3.x. Our investigation for this month’s quiz requires Wireshark. Domain Controller host name: WORK4US-DC.Details of the local area network (LAN) from the pcap follow. The pcap for this month’s Wireshark quiz is from an AD environment, and it contains real-world traffic from a simulated enterprise setting. Pcap Analysis: Follow-up Spambot ActivityĪdditional Resources Scenario, Requirements and Quiz Material Pcap, Qakbot, Qbot, spambot VNC, Wireshark, Wireshark Tutorial If you’d like to view the version without answers, please see the standalone quiz post. To get the most benefit, readers should understand basic network traffic concepts and be familiar with Wireshark. The information is ideal for security professionals who investigate suspicious network activity in an Active Directory (AD) environment, but everyone is welcome to review. This blog presents the answers for our February 2023 Unit 42 Wireshark quiz.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |