[Lab-ThreatHunt] Team PCAP Analysis 1
School: Madison Area Technical College, Madison
Course: 804-208
Subject: Information Systems
Date: Dec 6, 2023
Type: docx
Pages: 9
Uploaded by: LavonCN
Contents:
PreLab
    Download the required lab files
ToDo
    Step 1) Know your Network [Everyone Does This]
    Step 2) Analyze Alerts
Question 1) Put your first rule.name here
    Step 1) Create a Hypothesis
    Step 2) Collect some facts about the alert using Hunt
    Step 3) Make your list of things that prove/disprove your hypothesis
    Step 4) Confirm your Hypothesis
    Step 5) Write your summary
Question 2) Put Your Second Rule Name Here
    Step 1) Create a Hypothesis
    Step 2) Collect some facts about the alert using Hunt
    Step 3) Make your list of things that prove/disprove your hypothesis
    Step 4) Confirm your Hypothesis
    Step 5) Write your summary
Submit your lab in BlackBoard
PreLab:
Make sure to always double check your sha or md5 checksums.
Download the required lab files:
Note: Credit for the malware sample pcaps goes to https://www.malware-traffic-analysis.net/
1. Download the following files to “/home/student/LABS/Lab8/”:
    ○ 2018-10-31-traffic-analysis-exercise.pcap.zip
    ○ 2018-10-31-traffic-analysis-exercise.pcap.zip.sha1
2. Change into your downloads directory:
    cd /home/student/LABS/Lab8/
3. Confirm the checksums on each pcap file. Run “sha1sum” to confirm the integrity of your downloaded files:
    sha1sum -c 2018-10-31-traffic-analysis-exercise.pcap.zip.sha1
4. Extract the zip file:
    unzip -P infected 2018-10-31-traffic-analysis-exercise.pcap.zip
5. Clear all old imports:
    sudo clear_all_imports
6. Import the pcap file into Security Onion:
    sudo so-import-pcap <file.pcap>
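Step 3 above relies on sha1sum -c reading the .sha1 manifest and comparing digests. The Python below is an added example (not part of the lab handout or of Security Onion) that does the same check by hand, so you can see the manifest format ("<40 hex digits>  <filename>", or "*<filename>" for binary mode) and why a single FAILED or MISSING entry must stop you before the unzip step. The file names and contents in demo() are constructed in a temporary directory; they are not the lab's real archive.

```python
import hashlib
import tempfile
from pathlib import Path


def sha1_of_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-1 so large pcap archives do not need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(manifest_path):
    """Parse a manifest in sha1sum output format: '<digest>  <name>' or '<digest> *<name>'.
    Blank lines and '#' comments are ignored; anything else malformed is an error."""
    entries = []
    for raw in Path(manifest_path).read_text().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # drop the separator and the binary-mode marker
        if len(digest) != 40 or not all(c in "0123456789abcdefABCDEF" for c in digest) or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        entries.append((digest.lower(), name))
    return entries


def verify_manifest(manifest_path):
    """Return {filename: 'OK' | 'FAILED' | 'MISSING'}, resolving names relative to the
    manifest's own directory, the same way sha1sum -c does."""
    base = Path(manifest_path).parent
    results = {}
    for digest, name in parse_manifest(manifest_path):
        target = base / name
        if not target.is_file():
            results[name] = "MISSING"
        elif sha1_of_file(target) == digest:
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


def all_ok(results):
    """True only when every listed file was found and matched; an empty manifest is not OK."""
    return bool(results) and all(status == "OK" for status in results.values())


def demo():
    """Constructed sample: one intact archive and one that was altered after the
    manifest was written (the situation the checksum step exists to catch)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        good = d / "sample-good.zip"
        bad = d / "sample-tampered.zip"
        good.write_bytes(b"PK\x03\x04 constructed archive contents")
        bad.write_bytes(b"PK\x03\x04 constructed archive contents")
        manifest = d / "samples.sha1"
        manifest.write_text(f"{sha1_of_file(good)}  {good.name}\n{sha1_of_file(bad)} *{bad.name}\n")
        bad.write_bytes(b"PK\x03\x04 constructed archive contents, modified")  # tamper after signing
        results = verify_manifest(manifest)
        return results, all_ok(results)


if __name__ == "__main__":
    results, ok = demo()
    for name, status in results.items():
        print(f"{name}: {status}")
    print("all files verified" if ok else "checksum verification failed; do not extract")
```

Running the block prints OK for the intact file, FAILED for the altered one, and refuses to proceed; the same outcome from sha1sum -c means you re-download rather than unzip.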
ToDo:
The first step is to understand the layout of the network you are analyzing. Document the layout of the network based on the visibility you have from your pcap file.
Step 1) Know your Network [Everyone Does This]:
Note: You can usually figure out this information quickly by loading the pcap file into NetworkMiner.
Understand the local network. Document the following:
● LAN segment range: 10.100.9.x
● Network: 10.100.9.0
● Mask: 255.255.255.0
● Domain: halloweenjob.com
● Domain Controller: 10.100.9.4
● Local DNS Server: 10.100.9.4
● LAN segment gateway: 10.100.9.4
● LAN segment broadcast address: 10.100.9.255
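NetworkMiner derives most of the facts above from the frames themselves. The Python below is an added example (not part of the lab or of NetworkMiner) that shows how, using only the standard library: it reads a classic libpcap file, decodes Ethernet/IPv4/UDP headers, builds the host-to-MAC table, computes the network and broadcast address from the mask, picks the busiest UDP/53 responder as the local DNS server, and infers the gateway as the MAC that off-segment traffic is handed to. The capture in build_sample_pcap() is constructed in memory (the 00:0c:29 and second 00:50:8b MACs, the 10.100.9.5 host and the 198.51.100.7 external address are made up); it is not the lab's pcap.

```python
import ipaddress
import struct
from collections import Counter, defaultdict

ETH_IPV4, PROTO_TCP, PROTO_UDP = 0x0800, 6, 17


def iter_packets(pcap_bytes):
    """Yield (timestamp, frame) from a classic libpcap file with an Ethernet link type."""
    (magic,) = struct.unpack_from("<I", pcap_bytes, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    (linktype,) = struct.unpack_from(endian + "I", pcap_bytes, 20)
    if linktype != 1:
        raise ValueError(f"unsupported link type {linktype}; expected Ethernet (1)")
    off = 24
    while off + 16 <= len(pcap_bytes):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap_bytes, off)
        off += 16
        yield ts_sec, pcap_bytes[off:off + incl_len]
        off += incl_len


def parse_frame(frame):
    """Decode Ethernet II + IPv4 (+ TCP/UDP ports); return None for anything else."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[23]                      # IPv4 protocol field
    pkt = {
        "dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":"),
        "src_ip": ipaddress.IPv4Address(frame[26:30]),
        "dst_ip": ipaddress.IPv4Address(frame[30:34]),
        "proto": proto, "sport": None, "dport": None,
    }
    if proto in (PROTO_TCP, PROTO_UDP) and len(frame) >= 14 + ihl + 4:
        pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", frame, 14 + ihl)
    return pkt


def inventory(pcap_bytes, netmask="255.255.255.0"):
    """Build the 'know your network' facts from a capture and an assumed subnet mask."""
    macs_by_ip, dns_hits, pkts = defaultdict(set), Counter(), []
    for _ts, frame in iter_packets(pcap_bytes):
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        pkts.append(pkt)
        macs_by_ip[pkt["src_ip"]].add(pkt["src_mac"])
        if pkt["proto"] == PROTO_UDP and pkt["dport"] == 53:
            dns_hits[pkt["dst_ip"]] += 1
    if not macs_by_ip:
        raise ValueError("no IPv4 traffic in capture")
    # The segment with the most distinct senders is taken as the local LAN.
    segments = Counter(ipaddress.ip_network(f"{ip}/{netmask}", strict=False) for ip in macs_by_ip)
    lan = segments.most_common(1)[0][0]
    # Frames from the LAN to an outside IP are addressed at layer 2 to the gateway's MAC.
    gw_macs = Counter(p["dst_mac"] for p in pkts if p["src_ip"] in lan and p["dst_ip"] not in lan)
    gateway = None
    if gw_macs:
        gw_mac = gw_macs.most_common(1)[0][0]
        gateway = next((ip for ip, macs in macs_by_ip.items() if gw_mac in macs), None)
    return {
        "network": str(lan.network_address), "mask": str(lan.netmask),
        "broadcast": str(lan.broadcast_address),
        "hosts": {str(ip): sorted(m) for ip, m in macs_by_ip.items() if ip in lan},
        "dns_server": str(dns_hits.most_common(1)[0][0]) if dns_hits else None,
        "gateway": str(gateway) if gateway else None,
    }


def _udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/UDP frame; checksums are left zero, which this parser ignores."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, PROTO_UDP, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETH_IPV4) + ip + udp


def build_sample_pcap():
    """Constructed capture: two LAN hosts querying the DC for DNS, plus one off-segment flow."""
    pc, dc, other = "00:50:8b:2a:96:0a", "00:0c:29:aa:bb:cc", "00:50:8b:11:22:33"
    frames = [
        _udp_frame(pc, dc, "10.100.9.107", "10.100.9.4", 51000, 53, b"\x00" * 12),
        _udp_frame(dc, pc, "10.100.9.4", "10.100.9.107", 53, 51000, b"\x00" * 12),
        _udp_frame(other, dc, "10.100.9.5", "10.100.9.4", 51001, 53, b"\x00" * 12),
        _udp_frame(pc, dc, "10.100.9.107", "198.51.100.7", 51002, 443),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header, linktype 1
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1540999997 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for key, value in inventory(build_sample_pcap()).items():
        print(f"{key}: {value}")
```

The mask is an input, not something the capture proves; when the guess is wrong the "network" and "broadcast" lines will be wrong too, which is why the lab asks you to write these facts down and check them against what you see in NetworkMiner.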
Step 2) Analyze Alerts:
There are 18 individual rules that are fired for this particular pcap file.
● event.dataset: alert | groupby rule.name
Each team member will analyze two (or more) of the alerts using the process that we used in the previous lab. Note: If there are additional alerts a single team member can analyze it or you can do it as a group.
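The groupby query above, and the Why/What/When/Where/How/Who fact collection in Step 2 of each Question below, can be reproduced offline. The Python below is an added example (not part of the lab handout or of Security Onion's Hunt) that runs the same grouping over a few constructed alert records in the flattened field names the queries use (event.dataset, event.module, rule.name), then pulls out the What, When and Where facts for one rule and marks Why, How and Who as open questions, since an alert record alone cannot answer them. The records, timestamps and the 203.0.113.10 external address are constructed; the 10.100.9.0/24 range comes from the Step 1 facts.

```python
import ipaddress
import json
from collections import Counter
from datetime import datetime

# Constructed alert records, one JSON object per line. Not taken from the lab's capture.
SAMPLE_NDJSON = """\
{"@timestamp": "2018-10-31T15:33:13.000Z", "event.dataset": "alert", "event.module": "suricata", "rule.name": "ET Policy Dns Update from External Net", "source.ip": "10.100.9.107", "destination.ip": "10.100.9.4"}
{"@timestamp": "2018-10-31T15:36:17.000Z", "event.dataset": "alert", "event.module": "suricata", "rule.name": "ET Malware Trickbot Checking response", "source.ip": "203.0.113.10", "destination.ip": "10.100.9.107"}
{"@timestamp": "2018-10-31T15:41:02.000Z", "event.dataset": "alert", "event.module": "suricata", "rule.name": "ET Malware Trickbot Checking response", "source.ip": "203.0.113.10", "destination.ip": "10.100.9.107"}
{"@timestamp": "2018-10-31T15:36:16.000Z", "event.dataset": "conn", "event.module": "zeek", "source.ip": "10.100.9.107", "destination.ip": "203.0.113.10"}
"""

LAN = ipaddress.ip_network("10.100.9.0/24")  # from the Step 1 "know your network" facts


def load_alerts(ndjson_text):
    """Parse newline-delimited JSON into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in ndjson_text.splitlines() if line.strip()]


def groupby(records, field, dataset="alert"):
    """Offline equivalent of the Hunt query 'event.dataset: <dataset> | groupby <field>'."""
    return Counter(r[field] for r in records if r.get("event.dataset") == dataset and field in r)


def _parse_ts(stamp):
    # datetime.fromisoformat does not accept a trailing 'Z' before Python 3.11
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def collect_facts(records, rule_name):
    """What/When/Where facts for one rule.name, plus which hosts are on the local LAN.
    Why/How/Who are returned as open questions: the alert does not establish them."""
    hits = [r for r in records if r.get("event.dataset") == "alert" and r.get("rule.name") == rule_name]
    if not hits:
        return None
    times = sorted(_parse_ts(r["@timestamp"]) for r in hits)
    pairs = Counter((r["source.ip"], r["destination.ip"]) for r in hits)
    involved = {ip for r in hits for ip in (r["source.ip"], r["destination.ip"])}
    fmt = "%Y-%m-%d %H:%M:%S UTC"
    return {
        "what": rule_name,
        "count": len(hits),
        "when": {"first": times[0].strftime(fmt), "last": times[-1].strftime(fmt)},
        "where": [{"src": s, "dst": d, "count": n} for (s, d), n in pairs.most_common()],
        "local_hosts": sorted(ip for ip in involved if ipaddress.ip_address(ip) in LAN),
        "module": sorted({r["event.module"] for r in hits}),
        "open_questions": ["why", "how", "who"],
    }


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_NDJSON)
    print("event.dataset: alert | groupby rule.name")
    for name, n in groupby(alerts, "rule.name").most_common():
        print(f"  {n:>3}  {name}")
    for name in groupby(alerts, "rule.name"):
        print(json.dumps(collect_facts(alerts, name), indent=2))
```

The "conn" record shows why the dataset filter matters: Zeek connection logs share the same index but are not alerts, so they must not be counted in the rule.name breakdown. The local_hosts list is what tells you which side of the alert is the machine you are responsible for.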
Question 1) ET Malware Trickbot Checking response
Step 1) Create a Hypothesis:
From looking at the Alert, what is your first impression of what may have happened? If you have no idea, copy and paste the Alert text into Google and figure out what the Alert is supposed to identify.
Write a short (sentence or two) Hypothesis of what caused the Alert:
An external source or someone put malware on the windows server.
Step 2) Collect some facts about the alert using Hunt:
Filter: “event.dataset: alert | groupby event.module”
Separate FACTS and QUESTIONS:
● Why: [Question] To see if malware can be put on the windows server.
● What: [Is this a FACT ?] server was affected from the malware.
● When: [FACT] 2018 -10 -31 15:36:17
● Where: [FACT] Destination IP which is 10.100.9.107
● How: [Question] Unknown
● Who: [Question] Unknown
Step 3) Make your list of things that prove/disprove your hypothesis
Prove:
● That an external force or someone did put malware on the windows server.
Disprove:
● That there was no malware being put on the windows server from an external source or someone.
Step 4) Confirm your Hypothesis:
Try to answer each of the questions from your hypothesis with TRUE or FALSE
Why: [-] To see if malware can be put on the windows server. True
What: [-] server was affected from the malware True
When: [FACT] 2018 -10 -31 15:36:17 True
Where: [FACT] Destination IP which is 10.100.9.107 True
How: [-] unknown True
Who: [-] unknown True
Step 5) Write your summary:
Short (a few sentences) overview of your findings. Did your findings line up with your initial hypothesis?
The initial hypothesis was that someone or an external source put malware on the windows server. After some findings were made, the conclusion is that malware was put on the server but it is unknown who did it.
Question 2) ET Policy Dns Update from External Net
Step 1) Create a Hypothesis:
From looking at the Alert, what is your first impression of what may have happened? If you have no idea, copy and paste the Alert text into Google and figure out what the Alert is supposed to identify.
Write a short (sentence or two) Hypothesis of what caused the Alert:
A Potential Corporate Private Violation happened.
Step 2) Collect some facts about the alert using Hunt:
Filter: “event.dataset: alert | groupby event.module”
Separate FACTS and QUESTIONS:
● Why: [Question] Someone created a false alarm
● What: [Is this a FACT ?] an email attachment
● When: [FACT] 2018 -10 -31 15:33:13
● Where: [FACT] Source IP – 10.100.9.107 Destination IP – 10.100.9.4
● How: [Question] Someone might have made a false alarm?
● Who: [Question] Unknown
Step 3) Make your list of things that prove/disprove your hypothesis
Prove:
● That a Private Violation happened.
Disprove:
● That a Private Violation did not happen.
Step 4) Confirm your Hypothesis:
Try to answer each of the questions from your hypothesis with TRUE or FALSE
Why: [-] Someone created a false alarm True
What: [-] email attachment True
When: [FACT] 2018 -10 -31 15:33:13 True
Where: [FACT] Source IP – 10.100.9.107 Destination IP – 10.100.9.4 True
How: [-] Someone might have made a false alarm True
Who: [-] Unknown True
Step 5) Write your summary:
Short (a few sentences) overview of your findings. Did your findings line up with your initial hypothesis?
The initial hypothesis was that a Private Violation happened. After some findings, the conclusion is that someone could have made a false alarm, and the Private Violation could have happened with the false alarm and an email attachment.
Submit your lab in BlackBoard:
You are going to use this area to report on what you think happened in this compromise. This is done by the entire team and will be the same for everyone on the team's lab submission. The Team Report should include:
● Date and time of the activity (in GMT or UTC)
● The account name or username from the infected Windows computer
● The host name of the infected Windows computer
● The MAC address of the infected Windows computer
● SHA256 file hashes for any malware from the pcap
● What type of infection this is
● What was the initial infection vector
Summary: The attack began on 10/31/18 at 3:33 PM UTC when a host on the domain received DNS updates that pointed to multiple malicious domains. The DNS name of the host is HEADLESS-PC, the IP address is 10.100.9.107, and the MAC address is 00508B2A960A. The username that initiated the infection was ichabod.crane, which is a user on the local domain (HalloweenJob.com). The attack then immediately progressed by connecting to webpages controlled by these domains and downloading four files: one being an executable, and three being text files (most likely to configure the malware to its environment). The executable’s SHA256 hash (396223eeec49493a52dd9d8ba5348a332bf064483a358db79d8bb8d22e6eb62c) is flagged as malicious by 61 security vendors when submitted to VirusTotal; it is detected as TrickBot. The initial infection vector is unclear, but analysis shows the host reaching out to a domain it probably shouldn’t have. This, along with a confirmed TrickBot infection, makes it likely that social engineering was the culprit.