2018-04-11 - TRAFFIC ANALYSIS EXERCISE - DYNACCOUNTIC
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- Zip archive of the pcap: 2018-04-11-traffic-analysis-exercise.pcap.zip 883 kB (883,222 bytes)
SCENARIO
Someone at Dynaccountic has infected their Windows computer. Your manager has tasked you to write an incident report.
Your manager thinks of you as a "security accountant."
Here's a brief outline of associated network traffic:
- LAN segment: 10.10.10[.]0/24 (10.10.10[.]0 through 10.10.10[.]255)
- Broadcast address: 10.10.10[.]255
- Domain controller: 10.10.10[.]3 (DYNACCOUNTIC-DC)
- Domain: dynaccountic[.]com
YOUR TASK
The incident report should include:
- Date/Time of the infection
- Who was infected (IP address, host name, MAC address, and user account name)
- What malware is involved
- The likely source of this infection
- Indicators associated with this infection (IP addresses, domains, URLs, and file hashes, if any)
Remember, a good incident report starts with an executive summary. In this case, the executive summary should only be 2 to 3 sentences long. See my proposed format below for this month's exercise.
SUMMARY:
- Sentence 1: On [date] at [time in UTC], a Windows computer used by [user account name] was infected with [name of malware].
- Sentence 2: This infection probably originated from [describe where the malware likely came from].
- Sentence 3: [Describe how the issue was resolved. Here's an example.] The infected computer was sent to our help desk to be wiped and re-imaged. The user changed all of [his or her] associated passwords.
DETAILS:
- Infected user's IP address:
- Infected user's MAC address:
- Infected user's host name:
- Infected user's account name:
INDICATORS:
- List the IP addresses, ports, and domains associated with the malware.
- If any malware can be extracted from the exercise pcap, list the SHA256 file hashes for any associated files.
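Added example, not part of the exercise or the site's own tooling: a minimal classic-pcap parser that builds the host inventory the DETAILS section asks for, mapping each 10.10.10[.]0/24 sender to its MAC address, first-seen UTC time and frame count (the report's Date/Time field is in UTC). The embedded pcap bytes, the MACs and the 10.10.10.201 host are constructed sample data, not the exercise's answers; the domain controller address is the one given in the scenario.

```python
import ipaddress
import struct
from datetime import datetime, timezone

def _frame(ts_sec, src_mac, dst_mac, src_ip, dst_ip):
    """Build one pcap record: Ethernet II + bare IPv4 header (constructed test data)."""
    eth = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    rec = eth + ip
    return struct.pack("<IIII", ts_sec, 0, len(rec), len(rec)) + rec

# Constructed pcap: little-endian magic, version 2.4, snaplen 65535, LINKTYPE_ETHERNET (1).
# MACs and the .201 host are made-up sample values, not answers to the exercise.
SAMPLE_PCAP = (
    struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    + _frame(1523448000, "001122334455", "66778899aabb", "10.10.10.201", "10.10.10.3")
    + _frame(1523448001, "66778899aabb", "001122334455", "10.10.10.3", "10.10.10.201")
    + _frame(1523448002, "001122334455", "ccddeeff0011", "10.10.10.201", "198.51.100.7")
    + _frame(1523448003, "ccddeeff0011", "001122334455", "198.51.100.7", "10.10.10.201")
)

def lan_hosts(pcap_bytes, lan="10.10.10.0/24"):
    """Inventory LAN senders: IP -> source MAC, first-seen time (UTC), frame count."""
    net = ipaddress.ip_network(lan)
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic (non-pcapng, microsecond) pcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("expected LINKTYPE_ETHERNET")
    hosts, off = {}, 24
    while off + 16 <= len(pcap_bytes):
        ts_sec, _, incl_len, _ = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # IPv4 frames only
            continue
        src_ip = ipaddress.IPv4Address(frame[26:30])
        if src_ip not in net:
            continue  # inbound traffic from outside the LAN is not a local host
        entry = hosts.setdefault(str(src_ip), {
            "mac": frame[6:12].hex(":"),
            "first_seen": datetime.fromtimestamp(ts_sec, tz=timezone.utc).isoformat(),
            "frames": 0})
        entry["frames"] += 1
    return hosts
```

Run lan_hosts() over the exercise pcap to get the candidate list; the infected host is then confirmed from its own traffic (DHCP, NetBIOS or Kerberos for the host and account names) rather than from this inventory alone.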
ANSWERS
- Click here for the answers.