2018-04-11 - TRAFFIC ANALYSIS EXERCISE - DYNACCOUNTIC
- Zip archive of the pcap: 2018-04-11-traffic-analysis-exercise.pcap.zip 883 kB (883,354 bytes)
- All zip archives on this site are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Someone at Dynaccountic has infected their Windows computer. Your manager has tasked you to write an incident report.
Your manager thinks of you as a "security accountant."
Here's a brief outline of associated network traffic:
- LAN segment: 10.10.10.0/24 (10.10.10.0 through 10.10.10.255)
- Broadcast address: 10.10.10.255
- Domain controller: 10.10.10.3 (DYNACCOUNTIC-DC)
- Domain: dynaccountic.com
The incident report should include:
- Date/Time of the infection
- Who was infected (IP address, host name, MAC address, and user account name)
- What malware is involved
- The likely source of this infection
- Indicators associated with this infection (IP addresses, domains, URLs, and file hashes, if any)
Remember, a good incident report starts with an executive summary. In this case, the executive summary should only be 2 to 3 sentences long. See my proposed format below for this month's exercise.
- Sentence 1: On [date] at [time in UTC], a Windows computer used by [user account name] was infected with [name of malware].
- Sentence 2: This infection probably originated from [describe where the malware likely came from].
- Sentence 3: [Describe how the issue was resolved. Here's an example.] The infected computer was sent to our help desk to be wiped and re-imaged. The user changed all of [his or her] associated passwords.
- Infected user's IP address:
- Infected user's MAC addres:
- Infected user's host name:
- Infected user's account name:
- List the IP addresses, ports, and domains associated with the malware.
- If any malware can be extracted from the exercise pcap, list the SHA256 file hashes for any associated files.
- Click here for the answers.
Click here to return to the main page.