2018-05-11 - TRAFFIC ANALYSIS EXERCISE - NIGHT DEW
- Zip archive of the pcap: 2018-05-11-traffic-analysis-exercise.pcap.zip 3.0 MB (3,020,848 bytes)
- All zip archives on this site are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
"Night Dew" is a nickname for moonshine illegally created by someone's great-grandfather back in the early 1800s. As decades passed, the old man's descendants kept his moonshine recipe alive. By the late 1900s, they became a legitimate business named Night Dew Spirits.
In recent years, Night Dew Spirits expanded to several locations across the United States. Night Dew's expansion includes a network architecture under the name nightdew.org. You work in the Security Operations Center (SOC) monitoring alerts on the company's network traffic.
On Friday 2018-05-11 (UTC time), you receive unspecified alerts on a possibly infected Windows host. Your co-worker retrieves the network traffic related to these alerts. You must review the traffic and draft an incident report.
Shown above: How most people feel after drinking Night Dew.
Characteristics of the network traffic:
- LAN segment: 10.0.14.0/24 (10.0.14.0 through 10.0.14.255)
- Broadcast address: 10.0.14.255
- Domain controller: 10.0.14.3 (NIGHTDEW-DC)
- Domain: nightdew.org
Your incident report should cover the following:
- Date/time of the activity (UTC)
- Who was infected
  - Infected user's IP address
  - Infected user's MAC address
  - Infected user's host name
  - Infected user's account name
- What malware was involved
- The IP addresses, ports, and domains associated with this activity
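Identifying the infected host usually means pulling its MAC, host name and IP address out of the same DHCP exchange (client MAC in the BOOTP chaddr field, host name in option 12, leased address in option 50 or yiaddr); the account name comes separately from Kerberos AS-REQ traffic to the domain controller, which this snippet does not parse. The following parser is an added example for this exercise, not code from the original page or from the exercise author. It uses only the standard library, builds a constructed DHCP Request frame inline (the MAC, host name and address in it are made up and are not from the exercise pcap), and checks the recovered address against the LAN segment given above.

```python
"""Extract host-identifying fields from a raw DHCP frame (added example)."""
import ipaddress
import struct

LAN = ipaddress.ip_network("10.0.14.0/24")  # LAN segment from the exercise description
DHCP_MAGIC = b"\x63\x82\x53\x63"


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_dhcp_options(data: bytes) -> dict:
    """Walk the TLV options after the magic cookie; skip PAD (0), stop at END (255).

    Truncated options are dropped rather than raising, since captured frames
    are sometimes cut short by the snaplen.
    """
    opts = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == 0:            # PAD is a single byte with no length field
            i += 1
            continue
        if code == 255:          # END
            break
        if i + 1 >= len(data):
            break                # truncated option header
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            break                # truncated option body
        opts[code] = value
        i += 2 + length
    return opts


def extract_dhcp_host_info(frame: bytes):
    """Return mac/hostname/ip/msg_type for a DHCP frame, or None if it is not DHCP."""
    if len(frame) < 14 + 20 + 8 + 240:              # Ethernet + IPv4 + UDP + fixed BOOTP
        return None
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:  # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:                                 # not UDP
        return None
    udp = ip[ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    if (sport, dport) not in ((68, 67), (67, 68)):  # DHCP client/server ports
        return None
    bootp = udp[8:]
    if bootp[236:240] != DHCP_MAGIC:
        return None
    chaddr = bootp[28:28 + bootp[2]]                # hlen bytes of client hardware address
    yiaddr = ipaddress.ip_address(bootp[16:20])     # "your" address, set by the server in ACK
    opts = parse_dhcp_options(bootp[240:])
    requested = opts.get(50)
    addr = ipaddress.ip_address(requested) if requested and len(requested) == 4 else yiaddr
    hostname = opts.get(12, b"").decode("ascii", errors="replace") or None
    return {
        "mac": _mac(chaddr),
        "hostname": hostname,
        "ip": str(addr),
        "msg_type": opts.get(53, b"\x00")[0],       # 1 Discover, 3 Request, 5 ACK
        "on_lan": addr in LAN,
    }


def build_sample_dhcp_request(mac: bytes, hostname: str, requested_ip: str) -> bytes:
    """Build a minimal client->broadcast DHCP Request. Constructed sample, not from the pcap."""
    options = (
        bytes([53, 1, 3])                                                # Message Type: Request
        + bytes([50, 4]) + ipaddress.ip_address(requested_ip).packed     # Requested IP Address
        + bytes([12, len(hostname)]) + hostname.encode("ascii")          # Host Name
        + bytes([0, 0])                                                  # PAD bytes the parser must skip
        + bytes([255])                                                   # END
    )
    bootp = (
        bytes([1, 1, 6, 0]) + b"\x12\x34\x56\x78" + b"\x00\x00" + b"\x80\x00"  # op,htype,hlen,hops,xid,secs,flags
        + b"\x00" * 16                                  # ciaddr, yiaddr, siaddr, giaddr = 0.0.0.0
        + mac + b"\x00" * 10                            # chaddr padded to 16 bytes
        + b"\x00" * 64 + b"\x00" * 128                  # sname, file
        + DHCP_MAGIC + options
    )
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp   # checksum left at 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\x00\x00\x00\x00", b"\xff\xff\xff\xff") + udp
    return b"\xff" * 6 + mac + b"\x08\x00" + ip


# Constructed sample values; the hypothetical host, MAC and address are not the exercise's.
SAMPLE_FRAME = build_sample_dhcp_request(bytes.fromhex("00aabbccddee"), "DESKTOP-EXAMPLE", "10.0.14.101")

if __name__ == "__main__":
    print(extract_dhcp_host_info(SAMPLE_FRAME))
```

To run this against a real capture, read frames from the pcap (for example with the `dpkt` or `scapy` readers, or by exporting DHCP frames from Wireshark) and feed each one to `extract_dhcp_host_info`; in Wireshark the equivalent display filter is `dhcp` (or `bootp` in older versions), and the account name is found with `kerberos.CNameString` on traffic to the domain controller at 10.0.14.3.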