2018-05-11 - TRAFFIC ANALYSIS EXERCISE - NIGHT DEW
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- Zip archive of the pcap: 2018-05-11-traffic-analysis-exercise.pcap.zip 3.0 MB (3,020,849 bytes)
SCENARIO
"Night Dew" is a nickname for moonshine illegally created by someone's great-grandfather back in the early 1800s. As decades passed, the old man's descendants kept his moonshine recipe alive. By the late 1900s, they became a legitimate business named Night Dew Spirits.
In recent years, Night Dew Spirits expanded to several locations across the United States. Night Dew's expansion includes a network architecture under the name nightdew[.]org. You work in the Security Operations Center (SOC) monitoring alerts on the company's network traffic.
On Friday 2018-05-11 (UTC time), you receive unspecified alerts on a possibly infected Windows host. Your co-worker retrieves network traffic related to these alerts. You must review the traffic and draft an incident report.
Image (not included in this extract), captioned: How most people feel after drinking Night Dew.
Characteristics of the network traffic:
- LAN segment: 10.0.14[.]0/24 (10.0.14[.]0 through 10.0.14[.]255)
- Broadcast address: 10.0.14[.]255
- Domain controller: 10.0.14[.]3 (NIGHTDEW-DC)
- Domain: nightdew[.]org
REPORT GUIDELINES
EXECUTIVE SUMMARY:
- Date/Time of the activity
- Who was infected
- What malware was involved
DETAILS:
- Infected user's IP address:
- Infected user's MAC address:
- Infected user's host name:
- Infected user's account name:
INDICATORS:
- List the IP addresses, ports, and domains associated with this activity.