2015-01-09 - TRAFFIC ANALYSIS EXERCISE: WINDOWS USER VIEWS A WEBSITE AND GETS EXPLOIT KIT (EK) TRAFFIC

NOTICE:

PCAP AND ANSWERS:


NOTES:


SCENARIO

A Windows host visits a website that kicks off a chain of events leading to an exploit kit.


QUESTIONS

BASIC QUESTIONS:

1) What is the date and time of this activity?
2) What is the IP address and MAC address for the Windows host that hit the exploit kit?
3) What is the domain name and IP address of the compromised website?
4) What is the domain name and IP address for the exploit kit?
5) What web browser is the Windows host using?


EXTRA QUESTIONS:

1) What is the exploit kit?
2) What type of exploits were sent by this exploit kit? (Flash, IE, Java, Silverlight, etc.)
3) Which HTTP request returned a redirect to the exploit kit?
4) In Wireshark, which tcp.stream contains the malware payload?
5) What Snort events (EmergingThreats or VRT/Talos rules) are generated by this traffic?
6) What version of Flash Player is the Windows host using?
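The questions above amount to a checklist of fields to pull out of the capture. As an added example that is not part of this exercise or its answer file, the stdlib-only Python script below does that mechanically: it reads a classic pcap, numbers TCP conversations in first-seen order (the same order Wireshark uses for tcp.stream), and parses each HTTP request and response to recover the first timestamp, the client's IP and MAC, the chain of Host headers (compromised site first), the User-Agent, any 3xx response with its Location (the request that "returned a redirect"), the x-flash-version header the Flash plugin sends with SWF requests, and any response body that starts with an MZ header, which is how a dropped Windows executable shows up in a stream. Every hostname, IP, MAC, port, timestamp and HTTP message in the sample is constructed for the demo, the function and field names are my own, and the parser assumes one HTTP message per TCP segment with no reassembly and no pcapng support. The Snort question has no offline equivalent here.

```python
import struct
from datetime import datetime, timezone

# ---------- constructed sample capture (placeholder hosts, IPs, MACs, times) ----------
C_MAC, GW_MAC, C_IP = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "192.168.1.100"
UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
T0 = 1420817021  # 2015-01-09 15:23:41 UTC, a constructed timestamp

def _mac(s): return bytes(int(x, 16) for x in s.split(":"))
def _ip(s): return bytes(int(x) for x in s.split("."))

def _frame(src_mac, dst_mac, sip, dip, sport, dport, payload):  # Ethernet/IPv4/TCP, zero checksums
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, _ip(sip), _ip(dip))
    return _mac(dst_mac) + _mac(src_mac) + b"\x08\x00" + ip + tcp

def _pcap(records):  # records: (sec, usec, frame) -> little-endian classic pcap, link type 1
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, frame in records:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def _req(host, uri, extra=""): return ("GET %s HTTP/1.1\r\nHost: %s\r\nUser-Agent: %s\r\n%s\r\n" % (uri, host, UA, extra)).encode()
def _resp(status, extra="", body=b""): return ("HTTP/1.1 %s\r\n%s\r\n" % (status, extra)).encode() + body

_EXCHANGES = [  # (server ip, client port, request, response), one TCP stream each
    ("192.0.2.10", 49152, _req("compromised-site.example", "/"), _resp("200 OK", "Content-Type: text/html\r\n", b"<html>")),
    ("203.0.113.5", 49153, _req("gate.example", "/in.php", "Referer: http://compromised-site.example/\r\n"),
     _resp("302 Found", "Location: http://ek-landing.example/landing\r\n")),
    ("198.51.100.20", 49154, _req("ek-landing.example", "/landing"), _resp("200 OK", "Content-Type: text/html\r\n", b"<html>")),
    ("198.51.100.20", 49155, _req("ek-landing.example", "/exploit.swf", "x-flash-version: 16,0,0,235\r\n"),
     _resp("200 OK", "Content-Type: application/x-shockwave-flash\r\n", b"FWS...")),
    ("198.51.100.20", 49156, _req("ek-landing.example", "/payload"),
     _resp("200 OK", "Content-Type: application/octet-stream\r\n", b"MZ\x90\x00...")),
]

def sample_pcap():
    recs, t = [], T0
    for sip, cport, req, rsp in _EXCHANGES:
        recs.append((t, 0, _frame(C_MAC, GW_MAC, C_IP, sip, cport, 80, req)))
        recs.append((t, 500000, _frame(GW_MAC, C_MAC, sip, C_IP, 80, cport, rsp)))
        t += 1
    return _pcap(recs)

def parse_pcap(data):
    """Yield (timestamp, frame) from a classic pcap; handles both byte orders, not pcapng."""
    end = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    pos = 24
    while pos + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack(end + "IIII", data[pos:pos + 16])
        yield sec + usec / 1e6, data[pos + 16:pos + 16 + incl]
        pos += 16 + incl

def decode(frame):
    """Ethernet/IPv4/TCP -> (src_mac, sip, dip, sport, dport, payload); None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]
    tcp = ip[(ip[0] & 0x0F) * 4:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    mac = ":".join("%02x" % b for b in frame[6:12])
    dotted = lambda b: ".".join(str(x) for x in b)
    return mac, dotted(ip[12:16]), dotted(ip[16:20]), sport, dport, tcp[(tcp[12] >> 4) * 4:]

def triage(pcap_bytes):
    """Number streams in first-seen order (Wireshark's tcp.stream) and collect HTTP messages."""
    streams, events, first_ts = {}, [], None
    for ts, frame in parse_pcap(pcap_bytes):
        d = decode(frame)
        if d is None:
            continue
        src_mac, sip, dip, sport, dport, payload = d
        first_ts = ts if first_ts is None else min(first_ts, ts)
        idx = streams.setdefault(frozenset([(sip, sport), (dip, dport)]), len(streams))
        head, _, body = payload.partition(b"\r\n\r\n")
        lines = head.decode("latin-1").split("\r\n")
        hdrs = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in lines[1:])}
        if lines[0].startswith("HTTP/"):
            events.append({"stream": idx, "kind": "response", "status": lines[0].split(" ", 2)[1], "headers": hdrs, "body": body})
        elif " HTTP/" in lines[0]:
            events.append({"stream": idx, "kind": "request", "client_mac": src_mac, "client_ip": sip,
                           "server_ip": dip, "uri": lines[0].split(" ")[1], "headers": hdrs})
    return first_ts, events

def answer(pcap_bytes):
    """Map the basic/extra questions onto fields pulled from the capture."""
    first_ts, events = triage(pcap_bytes)
    reqs = [e for e in events if e["kind"] == "request"]
    resp = {e["stream"]: e for e in events if e["kind"] == "response"}
    a = {"start_utc": datetime.fromtimestamp(first_ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
         "host": (reqs[0]["client_ip"], reqs[0]["client_mac"]),
         "user_agent": reqs[0]["headers"].get("user-agent"),
         "chain": [(r["headers"].get("host"), r["server_ip"]) for r in reqs]}  # chain[0] = compromised site
    a["redirects"] = [(r["headers"].get("host", "") + r["uri"], resp[r["stream"]]["headers"].get("location"))
                      for r in reqs if r["stream"] in resp and resp[r["stream"]]["status"].startswith("3")]
    ek_hosts = {loc.split("/")[2] for _, loc in a["redirects"] if loc}  # where the redirect sent the browser
    a["exploit_kit"] = sorted({s for s in a["chain"] if s[0] in ek_hosts})
    a["flash_version"] = next((r["headers"]["x-flash-version"] for r in reqs if "x-flash-version" in r["headers"]), None)
    a["payload_streams"] = [s for s, e in resp.items() if e["body"].startswith(b"MZ")]  # PE header = dropped EXE
    return a
```

Calling `answer(sample_pcap())` returns a dict keyed by question (`start_utc`, `host`, `chain`, `exploit_kit`, `redirects`, `flash_version`, `payload_streams`, `user_agent`); on a real capture pass `open(path, "rb").read()` instead, after converting pcapng to classic pcap, and expect to use Wireshark's Follow TCP Stream or tshark for anything split across segments. Stream numbering, the MZ check and the x-flash-version lookup are the same checks you would run by hand in Wireshark; the script just makes them repeatable.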