2015-08-07 - TRAFFIC ANALYSIS EXERCISE - SOMEONE WAS FOOLED BY A MALICIOUS EMAIL
- ZIP of the PCAP: 2015-08-07-traffic-analysis-exercise.pcap.zip (15.4 MB)
- ZIP file of HTTPS logs: 2015-08-07-traffic-analysis-exercise-https-logs.zip (837.7 kB)
- ZIP file of HTTPS objects: 2015-08-07-traffic-analysis-exercise-https-artifacts.zip (10.6 MB)
- ZIP file of malicious emails: 2015-08-07-traffic-analysis-exercise-malicious-emails.zip (8.9 kB)
NOTE: All ZIP archives on this site are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
You're an analyst at a Brazilian manufacturing corporation named World of Widgets. On Wednesday 2015-08-05, you see the following alerts while working at the corporation's Security Operations Center (SOC):
You track these alerts to a Windows computer at IP address 192.168.137.113. Authentication logs indicate the computer is used by someone named Degrando Rustlyn.
Your team contacts Degrando, who remembers opening a questionable email around the time his computer became infected. Degrando deleted the message, and he can't remember which email it was or how he got any suspicious files to his desktop.
You retrieve a pcap of traffic for the timeframe of the alerts. You also retrieve HTTPS traffic logs for that IP address. Another analyst searches the company's mail servers and retrieves four malicious emails that might be related.
You now have: 1) a pcap of the traffic, 2) HTTPS traffic logs, 3) a collection of artifacts from that HTTPS traffic, and 4) malicious emails Degrando received during that timeframe.
Your task? Figure out how the computer became infected and document your findings. Your report should include:
- The infected computer's host name.
- The infected computer's MAC address.
- The infected computer's operating system.
- The date, time, subject line, and sender of the malicious email that caused the infection.
- Information on any malware associated with the infection.
- Domains and IP addresses of any related traffic.
- A timeline of events leading to the infection.
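The first three report items (host name, MAC address, operating system) can usually be read straight out of the infected host's own DHCP traffic. The stdlib-only script below is an added example, not part of the exercise or its answer key: it walks a classic pcap, takes the Ethernet source MAC of frames sent from 192.168.137.113, and joins that MAC to the client's DHCP host name (option 12) and vendor class (option 60, which Windows clients fill with "MSFT 5.0"). The embedded one-frame capture, the MAC 00:11:22:33:44:55 and the host name WIDGET-PC are constructed; pcapng files are not handled.

```python
import socket
import struct

def build_sample_pcap():
    """Constructed one-frame pcap (not the exercise capture): a DHCP Inform from the infected host."""
    mac = bytes.fromhex("001122334455")                                  # constructed client MAC
    # options: 53 = message type (8, Inform), 12 = host name, 60 = vendor class, 0xff = end
    opts = b"\x35\x01\x08" + b"\x0c\x09WIDGET-PC" + b"\x3c\x08MSFT 5.0" + b"\xff"
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s4s", 1, 1, 6, 0, 0x1234abcd, 0, 0,
                        socket.inet_aton("192.168.137.113"), b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        mac + b"\0" * 10, b"\0" * 64, b"\0" * 128, b"\x63\x82\x53\x63") + opts
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton("192.168.137.113"), b"\xff" * 4) + udp
    frame = b"\xff" * 6 + mac + b"\x08\x00" + ip                          # Ethernet, type IPv4
    header = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)   # pcap global header, LINKTYPE_ETHERNET
    return header + struct.pack("<IIII", 1438819200, 0, len(frame), len(frame)) + frame

def parse_frames(pcap):
    """Yield raw frames from a classic little-endian pcap; pcapng (default for newer Wireshark) is rejected."""
    if pcap[:4] != b"\xd4\xc3\xb2\xa1": raise ValueError("classic little-endian pcap expected, not pcapng")
    off = 24                                                       # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack("<IIII", pcap[off:off + 16])[2]   # ts_sec, ts_usec, incl_len, orig_len
        yield pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def dhcp_options(bootp):
    """DHCP options start at byte 240 (236-byte BOOTP header + magic cookie); 0 is pad, 0xff is end."""
    opts, i = {}, 240
    while i < len(bootp) and bootp[i] != 0xff:
        ln = 0 if bootp[i] == 0 else bootp[i + 1]
        if ln:
            opts[bootp[i]] = bootp[i + 2:i + 2 + ln]
        i += 1 if bootp[i] == 0 else 2 + ln
    return opts

def profile_host(pcap, target_ip):
    """MAC, DHCP host name and vendor class for target_ip (DHCP is joined on the client MAC,
    because Discover/Request frames are sent from 0.0.0.0, not from the lease address)."""
    mac, dhcp = None, {}
    for f in parse_frames(pcap):
        if len(f) < 34 or f[12:14] != b"\x08\x00":                 # IPv4 frames only
            continue
        if socket.inet_ntoa(f[26:30]) == target_ip:
            mac = mac or f[6:12].hex(":")                          # Ethernet source MAC
        udp = f[14 + (f[14] & 0x0f) * 4:]
        if f[23] == 17 and udp[:4] == b"\x00\x44\x00\x43" and len(udp) > 248:   # UDP 68 -> 67
            o = dhcp_options(udp[8:])
            dhcp[udp[36:42].hex(":")] = {k: o.get(c, b"").decode(errors="replace")
                                         for k, c in (("hostname", 12), ("vendor_class", 60))}
    return {"ip": target_ip, "mac": mac, **dhcp.get(mac, {"hostname": None, "vendor_class": None})}
```

Run it on the real capture with `profile_host(open("2015-08-07-traffic-analysis-exercise.pcap", "rb").read(), "192.168.137.113")`; if the host never renewed its lease during the capture, NBNS name registrations or the SMB/HTTP User-Agent strings are the next places to look.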
NOTE: A well-written incident report starts with an executive summary. The executive summary describes what happened in a concise narrative (preferably one or two sentences, three at most). Details are included in the report after the executive summary, hopefully in an organized manner that's easy for the reader to follow.
- Click here for the answers.