2018-08-12 - TRAFFIC ANALYSIS EXERCISE - SPUTNIK HOUSE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- Zip archive of the pcap: 2018-08-12-traffic-analysis-exercise.pcap.zip 24.6 MB (24,595,844 bytes)
- Zip archive of the alerts: 2018-08-12-traffic-analysis-exercise-alerts.zip 3.6 kB (3,619 bytes)
- Zip archive of 3 emails to review: 2018-08-12-traffic-analysis-exercise-emails.zip 310 kB (310,425 bytes)
SCENARIO
You have alerts indicating a computer on the corporate network for sputnikhouse[.]org at 192.168.1[.]95 was infected. You have a pcap of traffic from that host during the general timeframe, and you also have a list of the alerts related to the infected host. Finally, you have 3 emails with malware attachments. An attachment from one of those 3 emails infected this computer. Characteristics of your network are:
- LAN segment: 192.168.1[.]0/24 (192.168.1[.]0 through 192.168.1[.]255)
- Broadcast address: 192.168.1[.]255
- Domain controller: 192.168.1[.]6 (Sputnikhouse-DC)
- Domain: sputnikhouse[.]org
Shown above: Best I could do on a theme for this month's exercise.
YOUR TASK
Figure out which email attachment infected the computer at 192.168.1[.]95.
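One way to start the triage, as an added example that is not part of the exercise page: pull every attachment out of the .eml files with its SHA-256 and the message Date, parse the IDS alert list for the infected host, and rule out any attachment that was sent after the first alert fired (it cannot have caused it). The emails, fast.log lines, sender addresses, IP addresses, signature IDs and timestamps below are constructed for illustration and are not the exercise's real artifacts; the ordering the script produces is a starting point for the pcap review, not the answer.

```python
"""Triage helper: hash email attachments and line them up against IDS alerts.

Added example, not the exercise's own material. Every email, alert line,
address and timestamp here is constructed; the exercise's real files differ.
"""
import hashlib
import re
from datetime import datetime, timezone
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import format_datetime, parsedate_to_datetime

INFECTED_HOST = "192.168.1.95"

# Attachment types worth a closer look in an email-borne infection.
SUSPECT_SUFFIXES = (".doc", ".docm", ".xls", ".xlsm", ".js", ".vbs", ".zip",
                    ".rar", ".7z", ".iso", ".lnk", ".exe", ".scr")

# Suricata/Snort fast.log line:
# MM/DD/YYYY-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ... {PROTO} src:sport -> dst:dport
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def make_eml(date, sender, subject, filename, maintype, subtype, payload):
    """Build a minimal one-attachment message (used only to construct samples)."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = sender
    msg["To"] = "recipient@sputnikhouse.org"  # constructed recipient
    msg["Date"] = format_datetime(date)
    msg["Subject"] = subject
    msg.set_content("Please see the attached file.")
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


def extract_attachments(raw_eml):
    """One record per attachment: name, type, size, SHA-256 and the message Date in UTC."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_eml)
    sent = parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc)
    records = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        records.append({
            "subject": str(msg["Subject"]), "from": str(msg["From"]), "sent_utc": sent,
            "name": part.get_filename() or "(unnamed)",
            "content_type": part.get_content_type(),
            "size": len(data), "sha256": hashlib.sha256(data).hexdigest(),
        })
    return records


def parse_fast_log(lines, host=INFECTED_HOST):
    """Parse fast.log lines, keep alerts involving the host, oldest first.
    Assumption: the sensor logged in UTC (fast.log carries no zone); confirm against pcap frame times."""
    alerts = []
    for line in lines:
        m = FAST_LOG_RE.match(line.strip())
        if not m or host not in (m["src"], m["dst"]):
            continue
        ts = datetime.strptime(m["ts"], "%m/%d/%Y-%H:%M:%S.%f").replace(tzinfo=timezone.utc)
        alerts.append({"ts": ts, "sid": m["sid"], "msg": m["msg"],
                       "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])})
    return sorted(alerts, key=lambda a: a["ts"])


def rank_candidates(attachments, alerts):
    """Drop attachments sent after the first alert, then list suspicious types first,
    the one closest in time to the alert on top."""
    if not alerts:
        return list(attachments)
    first_alert = alerts[0]["ts"]
    plausible = [a for a in attachments if a["sent_utc"] <= first_alert]
    return sorted(plausible, key=lambda a: (not a["name"].lower().endswith(SUSPECT_SUFFIXES),
                                            first_alert - a["sent_utc"]))


def _t(hour, minute):
    return datetime(2018, 8, 12, hour, minute, tzinfo=timezone.utc)


SAMPLE_EMAILS = [  # constructed samples, not the exercise's three emails
    make_eml(_t(13, 5), "invoices@example.invalid", "Invoice 4471",
             "invoice_4471.doc", "application", "msword", b"\xd0\xcf\x11\xe0" + b"A" * 64),
    make_eml(_t(13, 40), "hr@example.invalid", "Updated holiday calendar",
             "calendar.pdf", "application", "pdf", b"%PDF-1.4 " + b"B" * 64),
    make_eml(_t(16, 20), "shipping@example.invalid", "Delivery notice",
             "tracking.js", "application", "javascript", b"var a='C';" + b"C" * 64),
]

SAMPLE_ALERTS = [  # constructed fast.log lines with local (9000000+) signature IDs
    "08/12/2018-14:02:11.482913  [**] [1:9000001:1] LOCAL Suspicious EXE download [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.95:49710 -> 203.0.113.10:80",
    "08/12/2018-14:02:19.001200  [**] [1:9000002:1] LOCAL Post-infection HTTP POST [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.95:49712 -> 198.51.100.7:443",
    "08/12/2018-14:10:00.000000  [**] [1:9000003:1] LOCAL Unrelated scan [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.20:51000 -> 192.168.1.6:445",
]


def triage(raw_emails=SAMPLE_EMAILS, alert_lines=SAMPLE_ALERTS):
    """Return (ranked candidate attachments, alerts for the host)."""
    attachments = [rec for eml in raw_emails for rec in extract_attachments(eml)]
    alerts = parse_fast_log(alert_lines)
    return rank_candidates(attachments, alerts), alerts


if __name__ == "__main__":
    ranked, alerts = triage()
    for a in alerts:
        print(f"{a['ts']:%H:%M:%S}  {a['src']} -> {a['dst']}:{a['dport']}  {a['msg']}")
    for c in ranked:
        print(f"{c['sent_utc']:%H:%M}  {c['name']:<20} {c['content_type']:<24} {c['sha256'][:16]}...")
```

With the constructed data the JavaScript attachment drops out because it was sent two hours after the first alert, and the Word document ranks above the PDF. In the real exercise the hashes from this step are what you then look for in the pcap (the file the host actually downloaded or the HTTP request the attachment's macro or script made), and the alert timestamps should be checked against the pcap's own frame times before trusting the ordering, since fast.log does not record a time zone.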
ANSWERS
- Click here for the answers.