2019-02-23 - TRAFFIC ANALYSIS EXERCISE - STORMTHEORY

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• Zip archive of the pcap:  2019-02-23-traffic-analysis-exercise.pcap.zip   15.5 MB (15,535,297 bytes)

• 2019-02-23-traffic-analysis-exercise.pcap   (19,746,995 bytes)

• Zip archive of the alerts:  2019-02-23-traffic-analysis-exercise-alerts.zip   539 kB (538,871 bytes)

• 2019-02-23-traffic-analysis-exercise-alerts.jpg   (649,974 bytes)
• 2019-02-23-traffic-analysis-exercise-alerts.txt   (7,906 bytes)

 

Shown above:  A meme for this month's traffic analysis exercise.

 

SCENARIO

LAN segment data:

• LAN segment range:  10.2.23[.]0/24 (10.2.23[.]0 through 10.2.23[.]255)
• Domain:  stormtheory[.]info
• Domain controller:  10.2.23[.]2 - Stormtheory-DC
• LAN segment gateway:  10.2.23[.]1
• LAN segment broadcast address:  10.2.23[.]255

 

YOUR TASK

Answer the following questions:

• What is the IP address of the infected Windows host?
• What is the MAC address of the infected Windows host?
• What is the host name of the infected Windows host?
• What is the Windows user account name for the infected Windows host?
• What are the six URLs that returned Windows executable files to the infected Windows host?
• What are the SHA256 hashes of the six Windows executable files sent to the infected Windows host?
• Based on the IDS alerts, what type of infection (or infections) is this?

 

ANSWERS

• Click here for the answers.

 

Click here to return to the main page.