2024-11-26 - TRAFFIC ANALYSIS EXERCISE: NEMOTODES
ASSOCIATED FILES:
- Zip archive of the pcap: 2024-11-26-traffic-analysis-exercise.pcap.zip 19.7 MB (19,664,067 bytes)
- Zip archive of the alerts: 2024-11-26-traffic-analysis-exercise-alerts.zip 297.5 kB (297,496 bytes)
NOTES:
- Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website.
BACKGROUND
You work as an analyst at a Security Operations Center (SOC) for a medical research facility specializing in nemotodes. Alerts on traffic in your network indicate someone has been infected. You don't know which is more disgusting, the nemotodes or the malware.
Shown above: A test subject at the nemotode research facility.
LAN segment details:
- LAN segment range: 10.11.26[.]0/24 (10.11.26[.]0 through 10.11.26[.]255)
- Domain: nemotodes[.]health
- Active Directory (AD) domain controller: 10.11.26[.]3 - NEMOTODES-DC
- AD environment name: NEMOTODES
- LAN segment gateway: 10.11.26[.]1
- LAN segment broadcast address: 10.11.26[.]255
TASK
- Write an incident report based on malicious network activity from the pcap and from the alerts.
- The incident report should contain 3 sections:
  - Executive Summary: State in simple, direct terms what happened (when, who, what).
  - Victim Details: Details of the victim (hostname, IP address, MAC address, Windows user account name).
  - Indicators of Compromise (IOCs): IP addresses, domains and URLs associated with the activity. SHA256 hashes if any malware binaries can be extracted from the pcap.
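As an added example (not part of the exercise or this site's own material), a stdlib-only Python parser that pulls the Victim Details fields the task asks for (IP address, MAC address, DHCP host name) and the external IPs each LAN host contacted out of a pcap, using the LAN segment details above to skip the gateway, DC and broadcast address. It assumes a classic little-endian Ethernet pcap (not pcapng); the sample capture, MAC address, host name DESKTOP and address 203.0.113.7 are constructed so it runs offline.

```python
import struct
import ipaddress
LAN = ipaddress.ip_network("10.11.26.0/24")
INFRA = {"10.11.26.1", "10.11.26.3", "10.11.26.255"}  # gateway, DC and broadcast from the LAN details
DHCP_COOKIE = b"\x63\x82\x53\x63"

def frames(pcap):
    """Yield (src_mac, src_ip, dst_ip, ip_proto, l4_bytes) per IPv4 frame of a classic Ethernet pcap."""
    off = 24  # skip the global header; each record has a 16-byte header with the captured length at +8
    while off + 16 <= len(pcap):
        incl = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        f, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(f) >= 34 and f[12:14] == b"\x08\x00":  # EtherType IPv4
            yield (":".join(f"{b:02x}" for b in f[6:12]), str(ipaddress.ip_address(f[26:30])),
                   str(ipaddress.ip_address(f[30:34])), f[23], f[14 + (f[14] & 0x0F) * 4:])
def dhcp_hostname(udp):
    """Return DHCP option 12 (client host name) from a UDP datagram, or None if it is not DHCP."""
    if len(udp) < 248 or udp[244:248] != DHCP_COOKIE:  # 8-byte UDP header + 236-byte BOOTP fixed part
        return None
    o, i = udp[248:], 0
    while i + 1 < len(o) and o[i] != 255:  # 255 ends the options; 0 is a pad byte with no length
        if o[i] == 12:
            return o[i + 2:i + 2 + o[i + 1]].decode(errors="replace")
        i += 1 if o[i] == 0 else 2 + o[i + 1]
    return None
def victim_candidates(pcap):
    """Map each non-infrastructure LAN host to its MAC, DHCP host name and the external IPs it contacted."""
    hosts = {}
    for src_mac, src, dst, proto, l4 in frames(pcap):
        if ipaddress.ip_address(src) in LAN and src not in INFRA:
            h = hosts.setdefault(src, {"mac": src_mac, "hostname": None, "external": set()})
            if ipaddress.ip_address(dst) not in LAN:
                h["external"].add(dst)
            if proto == 17 and (name := dhcp_hostname(l4)):
                h["hostname"] = name
    return hosts
def eth_ip_udp(src_mac, src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/UDP frame (checksums left zero; the parser never verifies them)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    return b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00" + ip + udp

# Constructed sample pcap: a workstation's DHCP request with its host name, its packet to an outside address, and a packet from the DC (not the victim).
DHCP_REQ = b"\x01" + bytes(235) + DHCP_COOKIE + bytes([53, 1, 3, 12, 7]) + b"DESKTOP" + b"\xff"
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in [
        eth_ip_udp("00:11:22:33:44:55", "10.11.26.100", "10.11.26.255", 68, 67, DHCP_REQ),
        eth_ip_udp("00:11:22:33:44:55", "10.11.26.100", "203.0.113.7", 49152, 443, b"beacon"),
        eth_ip_udp("00:aa:bb:cc:dd:03", "10.11.26.3", "10.11.26.100", 53, 53000, b"")])
```

Run it on the exercise capture with `victim_candidates(open(path_to_pcap, "rb").read())`; the Windows user account name is not carried in DHCP, so that field still has to come from Kerberos or SMB traffic in the pcap.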
ANSWERS
- Click here for the answers.