Resources: http://drive.google.com/open?id=1u0AnYC-eg0BCa1bQ4VXKl1wrsk5JQYG4
Files:
Scenario
A fellow analyst believes that an attacker briefly authenticated to your company WiFi network and might have compromised some machines. Your colleague collected network traffic and ran two Splunk queries that might be helpful in your investigation. Attached are resources provided by the analyst for your evaluation.
Use the evidence files to answer the following questions. For each answer, include references to supporting evidence (be detailed!).
Document the steps you took to determine the information (e.g. which Wireshark searches you ran, which display filters you used, and which packet numbers contained the information).
Grading
Questions may be graded on both the answer and the supporting evidence. Some questions are subjective and can have more than one answer; include reasoning for full credit.
Answer each question in this file, where directed.
[Example:]
42. (0 points) What are the MAC and IP addresses for the host 'DESKTOP-UT31QVI'?
Answer:
MAC = '5C:26:0A:5B:C3:7B'
IP = 10.24.0.8
This was found by viewing 'router_log.png' and referencing the first entry, whose Device Name matches the given hostname.
Scenario Questions (85 minutes)
Read every question before answering. Some questions may be easier to answer out of order. Each section has a suggested time to answer the questions.
Identify (suggested: 10 minutes)
Use the router logs and the Statistics > IPv4 Statistics > Destinations and Ports view in Wireshark to answer the question. The same information is found in dst-and-ports.txt.
1. (3.5 points) Who are the actors on this network, and what services might be running?
For each machine, fill out an entry in the table below. You may use fewer rows or add more rows as necessary. The first row is an example.
Listening/open ports are under 10000 (ten thousand).
ID | IPv4       | MAC               | Open Ports | Running Services
---|------------|-------------------|------------|---------------------------
42 | 10.42.0.8  | 5c:26:0a:5b:c3:7b | 8080, 25   | python website, mailserver   (example row)
1  | 10.42.0.33 | B6:0E:AD:8A:58:36 | 53, 22     | DNS, SSH
2  | 10.42.0.41 | 38:63:9A:6D:5C:00 | 22         | SSH
3  | 10.42.0.91 | B6:3F:B5:43:C1:0F | 80         | HTTP
4  | 10.42.0.77 | 7E:4F:5D:06:17:8B | 22         | SSH
5  |            |                   |            |
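As an added illustration for the Identify step (this is not one of the analyst's files and not the official answer), the script below shows one way to build the table from network.pcap instead of from the Wireshark view. It assumes the pcap was exported with the tshark field list given in the docstring, treats a port as open when the host answers from it with SYN/ACK, and also flags any source that sends SYNs to many distinct ports on one target, which is the kind of sweep the recon question in the Detect section asks about. The sample export embedded in the script is constructed for illustration; it is not the contents of dst-and-ports.txt. MAC addresses are not in this export, so they still come from the router log (or from adding -e eth.src to the tshark command).

```python
"""Build an Identify table and flag TCP port sweeps from a tshark field export.

Added example for this exercise; not part of the analyst's evidence files.
Assumed export command (real tshark options):

    tshark -r network.pcap -Y tcp -T fields -E separator=, \
        -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport \
        -e tcp.flags.syn -e tcp.flags.ack
"""
from collections import defaultdict

# Well-known ports worth naming in the table; anything else is reported by number.
KNOWN_SERVICES = {22: "SSH", 25: "SMTP", 53: "DNS", 80: "HTTP",
                  443: "HTTPS", 8080: "HTTP (alt, e.g. python web server)"}


def _flag(s):
    # tshark prints boolean fields as 1/0 or True/False depending on version.
    return s.strip().lower() in ("1", "true")


def parse_export(text):
    """Turn the comma-separated tshark output into (src, dst, sport, dport, syn, ack) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, sport, dport, syn, ack = line.split(",")
        records.append((src, dst, int(sport), int(dport), _flag(syn), _flag(ack)))
    return records


def open_ports(records, max_port=10000):
    """A port is open on a host if that host sent SYN/ACK from it (below max_port)."""
    ports = defaultdict(set)
    for src, dst, sport, dport, syn, ack in records:
        if syn and ack and sport < max_port:
            ports[src].add(sport)
    return dict(ports)


def identify_table(records, max_port=10000):
    """One row per host that answered on at least one port, like the table above."""
    rows = []
    for ip, ports in sorted(open_ports(records, max_port).items()):
        rows.append({"ip": ip,
                     "open_ports": sorted(ports),
                     "services": [KNOWN_SERVICES.get(p, f"unknown/{p}") for p in sorted(ports)]})
    return rows


def find_port_sweeps(records, min_ports=20):
    """Flag (scanner, target, n) where one source SYN-probed n >= min_ports distinct ports."""
    probed = defaultdict(set)
    for src, dst, sport, dport, syn, ack in records:
        if syn and not ack:          # bare SYN = connection attempt
            probed[(src, dst)].add(dport)
    return sorted((s, d, len(p)) for (s, d), p in probed.items() if len(p) >= min_ports)


def build_sample_export():
    """Constructed sample data (NOT the real capture): two normal sessions plus a SYN sweep."""
    lines = [
        "10.42.0.77,10.42.0.33,51000,53,1,0",   # DNS over TCP to .33 ...
        "10.42.0.33,10.42.0.77,53,51000,1,1",   # ... answered from port 53
        "10.42.0.91,10.42.0.41,52000,22,1,0",   # SSH to .41 ...
        "10.42.0.41,10.42.0.91,22,52000,1,1",   # ... answered from port 22
    ]
    # .91 sweeps ports 1..40 on .41; only 22 replies SYN/ACK, the rest RST/ACK (syn=0, ack=1)
    for p in range(1, 41):
        lines.append(f"10.42.0.91,10.42.0.41,{40000 + p},{p},1,0")
        lines.append(f"10.42.0.41,10.42.0.91,{p},{40000 + p},{1 if p == 22 else 0},1")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_export(build_sample_export())
    for row in identify_table(recs):
        print(row["ip"], row["open_ports"], row["services"])
    for scanner, target, n in find_port_sweeps(recs):
        print(f"sweep: {scanner} probed {n} ports on {target}")
```

On the real capture, replace build_sample_export() with the file written by the tshark command in the docstring; the sweep threshold is a judgement call and should be cross-checked against packet numbers in Wireshark before being cited as evidence.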
Detect (suggested: 60 minutes)
2. (5 points) Which machines are likely the attacker and victim? Why?
Answer:
3. (5.5 points) What recon activity does the attacker perform on this network? What port or machine (choose one) is the single target of this recon? Reference a range of packet numbers.
Answer:
4. (5.75 points) What attack was carried out following the recon activities? Cite packets that show this attack, as well as evidence from one of the Splunk query logs that supports your conclusions.
Answer:
5. (5 points) Once the attacker gained access to the victim's machine, what executable did they first use to run commands on the host? Cite evidence from 'splunk-exec.csv'.
Answer:
6. (5 points) How did the attacker establish persistence on the machine? Either list the built-in command used or the binary that the attacker supplied (or both). Cite evidence from 'splunk-exec.csv' and/or 'network.pcap'.
Answer:
Respond (suggested: 5 minutes)
7. (1.75 points) What containment strategy (segment, isolate, remove) would you use to respond to this attack? Why?
Answer:
Recover (suggested: 5 minutes)
8. (1.75 points) Why should you fully reinstall Windows on the victim machine?
Answer:
Protect (suggested: 5 minutes)
9. (1.75 points) What is one defensive tool/measure that could prevent this attack? Explain how that tool/measure would have stopped this attack and specifically where in the attacker's steps it would work (cite packet numbers or evidence if necessary).
Answer: