Scenario
As a SOC analyst, explore a collection of Wireshark pcap files that delve into various attack tactics, including evasion and lateral movement. Analyze network traffic captured within these pcaps to uncover valuable insights and detect potential command and control (C&C) activities.
Q1: What is the amount of bandwidth being used by the SMB protocol in bytes?
A: 4406
Q2: Which username was utilized for authentication via SMB?
A: Administrator
Q3: What is the name of the file that was opened?
A: eventlog
Q4: What is the timestamp of the attempt to clear the event log? (24H-UTC)
A: 2020-09-23 16:50:16
Q5: An attacker used a method called a “named pipe” for communication. Named pipes are used in Remote Procedure Calls (RPC), which allow one program to request services from another on the network. What is the name of the service that communicated using this named pipe?
A: atsvc
Q6: What was the duration of communication between 172.16.66.1 and 172.16.66.36?
A: 11.7247
Q7: Which username is used to set up requests that may be considered suspicious?
A: backdoor
Q8: What is the name of the executable file utilized to execute processes remotely?
A: psexesvc.exe