Hack The Box – Sherlock – Litter

Task 1

At a glance, what protocol seems to be suspect in this attack?

We have about 61000 packets in this PCAP so counting or scrolling through manually would be tedious. I pulled up the Protocol Hierarchy Statistics to see a quick breakdown of the packets.

Here we can see that about 20% of the packets are DNS, which is far more than a normal workstation would generate.

I then looked at the DNS Query-Response Statistics.

Here we can see that almost all of the query traffic is coming from 192.168.157.144 (the IP of the host we are investigating) and two packets are coming from 192.168.157.145. The responses are coming from .145 and .2.

This may be helpful later.

***

Task 2

There seems to be a lot of traffic between our host and another, what is the IP address of the suspect host?

We accidentally answered this above: .145 (192.168.157.145).

Task 3

What is the first command the attacker sends to the client?

Looking at the DNS traffic, we can see a lot of hex-encoded data in the UDP stream.

After decoding the hex, we can make out some commands.

I tried cleaning this up with some regex but was worried I would miss important info so I undid that.

Here we can see some commands, the first of which appears to be whoami.

Task 4

What is the version of the DNS tunneling tool the attacker is using?

I had to do some research here to learn more about DNS tunneling and the popular tools:

https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild/

https://github.com/iagox86/dnscat2

After that I looked through the commands and saw dnscat2 v0.07.

Task 5

The attacker attempts to rename the tool they accidentally left on the client's host. What do they name it to?

This took me way too long until I realized my UDP stream was not giving me all the data I needed.

I added the Stream index as a column and then pulled up each stream one by one.

I found the answer in stream 481.

At first I thought it was win_install.exe and then I later found win_installer.exe

Win_installer.exe
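The hex decoding in Task 3 and the stream-by-stream hunting in Task 5 both get easier if you decode the tunnel packets yourself and regroup them by dnscat2 session and sequence number rather than by Wireshark's UDP stream index. The Python below is an added example, not part of this write-up or of the dnscat2 project; it assumes the dnscat2 header layout as I read it from the project's protocol documentation (2-byte packet id, 1-byte type, 2-byte session id, then 2-byte seq and 2-byte ack for MSG packets, hex-encoded into the query labels), and the tunnel domain and sample query names are constructed because the real capture's names are not on the page.

```python
import re
from collections import defaultdict

TUNNEL_DOMAIN = "c2.example"  # assumed tunnel domain for the constructed sample
MSG_TYPE = 0x01               # dnscat2 message type for MSG (data) packets
HEX_LABEL = re.compile(r"^[0-9a-fA-F]{1,63}$")  # hex labels, max DNS label length

def build_query(packet_id, session_id, seq, ack, data):
    """Constructed dnscat2-style query name (used only to produce sample data)."""
    raw = (packet_id.to_bytes(2, "big") + bytes([MSG_TYPE]) + session_id.to_bytes(2, "big")
           + seq.to_bytes(2, "big") + ack.to_bytes(2, "big") + data)
    hexs = raw.hex()
    return ".".join(hexs[i:i + 63] for i in range(0, len(hexs), 63)) + "." + TUNNEL_DOMAIN

def extract_payload(qname):
    """Strip the tunnel domain and hex-decode the labels; None for non-tunnel names."""
    suffix = "." + TUNNEL_DOMAIN
    if not qname.endswith(suffix):
        return None
    labels = qname[:-len(suffix)].split(".")
    if not all(HEX_LABEL.match(lbl) for lbl in labels):
        return None
    hexs = "".join(labels)
    return bytes.fromhex(hexs) if len(hexs) % 2 == 0 else None

def parse_msg(raw):
    """Header fields of a decoded packet; None unless it is a MSG packet."""
    if raw is None or len(raw) < 9 or raw[2] != MSG_TYPE:
        return None
    return {"packet_id": int.from_bytes(raw[0:2], "big"), "session": int.from_bytes(raw[3:5], "big"),
            "seq": int.from_bytes(raw[5:7], "big"), "ack": int.from_bytes(raw[7:9], "big"),
            "data": raw[9:]}

def reassemble(qnames):
    """Group MSG data by session and order by seq, independent of Wireshark's UDP stream index."""
    chunks = defaultdict(dict)
    for q in qnames:
        msg = parse_msg(extract_payload(q))
        if msg and msg["data"]:
            chunks[msg["session"]][msg["seq"]] = msg["data"]
    return {sid: b"".join(c[s] for s in sorted(c)) for sid, c in chunks.items()}

# Constructed sample: chunks of one session out of order, an empty keep-alive, a normal query.
SAMPLE_QUERIES = [
    build_query(0x0a01, 0x1234, 0x0000, 0x0000, b""),
    build_query(0x0a03, 0x1234, 0x0007, 0x0000, b"dir C:\\Users\\test\\Documents\n"),
    "www.example.com",
    build_query(0x0a02, 0x1234, 0x0000, 0x0000, b"whoami\n"),
]
```

Only the query direction is decoded here; on a real capture, feed reassemble() the names exported with `tshark -r capture.pcap -Y dns -T fields -e dns.qry.name` and it returns one byte string per session in seq order (for the sample, session 0x1234 yields whoami followed by the dir command).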

Task 6

The attacker attempts to enumerate the user's cloud storage. How many files do they locate in their cloud storage directory?

In stream 481, we can see the attacker enumerating a OneDrive folder, but the listing comes back with no results.

Task 7

What is the full location of the PII file that was stolen?

Digging through stream 481 some more, we see the file user details.csv, as well as what look like table headers for location, blood group, website, username, etc. This looks like PII to me.

C:\Users\test\Documents\client data optimisation\user details.csv

Task 8

Exactly how many customer PII records were stolen?

Looking at the data under the CSV we found earlier, we can see a field that looks to be the line number or user number. This is sequential, so I scrolled down to the bottom of the pattern and it stops at 720. However, the count starts at 0, giving us a total of 721.

It's important to note that the only reason we can see this data at all is that the attacker printed the file during their session (type "C:\Users\test\Documents\client data optimisation\user details.csv"), so its contents went out over the DNS tunnel and were captured in the PCAP.
