PCAP file & Windows event logs investigation
Let's dive straight into this suspicious file investigation challenge and answer its questions.
A suspicious pcap file was provided to investigate malicious network traffic. Anyone who doesn't have Wireshark can use this free online pcap file analyzer for the investigation (although having Wireshark is best!) – https://apackets.com.
Below is the Wireshark terminal found inside the Tolkien Ring cave, which I also used to analyse the suspicious.pcap file and answer the questions for this challenge.
Q 1. There are objects in the pcap file that can be exported by the wireshark and/or tshark. What type of objects can be exported from this pcap?
Ans. HTTP – one of the object types (protocols) that can be exported from this pcap is HTTP.
Q 2. What is the file name of the largest file we can export?
Ans. app.php – this was the largest file found in the HTTP communication.
Q 3. What packet number starts the app.php?
Ans. 687 – the server at IP 192.185.57.242 responded with 'HTTP/1.1 200 OK' in this packet; this is where app.php starts.
mv 'pcap challenge.pcap' pcap.pcap
tshark -r pcap.pcap | grep -w "(text/html)"
Q 4. What is the IP of the Apache Server?
Ans. 192.185.57.242 – we can see below that this IP is sending the HTTP 200 OK response to 10.9.24.101.
Q 5. What file is saved to the infected host?
Ans. Ref_Sept24-2020.zip – looking at one of the HTTP files, I noticed an incomplete script message (missing </script> tag). Upon downloading this HTTP file, it was saved as a zip file in my folder named 'Ref_Sept24-2020'.
Q 6. Attackers used bad TLS certificates in this traffic. Which countries were they registered to? Submit the names of the countries in alphabetical order separated by commas (Ex: Norway, South Korea).
Ans. Ireland, Israel, South Sudan, United States – here we looked for the bad certificate(s) with the command below.
tshark -nr 'pcap challenge.pcap' -2 -R "ssl.handshake.certificate" -V | less
Q 7. Is the Host Infected?
Ans. Yes
Solve the mystery around the given PowerShell event logs and answer some questions. This challenge was solved using the Windows Event Viewer app.
Q 1. What Month/Day/Year did the attack take place?
Ans. 12/24/2022 – this date has the highest volume of activity in the logs, which made it look suspicious.
Q 2. An attacker got a secret from a file. What was the original file's name?
Ans. Recipe.txt – this was the original file found when tracing the activity back in Event Viewer.
Q 3. The contents of the previous file were retrieved, changed and stored to a variable by the attacker. This was done multiple times. Submit the last full PowerShell line that performed only these actions.
Ans. $foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'}
Q 4. After storing the altered file contents into the variable, the attacker used the variable to run a separate command that wrote the modified data to a file. This was done multiple times. Submit the last full PowerShell line that performed only this action.
Ans. $foo | Add-Content -Path 'Recipe'
Q 5. The attacker ran the previous command against one file multiple times. What is the name of the file?
Ans. Recipe.txt
Q 6. Were any files deleted?
Ans. Yes – two files were found to have been deleted: Recipe.txt and recipe_updated.txt.
Q 7. Was the original file (from question 2) deleted?
Ans. No – the original file is Recipe (without the extension), and the one we saw deleted was recipe.txt; hence the original file was never deleted.
Q 8. What is the event ID of the logs that shows the actual command lines the attacker typed and ran?
Ans. 4104 – looking at these two logs, event ID 40962 shows the attacker starting the PowerShell console, and event ID 4104 shows the command the attacker executed.
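The same triage can be scripted against an exported copy of the PowerShell Operational log rather than clicked through in Event Viewer. The following is an added example, not part of the original writeup: it parses the XML export (as produced by Event Viewer's "Save Events As" or wevtutil qe /f:xml, wrapped here in a single root element), keeps only event ID 4104 script blocks, and reports the last line matching each of the behaviours the questions above ask about. The sample events and timestamps are constructed; only the script lines come from the writeup, plus a Remove-Item line to illustrate the deletion check.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample (timestamps invented) in the XML shape Event Viewer's
# "Save Events As" / wevtutil qe /f:xml produces, wrapped in a root element.
SAMPLE_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>40962</EventID><TimeCreated SystemTime="2022-12-24T10:00:00Z"/></System>
<EventData><Data Name="param1">PowerShell console is ready for user input</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4104</EventID><TimeCreated SystemTime="2022-12-24T10:01:00Z"/></System>
<EventData><Data Name="ScriptBlockText">$foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'}</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4104</EventID><TimeCreated SystemTime="2022-12-24T10:02:00Z"/></System>
<EventData><Data Name="ScriptBlockText">$foo | Add-Content -Path 'Recipe'</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4104</EventID><TimeCreated SystemTime="2022-12-24T10:03:00Z"/></System>
<EventData><Data Name="ScriptBlockText">Remove-Item .\recipe_updated.txt</Data></EventData></Event>
</Events>"""

# Behaviours asked about in the challenge: read+modify into a variable,
# write the variable out, delete a file.
PATTERNS = {
    "read+modify": re.compile(r"Get-Content\b.*-replace\b"),
    "write": re.compile(r"^\$\w+\s*\|\s*(Add|Set)-Content\b"),
    "delete": re.compile(r"\bRemove-Item\b"),
}

def script_blocks(xml_text):
    """Return (SystemTime, ScriptBlockText) for every 4104 event, oldest first."""
    out = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4104":
            continue  # 40962 (console ready) etc. carry no command text
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        for d in ev.findall("e:EventData/e:Data", NS):
            if d.get("Name") == "ScriptBlockText" and d.text:
                out.append((when, d.text.strip()))
    return sorted(out)

def classify(xml_text):
    """Map each behaviour label to the last 4104 script block matching it (or None)."""
    last = dict.fromkeys(PATTERNS)
    for _, text in script_blocks(xml_text):
        for label, pat in PATTERNS.items():
            if pat.search(text):
                last[label] = text
    return last
```

Running classify() over a real export answers questions 3, 4 and 6 directly; any block that matches none of the patterns is still worth reading by hand, since 4104 captures every script block, not just those.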
Q 9. Is the secret ingredient compromised?
Ans. Yes – honey was replaced with fish oil.
Q 10. What is the secret ingredient?
Ans. Honey.
That’s all Folks! Thanks for reading.