In September 2020, your SOC detected suspicious activity from a user device, flagged by unusual SMB protocol usage. Initial analysis indicates a possible compromise of a privileged account and remote access tool usage by an attacker.
Your task is to examine network traffic in the provided PCAP files to identify key indicators of compromise (IOCs) and gain insights into the attacker’s methods, persistence tactics, and goals. Construct a timeline to better understand the progression of the attack by addressing the following questions.
Category: Network Forensic || Level: EASY || Tools: Wireshark
In this challenge, three pcapng files are provided for analysis.
Q1: The attacker’s activity showed extensive SMB protocol usage, indicating a potential pattern of significant data transfer or file access. What is the total number of bytes of the SMB protocol?
To answer this, open Protocol Hierarchy under the Statistics tab and read the total bytes for the SMB protocol. The total is 4406 bytes.
Q2: Authentication through SMB was a critical step in gaining access to the targeted system. Identifying the username used for this authentication will help determine if a privileged account was compromised. Which username was utilized for authentication via SMB?
In frame 5, the username used for authentication is Administrator.
Q3: During the attack, the adversary accessed certain files. Identifying which files were accessed can reveal the attacker's intent. What is the name of the file that was opened by the attacker?
In frame 9, the file accessed by the attacker is eventlog. Using File -> Export Objects -> SMB confirms that this is the correct file name.
Q4: Clearing event logs is a common tactic to hide malicious actions and evade detection. Pinpointing the timestamp of this action is essential for building a timeline of the attacker’s behavior. What is the timestamp of the attempt to clear the event log? (24-hour UTC format)
To answer this, switch the time display to UTC so the timestamps are easy to read: View -> Time Display Format -> UTC Date and Time of Day. Look at the DCERPC (Distributed Computing Environment / Remote Procedure Calls) traffic in frame 11, at 2020-09-23 16:50:16.
Q5: The attacker used "named pipes" for communication, suggesting they may have utilized Remote Procedure Calls (RPC) for lateral movement across the network. RPC allows one program to request services from another remotely, which could grant the attacker unauthorized access or control. What is the name of the service that communicated using this named pipe?
To answer this, I used CTRL+F to search for the string "PIPE" in the Packet Details of each frame. The service that communicated over the named pipe is atsvc.
Q6: Measuring the duration of suspicious communication can reveal how long the attacker maintained unauthorized access, providing insights into the scope and persistence of the attack. What was the duration of communication between the identified addresses 172.16.66.1 and 172.16.66.36?
The duration of the traffic between these two IPs can be found under Statistics -> Conversations, where the Duration column shows 11.7247 (seconds).
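As an added example (not part of the original writeup), the following Python reproduces the two numeric steps above, the Protocol Hierarchy byte total for SMB (Q1) and the Conversations duration (Q6), directly from a capture without Wireshark, using a constructed sample pcap. It assumes classic little-endian .pcap input and SMB carried on TCP/445; Wireshark's Protocol Hierarchy row remains the authoritative figure for the challenge answer.

```python
import struct
from typing import Iterator, NamedTuple
# ts is epoch seconds (pcap records are UTC); caplen is the captured frame length
Pkt = NamedTuple("Pkt", [("ts", float), ("src", str), ("dst", str),
                         ("sport", int), ("dport", int), ("caplen", int)])

def read_pcap(data: bytes) -> Iterator[Pkt]:
    """Yield one Pkt per Ethernet/IPv4/TCP record of a little-endian microsecond libpcap file."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only classic little-endian .pcap is handled (convert pcapng with editcap)")
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", data, off)
        frame, off = data[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                           # skip anything that is not IPv4 over Ethernet carrying TCP
        ihl = (frame[14] & 0x0F) * 4           # IPv4 header length in bytes
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        yield Pkt(sec + usec / 1e6, ".".join(map(str, frame[26:30])),
                  ".".join(map(str, frame[30:34])), sport, dport, caplen)

def smb_bytes(pkts) -> int:
    """Q1-style total: captured bytes of all frames on TCP/445 (SMB over direct TCP)."""
    return sum(p.caplen for p in pkts if 445 in (p.sport, p.dport))

def conversation_duration(pkts, a: str, b: str) -> float:
    """Q6-style duration: first-to-last packet time between two hosts (Conversations 'Duration')."""
    ts = [p.ts for p in pkts if {p.src, p.dst} == {a, b}]
    return max(ts) - min(ts) if ts else 0.0
# --- constructed sample capture; not the challenge's pcapng data ---
def _frame(src, dst, sport, dport, payload):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload   # Ethernet + IPv4 + TCP + payload

def _pcap(records):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for ts, fr in records:
        out += struct.pack("<IIII", int(ts), round((ts % 1) * 1e6), len(fr), len(fr)) + fr
    return out

T0 = 1600879800.0  # constructed base time (2020-09-23 16:50:00 UTC)
SAMPLE_PCAP = _pcap([
    (T0,        _frame("172.16.66.1", "172.16.66.36", 49700, 445, b"\xfeSMB" + b"\x00" * 4)),
    (T0 + 4.25, _frame("172.16.66.1", "172.16.66.36", 49701, 80, b"GET / HTTP/1.1\r\n")),
    (T0 + 12.5, _frame("172.16.66.36", "172.16.66.1", 445, 49700, b"\xfeSMB" + b"\x00" * 4)),
    (T0 + 20.0, _frame("10.0.0.5", "172.16.66.36", 50000, 445, b"\xfeSMB" + b"\x00" * 8)),
])
```

On the constructed capture, `smb_bytes` counts the three TCP/445 frames (62 + 62 + 66 = 190 bytes) and ignores the HTTP frame, while `conversation_duration` for 172.16.66.1 and 172.16.66.36 spans the first to last packet between those two hosts (12.5 s), excluding the third host's traffic.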
Q7: The attacker used a non-standard username to set up requests, indicating an attempt to maintain covert access. Identifying this username is essential for understanding how persistence was established. Which username was used to set up these potentially suspicious requests?
In frame 5, the suspicious-looking username is backkdoor.
Q8: The attacker leveraged a specific executable file to execute processes remotely on the compromised system. Recognizing this file name can assist in pinpointing the tools used in the attack. What is the name of the executable file utilized to execute processes remotely?
This can be found with Follow TCP Stream, which shows that the executable used to run processes remotely is PSEXESVC.exe.