PacketDetective Lab
Q1) The attacker’s activity showed extensive SMB protocol usage, indicating a potential pattern of significant data transfer or file access. Calculating the total bytes used by SMB can help estimate the extent of file activity. What is the total number of bytes used by the SMB protocol?
From Statistics > Protocol Hierarchy
Q2) Authentication through SMB was a critical step in gaining access to the targeted system. Identifying the username used for this authentication will help determine if a privileged account was compromised. Which username was utilized for authentication via SMB?
Q3) During the attack, the adversary accessed certain files. Identifying which files were accessed can reveal the attacker's intent. What is the name of the file that was opened by the attacker?
The command 0xA2 represents Trans2 requests that include NT Create AndX, often used for file access.
OR
From File > Export Objects > SMB
Q4) Clearing event logs is a common tactic to hide malicious actions and evade detection. Pinpointing the timestamp of this action is essential for building a timeline of the attacker’s behavior. What is the timestamp of the attempt to clear the event log? (24-hour UTC format)
In Windows systems, the ClearEventLogW function is invoked through an RPC operation with opnum 0. Try filtering for dcerpc.opnum == 0 in Wireshark to locate any log-clearing attempts.
Apply the filter dcerpc.opnum == 0 in Wireshark to identify the RPC call that clears event logs. Once located, examine the timestamp of this packet. To display it in UTC, go to View > Time Display Format > UTC Date and Time of Day or use the shortcut Ctrl+Alt+7.
Q5) The attacker used "named pipes" for communication, suggesting they may have utilized Remote Procedure Calls (RPC) for lateral movement across the network. RPC allows one program to request services from another remotely, which could grant the attacker unauthorized access or control. What is the name of the service that communicated using this named pipe?
In Windows, named pipes facilitate communication between applications, services, and system components. Each pipe has a unique path in the format \\.\PIPE\name, where name indicates the specific function or service it provides access to. This unique naming allows each pipe to serve a specific purpose, such as remote service management or file access.
To locate named pipes in network traffic, apply the filter frame contains 5c:00:50:00:49:00:50:00:45 in Wireshark, which isolates packets related to \PIPE.
In Wireshark, use Ctrl+F to search for PIPE in the packet content. This search will help you locate packets involving named pipes. Check the details in these packets to identify specific service names, such as svcctl for Service Control Manager or samr for Security Account Manager, which can reveal the service the attacker used.
Q6) Measuring the duration of suspicious communication can reveal how long the attacker maintained unauthorized access, providing insights into the scope and persistence of the attack. What was the duration of communication between the identified addresses 172.16.66.1 and 172.16.66.36?
Go to Statistics > Conversations
Q7) The attacker used a non-standard username to set up requests, indicating an attempt to maintain covert access. Identifying this username is essential for understanding how persistence was established. Which username was used to set up these potentially suspicious requests?
Q8) The attacker leveraged a specific executable file to execute processes remotely on the compromised system. Recognizing this file name can assist in pinpointing the tools used in the attack. What is the name of the executable file utilized to execute processes remotely?