TShark Challenge I: Teamwork

Introduction

This room presents you with a challenge to investigate some traffic data as a part of the SOC team. Let's start working with TShark to analyse the captured traffic. We recommend completing the TShark: The Basics and TShark: CLI Wireshark Features rooms first, which will teach you how to use the tool in depth.

Start the VM by pressing the green Start Machine button attached to this task. The machine will start in split view, so you don't need SSH or RDP. In case the machine does not appear, you can click the blue Show Split View button located at the top of this room.

NOTE: Exercise files contain real examples. DO NOT interact with them outside of the given VM. Direct interaction with samples and their contents (files, domains, and IP addresses) outside the given VM can pose security threats to your machine.

Case: Teamwork!

An alert has been triggered: "The threat research team discovered a suspicious domain that could be a potential threat to the organisation."

The case was assigned to you. Inspect the provided teamwork.pcap located in ~/Desktop/exercise-files and create artefacts for detection tooling.

Your tools: TShark, VirusTotal.

Investigate the contacted domains using VirusTotal. According to VirusTotal, one of the domains is marked as malicious/suspicious.

Q & A

1) What is the full URL of the malicious/suspicious domain address?

tshark -r teamwork.pcap -T fields -e dns.qry.name | awk NF | sort | uniq -c | sort -nr

Answer: hxxp[://]www[.]paypal[.]com4uswebappsresetaccountrecovery[.]timeseaways[.]com/

2) When was the URL of the malicious/suspicious domain address first submitted to VirusTotal?

Answer: 2017-04-17 22:52:53 UTC

3) Which known service was the domain trying to impersonate?

Answer: PayPal

4) What is the IP address of the malicious domain?

tshark -r teamwork.pcap -T fields -e dns.qry.name -e dns.a | sort -u

Answer: 184[.]154[.]127[.]226

5) What is the email address that was used?

tshark -r teamwork.pcap -Y 'http.request.method == "POST"' -T fields -e http.host -e http.request.uri -e urlencoded-form.key -e urlencoded-form.value

Answer: johnny5alive[at]gmail[.]com
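To turn the DNS fields pulled out by the commands above into artefacts for detection tooling, here is an added Python example (not part of the room or of TShark itself): it parses constructed tshark "-T fields -e dns.qry.name -e dns.a" output, flags any hostname that carries a known brand name under a different registrable domain (the PayPal lookalike pattern in this case), and defangs the results for sharing. The LEGIT_DOMAINS table and the benign sample addresses are assumptions; the two-label registrable-domain rule is a simplification.

```python
from collections import defaultdict

# Brand -> registrable domains allowed to carry that name (assumed list).
LEGIT_DOMAINS = {"paypal": {"paypal.com"}}

# Constructed sample of `tshark -T fields -e dns.qry.name -e dns.a` output:
# tab-separated, one packet per line; query packets have an empty A field.
SAMPLE = (
    "www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com\t\n"
    "www.paypal.com4uswebappsresetaccountrecovery.timeseaways.com\t184.154.127.226\n"
    "www.paypal.com\t192.0.2.10\n"
    "example.org\t192.0.2.20\n"
)

def parse_dns_fields(text):
    """Map each queried name to the set of A records seen for it."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        name, _, addrs = line.partition("\t")
        if name:
            # tshark joins repeated fields with commas; empty field = query only.
            hosts[name].update(a for a in addrs.split(",") if a)
    return hosts

def registrable_domain(host):
    """Last two labels (simplification: no public-suffix handling for co.uk etc.)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def impersonated_brand(host):
    """Brand name present in the hostname but not under its legitimate domain."""
    reg = registrable_domain(host)
    for brand, legit in LEGIT_DOMAINS.items():
        if brand in host.lower() and reg not in legit:
            return brand
    return None

def defang(value):
    """Make a domain or IP safe to paste into tickets and IOC lists."""
    return value.replace(".", "[.]")

def build_artefacts(text):
    """Flagged hosts with their resolved IPs, defanged for sharing."""
    out = []
    for host, ips in sorted(parse_dns_fields(text).items()):
        brand = impersonated_brand(host)
        if brand:
            out.append({"domain": defang(host), "brand": brand,
                        "ips": sorted(defang(ip) for ip in ips)})
    return out
```

Feed it the real tshark output instead of SAMPLE and the returned list is ready to be pasted into a blocklist or a case note.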
