Wireshark Challenge | SOC 101 | TCM Security
Instructions:
The SOC at BulbaTech Innovations received an alert of abnormal traffic patterns and a high number of repeated queries originating from one of their external-facing endpoints (172.16.1.16).
Using your newfound Wireshark skills, perform network traffic analysis on the wireshark_challenge.pcap packet capture to produce findings for the report questions below.
Challenge File:
02_Network_Security/02_Wireshark/Challenges/wireshark_challenge.pcap
How many total packets are in the wireshark_challenge.pcap packet capture?
Ans: 39106
What was the first domain name queried and resolved in the capture?
Ans: webmasterdev.com
Applying the dns display filter shows all DNS traffic (both queries and responses).
The first resolved domain was found by checking the first DNS query packet and its matching response.
What is the associated IP address of the domain name?
Ans: 184.168.98.68
Statistics → Resolved Addresses → Search “webmasterdev.com”
How many HTTP packets are contained in the capture file?
Ans: 8
Using the display filter http; the count is shown at the bottom right corner of Wireshark as “Displayed: 8”.
We can observe a suspicious URL being requested by the host 172.16.1.191: select the packet, right-click, Follow → HTTP Stream.
Suspicious indicators: a bare IP address as the Host header, PowerShell as the User-Agent, and a download of a file named 6ctf5JL.
The request was to hxxp[://]162[.]252[.]172[.]54/9GQ5A8/6ctf5JL, and the response body is an executable file (.exe) (signs: “MZ” header, “This program cannot be run in DOS mode”).
The “MZ” magic bytes indicate a Windows executable file (.exe), not an image.
What is the relative path the victim accessed on the web server to request a file for download?
Ans: /9GQ5A8/6ctf5JL
Based on the response header, what file type or format does the web server claim the downloaded file to be?
Ans: image/gif
This is the value of the Content-Type response header.
However, what is the actual file signature or magic bytes contained in the file?
Ans: MZ
Hint: Magic bytes, also referred to as magic numbers or file signatures, are sequences of bytes located at the very beginning of a file. They serve as a unique identifier for the file's format or type.
What command-line utility or program was used by the victim to download the file?
Ans: powershell
Hint: Check the request headers.
What is the sha256 hash of the downloaded file?
Ans: 9b8ffdc8ba2b2caa485cca56a82b2dcbd251f65fb30bc88f0ac3da6704e4d3c6
Export the file via File → Export Objects → HTTP
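The last three questions hinge on one defender's check: the server claims image/gif, but the leading bytes say MZ, and the exported file is then hashed for lookup. The following Python is an added example, not part of the course material or the challenge files; it uses a constructed byte string that imitates an MZ header (not the real download) and a small signature table I assembled for illustration. Point analyze_file at the object exported from Wireshark to get the same verdict and sha256 for the real file.

```python
import hashlib
from typing import Dict, Optional

# Small table of well-known file signatures (magic bytes), assembled for this example.
MAGIC_SIGNATURES = {
    b"MZ": "Windows executable (MZ/PE)",
    b"GIF87a": "GIF image",
    b"GIF89a": "GIF image",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"%PDF-": "PDF document",
    b"PK\x03\x04": "ZIP archive",
}

# What a given Content-Type header should look like on the wire.
EXPECTED_FOR_MIME = {
    "image/gif": "GIF image",
    "image/png": "PNG image",
    "application/pdf": "PDF document",
    "application/zip": "ZIP archive",
}

# Constructed sample body: an MZ stub with the DOS-mode string, no real code.
SAMPLE_BODY = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
    + b"This program cannot be run in DOS mode.\r\n"
)


def identify_by_magic(data: bytes) -> str:
    """Return the file type implied by the leading bytes, or 'unknown'."""
    for signature, name in MAGIC_SIGNATURES.items():
        if data.startswith(signature):
            return name
    return "unknown"


def claimed_type_matches(content_type: str, data: bytes) -> bool:
    """True only when the Content-Type header agrees with the magic bytes."""
    mime = content_type.split(";")[0].strip().lower()
    return EXPECTED_FOR_MIME.get(mime) == identify_by_magic(data)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the exported object, ready for a VirusTotal lookup."""
    return hashlib.sha256(data).hexdigest()


def analyze_download(content_type: str, data: bytes) -> Dict[str, object]:
    """Summarize the claimed type, the actual type and whether they disagree."""
    actual = identify_by_magic(data)
    return {
        "claimed": content_type,
        "actual": actual,
        "mismatch": not claimed_type_matches(content_type, data),
        "sha256": sha256_hex(data),
    }


def analyze_file(path: str, content_type: str) -> Optional[Dict[str, object]]:
    """Run the same check on a file exported via File -> Export Objects -> HTTP."""
    try:
        with open(path, "rb") as handle:
            return analyze_download(content_type, handle.read())
    except OSError:
        return None


if __name__ == "__main__":
    result = analyze_download("image/gif", SAMPLE_BODY)
    for key, value in result.items():
        print(f"{key}: {value}")
```

A mismatch between the declared Content-Type and the magic bytes is itself a detection signal: a proxy or IDS rule that compares the two on every downloaded object would have flagged this response regardless of the URL or host.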
Submit the uncovered hash to VirusTotal. Based on the popular threat label and tags, what type of malware did the endpoint get infected with?
Ans: Pikabot
Reference to pikabot malware:
https://www.zscaler.com/blogs/security-research/d-evolution-pikabot
https://attack.mitre.org/software/S1145/
https://malpedia.caad.fkie.fraunhofer.de/details/win.pikabot
What protocol makes up the majority of UDP packets?
Ans: DNS
Filter on udp, then go to Statistics → Protocol Hierarchy; DNS accounts for the largest percentage of UDP packets.
Look at the domain names that were queried within the capture. In defanged format, what is the base domain name that is continually queried?
Ans: steasteel[.]net
HINT : It might be helpful to open up a DNS packet in the Packet Details Pane first. From there, look for the field that contains the queried domain name and add it as a column.
DNS requests → Statistics → Resolved Addresses → Hosts.
Repeated DNS queries were made to multiple subdomains of this base domain.
Read up on MITRE ATT&CK ID T1071.004. What is the attack technique we’re likely seeing in the PCAP file often known as?
Ans: DNS tunneling
Select a packet related to this domain, then Follow → UDP Stream.
The infected hosts are sending encrypted data to different hosts via DNS queries.
Next, we’ll correlate all suspicious IPs, domains, and affected hosts across the network. Finally, we’ll block them at the firewall and DNS level to stop further communication.
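The pattern behind the last two questions (many unique, long, random-looking subdomains under one base domain) is what a detection rule for DNS tunneling looks for. The Python below is an added example of that detection logic, not part of the course or the challenge; the query lines are constructed to resemble a Wireshark column export of src IP and dns.qry.name, the steasteel.net subdomains are made up, and the base-domain split (last two labels) and thresholds are simplifying assumptions rather than a public-suffix-aware rule.

```python
import math
from collections import defaultdict
from typing import Dict, List

# Constructed sample: "src_ip qname" per line, imitating a column export.
SAMPLE_DNS_QUERIES = [
    "172.16.1.16 webmasterdev.com",
    "172.16.1.16 www.webmasterdev.com",
    "172.16.1.16 www.example.com",
    "172.16.1.16 www.example.com",
    "172.16.1.16 www.example.com",
    "172.16.1.16 www.example.com",
    "172.16.1.16 www.example.com",
    "172.16.1.16 www.example.com",
    "172.16.1.16 7a9f3c1e4b2d8f06.0a1b.steasteel.net",
    "172.16.1.16 c4e2b8d1f7a93065.1c2d.steasteel.net",
    "172.16.1.16 0f1e2d3c4b5a6978.3e4f.steasteel.net",
    "172.16.1.16 9b8a7c6d5e4f3021.5061.steasteel.net",
    "172.16.1.16 a1b2c3d4e5f60718.7283.steasteel.net",
    "172.16.1.16 6d5c4b3a29180f7e.94a5.steasteel.net",
    "172.16.1.16 e7f8091a2b3c4d5e.b6c7.steasteel.net",
    "172.16.1.16 3c2b1a0f9e8d7c6b.d8e9.steasteel.net",
]


def base_domain(qname: str) -> str:
    """Last two labels (assumption: not public-suffix aware)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def subdomain_part(qname: str) -> str:
    """Everything left of the base domain, empty for the apex itself."""
    qname = qname.rstrip(".").lower()
    base = base_domain(qname)
    return "" if qname == base else qname[: -(len(base) + 1)]


def shannon_entropy(text: str) -> float:
    """Bits per character; random hex/base64 labels score high, words score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def summarize(lines: List[str]) -> Dict[str, Dict[str, float]]:
    """Per base domain: query count, unique-subdomain ratio, mean length, mean entropy."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines instead of crashing on them
        grouped[base_domain(parts[1])].append(subdomain_part(parts[1]))
    summary = {}
    for base, subs in grouped.items():
        summary[base] = {
            "queries": len(subs),
            "unique_ratio": len(set(subs)) / len(subs),
            "avg_len": sum(len(s) for s in subs) / len(subs),
            "avg_entropy": sum(shannon_entropy(s) for s in subs) / len(subs),
        }
    return summary


def flag_tunneling_candidates(lines: List[str], min_queries: int = 5,
                              min_unique_ratio: float = 0.8,
                              min_avg_len: int = 15) -> List[str]:
    """Base domains with many, mostly unique, long subdomains (thresholds are assumptions)."""
    flagged = []
    for base, stats in summarize(lines).items():
        if (stats["queries"] >= min_queries
                and stats["unique_ratio"] >= min_unique_ratio
                and stats["avg_len"] >= min_avg_len):
            flagged.append(base)
    return sorted(flagged)


if __name__ == "__main__":
    for base, stats in summarize(SAMPLE_DNS_QUERIES).items():
        print(base, stats)
    print("candidates:", flag_tunneling_candidates(SAMPLE_DNS_QUERIES))
```

Volume alone is not the signal: www.example.com is queried six times here and is not flagged, because every query is the same short name. The combination of high unique-subdomain ratio and long, high-entropy labels is what separates tunneled data from a busy but legitimate zone, and those three statistics are cheap to compute from a DNS log or a Wireshark column export.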