Hawkeye
CyberDefenders
Scenario:
An accountant at your organization received an email regarding an invoice with a download link. Suspicious network traffic was observed shortly after opening the email. As a SOC analyst, investigate the network trace and analyze exfiltration attempts.
1) How many packets does the capture have?
Well, we can look here:
Or look at Statistics, then Capture File Properties:
2) At what time was the first packet captured?
Well, if we look at Statistics, then Capture File Properties, you can see when the first packet was captured:
Don't forget to add UTC at the end.
3) What is the duration of the capture?
You can see the elapsed time:
4) What is the most active computer at the link level?
You can look at Statistics, then Conversations, and then look at IPv4:
If we search for the MAC of this IP:
You can look at Statistics, then Conversations, and then look at Ethernet.
Here it is confirmed.
5) Manufacturer of the NIC of the most active system at the link level?
Here we must do a MAC address lookup for the MAC that we found a moment ago:
6) Where is the headquarters of the company that manufactured the NIC of the most active computer at the link level?
You will use Google this time:
7) The organization works with private addressing and netmask /24. How many computers in the organization are involved in the capture?
You can look at Statistics, then Conversations, then IPv4, and you will find the private addresses within the /24 netmask:
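Questions 1 through 7 are all answered from capture-wide statistics (packet count, first timestamp, elapsed time, busiest MAC, hosts in the /24). The script below is an added example, not part of the original write-up or the lab files: it parses a classic pcap with nothing but the standard library and reproduces those same statistics, so you can check what Wireshark's Capture File Properties and Endpoints views show. The capture it reads is constructed inline; only the victim's IP 10.4.10.132, its MAC 00:08:02:1c:47:ae and the external IP 66.171.248.178 come from the write-up, while the DNS server, second workstation, gateway MAC and timestamps are made-up placeholders.

```python
import struct
from collections import Counter
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample values. The victim's IP/MAC and the external IP come
# from the write-up; DNS server, second host and gateway MAC are assumed.
VICTIM_MAC, VICTIM_IP = "00:08:02:1c:47:ae", "10.4.10.132"
DNS_MAC, DNS_IP = "00:50:56:aa:bb:01", "10.4.10.4"        # assumed
OTHER_MAC, OTHER_IP = "00:50:56:aa:bb:02", "10.4.10.12"   # assumed
GW_MAC = "00:50:56:aa:bb:ff"                              # assumed
EXTERNAL_IP = "66.171.248.178"


def build_frame(src_mac, dst_mac, src_ip, dst_ip):
    """Ethernet II header + minimal IPv4 header + 8 filler bytes."""
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", ""))
           + b"\x08\x00")                       # EtherType IPv4
    payload = b"\x00" * 8
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                     ip_address(src_ip).packed, ip_address(dst_ip).packed)
    return eth + ip + payload


def build_pcap(records):
    """records: list of (epoch_seconds, microseconds, frame_bytes)."""
    # Global header: magic, version 2.4, tz 0, sigfigs 0, snaplen, LINKTYPE_ETHERNET
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, frame in records:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Return a list of (timestamp_float, frame_bytes) from classic pcap bytes."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    offset, packets = 24, []
    while offset + 16 <= len(data):
        sec, usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        packets.append((sec + usec / 1_000_000, data[offset:offset + incl_len]))
        offset += incl_len
    return packets


def packet_count(packets):                     # Q1
    return len(packets)


def first_packet_utc(packets):                 # Q2
    first = min(ts for ts, _ in packets)
    return datetime.fromtimestamp(first, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def capture_duration_seconds(packets):         # Q3
    stamps = [ts for ts, _ in packets]
    return max(stamps) - min(stamps)


def most_active_mac(packets):                  # Q4: frames per MAC, as in Endpoints > Ethernet
    counts = Counter()
    for _, frame in packets:
        counts[frame[0:6].hex(":")] += 1       # destination MAC
        counts[frame[6:12].hex(":")] += 1      # source MAC
    return counts.most_common(1)[0]            # (mac, frame_count)


def internal_hosts(packets, cidr="10.4.10.0/24"):   # Q7
    net, hosts = ip_network(cidr), set()
    for _, frame in packets:
        if frame[12:14] != b"\x08\x00":        # IPv4 frames only
            continue
        for addr in (ip_address(frame[26:30]), ip_address(frame[30:34])):
            if addr in net:
                hosts.add(addr)
    return [str(a) for a in sorted(hosts)]


# Constructed four-frame capture (timestamps are placeholders, not the lab's).
T0 = int(datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc).timestamp())
SAMPLE_PCAP = build_pcap([
    (T0, 0, build_frame(VICTIM_MAC, DNS_MAC, VICTIM_IP, DNS_IP)),
    (T0 + 1, 0, build_frame(DNS_MAC, VICTIM_MAC, DNS_IP, VICTIM_IP)),
    (T0 + 3, 0, build_frame(VICTIM_MAC, GW_MAC, VICTIM_IP, EXTERNAL_IP)),
    (T0 + 10, 500000, build_frame(OTHER_MAC, GW_MAC, OTHER_IP, EXTERNAL_IP)),
])
PACKETS = parse_pcap(SAMPLE_PCAP)

if __name__ == "__main__":
    print(packet_count(PACKETS), first_packet_utc(PACKETS), capture_duration_seconds(PACKETS))
    print(most_active_mac(PACKETS), internal_hosts(PACKETS))
```

The MAC counter deliberately counts both source and destination, which matches how Wireshark's Ethernet endpoint statistics attribute frames; the NIC vendor lookup for question 5 still needs an OUI database, so it is not attempted offline here.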
8) What is the name of the most active computer at the network level?
We know that the most active IP is 10.4.10.132 and that the owner of the MAC is 00:08:02:1c:47:ae, so:
Also through DNS:
9) What is the IP of the organization's DNS server?
If you search through DNS:
10) What domain is the victim asking about in packet 204?
We're going to go to the packet:
Inside packet 204:
11) What is the IP of the domain in the previous question?
We can see the answer in packet 206:
12) Indicate the country to which the IP in the previous section belongs.
We can use an IP lookup website:
13) What operating system does the victim's computer run?
If we search for any traffic that moves over TCP and do a Follow TCP Stream, you will be able to see the operating system in the User-Agent:
14) What is the name of the malicious file downloaded by the accountant?
If we go to the File tab, then Export Objects, then HTTP, we will find the malicious file:
This filter can also be used:
In Wireshark, the expression http.request.method == "GET" is a display filter that shows only HTTP GET requests. The == operator compares the value of the http.request.method field to the string "GET". If the value of the field matches the string, the packet is displayed.
Here is a breakdown of the filter:
http: this part of the filter specifies that we are interested in HTTP packets.
.request: this part of the filter specifies that we are interested in HTTP request packets.
.method: this part of the filter specifies that we are interested in the HTTP request method.
==: this part of the filter is the comparison operator. It means that we are comparing the value of the http.request.method field to the string "GET".
"GET": this part of the filter is the string that we are comparing the value of the http.request.method field to.
15) What is the MD5 hash of the downloaded file?
We'll go to the File tab, then Export Objects, then HTTP, and save the file so we can compute the MD5 hash:
Then we compute it:
16) What software runs the web server that hosts the malware?
If we go to the traffic of the downloaded file, then Follow, then HTTP Stream:
17) What is the public IP of the victim's computer?
If we go to the HTTP traffic where the source IP is 10.4.10.132, we will find the public IP. Specifically, select the GET traffic, then Follow > HTTP Stream:
18) In which country is the email server to which the stolen information is sent?
We know that there is traffic between the IP 10.4.10.132 and the external IP 66.171.248.178:
We used an IP lookup to learn more about that IP address:
19) Analyzing the first extraction of information. What software runs the email server to which the stolen data is sent?
You can find more information about the software running the email server by going to "Follow" > TCP Stream, as we did in question seven:
20) To which email account is the stolen information sent?
We don't need to go anywhere; the answer is in the same TCP stream:
21) What is the password used by the malware to send the email?
If you notice the AUTH LOGIN, there is some encoded information after it:
If we use the most famous tool, cyberchef.org:
22) Which malware variant exfiltrated the data?
If you notice, you will find that the message content is base64-encoded, so we will base64-decode it:
I will use my friend cyberchef.org again:
23) What are the bankofamerica access credentials? (username:password)
Don't go away, we are in the right place:
24) Every how many minutes does the collected data get exfiltrated?
If you select the last two streams, for example, and then open Follow > TCP Stream:
Look at the time here:
tcp.stream eq 37
And here:
tcp.stream eq 35
If you subtract one time from the other, you will get the result you want. Remember, the answer is wanted in minutes.
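Questions 19 through 24 are all read out of the SMTP streams: the server banner, the AUTH LOGIN credentials (base64, not encrypted), the RCPT TO mailbox, the base64 message body that names the malware and carries the stolen credentials, and the gap between two exfiltration streams. The parser below is an added example written for this write-up, not code from the lab or from the HawkEye malware; it automates the CyberChef steps over a Follow TCP Stream dump. The SMTP session it reads is constructed inline with placeholder mailbox, password and credential values (none of them are the lab's answers), and the stream timestamps passed to exfil_interval_minutes are likewise made up.

```python
import base64
import re
from datetime import datetime

SMTP_REPLY = re.compile(r"^\d{3}[ -]")          # server lines start with a 3-digit code


def b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed Follow TCP Stream dump of one exfiltration session.
# Banner, mailbox, password and stolen credentials are placeholders.
SAMPLE_STREAM = "\r\n".join([
    "220 mail.example.test ESMTP ExampleMail 1.0",
    "EHLO WORKSTATION",
    "250-mail.example.test Hello",
    "250 AUTH LOGIN PLAIN",
    "AUTH LOGIN",
    "334 VXNlcm5hbWU6",                          # base64("Username:")
    b64("exfil-mailbox@example.test"),
    "334 UGFzc3dvcmQ6",                          # base64("Password:")
    b64("S3cr3tP@ss"),
    "235 Authentication succeeded",
    "MAIL FROM:<exfil-mailbox@example.test>",
    "250 OK",
    "RCPT TO:<exfil-mailbox@example.test>",
    "250 Accepted",
    "DATA",
    "354 Enter message, end with \".\"",
    "From: exfil-mailbox@example.test",
    "To: exfil-mailbox@example.test",
    "Subject: Keylogger report",
    "Content-Transfer-Encoding: base64",
    "",
    b64("HawkEye Keylogger\nbankofamerica.example.test\nuser123:P4ssw0rd!"),
    ".",
    "250 OK queued",
    "QUIT",
])


def parse_smtp_stream(stream):
    """Extract banner, AUTH LOGIN credentials, recipients and decoded body."""
    lines = stream.split("\r\n")
    result = {"server_software": None, "auth_user": None, "auth_pass": None,
              "rcpt_to": [], "headers": {}, "body": None}
    for line in lines:                           # Q19: greeting banner names the MTA
        if line.startswith("220 "):
            result["server_software"] = line[4:]
            break
    for i, line in enumerate(lines):             # Q21: two client lines after AUTH LOGIN
        if line.upper() == "AUTH LOGIN":
            client = [l for l in lines[i + 1:i + 5] if not SMTP_REPLY.match(l)]
            result["auth_user"] = base64.b64decode(client[0]).decode()
            result["auth_pass"] = base64.b64decode(client[1]).decode()
            break
    result["rcpt_to"] = re.findall(r"^RCPT TO:<([^>]+)>", stream, re.M)   # Q20
    if "DATA" in lines:                          # Q22/Q23: decode the message body
        j = lines.index("DATA") + 1
        while j < len(lines) and SMTP_REPLY.match(lines[j]):
            j += 1                               # skip the 354 reply
        while j < len(lines) and lines[j] != "":
            key, _, value = lines[j].partition(":")
            result["headers"][key.strip().lower()] = value.strip()
            j += 1
        j += 1                                   # blank line ends the headers
        body_lines = []
        while j < len(lines) and lines[j] != ".":
            body_lines.append(lines[j])
            j += 1
        if result["headers"].get("content-transfer-encoding", "").lower() == "base64":
            result["body"] = base64.b64decode("".join(body_lines)).decode(errors="replace")
        else:
            result["body"] = "\n".join(body_lines)
    return result


def credential_pairs(body):
    """Lines of the form user:password in the decoded report."""
    return re.findall(r"^(\S+):(\S+)$", body, re.M)


def exfil_interval_minutes(first_stream_utc, second_stream_utc):
    """Q24: minutes between the start times of two exfiltration streams."""
    fmt = "%Y-%m-%d %H:%M:%S"
    a, b = datetime.strptime(first_stream_utc, fmt), datetime.strptime(second_stream_utc, fmt)
    return abs((b - a).total_seconds()) / 60


if __name__ == "__main__":
    report = parse_smtp_stream(SAMPLE_STREAM)
    print(report["server_software"], report["auth_user"], report["auth_pass"], report["rcpt_to"])
    print(report["body"], credential_pairs(report["body"]))
    print(exfil_interval_minutes("2024-01-02 03:10:00", "2024-01-02 03:20:00"))
```

Server and client lines are told apart purely by the three-digit reply code, which is how a Follow TCP Stream dump reads when both directions are interleaved; a detection rule for this traffic would key on the same things the parser pulls out, an SMTP session from a workstation to an external mail server using AUTH LOGIN with a base64 body on a fixed period.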
"Control the code, and you control the world." From wiping metadata to gaining root access, every step is documented, and my goal is to deeply understand the system, not just hack!
See You Soon
AS Cyber