There are three clients in this month's exercise pcap.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/4658c1e3-9f72-4fa8-814c-9c7978fd6be9/2020-04-24-traffic-analysis-exercise-alerts.jpg

Which two clients are Windows hosts, and what are the associated user account names?

  1. Check Statistics > Endpoints (IPv4 tab) to find the three local 10.0.0.x client IPs

    https://s3-us-west-2.amazonaws.com/secure.notion-static.com/9596ce9a-904c-40e8-b441-a69c66f1b339/Untitled.png

  2. Check NetBIOS

    ip.addr == 10.0.0.149 and nbns → DESKTOP-C10SKPY

    https://s3-us-west-2.amazonaws.com/secure.notion-static.com/c01fbf66-dbc0-44cd-b31f-d673fa42dd40/Untitled.png

    ip.addr == 10.0.0.167 and nbns → DESKTOP-GRIONXA

    ip.addr == 10.0.0.202 and nbns → no NBNS traffic, consistent with the question's two Windows hosts (absence of NBNS alone is not proof, since NetBIOS can be disabled on Windows; if in doubt, confirm with the DHCP hostname option or HTTP User-Agent strings)

  3. Check Kerberos (CNameString also matches the machine account, which ends in $, so use kerberos.CNameString and !(kerberos.CNameString contains "$") to see only user accounts)

    ip.addr == 10.0.0.149 and kerberos.CNameString → alyssa.fitzgerald

    ip.addr == 10.0.0.167 and kerberos.CNameString → elmer.obrien

Summary

10.0.0.149 — DESKTOP-C10SKPY — alyssa.fitzgerald

10.0.0.167 — DESKTOP-GRIONXA — elmer.obrien
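The three Wireshark steps above can be collapsed into one pass over tshark output. The script below is an added example, not part of the exercise write-up: it parses the two-column "-T fields" output of the tshark commands given in its docstring (pcap file name assumed), prefers the <20> NetBIOS suffix because workgroup names are also registered under <00>, and drops machine accounts (trailing $) from the Kerberos names. The sample lines are constructed to mirror the names found above, not copied from the pcap.

```python
"""Map each local IP to its NetBIOS hostname and Kerberos user from tshark output.

tshark commands that produce the two inputs (pcap file name is an assumption):

  tshark -r traffic.pcap -Y nbns -T fields -e ip.src -e nbns.name
  tshark -r traffic.pcap -Y 'kerberos.msg_type == 10 or kerberos.msg_type == 12' \
      -T fields -e ip.src -e kerberos.CNameString

Only Kerberos requests (AS-REQ = 10, TGS-REQ = 12) are kept so that ip.src is
the client rather than the domain controller answering it.
"""
from collections import defaultdict

# Constructed sample output (modelled on the names seen in Wireshark above,
# not taken from the pcap). tshark joins several values in one packet with ','.
NBNS_SAMPLE = """\
10.0.0.149\tDESKTOP-C10SKPY<00>
10.0.0.149\tWORKGROUP<00>
10.0.0.149\tDESKTOP-C10SKPY<20>
10.0.0.167\tDESKTOP-GRIONXA<00>,DESKTOP-GRIONXA<00>
10.0.0.167\tWORKGROUP<1e>
10.0.0.167\tDESKTOP-GRIONXA<20>
"""
KRB_SAMPLE = """\
10.0.0.149\tDESKTOP-C10SKPY$
10.0.0.149\talyssa.fitzgerald
10.0.0.167\tDESKTOP-GRIONXA$
10.0.0.167\telmer.obrien
10.0.0.167\telmer.obrien
"""


def parse_fields(text):
    """Yield (ip, value) pairs from tab-separated tshark field output."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 2 or not parts[1]:
            continue
        for value in parts[1].split(","):
            yield parts[0], value.strip()


def nbns_hostnames(text):
    """Pick one NetBIOS hostname per IP.

    Suffix <20> (File Server Service) is registered only for the host's own
    name, so it wins. Suffix <00> is shared with workgroup names, so when it is
    the only evidence all candidates are returned joined with '/' for review.
    """
    by_ip = defaultdict(lambda: defaultdict(set))
    for ip, raw in parse_fields(text):
        name, _, suffix = raw.rstrip(">").partition("<")
        by_ip[ip][suffix].add(name.strip())
    hosts = {}
    for ip, suffixes in by_ip.items():
        if suffixes.get("20"):
            hosts[ip] = sorted(suffixes["20"])[0]
        elif suffixes.get("00"):
            hosts[ip] = "/".join(sorted(suffixes["00"]))
    return hosts


def kerberos_users(text):
    """Collect user principals per IP, dropping machine accounts (trailing $)."""
    users = defaultdict(set)
    for ip, name in parse_fields(text):
        if name and not name.endswith("$"):
            users[ip].add(name)
    return users


def summarize(nbns_text, krb_text):
    """Combine both views into {ip: {"host": ..., "users": [...]}}."""
    hosts = nbns_hostnames(nbns_text)
    users = kerberos_users(krb_text)
    return {
        ip: {"host": hosts.get(ip), "users": sorted(users.get(ip, ()))}
        for ip in sorted(set(hosts) | set(users))
    }


if __name__ == "__main__":
    for ip, info in summarize(NBNS_SAMPLE, KRB_SAMPLE).items():
        print(f"{ip} - {info['host']} - {', '.join(info['users']) or '(no user)'}")
```

A client that never appears in either output (10.0.0.202 here) simply does not show up, which is the same negative result the manual NBNS filter gave.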

Which one of these two Windows clients was infected?

  1. The alerts (screenshot below) point at 10.0.0.167

    https://s3-us-west-2.amazonaws.com/secure.notion-static.com/7f9d01c4-c973-4b61-ac16-d4ab0edc95f0/Untitled.png

  2. ip.src == 119.31.234.40 and ip.dst == 10.0.0.167 and http → Follow TCP Stream to see the request and the server's response

    https://s3-us-west-2.amazonaws.com/secure.notion-static.com/7447635f-d703-4088-b7eb-6608bd5f478c/Untitled.png

What type of malware was that Windows client infected with?

  1. Search online for the URL/filename 8888.png → URLhaus https://urlhaus.abuse.ch/url/354957/ tags it as Qakbot

If nothing is found, export the file (File > Export Objects > HTTP), take its SHA-256, and search online for the hash (VirusTotal, URLhaus, MalwareBazaar)
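Before searching for the hash it is worth checking that the downloaded object is what its name and Content-Type claim. The script below is an added example, not part of the exercise write-up: it splits a raw HTTP response as shown by Follow TCP Stream, honours Content-Length, hashes the body, and compares the declared Content-Type against the body's magic bytes. The response bytes are a constructed stub for illustration, not the bytes from the exercise pcap; the parser assumes an unencoded, non-chunked body (for real captures, File > Export Objects > HTTP already hands you the decoded file).

```python
"""Hash an HTTP response body and check declared vs. actual file type."""
import hashlib

# Constructed sample response (NOT the real 8888.png bytes): a "PNG" whose
# body actually begins with the MZ header of a Windows executable.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/png\r\n"
    b"Content-Length: 24\r\n"
    b"\r\n"
    b"MZ\x90\x00" + b"\x00" * 20
)

# Magic bytes for the file types most often seen in malware downloads.
MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"PK\x03\x04": "ZIP archive",
    b"%PDF": "PDF document",
}

# What each declared Content-Type should look like on the wire.
EXPECTED_BY_TYPE = {
    "image/png": "PNG image",
    "application/zip": "ZIP archive",
    "application/pdf": "PDF document",
}


def split_http_response(raw):
    """Return (status line, lower-cased header dict, body) from raw response bytes."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of HTTP headers found")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.decode("latin-1").strip().lower()] = value.decode("latin-1").strip()
    length = headers.get("content-length")
    if length is not None and length.isdigit():
        body = body[: int(length)]  # drop anything past the declared length
    return status, headers, body


def identify(body):
    """Classify the body by its leading magic bytes."""
    for magic, description in MAGIC.items():
        if body.startswith(magic):
            return description
    return "unknown"


def analyse(raw):
    """Summarise one response: size, SHA-256 for lookups, and a type mismatch flag."""
    status, headers, body = split_http_response(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    actual = identify(body)
    return {
        "status": status,
        "declared_type": declared,
        "actual_type": actual,
        "mismatch": declared in EXPECTED_BY_TYPE and EXPECTED_BY_TYPE[declared] != actual,
        "size": len(body),
        "sha256": hashlib.sha256(body).hexdigest(),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_RESPONSE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A mismatch flag here is the cue to treat the object as a dropped payload regardless of its extension; the sha256 value is the one to paste into VirusTotal or MalwareBazaar.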