Traffic Analysis Exercise: Download from fake software site
BACKGROUND
You work as an analyst at a Security Operation Center (SOC). Someone contacts your team to report a coworker has downloaded a suspicious file after searching for Google Authenticator. The caller provides some information similar to social media posts at:
https://www.linkedin.com/posts/unit42_2025-01-22-wednesday-a-malicious-ad-led-activity-7288213662329192450-ky3V/
https://x.com/Unit42_Intel/status/1882448037030584611
Based on the caller’s initial information, you confirm there was an infection. You retrieve a packet capture (pcap) of the associated traffic. Reviewing the traffic, you find several indicators matching details from a GitHub page referenced in the above social media posts. After confirming an infection happened, you begin writing an incident report.
LAN SEGMENT DETAILS FROM THE PCAP
LAN segment range: 10.1.17[.]0/24 (10.1.17[.]0 through 10.1.17[.]255)
Domain: bluemoontuesday[.]com
Active Directory (AD) domain controller: 10.1.17[.]2 - WIN-GSH54QLW48D
AD environment name: BLUEMOONTUESDAY
LAN segment gateway: 10.1.17[.]1
LAN segment broadcast address: 10.1.17[.]255
Questions
1. What is the IP address of the infected Windows client?
R= 10.1.17.215
From what was reported (phishing through a “Google Authenticator” impersonation site), we can see the IP 10.1.17.215 connecting to the suspected site.
Filter used:
(http.request or tls.handshake.type eq 1) and !(ssdp)
2. What is the MAC address of the infected Windows client?
R= 00:d0:b7:26:4a:74
Looking into the Ethernet frame of those packets, we can get the client's MAC address from the source address field.
3. What is the host name of the infected Windows client?
R= DESKTOP-L8C5GSJ
The NetBIOS protocol (NBNS) lets us identify the hostname of the device.
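As an added example (not part of the original write-up), the following Python script does what the Q2 and Q3 lookups do by hand in Wireshark: it pulls the source MAC and IP from an Ethernet/IPv4/UDP frame and decodes the RFC 1001 first-level name encoding that NBNS uses, so the hostname can be read from a name-registration broadcast. The frame bytes, transaction ID and function names are constructed sample values, not data from the exercise pcap.

```python
import struct

# Constructed sample values: MAC, IP and hostname match the answers above;
# the frame bytes are built here, not taken from the exercise pcap.
INFECTED_MAC = bytes.fromhex("00d0b7264a74")
INFECTED_IP = bytes([10, 1, 17, 215])

def encode_nbns_name(name: str, suffix: int) -> bytes:
    """RFC 1001 first-level encoding: pad the name to 15 chars, append the
    suffix byte, then send each nibble of every byte as a letter 'A'..'P'."""
    raw = name.ljust(15).encode("ascii") + bytes([suffix])
    return bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))

def decode_nbns_name(encoded: bytes) -> tuple:
    """Reverse of encode_nbns_name: returns (NetBIOS name, suffix byte)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]

def parse_frame(frame: bytes) -> dict:
    """Pull the source MAC and IP from an Ethernet/IPv4 frame; if it carries
    an NBNS datagram (udp/137), also decode the NetBIOS name it registers."""
    _dst, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("only IPv4 frames are handled")
    info = {"src_mac": ":".join(f"{b:02x}" for b in src_mac),
            "src_ip": ".".join(str(b) for b in frame[26:30])}
    if frame[23] == 17:                      # IP protocol field: UDP
        udp = 14 + (frame[14] & 0x0F) * 4    # skip Ethernet + IP header (IHL)
        if struct.unpack("!H", frame[udp + 2:udp + 4])[0] == 137:
            # 8-byte UDP header, 12-byte NBNS header, 1 length byte, 32-byte name
            qname = frame[udp + 21:udp + 53]
            info["netbios_name"], info["suffix"] = decode_nbns_name(qname)
    return info

def build_nbns_registration(name: str) -> bytes:
    """Constructed broadcast NBNS name-registration frame like the one a Windows
    host sends at boot; checksums are left zero because the parser ignores them."""
    nbns = struct.pack("!HHHHHH", 0x1234, 0x2910, 1, 0, 0, 1)
    nbns += b"\x20" + encode_nbns_name(name, 0x00) + b"\x00" + struct.pack("!HH", 0x20, 1)
    udp = struct.pack("!HHHH", 137, 137, 8 + len(nbns), 0) + nbns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 128, 17, 0,
                     INFECTED_IP, bytes([10, 1, 17, 255])) + udp
    return b"\xff" * 6 + INFECTED_MAC + b"\x08\x00" + ip

if __name__ == "__main__":
    print(parse_frame(build_nbns_registration("DESKTOP-L8C5GSJ")))
```

Running it against real captures means feeding parse_frame each frame's raw bytes (for example from a pcap reader) and keeping the frames whose decoded suffix is 0x00, the workstation service name.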
4. What is the user account name from the infected Windows client?
R= shutchenson
Looking into the Protocol Hierarchy Statistics, I determined that the Kerberos protocol will give us a username. The identity is located in the CNameString field.
5. What is the likely domain name for the fake Google Authenticator page?
R= google-authenticator.burleson-appliance.net
From the threat intel given in the Background section, the malicious sites were under the domain burleson-appliance.net. As shown in Q1, there’s a site called google-authenticator.burleson-appliance.net, which matches what was previously seen.