Overview:
We are looking for signs of abnormal or malicious web traffic found in Frank and Ted's environment.
If you are interested in analyzing the traffic found in the PCAP file, see the exercise: 2020-06-12 - TRAFFIC ANALYSIS EXERCISE - FRANK-N-TED (WHAT'S GOING ON?)
Summary:
After reviewing the traffic, we observed the device LAPTOP-5WKHX9YG[.]frank-n-ted[.]com initially request the URL 205[.]185[.]125[.]104/pQBtW (a bare IP address rather than a domain name) at 2020-06-12 17:15:19 UTC. Based on results from VirusTotal, the IP address's ISP is Network of Data-Centers Selectel (a Russian cloud and data services provider). HTTP traffic shows the host downloaded the file june11.dll.
The device then visited snnmnkxdhflwgthqismb[.]com.
We also observed DESKTOP-86J4BX.frank-n-ted[.] query the DC for the hosts ygrvqkgouzou[.]frank-n-ted[.]com, ldap.tcp.dc._msdcs.localdomain.frank-n-ted[.]com and wpad.frank-n-ted[.]com; the DC responded "No such name" to each.
When viewing Kerberos traffic, we can see the users ted.brokowski and frank.brokowski as users of the devices DESKTOP-86J4BX and LAPTOP-5WKHX9YG, respectively.
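The signs listed above (an HTTP request straight to an IP address, a DLL download, a random-looking external domain, and NXDOMAIN answers for unexpected internal hostnames) can be checked mechanically once the PCAP has been reduced to HTTP and DNS records. The script below is an added example and not part of the exercise or its answer key: the records are constructed by hand to mirror the indicators named in the summary, the Zeek-like field names (ts, src, host, uri, mime, filename, query, rcode) are an assumption rather than a real log format, and the entropy and length thresholds are hand-tuned for this sample.

```python
"""Triage constructed HTTP and DNS records for the signs noted in the write-up.

Added example: the records are constructed to mirror the summary's indicators,
not exported from the exercise PCAP, and the field layout is an assumption.
"""
import ipaddress
import math
from collections import Counter

INTERNAL_DOMAIN = "frank-n-ted.com"  # the exercise's Active Directory domain
EXEC_MIME = {"application/x-dosexec", "application/x-msdownload"}
EXEC_EXT = (".dll", ".exe", ".scr")
# Lookups that routinely miss in a small AD lab: proxy autodiscovery and SRV lookups
EXPECTED_MISS_PREFIXES = ("wpad.", "_ldap.", "ldap.")
ENTROPY_THRESHOLD = 3.5  # assumption: bits per character, tuned for this sample
MIN_LABEL_LEN = 12       # assumption: short labels give unreliable entropy

# Constructed records (not real log output); timestamps beyond the first are made up
HTTP_RECORDS = [
    {"ts": "2020-06-12T17:15:19Z", "src": "LAPTOP-5WKHX9YG", "host": "205.185.125.104",
     "uri": "/pQBtW", "mime": "application/x-dosexec", "filename": "june11.dll"},
    {"ts": "2020-06-12T17:15:40Z", "src": "LAPTOP-5WKHX9YG", "host": "snnmnkxdhflwgthqismb.com",
     "uri": "/", "mime": "text/html", "filename": ""},
    {"ts": "2020-06-12T17:16:02Z", "src": "DESKTOP-86J4BX", "host": "www.msftconnecttest.com",
     "uri": "/connecttest.txt", "mime": "text/plain", "filename": ""},
]
DNS_RECORDS = [
    {"ts": "2020-06-12T17:14:50Z", "src": "DESKTOP-86J4BX",
     "query": "ygrvqkgouzou.frank-n-ted.com", "rcode": "NXDOMAIN"},
    {"ts": "2020-06-12T17:14:51Z", "src": "DESKTOP-86J4BX",
     "query": "ldap.tcp.dc._msdcs.localdomain.frank-n-ted.com", "rcode": "NXDOMAIN"},
    {"ts": "2020-06-12T17:14:52Z", "src": "DESKTOP-86J4BX",
     "query": "wpad.frank-n-ted.com", "rcode": "NXDOMAIN"},
]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_bare_ip(host: str) -> bool:
    """True when the HTTP Host header is a literal IPv4/IPv6 address, i.e. no DNS was needed."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def looks_random(host: str) -> bool:
    """Flag long, high-entropy labels (TLD excluded) that resemble algorithmically generated names."""
    labels = host.lower().split(".")[:-1]
    return any(len(l) >= MIN_LABEL_LEN and shannon_entropy(l) >= ENTROPY_THRESHOLD for l in labels)


def triage_http(records):
    """Return (source host, finding kind, detail) tuples for suspicious HTTP records."""
    findings = []
    for r in records:
        if is_bare_ip(r["host"]):
            findings.append((r["src"], "http_to_bare_ip", r["host"] + r["uri"]))
        elif looks_random(r["host"]):
            findings.append((r["src"], "random_looking_host", r["host"]))
        if r["mime"] in EXEC_MIME or r["filename"].lower().endswith(EXEC_EXT):
            findings.append((r["src"], "executable_download", r["filename"] or r["uri"]))
    return findings


def triage_dns(records):
    """Separate expected NXDOMAIN noise from lookups of internal hostnames nobody should know."""
    findings = []
    for r in records:
        q = r["query"].lower()
        if r["rcode"] != "NXDOMAIN" or not q.endswith("." + INTERNAL_DOMAIN):
            continue
        kind = "nxdomain_expected_noise" if q.startswith(EXPECTED_MISS_PREFIXES) \
            else "nxdomain_unknown_internal_host"
        findings.append((r["src"], kind, q))
    return findings


def triage(http=HTTP_RECORDS, dns=DNS_RECORDS):
    """Run both passes over the sample records."""
    return triage_http(http) + triage_dns(dns)


if __name__ == "__main__":
    for src, kind, detail in triage():
        print(f"{src:16} {kind:32} {detail}")
```

Run against the constructed records, the HTTP pass reports the bare-IP request for /pQBtW, the june11.dll download and the high-entropy domain, while the DNS pass singles out ygrvqkgouzou as the one internal miss worth a closer look and files the wpad and SRV misses as ordinary lab noise. The connectivity-check record produces nothing, which is the point of keeping thresholds and allow-lists explicit: tune them on known-good traffic before trusting them on a case.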
In the next post, I will compare my answers to the actual answers and then do a tutorial on what traffic I decided to look at.