TekDefense PCAP Challenge Write-Up

Earlier this week TekDefense posted a cool network challenge. The instructions were basic: investigate an IDS alert by analyzing the provided PCAP, determine what happened, and share the findings.

I’ve done a couple of PCAP exercises from Brad Duncan here and here. Those analyses were related to incidents dealing with exploit kits so I thought this challenge would be a fun opportunity to practice analyzing other kinds of threats.

Overall, I feel confident with the high-level findings. But I struggled to piece together some (probably key) details, even after a lot of research. Also, I didn’t author any Yara or Snort rules. (This was a second part of TekDefense’s challenge; I ended up grabbing a Yara rule from an Akamai report.)

Any feedback or tips are welcome : )

So here's my write-up!

PCAP Analysis Practice

BLUF: I downloaded a PCAP from this exercise provided by @malware_traffic. I'm a Wireshark and PCAP n00b, but wanted to see how far I could get with an analysis I'm not used to doing. I think I did pretty well (I was pleased I was able to get one of the Level 3 questions), but got hung up on identifying the exact infection chain and series of redirects.

