DRIDEX - Traffic Analysis - DUALRUNNING

Mihika - Jun 11 - Dev Community

Let's start:

Downloading the Capture File and Understanding the Assignment

  1. Download the .pcap file from PCAP
  2. Familiarize yourself with the assignment instructions.

LAN segment data:

LAN segment range: 172.16.1[.]0/24 (172.16.1[.]0 through 172.16.1[.]255)
Domain: dualrunning[.]net
Domain controller: 172.16.1[.]2 - Dualrunning-DC
LAN segment gateway: 172.16.1[.]1
LAN segment broadcast address: 172.16.1[.]255

OUR TASK:

Write an incident report based on the pcap and the alerts.
The incident report should contain the following:
Executive Summary
Details (of the infected Windows host)
Indicators of Compromise (IOCs).

Analyzing Network Traffic with Basic Filters:

Basic Filter: (http.request || tls.handshake.type eq 1) && !(ssdp)

Upon inspection, a GET request to 185.21.216.153 on port 8088 stands out: it retrieves an Excel file, and the URL it was requested from is associated with the Dridex malware.

185.21.216.153 port 8088 - insiderushings.com:8088 - GET /wp-content/Receipt 9650354.xls?evagk=2MyeEdhGPszYX

Just below it we can see the URL for the initial Dridex DLL:

185.21.216.153 port 8088 - buyer-remindment.com:8088 - GET /templates/file6.bin

Dridex infection traffic consists of two parts:
• Initial infection activity.
• Post-infection C2 traffic.

You can identify the C2 traffic by looking for this pattern: it communicates directly with an IP address, so there is no server name (SNI) or host name associated with it, and it carries unusual certificate issuer data.

We found the following traffic going directly to IP addresses instead of domain names. This is most likely Dridex HTTPS C2 traffic:
• 202.29.60.34 port 443 - HTTPS traffic
• 72.11.131.199 port 443 - HTTPS traffic
• 207.244.250.103 port 443 - HTTPS traffic
• 45.145.55.170 port 453 - HTTPS traffic
• 84.232.252.62 port 443 - HTTPS traffic
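The "no server name" part of that pattern can be checked mechanically. The script below is an added example, not code from the original post: it parses the SNI extension out of raw TLS Client Hello bytes and flags sessions that carry none, which is exactly the direct-to-IP behaviour the filter above surfaces. The Client Hello bytes and the destination addresses are constructed for the example (RFC 5737 test ranges), not taken from the pcap; build_client_hello only exists to produce those fixtures.

```python
"""Added example: triage TLS Client Hellos for the direct-to-IP (no SNI) C2 pattern.

Constructed fixtures only; nothing here is taken from the write-up's pcap.
"""
import struct


def build_client_hello(sni=None):
    """Construct a minimal TLS 1.2 Client Hello record (test fixture, not real traffic)."""
    exts = b""
    if sni is not None:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension 0 = server_name
    exts += struct.pack("!HH", 0x0017, 0)  # extended_master_secret, so the parser must skip something
    body = (
        b"\x03\x03" + bytes(32)                # client_version, random
        + b"\x00"                              # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite
        + b"\x01\x00"                          # one compression method: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the server_name from a TLS Client Hello record, or None if it has no SNI."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a Client Hello")
    pos = 9 + 2 + 32                           # record + handshake headers, version, random
    pos += 1 + record[pos]                     # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
    pos += 1 + record[pos]                     # compression_methods
    if pos >= len(record):
        return None                            # no extensions block at all
    ext_len = struct.unpack_from("!H", record, pos)[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", record, pos)
        pos += 4
        if etype == 0x0000:                    # server_name: list len (2), type (1), name len (2), name
            name_len = struct.unpack_from("!H", record, pos + 3)[0]
            return record[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += elen
    return None


def triage_sessions(sessions):
    """sessions: (dst_ip, dst_port, client_hello_bytes). Returns (ip, port) of SNI-less sessions."""
    return [(ip, port) for ip, port, record in sessions if extract_sni(record) is None]


if __name__ == "__main__":
    # Constructed sessions: one name-based session and two direct-to-IP ones.
    sample_sessions = [
        ("192.0.2.10", 443, build_client_hello("www.example.com")),
        ("203.0.113.10", 443, build_client_hello()),
        ("203.0.113.11", 453, build_client_hello()),
    ]
    for ip, port in triage_sessions(sample_sessions):
        print(f"no SNI in Client Hello -> {ip} port {port}: review the certificate issuer")
```

A session flagged here is only a lead; the next step in the write-up, reviewing the issuer data in the server's Certificate message, is what separates Dridex C2 from the odd legitimate service that is addressed by IP.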

Apply this filter to review the certificate issuer for those suspected IP addresses.

Filter: tls.handshake.type eq 11

Select the packet, go to the frame details section and expand the following path:

TLS > TLSv1: Certificate > handshake protocol:certificate > certificates(__ bytes) > Certificates[truncated] > SignedCertificate > Issuer > rdnSequence

We also detected suspicious activity between the malicious source IP 81.17.23.125 and our compromised host 172.16.1.239. Although the Host line in the HTTP request headers indicated 81.17.23.125:2318, there was no corresponding traffic over TCP port 2318 in the pcap.

To investigate further, use the Wireshark filter ip.addr eq 81.17.23.125 && tcp.flags eq 0x0002 to find the TCP SYN segments that start each TCP stream to 81.17.23.125. Follow the TCP stream from each SYN segment to analyze the directory listing of the infected user's Documents directory.
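The Host-header mismatch above is a reusable detection: the port in the Host line should agree with the TCP port the request actually travelled on. The following script is an added example, not part of the original post; it enumerates stream starts the same way the tcp.flags eq 0x0002 filter does, then compares each request's Host header against the real destination port. The packets, request text and addresses are constructed for the example (RFC 5737 test ranges), not taken from the pcap.

```python
"""Added example: flag HTTP requests whose Host header port does not match the TCP port used.

Constructed sample data only; nothing here is taken from the write-up's pcap.
"""
import re

SYN = 0x0002  # tcp.flags value for a bare SYN, as in the Wireshark filter

# Host header: name or IP literal, optional :port; \s* absorbs the trailing \r before the newline.
HOST_RE = re.compile(rb"^Host:\s*(?P<host>[^\s:]+)(?::(?P<port>\d+))?\s*$",
                     re.IGNORECASE | re.MULTILINE)


def stream_starts(packets, peer_ip):
    """packets: (src_ip, src_port, dst_ip, dst_port, tcp_flags). Returns streams opened to peer_ip."""
    return [(src, sport, dst, dport) for src, sport, dst, dport, flags in packets
            if flags == SYN and dst == peer_ip]


def host_header(request_bytes):
    """Return (host, port) from the first Host header; port is None when the header has none."""
    m = HOST_RE.search(request_bytes)
    if not m:
        return None
    host = m.group("host").decode("ascii", "replace")
    port = int(m.group("port")) if m.group("port") else None
    return host, port


def find_host_port_mismatches(streams, default_port=80):
    """streams: (dst_ip, dst_port, request_bytes). Returns (dst_ip, dst_port, reason) anomalies."""
    anomalies = []
    for dst_ip, dst_port, request in streams:
        parsed = host_header(request)
        if parsed is None:
            anomalies.append((dst_ip, dst_port, "no Host header"))
            continue
        host, port = parsed
        claimed = default_port if port is None else port
        if claimed != dst_port:
            anomalies.append((dst_ip, dst_port,
                              f"Host says {host}:{claimed} but the request went to TCP port {dst_port}"))
    return anomalies


if __name__ == "__main__":
    # Constructed packets: two SYNs to the suspect peer, one unrelated SYN, one ACK-only segment.
    packets = [
        ("172.16.1.239", 49152, "203.0.113.9", 443, SYN),
        ("172.16.1.239", 49153, "203.0.113.9", 443, SYN),
        ("172.16.1.239", 49154, "192.0.2.10", 80, SYN),
        ("172.16.1.239", 49152, "203.0.113.9", 443, 0x0010),
    ]
    print("streams to suspect peer:", stream_starts(packets, "203.0.113.9"))

    # Constructed request samples: the second one claims a port that never saw traffic.
    streams = [
        ("192.0.2.10", 8088, b"GET /templates/file6.bin HTTP/1.1\r\nHost: example-host.test:8088\r\n\r\n"),
        ("203.0.113.9", 443, b"POST /index.php HTTP/1.1\r\nHost: 203.0.113.9:2318\r\nContent-Length: 0\r\n\r\n"),
        ("192.0.2.10", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ]
    for ip, port, reason in find_host_port_mismatches(streams):
        print(f"{ip}:{port} -> {reason}")
```

When the Host header names an IP literal with a port that never appears as a TCP destination, that alone is worth following the stream: legitimate clients fill the Host line from the URL they connected to, so a disagreement means the request was built by something other than a browser.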

For a deeper understanding of Dridex malware and its infection traffic, consider reading Brad Duncan's insightful article on Unit 42: Wireshark Tutorial: Dridex Infection Traffic.


Final report:

Executive Summary
On 2021-07-14 at approximately 20:31 UTC, a Windows host used by Samantha Reed was infected with Dridex malware.

Details
MAC address: 00:13:d4:10:05:25
IP address: 172.16.1.239
Host name: DEKSTOP-F3P7XLU
Windows user account: samantha.reed

Indicators of Compromise (IOCs)
Dridex C2 traffic:

202.29.60.34 port 443 - HTTPS traffic
72.11.131.199 port 443 - HTTPS traffic
207.244.250.103 port 443 - HTTPS traffic
45.145.55.170 port 453 - HTTPS traffic
84.232.252.62 port 443 - HTTPS traffic
81.17.23.125 port 443 - HTTPS traffic
