You are a newly hired Security Analyst at NeoCohorts, a mid-size technology company. During routine network monitoring, the SOC detected unusual network behavior on an internal host.
Multiple packet captures were taken across various network segments for further investigation. Detecting suspicious activities in chunked files is a great way to learn how to focus on the details.
Your task is to navigate through the assigned cases on the left, analyze the specific capture files using Wireshark, and extract the forensic artifacts.
Reconnaissance & Scans
Investigate the Nmap and ARP capture files to identify the attacker's scanning parameters and local network spoofing attempts.
A. Nmap Scan (Wireshark-scan/nmap/nmap-scan.pcap)
B. ARP Scan (Wireshark-scan/ARP/arp-scan.pcap)
Identity Protocols & Tunneling
Analyze the DHCP, NetBIOS, and Kerberos captures to map network identities. Then, investigate the ICMP and DNS files to identify data exfiltration tunneling.
C. DHCP, NetBIOS, Kerberos
Use wireshark-scan/dhcp-netbios-kerberos/dhcp-netbios.pcap for questions 1-3, and wireshark-scan/dhcp-netbios-kerberos/kerberos.pcap for questions 4-5.
D. DNS & ICMP Tunneling
Cleartext Protocols (FTP & HTTP)
Examine the unencrypted FTP traffic for unauthorized file uploads. Then, investigate the HTTP traffic for anomalous User-Agents and Log4j exploit attempts.
E. FTP (Wireshark/ftp/ftp.pcap)
F. HTTP (Wireshark-scan/http/user-agent.pcap & http.pcapng)
Encrypted Protocols (HTTPS)
Decrypt the traffic using the provided keys to expose the hidden HTTP2 packets and capture the final flag.
G. HTTPS Decryption (Wireshark-scan/https/https.pcap)