By Fabian Sybille March 12, 2022
Scenario

One of our web servers triggered an AV alert, but none of the sysadmins say they were logged onto it. We've taken a network capture before shutting the server down to take a clone of the disk. Can you take a look at the PCAP and see if anything is up?

Analysis

Immediately when looking at the PCAP, we can see a TCP three-way handshake taking place between 22.22.22.7 and 22.22.22.5, with the .7 address initiating it. The HTTP requests are also coming from the .7 address, which tells us that the .5 address is the web server. We also see a request for /upload.aspx. The .aspx extension tells us the server is likely running ASP.NET, so it is probably a Windows server.
By Fabian Sybille August 2, 2021
Scenario

The Security Operations Center at Defense Superior is monitoring the email gateway and network traffic of a customer, Crimeson LLC. One of the SOC team identified some anomalous traffic from the workstation of Josh Morrison, who works as a Junior Financial Controller. When contacted, Josh mentioned he received an email from an internal colleague asking him to download an invoice via a hyperlink and review it. The email read:

"There was a rate adjustment for one or more invoices you previously sent to one of our customers. The adjusted invoices can be downloaded via this [link] for your review and payment processing. If you have any questions about the adjustments, please contact me. Thank you. Jacob Tomlinson, Senior Financial Controller, Crimeson LLC."

The SOC team immediately pulled the email and confirmed it included a link to a malicious executable file. The Security Incident Response Team (SIRT) was activated and you have been assigned to lead the way and help the SOC uncover what happened. You have NetWitness and Wireshark in your toolkit to help find out what happened during this incident.

What is the full filename of the initial payload file?

The scenario says the invoice was downloaded via a hyperlink. The first thing that came to mind was a GET request to the URL behind the hyperlink, since a file download from a link shows up as an HTTP GET request for that URL. So I opened the PCAP in Wireshark and filtered for GET requests.
By Fabian Sybille July 14, 2021
Countdown is a Digital Forensics lab scenario by Blue Team Labs Online. This is a walkthrough of how I completed the lab.
By Fabian Sybille July 8, 2021
TrickBot was originally designed as a banking Trojan to steal financial data. It is a favorite of cybercriminals and is typically distributed via phishing campaigns.