Part A: NetFlow traffic. Import the VM Caine in your Virtual Box environment and read sections 2.4 and 2.7 in the file ENISA_Network_Incident_Response.pdf to understand how to analyze NetFlow...


Hello

Can you do this assignment?




Part A: NetFlow traffic

Import the VM Caine in your Virtual Box environment and read sections 2.4 and 2.7 in the file ENISA_Network_Incident_Response.pdf to understand how to analyze NetFlow traffic. The dumped network traffic is in the folder nfdump in your home.

1. Name 4 fields that can be found in a NetFlow packet.
2. The system ws1.example.com (192.168.5.100) was compromised on August 16th, 2016. Move to your home and execute the command below to get an overview (aggregate) by protocol. Capture a screenshot.
   nfdump -o long -R nfdump -A proto 'ip 192.168.5.100'
3. What would the command above look like to sort by number of packets in reverse order?
4. Capture a screenshot of the communication (not aggregated) from/to ws1.example.com with the highest number of packets.
5. Capture a screenshot of the TCP communications from the compromised system to the local network as destination, aggregated by source/destination IP.
6. Similarly, obtain the 5 most consuming TCP communications in terms of bytes with external IPs.
7. The top IP address from the previous question is very suspicious, because it ranks in amount of information (1.5 Gb in 1.1M packets) and it is located in a foreign country. What country? Prove it.
8. Dump all communications from the compromised endpoint to this suspicious IP, filtering by the date of the compromise. When did this endpoint start communicating on this day?

Part B: Traffic analysis with Wireshark

Open Wireshark in the Caine VM and import the file angrypoutine.pcap found in your home. It contains network traffic related to malware in the network 10.9.10.0/24, in which the domain controller ANGRYPOUTINE-DC (10.9.10.9) is found. Answer all questions below and provide a screenshot of your findings to prove your answer.

Tutorials: https://www.malware-traffic-analysis.net/tutorials/index.html

9. What is the IP address leased to the DHCP client?
10. What is its hostname?
11. Use the filter to visualize only packets originating from this endpoint.
12. Now focus on the first communication with an external IP. What are the destination IP and port?
13. Filter all traffic from/to this external IP and capture the first packet after the 3-way handshake. The packet's payload will contain a domain belonging to Microsoft Azure. Make sure it is shown in your screenshot.
14. The URL above does not seem suspicious. Clear the filter and visualize only HTTP packets. Then, move to the next external IP (after the one you already analyzed). This traffic is indeed suspicious. Why?
15. The response from the external server (HTTP code 200) contains the resource downloaded by the endpoint. It can be found in the center panel by clicking on "Media Type". What kind of file seems to have been downloaded? Is this suspicious? Why or why not?
16. All other communications in this filter seem legit. Write down the packet number (first column), then clear the filter and start over with another filter to see all outbound communications by HTTPS from the endpoint. What would the filter be?
17. Scroll down to the first packet after the one you wrote down. Make sure your screenshot includes the packet number and source/destination IP/port.
18. Why can you not analyze beyond the TCP header?
Part C: Analyzing a suspicious message

Consider the message and its header below:

Return-Path:
Delivered-To: [email protected]
Received: from dovdir4-asa-02o.email.Kiddikatz ([96.114.154.195]) by dovback4-asa-02o.email.Kiddikatz with LMTP id iI0bBuH+k1/kcgAA1Vbeiw (envelope-from ) for ; Sat, 24 Oct 2020 10:16:01 +0000
Received: from dovpxy-asc-13o.email.Kiddikatz ([96.114.154.195]) by dovdir4-asa-02o.email.Kiddikatz with LMTP id uKDkA+H+k1/wLgAApBwMGg (envelope-from ) for ; Sat, 24 Oct 2020 10:16:01 +0000
Received: from reszmta-po-01v.sys.Kiddikatz ([96.114.154.195]) by dovpxy-asc-13o.email.Kiddikatz with LMTP id 8EcmAeH+k1/DXgAAKsibjw (envelope-from ) for ; Sat, 24 Oct 2020 10:16:01 +0000
Received: from resimta-po-21v.sys.Kiddikatz ([96.114.154.149]) by reszmta-po-03v.sys.Kiddikatz with ESMTP id WGadkLSgbxSFOWGaekA6i1; Sat, 24 Oct 2020 10:16:00 +0000
Received: from yogarafi.de ([144.76.72.196]) by resimta-po-21v.sys.Kiddikatz with ESMTP id WGabkOpIji6AfWGadk3Lzc; Sat, 24 Oct 2020 10:16:00 +0000
X-CAA-SPAM: F00001
X-Meowkatz-VAAS: NOTE: Verification and Authentication Agents (VAAs).
X-Meowkatz-VMeta: sc=349.00;st=phishing
X-Meowkatz-Message-Heuristics: IPv6:N;TLS=1;SPF=2;DMARC=F
Received: by yogarafi.de (Postfix, from userid 1001) id 3A3D514C1A97; Sat, 24 Oct 2020 10:26:31 +0200 (CEST)
Received: from cpanel.net (unknown [180.214.239.14]) by yogarafi.de (Postfix) with ESMTPA id 2E88C14C1A7E for ; Sat, 24 Oct 2020 10:26:27 +0200 (CEST)
From: "Kiddikatz SERVER ADMIN"
To: Roxy@Kiddikatz
Subject: Email service expiration and deactivation Notification worning Roxy@Kiddikatz
Date: 24 Oct 2020 01:26:28 -0700
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

You will need the following tools:
• Email header analyzer: https://mxtoolbox.com/EmailHeaders.aspx
• Blocklist check: https://mxtoolbox.com/blacklists.aspx
• IP geolocation: https://www.iplocation.net/ip-lookup

1. List two ways to identify this email as legitimate.
2. List two ways to identify this email as suspicious.
3. Copy the header and paste it in the provided link for further analysis. Capture a screenshot.
4. What suspicious thing would you observe once you see the details?
5. Are you able to retrieve any blocklisted IP address? Check if your server is blocklisted. Capture the screenshots.
6. What is the country of the IP address that you found blocklisted?

Forensic analysis
Local Incident Response Toolset, Document for students
1.0, December 2016
European Union Agency For Network And Information Security
www.enisa.europa.eu

Forensic analysis 1.0 | December 2016

About ENISA
The European Union Agency for Network and Information Security (ENISA) is a centre of network and information security expertise for the EU, its member states, the private sector and Europe's citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security. It assists EU member states in implementing relevant EU legislation and works to improve the resilience of Europe's critical information infrastructure and networks. ENISA seeks to enhance existing expertise in EU member states by supporting the development of cross-border communities committed to improving network and information security throughout the EU. More information about ENISA and its work can be found at www.enisa.europa.eu.

Contact
For contacting the authors please use [email protected]. For media enquiries about this paper, please use [email protected].

Legal notice
Notice must be taken that this publication represents the views and interpretations of ENISA, unless stated otherwise. This publication should not be construed to be a legal action of ENISA or the ENISA bodies unless adopted pursuant to the Regulation (EU) No 526/2013. This publication does not necessarily represent state-of-the-art and ENISA may update it from time to time. Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the external sources including external websites referenced in this publication. This publication is intended for information purposes only. It must be accessible free of charge.
Neither ENISA nor any person acting on its behalf is responsible for the use that might be made of the information contained in this publication.

Copyright Notice
© European Union Agency for Network and Information Security (ENISA), 2016
Reproduction is authorised provided the source is acknowledged.

Table of Contents
1. Forward
2. Story that triggers incident handling and investigation processes
3. Environment preparation
4. Memory analysis
   Checking memory dump file
   Scanning memory with Yara rules
   Analysis of the process list
   Network artefacts analysis
5. Disk analysis
   Mounting Windows partition and creating timeline
   Antivirus scan
   Filesystem analysis
   Application logs analysis
   Decompiling Python executable
   Prefetch analysis
   System logs analysis
6. Registry analysis
   Copying and viewing registry
   Inspecting registry timeline
   UserAssist
   List of installed applications
7. Building the timeline

1. Forward
This three-day training module will follow the tracks of an incident handler and investigator, teaching best practices and covering both sides of the breach. It is technical in nature and has the aim to provide a guided training for both incident handlers and investigators while providing lifelike conditions. Training material mainly uses open source and free tools.

2. Story that triggers incident handling and investigation processes
The customer's organization has found out that some of its sensitive data has been detected in an online text sharing application. Due to the legal obligations and for business continuity purposes, the CSIRT team has been tasked to conduct an incident response and incident investigation to mitigate the threats.
The breach contains sensitive data and includes a threat notice that in a short while more data will follow. As the breach leads to a specific employee's computer, the CSIRT team, tasked to investigate the incident, follows the leads. Below is presented a simplified overview of the training technical setup.

[Figure: simplified overview of the training technical setup. Components: Workstation 1; Workstation/Phone 2; Compromised web-server (command and control server function); Compromised web-server (payload)]
Answered 3 days after Oct 27, 2022
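As an added example (not part of the assignment or of the answer below), the following Python walks the Received: chain of the Part C header the way the header-analyzer step asks you to, bottom hop first, and surfaces the points a defender would check: the originating client IP, the external relay that handed the message into the organisation (the IP to run through the blocklist and geolocation tools), and the verdicts the receiving filter already recorded. The header text is reconstructed from the assignment; the addresses lost in extraction, the X-Meowkatz-VAAS blob and two near-identical internal hops are omitted, and the organisation suffix .Kiddikatz is taken from the header.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the Part C header, minus the addresses lost in extraction,
# the X-Meowkatz-VAAS blob and two of the three near-identical internal LMTP hops.
RAW_HEADER = """\
Received: from dovpxy-asc-13o.email.Kiddikatz ([96.114.154.195]) by dovdir4-asa-02o.email.Kiddikatz with LMTP id uKDkA+H+k1/wLgAApBwMGg; Sat, 24 Oct 2020 10:16:01 +0000
Received: from resimta-po-21v.sys.Kiddikatz ([96.114.154.149]) by reszmta-po-03v.sys.Kiddikatz with ESMTP id WGadkLSgbxSFOWGaekA6i1; Sat, 24 Oct 2020 10:16:00 +0000
Received: from yogarafi.de ([144.76.72.196]) by resimta-po-21v.sys.Kiddikatz with ESMTP id WGabkOpIji6AfWGadk3Lzc; Sat, 24 Oct 2020 10:16:00 +0000
X-Meowkatz-VMeta: sc=349.00;st=phishing
X-Meowkatz-Message-Heuristics: IPv6:N;TLS=1;SPF=2;DMARC=F
Received: by yogarafi.de (Postfix, from userid 1001) id 3A3D514C1A97; Sat, 24 Oct 2020 10:26:31 +0200 (CEST)
Received: from cpanel.net (unknown [180.214.239.14]) by yogarafi.de (Postfix) with ESMTPA id 2E88C14C1A7E; Sat, 24 Oct 2020 10:26:27 +0200 (CEST)
From: "Kiddikatz SERVER ADMIN"
Subject: Email service expiration and deactivation Notification worning
Date: 24 Oct 2020 01:26:28 -0700
"""

def received_hops(raw):
    """Parse the Received: headers into dicts, ordered oldest hop (the origin) first."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        flat = " ".join(value.split())
        head, _, tail = (" " + flat).partition(" by ")  # head: "from <host> (...)", tail: "<relay> ..."
        src = re.match(r" from (\S+)", head)
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", head)
        hops.append({"from": src.group(1) if src else "", "ip": ip.group(1) if ip else None,
                     "rdns_unknown": "(unknown " in head, "by": tail.split()[0],
                     "time": parsedate_to_datetime(flat.rsplit(";", 1)[1])})
    return hops

def triage(raw, org_suffix=".Kiddikatz"):
    """Defender-side checks: true origin IP, external entry relay, and the filter's own verdicts."""
    msg = message_from_string(raw)
    hops = received_hops(raw)
    findings = []
    origin = next(h for h in hops if h["ip"])  # first hop that records a client IP
    if origin["rdns_unknown"]:
        findings.append(f"origin {origin['ip']} announced itself as {origin['from']} but has no reverse DNS")
    entry = next(h for h in hops if h["by"].endswith(org_suffix) and not h["from"].endswith(org_suffix))
    findings.append(f"entered {org_suffix[1:]} via external relay {entry['from']} [{entry['ip']}]: blocklist-check and geolocate it")
    if org_suffix[1:].lower() in msg["From"].lower():
        findings.append("From display name uses the org's name, yet the message arrived from outside the org")
    if "st=phishing" in msg["X-Meowkatz-VMeta"]:
        findings.append("the receiving filter already classified the message as phishing")
    heur = dict(kv.split("=") for kv in msg["X-Meowkatz-Message-Heuristics"].replace(":", "=").split(";"))
    if heur.get("DMARC") == "F":
        findings.append("DMARC=F: the filter recorded a DMARC failure")
    return {"origin_ip": origin["ip"], "entry_relay": entry["from"], "entry_ip": entry["ip"], "findings": findings}
```

Run `triage(RAW_HEADER)` to get the two IPs worth looking up and the list of findings; the "From" check is a heuristic on the display name only, since the real address was lost from the page.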


Deepak answered on Oct 28 2022
47 Votes
1.
SPF (Sender Policy Framework): pass (IP address): The SPF check for the message passed and contains the IP address of the sender. The client has been granted permission to send or relay email on behalf of the sender's domain.
Also, X-MS-Exchange-Organization-MessageDirectionality is used for antispam.
2.
SPF specifies a standard for adding a record to the Domain Name System (DNS) that identifies the existence of legitimate email servers. Receiving email servers that receive email from an SPF-protected email service must check the TXT records when doing a DNS lookup on the inbound email.
The SPF policy framework is both an...