In this post, we will work on a TryHackMe challenge that focuses on malicious network traffic analysis. We will use Wireshark to investigate a PCAP network file to ascertain certain information that will help address an incident.
Wireshark
Wireshark is a widely used, open source network analyzer that can capture and display real-time details of network traffic. It is particularly useful for troubleshooting network issues, analyzing network protocols and ensuring network security. Wireshark will help you capture network packets and display them at a granular level. Once these packets are broken down, you can use them for real-time or offline analysis. Hackers also use Wireshark to capture unencrypted traffic to gather as much information about a target as possible.
TryHackMe
Challenge Description
Eric Fischer from the Purchasing Department at Bartell Ltd has received an email from a known contact with a Word document attachment. Upon opening the document, he accidentally clicked on “Enable Content.” The SOC Department immediately received an alert from the endpoint agent that Eric’s workstation was making suspicious connections outbound. The PCAP file was retrieved from the network sensor and handed to you for analysis. Our task is to review the packet capture and uncover clues about the malicious activity.
You can find the TryHackMe room here.
The pcap carnage.pcap can be opened with a simple double click, and the traffic is then ready to be analyzed.
Let’s begin the traffic analysis
Q. What was the date and time for the first HTTP connection to the malicious IP? (answer format: yyyy-mm-dd hh:mm:ss)
The first thing we do is adjust the time column. Although the time is displayed, it is not in the format the question asks for. This can be changed by selecting the View tab, navigating to Time Display Format and selecting the format THM asks for. Our column now displays the frame time in the correct format. Next, we filter for HTTP packets to find the first connection, as asked.
A: 2021-09-24 16:44:38
Q. What is the name of the zip file that was downloaded?
With the date and time of the connection identified, the same packet can tell us more about what occurred if we follow the TCP stream. Since HTTP uses TCP as its transport protocol, we can view the requests and responses being made.
To follow a TCP stream, simply right-click a packet and select Follow → TCP Stream.
We can see a zip file being requested: documents.zip. The host downloaded the zip file from the /incidunt-consequatur/ directory on the web domain. Following the TCP stream displays the GET request to /incidunt-consequatur/ along with the name of the downloaded file.
A: documents.zip
Q. What was the domain hosting the malicious zip file?
Below the GET request, the Host header displays the name of the domain that is hosting the malicious file. We see the host providing the documents.zip file.
A: attirenepal.com
Q. Without downloading the file, what is the name of the file in the zip file?
The name of the file the attacker used to get macros enabled is displayed in the same stream. Looking at the HTTP/1.1 200 OK response gives us this information. Follow this stream, the conversation between source and destination, to see the content. Looking further down, we can see the contents of the zip file, including the name of the file inside it.
A: chart-1530076591.xls
Q. What is the name of the webserver of the malicious IP from which the zip file was downloaded?
Take a look at the response and you’ll find an HTTP Server header. Its value is LiteSpeed. This is the web server from which the file came.
A: LiteSpeed
Q. What is the version of the webserver from the previous question?
By looking at the headers of this HTTP response, we get to view the name of the server as well as the version.
A: PHP/7.2.34
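The following is an added example, not part of the original write-up or of the TryHackMe room: it reconstructs a stream shaped like the one followed above (request, response headers, and a zip body built in memory as a stand-in for the real attachment; the X-Powered-By header, the request path and the zip contents are assumptions) and pulls out the same artifacts the questions ask for, including the zip entry name read straight from the archive’s local file headers without extracting anything.

```python
import io
import struct
import zipfile

def build_sample_stream() -> bytes:
    """Constructed stand-in for the followed TCP stream: request, response headers
    and a tiny zip body. Header values are the ones the write-up reads; the zip
    content is a placeholder, not the real macro document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("chart-1530076591.xls", b"placeholder body")
    body = buf.getvalue()
    request = b"GET /incidunt-consequatur/documents.zip HTTP/1.1\r\nHost: attirenepal.com\r\n\r\n"
    response = (b"HTTP/1.1 200 OK\r\nServer: LiteSpeed\r\nX-Powered-By: PHP/7.2.34\r\n"
                b"Content-Type: application/zip\r\nContent-Length: %d\r\n\r\n" % len(body))
    return request + response + body

def zip_entry_names(body: bytes) -> list:
    """Walk the zip's local file headers (PK\\x03\\x04); entry names are stored in
    clear even when the member data is deflated, so no extraction is needed."""
    names, off = [], 0
    while body[off:off + 4] == b"PK\x03\x04":
        comp_size, name_len, extra_len = struct.unpack_from("<I4xHH", body, off + 18)
        names.append(body[off + 30:off + 30 + name_len].decode())
        off += 30 + name_len + extra_len + comp_size
    return names

def parse_stream(stream: bytes) -> dict:
    """Pull the artifacts asked for in the questions above out of the raw stream."""
    req_hdr, _, rest = stream.partition(b"\r\n\r\n")
    resp_hdr, _, body = rest.partition(b"\r\n\r\n")
    method, path, _ = req_hdr.split(b"\r\n")[0].decode().split(" ", 2)
    headers = {}
    for line in (req_hdr + b"\r\n" + resp_hdr).split(b"\r\n")[1:]:
        if b":" in line:
            key, value = line.decode().split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return {
        "zip_name": path.rsplit("/", 1)[-1],
        "host": headers.get("host"),
        "server": headers.get("server"),
        "powered_by": headers.get("x-powered-by"),
        "entries": zip_entry_names(body),
    }

if __name__ == "__main__":
    print(parse_stream(build_sample_stream()))
```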
Q. Malicious files were downloaded to the victim host from multiple domains. What were the three domains involved with this activity? Hint: check HTTPS traffic. Narrow down the timeframe from 16:45:11 to 16:45:30.
Moving forward with our investigation, THM gives us a hint to narrow our search down and pinpoint the set of domains from which malicious files were downloaded onto the victim’s workstation. We will narrow the capture down to just a few packets using a simple filter:
tls.handshake.type==1 and (frame.time >= "2021-09-24 16:45:11") && (frame.time <= "2021-09-24 16:45:30")
Where
tls.handshake.type
- HTTPS is a secure alternative to HTTP because it encrypts web traffic. It uses an encryption protocol known as TLS (Transport Layer Security). Older versions used SSL (Secure Sockets Layer).
- We use ==1 to specify the beginning of a TLS handshake, where the client sends a Client Hello to the server.
and
- A logical operator that joins two filter expressions; both must match.
frame.time
- Is used to specify a point in time in a pcap file; in this case, THM gives us two timestamps to bound our filter.
&&
- This is the same as the and operator. They can be used interchangeably.
The reason >= and <= are used is to specify the time frame as an inclusive range. We change these operators depending on the use case for the time frame.
Apply the filter and take a look at each frame. We can see the three domains by looking at the few packets the filter leaves. You can also look the domains up in VirusTotal to weed out the malicious ones.
A: finejewels.com.au, thietbiagt.com, new.americold.com
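As an added example (not from the original write-up), the code below does in Python what the display filter above does in Wireshark: it keeps only frames whose TLS record carries a handshake of type 1 (Client Hello) and whose timestamp falls inside the window, then reads the server name (SNI) from each, which is where the domain of an HTTPS connection is visible before encryption starts. The Client Hello builder, the frame list and its per-frame timestamps are constructed for the example.

```python
import struct
from datetime import datetime

def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS record holding a ClientHello whose only extension is SNI."""
    name = server_name.encode()
    sni = struct.pack("!BH", 0, len(name)) + name                 # host_name type, length, name
    ext = struct.pack("!HHH", 0, len(sni) + 2, len(sni)) + sni    # ext type 0, ext len, list len
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"        # version, zeroed random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"          # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # handshake type 1 = ClientHello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

def client_hello_sni(payload: bytes):
    """SNI host name if payload is a ClientHello (tls.handshake.type==1), else None."""
    if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    p = 43                                            # past record/handshake headers, version, random
    p += 1 + payload[p]                               # session id
    p += 2 + struct.unpack_from("!H", payload, p)[0]  # cipher suites
    p += 1 + payload[p]                               # compression methods
    ext_end = p + 2 + struct.unpack_from("!H", payload, p)[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack_from("!HH", payload, p)
        if etype == 0:                                # server_name extension
            name_len = struct.unpack_from("!H", payload, p + 7)[0]
            return payload[p + 9:p + 9 + name_len].decode()
        p += 4 + elen
    return None

def sni_in_window(frames, start: str, end: str) -> list:
    """Same selection as the display filter above: ClientHello frames in [start, end]."""
    fmt = "%Y-%m-%d %H:%M:%S"
    t0, t1 = datetime.strptime(start, fmt), datetime.strptime(end, fmt)
    return [name for ts, payload in frames
            if t0 <= datetime.strptime(ts, fmt) <= t1
            and (name := client_hello_sni(payload)) is not None]

# Constructed frames (timestamp, TCP payload): the three domains and the window come
# from the write-up, the individual timestamps and the extra frames do not.
FRAMES = [
    ("2021-09-24 16:45:12", build_client_hello("finejewels.com.au")),
    ("2021-09-24 16:45:15", b"\x17\x03\x03\x00\x05hello"),   # application data, not a hello
    ("2021-09-24 16:45:18", build_client_hello("thietbiagt.com")),
    ("2021-09-24 16:45:25", build_client_hello("new.americold.com")),
    ("2021-09-24 16:45:40", build_client_hello("late.example")),  # outside the window
]
```

Running sni_in_window(FRAMES, "2021-09-24 16:45:11", "2021-09-24 16:45:30") returns the three domains in the answer.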
Q. Which certificate authority issued the SSL certificate to the first domain from the previous question?
We can follow the TCP stream of the first domain from the filter we applied to view the certificate.
A: GoDaddy
Q. What are the two IP addresses of the Cobalt Strike servers? Use VirusTotal (the Community tab) to confirm if IPs are identified as Cobalt Strike C2 servers. (answer format: enter the IP addresses in sequential order). Hint: check the Conversations menu option.
C2 servers are the servers controlling the compromised machine. A command-and-control (C&C) server is a computer controlled by an attacker or cybercriminal which is used to send commands to systems compromised by malware and receive stolen data from a target network.
Cobalt Strike is adversary simulation software designed for red teams to test IT infrastructure for resilience against advanced cyberattacks. It emulates realistic threats in live exercises, enabling organizations to assess their vulnerabilities and better protect themselves. However, Cobalt Strike also introduces risk: because of its attack capabilities, threat actors abuse the tool to launch cyberattacks and infiltrate organizations’ networks.
The MITRE ATT&CK framework is a curated knowledge base that tracks the tactics and techniques used by threat actors. It highlights the techniques and methodologies attackers use against a machine and shows how to detect or stop them. Its Cobalt Strike entry shows that the tool communicates over HTTP and HTTPS, which we can use to narrow our search.
We will review the IP addresses that the victim machine communicated with via HTTP (ports 80 and 8000) and HTTPS (port 443). There were a number of addresses, but the majority of the traffic went to 185.106.96.158 and 185.125.204.174. We can head over to VirusTotal to check whether they are indeed malicious.
We see that 185.106.96.158 is flagged as malicious and identified as a Cobalt Strike server. We also checked the second IP, and the result was the same. Both are Cobalt Strike servers.
A: 185.106.96.158, 185.125.204.174
Q. What is the Host header for the first Cobalt Strike IP address from the previous question?
A: ocsp.verisign.com
Q: What is the domain name for the first IP address of the Cobalt Strike server? You may use VirusTotal to confirm if it’s the Cobalt Strike server (check the Community tab).
Q: What is the domain name of the second Cobalt Strike server IP? You may use VirusTotal to confirm if it’s the Cobalt Strike server (check the Community tab).
A: survmeter.live & securitybusinpuff.com
Q. What is the domain name of the post-infection traffic?
After a computer is compromised, it starts to send traffic to the C2 server, typically using the HTTP POST request method. We will therefore filter our traffic and look for POST requests:
http.request.method == "POST"
POST sends data to a server to create/update a resource.
A: maldivehost.net
Q: What are the first eleven characters that the victim host sends out to the malicious domain involved in the post-infection traffic?
Looking at the same stream conversation displays the data the victim host sent out, and with it the first characters we are asked for.
A: zLIisQRWZI9
Q: What was the length for the first packet sent out to the C2 server?
We can look at the Length column with the filter we applied to see the packet length.
A: 281
Q. What was the Server header for the malicious domain from the previous question?
Looking a bit further down from the same TCP stream we analyzed, we can see the name of the server.
A: Apache/2.4.49 (cPanel) OpenSSL/1.1.1l mod_bwlimited/1.4
Q: The malware used an API to check for the IP address of the victim’s machine. What was the date and time when the DNS query for the IP check domain occurred? (answer format: yyyy-mm-dd hh:mm:ss UTC)
Usually, when there’s a call-out to an API, you will find the term ‘api’ in the request. Since the question asks us to look at the DNS query for the API the malware used to check the victim workstation’s IP address, we can filter for DNS packets whose frame contains the word “api”. Our filter looks like this:
dns && frame contains "api"
With this filter applied, Wireshark searches the entire pcap for DNS frames that contain the string api anywhere in the frame.
A: 2021-09-24 17:00:04
Q. What was the domain in the DNS query from the previous question?
A: api.ipify.org
Q: Looks like there was some malicious spam (malspam) activity going on. What was the first MAIL FROM address observed in the traffic?
Mail traffic typically uses one of three protocols: SMTP, POP3 or IMAP. So we can filter by SMTP. We see a lot of SMTP traffic, so we narrow it down further by filtering on the MAIL FROM command:
smtp contains "MAIL FROM" or, more broadly, frame contains "MAIL FROM"
Note that contains is case-sensitive, so the string must match the capitalization used on the wire.
A: farshin@mailfa.com
Q. How many packets were observed for the SMTP traffic?
Head to Statistics → Protocol Hierarchy. The SMTP entry shows how many packets Wireshark parsed as SMTP.
A: 1439
Summary
Okay, that was a lot. Let’s summarise what we discovered from our findings.
The end user, Eric Fischer, extracted a downloaded zip file and opened a malicious Excel file containing macros. He enabled its content and, consequently, outbound connections were made to suspicious foreign domains to retrieve further malicious files. We found the IP addresses of the command and control servers used to exchange commands with the victim host. Data was also exfiltrated from the victim machine.
In conclusion, we used Wireshark to investigate the packet capture and uncover the malicious activities. Through careful analysis, we successfully traced the relevant artifacts and assembled a comprehensive investigation.