Welcome to the February 2023 Unit 42 Wireshark quiz. This blog presents a packet capture (pcap) of malicious activity and asks participants to write an incident report. A separate Unit 42 blog post will present the answers: an example of an incident report and detailed explanations for the report content.

These quizzes are designed for security professionals who investigate suspicious network activity, but anyone can participate. To get the most benefit, readers should understand basic network traffic concepts and be somewhat familiar with Wireshark. The material provides experience reviewing real-world traffic from a live setting.

This month's Wireshark quiz uses a pcap of infection activity from an Active Directory (AD) environment. The pcap contains real-world traffic from a simulated enterprise setting. Details of the local area network (LAN) from the pcap follow.

- Domain Controller host name: WORK4US-DC

This quiz requires Wireshark to review pcap files. However, Wireshark's default settings are not optimized for the web-based traffic commonly generated by malware, so we encourage participants in this quiz to customize Wireshark after installing it. To help, Unit 42 has published a series of tutorials and videos that include customizing Wireshark. We recommend using a 3.x or later version of Wireshark, since it has more features, capabilities and bug fixes than previous Wireshark versions.

Furthermore, we recommend using a non-Windows environment like BSD, Linux or macOS to analyze malicious traffic. Malware traffic can contain malicious code targeting Microsoft Windows, which presents a risk of infection if participants use a Windows computer to analyze the pcap.

To obtain the pcap for this month's quiz, visit our GitHub repository. Download the ZIP archive containing the pcap and extract the pcap file from the password-protected ZIP archive, as shown below in Figures 1 and 2. Use infected as the password to unlock the ZIP archive.

In this scenario, quiz participants provide an incident report to document the infection. Incident report formats vary depending on workplace requirements, so for this month's Unit 42 Wireshark quiz we recommend a generic format applicable to many situations. Our recommended incident report format contains the following three sections:

The executive summary is a paragraph describing the incident. It states the type of malicious activity and any corrective actions taken, and it should give the reader a clear idea of what happened.
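As an added example (not part of the Unit 42 quiz material or its GitHub repository), the Python script below performs the mechanical steps above before any packet is opened in Wireshark: it extracts the pcap from the archive while refusing ZIP entries whose names would escape the working directory, confirms by magic number that the extracted file is a classic pcap, and then walks the file with a hand-written parser to tally IPv4 conversations so the LAN details can be confirmed against the list above. The archive name, the 10.0.0.x addresses and the three frames are constructed for the demonstration and are not from the quiz pcap. Python's zipfile module can read but not write encrypted archives, so the constructed ZIP is unencrypted; the `infected` password is passed through and is only consulted for encrypted entries, as it would be with the real quiz archive.

```python
"""Pre-Wireshark triage of a malware pcap shipped in a password-protected ZIP.
Added example, not from the Unit 42 quiz; frames and 10.0.0.x addresses are constructed."""
import struct
import tempfile
import zipfile
from collections import Counter
from pathlib import Path

# Classic pcap magic numbers, mapped to the struct byte-order prefix they imply.
PCAP_MAGIC = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = b"\x08\x00"


def safe_extract_pcap(zip_path, dest_dir, password=b"infected"):
    """Extract the single .pcap member, refusing entry names that escape dest_dir.
    Untrusted archives can carry "../evil.pcap"; the result's pcap magic is also verified."""
    dest = Path(dest_dir).resolve()
    dest.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(zip_path) as zf:
        pcaps = []
        for info in zf.infolist():
            if info.is_dir():
                continue
            if dest not in (dest / info.filename).resolve().parents:
                raise ValueError(f"refusing traversal entry: {info.filename}")
            if info.filename.lower().endswith(".pcap"):
                pcaps.append(info)
        if len(pcaps) != 1:
            raise ValueError(f"expected exactly one .pcap, found {len(pcaps)}")
        zf.extract(pcaps[0], dest, pwd=password)  # pwd only applies to encrypted entries
    out = dest / pcaps[0].filename
    if out.read_bytes()[:4] not in PCAP_MAGIC:
        raise ValueError("extracted file is not a classic pcap")
    return out


def summarize_pcap(pcap_path):
    """Walk the pcap records by hand; tally IPv4 src->dst pairs and IP protocol numbers."""
    data = Path(pcap_path).read_bytes()
    order = PCAP_MAGIC.get(data[:4])
    if order is None:
        raise ValueError("not a classic pcap file")
    # Global header after the magic: major, minor, thiszone, sigfigs, snaplen, linktype
    *_, linktype = struct.unpack(order + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    pairs, protocols, packets, off = Counter(), Counter(), 0, 24
    while off + 16 <= len(data):
        # Record header: ts_sec, ts_frac, incl_len, orig_len
        _, _, incl_len, _ = struct.unpack(order + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet record")  # capture was cut short
        off += 16 + incl_len
        packets += 1
        if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
            continue  # ARP, IPv6, VLAN-tagged frames are counted but not tallied
        ip = frame[14:]
        if ip[0] >> 4 != 4 or (ip[0] & 0x0F) * 4 < 20:
            continue  # malformed IPv4 header
        protocols[ip[9]] += 1
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        pairs[(src, dst)] += 1
    return {"packets": packets, "linktype": linktype, "pairs": pairs, "protocols": protocols}


def build_sample_pcap():
    """Constructed sample: a client <-> DC UDP/53 exchange plus one ARP frame."""
    def ipv4_udp(src, dst, sport, dport, payload):
        eth = bytes.fromhex("001122334455" "66778899aabb") + ETHERTYPE_IPV4
        udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        return eth + ip + udp
    arp = b"\xff" * 6 + bytes.fromhex("66778899aabb") + b"\x08\x06" + b"\x00" * 28
    frames = [ipv4_udp("10.0.0.5", "10.0.0.2", 50000, 53, b"\x00" * 12),
              ipv4_udp("10.0.0.2", "10.0.0.5", 53, 50000, b"\x00" * 12), arp]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_675_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def demo(member_name="sample.pcap"):
    """Write the sample pcap into a ZIP under member_name, extract it safely, summarize it."""
    with tempfile.TemporaryDirectory() as work:
        archive = Path(work) / "sample.zip"
        with zipfile.ZipFile(archive, "w") as zf:
            zf.writestr(member_name, build_sample_pcap())
        return summarize_pcap(safe_extract_pcap(archive, Path(work) / "extracted"))


def extraction_rejected(member_name):
    """True if the demo archive with this member name is refused by safe_extract_pcap."""
    try:
        demo(member_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), "traversal rejected:", extraction_rejected("../escape.pcap"))
```

Run against the real quiz archive by replacing the constructed ZIP with the downloaded one: `safe_extract_pcap("archive.zip", "work")` followed by `summarize_pcap(...)`. The src/dst tally is a quick way to confirm the LAN segment and pick out the host that every other host talks to on port 53 and 389 (typically the domain controller) before filtering in Wireshark; the parser deliberately handles only classic pcap on Ethernet and raises on anything else rather than guessing.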