Link for Data
https://www.malware-traffic-analysis.net/2018/07/15/index.html
Scenario
You have received alerts on bittorrent traffic from 10.0.0.201 on your organization's network. Torrent traffic is often associated with file sharing of copyright-protected content; however, many cases of torrent traffic are perfectly legal (like this traffic analysis exercise). Characteristics of your network are:
LAN segment: 10.0.0.0/24 (10.0.0.0 through 10.0.0.255) Broadcast address: 10.0.0.255 Domain controller: 10.0.0.2 (DogOfTheYear-DC) Domain: dogoftheyear.net
Questions
What is the MAC address of the computer at 10.0.0.201?
Source: Msi_18:66:c8 (00:16:17:18:66:c8)
What is the host name of the computer at 10.0.0.201?
Solution: The host name is
BLANCO-DESKTOPip.addr==10.0.0.201 && nbns
What is the Windows user account name for the computer at 10.0.0.201?
Potential filter idea:
nbnsPotential filter idea:
smbPotential filter idea:
kerberos contains blancoSolution:
elmber blancoFound with filter:
kerberos.CNameStringis the Microsoft Windows version (XP, 7, 8, or 10) of the computer at 10.0.0.201?
Solution: Widows 10
Source: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
Find with filter: `http && ip.src==10.0.0.201torrent file did the user at 10.0.0.201 download?
Potential filter idea:
http && ip.dst==10.0.0.201Betty_Boop_Rhythm_on_the_Reservation.avi.torrenthttp contains .torrentis the name of the torrent client used on 10.0.0.201?
Potential idea:
bittorrent && ip.src==10.0.0.201bittorrent.info_hash(http contains scrape or http contains announce) and http.requestfile is being seeded (shared) by the torrent client on 10.0.0.201?
Solution:
ubuntu-18.04-desktop-amd64e4be9e4db876e3e3179778b03e906297be5c8dbehttp.request.uri contains announce or http.request.uri contains scrape