Advent of Cyber 2023 — Day 17 Writeup with Answers by Karthikeyan Nagaraj | TryHackMe Walkthrough
2023-12-22 13:14:51 Author: infosecwriteups.com

TryHackMe — Traffic Analysis [ I Tawt I Taw a C2 Tat! ] —Suspicious traffic points to the C2 server. Help McSkidy with traffic flow analysis to gather more information!

Karthikeyan Nagaraj

InfoSec Write-ups


  1. Scenario
  2. Learning Objectives
  3. Understanding Concept
  4. Pre-Requisites
  5. Challenge Tasks — Answers
  6. Video PoC — https://youtu.be/VcJjyeznFaU

Congratulations, you made it to Day 17! The story, however, is just getting started. There are more things to discover, examine, and analyze!

Until now, you have worked with multiple events, including prompt injection, log analysis, brute force, data recovery, exploitation, data exfiltration, suspicious drives, malware, injection, account takeover, phishing, and machine learning concepts. Yes, there are tons of anomalies, indicators of attack (IoA), and indicators of compromise (IoC). Santa’s Security Operations Centre (SSOC) needs to see the big picture to identify, scope, prioritise, and evaluate these anomalies in order to manage the ongoing situation effectively.

So, how can we zoom out a bit and create a timeline to set the investigation’s initial boundaries and scope? McSkidy decides to focus on network statistics. When there are many network artefacts, it is sensible to look at inbound and outbound traffic volumes and load statistics to form a hypothesis.

Now it’s time to help the SSOC team by quickly checking network traffic statistics to gain insight into the ongoing madness! Let’s go!

  • Gain knowledge of the network traffic data format
  • Understand the differences between full packet captures and network flows
  • Learn how to process network flow data
  • Discover the SiLK tool suite
  • Gain hands-on experience in network flow analysis with SiLK

Network Traffic Data

The network data is everywhere. It is all around us. Even now in this very task.

Network communication and traffic are the natural behaviours of today’s interconnected computing world. These behaviours represent a constant data flow of daily activities, including personal interactions and business transactions. That data flow offers invaluable insights for network management, troubleshooting, incident response, and threat hunting.

  • Network flow data, in other words, provides only a “summary” of the traffic; the details appear much as call details appear on a phone bill. There are no packet content (payload) details in this format, which is why storing, processing, and analysing flow data is easier than working with PCAPs.

It looks like this data format will help the team accomplish the task McSkidy assigned to them!
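To make the “phone bill” comparison concrete, here is an added example (not SiLK or TryHackMe code) that collapses a handful of constructed packet headers into unidirectional flow records of the kind NetFlow, IPFIX and SiLK store: a 5-tuple key, packet and byte counts, OR’d TCP flags, start time and duration. The packet list, the addresses in it and the 30-second idle timeout are all assumptions made for the example; nothing here comes from the challenge file.

```python
"""Packet headers -> unidirectional flow records, NetFlow/IPFIX style.

Added example (not SiLK or TryHackMe code): shows what a flow "summary" keeps
and what it throws away. Only header fields are aggregated; payload is never
stored, which is why flow data is far cheaper to keep than full PCAP.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

IDLE_TIMEOUT_S = 30.0    # assumption: a gap longer than this closes the record
FLAG_ORDER = "FSRPAUEC"  # order in which SiLK prints TCP flags


@dataclass
class Flow:
    sip: str
    dip: str
    sport: int
    dport: int
    proto: int
    packets: int = 0
    bytes: int = 0
    flags: Set[str] = field(default_factory=set)
    stime: float = 0.0
    etime: float = 0.0

    @property
    def duration(self) -> float:
        return self.etime - self.stime

    @property
    def flag_str(self) -> str:
        return "".join(c for c in FLAG_ORDER if c in self.flags)


FlowKey = Tuple[str, str, int, int, int]

# Constructed sample: a DNS lookup, a short HTTP exchange, and a much later
# reuse of the same TCP 5-tuple. Not real traffic; payload is not even present.
SAMPLE_PACKETS = [
    {"ts": 100.000, "sip": "10.0.0.5", "dip": "10.0.0.53", "sport": 51000, "dport": 53, "proto": 17, "length": 60},
    {"ts": 100.020, "sip": "10.0.0.53", "dip": "10.0.0.5", "sport": 53, "dport": 51000, "proto": 17, "length": 76},
    {"ts": 100.050, "sip": "10.0.0.5", "dip": "93.184.216.34", "sport": 40000, "dport": 80, "proto": 6, "length": 60, "flags": "S"},
    {"ts": 100.080, "sip": "93.184.216.34", "dip": "10.0.0.5", "sport": 80, "dport": 40000, "proto": 6, "length": 60, "flags": "SA"},
    {"ts": 100.081, "sip": "10.0.0.5", "dip": "93.184.216.34", "sport": 40000, "dport": 80, "proto": 6, "length": 52, "flags": "A"},
    {"ts": 100.082, "sip": "10.0.0.5", "dip": "93.184.216.34", "sport": 40000, "dport": 80, "proto": 6, "length": 300, "flags": "PA"},
    {"ts": 100.120, "sip": "93.184.216.34", "dip": "10.0.0.5", "sport": 80, "dport": 40000, "proto": 6, "length": 1200, "flags": "PA"},
    {"ts": 100.121, "sip": "10.0.0.5", "dip": "93.184.216.34", "sport": 40000, "dport": 80, "proto": 6, "length": 52, "flags": "FA"},
    {"ts": 100.150, "sip": "93.184.216.34", "dip": "10.0.0.5", "sport": 80, "dport": 40000, "proto": 6, "length": 52, "flags": "FA"},
    {"ts": 200.000, "sip": "10.0.0.5", "dip": "93.184.216.34", "sport": 40000, "dport": 80, "proto": 6, "length": 60, "flags": "S"},
]


def aggregate(packets: List[dict], idle_timeout: float = IDLE_TIMEOUT_S) -> List[Flow]:
    """Collapse packet headers into flows keyed by the unidirectional 5-tuple.

    A packet arriving more than idle_timeout after the previous one on the same
    5-tuple starts a new record, as a flow exporter's idle timer would.
    """
    finished: List[Flow] = []
    active: Dict[FlowKey, Flow] = {}
    for p in sorted(packets, key=lambda x: x["ts"]):
        key: FlowKey = (p["sip"], p["dip"], p["sport"], p["dport"], p["proto"])
        flow = active.get(key)
        if flow is not None and p["ts"] - flow.etime > idle_timeout:
            finished.append(flow)  # expired: emit it and start a fresh record
            flow = None
        if flow is None:
            flow = Flow(*key, stime=p["ts"], etime=p["ts"])
            active[key] = flow
        flow.packets += 1
        flow.bytes += p["length"]
        flow.flags |= set(p.get("flags", ""))
        flow.etime = p["ts"]
    finished.extend(active.values())
    return sorted(finished, key=lambda f: f.stime)


def as_rows(flows: List[Flow]) -> List[tuple]:
    """Render flows the way rwcut lists them: one header-only line per flow."""
    return [(f.sip, f.dip, f.sport, f.dport, f.proto, f.packets, f.bytes,
             f.flag_str, round(f.stime, 3), round(f.duration, 3)) for f in flows]


if __name__ == "__main__":
    for row in as_rows(aggregate(SAMPLE_PACKETS)):
        print("|".join(str(c) for c in row))
```

Ten packets become five records: the DNS query and reply are one flow each, the HTTP conversation is one flow per direction (note the flags column, where a completed handshake shows S and A together), and the stray SYN at t=200 becomes its own record because the idle timer expired. That is exactly the view rwcut gives you of a .silk file: enough to spot who talked to whom, how much and when, with no payload to inspect.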

Getting Started With the SiLK Suite

The SiLK suite has two parts: the packing system and the analysis suite. The packing system supports the collection of multiple network flow types (IPFIX, NetFlow v9, and NetFlow v5) and stores them in binary files. The analysis suite contains the tools needed to carry out various operations (list, sort, count, and statistics) on network flow records. The analysis tools also support Linux CLI pipes, allowing you to create sophisticated queries.

  1. Start the TryHackMe VPN or start the AttackBox
  2. Open Split Screen and click View in Full Screen if needed
  3. Open a terminal and navigate to the Desktop: cd Desktop

1. Which version of SiLK is installed on the VM?

Run rwfileinfo against the flow file; the silk-version field in its header summary gives the version

rwfileinfo suspicious-flows.silk

Ans: 3.19.1

2. What is the size of the flows in the count records?

The count-records field of the same rwfileinfo output gives the number of flow records in the file

rwfileinfo suspicious-flows.silk

Ans: 11774

3. What is the start time (sTime) of the sixth record in the file?

Print the first six records and read the sTime column of the last one

rwcut suspicious-flows.silk --num-recs=6

Ans: 2023/12/05T09:33:07.755

4. What is the destination port of the sixth UDP record?

Filter the file down to UDP (protocol 17), pipe the matches to rwcut, and read the dPort column of the sixth record

rwfilter suspicious-flows.silk --proto=17 --pass=stdout | rwcut --fields=protocol,sIP,sPort,dIP,dPort --num-recs=6

Ans: 49950

5. What is the record value (%) of the dport 53?

Use rwstats to rank destination ports by record count; the output includes each port’s share of all records as a percentage

rwstats suspicious-flows.silk --fields=dPort --values=records --count=5

Ans: 35.332088

6. What is the number of bytes transmitted by the top talker on the network?

Rank source addresses by total bytes; the first row is the top talker and its Bytes column is the answer

rwstats suspicious-flows.silk --fields=sIP --values=bytes --count=5 --top

Ans: 735229

7. What is the sTime value of the first DNS record going to port 53?

Filter on the source address below and destination port 53, then list the matching records; the first line holds the sTime value

rwfilter suspicious-flows.silk --saddress=175.175.173.22 --dport=53 --pass=stdout | rwcut --fields=sIP,dIP,sTime | head -10

Ans: 2023/12/08T04:28:44.825

8. What is the IP address of the host that the C2 potentially controls? (In defanged format: 123[.]456[.]789[.]0 )

======================================================
Ans: Use your skills and try to find this one yourself.

If you cannot,

use the video PoC linked in the contents above to find the answer.
=======================================================

9. Which IP address is suspected to be the flood attacker? (In defanged format: 123[.]456[.]789[.]0 )

Rank flows by source, TCP flags and destination; a flood source stands out as one address sending a very large number of flows with only the SYN flag (S) set. Filtering on that address confirms the pattern

rwfilter suspicious-flows.silk --saddress=175.215.236.223 --pass=stdout | rwstats --fields=sIP,flags,dIP --count=10

Ans: 175[.]215[.]236[.]223

10. What is the sent SYN packet’s number of records?

Rank source/destination/port combinations by record count; the top row belongs to the flood source and its Records column is the answer

rwstats suspicious-flows.silk --fields=sIP,dIP,dPort --values=records --count=10

Ans: 1658
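The analysis-suite operations described above (filter, then list, count or rank, joined by pipes) and the questions just worked through all reduce to a few table operations over flow records. The following is an added example, written for this writeup and not part of SiLK or of the challenge: it parses a constructed rwcut-style listing and reimplements the rwfilter, rwstats, first-record and SYN-flood steps in plain Python so you can see what each command is actually computing. The column layout mimics rwcut’s default output; the addresses, ports and byte counts are made up (documentation ranges), and the five-flow threshold in syn_only_sources is an assumption.

```python
"""rwfilter/rwstats-style triage over rwcut text. Added example, not SiLK code.

Reimplements the operations the walkthrough chains together: filter by column
value, top-N by records or bytes with a percentage of the total, earliest
matching record, and the flood pattern (one source emitting many SYN-only TCP
flows). SAMPLE is constructed to look like rwcut output; it is not the
challenge file.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

SAMPLE = """\
       sIP|          dIP|sPort|dPort|pro|packets| bytes|flags|                  sTime|  dur|                  eTime|sensor|
 10.10.1.5|   10.10.1.53|51000|   53| 17|      1|    60|     |2023/12/05T09:00:00.000|0.000|2023/12/05T09:00:00.000|    S0|
10.10.1.53|    10.10.1.5|   53|51000| 17|      1|    76|     |2023/12/05T09:00:00.020|0.000|2023/12/05T09:00:00.020|    S0|
 10.10.1.5| 198.51.100.9|40000|  443|  6|     12|  4200|FS PA|2023/12/05T09:00:01.000|0.500|2023/12/05T09:00:01.500|    S0|
198.51.100.9|  10.10.1.5|  443|40000|  6|     10| 98000|FS PA|2023/12/05T09:00:01.030|0.470|2023/12/05T09:00:01.500|    S0|
 10.10.1.5|   10.10.1.53|51001|   53| 17|      1|    62|     |2023/12/05T09:05:00.000|0.000|2023/12/05T09:05:00.000|    S0|
203.0.113.77|  10.10.1.5|44001|   80|  6|      1|    60|S    |2023/12/05T09:10:00.000|0.000|2023/12/05T09:10:00.000|    S0|
203.0.113.77|  10.10.1.5|44002|   80|  6|      1|    60|S    |2023/12/05T09:10:00.001|0.000|2023/12/05T09:10:00.001|    S0|
203.0.113.77|  10.10.1.5|44003|   80|  6|      1|    60|S    |2023/12/05T09:10:00.002|0.000|2023/12/05T09:10:00.002|    S0|
203.0.113.77|  10.10.1.5|44004|   80|  6|      1|    60|S    |2023/12/05T09:10:00.003|0.000|2023/12/05T09:10:00.003|    S0|
203.0.113.77|  10.10.1.5|44005|   80|  6|      1|    60|S    |2023/12/05T09:10:00.004|0.000|2023/12/05T09:10:00.004|    S0|
"""

Record = Dict[str, str]


def parse_rwcut(text: str) -> List[Record]:
    """Parse '|'-delimited rwcut-style output; the first line names the columns."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].strip().strip("|").split("|")]
    records = []
    for ln in lines[1:]:
        cells = [c.strip() for c in ln.strip().strip("|").split("|")]
        if len(cells) != len(header):
            raise ValueError(f"malformed record: {ln!r}")
        records.append(dict(zip(header, cells)))
    return records


def rwfilter(records: List[Record], **conditions) -> List[Record]:
    """Keep records whose columns equal the given values, e.g. pro=17, dPort=53."""
    return [r for r in records if all(r[k] == str(v) for k, v in conditions.items())]


def rwstats(records: List[Record], key: str, value: str = "records",
            count: int = 5) -> List[Tuple[str, int, float]]:
    """Top-N keys by record count or by a numeric column sum, with percent of total."""
    totals: Counter = Counter()
    for r in records:
        totals[r[key]] += 1 if value == "records" else int(r[value])
    grand = sum(totals.values()) or 1
    return [(k, v, round(100.0 * v / grand, 6)) for k, v in totals.most_common(count)]


def first_record(records: List[Record], **conditions) -> Record:
    """Earliest matching record; rwcut's sTime format sorts correctly as text."""
    return min(rwfilter(records, **conditions), key=lambda r: r["sTime"])


def syn_only_sources(records: List[Record], min_flows: int = 5) -> Dict[str, Tuple[int, int]]:
    """Sources with at least min_flows TCP flows carrying only the SYN flag.

    Returns {sIP: (records, distinct dIP:dPort targets)}. Many SYN-only flows to
    one target looks like a half-open flood; many distinct targets looks like a
    SYN scan. A completed handshake carries S and A, so it never matches.
    The min_flows threshold is an assumption to tune per network.
    """
    seen = defaultdict(lambda: [0, set()])
    for r in records:
        if r["pro"] == "6" and set(r["flags"].replace(" ", "")) == {"S"}:
            seen[r["sIP"]][0] += 1
            seen[r["sIP"]][1].add((r["dIP"], r["dPort"]))
    return {s: (n, len(t)) for s, (n, t) in seen.items() if n >= min_flows}


def defang(ip: str) -> str:
    """Write an address in the 123[.]456[.]789[.]0 form the challenge asks for."""
    return ip.replace(".", "[.]")


if __name__ == "__main__":
    recs = parse_rwcut(SAMPLE)
    print("top dPort by records:", rwstats(recs, "dPort", count=3))
    print("top talker by bytes:", rwstats(recs, "sIP", value="bytes", count=1))
    print("first DNS record:", first_record(recs, dPort=53)["sTime"])
    for src, (n, targets) in syn_only_sources(recs).items():
        print(f"SYN-only flood candidate {defang(src)}: {n} flows to {targets} target(s)")
```

Read against the questions: rwstats on dPort with records as the value is the percentage question, rwstats on sIP with bytes is the top-talker question, first_record with dPort=53 is the first-DNS question, and syn_only_sources is the flood check. In real SiLK, the same SYN-only selection can be done in rwfilter with its TCP-flag options before piping to rwstats, which is cheaper than ranking every flow first.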

Source: https://infosecwriteups.com/advent-of-cyber-2023-day-17-writeup-with-answers-by-karthikeyan-nagaraj-tryhackme-walkthrough-fbbbab5be4b0?source=rss----7b722bfd1b8d---4