Walkthrough

1. Introduction

No hints needed!

2. What is the Purpose of Network Traffic Analysis?

  • What is the name of the technique used to smuggle C2 commands via DNS?

=> Answer: DNS Tunneling

3. What Network Traffic Can We Observe?

  • Look at the HTTP example in the task and answer the following question: What is the size of the ZIP attachment included in the HTTP response? Note down the answer in bytes.

=> Answer: 10485760

  • Which attack do attackers use to try to evade an IDS?

=> Answer: fragmentation

  • What field in the TCP header can we use to detect session hijacking?

=> Answer: sequence number

4. Network Traffic Sources and Flows

  • Which category of devices generates the most traffic in a network?

=> Answer: endpoint

  • Before an SMB session can be established, which service needs to be contacted first for authentication?

=> Answer: kerberos

  • What does TLS stand for?

=> Answer: Transport Layer Security

5. How Can We Observe Network Traffic?

  • What is the flag found in the HTTP traffic in scenario 1? The flag has the format THM{}.

=> Answer: THM{FoundTheMalware}

  • What is the flag found in the DNS traffic in scenario 2? The flag has the format THM{}.

=> Answer: THM{C2CommandFound}

6. Conclusion

No hints needed!