RogueOne (HTB-Sherlocks)
It's that time again, let's dig into another investigation. This time it looks like we will be digging into memory forensics.
Okay, let's get back into it! Time for another Sherlock investigation.
The IDS device alerted us to a possible rogue device in the internal Active Directory network. The Intrusion Detection System also indicated signs of LLMNR traffic, which is unusual. It is suspected that an LLMNR poisoning attack occurred. The LLMNR traffic was directed towards Forela-WKstn002, which has the IP address 172.17.79.136. A limited packet capture from the surrounding time is provided to you, our Network Forensics expert. Since this occurred in the Active Directory VLAN, it is suggested that we perform network threat hunting with the Active Directory attack vector in mind, specifically focusing on LLMNR poisoning.
Okay, so in the zip file for the Sherlock we have a single .pcap file, which means we will be flexing our Wireshark/tcpdump skills in this investigation.
Okay, so I just discovered Hack The Box Sherlocks. They are Blue Team focused labs that test your SOC Analyst skills, useful for sharpening and demonstrating knowledge and skills. There look to be a lot of them, which is great, so I decided to jump right in and take a stab at the first lab, a retired lab called Reaper.