Scenario

A SOC Analyst at Umbrella Corporation is going through SIEM alerts and sees an alert for connections to a known malicious domain. The traffic is coming from the computer of Sara, an Accountant who receives a large volume of emails from customers daily. Looking at the email gateway logs for Sara's mailbox, there is nothing immediately suspicious, with emails coming from customers. Sara is contacted via her phone and states that a customer sent her an invoice that had a document with a macro; she opened the email and the program crashed. The SOC Team retrieved a PCAP for further analysis.

https://blueteamlabs.online/home/challenge/network-analysis-malware-compromise-e882f32908


1- What’s the private IP of the infected host?

10.11.27.101

In the very first packets we see this IP resolving and contacting a suspicious domain. Looking the domain up shows it is flagged as malicious and that this host actually downloaded a file from it, so 10.11.27.101 is the victim.

2- What’s the malware binary that the macro document is trying to retrieve?

spet10.spr

I first asked which protocol was used to retrieve the file. Wireshark's Protocol Hierarchy shows HTTP as the only application-layer protocol in the capture, so the download has to be an HTTP GET request, and the request URI of that GET names the binary.
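As an added example (not part of this writeup or of the challenge files), the script below does the same triage offline over a handful of constructed TCP payloads: it carves HTTP request lines out of payloads the way the http.request display filter does, then answers the three pivots used here (which client talked to the known-bad domain, which file names it pulled, and which Host values served GET /images/). All hostnames, server IPs and URI paths are placeholders; only the victim IP 10.11.27.101 and the file name spet10.spr come from the writeup.

```python
"""Minimal HTTP-request carving over captured TCP payloads (added example).

Mirrors the manual Wireshark steps: Protocol Hierarchy -> http.request filter
-> read Host and request URI -> pivot on client IP / file name / path prefix.
"""
import re
from collections import Counter
from posixpath import basename
from urllib.parse import urlsplit

# Only a payload that *starts* with a request line is an HTTP request;
# responses ("HTTP/1.1 200 OK") and binary protocols never match.
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]\r\n")

# CONSTRUCTED sample traffic: (src_ip, dst_ip, dst_port, tcp_payload).
# 10.11.27.101 and spet10.spr come from the writeup; every hostname, server IP
# and path is a placeholder chosen for this example.
SAMPLE_PACKETS = [
    # ordinary browsing by the victim
    ("10.11.27.101", "198.51.100.5", 80,
     b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    # the macro's download stage
    ("10.11.27.101", "203.0.113.10", 80,
     b"GET /spet10.spr HTTP/1.1\r\nHost: malicious.example\r\n"
     b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)\r\n\r\n"),
    # two internal hosts fetching images from a CDN (query string included)
    ("10.11.27.55", "198.51.100.9", 80,
     b"GET /images/logo.png?v=2 HTTP/1.1\r\nHost: cdn.example\r\n\r\n"),
    ("10.11.27.101", "198.51.100.9", 80,
     b"GET /images/banner.gif HTTP/1.1\r\nHost: cdn.example\r\n\r\n"),
    # TLS ClientHello on 443: not HTTP, must be skipped by the parser
    ("10.11.27.101", "198.51.100.7", 443,
     b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    # the server's response carrying the binary: a response, not a request
    ("203.0.113.10", "10.11.27.101", 49152,
     b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nMZ\x90\x00"),
]


def parse_http_request(payload):
    """Return {'method', 'uri', 'host'} for a payload beginning with an HTTP
    request line, or None for responses, fragments and non-HTTP data."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return None
    method, uri = m.group(1).decode(), m.group(2).decode()
    head, _, _ = payload.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    # Prefer the Host header; fall back to an absolute-form request URI.
    host = headers.get("host") or urlsplit(uri).netloc or None
    return {"method": method, "uri": uri, "host": host}


def http_requests(packets):
    """Equivalent of the 'http.request' display filter over the packet list."""
    records = []
    for src, dst, dport, payload in packets:
        req = parse_http_request(payload)
        if req:
            path = urlsplit(req["uri"]).path          # drops any ?query
            records.append({"src": src, "dst": dst, "dport": dport,
                            "method": req["method"], "host": req["host"],
                            "path": path, "filename": basename(path)})
    return records


def clients_contacting(records, bad_hosts):
    """Q1 pivot: which internal IPs sent requests to the known-bad domain(s)?"""
    return Counter(r["src"] for r in records if r["host"] in bad_hosts)


def files_fetched_from(records, bad_hosts):
    """Q2 pivot: file names requested from the bad domain(s), in capture order."""
    return [r["filename"] for r in records
            if r["host"] in bad_hosts and r["filename"]]


def hosts_serving_prefix(records, prefix):
    """Q3 pivot: Host values that received GET requests under a path prefix."""
    return sorted({r["host"] for r in records
                   if r["method"] == "GET" and r["path"].startswith(prefix)})


if __name__ == "__main__":
    recs = http_requests(SAMPLE_PACKETS)
    bad = {"malicious.example"}          # placeholder for the real IOC domain
    print("infected host(s):", dict(clients_contacting(recs, bad)))
    print("retrieved file(s):", files_fetched_from(recs, bad))
    print("domains with GET /images/:", hosts_serving_prefix(recs, "/images/"))
```

The parser is deliberately strict about the request line so that the TLS ClientHello and the server's 200 response are dropped, which is the same separation Protocol Hierarchy gives you for free; on a real capture you would feed it reassembled TCP streams (for example from tshark -z follow or a pcap library) rather than hand-built payloads.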

3- From what domain are the HTTP requests with GET /images/ coming?