Scenario

Investigate some simple network activity in Wireshark! You can launch Wireshark in a terminal with the command 'wireshark'. The questions are mapped to the four PCAPs on the Desktop.

https://blueteamlabs.online/home/investigation/piggy-aij2bd8h2


PCAP One) What remote IP address was used to transfer data over SSH? (Format: X.X.X.X)

35.211.33.16

Filter on 'ssh' and we see that only one external IP is communicating with the SSH server.

PCAP One) How much data was transferred in total? (Format: XXXX M)

1131M

Statistics → Endpoints shows the total bytes for each address.
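The same two lookups done programmatically, as an added example that is not part of the original writeup or the lab: a small pure-Python pcap reader that approximates the 'ssh' display filter (Wireshark matches port 22 by default, which is assumed here) and the per-address byte totals of Statistics → Endpoints, run over a constructed capture rather than the lab PCAP.

```python
import struct
from collections import Counter

def build_frame(src, dst, sport, dport, payload_len):
    """Constructed Ethernet/IPv4/TCP frame (sample input, not taken from the lab PCAPs)."""
    ip4 = lambda a: bytes(map(int, a.split(".")))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0, 64, 6, 0, ip4(src), ip4(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + b"\x00" * payload_len

def build_pcap(frames):
    """Classic pcap: 24-byte global header (linktype 1 = Ethernet), 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def iter_frames(pcap):
    """Yield each captured frame; the magic number reveals the writer's byte order."""
    endian, off = ("<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        yield pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def parse_ipv4_tcp(frame):
    """Return (src, dst, sport, dport, frame_len) for an IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return src, dst, sport, dport, len(frame)

def analyze(pcap, ssh_port=22):
    """Emulate the 'ssh' filter (port 22, as Wireshark assumes) and Statistics -> Endpoints."""
    ssh_clients, endpoint_bytes = set(), Counter()
    for pkt in filter(None, map(parse_ipv4_tcp, iter_frames(pcap))):
        src, dst, sport, dport, n = pkt
        endpoint_bytes.update({src: n, dst: n})  # bytes sent + received, like the Endpoints tab
        if ssh_port in (sport, dport):
            ssh_clients.add(src if dport == ssh_port else dst)  # the side that is not the server
    return ssh_clients, endpoint_bytes

# Constructed capture: one SSH session plus unrelated HTTPS traffic, using TEST-NET addresses.
SAMPLE_PCAP = build_pcap([
    build_frame("203.0.113.7", "192.0.2.10", 51000, 22, 100),
    build_frame("192.0.2.10", "203.0.113.7", 22, 51000, 1000),
    build_frame("192.0.2.10", "198.51.100.1", 40000, 443, 46),
])
```

Call analyze() on the bytes of a real capture file to get the SSH peer set and the byte totals; sorting the Counter with most_common() reproduces the Endpoints view ordered by bytes.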

PCAP Two) Review the IPs the infected system has communicated with. Perform OSINT searches to identify the malware family tied to this infrastructure (Format: MalwareName)