The SOC received an alert in their SIEM for ‘Local to Local Port Scanning’ where an internal private IP began scanning another internal system. Can you investigate and determine if this activity is malicious or not? You have been provided a PCAP, investigate using any tools you wish.
**https://blueteamlabs.online/home/challenge/network-analysis-web-shell-d4d3a2821b**


A good place to start in network analysis is to understand which hosts are communicating within the packet capture. Navigating to Statistics -> Conversations and selecting the TCP tab lists every TCP conversation by endpoint pair and port.
It can be seen in the image that the IP address ‘10.251.96.4’ has a separate short conversation, of only a couple of TCP packets, with almost every port of the IP address ‘10.251.96.5’. Many tiny conversations from one source to consecutive destination ports on one target is the characteristic signature of a port scan: the scanner sends a SYN to each port and the target answers with a SYN/ACK (open) or RST/ACK (closed), so no conversation ever carries real data.

Sorting the conversation list on Port B in ascending and then descending order shows the first and last ports that were scanned.

Filtering the packet list on SYN packets from 10.251.96.4 confirms this: a huge number of SYNs, one to each destination port, with no completed handshakes.
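The same reasoning the Conversations view supports (group packets by endpoint pair, count probed ports, note which ports answered SYN/ACK versus RST/ACK) can be written as a small detector. The following is an added example, not part of the original write-up or the challenge material: it runs over a constructed list of packet records (source, destination, source port, destination port, TCP flag string) that imitates a SYN scan of ports 1-100 from 10.251.96.4 against 10.251.96.5 with ports 22 and 80 "open", plus one ordinary handshake from a third host that the detector should ignore. The record layout, the third host's address and the threshold of 20 ports are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample traffic (NOT the challenge PCAP): a SYN scan of ports 1-100
# from 10.251.96.4 to 10.251.96.5, with 22 and 80 replying SYN/ACK, plus one
# benign handshake from an assumed third host 10.251.96.9 for contrast.
SCANNER, TARGET, CLIENT = "10.251.96.4", "10.251.96.5", "10.251.96.9"
OPEN_PORTS = {22, 80}


def constructed_packets():
    """Build (src, dst, sport, dport, flags) records; flags use tshark-style letters."""
    pkts = []
    for dport in range(1, 101):
        sport = 40000 + dport
        pkts.append((SCANNER, TARGET, sport, dport, "S"))
        if dport in OPEN_PORTS:
            pkts.append((TARGET, SCANNER, dport, sport, "SA"))
            pkts.append((SCANNER, TARGET, sport, dport, "R"))   # half-open scan tears down
        else:
            pkts.append((TARGET, SCANNER, dport, sport, "RA"))  # closed port
    # Benign: full three-way handshake followed by data from the client.
    pkts += [
        (CLIENT, TARGET, 51000, 443, "S"),
        (TARGET, CLIENT, 443, 51000, "SA"),
        (CLIENT, TARGET, 51000, 443, "A"),
        (CLIENT, TARGET, 51000, 443, "PA"),
    ]
    return pkts


def tcp_conversations(packets):
    """Group packets by unordered endpoint pair, like Statistics -> Conversations -> TCP."""
    convs = defaultdict(list)
    for src, dst, sport, dport, flags in packets:
        key = tuple(sorted([(src, sport), (dst, dport)]))
        convs[key].append((src, flags))
    return convs


def detect_port_scans(packets, min_ports=20):
    """Return {(scanner, target): summary} for every pair where one host sent
    initial SYNs to at least min_ports distinct destination ports."""
    probes = defaultdict(dict)  # (src, dst) -> {dport: reply flags or None}
    for src, dst, sport, dport, flags in packets:
        if flags == "S":  # bare SYN = connection attempt initiated by src
            probes[(src, dst)].setdefault(dport, None)
    for src, dst, sport, dport, flags in packets:
        # A reply travels target -> scanner; its source port is the probed port.
        pair = (dst, src)
        if pair in probes and sport in probes[pair] and flags in ("SA", "RA"):
            probes[pair][sport] = flags
    results = {}
    for (scanner, target), ports in probes.items():
        if len(ports) < min_ports:
            continue
        results[(scanner, target)] = {
            "ports_probed": len(ports),
            "first_port": min(ports),
            "last_port": max(ports),
            "open": sorted(p for p, r in ports.items() if r == "SA"),
            "closed": sum(1 for r in ports.values() if r == "RA"),
            "no_reply": sum(1 for r in ports.values() if r is None),
        }
    return results


if __name__ == "__main__":
    pkts = constructed_packets()
    print(f"{len(tcp_conversations(pkts))} TCP conversations")
    for (scanner, target), summary in detect_port_scans(pkts).items():
        print(f"{scanner} -> {target}: {summary}")
```

On a real capture the same per-pair table can be produced with `tshark -r capture.pcap -q -z conv,tcp` and fed to the detector after parsing, but the key design choice is the one above: count only bare SYNs as probes, so a chatty but legitimate client with many packets to one port never trips the rule, while a scanner that sends one SYN per port does, whether or not the target answers.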