TekDefense

I Wanted to send a big thanks out to everyone who sent solutions in for the Network challenge. While there were many responses, two (2) stood out amongst the rest. I don't plan on doing prizes for all of these contests, but I was so impressed by these responses, that I wanted to do something special on this ocassion. The winners of this first challenge are:

• First Place: @dfir_it ($150 amazon Gift Card) Solution is below
• Second Place: @CYINT_DUDE ($50 Amazon Gift Card) Solution

The first place solution is so well written, that I figured it was worth posting in it's entirety here (with permission from the author of course). See below for the solution, and keep any eye on dfir.it where the author intends to post more details on how he arrived at the answers you see below.

@dfir_it Winning Contest Submission:

One of my favorite sites is "Malware Traffic Analysis" where the author routinely posts network challenges. In the spirit of contributing to this effort of providing material for analysts to sharpen their skills, I developed a challenge focused around a popular scenario I often come across in research and other analysis efforts. As a heads up, any malware you may come across in the analysis of this PCAP is in fact real malware. Please take care in how you analyze. 

When reviewing this PCAP and writing your response please keep in mind what you would really want in an investigation. The questions I ask at the end of this article are intentionally vague, as I didn't want to give too much away with the questions. What I am hoping to see in responses is that the analysts are able to adequately tell a story of what likely occurred, identify network and host indicators that can help further scope this incident, and write detection rules in the detection languages of their choice to find future instances of this activity. 

PCAP DOWNLOAD

The due date for submissions is September 25, 2016. Enjoy!

Scenario:

Client provides a PCAP involving all traffic they have from a victim Linux server.  A snort signature alerted for files downloaded from an HFS server. The client does not have any other context to provide. Other than the following is the Snort Signature that was alerted on:

alert tcp any any -> any any (msg:"HFS [File Download]";flow:to_client,established; content:"HFS 2.";distance:0; content:"HFS_SID="; classtype:suspicious; sid:999999; rev:1;)

Objective:

1. Determine what likely occurred based on the evidence from the PCAP.
2. Identify any network and/or host artifacts that could be used to scope this incident further.
3. If applicable, write detection signatures (snort/suricata/yara) to increase coverage for this type of activity. 

Submissions:

Feel free to submit your responses directly to NetChallenge[at]tekdefense.com or comment on this blog post with a link to your own article with a response. I'll review responses, and perhaps give out a few prizes to those with great writeups.