LAB 7: NETWORK FORENSICS - LATERAL MOVEMENT DETECTION


Objectives

1. Review Security Onion alerts for initial compromise
   Hint: Check the Network Monitor tab. Look for high-severity alerts related to exploit attempts.
2. Identify the attacker's entry point IP and method
   Hint: Examine the "MS17-010 EternalBlue" alert details. Note the source IP and the internal host it targeted; that host is the first pivot point.
3. Track lateral movement via SMB connections
   Hint: Use tshark: tshark -r capture.pcap -Y "smb2". Look for one internal host opening SMB2 sessions to many other hosts in a short window (fan-out). Normal file-share use is many clients to a few servers; lateral movement is the reverse.
4. Identify compromised credentials
   Hint: Use tshark -r capture.pcap -Y "kerberos" to find unusual Kerberos activity: ticket requests for an account that does not normally authenticate from the compromised host, or a single account requesting service tickets for many different hosts.
5. Detect data staging
   Hint: Look for large file transfers to an internal staging server. tshark -r capture.pcap -Y "smb2.filename" lists the file names referenced by SMB2 operations; archive names (.zip, .7z, .rar) written to one host by several other hosts are a strong indicator.
6. Identify exfiltration channel
   Hint: Check for DNS tunneling. Export only the query names so the length test applies to the name itself rather than to the whole packet summary line (which is almost always longer than 50 characters and would match everything): tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.name | grep -E '.{50,}'. Long or high-entropy subdomains sent at a steady rate to one external domain indicate data leaving inside the queries.
7. Map full attack path on network diagram
   Hint: In the Network Monitor tab, click on compromised hosts to mark the attack path visually.
8. Document all IOCs and affected systems
   Hint: Review the Evidence Timeline tab to compile all findings.
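The SMB and DNS hunts in objectives 3, 5 and 6 become repeatable once the relevant packet fields are exported with tshark -T fields and scored by a script instead of read by eye. The following Python is an added example written for this page, not code from the lab platform; it runs on constructed sample records embedded below rather than on the lab capture, uses the capture name from the hints (capture.pcap), and the thresholds (three targets, one megabyte, 40-character labels, 3.5 bits of entropy) are illustrative starting points, not tuned values.

```python
"""Repeatable checks for objectives 3, 5 and 6 over `tshark -T fields` output.

Assumed export pipeline (tab-separated, one record per line):
  tshark -r capture.pcap -Y "smb2.cmd == 1 && !smb2.flags.response" \
      -T fields -e ip.src -e ip.dst -e ntlmssp.auth.username > smb_sessions.tsv
  tshark -r capture.pcap -Y "smb2.cmd == 9 && !smb2.flags.response" \
      -T fields -e ip.src -e ip.dst -e smb2.filename -e smb2.write_length > smb_writes.tsv
  tshark -r capture.pcap -Y "dns.flags.response == 0" \
      -T fields -e ip.src -e dns.qry.name > dns_queries.tsv
(SMB2 command 1 is Session Setup, 9 is Write.)
"""
import math
from collections import defaultdict

# Constructed sample records standing in for the three exports above; hosts,
# accounts, file names and domains are invented and are not from the lab capture.
SMB_SESSIONS = """\
10.0.1.50\t10.0.1.10\tCORP\\jsmith
10.0.1.50\t10.0.1.11\tCORP\\svc_backup
10.0.1.50\t10.0.1.12\tCORP\\svc_backup
10.0.1.50\t10.0.1.13\tCORP\\svc_backup
10.0.1.50\t10.0.1.20\tCORP\\svc_backup
10.0.1.77\t10.0.1.10\tCORP\\mlee
"""
SMB_WRITES = """\
10.0.1.12\t10.0.1.20\t\\staging\\finance.7z\t1048576
10.0.1.12\t10.0.1.20\t\\staging\\finance.7z\t1048576
10.0.1.13\t10.0.1.20\t\\staging\\hr_export.7z\t2097152
10.0.1.77\t10.0.1.10\t\\shares\\notes.txt\t4096
"""
DNS_QUERIES = """\
10.0.1.20\tupdate.microsoft.com
10.0.1.20\tmfrgg43uorsxe5dsmfxhgzlqn5zgk4tfmfrcau3bmjqwwzlt.cdn-telemetry.net
10.0.1.77\twww.example.com
10.0.1.20\tnfxgs4ldmvqxg5lqovzxgzltpfzsa43fmnzgk5a6n5xgk33u.cdn-telemetry.net
10.0.1.77\tmail.corp.local
10.0.1.20\tkrsxg5btorzgs3thonswg43fmrsxizltnfxxe3dtnfzgk4tf.cdn-telemetry.net
"""


def parse_tsv(text, ncols):
    """Split tshark field output; an absent field is exported as an empty column."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            cols = line.split("\t")
            rows.append(cols + [""] * (ncols - len(cols)))
    return rows


def smb_fanout(text, min_targets=3):
    """Objective 3: sources that opened SMB2 sessions to many distinct hosts.
    Returns {src: {"targets": [...], "accounts": [...]}} for flagged sources."""
    targets, accounts = defaultdict(set), defaultdict(set)
    for src, dst, user in parse_tsv(text, 3):
        targets[src].add(dst)
        if user:
            accounts[src].add(user)
    return {s: {"targets": sorted(t), "accounts": sorted(accounts[s])}
            for s, t in targets.items() if len(t) >= min_targets}


def staging_hosts(text, min_bytes=1_000_000):
    """Objective 5: destinations receiving large SMB2 Write volume, with the
    writers and file names involved (archives written by several hosts stand out)."""
    total, writers, files = defaultdict(int), defaultdict(set), defaultdict(set)
    for src, dst, name, length in parse_tsv(text, 4):
        total[dst] += int(length or 0)
        writers[dst].add(src)
        if name:
            files[dst].add(name)
    return {d: {"bytes": b, "writers": sorted(writers[d]), "files": sorted(files[d])}
            for d, b in total.items() if b >= min_bytes}


def shannon_entropy(s):
    """Bits per character; encoded payloads score far above real host names."""
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def dns_tunnel_candidates(text, max_label=40, min_entropy=3.5, min_unique=3):
    """Objective 6: parent domains receiving many distinct long or high-entropy
    subdomains. The test is applied to the query name only, never to the whole
    tshark summary line."""
    subs, clients = defaultdict(set), defaultdict(set)
    for src, qname in parse_tsv(text, 2):
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue
        parent, sub = ".".join(labels[-2:]), ".".join(labels[:-2])
        if max(len(lab) for lab in labels[:-2]) >= max_label or shannon_entropy(sub) >= min_entropy:
            subs[parent].add(sub)
            clients[parent].add(src)
    return {p: {"unique_subdomains": len(v), "clients": sorted(clients[p])}
            for p, v in subs.items() if len(v) >= min_unique}


if __name__ == "__main__":
    print("lateral movement:", smb_fanout(SMB_SESSIONS))
    print("staging:", staging_hosts(SMB_WRITES))
    print("dns tunneling:", dns_tunnel_candidates(DNS_QUERIES))
```

On the sample data the three checks line up into one story: 10.0.1.50 fans out to five hosts under two accounts (the second account appearing mid-sweep is the credential to look for in objective 4), two of those hosts write archives to 10.0.1.20, and 10.0.1.20 is the only client sending 48-character subdomains to cdn-telemetry.net. Against a real export, replace the embedded strings with open(...).read() of the three .tsv files.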
Lab interface tabs: Network Monitor (Security Onion Alert Console and Network Topology panels), Analyst Terminal, Evidence Timeline.

Network Forensics Analyst Terminal. Connected to: packet_capture.pcap (2.3 GB capture file). Analysis tools: tshark, tcpdump, wireshark. Type 'help' for available commands.
analyst@secops:~$

Attack Timeline & Evidence

Indicators of Compromise (IOCs)

  • Attacker IP: Unknown
  • Entry Method: Unknown
  • Compromised Account: Unknown
  • Staging Server: Unknown
  • Exfiltration Method: Unknown
  • Affected Systems: Unknown
