Tools:
THE PLAYERS
Tom and Jake are recent hires at your organization's Security Operations Center (SOC). Due to their different personalities, they've earned the nickname "Goofus and Gallant" after a cartoon from the magazine Highlights for Children. Tom is Goofus. Jake is Gallant.

THE STORY
On the Tuesday before Thanksgiving, Tom and Jake are working at the SOC. Tom brought his Windows laptop to the office, and he plans to browse the web. Jake is hard at work reviewing alerts.

Jake's holiday plans are set, and he's happy with the frozen turkey he purchased from the supermarket. Tom's more of a "turkey enthusiast." He wants to hunt and kill a turkey for his Thanksgiving meal.
To pursue his holiday plans, Tom decides to purchase a shotgun. He fires up his Windows laptop, connects to the SOC's Wi-Fi, and starts researching shotguns online.
It's not long before Tom's computer triggers some alerts for suspicious network activity. After those alerts, his laptop crashes!

THE AFTERMATH
You're the supervisor for both Goofus and Gallant. Tom, the Goofus, will likely be fired at some point due to his poor work ethic. Jake is certainly gallant, but he's still a relatively inexperienced analyst. You'll have to figure out what happened to Tom's laptop.
You check Tom's machine and quickly find a suspicious registry entry. It looks like Goofus infected his laptop. The SHA256 hash of the file referenced in the registry entry is: d16ad130daed5d4f3a7368ce73b87a8f84404873cbfc90cc77e967a83c947cd2

Next, you review the network alerts. Unfortunately, your organization is too cheap to pay for a commercial intrusion detection system (IDS). Fortunately, lower-cost solutions have been implemented. You have access to Snort alerts generated with the Snort registered ruleset. You also have access to Suricata alerts generated with the EmergingThreats free ruleset.

