This lab focuses on the forensic investigation of a network intrusion targeting a honeypot system, where an attacker exploits a vulnerability to gain unauthorized access, execute malicious code, and establish remote control. By analyzing the provided PCAP (packet capture) file, we will reconstruct the attack sequence, identify key artifacts, and uncover the tactics used by the attacker. The investigation requires a deep dive into network forensics, exploit analysis, and malware behavior, making use of industry-standard tools such as Wireshark, scdbg and IP intelligence services.
The attack follows a structured flow, beginning with network reconnaissance and progressing through initial access, remote code execution, and persistence mechanisms. Evidence of automated exploitation attempts is present, hinting at the use of a pre-built exploit script or malware framework. A key objective of this analysis is to determine the source of the attack, the methods used to exploit the target, and any indicators of compromise (IOCs) left behind. The presence of DCE/RPC traffic over SMB, along with specific encoded payloads, suggests a well-known historical exploit commonly used in remote Windows attacks. As the investigation progresses, deeper forensic techniques will be applied, such as extracting and analyzing malicious payloads, decoding shellcode behavior, and identifying obfuscation techniques used by the attacker. The discovery of encoded execution traces, function resolution patterns, and memory manipulation techniques will provide insight into how the exploit was delivered and executed. Additionally, tracking the attack's footprint through external services like VirusTotal
will help correlate known malwar