In this lab, we investigate a suspected malware infection in a corporate environment, analyzing captured network traffic to establish the root cause of the compromise. The scenario centres on Tom, an employee who inadvertently introduced a threat while browsing the internet from his Windows laptop. The organization's Security Operations Center (SOC) quickly raised alerts on his activity, and his machine later crashed, prompting an incident response investigation. Our goal is to examine the network traffic, identify the malicious activity, and determine the nature of the infection. The investigation primarily involves analyzing a provided PCAP file with Wireshark and NetworkMiner. These tools let us dissect packets, extract artifacts such as downloaded files and hostnames, and reconstruct the sequence of events leading to the infection. We will look for indicators of compromise (IOCs), including suspicious HTTP traffic, potential exploit delivery mechanisms, and signs of malware execution. We will also trace external communications, focusing on the malicious domains contacted, exploit kit activity, and the redirection techniques the attacker used to steer the browser from a legitimate site to the exploit landing page.
Through this analysis, we will uncover how Tom's machine was compromised, identify the techniques used by the attacker, and link the activity to known cyber threats. This lab reinforces the importance of network-based threat hunting, traffic analysis, and understanding how attackers leverage exploit kits and malicious scripts to gain access to vulnerable systems. By the end of this investigation, we will have a comprehensive understanding of the infection chain, allowing us to apply practical defensive strategies to prevent similar incidents in real-world environments.