Introduction

In this lab, we investigate unusual network activity detected within a university environment, raising concerns about potential malicious behavior. The anomalies, observed in the last six hours, hint at possible command and control (C2) communications, suggesting that an external actor may have compromised the network. As part of the incident response team, your task is to analyze network traffic logs using Splunk to uncover the scope and nature of this suspicious activity.

Throughout this walkthrough, we will leverage Suricata and Zeek logs to track unauthorized access attempts, identify suspicious file downloads, and trace the infrastructure used by the attacker. By correlating HTTP, DNS, and file transfer logs, you will uncover vital indicators of compromise (IOCs), such as malicious IP addresses, domains, and file hashes. This investigation will guide you in pinpointing the origin of the attack, identifying the systems targeted, and evaluating the potential damage caused by the breach.
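The correlation described above can be reproduced outside Splunk as well. The following Python script is an added example, not part of the BlueYard lab or its data: it joins Zeek `files.log` to `http.log` on the connection `uid`, then ties the HTTP `host` back to the `dns.log` query that resolved it, and collects domains, IPs and hashes from transfers whose MIME type looks like an executable. Every log line, IP, hostname and hash in it is a constructed placeholder.

```python
"""Correlate Zeek http.log, files.log and dns.log (JSON lines) into IOCs.

Added example, not part of the BlueYard lab. All log lines below are
constructed samples in Zeek's JSON output format; the hosts, IPs and
hashes are placeholders, not indicators from the lab data.
"""
import json
from collections import defaultdict

# Constructed Zeek JSON log lines (one record per line). Values are made up.
DNS_LOG = """
{"ts":1700000000.1,"uid":"CdnsA1","id.orig_h":"10.0.5.23","id.resp_h":"10.0.0.2","query":"update.example-cdn.test","qtype_name":"A","answers":["203.0.113.77"]}
{"ts":1700000001.0,"uid":"CdnsB2","id.orig_h":"10.0.5.23","id.resp_h":"10.0.0.2","query":"www.university.test","qtype_name":"A","answers":["198.51.100.10"]}
"""

HTTP_LOG = """
{"ts":1700000002.5,"uid":"ChttpX9","id.orig_h":"10.0.5.23","id.resp_h":"203.0.113.77","method":"GET","host":"update.example-cdn.test","uri":"/files/invoice.exe","status_code":200,"resp_fuids":["FfileZ7"]}
{"ts":1700000003.0,"uid":"ChttpY1","id.orig_h":"10.0.5.23","id.resp_h":"198.51.100.10","method":"GET","host":"www.university.test","uri":"/index.html","status_code":200,"resp_fuids":["FfileQ2"]}
"""

FILES_LOG = """
{"ts":1700000002.6,"fuid":"FfileZ7","conn_uids":["ChttpX9"],"tx_hosts":["203.0.113.77"],"rx_hosts":["10.0.5.23"],"mime_type":"application/x-dosexec","filename":"invoice.exe","sha256":"PLACEHOLDER_SHA256_EXE"}
{"ts":1700000003.1,"fuid":"FfileQ2","conn_uids":["ChttpY1"],"tx_hosts":["198.51.100.10"],"rx_hosts":["10.0.5.23"],"mime_type":"text/html","filename":"index.html","sha256":"PLACEHOLDER_SHA256_HTML"}
"""

# MIME types that warrant a closer look when delivered over plain HTTP.
SUSPICIOUS_MIME = {"application/x-dosexec", "application/x-executable",
                   "application/x-msdownload"}


def parse_zeek_json(text):
    """Parse Zeek JSON-lines output into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def correlate_downloads(dns_records, http_records, files_records):
    """Join files.log -> http.log on the connection uid, then http host -> dns query.

    Returns one dict per file transfer with client, server, URL, hash and the
    DNS answers that led the client to the server.
    """
    http_by_uid = {r["uid"]: r for r in http_records}
    dns_by_query = defaultdict(list)
    for r in dns_records:
        dns_by_query[r["query"]].extend(r.get("answers", []))
    results = []
    for f in files_records:
        for uid in f.get("conn_uids", []):
            h = http_by_uid.get(uid)
            if h is None:          # file seen on a non-HTTP connection; skip here
                continue
            results.append({
                "client": h["id.orig_h"],
                "server": h["id.resp_h"],
                "url": f"http://{h['host']}{h['uri']}",
                "domain": h["host"],
                "resolved": dns_by_query.get(h["host"], []),
                "filename": f.get("filename"),
                "mime_type": f.get("mime_type"),
                "sha256": f.get("sha256"),
                "suspicious": f.get("mime_type") in SUSPICIOUS_MIME,
            })
    return results


def extract_iocs(correlated):
    """Collect domains, IPs and hashes from the suspicious transfers only."""
    iocs = {"domains": set(), "ips": set(), "sha256": set()}
    for r in correlated:
        if not r["suspicious"]:
            continue
        iocs["domains"].add(r["domain"])
        iocs["ips"].add(r["server"])
        iocs["ips"].update(r["resolved"])
        if r["sha256"]:
            iocs["sha256"].add(r["sha256"])
    return iocs


if __name__ == "__main__":
    rows = correlate_downloads(parse_zeek_json(DNS_LOG),
                               parse_zeek_json(HTTP_LOG),
                               parse_zeek_json(FILES_LOG))
    for r in rows:
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['client']} -> {r['url']} ({r['mime_type']}) sha256={r['sha256']}")
    print(extract_iocs(rows))
```

The join key is the same one you would use in Splunk: Zeek stamps the connection `uid` on the `http.log` record and lists it in `conn_uids` on the `files.log` record, so a `stats` by `uid` (or a `join uid`) across the two sourcetypes gives the client, URL and hash in one row, and the `host` field then pivots into `dns.log`. Flagging on MIME type rather than file extension matters because the server, not the filename, decides what was actually delivered.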

As you progress through the lab, you'll apply threat-hunting techniques to detect signs of compromise and gather actionable intelligence. This process not only helps mitigate the current threat but also strengthens defenses against future attacks.


Analysis

Q1 During the investigation of network traffic, unusual patterns of activity were observed in Suricata logs, s
