27.2.12 Lab Interpret HTTP and DNS Data to Isolate Threat Actor - PanamaP/KEST3CO05DU GitHub Wiki
Scroll through the results and answer the following questions:
What is the source IP address?
209.165.200.227
What is the destination IP address?
209.165.200.235
What is the destination port number?
80
c. Expand the details of the first result by clicking the arrow that is next to the log entry timestamp. Note the information that is available.
Questions: What is the timestamp of the first result?
June 12th 2020, 21:30:09.445
What is the event type?
bro_http
What is included in the message field? These are details about the HTTP GET request that was made by the client to the server. Focus especially on the uri field in the message text.
username, ccv, expiration, credit cards, password
What is the significance of this information?
An attempt is being made to obtain credit card information.
What do you see later in the transcript as regards usernames?
It sends back information about the users.
Give some examples of a username, password, and signature that were exfiltrated.
usr = 444411112222333 pass = 745 sign = 2012-03-01
Record the IP addresses of DNS client and server.
client - 192.168.0.11, server - 209.165.200.235
Were the subdomains in the DNS queries real subdomains? If not, what text do they contain?
CONFIDENTIAL DOCUMENT DO NOT SHARE This document contains information about the last security breach.
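As an added example (not part of the lab or this wiki page), the following Python applies the two checks the answers above point at, over constructed Zeek-style HTTP and DNS records: it flags GET URIs whose query string carries credential or card fields, and it reassembles the leading DNS labels into the text they spell. Field names follow Zeek's http.log and dns.log; the sample records, the watch-list of parameter names and the upper-case-label heuristic are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Zeek http.log-style records (only the fields used here).
HTTP_EVENTS = [
    {"id.orig_h": "209.165.200.227", "id.resp_h": "209.165.200.235",
     "method": "GET", "uri": "/index.html"},
    {"id.orig_h": "209.165.200.227", "id.resp_h": "209.165.200.235",
     "method": "GET",
     "uri": "/card.php?username=jdoe&password=s3cret&ccv=123&expiration=2021-05"},
]

# Constructed Zeek dns.log-style queries; the leading label carries a text fragment.
DNS_EVENTS = [
    {"id.orig_h": "192.168.0.11", "id.resp_h": "209.165.200.235", "query": q}
    for q in ("CONFIDENTIAL.ns.example.com", "DOCUMENT.ns.example.com",
              "DO-NOT-SHARE.ns.example.com", "www.ns.example.com")
]

# Query-string keys that should never travel in a GET URI (assumed watch-list).
SENSITIVE_KEYS = {"username", "password", "ccv", "expiration", "credit_card", "cc"}


def flag_sensitive_uris(events):
    """Return (uri, sorted matching keys) for every HTTP record whose query
    string carries a watch-listed parameter name."""
    hits = []
    for ev in events:
        keys = set(parse_qs(urlsplit(ev["uri"]).query, keep_blank_values=True))
        found = sorted(keys & SENSITIVE_KEYS)
        if found:
            hits.append((ev["uri"], found))
    return hits


def reassemble_dns_text(events, zone, label_re=re.compile(r"^[A-Z][A-Z-]*$")):
    """Join the leading label of each query under `zone` when it looks like
    upper-case prose rather than a hostname (a simple assumed heuristic)."""
    words = []
    for ev in events:
        q = ev["query"]
        if not q.endswith("." + zone):
            continue
        label = q[: -len(zone) - 1].split(".")[0]
        if label_re.match(label):
            words.append(label.replace("-", " "))
    return " ".join(words)
```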