27.2.12 Lab Interpret HTTP and DNS Data to Isolate Threat Actor - PanamaP/KEST3CO05DU GitHub Wiki

Scroll through the results and answer the following questions: What is the source IP address?

209.165.200.227

What is the destination IP address?

209.165.200.235

What is the destination port number?

80

c. Expand the details of the first result by clicking the arrow that is next to the log entry timestamp. Note the information that is available. Questions: What is the timestamp of the first result?

June 12th 2020, 21:30:09.445

What is the event type?

bro_http

What is included in the message field? These are details about the HTTP GET request that was made by the client to the server. Focus especially on the uri field in the message text.

username, ccv, expiration, credit cards, password

What is the significance of this information?

Someone is trying to obtain credit card information.

What do you see later in the transcript as regards usernames?

It sends back information about the users.

Give some examples of a username, password, and signature that was exfiltrated.

usr = 444411112222333 pass = 745 sign = 2012-03-01

Record the IP addresses of DNS client and server.

client - 192.168.0.11, server - 209.165.200.235

Were the subdomains in the DNS queries real subdomains? If not, what is the text?

CONFIDENTIAL DOCUMENT DO NOT SHARE This document contains information about the last security breach.
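The DNS observation above (query "subdomains" that are really fragments of a document) can be checked programmatically. The following is an added example, not part of the lab or this wiki: it walks constructed Zeek/Bro dns.log rows, flags queries under an assumed placeholder zone whose leading labels are not valid hostname labels, and stitches the leaked text back together. The zone name and the log rows are constructed; only the client and server addresses come from the lab.

```python
import re

# Letters, digits and hyphen are the only characters a hostname label may hold.
LABEL_RE = re.compile(r"^[A-Za-z0-9-]{1,63}$")

# Placeholder zone standing in for whatever domain the lab's dns.log showed.
SUSPECT_ZONE = "exfil-example.test"

# Constructed Zeek-style dns.log rows (ts, id.orig_h, id.resp_h, query); not
# taken from the lab's capture. Client and server addresses are the lab's.
SAMPLE_DNS_LOG = [
    ("1591989009.445", "192.168.0.11", "209.165.200.235", "www.example.com"),
    ("1591989010.112", "192.168.0.11", "209.165.200.235",
     "CONFIDENTIAL DOCUMENT." + SUSPECT_ZONE),
    ("1591989010.611", "192.168.0.11", "209.165.200.235",
     "DO NOT SHARE." + SUSPECT_ZONE),
    ("1591989011.027", "192.168.0.11", "209.165.200.235", "mail.example.com"),
    ("1591989011.498", "192.168.0.11", "209.165.200.235",
     "This document contains." + SUSPECT_ZONE),
]


def leading_labels(query, zone):
    """Return the labels in front of `zone`, or None if `query` is not under it."""
    suffix = "." + zone
    if not query.lower().endswith(suffix.lower()):
        return None
    return query[: -len(suffix)].split(".")


def is_hostname_like(labels):
    """True when every label could be a real host or subdomain name."""
    return all(LABEL_RE.match(label) for label in labels)


def find_text_in_queries(rows, zone=SUSPECT_ZONE):
    """Flag queries under `zone` whose leading labels are free text rather than
    hostnames, and return (flagged_rows, reconstructed_text)."""
    flagged, fragments = [], []
    for ts, client, server, query in rows:
        labels = leading_labels(query, zone)
        if labels is None or is_hostname_like(labels):
            continue  # unrelated zone, or ordinary-looking subdomain
        flagged.append((ts, client, server, query))
        fragments.extend(labels)  # queries arrive in order; join them as text
    return flagged, " ".join(fragments)


if __name__ == "__main__":
    hits, text = find_text_in_queries(SAMPLE_DNS_LOG)
    for row in hits:
        print("suspicious query:", row)
    print("reconstructed text:", text)
```

Labels built from ordinary words without spaces or punctuation would pass the charset check, so in practice this heuristic is combined with volume and label-length thresholds per client.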