Scenario
Recently the networks of a large company named GothamLegend were compromised after an employee opened a phishing email containing malware. The damage caused was critical and resulted in business-wide disruption. GothamLegend had to reach out to a third-party incident response team to assist with the investigation. You are a member of the IR team - all you have is an encoded PowerShell script. Can you decode it and identify what malware is responsible for this attack?
Description
In this challenge, we receive a log indicating a possible web-based attack.
The objective is to analyze a provided PCAP file and extract meaningful information related to HTTP activity and authentication.
Investigation Process
Recovering the PCAP File
The PCAP was initially obtained in a VM, from which I extracted the files.
The following commands were used to copy the files out of the VM; since there was not much network traffic, the file was not large:
Alert Name: SOC168 – Whoami Command Detected in Request Body
Severity: High
Event ID: 118
Event Time: Feb 28, 2022, 04:12 AM
Category: Web Attack
Playbook
1. Alert Overview
A high-severity web attack alert was triggered on WebServer1004 due to the detection of the whoami command within the HTTP request body. This behavior is commonly associated with command injection attempts, where an attacker tries to execute system-level commands through a web application.
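A request-body check of the kind this alert describes, as an added example (not from the SOC168 playbook or the original writeup): it URL-decodes each constructed request body until stable and flags a command only when it follows a shell chaining operator or stands alone as a value, so a benign id=42 parameter is not reported. Request paths and bodies are constructed samples.

```python
import re
from typing import Optional
from urllib.parse import unquote_plus

# Commands that have no business inside a form field; whoami is the one SOC168 keys on.
# The command must follow a chaining operator (or begin the value) and be followed by a
# delimiter or end of input, so "id=42" is not treated as the id command.
INJECTED_COMMAND = re.compile(
    r"(?:^|[;|&`\n]|\$\(|=)\s*"
    r"(whoami|id|uname|cat\s+/etc/passwd|ipconfig|net\s+user)"
    r"(?=\s|$|[;|&)`])",
    re.IGNORECASE,
)


def decode_body(body: str) -> str:
    """URL-decode until the text stops changing, so double-encoded payloads are exposed."""
    prev = None
    while prev != body:
        prev, body = body, unquote_plus(body)
    return body


def inspect_request(path: str, body: str) -> Optional[dict]:
    """Return an alert record if the decoded body carries an injected command, else None."""
    decoded = decode_body(body)
    m = INJECTED_COMMAND.search(decoded)
    if not m:
        return None
    return {"path": path, "command": m.group(1).lower(), "decoded_body": decoded}


# Constructed request log entries (path, raw body); not taken from the GothamLegend case.
SAMPLE_REQUESTS = [
    ("/search", "q=gotham&page=2"),                       # benign
    ("/login", "username=admin&password=x%3Bwhoami"),     # x;whoami after decoding
    ("/ping", "host=127.0.0.1%2526%2526+id"),             # double-encoded: && id
    ("/api/user", "id=42&name=bob"),                      # benign "id" parameter
]


def triage(requests=SAMPLE_REQUESTS) -> list:
    """Run every request through the check and return the ones worth an analyst's time."""
    return [a for a in (inspect_request(p, b) for p, b in requests) if a]


if __name__ == "__main__":
    for alert in triage():
        print(f"{alert['path']}: '{alert['command']}' in body -> {alert['decoded_body']}")
```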