Objective
Detect anomalous traffic patterns in a captured PCAP file using Wireshark.
Scenario
You are working as a cybersecurity analyst at a company that recently experienced unusual network behavior. The Security Operations Center (SOC) has provided you with a captured network traffic file (suspicious_traffic.pcap) suspected of containing traces of malicious activity. Your task is to investigate this file thoroughly, identify any suspicious domains and IP connections, and document your findings. Your analysis could be critical in preventing a potential security breach.
Lab Instructions
Step 1: Open the Provided PCAP File
- Launch Wireshark on your system.
- Go to File > Open and select the provided file suspicious_traffic.pcap.
Step 2: Analyze DNS Queries
- In the Display Filter bar, type dns and press Enter to view all DNS traffic. Note that this shows both queries and responses; to see only the questions clients asked, use the filter dns.flags.response == 0.
- Carefully review the domain names queried.
- Look for domains with random characters (e.g., x1y2z3abcd.com).
- Check for unusual or unknown domains.
- Note how often each domain is queried: the same name looked up over and over at regular intervals is a sign of beaconing.
- Tip: Malicious domains often use meaningless or obfuscated names.
Step 3: Filter and Inspect TCP Streams
- In the Display Filter bar, type tcp and press Enter to view TCP traffic.
- Right-click a suspicious packet and choose Follow > TCP Stream to examine the whole conversation.
- Identify any connections to known malicious IPs or irregular traffic behavior.
- Hint: Look for connections on uncommon ports, repeated failed connection attempts (SYN packets that never receive a SYN/ACK), and connections to the same host that recur at regular intervals.
Step 4: Document Your Findings
- Create a report with the following details:
- List of suspicious domain names detected from DNS queries.
- Suspicious IP addresses discovered in TCP streams.
- Evidence suggesting potential malicious behavior (e.g., command-and-control communication, data exfiltration patterns).
- Screenshots of key packets or streams supporting your findings.
Step 5: Cross-Reference IPs and Domains (Optional)
- Use public threat intelligence tools like VirusTotal or AbuseIPDB to check if the identified domains/IPs are flagged as malicious.
Solution & Explanation
Analyzing DNS Traffic
- Unusual Domains: Domains with random alphanumeric characters may indicate domain generation algorithms (DGA) often used in malware.
- Frequent Queries: Repeated DNS requests for a single domain, especially at regular intervals, could signal command-and-control (C2) beaconing; also watch for many distinct subdomains of one domain, which can indicate data being tunneled out over DNS.
Identifying Malicious TCP Connections
- Uncommon Ports: Traffic to non-standard ports (e.g., 4444 or 1337) is a red flag, but port alone is not proof: malware frequently uses 80 and 443 to blend in, so inspect the stream content as well.
- Suspicious IPs: Connections to blacklisted addresses, or to addresses in regions or networks the business has no reason to talk to, may suggest data exfiltration or malware activity, particularly when the internal host sends far more data than it receives.
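The three TCP indicators above (uncommon ports, repeated failed connection attempts, and regular reconnects) can be scored without clicking through every stream. The following is an added example, not part of the original lab, that reads tshark field output for SYN and SYN/ACK packets and reports each client/server/port triple that trips one of the indicators. The sample log, the list of expected ports, the three-event minimum, the 10% periodicity threshold and the assumption that internal hosts use RFC 1918 addresses are all assumptions made for the example.

```python
"""Score outbound TCP connection attempts exported from a PCAP with tshark.

Feed it the output of (SYN and SYN/ACK packets only):
  tshark -r suspicious_traffic.pcap -Y "tcp.flags.syn == 1" -T fields \
      -e frame.time_relative -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.flags
The sample below is a constructed stand-in for that output.
"""
import ipaddress
import statistics
import sys
from collections import defaultdict

# Constructed sample (tab-separated, as tshark -T fields prints it). Addresses come
# from documentation ranges and the timings are invented for the example.
SAMPLE_SYN_LOG = (
    "0.000000\t10.0.0.5\t93.184.216.34\t51000\t443\t0x0002\n"
    "0.012000\t93.184.216.34\t10.0.0.5\t443\t51000\t0x0012\n"
    "1.000000\t10.0.0.5\t203.0.113.77\t51002\t4444\t0x0002\n"
    "1.020000\t203.0.113.77\t10.0.0.5\t4444\t51002\t0x0012\n"
    "61.000000\t10.0.0.5\t203.0.113.77\t51003\t4444\t0x0002\n"
    "61.019000\t203.0.113.77\t10.0.0.5\t4444\t51003\t0x0012\n"
    "121.000000\t10.0.0.5\t203.0.113.77\t51004\t4444\t0x0002\n"
    "121.022000\t203.0.113.77\t10.0.0.5\t4444\t51004\t0x0012\n"
    "130.000000\t10.0.0.5\t198.51.100.9\t51005\t1337\t0x0002\n"
    "131.500000\t10.0.0.5\t198.51.100.9\t51006\t1337\t0x0002\n"
    "135.000000\t10.0.0.5\t198.51.100.9\t51007\t1337\t0x0002\n"
    "140.000000\t10.0.0.5\t93.184.216.34\t51008\t80\t0x0002\n"
    "140.011000\t93.184.216.34\t10.0.0.5\t80\t51008\t0x0012\n"
)

# Assumptions for this example: the ports this site expects outbound, the minimum
# number of events before a pattern counts, and how even the gaps must be to be "periodic".
COMMON_PORTS = {22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995}
MIN_EVENTS = 3
PERIODIC_CV = 0.10

SYN, ACK = 0x02, 0x10  # TCP flag bits as they appear in tcp.flags


def parse_syn_log(text):
    """Parse tshark field lines into (time, src, dst, sport, dport, flags) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, sport, dport, flags = line.split("\t")
        rows.append((float(t), src, dst, int(sport), int(dport), int(flags, 16)))
    return rows


def analyse(rows):
    """Return findings as (kind, client, server, port, detail) tuples.

    Only SYNs from private (RFC 1918) sources are treated as outbound attempts
    (assumption: the monitored hosts use private addressing).
    """
    attempts = {}        # (client, cport, server, port) -> time of the SYN
    completed = set()    # same key for every SYN that got a SYN/ACK back
    for t, src, dst, sport, dport, flags in rows:
        if flags & SYN and not flags & ACK:
            if ipaddress.ip_address(src).is_private:
                attempts.setdefault((src, sport, dst, dport), t)
        elif flags & SYN and flags & ACK:
            completed.add((dst, dport, src, sport))  # the reply travels the other way

    syn_times = defaultdict(list)  # (client, server, port) -> SYN timestamps
    failed = defaultdict(int)      # (client, server, port) -> SYNs never answered
    for (client, cport, server, port), t in attempts.items():
        syn_times[(client, server, port)].append(t)
        if (client, cport, server, port) not in completed:
            failed[(client, server, port)] += 1

    findings = []
    for (client, server, port), times in syn_times.items():
        if port not in COMMON_PORTS:
            findings.append(("uncommon port", client, server, port, len(times)))
        if failed[(client, server, port)] >= MIN_EVENTS:
            findings.append(("repeated failed connects", client, server, port,
                             failed[(client, server, port)]))
        if len(times) >= MIN_EVENTS:
            times.sort()
            gaps = [b - a for a, b in zip(times, times[1:])]
            mean = statistics.mean(gaps)
            # a low coefficient of variation means the host reconnects on a timer
            if mean > 0 and statistics.pstdev(gaps) / mean < PERIODIC_CV:
                findings.append(("periodic (beacon-like)", client, server, port,
                                 round(mean, 1)))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SYN_LOG
    for kind, client, server, port, detail in analyse(parse_syn_log(text)):
        print(f"{kind:26} {client} -> {server}:{port}  ({detail})")
```

On the constructed sample the script reports 203.0.113.77:4444 for an uncommon port and for a 60-second reconnect cadence, and 198.51.100.9:1337 for an uncommon port and three unanswered SYNs; the 443 and 80 connections to 93.184.216.34 produce nothing. In a real capture, treat the output as a worklist for Follow > TCP Stream, not as a verdict: a periodic connection on 443 is at least as interesting as anything on 4444.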
Testing & Verification
- Confirm that DNS queries show unusual domains.
- Validate TCP streams for irregular or persistent communication patterns.
- Cross-check suspicious domains and IPs with online threat databases.
Additional Script (Optional)
To automate the extraction of queried domains from a PCAP file, use the following tshark command (reading a file does not require root, so no sudo is needed):
# Extract the names asked for in DNS queries (responses excluded, so each lookup is counted once)
tshark -r suspicious_traffic.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name | sort | uniq -c | sort -nr
This command lists every unique queried name with the number of times it was queried, most frequent first. Filtering on just dns would count each name twice (once in the query and once in the response).
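The tshark pipeline above gives you the query counts; the two DNS indicators from the solution (random-looking names and frequently repeated queries) still have to be judged by eye. The following is an added example, not part of the original lab, that reads the list of queried names produced by that tshark command and flags names that look machine-generated (letters mixed with digits, almost no vowels, high character entropy) together with names queried unusually often. The sample names, the heuristic thresholds and the five-query beacon threshold are assumptions made for the example, and the second-level-label extraction is a simplification that does not know multi-part suffixes such as co.uk.

```python
"""Triage DNS query names exported from a PCAP with tshark.

Pipeline:
  tshark -r suspicious_traffic.pcap -Y "dns.flags.response == 0" \
      -T fields -e dns.qry.name > dns_queries.txt
  python3 dns_triage.py dns_queries.txt
The sample below is a constructed stand-in for dns_queries.txt.
"""
import math
import sys
from collections import Counter

# Constructed sample: one queried name per line, names invented for the example.
SAMPLE_QUERIES = """\
www.example.com
x1y2z3abcd.com
mail.example.com
x1y2z3abcd.com
x1y2z3abcd.com
kqzvbtrhwmcplxd.net
x1y2z3abcd.com
stackoverflow.com
a8f3k2j9q1.top
x1y2z3abcd.com
cdn.example.com
x1y2z3abcd.com
github.com
"""

BEACON_THRESHOLD = 5  # assumption: five or more lookups of one name in a capture is worth a look


def shannon_entropy(text):
    """Bits of entropy per character; random labels score high, real words low."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(name):
    """Label left of the TLD ("x1y2z3abcd" for "x1y2z3abcd.com").

    Simplification: does not know multi-part public suffixes such as co.uk.
    """
    parts = [p for p in name.lower().rstrip(".").split(".") if p]
    if not parts:
        return ""
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_indicators(label):
    """Return the heuristics the label trips; two or more is treated as DGA-like."""
    if not label:
        return []
    n = len(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    vowel_ratio = sum(ch in "aeiou" for ch in label) / n
    hits = []
    if digit_ratio >= 0.2:
        hits.append("letters mixed with digits")
    if n >= 8 and vowel_ratio < 0.2:
        hits.append("almost no vowels")
    if n >= 12 and shannon_entropy(label) >= 3.5:
        hits.append("high entropy")
    return hits


def triage(tshark_output):
    """Return (suspicious, frequent): DGA-like names with their indicators,
    and names queried at least BEACON_THRESHOLD times with their counts."""
    names = []
    for line in tshark_output.splitlines():
        # a packet carrying several questions prints them comma-separated on one line
        names.extend(part.strip() for part in line.split(",") if part.strip())
    counts = Counter(names)
    suspicious = {}
    for name in counts:
        hits = dga_indicators(second_level_label(name))
        if len(hits) >= 2:
            suspicious[name] = hits
    frequent = {name: c for name, c in counts.items() if c >= BEACON_THRESHOLD}
    return suspicious, frequent


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_QUERIES
    suspicious, frequent = triage(data)
    for name, hits in sorted(suspicious.items()):
        print(f"DGA-like  {name}: {', '.join(hits)}")
    for name, count in sorted(frequent.items(), key=lambda kv: -kv[1]):
        print(f"frequent  {name}: {count} queries")
```

Requiring two indicators rather than one is deliberate: a long dictionary word such as stackoverflow has high character entropy on its own, while x1y2z3abcd is caught by the digit mix plus the missing vowels. Anything the script flags should still be confirmed by looking at the resolved address in the DNS response and at the traffic that follows it, and by cross-referencing as described in Step 5.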
Conclusion
By completing this exercise, you’ve practiced identifying suspicious network traffic using DNS and TCP analysis in Wireshark. Recognizing anomalies in network data is a vital skill in cybersecurity defense, helping to detect and mitigate potential threats before they escalate.