TYS 0x01 - communication in the shadows
This post is part of the Test Your Skills series. You can find an introduction here. And an overview of all TYS’s currently available is over here.
What is going on in our network?!
You are a SOC analyst looking into some weird traffic you spotted on TCP/31337.
One of your fellow SOC buddies already exported some of the weird traffic and prepared a pcap for you: get it here.
Can you figure out what is going on? Is it malware c2? Data exfiltration or leakage?
I’ll give you a hint: It’s nothing you know, it’s nothing you can google for, but, looking at the pcap packet by packet should reveal its secrets to you!
Bonus points for the brave analyst who writes a script to automate the analysis and maybe even allow to participate in whats going on.
Have fun hunting, feel free to post your approach / write-up and let me know if you have any questions, feedback or general comments in the respective twitter thread over here:
Verify the files you download with:
md5sum c91ae8142feb9c63a4e69b91a05377a6 cdn/tys/tys_0x01_c2.pcapng sha1sum aaee24c061afc193239da0ea2595ae4000eff2f8 cdn/tys/tys_0x01_c2.pcapng sha256sum f75da53a0d33ce917e2ea4ee5ca356c1ca241a2e274d7a9763d24da576e481b4 cdn/tys/tys_0x01_c2.pcapng