6Oca
intrusion and network traffic
We just detected an intrusion in one of our labs!! Some strange network traffic was seen from one of the Windows servers and it was immediately isolated. Around the same time, there were some alerts for suspicious traffic originating from a Windows workstation in the same lab and we think the workstation might be associated with the intrusion. We have included a packet capture of the network traffic for those two endpoints during this time frame. Also, we have been able to collect some details about those hosts. Please take a look at the data and send us a writeup with your analysis. Affected hosts:
- 172.16.99.10(dc02p1floor.dolus-corp.net): This is a Windows 2016 server configured as a Domain Controller for this location. This server also acts as a DNS server for this subnet.
- 172.16.99.201(lab03-icps.dolus-corp.net): This is a Windows 10 workstation and our system administrator Fred, was using this workstation when we detected the intrusion. He did not report any suspicious behavior on his system, but he did mention that he was accessing his personal email accounts and might have clicked on a few links. Please be cautious while handling the file as we think it might contain live malware. Password for the file incident.zip is - incident. sha1(incident.zip): 489491c99fc506e2bb982070fb96958af85e02bc
