Evaluate Network Security with Hunter-1

 You are the security analyst for a small corporate network. Recently, several of your computers were infected by a Trickbot virus. It appears they got the virus from a spreadsheet. Various versions of spreadsheets had different requests for the virus files from different servers. You are using Security Onion Hunter to analyze the attack.

In this lab, your task is to:

• Log in to Security Onion and access Hunt.
  • Security Onion server: 192.168.0.101
  • Email address: bob@corpnet.xyz
  • Password: password
• From Hunt:
  • Examine the ET INFO Dotted Quad Host DLL Request alert event.
  • Answer Questions 1 and 2.
  • Examine the ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 alert event.
  • Answer Questions 3 and 4.

Potentially malicious network traffic can sometimes trigger multiple events.

EXPLANATION

Complete this lab as follows:

1. Access Security Onion.
   1. From the Favorites bar, select Google Chrome.
   2. In the address field, enter 192.168.0.101 and press Enter to access Security Onion.
   3. Log in to Security Onion using the following:
      • Email address: bob@corpnet.xyz
      • Password: password
   4. Select LOGIN.
2. Access Hunt.
   1. Select the hamburger menu and then click Hunt.
   2. Maximize the window for better viewing.
3. Examine the ET INFO Dotted Quad Host DLL Request alert event.
   1. Under Events, expand the ET INFO Dotted Quad Host DLL Request event.
   2. Examine the various fields, especially network.data.decoded.
   3. In the top right, select Answer Questions.
   4. Answer Questions 1 and 2.
4. Examine the ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 alert event.
5. From Hunt Events, expand the ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 event.
6. Examine the various fields, especially event.module and network.data.decoded.
7. Answer Questions 3 and 4.
8. Select Score Lab