2026-02-28: Traffic Analysis Exercise - Easy as 123
The article describes a network security incident analysis exercise involving the detection of a NetSupport Manager RAT attack. The attack came from IP address 45.131.214[.]85 over TCP port 443. A SOC analyst examines internal network traffic from a pcap file to identify the infected host and collect related information. 2026-03-01 02:10 Author: www.malware-traffic-analysis.net (view original)

2026-02-28 - TRAFFIC ANALYSIS EXERCISE: EASY AS 123

NOTE:

  • Zip files are password-protected.  Of note, this site has a new password scheme.  For the password, see the "about" page of this website.

ASSOCIATED FILE:

BACKGROUND

As a dynamic go-getter at a Security Operations Center (SOC), you check the Security Information and Event Management (SIEM) system and find several signature hits for NetSupport Manager RAT from 45.131.214[.]85 over TCP port 443. The activity started on 2026-02-28 at 19:55 UTC.

Using this information, you quickly retrieve a packet capture (pcap) of the traffic from the internal IP address that triggered these alerts. It's all on you now! You're expected to write up an incident report, so someone can track down the infected computer and put a stop to this nonsense!

The characteristics of your environment are:

  • LAN segment range:  10.2.28[.]0/24   (10.2.28[.]0 through 10.2.28[.]255)
  • Domain:  easyas123[.]tech
  • AD environment name:  EASYAS123
  • Active Directory (AD) domain controller:  10.2.28[.]2 - EASYAS123-DC
  • LAN segment gateway:  10.2.28[.]1
  • LAN segment broadcast address:  10.2.28[.]255

Armed with the pcap, you intend to find that infected host.


Shown above: You, presumably talking to the infected Windows host.

YOUR TASK

For this exercise, answer the following questions for your incident report:

  • What is the IP address of the infected Windows client?
  • What is the MAC address of the infected Windows client?
  • What is the host name of the infected Windows client?
  • What is the user account name from the infected Windows client?
  • What is the full name of the user from the user account?
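The first three answers (client IP, MAC address and host name) are normally recoverable from the infected client's own DHCP Request, since a Windows client puts its host name in option 12 and its MAC in the BOOTP chaddr field. The parser below is an added example written for this page, not code from the exercise or from malware-traffic-analysis.net; it builds a constructed pcap holding one DHCP Request with made-up values (00:11:22:33:44:55, 10.2.28.101, DESKTOP-SAMPLE, none of which are the exercise's answers) and then recovers those three fields from it, the same way it would from the real capture.

```python
import struct
from ipaddress import IPv4Address

def build_dhcp_request(mac: bytes, ip: str, hostname: str) -> bytes:
    """Ethernet/IPv4/UDP/BOOTP frame shaped like a Windows DHCP Request (RFC 2131)."""
    opts = (b"\x35\x01\x03"                                    # option 53: DHCP Request
            + bytes([12, len(hostname)]) + hostname.encode()   # option 12: host name
            + b"\x32\x04" + IPv4Address(ip).packed             # option 50: requested IP
            + b"\xff")                                         # End option
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4, mac.ljust(16, b"\0"),
                        b"\0" * 64, b"\0" * 128) + b"\x63\x82\x53\x63" + opts
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp      # checksum 0 = absent
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 128, 17, 0,
                       b"\0" * 4, b"\xff" * 4) + udp                    # 0.0.0.0 -> broadcast
    return b"\xff" * 6 + mac + b"\x08\x00" + ipv4                       # Ethernet II, src = client

def build_pcap(frames) -> bytes:
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)     # libpcap header, Ethernet
    return hdr + b"".join(struct.pack("<IIII", 1772308500 + i, 0, len(f), len(f)) + f
                          for i, f in enumerate(frames))                # ts_sec, ts_usec, incl, orig

def dhcp_clients(pcap: bytes) -> dict:
    """Return {client MAC: (requested IP, host name)} for every DHCP Request in the pcap."""
    found, off = {}, 24                                      # skip the pcap global header
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<I", pcap, off + 8)[0]    # record header: captured length
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                                         # only IPv4 carrying UDP
        udp = frame[14 + (frame[14] & 0x0F) * 4:]
        bootp = udp[8:]
        if (len(udp) < 8 or struct.unpack_from("!HH", udp) != (68, 67)
                or bootp[236:240] != b"\x63\x82\x53\x63"):   # ports 68->67 + DHCP magic cookie
            continue
        opts, i, fields = bootp[240:], 0, {}
        while i < len(opts) and opts[i] != 255:              # TLV options until End (255)
            if opts[i] == 0:                                 # Pad option: single byte, no length
                i += 1
                continue
            code, ln = opts[i], opts[i + 1]
            fields[code], i = opts[i + 2:i + 2 + ln], i + 2 + ln
        if fields.get(53) == b"\x03":                        # option 53 value 3 = Request
            mac = ":".join(f"{b:02x}" for b in bootp[28:34])  # BOOTP chaddr = client MAC
            found[mac] = (str(IPv4Address(fields[50])) if 50 in fields else None,
                          fields[12].decode(errors="replace") if 12 in fields else None)
    return found

SAMPLE_PCAP = build_pcap([build_dhcp_request(bytes.fromhex("001122334455"),  # constructed demo
                                             "10.2.28.101", "DESKTOP-SAMPLE")])  # not the answers
```

The account name and the user's full name (questions 4 and 5) are not carried in DHCP; they are normally pulled from the client's Kerberos and LDAP traffic to the domain controller, which this block does not parse.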

ANSWERS

  • Click here for the answers.



Source: https://www.malware-traffic-analysis.net/2026/02/28/index.html