Refer to the case study at https://www.cert.se/2017/09/cert-se-tekniska-rad-med-anledning-av-det-aktuella-dataintrangsfallet-b-8322-16. We can download the PCAP file from https://drive.google.com/open?id=0B7pTM0QU5apSdnF0Znp1Tko0ams. The case highlights the use of open source tools and notes that the infection took place after the targets received an email with a macro-enabled document attached. The attackers asked the victims to enable macros to view the content of the document and thereby gained a foothold on the target system. We will examine the PCAP from the network's point of view and highlight the information of interest.
Let's fire up NetworkMiner and get an overview of what happened:
If we sort by bytes, 37.28.155.22 is the top IP address. Let...
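As an added example (not from the book or the CERT-SE case), this stdlib-only Python script does by hand what the sorting step above does in NetworkMiner: it walks a classic libpcap file, sums the bytes each IPv4 host sent and received, and ranks the hosts so the top talker stands out. The capture it runs on is a constructed sample, not the case-study PCAP; the parser assumes the classic little-endian libpcap format with an Ethernet link type and skips anything that is not IPv4.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

PCAP_MAGIC_LE = 0xA1B2C3D4  # classic libpcap magic, little-endian (pcapng is not handled)
ETHERTYPE_IPV4 = 0x0800
def bytes_per_host(pcap: bytes) -> dict:
    """Sum wire bytes sent/received per IPv4 host in an Ethernet libpcap capture."""
    if struct.unpack_from("<I", pcap, 0)[0] != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian libpcap file")
    totals = defaultdict(lambda: {"sent": 0, "received": 0})
    off = 24                                    # skip the 24-byte global header
    while off + 16 <= len(pcap):                # 16-byte per-packet record header
        _ts, _us, incl_len, orig_len = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34:                     # Ethernet (14) + minimal IPv4 (20)
            continue
        if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue                            # ARP, IPv6, ... are not counted here
        src, dst = str(IPv4Address(frame[26:30])), str(IPv4Address(frame[30:34]))
        totals[src]["sent"] += orig_len         # orig_len: bytes on the wire, even if snapped
        totals[dst]["received"] += orig_len
    return dict(totals)

def top_talkers(pcap: bytes, n: int = 5) -> list:
    """Hosts ranked by sent + received bytes, like sorting NetworkMiner's host list."""
    totals = bytes_per_host(pcap)
    total = lambda ip: totals[ip]["sent"] + totals[ip]["received"]
    return [(ip, total(ip)) for ip in sorted(totals, key=total, reverse=True)[:n]]

def _frame(src: str, dst: str, payload_len: int) -> bytes:  # sample data only
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip + b"\x00" * payload_len

def build_pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = build_pcap([  # constructed sample, not the case-study pcap
    _frame("192.168.1.10", "37.28.155.22", 100),   # two internal hosts each send a
    _frame("37.28.155.22", "192.168.1.10", 1400),  # small request and get large
    _frame("37.28.155.22", "192.168.1.10", 1400),  # responses from the same server
    _frame("192.168.1.20", "37.28.155.22", 100),
    _frame("37.28.155.22", "192.168.1.20", 1400),
])
```

Calling `top_talkers(SAMPLE_PCAP)` ranks 37.28.155.22 first; a pcapng capture (as recent Wireshark versions save by default) fails the magic check and must be converted first.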