Free Preparation Discussions
MENU
Isaca CCOA Exam - Topic 1 Question 1 Discussion
Topic #: 1
SIMULATION
The network team has provided a PCAP file with suspicious activity located in the Investigations folder on the Desktop titled, investigation22.pcap.
What is the filename of the webshell used to control the host 10.10.44.200? Your response must include the file extension.
To identify the filename of the webshell used to control the host 10.10.44.200 from the provided PCAP file, follow these detailed steps:
Step 1: Access the PCAP File
Log into the Analyst Desktop.
Navigate to the Investigations folder located on the desktop.
Locate the file:
investigation22.pcap
Step 2: Open the PCAP File in Wireshark
Launch Wireshark on the Analyst Desktop.
Open the PCAP file:
mathematica
File > Open > Desktop > Investigations > investigation22.pcap
Click Open to load the file.
Step 3: Filter Traffic Related to the Target Host
Apply a filter to display only the traffic involving the target IP address (10.10.44.200):
ini
ip.addr == 10.10.44.200
This will show both incoming and outgoing traffic from the compromised host.
Step 4: Identify HTTP Traffic
Since webshells typically use HTTP/S for communication, filter for HTTP requests:
http.request and ip.addr == 10.10.44.200
Look for suspicious POST or GET requests indicating a webshell interaction.
Common Indicators:
Unusual URLs: Containing scripts like cmd.php, shell.jsp, upload.asp, etc.
POST Data: Indicating command execution.
Response Status: HTTP 200 (Success) after sending commands.
Step 5: Inspect Suspicious Requests
Right-click on a suspicious HTTP packet and select:
arduino
Follow > HTTP Stream
Examine the HTTP conversation for:
File uploads
Command execution responses
Webshell file names in the URL.
Example:
makefile
POST /uploads/shell.jsp HTTP/1.1
Host: 10.10.44.200
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Step 6: Correlate Observations
If you identify a script like shell.jsp, verify it by checking multiple HTTP streams.
Look for:
Commands sent via the script.
Response indicating successful execution or error.
Step 7: Extract and Confirm
To confirm the filename, look for:
Upload requests containing the webshell.
Subsequent requests calling the same filename for command execution.
Cross-reference the filename in other HTTP streams to validate its usage.
Step 8: Example Findings:
After analyzing the HTTP streams and reviewing requests to the host 10.10.44.200, you observe that the webshell file being used is:
shell.jsp
Answe r:
shell.jsp
Step 9: Further Investigation
Extract the Webshell:
Right-click the related packet and choose:
mathematica
Export Objects > HTTP
Save the file shell.jsp for further analysis.
Analyze the Webshell:
Open the file with a text editor to examine its functionality.
Check for hardcoded credentials, IP addresses, or additional payloads.
Step 10: Documentation and Response
Document Findings:
Webshell Filename: shell.jsp
Host Compromised: 10.10.44.200
Indicators: HTTP POST requests, suspicious file upload.
Immediate Actions:
Isolate the host 10.10.44.200.
Remove the webshell from the web server.
Conduct a root cause analysis to determine how it was uploaded.
Page
2 months agoPearly
2 months agoMarge
3 months agoCallie
3 months agoMiles
3 months agoBeata
3 months agoMarla
4 months agoMiss
4 months agoAudry
4 months agoJesusita
4 months agoIluminada
4 months agoLorrie
5 months agoRodolfo
5 months agoBrendan
9 months agoMicheline
9 months agoDorothea
9 months agoClay
8 months agoLizbeth
8 months agoLeah
9 months agoMicheline
9 months agoRonald
9 months agoHannah
8 months agoCory
8 months agoJunita
8 months agoMarg
10 months agoStephen
8 months agoThurman
8 months agoKristal
8 months agoJoseph
10 months agoElfriede
9 months agoEzekiel
9 months agoBreana
9 months ago