SIMULATION
The network team has provided a PCAP file with suspicious activity, located in the Investigations folder on the Desktop and titled investigation22.pcap.
What date was the webshell accessed? Enter the format as YYYY-MM-DD.
To determine the date the webshell was accessed from the investigation22.pcap file, follow these detailed steps:
Step 1: Access the PCAP File
Log into the Analyst Desktop.
Navigate to the Investigations folder on the desktop.
Locate the file:
investigation22.pcap
Step 2: Open the PCAP File in Wireshark
Launch Wireshark.
Open the PCAP file:
File > Open > Desktop > Investigations > investigation22.pcap
Click Open to load the file.
Step 3: Filter for Webshell Traffic
Since webshells typically use HTTP/S to communicate, apply a filter:
http.request or http.response
Alternatively, if you know the IP of the compromised host (e.g., 10.10.44.200), use:
http and ip.addr == 10.10.44.200
Press Enter to apply the filter.
Step 4: Identify Webshell Activity
Look for HTTP requests that include:
Common webshell filenames: shell.jsp, cmd.php, backdoor.aspx, etc.
HTTP methods typically used to drive a webshell: mainly POST or GET.
Right-click a suspicious packet and choose:
Follow > HTTP Stream
Inspect the HTTP headers and content to confirm the presence of a webshell.
Step 5: Extract the Access Date
Look at the HTTP request/response header.
Find the Date field in the HTTP headers or the capture timestamp of the packet:
Wireshark displays each packet's capture timestamp in the Time column on the left by default.
Confirm the HTTP stream includes commands or uploads to the webshell.
Example HTTP Stream:
POST /uploads/shell.jsp HTTP/1.1
Host: 10.10.44.200
User-Agent: Mozilla/5.0
Date: Mon, 2024-03-18 14:35:22 GMT
Step 6: Verify the Correct Date
Double-check other HTTP requests or responses related to the webshell.
Make sure the date field is consistent across multiple requests to the same file.
Answer:
2024-03-18
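The same check as a script, so the date can be pulled from a capture without clicking through streams. This is an added example, not part of the original walkthrough: it assumes a classic (non-pcapng) pcap carrying Ethernet/IPv4/TCP with each HTTP request line in a single segment, keys on the capture timestamp (the value Wireshark shows in its Time column) rather than on an HTTP Date header, and runs against a constructed sample capture rather than investigation22.pcap.

```python
import struct
from datetime import datetime, timezone

# Filenames the walkthrough above treats as webshell indicators.
WEBSHELL_NAMES = (b"shell.jsp", b"cmd.php", b"backdoor.aspx")

def webshell_access_dates(pcap: bytes):
    """Return [(YYYY-MM-DD, request line)] for each HTTP request in a classic
    pcap whose URL names a known webshell. Dates come from the capture
    timestamp (Wireshark's Time column), rendered in UTC."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"  # 0xa1b2c3d4 magic
    off, hits = 24, []                                        # skip global header
    while off + 16 <= len(pcap):
        ts_sec, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Ethernet(14) -> IPv4 (protocol byte at 23 must be 6 = TCP) -> TCP -> data
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(tcp) < 20:
            continue
        payload = tcp[(tcp[12] >> 4) * 4:]
        parts = payload.split(b"\r\n", 1)[0].split(b" ")
        if (len(parts) == 3 and parts[0] in (b"GET", b"POST")
                and any(name in parts[1] for name in WEBSHELL_NAMES)):
            day = datetime.fromtimestamp(ts_sec, tz=timezone.utc).strftime("%Y-%m-%d")
            hits.append((day, b" ".join(parts).decode(errors="replace")))
    return hits

def _frame(ts_sec: int, payload: bytes) -> bytes:
    """Build one constructed Ethernet/IPv4/TCP record (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 10, 44, 1]), bytes([10, 10, 44, 200]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
    return struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame

# Constructed sample capture: one benign request, then a POST to the webshell
# at 2024-03-18 14:35:22 UTC (epoch 1710772522), matching the walkthrough.
SAMPLE_PCAP = (
    struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    + _frame(1710772522, b"GET /index.html HTTP/1.1\r\nHost: 10.10.44.200\r\n\r\n")
    + _frame(1710772522, b"POST /uploads/shell.jsp HTTP/1.1\r\nHost: 10.10.44.200\r\n\r\ncmd=id")
)

if __name__ == "__main__":
    for day, line in webshell_access_dates(SAMPLE_PCAP):
        print(day, line)  # 2024-03-18 POST /uploads/shell.jsp HTTP/1.1
```

Point `webshell_access_dates` at the bytes of a real capture (`open(path, "rb").read()`) to list every matching request with its date; a pcapng file or TLS-wrapped traffic will yield nothing, since the parser only understands the classic format and plaintext HTTP.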
Step 7: Document the Finding
Date of Access: 2024-03-18
Filename: shell.jsp (as identified earlier)
Compromised Host: 10.10.44.200
Method of Access: HTTP POST
Step 8: Next Steps
Isolate the Affected Host:
Remove the compromised server from the network.
Remove the Webshell:
rm /path/to/webshell/shell.jsp
Analyze Web Server Logs:
Correlate timestamps with access logs to identify the initial compromise.
Implement WAF Rules:
Block suspicious patterns related to file uploads and webshell execution.