Information leakage in pcap

Dear all,

I have a pcap file which supposedly has information about a leakage of information from several users. All I know is that an attacker may have the login and the password of Microsoft 365 accounts. Since I am stuck, could someone tell me how/where I can start to examine it? Any help would be appreciated.

The file, in case you may want to get it, can be downloaded from here https://pcap.honeynet.org.my/v1/submission/view.php?id=158

Many thanks in advance

Is this a CTF or a real pcap?

It is part of an exercise for college. I am starting in the cybersecurity world, I have little experience in forensics and I was only given a brief introduction to Wireshark. I found that the file was already uploaded (MD5 checked), so it is in the public domain and does not contain “real” information. Any suggestion, book to read or advice would be appreciated.

@kiral91 said:

Any suggestion, book to read or advice would be appreciated.

First place I’d suggest is to check out https://www.malware-traffic-analysis.net/; there is some awesome guidance there.

I’d also suggest setting up Wireshark in a manner which helps you (this is a good starting point Malware-Traffic-Analysis.net - Changing the column display in Wireshark)

From there it’s a matter of filtering it for known activity and using the tools in Wireshark to get an understanding of what happened.

It might also be worth having a look at NetworkMiner (NetworkMiner - The NSM and Network Forensics Analysis Tool ⛏) as this can do a good job of summarising information in a PCAP to speed up analysis.
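The "filter for known activity" step above can also be scripted once you know what a credential submission looks like on the wire. As an added example (not code from this thread or from any of the tools named in it), the script below walks a classic pcap file with only the standard library, pulls out IPv4/TCP payloads, and reports which flows carry a credential-bearing field in the clear (HTTP Basic auth header or a form field such as `password=`) without printing the values themselves; the one-packet capture it builds is constructed inline so the script runs offline, and the marker list, hosts and addresses are assumptions for illustration.

```python
import struct

# Assumed markers of credentials crossing the wire unencrypted (extend as needed).
CRED_MARKERS = (b"authorization: basic", b"password=", b"passwd=", b"pwd=")

def tcp_payloads(pcap: bytes):
    """Yield (src, dst, dport, payload) for every IPv4/TCP frame in a classic pcap file."""
    magic = pcap[:4]                            # little-endian magic (usec or nsec variant)
    endian = "<" if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
    off = 24                                    # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
            continue
        ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]  # honour IP total length
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:                                        # protocol 6 = TCP
            continue
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:]
        dport = struct.unpack("!H", tcp[2:4])[0]
        doff = (tcp[12] >> 4) * 4                             # TCP header length
        yield src, dst, dport, tcp[doff:]

def find_plaintext_credentials(pcap: bytes):
    """Flag flows whose TCP payload carries a credential field in the clear (markers only)."""
    findings = []
    for src, dst, dport, payload in tcp_payloads(pcap):
        low = payload.lower()
        hits = [m.decode() for m in CRED_MARKERS if m in low]
        if hits:
            findings.append({"src": src, "dst": dst, "dport": dport, "markers": hits})
    return findings

def build_sample_pcap() -> bytes:
    """Constructed one-packet pcap (Ethernet/IPv4/TCP/HTTP POST); not the thread's capture."""
    http = (b"POST /login HTTP/1.1\r\nHost: portal.example\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
            b"username=alice%40example.com&password=hunter2")
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(http), 1, 0,
                     64, 6, 0, bytes([10, 0, 0, 5]), bytes([203, 0, 113, 10]))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + http
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return ghdr + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

if __name__ == "__main__":
    for f in find_plaintext_credentials(build_sample_pcap()):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} markers={f['markers']}")
```

To run it against a real capture, read the file into `bytes` and pass it to `find_plaintext_credentials`; each finding tells you which flow to open in Wireshark with `ip.addr == <src> && tcp.port == <dport>`.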

@kiral91 said:

I have a pcap file which supposedly has information about a leakage of information from several users. All I know is that an attacker may have the login and the password of Microsoft 365 accounts. Since I am stuck, could someone tell me how/where I can start

Is this likely to be one of the accounts mgar***@***ent.com:m********3?

@TazWake said:

First place I’d suggest is to check out https://www.malware-traffic-analysis.net/; there is some awesome guidance there.

I’d also suggest setting up Wireshark in a manner which helps you (this is a good starting point Malware-Traffic-Analysis.net - Changing the column display in Wireshark)

From there it’s a matter of filtering it for known activity and using the tools in Wireshark to get an understanding of what happened.

It might also be worth having a look at NetworkMiner (NetworkMiner - The NSM and Network Forensics Analysis Tool ⛏) as this can do a good job of summarising information in a PCAP to speed up analysis.

Thank you very much, that’s what I was looking for