// BTLO  ·  Network Security Monitoring

Piggy - BTL1 PCAP Analysis Lab

BTLO Easy Wireshark
Initial Access Credential Access
proof of completion → challenge page → ← all labs
Piggy Lab - Network Forensics Investigation
✓ COMPLETED BTL1 Learning Path • Foundational PCAP Analysis • Wireshark • OSINT

🎯 Lab Objective

Scenario: Investigate network activity across four PCAP files to identify data exfiltration, malware infrastructure, and attacker techniques.

Skills Practiced:

Tools Used:

📊 Investigation Summary

Platform: Security Blue Team (BTL1 Certification Preparation)
Category: Network Security Monitoring - Foundational Skills
Lab Focus: Multi-PCAP investigation, data exfiltration analysis, threat intelligence
Completion Date: February 13, 2026
Score: 27/27 points
Tags: Wireshark SSH OSINT ATTACK BTL1

🔍 PCAP One: SSH Data Exfiltration

Question 1: Remote SSH IP Address

What remote IP address was used to transfer data over SSH? (Format: X.X.X.X)

Analysis:

Applied SSH filter in Wireshark to identify encrypted data transfer sessions.

Methodology:

  1. Applied filter: tcp.port == 22
  2. Reviewed TCP conversations
  3. Identified remote endpoint for SSH session

SSH Traffic Analysis

Answer: 35.211.33.16

Question 2: Data Transfer Volume

How much data was transferred in total? (Format: XXXX M)

Analysis:

Used Wireshark’s Statistics feature to calculate total SSH data transfer.

Methodology:

  1. Statistics → Conversations → IPv4
  2. Located SSH conversation (35.211.33.16)
  3. Summed bidirectional traffic (Tx + Rx bytes)

Data Transfer Statistics

Calculation:

Tx Bytes: 8211 k
Rx Bytes: 1123 M
Total: ~1131 M

Answer: 1131 M

🌐 PCAP Two: Malware Infrastructure Identification

Question 3: Malware Family Attribution

Review the IPs the infected system has communicated with. Perform OSINT searches to identify the malware family tied to this infrastructure (Format: MalwareName)

Analysis:

Identified remote IPs in PCAP Two and conducted VirusTotal research for historical attribution.

Methodology:

  1. Extracted unique destination IPs from conversations
  2. Performed VirusTotal lookups on each IP
  3. Reviewed “Communicating Files” section for malware samples
  4. Cross-referenced detection names across multiple samples

Key IP Investigated: 31.184.253.165

VirusTotal Findings:

VirusTotal Malware Attribution

Answer: Trickbot

🔎 PCAP Three: Unusual Port Communications

Question 4: ASN Attribution

Review the two IPs that are communicating on an unusual port. What are the two ASN numbers these IPs belong to? (Format: ASN, ASN)

Analysis:

Identified non-standard port communications and performed ASN lookups.

Methodology:

  1. Reviewed port statistics to find unusual ports
  2. Identified IPs communicating on port 8080
  3. Performed WHOIS/VirusTotal lookups for ASN information

IP 1: 194.233.171.171

IP 2: 104.236.57.24

ASN Identification

Answer: 63949, 14061

Question 5: Malware Category Attribution

Perform OSINT checks. What malware category have these IPs been attributed to historically? (Format: MalwareType)

Analysis:

Conducted deeper VirusTotal analysis on identified IPs.

IP: 104.236.57.24 - VirusTotal Results:

Malware Category Attribution

Conclusion: Infrastructure historically associated with cryptomining operations.

Answer: Miner

Question 6: MITRE ATT&CK Technique

What ATT&CK technique is most closely related to this activity? (Format: TXXXX)

Analysis:

Mapped observed cryptomining behavior to MITRE ATT&CK framework.

Observed Behavior:

MITRE ATT&CK Research:

Technique: T1496 - Resource Hijacking

Description:

“Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.”

MITRE ATT&CK T1496

Answer: T1496

📡 PCAP Four: DNS TXT Record Analysis

Question 7: TXT Query Timing (Seconds Since Capture Start)

Go to View > Time Display Format > Seconds Since Beginning of Capture. How long into the capture was the first TXT record query made? (Format: X.xxxxxx)

Analysis:

Configured Wireshark time display and located first DNS TXT query.

Methodology:

  1. View → Time Display Format → Seconds Since Beginning of Capture
  2. Applied filter: dns.qry.type == 16 (TXT records)
  3. Identified first packet in results

First TXT Query:

Time: 2.047649 seconds
Frame: 875
Query: mlckdhokhvhtcmevvcqbggcviwxqim.sandbox.alphasoc.xyz

TXT Query Timeline

Answer: 8.527712

Question 8: TXT Query Timestamp (UTC)

Go to View > Time Display Format > UTC Date and Time of Day. What is the date and timestamp? (Format: YYYY-MM-DD HH:MM:SS)

Analysis:

Changed time display format to UTC and captured absolute timestamp.

Methodology:

  1. View → Time Display Format → UTC Date and Time of Day
  2. Located same TXT query packet (Frame 875)
  3. Noted UTC timestamp

UTC Timestamp

Answer: 2024-05-24 10:08:50

Question 9: MITRE ATT&CK Subtechnique

What is the ATT&CK subtechnique relating to this activity? (Format: TXXXX.xxx)

Analysis:

Identified DNS TXT record usage as a C2 channel and mapped to specific subtechnique.

Observed Behavior:

MITRE ATT&CK Research:

Subtechnique: T1071.004 - Application Layer Protocol: DNS

Description:

“Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic.”

MITRE ATT&CK T1071.004

Answer: T1071.004

✅ Lab Completion

Final Results:

Lab Completion Certificate

📊 MITRE ATT&CK Mapping

Technique ID Technique Name Observed Evidence
T1071.004 Application Layer Protocol: DNS DNS TXT queries for C2 communication
T1496 Resource Hijacking Cryptomining infrastructure and miner attribution
T1041 Exfiltration Over C2 Channel SSH data transfer to remote IP
T1071.001 Application Layer Protocol: Web Protocols HTTP/HTTPS traffic to mining pools

🎓 Key Takeaways

Technical Skills Demonstrated

PCAP Analysis:

Threat Intelligence:

Framework Application:

SOC Analyst Perspective

Detection Opportunities:

Investigation Workflow:

  1. Identify anomalies - Unusual ports, large transfers, suspicious domains
  2. Extract IOCs - IPs, domains, ports, protocols
  3. Enrich with OSINT - VirusTotal, ASN lookups, malware databases
  4. Map to framework - ATT&CK techniques for context
  5. Document findings - Timeline, evidence, conclusions

Lessons Learned:

🔗 Investigation Artifacts

IOCs Identified:

Indicator Type Value Context
IPv4 35.211.33.16 SSH data exfiltration destination
IPv4 31.184.253.165 Pony malware C2 infrastructure
IPv4 194.233.171.171 Mining infrastructure (AS 63949)
IPv4 104.236.57.24 Mining infrastructure (AS 14061 - Miner tagged)
Domain mlckdhokhvhtcmevvcqbggcviwxqim.sandbox.alphasoc.xyz DNS TXT C2 query
Port 22 (SSH) Data exfiltration channel
Port 8080 Unusual port communication
Data Volume 1131 M Total SSH transfer volume
Malware Family Trickbot Stealer/information theft malware

Timeline:

← Back to Blue Team Portfolio More Labs Coming Soon

```

← blue team ops inksec.io red team →