Study a worked example of triaging a RAT beacon alert using Wireshark display filters.
Reuse the report structure as a template for your own SOC Tier 1 lab writeups.
Practice mapping observed activity to MITRE ATT&CK technique IDs like T1219.
Reading-only lab; needs Wireshark installed if you want to follow along with a PCAP.
This repository is a learning exercise written up as if it were a real incident report from a security operations center. The author calls it Day 18 of a SOC Tier 1 series, and the topic is network traffic analysis with Wireshark, the free packet analyzer. The lab walks through a packet capture file as a step-by-step investigation, with screenshots at every stage.

The scenario is a remote access trojan, NetSupport Manager RAT, talking to an outside server. The fictional alert points the analyst at an external IP address, and the analyst loads the capture in Wireshark to confirm what is going on. Filtering on that IP surfaces 550 suspicious packets: HTTP POST requests to a path called /fakeurl.htm over TCP port 443, sent at regular intervals, which the report calls beaconing. Two details make this worth flagging on their own: the requests are readable as plain HTTP even though they use the port normally carrying TLS, and the interval is steady in a way that interactive browsing is not.

The analyst then uses the DHCP packets in the capture to work out which machine inside the network is making those calls. The report ties the IP address to a hostname, a username, and a MAC address, so the affected device can be physically located and isolated. One caveat when reusing this step: DHCP itself supplies only the hostname (option 12) and the client hardware address; a username is not a DHCP field, so it has to come from other traffic from the same host, such as Kerberos or SMB authentication.

The report also covers DNS queries from the same host, and uses Wireshark's conversation statistics (Statistics > Conversations) to summarize how much traffic went where, including some traffic to the domain controller that the report concludes is normal.

The rest of the document is structured like a real handover artifact: a table of indicators of compromise, a mapping of the activity to MITRE ATT&CK technique IDs such as T1219 (Remote Access Software), a list of SOC analyst findings, and a list of response actions such as isolating the host and blocking the malicious IP at the firewall. The closing section is a short analyst insight on why packet capture analysis is a useful skill. The README does not list a license.
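The triage steps above (filter on the external IP, judge whether the POSTs are beaconing, walk DHCP back to a host, summarize conversations) can be scripted once the capture is exported with tshark. The block below is an added example, not code from the Day 18 writeup or its author: it runs the same logic over hand-constructed records shaped like `tshark -T fields` output, with placeholder addresses, hostname, MAC and sizes that are not the lab's values. The beacon thresholds (five hits, coefficient of variation of inter-arrival times at most 0.20) are assumptions chosen for illustration, and the tshark field names in the comments are the Wireshark 3.x names (older releases used the bootp.* prefix).

```python
"""Beacon triage over constructed tshark-style records (added example)."""
import statistics
from collections import defaultdict

BEACON_MIN_HITS = 5    # assumed: fewer requests than this cannot establish regularity
BEACON_MAX_CV = 0.20   # assumed: stdev/mean of inter-arrival times; lower is more machine-like

# Equivalent Wireshark display filters the analyst would type by hand:
#   ip.addr == <external ip> && http.request.method == "POST"
#   http.request.uri contains "/fakeurl.htm"
#   dhcp
#   dns.flags.response == 0 && ip.src == <internal ip>

# Constructed HTTP request records, one tuple per packet, in the shape of
#   tshark -r lab.pcap -Y http.request -T fields -e frame.time_epoch -e ip.src \
#     -e ip.dst -e tcp.dstport -e http.request.method -e http.request.uri -e frame.len
# Eight POSTs every ~30 s to the external server, plus six irregular GETs to an
# internal web server that should not be flagged. All values are placeholders.
HTTP_REQUESTS = [
    (1700000000.0 + 30 * i + 0.4 * (i % 2), "10.0.0.25", "203.0.113.9", 443, "POST", "/fakeurl.htm", 312)
    for i in range(8)
] + [
    (1700000000.0 + t, "10.0.0.25", "10.0.0.5", 80, "GET", uri, size)
    for t, uri, size in [(11, "/", 210), (47, "/index.html", 233), (190, "/favicon.ico", 198),
                         (205, "/app.js", 401), (330, "/", 210), (615, "/logout", 188)]
]

# Constructed DHCP records (fields dhcp.option.dhcp, dhcp.hw.mac_addr,
# dhcp.option.hostname, dhcp.ip.your). Message type 3 = Request, which carries
# the client's hostname (option 12); type 5 = ACK, which carries the assigned
# address (yiaddr). Placeholder MACs and names.
DHCP_PACKETS = [
    {"type": 3, "mac": "00:11:22:33:44:55", "hostname": "DESKTOP-LAB18", "yiaddr": None},
    {"type": 5, "mac": "00:11:22:33:44:55", "hostname": None, "yiaddr": "10.0.0.25"},
    {"type": 3, "mac": "66:77:88:99:aa:bb", "hostname": "PRINTER-2F", "yiaddr": None},
    {"type": 5, "mac": "66:77:88:99:aa:bb", "hostname": None, "yiaddr": "10.0.0.40"},
]


def find_beacons(requests, min_hits=BEACON_MIN_HITS, max_cv=BEACON_MAX_CV):
    """Group requests by (src, dst, dport, method, uri) and flag series whose
    inter-arrival times are both numerous and regular."""
    series = defaultdict(list)
    for ts, src, dst, dport, method, uri, _size in requests:
        series[(src, dst, dport, method, uri)].append(ts)
    beacons = {}
    for key, times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        deltas = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(deltas)
        cv = statistics.stdev(deltas) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            beacons[key] = {"hits": len(times), "interval_s": round(mean, 1), "cv": round(cv, 3)}
    return beacons


def attribute_ip(ip, dhcp_packets):
    """Walk the DHCP exchange back from an assigned IP to the MAC (from the ACK)
    and hostname (from the Request). DHCP carries no user name; that has to
    come from Kerberos/SMB/LDAP traffic from the same host."""
    mac = next((p["mac"] for p in dhcp_packets if p["type"] == 5 and p["yiaddr"] == ip), None)
    if mac is None:
        return None
    hostname = next((p["hostname"] for p in dhcp_packets
                     if p["type"] == 3 and p["mac"] == mac and p["hostname"]), None)
    return {"ip": ip, "mac": mac, "hostname": hostname}


def conversation_bytes(requests):
    """Rough stand-in for Statistics > Conversations: request bytes per src/dst pair."""
    totals = defaultdict(int)
    for _ts, src, dst, _dport, _method, _uri, size in requests:
        totals[(src, dst)] += size
    return dict(totals)


def triage(requests, dhcp_packets):
    """Produce one finding per beaconing series, with the host attribution attached."""
    findings = []
    for (src, dst, dport, method, uri), stats in find_beacons(requests).items():
        host = attribute_ip(src, dhcp_packets) or {"ip": src, "mac": None, "hostname": None}
        findings.append({"host": host, "remote": f"{dst}:{dport}", "request": f"{method} {uri}", **stats})
    return findings


if __name__ == "__main__":
    for f in triage(HTTP_REQUESTS, DHCP_PACKETS):
        print(f)
    for pair, total in sorted(conversation_bytes(HTTP_REQUESTS).items()):
        print(pair, total, "bytes")
```

The coefficient-of-variation test is deliberately crude: real implants add jitter, so on a production capture you would also look at the distribution of request sizes and at how long the series persists, and you would treat the port 443 cleartext HTTP as its own finding regardless of timing.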
Generated 2026-05-22 · Model: sonnet-4-6 · Verify against the repo before relying on details.