These are a series of labs that cover different types of analysis that can be done on network data when threat hunting. You can do these in any order and you can jump around individual labs to try out the tools or methods that interest you. That being said, here is our suggested order:
You can use the Basic Tool Usage guide as a reference for common tasks if a tool is unfamiliar to you.
Each of these labs works off the same packet capture. You have several options for downloading this pcap. Each option below has its snaplen (the maximum number of bytes captured per packet) set to a different value in order to reduce the file size. However, this means that large packets will have their payload truncated, so your results when going through the labs may vary slightly from what is printed. The overall analysis should still remain unchanged.
| Download | MD5 checksum |
|---|---|
| sample-1500.pcap (1.6 GB) | 7c1b3b4bd50ea353e96e492e3e359e08 |
| sample-500.pcap (832 MB) | 492f011aa4f6547ca2b52f1e7b2269a0 |
| sample-200.pcap (523 MB) | 6a2a522169a3dc0148c55b987c7f5e66 |
Please note that processing large pcaps in many of these labs will take a couple of minutes to finish.
If you enjoy these labs and are interested in learning more about network threat hunting:
Thank you for participating!