Activity 3: Respond to Incident involving Possible SQL Injection with Financial Credit Card Data Affected
Incident Case:
A DLP security appliance has alerted to an attempt to exfiltrate credit card data. Management would like to know if any customer credit card data was actually exfiltrated, and if so where to, amongst other questions.
You are provided with a pcap of traffic related to the primary Card Data Environment (CDE) server, and a memory dump of that same server. The server runs several applications, including a Microsoft SQL Server instance that houses some customer information but not credit card numbers; there are, however, other locations on the server that do contain credit card data.
Activity Tasks
Answer the following questions. You will need to use tools such as Wireshark, Zeek, and Volatility, and possibly some research. You might find it valuable to use some Volatility plugins, and you might need to be creative.
Suspected compromised server is 192.168.248.198.
1. Does there appear to be any SQL Injection attempts against this server?
2. Were any of the SQL Injection attempts successful?
3. Were there any users created?
4. Were there any executable files transferred? If so, list them.
5. Is there any evidence of any of these files being executed? Is this evidence in memory, in traffic, or both?
6. Are there any indications of connections to or from the device which appears to have attempted the SQL Injection attacks? If so, what ports were involved (source and destination)?
7. Does the attacker appear to have used PowerShell at all?
   a. If the answer is yes, where did you find evidence of this?
8. What PowerShell commands did the attacker run, and what do those commands do?
9. What files, if any, did the attacker interact with using PowerShell? If the attacker interacted with any files, what do those files contain? See if there is a way to extract files using Volatility.
10. Are you able to conclusively answer whether or not any credit card data was exfiltrated? If yes, explain how; if not, explain why you don't think it happened.
11. If you were able to discover any credit card data, explain to the best of your ability how it was exfiltrated, if indeed it was exfiltrated.
Please attach screenshots of the screen where possible.
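As an added example (not part of this activity's materials), the kind of triage script one might write while working through the questions above: it flags injection-looking request URIs in Zeek http.log records, keeping the source host and destination host:port, and scans raw bytes (a reassembled TCP stream or a carved memory region) for Luhn-valid card numbers so that a DLP-style hit can be confirmed rather than guessed. The log records, indicator patterns and the client address 192.168.248.5 are constructed for illustration; the server address is the one given in the activity.

```python
import re
from urllib.parse import unquote_plus
# Constructed Zeek http.log-style records (ts, id.orig_h, id.resp_h, id.resp_p, method, uri); not from the lab's pcap.
SAMPLE_HTTP_LOG = """\
1600000000.1\t192.168.248.5\t192.168.248.198\t80\tGET\t/customers.aspx?id=42
1600000000.2\t192.168.248.5\t192.168.248.198\t80\tGET\t/customers.aspx?id=42%27+OR+1%3D1--
1600000000.3\t192.168.248.5\t192.168.248.198\t80\tGET\t/customers.aspx?id=1%3B+EXEC+xp_cmdshell+%27whoami%27--
"""
# (name, regex) heuristics run against the URL-decoded request URI; MSSQL-specific ones included.
SQLI_INDICATORS = [
    ("tautology", re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I)),
    ("union_select", re.compile(r"union\s+(?:all\s+)?select", re.I)),
    ("stacked_exec", re.compile(r";\s*exec\b", re.I)),
    ("xp_cmdshell", re.compile(r"xp_cmdshell", re.I)),
]

def sqli_indicators(uri: str) -> list[str]:
    """Names of the heuristics that fire on one request URI."""
    decoded = unquote_plus(uri)
    return [name for name, rx in SQLI_INDICATORS if rx.search(decoded)]

def triage_http_log(text: str) -> list[dict]:
    """Flag suspicious requests, keeping source host and destination host:port."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):  # skip Zeek header/footer lines
            continue
        ts, orig_h, resp_h, resp_p, _method, uri = line.split("\t")[:6]
        names = sqli_indicators(uri)
        if names:
            hits.append({"ts": ts, "src": orig_h, "dst": f"{resp_h}:{resp_p}", "indicators": names})
    return hits

def luhn_ok(digits: str) -> bool:
    """Luhn checksum that valid payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

PAN_RX = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digits, optional separators
def find_pans(blob: bytes) -> list[tuple[int, str]]:
    """(offset, masked PAN) for Luhn-valid digit runs in raw bytes; non-Luhn runs are dropped."""
    found = []
    for m in PAN_RX.finditer(blob):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if luhn_ok(digits):
            found.append((m.start(), digits[:6] + "*" * (len(digits) - 10) + digits[-4:]))
    return found
```

Run `triage_http_log(SAMPLE_HTTP_LOG)` to see which requests and which source/destination pairs are flagged, and feed `find_pans` the bytes of a stream exported from Wireshark or a region carved out of the memory dump.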