Cybersecurity Practical Assignment - Week 3

The document outlines a cybersecurity practical assignment focusing on threat hunting, log analysis, capture analysis, phishing awareness, and a decoding challenge. Threat hunting is described as a proactive approach in a SOC to identify threats that have not triggered alerts, contrasting with reactive regular monitoring. The document also includes practical tasks such as identifying suspicious login attempts, analyzing TCP connections, recognizing phishing signs, and decoding a Base64 string.

Uploaded by

Abiha Shams

Cybersecurity Practical Assignment
Week 3
Syeda Abiha Shams
1. Threat Hunting Basics
Explain what Threat Hunting is in a SOC (Security Operations Center). Why is it different
from regular monitoring?

Threat Hunting:

Threat hunting is a proactive security activity carried out by analysts in a Security Operations Center
(SOC).
It means actively looking for threats inside the network or systems that have not yet triggered any alerts.

- Instead of waiting for an IDS/IPS, SIEM, or antivirus tool to raise an alert, hunters dig through
logs, endpoints, and network traffic to find hidden or emerging threats.
- The goal is to detect attackers who evade traditional defenses (such as zero-day malware, insider
threats, or advanced persistent threats, APTs).

Difference between Threat Hunting and Regular Monitoring

Regular Monitoring                                       | Threat Hunting
---------------------------------------------------------|----------------------------------------------------------------
Reactive: waits for alerts from tools (SIEM, IDS,        | Proactive: analysts actively search for suspicious activity.
firewalls, AV).                                          |
Starts when an alert/alarm is generated.                 | Starts without an alert, based on a hypothesis, threat intel,
                                                         | or an anomaly.
Known threats, signatures, rule-based detection.         | Unknown threats, stealthy attacks, behavioral patterns.
Example: responding to SIEM alerts about brute-force     | Example: investigating abnormal PowerShell commands, rare
logins.                                                  | connections, or data exfiltration patterns even if no alert
                                                         | was triggered.

2. Log Analysis (Practical Task)

~Open your system logs (Windows: Event Viewer, Linux: /var/log/)


~Identify one suspicious or failed login attempt.
~Write down the date, time, and event details in your report.

No suspicious or failed login attempt was found.
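The task above is easier to do, and to repeat, with a small script than by scrolling through Event Viewer or /var/log/auth.log. The following Python example is added here and is not part of the assignment or its answer. It parses constructed sshd "Failed password" lines in the syslog format Debian/Ubuntu write to /var/log/auth.log (the log lines, host name and addresses are made up; the year is an assumption because syslog timestamps carry none), prints each failure with its date, time and details as the task asks, and then flags a source that crosses a threshold of failures inside a short window, which is the difference between one mistyped password and a brute-force attempt. On Windows the equivalent record is Security log Event ID 4625 (an account failed to log on); the same sliding-window logic applies to the source address in that event.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of the syslog-style lines sshd writes to /var/log/auth.log on
# Debian/Ubuntu hosts. These lines are illustrative, not copied from a real system.
SAMPLE_AUTH_LOG = """\
Sep 14 08:01:12 lab-host sshd[2311]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Sep 14 08:01:15 lab-host sshd[2311]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Sep 14 08:01:19 lab-host sshd[2314]: Failed password for root from 203.0.113.45 port 51030 ssh2
Sep 14 08:01:22 lab-host sshd[2316]: Failed password for root from 203.0.113.45 port 51034 ssh2
Sep 14 08:01:25 lab-host sshd[2318]: Failed password for root from 203.0.113.45 port 51040 ssh2
Sep 14 08:03:40 lab-host sshd[2330]: Accepted publickey for alice from 198.51.100.7 port 40012 ssh2: ED25519 SHA256:k7Yp...
Sep 14 08:10:02 lab-host sshd[2345]: Failed password for alice from 198.51.100.7 port 40100 ssh2
Sep 14 08:10:09 lab-host sshd[2345]: Accepted password for alice from 198.51.100.7 port 40100 ssh2
"""

# One regex for the "Failed password" event. The optional "invalid user" prefix means
# the account does not exist on the host, a classic sign of password guessing.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)


def parse_failed_logins(log_text, year=2024):
    """Return one dict per failed-login line (date/time, user, source IP, port).

    auth.log timestamps carry no year, so the caller supplies one (assumption).
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({
            "time": when,
            "host": m["host"],
            "user": m["user"],
            "invalid_user": m["invalid"] is not None,
            "ip": m["ip"],
            "port": int(m["port"]),
        })
    return events


def flag_bruteforce(events, threshold=5, window_seconds=60):
    """Return {source_ip: max_failures_in_window} for sources that cross the threshold.

    A sliding window over the sorted timestamps per IP catches bursts of failures;
    a single mistyped password (the alice entry in the sample) stays below it.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev["time"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            hits = end - start + 1
            if hits >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), hits)
    return flagged


def report_lines(events):
    """Format events the way the assignment asks: date, time and event details."""
    return [
        f"{ev['time']:%Y-%m-%d %H:%M:%S} failed password for "
        f"{'invalid user ' if ev['invalid_user'] else ''}{ev['user']} "
        f"from {ev['ip']}:{ev['port']} on {ev['host']}"
        for ev in events
    ]


if __name__ == "__main__":
    failed = parse_failed_logins(SAMPLE_AUTH_LOG)
    print("\n".join(report_lines(failed)))
    print("brute-force sources:", flag_bruteforce(failed))
```

Run it against a real file by replacing SAMPLE_AUTH_LOG with the contents of /var/log/auth.log (reading it needs root or membership of the adm group on Ubuntu). The threshold and window are tuning knobs: five failures in a minute from one address is a reasonable starting point, but a slow attacker spreading attempts over hours will stay under it, which is exactly the kind of gap threat hunting (section 1) exists to close.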

3. Packet Capture Analysis (Mini Task)
~Use Wireshark or any online packet capture sample.

~Find at least one TCP connection and explain what you observed (e.g., source IP,
destination IP, protocol).

In the Wireshark capture, I observed a TCP connection between the following hosts:

- Source IP (Address A): [Link]
- Destination IP (Address B): [Link]
- Source Port: 18801
- Destination Port: 5222

This connection transferred a total of 25 packets with 3075 bytes sent from the source to the destination
and 1080 bytes sent in return.

The relative start time was approximately 0.669161 seconds into the capture, and the connection lasted
for about 32.84 seconds. The data flow rate averaged 263 bits/s from source to destination and 485 bits/s
in the opposite direction.

The destination port 5222 is commonly used for XMPP (Extensible Messaging and Presence Protocol),
often associated with chat or messaging services. This indicates that the local machine
([Link]) likely initiated a TCP connection to an external server ([Link]) to
communicate over an XMPP-based service.
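The figures quoted above (packets, bytes in each direction, relative start, duration, bits per second) are what Wireshark's Statistics > Conversations view computes from the individual frames. The Python example below is an added illustration, not part of the assignment, of how those numbers are derived: it groups constructed packets into TCP conversations, picks "Address A" as the endpoint that sent the bare SYN (the initiator), and computes per-direction counts and average rates as bytes * 8 / duration. The packets, addresses (RFC 5737 documentation ranges) and the small port-to-service table are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One frame as Wireshark's packet list shows it (constructed, not a real capture)."""
    t: float      # seconds since the first frame (Wireshark "Time" column)
    src: str
    sport: int
    dst: str
    dport: int
    length: int   # frame length on the wire, in bytes
    flags: str    # TCP flags as letters: S=SYN, A=ACK, P=PSH, F=FIN, R=RST


# Constructed sample: one session to port 5222 plus the start of an unrelated TLS
# handshake, so that grouping into conversations is visible.
SAMPLE_PACKETS = [
    Packet(0.669, "192.0.2.10", 18801, "198.51.100.20", 5222, 74, "S"),
    Packet(0.700, "198.51.100.20", 5222, "192.0.2.10", 18801, 74, "SA"),
    Packet(0.701, "192.0.2.10", 18801, "198.51.100.20", 5222, 66, "A"),
    Packet(0.710, "192.0.2.10", 18801, "198.51.100.20", 5222, 230, "PA"),
    Packet(0.760, "198.51.100.20", 5222, "192.0.2.10", 18801, 180, "PA"),
    Packet(1.000, "192.0.2.10", 40000, "203.0.113.5", 443, 74, "S"),
    Packet(1.050, "203.0.113.5", 443, "192.0.2.10", 40000, 74, "SA"),
    Packet(2.500, "192.0.2.10", 18801, "198.51.100.20", 5222, 66, "A"),
    Packet(5.000, "192.0.2.10", 18801, "198.51.100.20", 5222, 66, "FA"),
    Packet(5.030, "198.51.100.20", 5222, "192.0.2.10", 18801, 66, "FA"),
    Packet(5.031, "192.0.2.10", 18801, "198.51.100.20", 5222, 66, "A"),
]

# Port-to-service hints (assumption: a small subset of the IANA registry).
WELL_KNOWN = {22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "https", 5222: "xmpp-client"}


def conversation_key(p):
    """Direction-independent key: both endpoints, ordered, so A->B and B->A merge."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def summarize_conversations(packets):
    """Group packets into TCP conversations and compute what Wireshark's
    Statistics > Conversations view reports: packets and bytes per direction,
    relative start, duration and average bits/s per direction.

    Address A is the endpoint that sent the bare SYN (the initiator). If no SYN
    was captured, the lower-sorted endpoint is used instead.
    """
    groups = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.t):
        groups[conversation_key(p)].append(p)

    summaries = []
    for key, pkts in groups.items():
        syn = next((p for p in pkts if "S" in p.flags and "A" not in p.flags), None)
        a = (syn.src, syn.sport) if syn else key[0]
        b = key[1] if a == key[0] else key[0]
        bytes_ab = sum(p.length for p in pkts if (p.src, p.sport) == a)
        bytes_ba = sum(p.length for p in pkts if (p.src, p.sport) == b)
        start, end = pkts[0].t, pkts[-1].t
        duration = end - start

        def rate(nbytes, duration=duration):
            return nbytes * 8 / duration if duration > 0 else 0.0

        summaries.append({
            "address_a": f"{a[0]}:{a[1]}",
            "address_b": f"{b[0]}:{b[1]}",
            "service": WELL_KNOWN.get(b[1], WELL_KNOWN.get(a[1], "unknown")),
            "packets": len(pkts),
            "bytes_a_to_b": bytes_ab,
            "bytes_b_to_a": bytes_ba,
            "rel_start": start,
            "duration": duration,
            "bits_per_s_a_to_b": rate(bytes_ab),
            "bits_per_s_b_to_a": rate(bytes_ba),
            "initiator_seen": syn is not None,
        })
    return summaries


if __name__ == "__main__":
    for s in summarize_conversations(SAMPLE_PACKETS):
        print(s)
```

Two caveats a practitioner would add to the write-up: the service name is only a guess from the port number, and a server can run anything on 5222, so confirm XMPP by looking at the payload (an XMPP session opens with an XML stream header, and a TLS-wrapped one shows a handshake instead); and the initiator is only certain when the SYN is in the capture, since a capture that starts mid-session shows no handshake and Wireshark then simply orders the endpoints.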

4. Phishing Awareness
You receive an email claiming you won a prize with a link.

~List 3 signs that indicate it might be phishing.

~Suggest how to verify the email’s legitimacy.

3 Signs it might be phishing:

1. Suspicious sender address → The email comes from an unknown or misspelled domain (e.g.,
prize@[Link] instead of [Link]).
2. Urgency or too-good-to-be-true offer → It claims you won a big prize without entering any
contest, and pressures you to “click immediately.”
3. Unusual or unsafe links/attachments → The link text looks legitimate, but when hovered over, it
points to a strange or unrelated website.

Verification of legitimacy:

- Check the sender's email domain carefully and compare it with the official company domain.
- Hover over the link (without clicking) to see the actual URL. Legitimate sites should match the
company's official website.
- Contact the company directly through their official website or customer support, not through the
email link.
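The three checks above (sender domain, urgency, link text versus real target) can be made mechanical. The Python example below is added here and is not part of the assignment: it parses a constructed prize e-mail, compares the From domain with an assumed official domain (example.com, with a look-alike examp1e.com as the sender), flags urgency wording, and, for every link, compares the domain shown in the link text with the host the href really points to. The message, domains and keyword list are all assumptions for the example; the "last two labels" domain comparison is a simplification that a real tool would replace with the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the brand the message claims to come from is "Example Corp" at example.com.
OFFICIAL_DOMAIN = "example.com"
BRAND = "example"

URGENCY_WORDS = ("immediately", "within 24 hours", "act now", "urgent",
                 "you have won", "claim your prize")

# Constructed sample message (RFC 5322 headers + HTML body); not a real e-mail.
SAMPLE_EMAIL = """\
From: Example Corp Rewards <rewards@examp1e.com>
Reply-To: claims@prize-claim.net
To: user@example.org
Subject: You have won a $1,000 prize - claim within 24 hours!
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Congratulations! You have won. Click immediately to claim your prize:</p>
<p><a href="http://example.com.prize-claim.net/claim?id=42">https://www.example.com/rewards</a></p>
</body></html>
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_indicators(raw_message):
    """Return (indicator, detail) pairs for the three signs discussed in the text:
    suspicious sender, urgency wording, and links whose visible text does not
    match where they really point."""
    msg = message_from_string(raw_message)
    findings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    if from_domain != OFFICIAL_DOMAIN:
        if edit_distance(from_domain, OFFICIAL_DOMAIN) <= 2 or BRAND in from_domain:
            findings.append(("sender-lookalike", from_addr))
        else:
            findings.append(("sender-unknown-domain", from_addr))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        findings.append(("reply-to-mismatch", reply_to))

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append(("urgency", ", ".join(hits)))

    for href, shown in ANCHOR_RE.findall(body):
        real_host = urlparse(href).hostname or ""
        shown_match = DOMAIN_IN_TEXT_RE.search(shown)
        shown_host = shown_match.group(1) if shown_match else ""
        if shown_host and registrable_domain(shown_host) != registrable_domain(real_host):
            findings.append(("link-mismatch", f"shows {shown_host}, goes to {real_host}"))
        elif registrable_domain(real_host) != OFFICIAL_DOMAIN:
            findings.append(("link-off-brand", real_host))
    return findings


if __name__ == "__main__":
    for indicator, detail in phishing_indicators(SAMPLE_EMAIL):
        print(f"{indicator:22} {detail}")
```

Note how the hostname example.com.prize-claim.net starts with the brand name but is registered under prize-claim.net; reading a URL from the left is the mistake this trick relies on, which is why the check compares the registrable domain rather than looking for "example.com" anywhere in the string. A clean result from a script like this does not prove a mail is genuine; the verification step in the text (contacting the company through its own site) still applies.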

5. Capture-the-Flag (CTF) Style Challenge

Decode this Base64 string (use any online decoder):

"Q3liZXJzZWN1cml0eSBpcyBQb3dlciE="

Write the decoded message in your submission.

Q3liZXJzZWN1cml0eSBpcyBQb3dlciE= decodes to: Cybersecurity is Power!
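An online decoder is fine for a CTF string, but anything that might be sensitive (tokens, credentials, data from an incident) should be decoded locally. The Python example below is added here, is not part of the assignment, and shows what a decoder actually does: each group of four Base64 symbols carries 24 bits that become three bytes, with "=" padding marking a short final group. It goes beyond the challenge string by also accepting the URL-safe alphabet (- and _ in place of + and /) and missing padding, both common in CTF challenges and in JWT tokens, and by rejecting characters outside the alphabet or padding in the wrong place; the test strings are constructed for the example.

```python
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
URLSAFE_ALPHABET = STD_ALPHABET[:-2] + "-_"


def decode_base64(encoded):
    """Decode a Base64 string by hand: 4 symbols of 6 bits become 3 bytes.

    Handles the standard (+/) and URL-safe (-_) alphabets (RFC 4648 sections 4
    and 5), ignores whitespace, tolerates missing '=' padding, and rejects
    characters outside the alphabet or padding that is not at the very end.
    """
    s = "".join(encoded.split())
    alphabet = URLSAFE_ALPHABET if ("-" in s or "_" in s) else STD_ALPHABET
    table = {c: i for i, c in enumerate(alphabet)}
    s += "=" * (-len(s) % 4)              # restore stripped padding
    out = bytearray()
    for i in range(0, len(s), 4):
        quad = s[i:i + 4]
        pad = len(quad) - len(quad.rstrip("="))
        if pad > 2 or (pad and i + 4 != len(s)):
            raise ValueError(f"invalid padding in {quad!r}")
        bits = 0
        for c in quad[:4 - pad]:          # accumulate 6 bits per symbol
            if c not in table:
                raise ValueError(f"invalid Base64 character {c!r}")
            bits = (bits << 6) | table[c]
        bits <<= 6 * pad                  # pad the group out to 24 bits
        out += bits.to_bytes(3, "big")[:3 - pad]   # drop bytes that were only padding
    return bytes(out)


def decode_base64_text(encoded, encoding="utf-8"):
    """Decode and return printable text, or None when the bytes are not text
    (a hint that the blob is binary, compressed, or encoded a second time)."""
    raw = decode_base64(encoded)
    try:
        text = raw.decode(encoding)
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def is_valid_base64(encoded):
    """True when the string decodes cleanly under the rules above."""
    try:
        decode_base64(encoded)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(decode_base64_text("Q3liZXJzZWN1cml0eSBpcyBQb3dlciE="))
```

In practice the standard library (base64.b64decode and base64.urlsafe_b64decode) does this job; the hand-rolled version is here so the 6-bit grouping and the meaning of the padding are visible. Note that the decoded challenge text is "Cybersecurity is Power!" with a capital P: the symbol "Q" in the group "cyBQ" carries the value 16 and fixes the high bits of that byte, so case is not a detail a decoder can get wrong.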

