One of our web servers triggered an AV alert, but none of the sysadmins say they were logged onto it. We’ve taken a network capture before shutting the server down to take a clone of the disk. Can you take a look at the PCAP and see if anything is up?
In this video walk-through, we covered analyzing the network capture from a compromised web server with Wireshark, as part of the HackTheBox Intro to Blue Team pathway.