The provided capture file contains traffic from two protocols: LDAP traffic from a Windows Active Directory environment and KRB5 (Kerberos) traffic.
The LDAP traffic yields several pieces of information: the username ("Copper") of the compromised account used to conduct the attack; the Distinguished Name of the Domain Controller (CN=SRV195,OU=Domain Controllers,DC=rebcorp,DC=htb); the domain it manages (rebcorp.htb); the per-account failed-logon counter (the badPwdCount attribute) of the user "Ranger", which stands at 14; and the LDAP search filter (objectClass=group) used to enumerate all groups.
Five non-standard groups were found in the LDAP analysis.
The KRB5 traffic, together with the LDAP modify and add requests that accompany it, shows a user ("Radiation") whose account is flagged as disabled; the attribute (wWWHomePage) the attacker wrote into one user's profile; a new user created for persistence, with the username "B4ck" and membership in the group "Enclave"; and an AS-REP for the user "Hurricane", whose account has the UF_DONT_REQUIRE_PREAUTH flag set. Because pre-authentication is not required for that account, the KDC hands out the AS-REP, encrypted with a key derived from the user's password, to anyone who asks, so its encrypted part can be lifted from the capture as an AS-REP roasting hash and cracked offline; here it cracks to the plaintext password "april18".