Tags: intel badtraffic dns 

Rating: 4.0

**Challenge**
###### That APT might’ve compromised our networks. We’ve included a PCAP of suspicious activity. What tool is the APT using to steal data? (Wrap the answer in RS{})

For this challenge, a pcap of captured data was given and our challenge was to find what tool was being used by the APT group to exfiltrate data from the servers. My go-to tool for pcap forensics is Wireshark, so I launched Wireshark and loaded the pcap file.

My first step is usually to use the protocol hierarchy to view the statistics of the packet capture. This option displays each protocol and the frequency of packets in the present protocols.

**Solving**

I disregarded TCP and TLS since the TCP had nothing interesting and TLS was encrypted (as usual). DNS was the protocol in my mind since I have read a lot on the effectiveness of data exfiltration using DNS.
A good look at the DNS traffic confirmed my suspicion when I saw strings like "passwd", "shadow" and "group" in the DNS traffic. It seems the APT group was using DNS to exfiltrate the Unix passwd and shadow files.
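The kind of triage described above, as an added example that is not part of the original writeup: a small parser that pulls the query name out of a raw DNS message and a scoring function that flags the traits seen in this pcap (a file-name keyword such as "passwd" or "shadow", unusually long labels and query names, and high-entropy subdomains where encoded file chunks sit). The sample queries, the `attacker.example` domain and the thresholds are constructed for the example, not taken from the challenge pcap.

```python
import base64
import math
import struct
from collections import Counter

KEYWORDS = ("passwd", "shadow", "group")  # file names that showed up in the challenge traffic

def build_query(qname: str) -> bytes:
    """Build a minimal DNS A query (UDP payload only). Constructed test data, not the challenge pcap."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, flags(RD), QDCOUNT=1
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN

def parse_qname(payload: bytes) -> str:
    """Return the first question name from a raw DNS message (question names are not compressed)."""
    offset, labels = 12, []          # question section starts right after the 12-byte header
    while payload[offset] != 0:
        length = payload[offset]
        if length & 0xC0:
            raise ValueError("unexpected compression pointer in question name")
        labels.append(payload[offset + 1:offset + 1 + length].decode("ascii", "replace"))
        offset += 1 + length
    return ".".join(labels)

def entropy(text: str) -> float:
    """Shannon entropy in bits per character; encoded file chunks score high, hostnames low."""
    return -sum(c / len(text) * math.log2(c / len(text)) for c in Counter(text).values())

def score_query(qname: str, max_label=30, max_qname=60, min_entropy=3.5) -> list:
    """Reasons a query looks like DNS exfiltration; an empty list means nothing stood out."""
    labels = qname.split(".")
    subdomain = "".join(labels[:-2])         # everything below the registrable domain
    reasons = []
    if any(len(l) > max_label for l in labels):
        reasons.append("long label")
    if len(qname) > max_qname:
        reasons.append("long qname")
    if subdomain and entropy(subdomain) > min_entropy:
        reasons.append("high entropy")
    reasons += [f"keyword:{k}" for k in KEYWORDS if k in qname.lower()]
    return reasons

def triage(payloads) -> dict:
    """Map each suspicious query name to its reasons; unremarkable names are dropped."""
    return {q: r for q in map(parse_qname, payloads) if (r := score_query(q))}

# Constructed samples: one benign lookup, one base64-encoded /etc/passwd line carried as a label.
CHUNK = base64.b64encode(b"root:x:0:0:root:/root:/bin/bash").decode().rstrip("=")
SAMPLES = [build_query("www.example.com"), build_query(f"{CHUNK}.passwd.attacker.example")]
```

Run `triage(SAMPLES)` to see only the encoded query reported, with the reasons it tripped; on a real capture you would feed it the UDP payloads of the DNS packets and then look at which names dominate.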

Back to the challenge now: try to find out what tool is being used to exfiltrate data.
Armed with the protocol, I tried different tools that are used for C2 and use DNS to get data from the target. Some of them include dnscat for tunneling, DnsExfiltrator, and the most frequently used and easy-to-use one, dnsteal.

Dnsteal was the likely answer since the length of the DNS packets for outbound traffic increased when sending the passwd and shadow files, and also it is easy to use when exfiltrating the passwd and shadow files.
This challenge was too guessy but the result of the flag was RS{DNSteal}.