I will teach Network Forensics for Incident Response at the IT security conference x33fcon in Gdynia, Poland on June 11-12. In this hands-on class you will get a chance to perform network based threat hunting and deep dive into packet analysis for two days. The first day will be spent using open source tools, such as Wireshark, NetworkMiner, Suricata, Zeek, tcpflow and ngrep. On the second day we’ll also use NetworkMiner Professional and CapLoader. All training participants will get a 6 month license for CapLoader as well as NetworkMiner Professional.
Image: Motława river by Diego Delso, delso.photo (CC-BY-SA)
About x33fcon
x33fcon is held in Gdynia (Gdańsk), which is located on the Baltic coast in northern Poland. The conference’s focus is on collaboration between attackers and defenders. Their goal is to encourage security professionals to consider both perspectives while working more closely together.
I will teach two live online network forensics classes in March, one on European morning time, and the other on US morning time. The subject for both classes is network forensics in an incident response context.
The training is split into four interactive morning sessions, so that you have the afternoon free to either practice what you learned in class or catch up with your “normal” day job. The number of attendees will be limited in order to provide a good environment for taking questions. A maximum of 15 attendees will be accepted per class. The registration will be closed once we reach this attendee limit.
🇪🇺 March 4-7, 2024: PCAP in the Morning Europe
⏲️ Time: 8:30 AM to 12:30 PM CET
💸 Price: € 930 EUR per student
🇺🇸 March 25-28, 2023: PCAP in the Morning US
⏲️ Time: 9:30 AM to 1:30 PM EDT
💸 Price: $1,000 USD per student
We will be analyzing a unique 30GB PCAP data set captured during June 2020
on an Internet connected network with multiple clients, an AD server, a web server,
an android tablet and some embedded devices.
As you’ve probably guessed, the capture files contain traffic
from multiple intrusions by various attackers, including APT style attackers and botnet operators.
The initial attack vectors are using techniques like exploitation of web vulnerabilities,
spear phishing, a supply chain attack and a man-on-the-side attack!
In this training you'll get first-hand experience looking at C2 and backdoor protocols, such as Cobalt Strike, TrickBot, njRAT and Meterpreter.
See our training page for more info about the “PCAP in the Morning” classes.
To sign up for a class, simply send an email to sales@netresec.com with the class dates,
your name and invoice address.
We will then send you a PayPal payment link that you can use to complete your training registration.
Hope to see you there!
Cheers,
Erik Hjelmvik Creator of NetworkMiner and founder of Netresec
Posted by Erik Hjelmvik on Monday, 11 December 2023 12:55:00 (UTC/GMT)
I will be teaching two live online network forensics classes this spring,
one in March and one in April.
The March class is adapted to American time
and the April one is adapted to European time.
Both classes focus on doing network forensics in an incident response context.
The training is split into four interactive morning sessions,
so that you have the afternoon free to either practice what you learned in class or do your “normal” day job.
The number of attendees will be limited in order to enable attendees to ask questions
or even cover short ad-hoc side tracks.
We plan to accept 10 to 15 attendees per class.
The class registration will be closed once we reach this attendee limit.
🇺🇸 March 20-23, 2023: PCAP in the Morning US
⏲️ Time: 9:30 AM to 1:30 PM EDT
💸 Price: $1,000 USD per student
🇪🇺 April 17-20, 2023: PCAP in the Morning Europe
⏲️ Time: 8:30 AM to 12:30 PM CEST
💸 Price: € 950 EUR per student
We will be analyzing a unique 30GB PCAP data set captured during June 2020
on an Internet connected network with multiple clients, an AD server, a web server,
an android tablet and some embedded devices.
As you’ve probably guessed, the capture files contain traffic
from multiple intrusions by various attackers, including APT style attackers and botnet operators.
The initial attack vectors are using techniques like exploitation of web vulnerabilities,
spear phishing, a supply chain attack and a man-on-the-side attack!
See our training page for more info about the “PCAP in the Morning” classes.
To sign up for a class, simply send an email to sales@netresec.com with the class dates,
your name and invoice address.
We will then send you a PayPal payment link that you can use to complete your training registration.
Hope to see you there!
Cheers,
Erik Hjelmvik Creator of NetworkMiner and founder of Netresec
Posted by Erik Hjelmvik on Tuesday, 17 January 2023 10:18:00 (UTC/GMT)
We have now scheduled two new live online classes,
one in September and one in October.
The September class is adapted to European time
and the October one is adapted to American time.
The contents are exactly the same in both classes.
The training is split into four interactive morning sessions (4 hours each),
so that you have the afternoon free to either practice what you learned in class or do your “normal” day job.
The number of attendees will be limited in order to enable attendees to ask questions
or even cover short ad-hoc side tracks.
We plan to accept something like 10 to 15 attendees per class.
The class registration will be closed once we reach this attendee limit.
🇪🇺 September 20-23, 2021. Live Online Training "PCAP in the Morning EU"
⏲️ Time: 8:30 AM to 12:30 PM CET (Central European Time)
💸 Price: € 820 EUR per student (€ 738 EUR if registering before August 20)
🇺🇸 October 25-28, 2021. Live Online Training "PCAP in the Morning US"
⏲️ Time: 9:00 AM to 1:00 PM EDT (US Eastern Daylight Time)
💸 Price: $1,000 USD per student ($900 USD if registering before September 25)
We will be analyzing a unique 30GB PCAP data set captured during June 2020
on an Internet connected network with multiple clients, an AD server, a web server,
an android tablet and some embedded devices.
As you’ve probably guessed, the capture files contain traffic
from multiple intrusions by various attackers, including APT style attackers and botnet operators.
The initial attack vectors are using techniques like exploitation of web vulnerabilities,
spear phishing, a supply chain attack and a man-on-the-side attack!
See our training page for more info about the “PCAP in the Morning” classes.
To sign up for a class, simply send an email to sales@netresec.com with the class dates,
your name and invoice address.
We will then send you a PayPal payment link that you can use to complete your training registration.
Hope to see you there!
Cheers,
Erik Hjelmvik Creator of NetworkMiner and founder of Netresec
Posted by Erik Hjelmvik on Monday, 07 June 2021 09:55:00 (UTC/GMT)
The capture file starts with a DNS lookup for banusdona.top, which resolved to 172.67.188.12, followed by an HTTP GET request for "/222g100/index.php" on that domain.
The following PowerShell oneliner is returned in the HTTP response from banusdona.top:
This oneliner instructs the initial dropper to download a Win32 DLL payload from
http://banusdona[.]top/222g100/main.php and save it as "JwWdx.dat" in the user's temp directory and then run the DLL with:
rundll32.exe %TEMP%\JwWdx.dat,DllRegisterServer
As you can see in the screenshot below, the HTTP response for this second request to banusdona.top has Content-Type "application/octet-stream",
but also a conflicting Content-disposition header of "attachment;filename=data.jpg", which indicates that the file should be saved to disk as "data.jpg".
Nevertheless, the "MZ" header in the transferred data reveals that the downloaded data wasn't an image, but a Windows binary (dll or exe).
Image: CapLoader transcript of IcedID malware download
The downloaded file gets extracted from the pcap file by NetworkMiner as "data.jpg.octet-stream".
Right-clicking "data.jpg.octet-stream" in NetworkMiner and selecting "Calculate MD5..." brings up a new window with additional file details,
such as MD5 and SHA hashes of the reassembled file.
This file is
available on VirusTotal,
where we can see that it's a DLL that several AV vendors identify as "Cerbu" or "IcedID".
VirusTotal's
C2AE sandbox analysis of the DLL
also reveals the domain name "momenturede.fun" in the process' memory.
As you might expect, a connection is made to that domain just a few seconds later.
A nice overview of these connections can be seen in CapLoader's Flow tab.
Image: CapLoader showing initial flows from the IcedID malware execution
The momenturede.fun server returns a 500kB file, which NetworkMiner extracts from the pcap file as "index.gzip".
Right after the IcedID download we see a series of HTTPS connections towards odd domains like
vaccnavalcod.website, mazzappa.fun, ameripermanentno.website and odichaly.space,
all of which resolved to IP 83.97.20.176.
That host is most likely a command-and-control (C2) server used by the IcedID malware.
CapLoader's "Services" tab also reveals that the TLS connections to port 443 on 83.97.20.176 are very periodic,
with a new connection every 5 minutes.
Periodic connection patterns like this is a typical indicator of C2 traffic,
where the malware agent connects back to the C2 server on regular intervals to check for new tasks.
Image: CapLoader's Services tab showing that the IcedID malware agent connects to the C2 server every 5 minutes (00:05:01).
The traffic to 83.97.20.176 is encrypted, so we can't inspect the payload to verify whether or not it is IcedID C2 communications.
What we can do, however, is to extract the HTTPS server's X.509 certificate and the JA3 hash of the client's TLS implementation from the encrypted traffic.
NetworkMiner has extracted the X.509 certificates for vaccnavalcod.website, mazzappa.fun, ameripermanentno.website and odichaly.space to disk as "localhost.cer".
It turns out that all these sites used the same self-signed certificate, which had SHA1 fingerprint 452e969c51882628dac65e38aff0f8e5ebee6e6b.
The X.509 certificate was created using OpenSSL's default values, such as "Internet Widgits Pty Ltd" etc.
Further details about this certificate can be found on
censys.io.
The JA3 hashes used by the IcedID malware agent can be found in NetworkMiner's Hosts tab as well as in the Parameters tab.
Image: NetworkMiner's Parameters tab with keyword filter "JA3 Hash"
The JA3 hashes for the client that connects to the C2 server are
a0e9f5d64349fb13191bc781f81f42e1 and 3b5074b1b5d032e5620f69f9f700ff0e.
Several legitimate Windows applications unfortunately have the same JA3 hashes, so we can't use them to uniquely identify the IcedID agents.
The IcedID C2 traffic continues for over 19 hours, at which point we suddenly see a connection to a new suspicious domain called "lesti.net" on 185.141.26.140.
The first HTTP request to that domain is used to download a 261703 byte file, as can be seen in this Flow Transcript from CapLoader:
NetworkMiner extracts this file as "9r8z.octet-stream".
This turns out to be a Cobalt Strike beacon download, which we can decode with Didier Stevens'
fantastic
1768.py script.
The output from 1768.py reveals that this Cobalt Strike beacon is using the following URIs for C2 communication:
GET URI: http://lesti[.]net/userid=
POST URI: http://lesti[.]net/update.php
We can also see that the Cobalt Strike license-id (a.k.a. watermark) is 1580103814.
This ID can be used to link this Cobalt Strike beacon to other campaigns.
Below is a list of Cobalt Strike C2 servers using license-id 1580103814
discovered by Tek in December 2020:
45.147.229[.]157
selfspin[.]com
savann[.]org
palside[.]com
server3.msadwindows[.]com
mapizzamates[.]com
fixval[.]com
rackspare-technology[.]download
108.177.235[.]148
matesmapizza[.]com
Update 4 May 2021
Sergiu Sechel published a blog post
yesterday, which included a list of Cobalt Strike C2 servers.
We fed this list to Tek's scan_list.py script in order to see if license-id 1580103814 is still active.
It turned out it was. We found the following 27 domains and IP's running Cobalt Strike C2 servers on TCP 443 using that license-id.
Security researcher Michael Koczwara is tracking Cobalt Strike license 1580103814 as APT actor LuckyMouse (a.k.a. Emissary Panda or APT 27).
Michael's Cobalt Stike C2 dataset, which currently contains 25 unique C2 IPs and domains for license-id 1580103814, is available as a
Google Docs spreadsheet (see the "LuckyMouse Actor" tab).
Are you interested in learning more about how to analyze captured network traffic from malware and hackers?
Have a look at our network forensic trainings.
Our next class is a live online event called PCAP in the Morning.
Posted by Erik Hjelmvik on Monday, 19 April 2021 09:45:00 (UTC/GMT)
Would you like to spend four mornings in May analyzing capture files together with me?
I have now scheduled a live online network forensics training called “PCAP in the Morning”
that will run on May 3-6 (Monday to Thursday) between 8:30 AM and 12:30 PM EDT (US Eastern Daylight Time).
We will be analyzing a unique 30GB PCAP data set captured during June 2020
on an Internet connected network with multiple clients, an AD server, a web server,
an android tablet and some embedded devices.
As you’ve probably guessed, the capture files contain traffic from multiple intrusions
by various attackers, including APT style attackers and botnet operators.
The initial attack vectors are using techniques like exploitation of web vulnerabilities,
spear phishing, a supply chain attack and a man-on-the-side attack!
See our
training page
for more info about the “PCAP in the Morning” training.
To sign up for my “PCAP in the Morning” class, simply send an email to sales@netresec.com with your name and invoice address. We will then send you a PayPal payment link that you can use to complete your training registration. The training costs $950 USD per participant, for which you will also get a six month single user license for NetworkMiner Professional and CapLoader.
Hope to see you there!
Cheers,
Erik Hjelmvik Creator of NetworkMiner and founder of Netresec
Update June 7, 2021
We have now scheduled two new training events adapted for students in different time zones.
September 20-23, 2021. Live Online Training "PCAP in the Morning EU" (🇪🇺)
October 25-28, 2021. Live Online Training "PCAP in the Morning US" (🇺🇸)
More information about the network forensics classes can be found on our training page.
Posted by Erik Hjelmvik on Friday, 19 March 2021 14:03:00 (UTC/GMT)
This video tutorial is a walkthrough of how you can analyze the PCAP file
UISGCON-traffic-analysis-task-pcap-2-of-2.pcap
(created by Brad Duncan).
The capture file contains a malicious Word Document (macro downloader), Emotet (banking trojan),
TrickBot/Trickster (banking trojan) and an EternalChampion (CVE-2017-0146)
exploit used to perform lateral movement.
Wanna improve your network forensics skills? Take a look at our
trainings,
the next scheduled class is on March 18-19 at the
TROOPERS conference in Germany.
Posted by Erik Hjelmvik on Wednesday, 23 January 2019 14:00:00 (UTC/GMT)
The free and open source network forensics tool NetworkMiner now comes with improved extraction of files
and metadata from several protocols as well as a few GUI updates.
But the biggest improvements for version 2.3 are in the commercial tool NetworkMiner Professional,
which now supports VoIP call audio extraction and playback as well as OSINT lookups of file hashes,
IP addresses, domain names and URLs.
I’m happy to announce that NetworkMiner 2.3 now does an even better job than before at extracting files
and metadata from several protocols. Improvements have been made in the parsers for the following protocols:
HTTP, IEC-104, IPv4, Modbus, SIP, SMB, SMB2, SMTP and SSL/TLS.
We have also added support for the SNMP protocol in NetworkMiner 2.3,
so that SNMP community strings can be extracted and displayed on the Parameters and Credentials tabs.
Another change is that timestamps are now displayed using the UTC time zone instead of using the local time zone.
We have also fixed a few GUI quirks in order to further improve the usability of the tool.
NetworkMiner Professional
The commercial version of NetworkMiner, i.e. NetworkMiner Professional,
comes with several additional improvements which are presented below.
VoIP Call Playback
NetworkMiner Professional has received a new tab called “VoIP”,
which enables audio playback of VoIP calls that are using SIP and RTP with G.711 μ-law or A-law encoding
(u-Law is primarily used in North America and Japan while A-law is used in Europe and most other parts of the world).
Video: Audio playback and extraction to WAV from the “SIP_CALL_RTP_G711” PCAP file in the
Wireshark Sample Captures.
The audio streams from the VoIP calls are also extracted to disk as .WAV files when codecs
G.729 or
G.711
(u-Law and A-Law) is used. NetworkMiner Professional also attempts to reassemble RTP streams encoded with
G.722 to .au files.
OSINT Lookups of IP Addresses, Domains, URLs and File Hashes
Right-clicking a network host in NetworkMiner Professional’s Hosts tab brings up a context menu with options for performing lookups of IP
and domain names using external sources. We refer to this method as open-source intelligence (OSINT) because the accessed data resides at
publicly available sources.
Clicking on an OSINT provider brings up a webpage with more detailed information about the selected IP address, such as
IBM X-Force,
mnemonic Passive DNS,
Shodan,
UrlQuery or
VT.
However, if you’re lazy like me, then you’ll probably click the “All above!” option instead,
which will bring up all of the sources in separate tabs in your browser.
The full list of OSINT providers available for IP lookups includes
APNIC Whois, BFK Passive DNS,
Censys,
Cymon,
DNSTrails,
ExoneraTor, Google Public DNS, GreenSnow.co, Hurricane Electric, IBM X-Force, Internet Storm Center, mnemonic Passive DNS,
PacketTotal,
Shodan,
ThreatCrowd,
ThreatMiner,
UrlQuery and VirusTotal.
The domain name lookup menu contains a similar set of providers:
BFK Passive DNS, Cymon,
DNSTrails, Google Public DNS, Google Safe Browsing,
Hybrid Analysis, IBM X-Force Exchange, mnemonic Passive DNS,
MXToolBox, MyWOT, Norton Safe Web,
PacketTotal,
ThreatCrowd,
ThreatMiner,
URL Void, UrlQuery, VirusTotal, Website Informer, Webutation and Whoisology.
Right-clicking a URL in the Browsers tab brings up a similar context menu, which additionally includes the following services for URL lookups:
Google Safe Browsing, IBM X-Force,
ThreatMiner,
URLhaus and
UrlQuery.
Finally, right-clicking on one of the files that NetworkMiner has extracted from a PCAP file brings up a menu for doing OSINT lookups based on
the MD5 or SHA256 hash of the file. The sources used for lookups of hashes include IBM X-Force,
PacketTotal,
ThreatCrowd,
TotalHash,
UrlQuery, VirScan.org, Comodo Valkyrie,
AlienVault OTX,
Hybrid Analysis,
ThreatMiner and VirusTotal.
Hybrid Analysis API Integration
Did you know that the malware analysis service Hybrid Analysis provides free API keys to people in the IT security community?
This is a great move by the Hybrid Analysis team, and we’re happy to announce that we have leveraged their API in NetworkMiner Professional
in order to submit files for analysis directly from within the NetworkMiner GUI.
The API integration also enables you to query for an IP on Hybrid Analysis to see which previously submitted samples has communicated
with that particular IP address.
Here are the steps required to enable the Hybrid Analysis API integration:
Start NetworkMiner Pro, open the Tools > Settings menu and input your API key
Credits
I would like to thank
Chris Sistrunk, Mats Karlsson and Michael Nilsson for suggesting several of the protocol and GUI improvements
that have been incorporated into this new release.
I’d also like to thank Doug Green and Ahmad Nawawi for discovering and reporting bugs in the
IP and SSL parser respectively.
Upgrading to Version 2.3
Users who have purchased a license for NetworkMiner Professional 2.x can download a free update to version 2.3 from our
customer portal.
Those who instead prefer to use the free and open source version can grab the latest version of NetworkMiner from the official
NetworkMiner page.
⛏ FOR GREAT JUSTICE! ⛏
Posted by Erik Hjelmvik on Tuesday, 03 April 2018 06:27:00 (UTC/GMT)
