NETRESEC Network Security Blog - Tag : video
Erik Hjelmvik
,
Friday, 04 October 2024 06:20:00 (UTC/GMT)
The VoIP tab is a unique feature only available in NetworkMiner Professional .
The analyzed PcapNG file comes from a blog post by Johannes Weber titled VoIP Captures .
See our NetworkMiner Professional tutorial videos for more tips and hints.
Posted by Erik Hjelmvik on Friday, 04 October 2024 06:20:00 (UTC/GMT)
Tags: #NetworkMiner Professional
#Video
#Tutorial
#VoIP
Short URL:
https://netresec.com/?b=24A65d3
Erik Hjelmvik
,
Thursday, 03 October 2024 09:10:00 (UTC/GMT)
The Browsers tab is a unique feature only available in NetworkMiner Professional .
The PCAP files analyzed in this video are pwned-se_150312_outgoing.pcap and pwned-se_150312_incoming.pcap , which are snippets of the 4.4 GB Hands-on Network Forensics dataset from FIRST 2015 (slides ).
More information about NetworkMiner Professional's Browsers tab can be found in our blog post Analyzing Web Browsing Activity .
See our NetworkMiner Professional tutorial videos for additional tips and hints.
Posted by Erik Hjelmvik on Thursday, 03 October 2024 09:10:00 (UTC/GMT)
Tags: #NetworkMiner Professional
#Video
#Tutorial
Short URL:
https://netresec.com/?b=24Abf1c
Erik Hjelmvik
,
Wednesday, 02 October 2024 07:10:00 (UTC/GMT)
The PCAP file analyzed in this video is pwned-se_150312_outgoing.pcap , which is a snippet of the 4.4 GB Hands-on Network Forensics dataset from FIRST 2015 (slides ).
See our NetworkMiner Professional tutorial videos for more tips and hints.
Posted by Erik Hjelmvik on Wednesday, 02 October 2024 07:10:00 (UTC/GMT)
Tags: #NetworkMiner Professional
#Video
#Tutorial
Short URL:
https://netresec.com/?b=24Ad5ad
Erik Hjelmvik
,
Tuesday, 01 October 2024 08:25:00 (UTC/GMT)
The PCAP file analyzed in this video is MD_2015-07-22_112601.pcap ,
which is a snippet of the training data used in our network forensics classes from 2015 to 2019.
Techniques, tools and databases mentioned in the tutorial:
Check out our Passive OS Fingerprinting blog post for more details on how to identify operating systems using TCP/IP headers and browser user-agents.
See our NetworkMiner Professional tutorial videos for more tips and hints.
Posted by Erik Hjelmvik on Tuesday, 01 October 2024 08:25:00 (UTC/GMT)
Tags: #NetworkMiner Professional
#Video
#Tutorial
Short URL:
https://netresec.com/?b=24A71a9
Erik Hjelmvik
,
Monday, 30 September 2024 12:50:00 (UTC/GMT)
This video tutorial demonstrates how to open capture files with NetworkMiner Professional
The analyzed pcap-ng file is github.pcapng from CloudShark . More info about this capture file can be found in our blog post Forensics of Chinese MITM on GitHub .
See our NetworkMiner Professional tutorial videos for more tips and hints.
Posted by Erik Hjelmvik on Monday, 30 September 2024 12:50:00 (UTC/GMT)
Tags: #NetworkMiner Professional
#Video
#Tutorial
Short URL:
https://netresec.com/?b=249b790
Erik Hjelmvik
,
Monday, 30 September 2024 08:45:00 (UTC/GMT)
This video tutorial covers how to install NetworkMiner Professional.
Use the official 7-zip tool to extract the password protected 7zip archive.
Recommended locations for NetworkMiner:
Desktop My Documents C:\Users\{user}\AppData\Local\Programs\ USB flash drive
See our NetworkMiner Professional tutorial videos for more tips and hints.
Posted by Erik Hjelmvik on Monday, 30 September 2024 08:45:00 (UTC/GMT)
Tags: #NetworkMiner Professional
#Video
#Tutorial
Short URL:
https://netresec.com/?b=24904d2
Erik Hjelmvik
,
Tuesday, 07 May 2024 07:50:00 (UTC/GMT)
In this video I take a look at a cryptojacking attack against a Kubernetes honeypot.
The attackers were surprisingly quick to discover this unsecured Kubernetes deployment and use it to mine Monero for them.
The analyzed capture files can be downloaded fromhttps://share.netresec.com/s/S5ZG2cDKB9AbqwS?path=%2Fk3s-443
This PCAP dataset was created by Noah Spahn, Nils Hanke, Thorsten Holz, Chris Kruegel, and Giovanni Vigna as part of their research for their Container Orchestration Honeypot: Observing Attacks in the Wild paper.
The capture files named "proxy-", such as the analyzed proxy-220404-162837.pcap, were generated by PolarProxy and contain the decrypted Kubernetes API traffic to the master node.
This traffic was actually TLS encrypted, but since PolarProxy was used as a TLS interception proxy we can see the Kubernetes API traffic in decrypted form.
IOC List
attacker IP: 102.165.16.27 (PIA VPN)
kind: DeamonSet
name: api-proxy
namespace: kube-system
image: dorjik/xmrig
mining pool: gulf.moneroocean.stream:1012
annotation: kubectl.kubernetes.io/last-applied-configuration
Monero wallet address: 41pdpXWNMe6NvuDASWXn6ZMdPk4N6amucCHHstNcw2y8caJNdgN4kNeW3QFfc3amCiJ9x6dh8pLboR6minjYZpgk1szkeGg
Posted by Erik Hjelmvik on Tuesday, 07 May 2024 07:50:00 (UTC/GMT)
Tags: #video
#CapLoader
#PolarProxy
Short URL:
https://netresec.com/?b=245f018
Erik Hjelmvik
,
Thursday, 04 January 2024 10:12:00 (UTC/GMT)
In this video I analyze a pcap file with network traffic from Cobalt Strike Beacon using CapLoader .
The pcap file and Cobalt Strike malware config can be downloaded from Recorded Future's Triage sandbox .
Cobalt Strike Beacon configs can also be extracted locally with help of Didier Stevens' 1768.py or Fox-IT's dissect.cobaltstrike .
IOC List
MD5 99516071d8f3e78e51200948bf377c4c
SHA1 59fe505b24bdfa54ee6e4188ed8b88af9a42eb86
SHA256 10e68f3e6c73161a1bba85ef9bada0cd79e25382ea8f8635bec4aa51bfe6c707
JA3 a0e9f5d64349fb13191bc781f81f42e1
JA4 t12d190800_d83cc789557e_7af1ed941c26
IP:port 104.21.88.185:2096 (Cloudflare)
Domain mail.googlesmail.xyz (Go Daddy)
Network Forensics Training
Are you interested in learning more about how to analyze network traffic from Cobalt Strike and other backdoors, malware and hacker tools? Then take a look at our upcoming network forensics classes !
Posted by Erik Hjelmvik on Thursday, 04 January 2024 10:12:00 (UTC/GMT)
Tags: #Cobalt Strike
#CobaltStrike
#Triage
#JA3
#a0e9f5d64349fb13191bc781f81f42e1
#ThreatFox
#CapLoader
#Video
#videotutorial
Short URL:
https://netresec.com/?b=2410f02
2023 March
QakBot C2 Traffic
2023 February
How to Identify IcedID Network Traffic
CapLoader 1.9.5 Alerts on Malicious Traffic
2022 September
Hunting for C2 Traffic
2022 May
Emotet C2 and Spam Traffic Video
2021 October
How the SolarWinds Hack (almost) went Undetected
2021 September
Start Menu Search Video
2021 July
Walkthrough of DFIR Madness PCAP
2021 May
Detecting Cobalt Strike and Hancitor traffic in PCAP
2020 January
Sharing a PCAP with Decrypted HTTPS
2019 January
Video: TrickBot and ETERNALCHAMPION
2018 July
Detecting the Pony Trojan with RegEx using CapLoader
2018 February
Examining Malware Redirects with NetworkMiner Professional
Analyzing Kelihos SPAM in CapLoader and NetworkMiner
Antivirus Scanning of a PCAP File
Zyklon Malware Network Forensics Video Tutorial