NETRESEC Network Security Blog - Tag : video

rss Google News

Short URL: https://netresec.com/?b=24A65d3


Browsers tab in NetworkMiner Professional

The Browsers tab is a unique feature only available in NetworkMiner Professional. The PCAP files analyzed in this video are pwned-se_150312_outgoing.pcap and pwned-se_150312_incoming.pcap, which are snippets of the 4.4 GB Hands-on Network Forensics dataset from FIRST 2015 (slides).

More information about NetworkMiner Professional's Browsers tab can be found in our blog post Analyzing Web Browsing Activity.

See our NetworkMiner Professional tutorial videos for additional tips and hints.

Posted by Erik Hjelmvik on Thursday, 03 October 2024 09:10:00 (UTC/GMT)

Tags: #NetworkMiner Professional#Video#Tutorial

Short URL: https://netresec.com/?b=24Abf1c

Short URL: https://netresec.com/?b=24Ad5ad


Hosts tab in NetworkMiner Professional

The PCAP file analyzed in this video is MD_2015-07-22_112601.pcap, which is a snippet of the training data used in our network forensics classes from 2015 to 2019.

Techniques, tools and databases mentioned in the tutorial:

Check out our Passive OS Fingerprinting blog post for more details on how to identify operating systems using TCP/IP headers and browser user-agents.

See our NetworkMiner Professional tutorial videos for more tips and hints.

Posted by Erik Hjelmvik on Tuesday, 01 October 2024 08:25:00 (UTC/GMT)

Tags: #NetworkMiner Professional#Video#Tutorial

Short URL: https://netresec.com/?b=24A71a9


Opening capture files with NetworkMiner Professional

This video tutorial demonstrates how to open capture files with NetworkMiner Professional

The analyzed pcap-ng file is github.pcapng from CloudShark. More info about this capture file can be found in our blog post Forensics of Chinese MITM on GitHub.

See our NetworkMiner Professional tutorial videos for more tips and hints.

Posted by Erik Hjelmvik on Monday, 30 September 2024 12:50:00 (UTC/GMT)

Tags: #NetworkMiner Professional#Video#Tutorial

Short URL: https://netresec.com/?b=249b790


Video Tutorial: Installing NetworkMiner Professional

This video tutorial covers how to install NetworkMiner Professional.

Use the official 7-zip tool to extract the password protected 7zip archive.

Recommended locations for NetworkMiner:

  • Desktop
  • My Documents
  • C:\Users\{user}\AppData\Local\Programs\
  • USB flash drive

See our NetworkMiner Professional tutorial videos for more tips and hints.

Posted by Erik Hjelmvik on Monday, 30 September 2024 08:45:00 (UTC/GMT)

Tags: #NetworkMiner Professional#Video#Tutorial

Short URL: https://netresec.com/?b=24904d2


Kubernetes Cryptojacking

In this video I take a look at a cryptojacking attack against a Kubernetes honeypot. The attackers were surprisingly quick to discover this unsecured Kubernetes deployment and use it to mine Monero for them.

The analyzed capture files can be downloaded from
https://share.netresec.com/s/S5ZG2cDKB9AbqwS?path=%2Fk3s-443

This PCAP dataset was created by Noah Spahn, Nils Hanke, Thorsten Holz, Chris Kruegel, and Giovanni Vigna as part of their research for their Container Orchestration Honeypot: Observing Attacks in the Wild paper.

The capture files named "proxy-", such as the analyzed proxy-220404-162837.pcap, were generated by PolarProxy and contain the decrypted Kubernetes API traffic to the master node. This traffic was actually TLS encrypted, but since PolarProxy was used as a TLS interception proxy we can see the Kubernetes API traffic in decrypted form.

IOC List

  • attacker IP: 102.165.16.27 (PIA VPN)
  • kind: DeamonSet
  • name: api-proxy
  • namespace: kube-system
  • image: dorjik/xmrig
  • mining pool: gulf.moneroocean.stream:1012
  • annotation: kubectl.kubernetes.io/last-applied-configuration
  • Monero wallet address: 41pdpXWNMe6NvuDASWXn6ZMdPk4N6amucCHHstNcw2y8caJNdgN4kNeW3QFfc3amCiJ9x6dh8pLboR6minjYZpgk1szkeGg

Posted by Erik Hjelmvik on Tuesday, 07 May 2024 07:50:00 (UTC/GMT)

Tags: #video#CapLoader#PolarProxy

Short URL: https://netresec.com/?b=245f018


Hunting for Cobalt Strike in PCAP

In this video I analyze a pcap file with network traffic from Cobalt Strike Beacon using CapLoader.

The pcap file and Cobalt Strike malware config can be downloaded from Recorded Future's Triage sandbox.

Cobalt Strike Beacon configs can also be extracted locally with help of Didier Stevens' 1768.py or Fox-IT's dissect.cobaltstrike.

IOC List

  • MD5 99516071d8f3e78e51200948bf377c4c
  • SHA1 59fe505b24bdfa54ee6e4188ed8b88af9a42eb86
  • SHA256 10e68f3e6c73161a1bba85ef9bada0cd79e25382ea8f8635bec4aa51bfe6c707
  • JA3 a0e9f5d64349fb13191bc781f81f42e1
  • JA4 t12d190800_d83cc789557e_7af1ed941c26
  • IP:port 104.21.88.185:2096 (Cloudflare)
  • Domain mail.googlesmail.xyz (Go Daddy)

Network Forensics Training

Are you interested in learning more about how to analyze network traffic from Cobalt Strike and other backdoors, malware and hacker tools? Then take a look at our upcoming network forensics classes!

Posted by Erik Hjelmvik on Thursday, 04 January 2024 10:12:00 (UTC/GMT)

Tags: #Cobalt Strike#CobaltStrike#Triage#JA3#a0e9f5d64349fb13191bc781f81f42e1#ThreatFox#CapLoader#Video#videotutorial

Short URL: https://netresec.com/?b=2410f02

2023 March

QakBot C2 Traffic

2023 February

How to Identify IcedID Network Traffic

CapLoader 1.9.5 Alerts on Malicious Traffic

2022 September

Hunting for C2 Traffic

2022 May

Emotet C2 and Spam Traffic Video

2021 October

How the SolarWinds Hack (almost) went Undetected

2021 September

Start Menu Search Video

2021 July

Walkthrough of DFIR Madness PCAP

2021 May

Detecting Cobalt Strike and Hancitor traffic in PCAP

2020 January

Sharing a PCAP with Decrypted HTTPS

2019 January

Video: TrickBot and ETERNALCHAMPION

2018 July

Detecting the Pony Trojan with RegEx using CapLoader

2018 February

Examining Malware Redirects with NetworkMiner Professional

Analyzing Kelihos SPAM in CapLoader and NetworkMiner

Antivirus Scanning of a PCAP File

Zyklon Malware Network Forensics Video Tutorial

X / twitter

NETRESEC on X / Twitter: @netresec

Mastodon

NETRESEC on Mastodon: @netresec@infosec.exchange