Channel: NETRESEC Network Security Blog
Browsing all 160 articles

Sharing a PCAP with Decrypted HTTPS

Modern malware and botnet C2 protocols use TLS encryption in order to blend in with "normal" web traffic, sometimes even using legitimate services like Twitter or Instagram. I did a live demo at the...

Sniffing Decrypted TLS Traffic with Security Onion

Wouldn't it be awesome to have a NIDS like Snort, Suricata or Zeek inspect HTTP requests leaving your network inside TLS encrypted HTTPS traffic? Yeah, we think so too! We have therefore created this...

RawCap Redux

A new version of RawCap has been released today. This portable little sniffer now supports writing PCAP data to stdout and named pipes as an alternative to saving the captured packets to disk. We have...

Reverse Proxy and TLS Termination

PolarProxy is primarily a TLS forward proxy, but it can also be used as a TLS termination proxy or reverse TLS proxy to intercept and decrypt incoming TLS traffic, such as HTTPS or IMAPS, before it is...

Discovered Artifacts in Decrypted HTTPS

We released a PCAP file earlier this year, which was recorded as part of a live TLS decryption demo at the CS3Sthlm conference. The demo setup used PolarProxy running on a Raspberry Pi in order to...

NetworkMiner 2.6 Released

We are happy to announce the release of NetworkMiner 2.6 today! The network forensic tool is now even better at extracting emails, password hashes, FTP transfers and artifacts from HTTP and HTTP/2...

PolarProxy in Docker

Our transparent TLS proxy PolarProxy is gaining lots of popularity due to how effective it is at generating decrypted PCAP files in combination with how easy it is to deploy. In this blog post we will...

Honeypot Network Forensics

NCC Group recently released a 500 MB PCAP file containing three months of honeypot web traffic data related to the F5 remote code execution vulnerability CVE-2020-5902. In a blog post the NCC Group say...

PolarProxy in Podman

Podman is a daemonless Linux container engine, which can be used as a more secure alternative to Docker. This blog post demonstrates how to run PolarProxy in a rootless container using Podman. If you...

PolarProxy 0.8.16 Released

We are happy to announce a new release of the TLS decryption tool PolarProxy. The new version has been updated to support features like client certificates and a PCAP-over-IP connector. Client...

Capturing Decrypted TLS Traffic with Arkime

The latest version of Arkime (The Sniffer Formerly Known As Moloch) can now be fed with a real-time stream of decrypted HTTPS traffic from PolarProxy. All that is needed to enable this feature is to...

Reassembling Victim Domain Fragments from SUNBURST DNS

We are releasing a free tool called SunburstDomainDecoder today, which is created in order to help CERT organizations identify victims of the trojanized SolarWinds software update, known as SUNBURST...

Extracting Security Products from SUNBURST DNS Beacons

The latest version of our SunburstDomainDecoder (v1.7) can be used to reveal which endpoint protection applications are installed on trojanized SolarWinds Orion deployments. The security...

Finding Targeted SUNBURST Victims with pDNS

Our SunburstDomainDecoder tool can now be used to identify SUNBURST victims that have been explicitly targeted by the attackers. The only input needed is passive DNS (pDNS) data for avsvmcloud.com...

Robust Indicators of Compromise for SUNBURST

There has been a great deal of confusion regarding what network-based Indicators of Compromise (IOC) SolarWinds Orion customers can use to self-assess whether or not they have been targeted after...

Twenty-three SUNBURST Targets Identified

Remember when Igor Kuznetsov and Costin Raiu announced that two of the victims in FireEye's SUNBURST IOC list were ***net.***.com and central.***.gov on Kaspersky's Securelist blog in December? Reuters...
