Channel: NETRESEC Network Security Blog
Browsing all 160 articles

Targeting Process for the SolarWinds Backdoor

The SolarWinds Orion backdoor, known as SUNBURST or Solorigate, has been analyzed by numerous experts from Microsoft, FireEye and several anti-virus vendors. However, we've noticed that many of the...


Live Online Training - PCAP in the Morning

Would you like to spend four mornings in May analyzing capture files together with me? I have now scheduled a live online network forensics training called “PCAP in the Morning” that will run on May...


Analysing a malware PCAP with IcedID and Cobalt Strike traffic

This network forensics walkthrough is based on two pcap files released by Brad Duncan on malware-traffic-analysis.net. The traffic was generated by executing a malicious JS file called...


Running NetworkMiner in Windows Sandbox

NetworkMiner can be run in a highly efficient Windows Sandbox in order to analyze malicious PCAP files in Windows without accidentally infecting your Windows PC. This blog post shows how to set up a...


CapLoader 1.9 Released

A new version of the PCAP filtering tool CapLoader has been released today. The new CapLoader version 1.9 is now even better at identifying protocols and periodic beacons than before. The user...


Detecting Cobalt Strike and Hancitor traffic in PCAP

This video shows how Cobalt Strike and Hancitor C2 traffic can be detected using CapLoader. I bet you’re going: 😱 OMG he’s analyzing Windows malware on a...


Network Forensics Classes for EU and US

We have now scheduled two new live online classes, one in September and one in October. The September class is adapted to European time and the October one is adapted to American time. The contents...


NetworkMiner 2.7 Released

We are happy to announce the release of NetworkMiner 2.7 today! The new version extracts documents from print traffic and pulls out even more files and parameters from HTTP as well as SMB2 traffic. We...


Walkthrough of DFIR Madness PCAP

I recently came across a fantastic digital forensics dataset at dfirmadness.com, which was created by James Smith. There is a case called The Stolen Szechuan Sauce on this website that includes...


Carving Packets from Memory

Someone who says "We're gonna pull the packet captures out of the router" probably has no clue how to capture network traffic. In the Lindell case, statements like these were results of an...


Start Menu Search Video

In this video I demonstrate that text typed into the Windows 10 start menu gets sent to Microsoft and how that traffic can be intercepted, decrypted and parsed. The video cannot be played in your...


How the SolarWinds Hack (almost) went Undetected

My lightning talk from the SEC-T 0x0D conference has now been published on YouTube. This 13 minute talk covers tactics and techniques that the SolarWinds hackers used in order to avoid being detected....


Open .ETL Files with NetworkMiner and CapLoader

Windows event tracing .etl files can now be read by NetworkMiner and CapLoader without having to first convert them to .pcap or .pcapng. The ETL support is included in NetworkMiner 2.7.2 and CapLoader...


PolarProxy 0.9 Released

PolarProxy was previously designed to only run as a transparent TLS proxy. But due to popular demand we’ve now extended PolarProxy to also include a SOCKS proxy and an HTTP CONNECT proxy. PolarProxy...


PolarProxy in Windows Sandbox

In this video I demonstrate how PolarProxy can be run in a Windows Sandbox to intercept and decrypt outgoing TLS communication. This setup can be used to inspect otherwise encrypted traffic from...


NetworkMiner 2.7.3 Released

NetworkMiner now extracts meterpreter payloads from reverse shells and performs offline lookups of JA3 hashes and TLS certificates. Our commercial tool, NetworkMiner Professional, additionally comes...


Industroyer2 IEC-104 Analysis

The Industroyer2 malware was hardwired to attack a specific set of electric utility substations in Ukraine. It seems to have been custom built to open circuit breakers, which would effectively cut the...


Emotet C2 and Spam Traffic Video

This video covers a life cycle of an Emotet infection, including initial infection, command-and-control traffic, and spambot activity sending emails with malicious spreadsheet attachments to infect...


Real-time PCAP-over-IP in Wireshark

Did you know that it is possible to stream captured packets from a remote device or application to Wireshark in real-time using PCAP-over-IP? This blog post explains how you can configure Wireshark to...


CapLoader 1.9.4 Released

A new version of our advanced PCAP filtering tool CapLoader was released today. The new CapLoader 1.9.4 release includes features like JA3 hash extraction from TLS traffic and a fantastic thing called...
