Showing blog posts from 2024

rss Google News
Erik Hjelmvik
Monday, 18 March 2024 10:25:00 (UTC/GMT)

Network Forensics training at x33fcon

x33fcon Network Forensics for Incident Response

I will teach Network Forensics for Incident Response at the IT security conference x33fcon in Gdynia, Poland on June 11-12. In this hands-on class you will get a chance to perform network based threat hunting and deep dive into packet analysis for two days. The first day will be spent using open source tools, such as Wireshark, NetworkMiner, Suricata, Zeek, tcpflow and ngrep. On the second day we’ll also use NetworkMiner Professional and CapLoader. All training participants will get a 6 month license for CapLoader as well as NetworkMiner Professional.

Motlawa river by Diego Delso, delso.photo (CC-BY-SA)
Image: Motława river by Diego Delso, delso.photo (CC-BY-SA)

About x33fcon

x33fcon is held in Gdynia (Gdańsk), which is located on the Baltic coast in northern Poland. The conference’s focus is on collaboration between attackers and defenders. Their goal is to encourage security professionals to consider both perspectives while working more closely together.

More information about this two-day training can be found at x33fcon’s website as well as on Netresec’s training page.

Posted by Erik Hjelmvik on Monday, 18 March 2024 10:25:00 (UTC/GMT)

Tags: #Netresec#Training#Class#Network Forensics

Share: Facebook   Twitter   Reddit   Hacker News Short URL: https://netresec.com/?b=2436670

Erik Hjelmvik
Thursday, 04 January 2024 10:12:00 (UTC/GMT)

Hunting for Cobalt Strike in PCAP

In this video I analyze a pcap file with network traffic from Cobalt Strike Beacon using CapLoader.

The pcap file and Cobalt Strike malware config can be downloaded from Recorded Future's Triage sandbox.

Cobalt Strike Beacon configs can also be extracted locally with help of Didier Stevens' 1768.py or Fox-IT's dissect.cobaltstrike.

IOC List

  • MD5 99516071d8f3e78e51200948bf377c4c
  • SHA1 59fe505b24bdfa54ee6e4188ed8b88af9a42eb86
  • SHA256 10e68f3e6c73161a1bba85ef9bada0cd79e25382ea8f8635bec4aa51bfe6c707
  • JA3 a0e9f5d64349fb13191bc781f81f42e1
  • JA4 t12d190800_d83cc789557e_7af1ed941c26
  • IP:port 104.21.88.185:2096 (Cloudflare)
  • Domain mail.googlesmail.xyz (Go Daddy)

Network Forensics Training

Are you interested in learning more about how to analyze network traffic from Cobalt Strike and other backdoors, malware and hacker tools? Then take a look at our upcoming network forensics classes!

Posted by Erik Hjelmvik on Thursday, 04 January 2024 10:12:00 (UTC/GMT)

Tags: #Cobalt Strike#CobaltStrike#Triage#JA3#a0e9f5d64349fb13191bc781f81f42e1#ThreatFox#CapLoader#Video#videotutorial

Share: Facebook   Twitter   Reddit   Hacker News Short URL: https://netresec.com/?b=2410f02

Recent Posts

» Network Forensics training at x33fcon

» Hunting for Cobalt Strike in PCAP

» Network Forensics Training - Spring 2024

» CapLoader 1.9.6 Released

» Forensic Timeline of an IcedID Infection

Blog Archive

» 2024 Blog Posts

» 2023 Blog Posts

» 2022 Blog Posts

» 2021 Blog Posts

» 2020 Blog Posts

» 2019 Blog Posts

» 2018 Blog Posts

» 2017 Blog Posts

» 2016 Blog Posts

» 2015 Blog Posts

» 2014 Blog Posts

» 2013 Blog Posts

» 2012 Blog Posts

» 2011 Blog Posts

List all blog posts

Video blog posts

News Feeds

» Google News

» FeedBurner

» RSS Feed

X / twitter

NETRESEC on X / Twitter: @netresec

Mastodon

NETRESEC on Mastodon: @netresec@infosec.exchange