Showing blog posts from 2021

rss Google News

Open .ETL Files with NetworkMiner and CapLoader

NetTrace.ETL in CapLoader 1.9.3 and NetworkMiner 2.7.2

Windows event tracing .etl files can now be read by NetworkMiner and CapLoader without having to first convert them to .pcap or .pcapng. The ETL support is included in NetworkMiner 2.7.2 and CapLoader 1.9.3, which were both released this morning.

What is an ETL Trace File?

ETL is short for Event Trace Log, which is ETW session data that has been logged to a file. You can, for example, extract EVTX logs from ETL files. But in this blog post we're gonna focus on network traffic that has been captured to an ETL file with a command like:

netsh trace start capture=yes report=no tracefile=packets.etl
...wait while packets are being captured...
netsh trace stop

Pro-tip: You can specify a capture NIC explicitly with "CaptureInterface=<GUID>"

NetworkMiner and CapLoader can also read packets in Pktmon ETL files, which actually are different from those created with netsh. Capturing packets to an ETL file with Pktmon is very simple:

pktmon start --capture --pkt-size 0 -f packets.etl
...wait while packets are being captured...
pktmon stop

Pro-tip: You can specify capture filters with "pktmon filter add"

You can also capture packets to ETL files with PowerShell:

New-NetEventSession -Name sniffer -LocalFilePath C:\packets.etl
Add-NetEventPacketCaptureProvider -SessionName sniffer -TruncationLength 2000
Start-NetEventSession -Name sniffer
...wait while packets are being captured...
Stop-NetEventSession -Name sniffer
Remove-NetEventSession -Name sniffer

Pro-tip: You capture packets on a remote PC by specifying a CimSession

Advantages

The built-in support for ETL files in NetworkMiner and CapLoader makes it easy to work with ETL files. Not only will you no longer need to go through the extra step of converting the ETL file to PCAP using etl2pcapng or Microsoft Message Analyzer (which was retired in 2019), the analysis will also be faster because both CapLoader and NetworkMiner read ETL files faster compared to etl2pcapng and MMA.

Limitations

The primary limitation with NetworkMiner and CapLoader's ETL support is that it only works in Windows. This means that you will not be able to open ETL files when running NetworkMiner in Linux or macOS.

Another limitation is that both NetworkMiner and CapLoader might fail to parse logged packets if the event trace was created on an OS version with an event manifest that is incompatible with the OS version on which the ETL file is opened.

Under the Hood

Both NetworkMiner and CapLoader leverage Windows specific API calls to read packets from ETL files. An ETL file opened in CapLoader first get converted to PcapNG, then CapLoader parses that PcapNG file. NetworkMiner, on the other hand, parses the packets in the ETL file directly to extract artifacts like files, images and parameters. NetworkMiner's approach is both simpler and quicker, but by converting the ETL file to PcapNG CapLoader can utilize its packet indexing feature to rapidly extract any subset of the captured traffic upon request by the user.

CapLoader's approach is also useful for users who are wondering how to open ETL files in Wireshark, since the packets from an ETL file can be opened in Wireshark by dragging the PcapNG file from the CapLoader GUI onto Wireshark.

Drag-and-drop NetTrace.pcapng from CapLoader to Wireshark
Image: NetTrace.etl converted to PcapNG in CapLoader can be drag-and-dropped onto Wireshark.

Additional Updates in NetworkMiner

The ETL support is not the only new feature in NetworkMiner 2.7.2 though. We have also added support for the ERSPAN protocol. The FTP parser has also been improved to support additional commands, such as AUTH (RFC2228).

We've also added a useful little feature to the context menu of the Parameter's tab, which allows users to send extracted parameters to CyberChef (on gchq.github.io) for decoding.

Submit Parameter value from NetworkMiner to CyberChef
Image: Right-clicking a parameter brings up a context menu with "Submit to CyberChef" option.

Additional Updates in CapLoader

The only major improvement in CapLoader 1.9.3, apart from the built-in ETL-to-PcapNG converter, is that the protocol identification speed and precision has been improved. We've also separated the identification of SSL (version 2.0 to 3.0) and TLS (SSL 3.1 and later) as two separate protocols in this version, whereas they previously both were fingerprinted as "SSL".

Credits

We'd like to thank Dick Svensson and Glenn Larsson for their input on reading ETL files. We also want to thank Markus Schewe for recommending us to add ERSPAN support to NetworkMiner!

Posted by Erik Hjelmvik on Tuesday, 02 November 2021 07:15:00 (UTC/GMT)

Tags: #PowerShell#CapLoader#NetworkMiner#PcapNG#Windows#Wireshark#PCAP#CyberChef

Short URL: https://netresec.com/?b=21B0d0e


How the SolarWinds Hack (almost) went Undetected

My lightning talk from the SEC-T 0x0D conference has now been published on YouTube. This 13 minute talk covers tactics and techniques that the SolarWinds hackers used in order to avoid being detected.

Video: Hiding in Plain Sight, How the SolarWinds Hack went Undetected

Some of these tactics included using DNS based command-and-control (C2) that mimicked Amazon AWS DNS traffic, blending in with SolarWind’s legitimate source code and handpicking only a small number of targets.

One thing I forgot to mention in my SEC-T talk though, was the speed at which the attackers were working to analyze incoming data from the trojanized installs and selecting organizations to target for stage two operations.

SolarWinds Hack Timeline

For example, just during June 2020 the attackers got more than 1300 new organizations that started beaconing in using the DNS-based C2. The beaconed data only included the organizations’ Active Directory domain name and a list of installed security applications. Based on this information the attackers had to decide whether or not they wanted to target the organization. We have previously estimated that less than 1% of the organizations were targeted, while the malicious backdoor was disabled for all the other 99% who had installed the trojanized SolarWinds Orion update.

SolarWinds C2 IP addresses

The attackers typically decided whether or not to target an organization within one week from when they started beaconing. This means that the attackers probably had several hundred organizations in queue for a targeting decision on any given week between April and August 2020. That's a significant workload!

Posted by Erik Hjelmvik on Monday, 18 October 2021 10:30:00 (UTC/GMT)

Tags: #SolarWinds#SEC-T#video#backdoor#SUNBURST#Solorigate#STAGE2#Stage 2#DNS#C2#ASCII-art

Short URL: https://netresec.com/?b=21A27a0


Start Menu Search Video

In this video I demonstrate that text typed into the Windows 10 start menu gets sent to Microsoft and how that traffic can be intercepted, decrypted and parsed.

What Was Sent?

The XML files shown in the video were sent by Cortana's "SmartSearch" app to https://www.bing.com/threshold/xls.aspx in HTTP/2 POST requests. As shown in the video, the POST'ed keystrokes can be found inside requestInfo XML tags that have a "RawQuery" key.

The following tcpdump and grep commands can be used to list the RawQuery data sent to Bing in these HTTP/2 requests:

tcpdump -A -r proxy-210927-134557.pcap | grep -a -o 'key="RawQuery" value="[^"]*"'

Running that command on the PolarProxy PCAP file from the video gives the following output:

key="RawQuery" value="n"
key="RawQuery" value="no"
key="RawQuery" value="not"
key="RawQuery" value="note"
key="RawQuery" value="notep"
key="RawQuery" value="notepa"
key="RawQuery" value="notepad"
key="RawQuery" value="s"
key="RawQuery" value="se"
key="RawQuery" value="sea"
key="RawQuery" value="sear"
key="RawQuery" value="searc"
key="RawQuery" value="search"
key="RawQuery" value="search .."
key="RawQuery" value="search ..e"
key="RawQuery" value="search ..er"
key="RawQuery" value="search ..e"
key="RawQuery" value="search .."
key="RawQuery" value="search"
key="RawQuery" value="search p"
key="RawQuery" value="search per"
key="RawQuery" value="search perm"
key="RawQuery" value="search permi"
key="RawQuery" value="p"
key="RawQuery" value="pr"
key="RawQuery" value="pri"
key="RawQuery" value="priv"
key="RawQuery" value="priva"
key="RawQuery" value="privac"
key="RawQuery" value="privacy"

The same data also gets sent in the query string variable "qry" of GET requests for https://www.bing.com/AS/API/WindowsCortanaPane/V2/Suggestions, as shown in this NetworkMiner screenshot.

Parameters tab in NetworkMiner
Image: NetworkMiner's Parameters tab with filter "qry" on "Parameter name" column

How to Intercept, Decrypt and Decode HTTPS Traffic

The following section presents the technical details regarding my setup, so that others can reproduce and verify these findings.

My first step was to install PolarProxy on a Linux machine on the local network. PolarProxy is a TLS proxy, which can intercept and decrypt TLS traffic. This TLS proxy is primarily designed to decrypt traffic from malware and hackers, but can also be used to decrypt legitimate traffic when needed.

PolarProxy was configured to listen for incoming TLS connections on TCP port 443 and output PCAP data with the decrypted traffic as if it had been transmitted over TCP 80. The decrypted traffic was accessible as a real-time stream through a PCAP-over-IP service running on port 57012. Here's the full command that was used to start PolarProxy:

sudo ./PolarProxy -p 443,80 --pcapoverip 0.0.0.0:57012 --certhttp 10080

In the video I showed the Windows 10 client's modified hosts file, which included an entry for www.bing.com pointing to the PolarProxy machine. What was not shown in the video though, is that PolarProxy's own CA certificate had been added to the Win10 machine's list of trusted root CA's, as explained in the "Trusting the PolarProxy root CA" section of the PolarProxy installation instructions. With these two changes in place all HTTPS requests for www.bing.com from the Win10 PC got diverted through the PolarProxy TLS inspection service, which then decrypted and re-encrypted the traffic before forwarding it to Bing.

The decrypted Bing requests could be accessed either locally on the Linux machine, or remotely using the PCAP-over-IP service on TCP port 57012. I used NetworkMiner to read the live PCAP stream with decrypted traffic from port 57012 and extract all files being sent and received in real-time.

Is it Possible to Disable the Cortana Search?

When Ars Technica reporters asked Microsoft back in 2015 if there was any way to disable this communication, Microsoft replied with the following statement:

As part of delivering Windows 10 as a service, updates may be delivered to provide ongoing new features to Bing search, such as new visual layouts, styles and search code. No query or search usage data is sent to Microsoft, in accordance with the customer's chosen privacy settings.

There are plenty of how-to guides online with instructions on how the Cortana search feature can be disabled. Most of these guides suggest disabling the AllowCortana setting in group policies or in the registry. We've tried several of the settings suggested in these how-to guides, but none of them seem to prevent Windows from sending keystrokes to Bing.

If you know how to successfully disable Cortana's Bing searches, then please feel free to reach out to us so that we can update this blog post.

UPDATE 210928 - How to Actually Disable Cortana Search

Twitter user @GeorgeProfonde3 reached out to suggest a fix that might prevent the start menu from sending data to Bing. We have now verified this fix and we're happy to announce that it works (at least for us).

  1. Start regedit.exe
  2. Open the following registry key:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
  3. Ensure that the value for CortanaConsent is set to 0
  4. Create a new DWORD registry entry called "BingSearchEnabled" with value 0

You should no longer see any connections to www.bing.com when interacting with the start menu after implementing this fix.

UPDATE 211015 - Another way to Disable Cortana Search

You may need to use a different method to disable the start meny search, depending on your Windows version and build. Kimberly (@StopMalvertisin) suggested the following method, which seems to work on Windows 11:

  1. Start regedit.exe
  2. Create a registry key for:
    HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer
  3. Create a new DWORD registry entry called "DisableSearchBoxSuggestions" with value 1

Disabling Start Menu Search from Group Policy

There are also a few different methods for disabling start menu searches using GPO. However, please note that your success will vary depending on your Windows version and build.

GPO Method #1

  1. Start gpedit.msc
  2. Open the following branch:
    User configuration\Administrative templates\Windows components\File Explorer
  3. Enable the following group policy:
    "Turn off display of recent search entries in the File Explorer search box"

GPO Method #2

  • Start gpedit.msc
  • Open the following branch:
    User Configuration\Administrative Templates\Start Menu and Taskbar
  • Enable the following group policy: "Do not search communications"

Posted by Erik Hjelmvik on Tuesday, 28 September 2021 08:24:00 (UTC/GMT)

Tags: #PCAP#NetworkMiner#PolarProxy#Microsoft#video#videotutorial#pcapoverip#PCAP-over-IP#HTTP/2#http2

Short URL: https://netresec.com/?b=2199fe7


Carving Packets from Memory

The packets are in the router

Someone who says "We're gonna pull the packet captures out of the router" probably has no clue how to capture network traffic. In the Lindell case, statements like these were results of an elaborate hoax.

Nevertheless, such a statement doesn't have to be nonsense — if it comes from someone who knows how to dump the physical memory from the router. There are actually more packets available in the RAM of a router, or computer for that matter, than you might think.

The Forensic Challenge from DFRWS 2016 contains a memory dump from an SDN switch. If you drag-and-drop SDN.ram.raw from that challenge to CapLoader then you'll be asked if you wanna carve packets from the memory dump.

CapLoader error message - Invalid capture file

This packet carving feature is also available in the free trial version of CapLoader.

Clicking "Yes" in the dialogue brings up a configuration window. The default settings are okay in most cases.

CapLoader's Carve Packets Window

After pressing "Start" CapLoader will start identifying packets in the memory dump from the SDN switch. The packets will be saved to a Pcap-NG file located in the %TEMP% directory, unless you specified a different output location in the config window.

You can download a copy of the Pcap-NG file that I generated with CapLoader 1.9.2 here:
https://media.netresec.com/pcap/SDN.ram.raw.pcapng (661 kB, 2959 packets)

Here's what it looks like when the carved packets have been loaded into NetworkMiner Professional.

NetworkMiner Professional with SDN.ram.raw.pcapng loaded

As you can see, a great deal of information can be extracted about the hosts on this network just by examining the dumped memory from the SDN switch.

What about Bulk Extractor?

Simson Garfinkel's bulk_extractor can also extract packets from memory dumps. It was actually a research paper by Simson that inspired me to implement a packet carver in the first place.

There are a few significant differences between bulk_extractor and CapLoader with regards to packet carving though. One difference is that bulk_extractor identifies network packets by looking for Ethernet frames containing IPv4 packets, while CapLoader looks for IPv4 or IPv6 packets containing TCP or UDP packets. The output from bulk_extractor is usually quite similar to that of CapLoader, and so is the parsing speed. CapLoader was just slightly faster in our tests and carved about 3% more packets compared to bulk_extractor, these additional packets were primarily IPv6 packets and packets that weren't encapsulated by an Ethernet frame.

Where can I download memory dumps?

I posted a question on Twitter, asking the #DFIR community for their favorite publicly available memory dumps prior to writing this blog post, and I received lots of great answers. Thank you all for contributing! I have now compiled the following list of places from where you can download memory dumps:

For a more detailed blog post on CapLoader's packet carving functionality, please see our Carving Network Packets from Memory Dump Files blog post from 2014.

Posted by Erik Hjelmvik on Tuesday, 31 August 2021 15:10:00 (UTC/GMT)

Tags: #Forensics#RAM#PCAP#Pcap-NG#PcapNG#DFIR#carve#carver#packets#dump#CapLoader#memory forensics#DFRWS

Short URL: https://netresec.com/?b=218cf94


Walkthrough of DFIR Madness PCAP

I recently came across a fantastic digital forensics dataset at dfirmadness.com, which was created by James Smith. There is a case called The Stolen Szechuan Sauce on this website that includes forensic artifacts like disk images, memory dumps and a PCAP file (well, pcap-ng actually). In this video I demonstrate how I analyzed the capture file case001.pcap from this case.

Follow Along in the Analysis

Please feel free to follow along in the analysis performed in the video. You should be able to use the free trial version of CapLoader and the free open source version of NetworkMiner to perform most of the tasks I did in the video.

Here are some of the BPF and Column Criteria filters that I used in the video, so that you can copy/paste them into CapLoader.

  • net 10.0.0.0/8
  • Umbrella_Domain =
  • not ip6 and not net 224.0.0.0/4
  • host 194.61.24.102 or host 203.78.103.109 or port 3389

ASCII Network Flow Chart

References and Links

Timeline

All events in this timeline take place on September 19, 2020. Timestamps are in UTC.

  • 02:19:26 194.61.24.102 performs RDP brute force password attack against DC01.
  • 02:21:47 RDP password brute force successful.
  • 02:22:08 194.61.24.102 connects to DC01's RDP service as Administrator. Duration: 9 sec.
  • 02:22:36 194.61.24.102 connects to DC01's RDP service as Administrator again. Duration: 30 min.
  • 02:24:06 DC01 downloads coreupdater.exe from 194.61.24.102 using IE11.
  • 02:25:18 DC01 establishes Metrepreter reverse_tcp connection to 203.78.103.109. Duration: 4 min.
  • 02:29:49 DC01 re-establishes Metrepreter reverse_tcp connection to 203.78.103.109. Duration: 23 min.
  • 02:35:55 DC01 connects to DESKTOP's RDP service Administrator (username in Kerberos traffic). Duration 16 min.
  • 02:39:58 DESKTOP download coreupdater.exe from 194.61.24.102 using MS Edge.
  • 02:40:49 DESKTOP establishes Metrepreter reverse_tcp connection to 203.78.103.109. Duration: 2h 58 min.
  • 02:56:03 194.61.24.102 connects to DC01's RDP service as Administrator one last time. Duration: 1 min 38 sec.
  • 02:56:38 DC01 re-establishes Metrepreter reverse_tcp connection to 203.78.103.109. Duration: 2h 42 min.

IOC's

  • IP : 194.61.24.102 (Attacker)
  • IP : 203.78.103.109 (C2 server)
  • MD5 : eed41b4500e473f97c50c7385ef5e374 (coreupdater.exe)
  • JA3 Hash : 84fef6113e562e7cc7e3f8b1f62c469b (RDP scan/brute force)
  • JA3 Hash : 6dc99de941a8f76cad308d9089e793d7 (RDP scan/brute force)
  • JA3 Hash : e26ff759048e07b164d8faf6c2a19f53 (RDP scan/brute force)
  • JA3 Hash : 3bdfb64d53404bacd8a47056c6a756be (RDP scan/brute force)

Wanna learn more network forensic analysis techniques? Then check out our upcoming network forensics classes in September and October.

Posted by Erik Hjelmvik on Friday, 09 July 2021 13:20:00 (UTC/GMT)

Tags: #PCAP#NetworkMiner#CapLoader#video#videotutorial

Short URL: https://netresec.com/?b=217dfc7


NetworkMiner 2.7 Released

NetworkMiner 2.7 Logo

We are happy to announce the release of NetworkMiner 2.7 today! The new version extracts documents from print traffic and pulls out even more files and parameters from HTTP as well as SMB2 traffic. We have also updated our JA3 implementation to fingerprint the server side in TLS sessions using JA3S hashes and added a few tweaks to the user interface to better identify the extension of extracted files.

Extraction of Printed Data

NetworkMiner 2.7 can extract documents from LPR/LPD print traffic on TCP 515 (RFC1179). The extracted print data is saved to disk as .prn files, which can be analyzed with tools like PCL Paraphernalia. The professional version of NetworkMiner also comes with a carver that attempts to extract PostScript and PDF files from print traffic.

Improved File Extraction from PCAP

One of the premier features of NetworkMiner is its ability to extract transferred files from network traffic. We have fine tuned NetworkMiner’s file extraction code for SMB2 as well as HTTP POST in this release, in order to retrieve as much information as possible from these protocols. We’ve also added more granular logging of SMB2 requests and responses to the Parameters tab.

More DNS Types Supported

NetworkMiner 2.7 now parses DNS TXT and SRV resource records, which are displayed in NetworkMiner’s DNS tab. The TXT records can be used for almost anything, but the SRV records are used to map service types to the hostnames that provide that service. SRV lookups are often used in order to locate the domain controller on a network by querying for “_ldap._tcp.dc._msdcs.<DOMAIN>”.

DNS SRV and TXT records in NetworkMiner

DNS SRV of lookups are performed by malware and attackers as well as for legitimate reasons, even though attackers sometimes make mistakes that can be used for detection or threat hunting.

TLS Server Fingerprinting with JA3S

We introduced TLS client fingerprinting using JA3 hashes in NetworkMiner 2.5. We have now also added support for JA3S hashes, which is a method for fingerprinting the server side of a TLS connection. The JA3S hashes are extracted from the “Server Hello” TLS packets and shown on NetworkMiner’s Parameters tab as well as in the Host Details of the server. We have also improved how NetworkMiner displays the JA3 hashes in the Host Details view.

JA3S hashes in NetworkMiner

Additional User Interface Improvements

Double clicking on an extracted file in NetworkMiner's Files tab now brings up the File Details window. We’ve extended this window to also include a simple hex viewer and a feature that attempts to identify the file type based on the reassembled file’s header.

NetworkMiner's File Details window with hex viewer

The file type identification feature is also used in order to provide more accurate file extensions to extracted files, such as “.exe” or “.zip”, instead of the “.octet-stream” that you’d often see in previous versions of NetworkMiner. We have added a warning dialogue to NetworkMiner 2.7 that shows up if a user tries to run an executable file directly from the NetworkMiner GUI.

Warning dialogue in NetworkMiner when opening executable file

NetworkMiner Professional

Our commercial tool NetworkMiner Professional has received a few additional updates. It can, for example, carve PDF and PostScript files from extracted LPR print data. We have also added several OSINT services, such as ANY.RUN, MalwareBazaar, URLHaus and ThreatFox, for performing lookups of file hashes. The OSINT context menu is opened by right-clicking an extracted file in NetworkMiner Professional.

GPS data stored in pcap-ng option fields, typically by Kismet, is now extracted as capture file metadata. Right-click a capture file and select "Show Metadata" to show the coordinates from Kismet. We have also re-implemented the support for a PCAP-over-IP listener in NetworkMinerCLI, which is the command line version of NetworkMiner Pro. This feature allows the command line tool to receive PCAP data over a TCP socket instead of reading from a capture file. The PCAP-over-IP listener feature was previously broken in NetworkMinerCLI.

Credits

We’d like to thank Hayo Brouwer (of Ricoh) for requesting the LPR extraction feature and providing capture files for testing, Jeff Rivett for reporting a 64 bit issue with WinPcap/Npcap and Ali Mohd for reporting the broken PCAP-over-IP listener feature.

Upgrading to Version 2.7

Users who have purchased NetworkMiner Professional can download a free update to version 2.7 from our customer portal, or use the “Help > Check for Updates” feature. Those who instead prefer to use the free and open source version can grab the latest version of NetworkMiner from the official NetworkMiner page.

Posted by Erik Hjelmvik on Tuesday, 15 June 2021 11:55:00 (UTC/GMT)

Tags: #NetworkMiner#PCAP#SMB2#JA3#JA3S#ANY.RUN#ThreatFox#OSINT

Short URL: https://netresec.com/?b=21644b7


Network Forensics Classes for EU and US

We have now scheduled two new live online classes, one in September and one in October. The September class is adapted to European time and the October one is adapted to American time. The contents are exactly the same in both classes.

PCAP in the mornining

The training is split into four interactive morning sessions (4 hours each), so that you have the afternoon free to either practice what you learned in class or do your “normal” day job. The number of attendees will be limited in order to enable attendees to ask questions or even cover short ad-hoc side tracks. We plan to accept something like 10 to 15 attendees per class. The class registration will be closed once we reach this attendee limit.

  • 🇪🇺 September 20-23, 2021. Live Online Training "PCAP in the Morning EU"
    ⏲️ Time: 8:30 AM to 12:30 PM CET (Central European Time)
    💸 Price: € 820 EUR per student (€ 738 EUR if registering before August 20)
  • 🇺🇸 October 25-28, 2021. Live Online Training "PCAP in the Morning US"
    ⏲️ Time: 9:00 AM to 1:00 PM EDT (US Eastern Daylight Time)
    💸 Price: $1,000 USD per student ($900 USD if registering before September 25)

We will be analyzing a unique 30GB PCAP data set captured during June 2020 on an Internet connected network with multiple clients, an AD server, a web server, an android tablet and some embedded devices. As you’ve probably guessed, the capture files contain traffic from multiple intrusions by various attackers, including APT style attackers and botnet operators. The initial attack vectors are using techniques like exploitation of web vulnerabilities, spear phishing, a supply chain attack and a man-on-the-side attack!

See our training page for more info about the “PCAP in the Morning” classes.

To sign up for a class, simply send an email to sales@netresec.com with the class dates, your name and invoice address. We will then send you a PayPal payment link that you can use to complete your training registration.

Hope to see you there!

Erik H

Cheers,
Erik Hjelmvik
Creator of NetworkMiner and founder of Netresec

Posted by Erik Hjelmvik on Monday, 07 June 2021 09:55:00 (UTC/GMT)

Tags: #Netresec#PCAP#Training#Network Forensics#Class

Short URL: https://netresec.com/?b=216851d


Detecting Cobalt Strike and Hancitor traffic in PCAP

This video shows how Cobalt Strike and Hancitor C2 traffic can be detected using CapLoader.

I bet you’re going:

😱 OMG he’s analyzing Windows malware on a Windows PC!!!

Relax, I know what I’m doing. I have also taken the precaution of analyzing the PCAP file in a Windows Sandbox, which just takes a couple of seconds to deploy and run.

The capture file I’m looking at is called “2021-05-13-Hancitor-traffic-with-Ficker-Stealer-and-Cobalt-Strike.pcap” and can be downloaded from here: https://malware-traffic-analysis.net/2021/05/13/index.html

CapLoader’s Services tab shows us that the connections to TCP 80 and 443 on 103.207.42.11 are very periodic, with a detected period of exactly 1 minute. CapLoader successfully identifies the protocols for these two services as Cobalt Strike over HTTP and Cobalt Strike over SSL, respectively. The third service in this list is also very periodic, that’s the Hancitor trojan beaconing to its C2 server every two minutes.

Services tab in CapLoader

CapLoader uses machine learning to identify the application layer protocol based on the behavior of the traffic, not the port number. This means that there can be false positives, i.e. the protocol classification that CapLoader gives a flow or service might be wrong. It is more common, however, for CapLoader to yield false negatives, which means that it can't identify the protocol. The detection of Cobalt Strike inside of HTTP and SSL traffic was recently introduced in the latest 1.9 release of CapLoader. I expected this feature to detect Cobalt Strike traffic in HTTP, but I was delighted to see that CapLoader often detects even TLS encrypted Cobalt Strike beaconing with really good precision!

As shown in the video, the Cobalt Strike beacon config can easily be extracted from the network traffic using NetworkMiner and Didier Stevens’ 1768 K python script.

The output from Didier’s 7868.py tool looks something like this:

0x0001 payload type 0 windows-beacon_http-reverse_http
0x0002 port 80
0x0003 sleeptime 60000
0x0004 maxgetsize 1048576
0x0005 jitter 0
0x0007 publickey 30819f30[...]
0x0008 server,get-uri '103.207.42.11,/ca'
[...]

As you can see, it uses HTTP for transport with a “sleeptime” of 1 minute (60000 ms) and 0% jitter. This means that a new connection will be made to the Cobalt Strike C2 server every minute. The fact that there was no jitter is what gives this service such a high value in CapLoader’s “Periodicity” column.

Network Forensics Training

Are you interested in learning more about how to analyze network traffic from Cobalt Strike and other backdoors, malware and hacker tools? Then take a look at the live online network forensics classes I will be teaching in September and October!

Posted by Erik Hjelmvik on Monday, 31 May 2021 08:30:00 (UTC/GMT)

Tags: #Netresec#Cobalt Strike#CobaltStrike#periodicity#Protocol Identification#PIPI#CapLoader#1768.py#Windows Sandbox#PCAP#NSM#video#videotutorial

Short URL: https://netresec.com/?b=21536fc

2021 May

CapLoader 1.9 Released

Running NetworkMiner in Windows Sandbox

2021 April

Analysing a malware PCAP with IcedID and Cobalt Strike traffic

2021 March

Live Online Training - PCAP in the Morning

2021 February

Targeting Process for the SolarWinds Backdoor

2021 January

Twenty-three SUNBURST Targets Identified

Robust Indicators of Compromise for SUNBURST

Finding Targeted SUNBURST Victims with pDNS

X / twitter

X / Twitter: @netresec


Bluesky

Bluesky: @netresec.com


Mastodon

Mastodon: @netresec@infosec.exchange