CTF Writeup: HawkEye Lab

Reconstruct a HawkEye Keylogger data exfiltration incident by analyzing network traffic with Wireshark and CyberChef, identifying IoCs and stolen credentials. Introduction Today I’ll be going through the HawkEye lab on CyberDefenders. This is tagged as being a Medium difficulty challenge, so I’m excited to get into this! Going off of the tags for the room it looks like we’ll be needing to use Wireshark, and possibly do some threat intel with VirusTotal. Before we get started we’ll need to download the lab files. Unzip this and open up stealer.pcap with Wireshark. ...

February 17, 2026 · 14 min · 2800 words · Ligniform

CTF Writeup: Web Investigation Lab

Examine network traffic with Wireshark to investigate web server compromise, identify SQL injection, extract attacker credentials, and detect uploaded malware. Introduction I want to focus on my Wireshark skills a lot more in the coming months. I have a lot of experience with Microsoft’s KQL and using that to dig through network traffic, but that only happens after it has come through a SIEM or EDR tool first. I like to know how to analyze network traffic from the ground up, so you’ll be seeing a lot more Wireshark in the future! ...

February 10, 2026 · 10 min · 2028 words · Ligniform

CTF Writeup: DanaBot Lab

Analyze network traffic using Wireshark to identify DanaBot initial access, deobfuscate malicious JavaScript, and extract IOCs like IPs, file hashes, and execution processes. Introduction Back to CyberDefenders yet again! A lot of my recent posts have been focused more on Threat Intel. Threat Intel is great to have in the back of your mind as being something you may need to do. Attribution is important if you’re a Threat Hunter/Researcher, but if you’re a SOC Analyst then it’s not very likely that you’ll be collating every indicator from an alert - It’s much more likely that you’ll pick up an alert and investigate it, close it, and move on with the next five alerts that have come into your SIEM in the time it took. ...

February 3, 2026 · 8 min · 1539 words · Ligniform

CTF Writeup: PoisonedCredentials Lab

Analyze network traffic for LLMNR/NBT-NS poisoning attacks using Wireshark to identify the rogue machine, compromised accounts, and affected systems. When I first saw this lab and the description I was a little confused what LLMNR and NBT-NS poisoning attacks were. I’m familiar with poisoning attacks like ARP and DNS, but the LLMNR and NBT-NS protocols didn’t ring a bell for me. A lot of cybersecurity is research and understanding concepts, so I was happy to jump into this lab from CyberDefenders and learn something new. ...

November 15, 2025 · 6 min · 1156 words · Ligniform