
Wireshark filters showing APT1 attacks







As a Threat Intelligence Analyst for Palo Alto Networks Unit 42, I often use Wireshark to review packet captures (pcaps) of network traffic generated by malware samples. To better accomplish this work, I use a customized Wireshark column display, as described in my previous blog about using Wireshark. Today's post provides more tips for analysts to better use Wireshark. It covers display filter expressions I find useful in reviewing pcaps of malicious network traffic from infected Windows hosts. Pcaps for this tutorial are available here.

This is not a comprehensive tutorial on how to analyze malicious network traffic. Instead, it shows some tips and tricks for Wireshark filters. Keep in mind that you must understand network traffic fundamentals to effectively use Wireshark, and you should also have a basic understanding of how malware infections occur.

This tutorial covers the following areas:

  • Filters for web-based infection traffic.
  • Filters for other types of infection traffic.

As a real-world example, this is an email that APT1 sent to Mandiant employees:

From: Kevin Mandia
Internal Discussion on the Press

Shall we schedule a time to meet next week?

At first glance, the email appeared to be from Mandiant’s CEO, Kevin Mandia. However, further scrutiny shows that the email was not sent from a Mandiant email account, but from “ Rocketmail is a free webmail service. Rather, an APT1 actor likely signed up for the account specifically for this spear phishing event. If anyone had clicked on the link that day (which no one did, thankfully), their computer would have downloaded a malicious ZIP file named “Internal_Discussion_Press_Release_In_Next_Week8.zip”. This file contained a malicious executable that installs a custom APT1 backdoor that we call WEBC2-TABLE.

Great investigating by Mandiant.

Edit: I find it hilarious they actually tried spear phishing Mandiant itself. I wonder how they actually thought that would work.








