Wireshark_IOC_Example

Lab 5 has tasked me with learning more about Wireshark by watching four videos from the various Sharkfest years. I have chosen to watch https://www.youtube.com/watch?v=V-KM4p0x-po. In anticipation of this, I have created an FTP downloader and a keylogger. I stored the Keylogger.exe on one of my personal websites. The FTP rootkit is 5/56 on VirusTotal, and it uses the Windows API. At the beginning of his talk, Jasper Bongertz mentions an incident where a person recognized that they had a keylogger on their system. He said that in situations like these, where "...at least one indicator of compromise has been found already...", you need to immediately begin Incident Response. Then you need to check clients, servers, networks, or ISP uplinks to see if anything has been compromised.

Looking for the needle: The idea of network forensics is to look at the network data to pinpoint the systems that need further investigation. Don't waste your time going through hundreds of systems by hand, one by one.

Things to investigate: the file systems, log files, firewall rule tables, sensor hits, and documentation. Sensor hits come from IDS (around 50k patterns), IPS (7k-20k patterns; most companies don't enable the blocking features), NSM (very simple to bypass if you know what you're doing, and often bought only to tick a check box), AV (helps against known stuff) and sandboxes (easily bypassed). Documentation means port communication rules and baselines, and is usually outdated or nonexistent.

Looking at the network: No matter how amazing the malware is, its final goal is to extract information. The primary goal is to determine "the right spot" that the packets must pass through. Even so, it can be very difficult if they are using anti-detection methods. In these cases, you must rely on a passive LAN TAP. If your firewall uses NAT, put the tap right on the inside of the firewall.

Internet uplinks: focus on tapping the primary uplinks. Capture the following: SYN, SYN-ACK, FIN, RST-ACK, and DNS packets. You don't need the content; just use these to see whether the connection was established or not, because you want to know if an attack worked. If it did, the malware will send a SYN packet out to the Command and Control (C2) server. If you see the three-way handshake complete, then you know a connection was established. DNS is the most important thing ever. Make sure to look for bridges to the outside that were not supposed to exist. People get careless and sometimes forget to document an uplink, so go through and match each one to the documentation and update the documents afterwards. Be aware that anything with internet access could become an uplink, especially when set up by people who are not authorized to do so.

Inspecting DNS traffic: PassiveDNS (https://github.com/gamelinux/passivedns) is the way to go: a MySQL process with a packet sniffer writing data into it. You are responsible for creating the SQL queries to get data out of it. Some recognizable patterns of C2 are automated HTTP requests that always result in a 404; answers containing loopback addresses (when the C2 operators go to lunch they configure all malware to point to themselves for communications, then switch it back when they finish); a high number of errors like "no such name"; and Domain Generation Algorithms (malware distributors sign up for domains and use them for a day or two, then drop them and move on to another; the algorithm creates a randomly generated name for each future domain).

Create a baseline by recording everything using SPAN ports or a TAP, and pinpoint the assets that require file system forensics. The workflow: capture traffic; run Snort against the pcap file; grab the resulting alert file with the extracted frame pcaps; verify in the captured original pcaps in order to gather the context.

We can verify a pcap file by its header: the first bytes are 0xD4C3B2A1 for pcap, and 0x0A0D0D0A for pcapng.
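As an added example (not from the talk or from these notes), here is a small Python script that does both checks described above on a classic pcap: it identifies the file by its magic bytes and then walks the TCP handshakes to report which connections were established, which were refused with an RST-ACK, and which only ever sent a SYN. It assumes Ethernet/IPv4/TCP frames and builds its own constructed sample capture inline; pcapng files are recognized but not parsed.

```python
import struct

# First four bytes of a capture file, as listed in the notes above.
PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"  # classic pcap written by a little-endian host
PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"  # classic pcap written by a big-endian host
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"   # pcapng Section Header Block type
SYN, RST, ACK = 0x02, 0x04, 0x10     # TCP flag bits we track
LABEL = {1: "syn-only", 2: "syn-ack-only", 3: "established", -1: "refused"}
def capture_type(data):  # classify a file by its magic bytes; None if neither format
    return {PCAP_MAGIC_LE: "pcap-le", PCAP_MAGIC_BE: "pcap-be", PCAPNG_MAGIC: "pcapng"}.get(data[:4])

def tcp_tuple(frame):  # (src, dst, sport, dport, flags) for an Ethernet/IPv4/TCP frame, else None
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = frame[14 + (frame[14] & 0x0F) * 4:]            # skip Ethernet + IPv4 header (IHL)
    return (frame[26:30], frame[30:34], *struct.unpack("!HH", tcp[:4]), tcp[13])

def connection_states(data):  # 'client:port -> server:port' -> how far the handshake got
    kind = capture_type(data)
    if kind not in ("pcap-le", "pcap-be"): raise ValueError(f"not a classic pcap file: {kind}")
    end, stage, off = ("<" if kind == "pcap-le" else ">"), {}, 24   # 24-byte global header
    while off + 16 <= len(data):                          # 16-byte record header per frame
        caplen = struct.unpack(end + "I", data[off + 8:off + 12])[0]
        t = tcp_tuple(data[off + 16:off + 16 + caplen])
        off += 16 + caplen
        if t is None: continue
        src, dst, sport, dport, flags = t
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if (flags & (SYN | ACK)) == SYN:                   # client SYN opens a flow
            stage[fwd] = 1
        elif (flags & (SYN | ACK)) == (SYN | ACK) and stage.get(rev) == 1:
            stage[rev] = 2                                 # server SYN-ACK
        elif flags & RST and stage.get(rev) == 1:
            stage[rev] = -1                                # server RST-ACK: port closed
        elif flags & ACK and stage.get(fwd) == 2:
            stage[fwd] = 3                                 # client ACK: handshake complete
    ip = lambda b: ".".join(str(x) for x in b)
    return {f"{ip(s)}:{sp} -> {ip(d)}:{dp}": LABEL[st] for (s, sp, d, dp), st in stage.items()}

def _frame(src, dst, sport, dport, flags):  # constructed Ethernet/IPv4/TCP frame, no payload
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, bytes(src), bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ipv4 + tcp

def sample_pcap():  # constructed little-endian pcap: one established, one refused, one unanswered
    a, b, c = [10, 0, 0, 5], [203, 0, 113, 7], [198, 51, 100, 9]
    frames = [_frame(a, b, 40000, 443, SYN), _frame(b, a, 443, 40000, SYN | ACK), _frame(a, b, 40000, 443, ACK),
              _frame(a, c, 40001, 8080, SYN), _frame(c, a, 8080, 40001, RST | ACK), _frame(a, c, 40002, 4444, SYN)]
    header = PCAP_MAGIC_LE + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
```

Run `connection_states(open("capture.pcap", "rb").read())` on a real uplink capture to list the flows; a `syn-only` entry toward an unknown external address is the unanswered C2 attempt the talk describes, while `established` means the handshake went through.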

He shows how to use Snort and TraceWrangler together to save time by automating everything.