Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers
We assess with high confidence that the Winnti umbrella is associated with the Chinese state... »
Not long ago the thought of storing every DNS query, SSL certificate, HTTP transaction, and netflow record on a traditional enterprise network for an unlimited period »
The Satori Botnet, a successor of Mirai, has continuously infected vulnerable devices since its launch late last year. There has recently been a flurry of »
This guide is available as a pdf here. Of all the common protocols a new analyst encounters, perhaps none is quite as impenetrable as Server Message »
In the recent post Triaging Large Packet Captures - 4 Key TShark Commands to Start Your Investigation, I discussed some areas to begin investigating a large »
Scanning a PCAP file with a large IDS ruleset can be beneficial for putting a name to suspicious or malicious activity. It can also be useful »
Recently, several seemingly suspicious emails were brought to the attention of 401TRG. While phishing campaigns are relatively common, this one had a few interesting features. I »
Attempts to gain control of public facing web servers with modified HTTP requests are very common, and can sometimes pose a danger to unpatched systems. With »