knowledge An Introduction to Exploratory Data Analysis with Network Forensics "Universal law is for lackeys; context is for kings." -Capt. Gabriel Lorca, Star Trek: Discovery Workflows are often not as clearly defined in reality as they are in the organizational charts and docs, if those even exist. As a result, the more dismal side
analysis Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers We assess with high confidence that the Winnti umbrella is associated with the Chinese state...
research Building a Data Lake for Threat Research Not long ago the thought of storing every DNS query, SSL certificate, HTTP transaction, and netflow record on a traditional enterprise network for an unlimited period of time sounded ludicrous. Even harder to imagine is using that data to conduct threat research or hunting
analysis Analysis of Active Satori Botnet Infections The Satori Botnet, a successor of Mirai, has continuously infected vulnerable devices since its launch late last year. There has recently been a flurry of of activity around this botnet: the botnet author was potentially identified, some C2 Infrastructure was taken down, and variants
knowledge An Introduction to SMB for Network Security Analysts This guide is available as a pdf here. Of all the common protocols a new analyst encounters, perhaps none is quite as impenetrable as Server Message Block (SMB). Its enormous size, sparse documentation, and wide variety of uses can make it one of the
knowledge Triaging Large Packet Captures - Methods for Extracting & Analyzing Domains In the recent post Triaging Large Packet Captures - 4 Key TShark Commands to Start Your Investigation, I discussed some areas to begin investigating a large packet capture. Generally, when confronted with a large PCAP with unknown behavior in it, we want to start
knowledge Using Emerging Threats Suricata Ruleset to Scan PCAP Scanning a PCAP file with a large IDS ruleset can be beneficial for putting a name to suspicious or malicious activity. It can also be useful for creating signatures on
analysis Exposing a Phishing Kit Recently, several seemingly suspicious emails were brought to the attention of 401TRG. While phishing campaigns are relatively common, this one had a few interesting features. I decided to investigate this campaign further, and found that the attacker(s) had left most of their php
analysis Large Scale IRCbot Infection Attempts Attempts to gain control of public facing web servers with modified HTTP requests are very common, and can sometimes pose a danger to unpatched systems. With the use of publicly available tooling, these web crawling and attack attempts are extremely easy to perform and
analysis An Update on Winnti (LEAD/APT17) In our recent post "Winnti Evolution - Going Open Source,” Nate Marx and I shared new details on the Winnti APT group and their continued targeting of online gaming organizations. The purpose of this follow-up post is to share some new information about the group and their continued activities.
analysis Turla Watering Hole Campaigns 2016/2017 A common TTP of the Turla APT group has been based around watering hole attacks. In late 2016, we began observing what is now called the “Clicky” watering hole campaign unfold across the globe, in addition to a similar campaign I’ll refer to
research Identifying and Triaging DNS Traffic on Your Network DNS is one of the most important protocols on the modern internet, and any incident responder must be intimately familiar with its inner workings to perform effective triage of almost any event. Most networks, regardless of security, must let at least some DNS traffic
knowledge Triaging Large Packet Captures - 4 Key TShark Commands to Start Your Investigation Triaging large packet captures is a daunting task, even for the most seasoned security analysts. With a mountain of data and few leads, analysts need to find ways to pare down what they've captured and focus on the areas that have the highest chance
analysis Winnti (LEAD/APT17) Evolution - Going Open Source This post was originally published on July 11, 2017, in the offical ProtectWise.com blog. We have since moved it to this 401TRG blog and backdated appropriately. Update #1: We have published a new post contining additional Winnti details. If you would like to
