search

The Basic

PCAP is always my favorite data source, I love it <3

circle-info

Quickies: https://apackets.com/arrow-up-right using this site to take an overview first is something that is quite useful

hashtag
1. Find the suspicious host

Most of the time when I get the pcap I would always put the pcap into Brim (https://www.brimdata.io/arrow-up-right) and I put an end to these questions:

  • Which endpoint has the most hit?

  • HTTP request to some malicious site (I use virustotal for this, but if this isn't working then I have to do some analysis on which domain looks quite weird and downloads a malicious file)

  • If your captured has multiple VLANs then you will pivot it down

hashtag
After you find the infected host -> you isolated the traffic

That means you export each of the host traffic into a small pcap -> then analyze that by using this query on Wireshark

ip.addr eq <ip_address>

then use File --> Export Specified Packets... to save the displayed traffic in a new pcap

hashtag
Kerberos CNAME String for the username of the machine

If you are lucky the domain has AD or some Kerberos traffic then you can find the username

hashtag
Indicator of suspicious

Calling to this API:

  • api.ipify.org (This will show the computer's public IP)

PreviousNetwork Packet AnalysisNextTshark | Zeek Copy & Paste

Last updated