Monday, April 20, 2020

Detecting Malicious Activity in Network Traffic

During my usual scour of any.run for interesting samples, I came across a .bat file that delivered both a Koadic and a Cobalt Strike infection. Not being sure how common it is to see both frameworks used almost simultaneously, I wanted to take a further look with a focus on the network traffic.

I have not been able to find similar campaigns or come across other samples to suggest this attack is being seen elsewhere. The focus of this post will be on conducting a quick "hunt" through the traffic in the PCAP of the infection. Zeek will be heavily utilized, with Wireshark making an appearance a few times.

JPCert's Log Analysis Training

6 Aug 2020 About a week ago, JPCert released their Log Analysis training slides and the corresponding CSV files for each hands-on exercise...