SEC-T - 0x10sion

10-13th of September 2024

Network forensics for incident response

A hands-on network forensics training that allows you to deep dive into analyzing captured full content network traffic in PCAP files. The training data is a completely new and unique data set captured during 30 days on an Internet connected network with multiple clients, an AD server, a web server, an android tablet and some embedded devices.

We will analyze traffic from multiple intrusions by various attackers, including APT style attackers and botnet operators. The initial attack vectors are using techniques like exploitation of web vulnerabilities, spear phishing, a supply chain attack and a man-on-the-side attack!

Each attendee will be provided with a free single user license of NetworkMiner Professional and CapLoader. These licenses will be valid for six months from the first training day.


Day 1 : Theory and Practice using Open Source Tools


Investigating spear phishing email with malware attachment

Reassembling exfiltrated data

Identifying C2 traffic in decrypted HTTPS traffic

Analyzing decrypted HTTPS traffic from a transparent TLS inspection proxy

Using NetFlow with Argus

Tracking lateral movement with stolen AD credentials

Searching application layer data with Wireshark, tshark, tcpflow and ngrep

Threat Hunting with Security Onion

Leveraging passive DNS to track C2 domains

Decoding proprietary C2 traffic from a RAT

Extracting files from PCAP with NetworkMiner

Sandbox execution of malware and behavioral analysis

Supply chain attacks

Extracting files from SMB and SMB2 traffic

Analyzing exfiltration by an APT style attacker

Investigating a spear phishing attack with credential theft


Day 2 : Advanced Network Forensics using Netresec Tools


Theory: HTTP Cookies

Analyzing Cobalt Strike beacons

Investigation of botnet infection (TrickBot)

Extracting and verifying X.509 certificates from network traffic

Learning about Man-on-the-Side (MOTS) attacks, such as NSA’s QUANTUMINSERT and HackingTeam’s “Network Injection”

Investigating a brute force attack on a web CMS

Analyzing exploitation of a web server

Tracking commands sent to web shells

Tracking lateral movement via Linux servers

Using JA3 to track TLS encrypted malware traffic

Live TLS decryption lab