Network forensics for incident response
May 7th, 2022
A hands-on network forensics training that lets you dive deep into analyzing captured full-content network traffic in PCAP files. The training data is a completely new and unique data set, captured over 30 days on an Internet-connected network with multiple clients, an AD server, a web server, an Android tablet and some embedded devices.
We will analyze traffic from multiple intrusions by various attackers, including APT-style attackers and botnet operators. The initial attack vectors include exploitation of web vulnerabilities, spear phishing, a supply chain attack and a man-on-the-side attack!
Each attendee will be provided with a free single user license of NetworkMiner Professional and CapLoader. These licenses will be valid for six months from the first training day.
Day 1: Theory and Practice using Open Source Tools
Investigating spear phishing email with malware attachment
Reassembling exfiltrated data
Identifying C2 traffic in decrypted HTTPS traffic
Analyzing decrypted HTTPS traffic from a transparent TLS inspection proxy
Using NetFlow with Argus
Tracking lateral movement with stolen AD credentials
Searching application layer data with Wireshark, tshark, tcpflow and ngrep
Threat Hunting with Security Onion
Leveraging passive DNS to track C2 domains
Decoding proprietary C2 traffic from a RAT
Extracting files from PCAP with NetworkMiner
Sandbox execution of malware and behavioral analysis
Supply chain attacks
Extracting files from SMB and SMB2 traffic
Analyzing exfiltration by an APT style attacker
Investigating a spear phishing attack with credential theft
Day 2: Advanced Network Forensics using Netresec Tools
Theory: HTTP Cookies
Analyzing Cobalt Strike beacons
Investigation of botnet infection (TrickBot)
Extracting and verifying X.509 certificates from network traffic
Learning about Man-on-the-Side (MOTS) attacks, such as NSA’s QUANTUMINSERT and HackingTeam’s “Network Injection”
Investigating a brute force attack on a web CMS
Analyzing exploitation of a web server
Tracking commands sent to web shells
Tracking lateral movement via Linux servers
Using JA3 to track TLS encrypted malware traffic
Live TLS decryption lab