Analyzing Exploit Kit Traffic with Wireshark


1 Analyzing Exploit Kit Traffic with Wireshark
Analyzing Malicious Traffic with Wireshark Bradley Duncan Threat Intelligence Analyst | Palo Alto Networks Unit 42

2 WHY THE CHANGE?
Traditional campaigns using exploit kits were relatively easy to find. Diagram: compromised website -> exploit kit server.

3 WHY THE CHANGE?

4 WHY THE CHANGE?
Now, malvertising generally leads to exploit kits. Diagram: normal website -> ad -> gates -> exploit kit server.

5 INTRODUCTION @malware_traffic

6 OVERVIEW
Wireshark setup; find traffic based on an IDS alert; find root cause after post-infection alerts; example of exploit kit traffic.

7 PCAPS ONLINE AT: SharkFest-pcap-for-lab-by-Duncan-01.pcap.zip SharkFest-pcap-for-lab-by-Duncan-02.pcap.zip SharkFest-pcap-for-lab-by-Duncan-03.pcap.zip

8 WIRESHARK SETUP

9 WIRESHARK SETUP Default column display not ideal for HTTP traffic

10 WIRESHARK SETUP

11 WIRESHARK SETUP

12 WIRESHARK SETUP

13 WIRESHARK SETUP Time display to UTC

14 WIRESHARK SETUP Hide or remove the columns you don't need.

15 WIRESHARK SETUP Go to Column Preferences

16 WIRESHARK SETUP Go to Column Preferences

17 WIRESHARK SETUP Adding a column

18 WIRESHARK SETUP Adding a column

19 WIRESHARK SETUP Adding a column

20 WIRESHARK SETUP Adding a column

21 WIRESHARK SETUP Adding a column

22 WIRESHARK SETUP Adding a column

23 WIRESHARK SETUP Aligning the columns

24 WIRESHARK SETUP
Columns: Time, Source IP, Source port, Destination IP, Destination port, HTTP host, Info.

25 UP NEXT... Find traffic based on an IDS alert
Agenda: Wireshark setup; find traffic based on an IDS alert; find root cause after post-infection alerts; example of exploit kit traffic.

26 FROM IDS ALERT Initial alerts on the first pcap show a JS or WSF downloader

27 FROM IDS ALERT

28 FROM IDS ALERT

29 FROM IDS ALERT
Filter: http.request and tcp.port eq 49216

30 FROM IDS ALERT

31 FROM IDS ALERT

32 FROM IDS ALERT

33 FROM IDS ALERT

34 FROM IDS ALERT

35 FROM IDS ALERT

36 FROM IDS ALERT

37 FROM IDS ALERT

38 FROM IDS ALERT

39 FROM IDS ALERT

40 UP NEXT... Find root cause after post-infection alert
Agenda: Wireshark setup; find traffic based on an IDS alert; find root cause after post-infection alert; example of exploit kit traffic.

41 ROOT CAUSE AFTER POST-INFECTION
Alerts for Fareit/Pony, Terdot.A/Zloader, and Tor

42 ROOT CAUSE AFTER POST-INFECTION
Filter: http.request and ip.addr eq

43 ROOT CAUSE AFTER POST-INFECTION

44 ROOT CAUSE AFTER POST-INFECTION
Filter: http.request and ip.addr eq

45 ROOT CAUSE AFTER POST-INFECTION
Domains from the alerts: nyatguted.com, soevenghappar.ru

46 ROOT CAUSE AFTER POST-INFECTION

47 ROOT CAUSE AFTER POST-INFECTION
"nyatguted.com" and site:malwr.com

48 ROOT CAUSE AFTER POST-INFECTION
"nyatguted.com" and site:hybrid-analysis.com

49 ROOT CAUSE AFTER POST-INFECTION

50 ROOT CAUSE AFTER POST-INFECTION
Filter: ssl.handshake.extensions_server_name

51 ROOT CAUSE AFTER POST-INFECTION

52 ROOT CAUSE AFTER POST-INFECTION

53 ROOT CAUSE AFTER POST-INFECTION

54 ROOT CAUSE AFTER POST-INFECTION
Filter: http.request or ssl.handshake.extensions_server_name
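The filters on slides 29 through 54 are all pivots: from a port in an IDS alert to the HTTP request that fired it, from a post-infection alert's IP to every request sent to it, and from HTTP-only to HTTP plus TLS Client Hello by combining http.request with the SNI field. The block below is an added example, not code from the talk: it evaluates that subset of Wireshark display-filter syntax (field presence, field eq value, and/or, parentheses) over a constructed packet summary list, and renders hits in the column order from slide 24. The packet records, the client address 10.0.0.5, the host ek.example.net and the timestamps are all made up; the EK server IP, the alert port and the post-infection domains are the ones the slides use.

```python
# Added example (not from the talk): a small evaluator for the display filters
# used in these slides, run over constructed packet summaries so the pivot from
# an IDS alert to the traffic it fired on can be followed without a pcap.
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Pkt:
    """One packet summary, holding the fields behind the recommended columns."""
    time: str                      # UTC, as slide 13 recommends
    src: str
    sport: int
    dst: str
    dport: int
    info: str
    http_request: bool = False     # 'http.request' is present on this packet
    http_response: bool = False    # 'http.response' is present on this packet
    http_host: Optional[str] = None
    sni: Optional[str] = None      # ssl.handshake.extensions_server_name

# Constructed sample capture (not real traffic): client 10.0.0.5 talks to the
# EK server IP from slide 60 on client port 49216 (the port from slide 29),
# then to the post-infection domains named on slide 45.
PACKETS = [
    Pkt("2017-06-20 14:01:02", "10.0.0.5", 49210, "93.184.216.34", 80, "GET / HTTP/1.1", http_request=True, http_host="example.com"),
    Pkt("2017-06-20 14:01:05", "10.0.0.5", 49216, "185.158.153.204", 80, "GET /index.php HTTP/1.1", http_request=True, http_host="ek.example.net"),
    Pkt("2017-06-20 14:01:06", "185.158.153.204", 80, "10.0.0.5", 49216, "HTTP/1.1 200 OK (text/html)", http_response=True),
    Pkt("2017-06-20 14:01:09", "10.0.0.5", 49216, "185.158.153.204", 80, "GET /index.php?id=2 HTTP/1.1", http_request=True, http_host="ek.example.net"),
    Pkt("2017-06-20 14:01:20", "10.0.0.5", 49230, "203.0.113.77", 443, "Client Hello", sni="nyatguted.com"),
    Pkt("2017-06-20 14:01:25", "10.0.0.5", 49231, "203.0.113.78", 80, "POST /check HTTP/1.1", http_request=True, http_host="soevenghappar.ru"),
]

def field_test(pkt, field, value):
    """Presence test when value is None, equality otherwise; ip.addr and
    tcp.port match either direction, as they do in Wireshark."""
    if field == "http.request":
        return pkt.http_request
    if field == "http.response":
        return pkt.http_response
    if field == "ssl.handshake.extensions_server_name":
        return pkt.sni is not None if value is None else pkt.sni == value
    if field == "http.host":
        return pkt.http_host is not None if value is None else pkt.http_host == value
    if field == "ip.addr":
        return value is None or value in (pkt.src, pkt.dst)
    if field == "tcp.port":
        return value is None or int(value) in (pkt.sport, pkt.dport)
    raise ValueError("unsupported field: " + field)

class Filter:
    """expr := term ('or' term)*; term := factor ('and' factor)*;
    factor := '(' expr ')' | field ['eq' value]"""
    def __init__(self, text):
        self.toks = re.findall(r"\(|\)|[^\s()]+", text)

    def matches(self, pkt):
        self.i, self.pkt = 0, pkt
        result = self._expr()
        if self.i != len(self.toks):
            raise ValueError("unexpected token: " + self.toks[self.i])
        return result

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _take(self):
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of filter")
        self.i += 1
        return self.toks[self.i - 1]

    def _expr(self):
        val = self._term()
        while self._peek() == "or":
            self._take()
            val = self._term() or val      # right side evaluated first so parsing continues
        return val

    def _term(self):
        val = self._factor()
        while self._peek() == "and":
            self._take()
            val = self._factor() and val
        return val

    def _factor(self):
        if self._peek() == "(":
            self._take()
            val = self._expr()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return val
        field, value = self._take(), None
        if self._peek() in ("eq", "=="):
            self._take()
            value = self._take()
        return field_test(self.pkt, field, value)

def apply_filter(text, packets=PACKETS):
    f = Filter(text)
    return [p for p in packets if f.matches(p)]

def row(pkt):
    """Render a packet in the column order from slide 24."""
    return (pkt.time, pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.http_host or "", pkt.info)

if __name__ == "__main__":
    for flt in ("http.request and tcp.port eq 49216",
                "http.request and ip.addr eq 185.158.153.204",
                "http.request or ssl.handshake.extensions_server_name"):
        print(flt)
        for p in apply_filter(flt):
            print("   ", *row(p))
```

The third filter is the one that matters after a post-infection alert: http.request alone shows nothing for the HTTPS connection to nyatguted.com, while adding the SNI field puts the Client Hello in the same list, so the HTTP and TLS callbacks can be read in time order.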

55 ROOT CAUSE AFTER POST-INFECTION

56 UP NEXT... Example of exploit kit traffic
Agenda: Wireshark setup; find traffic based on an IDS alert; find root cause after post-infection alert; example of exploit kit traffic.

57 EXPLOIT KIT TRAFFIC
Rig EK is often easiest to replicate. EKs are evolving. Rig EK URL patterns changed last week, on June 12th or June 13th. Rig EK payload is encrypted.

58 EXPLOIT KIT TRAFFIC

59 EXPLOIT KIT TRAFFIC Post-infection alerts

60 EXPLOIT KIT TRAFFIC
Filter: http.request and ip.addr eq 185.158.153.204

61 EXPLOIT KIT TRAFFIC
Flow of events from the EK domain: landing page -> exploit -> payload

62 EXPLOIT KIT TRAFFIC
Flow of events from the EK domain: landing page & IE exploit -> payload

63 EXPLOIT KIT TRAFFIC
Filter: (http.request or http.response) and ip.addr eq 185.158.153.204

64 EXPLOIT KIT TRAFFIC

65 EXPLOIT KIT TRAFFIC

66 EXPLOIT KIT TRAFFIC File > Export Objects > HTTP

67 EXPLOIT KIT TRAFFIC

68 EXPLOIT KIT TRAFFIC
Filter: (http.request or http.response) and ip.addr eq 185.158.153.204

69 EXPLOIT KIT TRAFFIC File > Export Objects > HTTP

70 EXPLOIT KIT TRAFFIC Example from Tuesday:

71 EXPLOIT KIT TRAFFIC

72 EXPLOIT KIT TRAFFIC Example from yesterday on

73 EXPLOIT KIT TRAFFIC
Filter: (http.request or http.response) and ip.addr eq 185.158.153.204

74 EXPLOIT KIT TRAFFIC

75 EXPLOIT KIT TRAFFIC

76 EXPLOIT KIT TRAFFIC
Filter: ip contains red.troy.systems
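Two things from slides 66 through 76 are worth seeing in code: what File > Export Objects > HTTP actually produces from a reassembled server-to-client stream (one object per response, with its content type, size and a hash to look up), and how the contains operator on slide 76 differs from a field match, since it is a byte substring search over the whole packet rather than a test of one named field. The block below is an added example, not code from the talk or from Wireshark: the HTTP stream is constructed inline, the HTML body that references red.troy.systems is made up, and the "encrypted payload" is a stand-in byte pattern that illustrates the point from slide 57 that a Rig EK payload is encrypted, so an exported payload does not show a PE header until it is decrypted.

```python
# Added example (not from the talk): mimic File > Export Objects > HTTP on a
# constructed server-to-client stream, then byte-search the stream the way the
# 'contains' display-filter operator does.
import hashlib

# Constructed bodies (not real EK content).
HTML_BODY = (b"<html><body><script src='http://red.troy.systems/ad.js'></script>"
             b"</body></html>")
ENC_BODY = bytes((i * 37 + 11) & 0xFF for i in range(64))  # stand-in for an encrypted payload
PE_BODY = b"MZ" + b"\x90" * 62                             # stand-in for a plain PE file

def http_response(ctype, body):
    """Build one HTTP/1.1 response with Content-Length framing."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + ctype +
            b"\r\nContent-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)

# Constructed server->client stream: a landing page, then a payload download.
STREAM = (http_response(b"text/html", HTML_BODY) +
          http_response(b"application/octet-stream", ENC_BODY))

def export_objects(stream):
    """Split a reassembled HTTP stream into response objects, as the Export
    Objects dialog lists them. Only Content-Length framing is handled here;
    chunked transfer encoding is out of scope for this example."""
    objects, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        hdrs = {k.strip().lower(): v.strip()
                for k, v in (h.split(":", 1) for h in lines[1:] if ":" in h)}
        length = int(hdrs.get("content-length", "0"))
        body = stream[end + 4:end + 4 + length]
        objects.append({
            "content_type": hdrs.get("content-type", ""),
            "size": len(body),
            "sha256": hashlib.sha256(body).hexdigest(),  # value to search on malwr/hybrid-analysis
            "is_pe": body[:2] == b"MZ",                  # False for an encrypted payload
        })
        pos = end + 4 + length
    return objects

def contains(raw, needle):
    """Equivalent of Wireshark's 'contains': a case-sensitive byte substring
    match anywhere in the packet bytes, not a test of one named field."""
    return needle.encode() in raw

if __name__ == "__main__":
    for obj in export_objects(STREAM):
        print(obj["content_type"], obj["size"], obj["sha256"], "PE" if obj["is_pe"] else "not PE")
    print("ip contains red.troy.systems ->", contains(STREAM, "red.troy.systems"))
```

Because the domain sits only inside the HTML body, a filter on http.host would not select this stream, while the contains search does; that is the case where the broader operator earns its cost of also matching unrelated packets that happen to carry the same bytes.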

77 EXPLOIT KIT TRAFFIC

78 EXPLOIT KIT TRAFFIC

79 SUMMARY
Wireshark setup; find traffic based on an IDS alert; find root cause after post-infection alerts; example of exploit kit traffic.

80 Analyzing Exploit Kit Traffic with Wireshark
Analyzing Malicious Traffic with Wireshark Bradley Duncan Threat Intelligence Analyst | Palo Alto Networks Unit 42

