Discover and read the best of Twitter Threads about #pcap
Most recents (4)
So you got an Intel AX210 adapter installed on your Linux computer and are ready to start capturing Wi-Fi traffic on 6 GHz, except that it doesn't work. Here's what you should know. π§΅
First, you need to be running Linux kernel 5.10 or newer. Intel drivers (iwlwifi) are part of the upstream Linux kernel. Intel introduced support for the AX210 adapter (and 6 GHz) in version 5.10.
Second, if using iw for managing the Wi-Fi interface, make sure you install iw 5.9 or newer. Older versions of iw implemented some initial support for 6 GHz but used a channel numbering scheme that was later abandoned, with channels 191, 195, etc. 
(1/of a few) Doing some training #threathunting runs with #suricata -with pcap from bit.ly/3jNUCyw
Fun fact: Alerts count only for 8% of the total logs produced - we also have protocol logs like Flow records, KRB5, SMB, DNS, TLS, HTTP, DCERPC,Fileinfo
Fun fact: Alerts count only for 8% of the total logs produced - we also have protocol logs like Flow records, KRB5, SMB, DNS, TLS, HTTP, DCERPC,Fileinfo
(2/of a few)
Just as regular protocol and flow logging of #Suricata gives us:
633 FLOW logs
295 HTTP logs
182 TLS logs
130 DNS logs
114 SMB logs
90 DCERPC logs
66 FILEINFO logs
23 KRB5 logs
2 NTP logs
Let's see some examples of the generated data...
Just as regular protocol and flow logging of #Suricata gives us:
633 FLOW logs
295 HTTP logs
182 TLS logs
130 DNS logs
114 SMB logs
90 DCERPC logs
66 FILEINFO logs
23 KRB5 logs
2 NTP logs
Let's see some examples of the generated data...
(3/of a few)
Quick and dirty cmd look at the DNS logs generated by #Suricata gives us the domain list for our #threathunting review
Couple of those jump out (at lest to me)
Quick and dirty cmd look at the DNS logs generated by #Suricata gives us the domain list for our #threathunting review
Couple of those jump out (at lest to me)
2020-07-16 - #Hancitor URL from (I assume) malspam:
hxxp://dunafacility[.]partners/wp-includes/tannerbaum.php
XLS: app.any.run/tasks/ab9808d6β¦
DLL: app.any.run/tasks/4e4a8162β¦
Follow-up malware: app.any.run/tasks/d94c1428β¦
hxxp://dunafacility[.]partners/wp-includes/tannerbaum.php
XLS: app.any.run/tasks/ab9808d6β¦
DLL: app.any.run/tasks/4e4a8162β¦
Follow-up malware: app.any.run/tasks/d94c1428β¦
2020-07-16 - #Hancitor info:
Paste: pastebin.com/s5iRrWRj
Pastebin raw: pastebin.com/raw/s5iRrWRj
Blog with #pcap and other data: malware-traffic-analysis.net/2020/07/16/indβ¦
If anyone knows what the follow-up malware is, let us all know. I don't recognize it.
Paste: pastebin.com/s5iRrWRj
Pastebin raw: pastebin.com/raw/s5iRrWRj
Blog with #pcap and other data: malware-traffic-analysis.net/2020/07/16/indβ¦
If anyone knows what the follow-up malware is, let us all know. I don't recognize it.
π¨ New blog with @_bromiley on CVE-2019-19781 - "I Promise It'll Be 200 OK", covering:
β’ ASCII encoding trick evading most (all?) public rules /.%2e/%76pns/ π
β’ @snort π· #detection tricks (negative distance, exploitation flowbits)
ππ fireeye.com/blog/products-β¦
β’ #DFIR tips ‡οΈ
β’ ASCII encoding trick evading most (all?) public rules /.%2e/%76pns/ π
β’ @snort π· #detection tricks (negative distance, exploitation flowbits)
ππ fireeye.com/blog/products-β¦
β’ #DFIR tips ‡οΈ
@_bromiley @snort @mpgn_x64 @TrustedSec @4real_br4nd4n @BakedSec @sans_isc @FireEye @Mandiant Blog contains a sampling of CVE-2019-19781 post-compromise activity: fireeye.com/blog/products-β¦
Quick & dirty #DFIR searches (use zgrep) in /var/log/
httpaccess.* : 'GET.*\.xml HTTP/1\.1\" 200' [use -B 1]
httpaccess.* : '/vpn/\.\./'
bash.* : 'nobody'
Quick & dirty #DFIR searches (use zgrep) in /var/log/
httpaccess.* : 'GET.*\.xml HTTP/1\.1\" 200' [use -B 1]
httpaccess.* : '/vpn/\.\./'
bash.* : 'nobody'
@_bromiley @snort @mpgn_x64 @TrustedSec @4real_br4nd4n @BakedSec @sans_isc @FireEye @Mandiant Gr33tz to all the cool people who have published helpful research that we linked to in the blog: @craigtweets & @TripwireInc, @HackingDave & @TrustedSec, @sans_isc, @x1sec, and sorta @mpgn_x64 π
As well as teammates @a_tweeter_user, @BakedSec, @4real_br4nd4n, and @nluedtke1 ππ½ββοΈ
As well as teammates @a_tweeter_user, @BakedSec, @4real_br4nd4n, and @nluedtke1 ππ½ββοΈ
