![]() These indicators are often referred to as Indicators of Compromise (IOCs). Indicators consist of information derived from network traffic that relates to the infection. ![]() These infections can follow many different paths before the malware, usually a Windows executable file, infects a Windows host. This tutorial uses examples of Windows infection traffic from commodity malware distributed through mass-distribution methods like malicious spam (malspam) or web traffic. Filters for other types of infection traffic.Filters for web-based infection traffic.This tutorial covers the following areas: Instead, it shows some tips and tricks for Wireshark filters. This is not a comprehensive tutorial on how to analyze malicious network traffic. And you should also have a basic understanding of how malware infections occur. ![]() Keep in mind you must understand network traffic fundamentals to effectively use Wireshark. Pcaps for this tutorial are available here. It covers display filter expressions I find useful in reviewing pcaps of malicious network traffic from infected Windows hosts. ![]() Today's post provides more tips for analysts to better use Wireshark. To better accomplish this work, I use a customized Wireshark column display as described my previous blog about using Wireshark. As a Threat Intelligence Analyst for Palo Alto Networks Unit 42, I often use Wireshark to review packet captures (pcaps) of network traffic generated by malware samples. ![]()
0 Comments
Leave a Reply. |