Threat hunting

Network forensic tools

Profiles to Wireshark
Unzip and import into the Wireshark profiles folder (Restart Wireshark)

I offer a 2 day traning course in Wireshark and huntning with Wireshark and other tools. A lot of personal in CERT, SAC and SOC teams often find it usefull for analyst to known how to use Wireshark and other tools for pcap analysis. I encounter verry often that a lot of analyst don't know how to detect evil traffic in capture files.

This basis course will help analyst to know what to look for, even if they dont know what they are looking for.

My Sponsor is Netresec
They sponsor the Networkminer witch is part of the course.

GQUIC Profile
Hunting for GQUIC connections setups can be quite a task, if you cant find the CHLO packet. This is made easy to find with this profile.. Even if this is a fully encrypted protocoal we can til see usefull information about the domain, user agents, time, IP and port.


ICMP Profile
Hunting for ICMP tunneling is quite easy with this Wireshark profile. Exampel of a pTunnel running below.


iSCSI profile
Hunting for iSCSI auth traffic and authentications. Easy to spot with this profile 


DHCP Profile
Often you will hunt for a rough DHCP server placed on your network. This profile will make this very easy.
Optimized for Wiresharek 3.x versions.


DNS Profile
This will make DNS identification easy and bring DNS traffic to life in Wireshark


SMB Profile
This will bring the analysis of SMB and SMB2 (SMB3) network traffic to life in Wireshark.

In the latest SMB profile i now have detection of exploit attempt of the Eternal Blue Vulnerability

DDOS profile
Based on my work for an ISP and the manage of Advanced DDOS mitigation. This is based on known DDOS attacks. You can analyze the type of attack quite fast. Tested Wireshark V2.6.3


Magic numbers profile
Based on file types and there magic numbers it is easy to look for different file types in network traffic like exe files and so on, hidden in network traffic. Tested Wireshark V2.6.3

Geolite2 databases for Wireshark
Wireshark can do name resolution on captured traffic.