657 Followers
163 Following
121 Posts
#Malware Analysis, #DFIR, Computer #Forensics, Incident Response, #ThreatIntel, #OSINT, #CyberSecurity
#Linux, #FreeBSD, #ReactOS and #MeshCore enthusiast 
Tips, Tricks, Tools and Trainings by ladislav_b (#Network Analyst @ESET, #Slovakia). Opinions are my own.
Web: https://malwarelab.eu
Web: https://baco.sk
X: https://x.com/malwarelab_eu
X (personal): https://x.com/ladislav_b
nostr: b40c155b55a94238005acc780ad8feb89daab358d73c2035c5e14b96289e4243

Investigation scenario:
We just received three notifications with alerts from #Suricata #IDS

1) GPL SMTP vrfy root, from an unknown IP to our mail server

Shortly after that, two more alerts appeared:

2) ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response; from the same unknown IP to a Windows computer in our network
3) ET MALWARE Possible Metasploit Payload Common Construct Bind_API, again from the same unknown IP to the same Windows computer

What happened?
What to do? How to analyze network traffic and investigate those alerts?

We do not have any EDR or XDR installed on that Windows computer. Right now, we have only Suricata eve.json logs ingested into the #OpenObserve #SIEM.

If you would like to see more, you are welcome to attend my @suricata webinar on March 11.
Register here: https://us02web.zoom.us/webinar/register/WN_I6BNbCU2SNG2fAOEiotPiQ
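One way to start on the scenario above with nothing but eve.json: pull the alert records, group them by external source IP, rebuild the timeline per source and rank sources by how far the alert sequence has progressed (enumeration against the mail server, then a PE file served to an internal host, then a Metasploit-style payload construct to the same host). The script below is an added example, not code from the post, the webinar or OpenObserve; the eve.json lines are constructed to mirror the three quoted alerts (they are not real logs and carry no rule IDs), the internal address range is an assumption, and the stage labels are my own mapping rather than Suricata metadata. The same grouping can be expressed as a query in the SIEM once you know what you are looking for.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: the address range that counts as "our network". Adjust to yours.
INTERNAL_NETS = [ip_network("192.0.2.0/24")]

# Signature fragments taken from the three alerts quoted in the post, mapped to
# a rough attack stage. The stage labels are my own, not Suricata metadata.
STAGE_BY_SIGNATURE = {
    "smtp vrfy": "recon",                   # user enumeration against the mail server
    "mz response": "delivery",              # a PE file (MZ header) served from a bare IP
    "metasploit payload": "exploitation",   # stager/payload construct seen on the wire
}
STAGE_ORDER = ["recon", "delivery", "exploitation"]

# Constructed sample eve.json lines (not real logs), using Suricata EVE field names.
SAMPLE_EVE = """\
{"timestamp":"2026-03-02T09:12:01.104512+0000","event_type":"alert","src_ip":"203.0.113.45","src_port":41022,"dest_ip":"192.0.2.25","dest_port":25,"proto":"TCP","alert":{"signature":"GPL SMTP vrfy root","severity":2}}
{"timestamp":"2026-03-02T09:12:03.000000+0000","event_type":"flow","src_ip":"192.0.2.10","src_port":50321,"dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP"}
{"timestamp":"2026-03-02T09:14:40.220000+0000","event_type":"alert","src_ip":"203.0.113.45","src_port":8080,"dest_ip":"192.0.2.77","dest_port":49811,"proto":"TCP","alert":{"signature":"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response","severity":2}}
{"timestamp":"2026-03-02T09:14:41.900000+0000","event_type":"alert","src_ip":"203.0.113.45","src_port":4444,"dest_ip":"192.0.2.77","dest_port":49812,"proto":"TCP","alert":{"signature":"ET MALWARE Possible Metasploit Payload Common Construct Bind_API","severity":1}}
{"timestamp":"2026-03-02T09:30:00.000000+0000","event_type":"alert","src_ip":"198.51.100.9","src_port":53412,"dest_ip":"192.0.2.40","dest_port":22,"proto":"TCP","alert":{"signature":"ET SCAN Potential SSH Scan","severity":3}}
"""


def parse_ts(s):
    # Suricata writes e.g. 2026-03-02T09:12:01.104512+0000
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%f%z")


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def stage_of(signature):
    sig = signature.lower()
    for fragment, stage in STAGE_BY_SIGNATURE.items():
        if fragment in sig:
            return stage
    return "other"


def alerts(eve_text):
    """Yield only event_type=alert records from eve.json text (one JSON object per line)."""
    for line in eve_text.splitlines():
        if line.strip():
            ev = json.loads(line)
            if ev.get("event_type") == "alert":
                yield ev


def correlate(eve_text, window=timedelta(minutes=30)):
    """Group alerts by external source IP and rebuild a per-source timeline.

    Priority is "high" when recon, delivery and exploitation appear in that
    chronological order from one source within `window`; "medium" when a
    delivery or exploitation alert appears without the full chain; else "low".
    """
    by_src = defaultdict(list)
    for ev in alerts(eve_text):
        if not is_internal(ev["src_ip"]):        # triage external sources only
            by_src[ev["src_ip"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: parse_ts(e["timestamp"]))
        first, last = parse_ts(evs[0]["timestamp"]), parse_ts(evs[-1]["timestamp"])
        seen = []                                 # stages in order of first appearance
        for e in evs:
            st = stage_of(e["alert"]["signature"])
            if st != "other" and st not in seen:
                seen.append(st)
        victims = sorted({e["dest_ip"] for e in evs
                          if stage_of(e["alert"]["signature"]) in ("delivery", "exploitation")})
        if seen == STAGE_ORDER and last - first <= window:
            priority = "high"
        elif victims:
            priority = "medium"
        else:
            priority = "low"
        findings[src] = {
            "priority": priority,
            "stages": seen,
            "targets": sorted({e["dest_ip"] for e in evs}),
            "likely_compromised": victims if priority == "high" else [],
            "span_seconds": (last - first).total_seconds(),
            "timeline": [(e["timestamp"], e["dest_ip"], e["alert"]["signature"]) for e in evs],
        }
    return findings


if __name__ == "__main__":
    for src, f in correlate(SAMPLE_EVE).items():
        print(f"{src}: priority={f['priority']} stages={f['stages']} "
              f"targets={f['targets']} compromised={f['likely_compromised']}")
        for ts, dst, sig in f["timeline"]:
            print(f"    {ts}  -> {dst}  {sig}")
```

Run it against a real eve.json by reading the file into `correlate()`. The output answers the post's first questions directly: which external address did all three things, which internal host received both the MZ response and the payload construct, and how many seconds separated the steps. With no EDR on the host, the next steps are in the network data too: pull the flow and fileinfo records for the same 5-tuples, carve the served file if Suricata's file extraction is enabled, and check whether the Windows host opened any further connections back to the source IP after the last alert.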

📢📢📢 Ladislav Bačo is back for round two!

On March 11, Ladislav Bačo ( @malwarelab_eu ) shares practical approaches for integrating network forensics into IR workflows, with perspectives for home and small office networks.

Register: https://us02web.zoom.us/webinar/register/WN_I6BNbCU2SNG2fAOEiotPiQ

#Suricata

Yesterday I led a half-day workshop for a group of high school students. The content was purely practical: a lot of labs and hands-on exercises and challenges about computer networks, #networktrafficanalysis and #cybersecurity.

Girls made their own Ethernet cables to connect to our lab network. Then they analyzed common network protocols and their privacy issues and how the browser settings can affect the amount of sensitive information in the network traffic.

Pro tip: together with HTTPS-Only Mode in all windows, also enable DNS over HTTPS using Increased Protection or Max Protection.
Pro tip 2: even with those hardened settings, it is often possible to see which websites the user visits, because of TLS SNI or TLS certificates.

After that, the girls had the opportunity to try a CTF-like activity in the lab network full of old #MikroTik and #Ubiquiti devices and virtual machines with various services exposed.

A little bit off-topic: This was the first workshop I completely led using my old #ThinkPad with #FreeBSD

#MayTheSourceBeWithYou
#PCAPorItDidntHappen

#education #womeninstem #womenintech #SecurityGirl #AjTyvIT #wireshark #CTF #handsonlearning #learningbydoing
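The second pro tip in the workshop post is worth seeing in bytes. HTTPS-Only Mode and DNS over HTTPS hide the URL path and the DNS lookup, but the TLS ClientHello still carries the server name in clear text (unless Encrypted Client Hello is in use), so anyone on the path reads the hostname straight out of the first packet of the connection. The code below is an added example, not something from the workshop: it builds a minimal ClientHello to have something to parse (constructed input, zero random, one cipher suite; not a capture) and then walks the handshake to pull out the server_name extension. The parser handles the two cases that trip up quick scripts: a record that is not a ClientHello, and an old-style ClientHello with no extensions block at all.

```python
import struct

SNI_EXT = 0x0000          # server_name extension type (RFC 6066)
HOST_NAME = 0             # NameType host_name


def build_client_hello(hostname):
    """Build a minimal TLS ClientHello record. Constructed test input, not a capture.

    hostname=None produces a ClientHello with no extensions block at all, which
    older clients send and which the parser must tolerate.
    """
    body = (b"\x03\x03" + bytes(32)                   # client_version, 32-byte random (zeros here)
            + b"\x00"                                  # session_id length 0
            + struct.pack("!H", 2) + b"\x13\x01"       # one cipher suite
            + b"\x01\x00")                             # compression methods: null
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = bytes([HOST_NAME]) + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        sni_ext = struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
        other_ext = struct.pack("!HH", 0x000b, 2) + b"\x01\x00"   # ec_point_formats, to be skipped
        exts = other_ext + sni_ext
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a TLS ClientHello record, or None if absent/not a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:            # ContentType handshake
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                     # HandshakeType client_hello
        return None
    end = min(4 + int.from_bytes(hs[1:4], "big"), len(hs))
    p = 4 + 2 + 32                                       # skip client_version + random
    if p >= end:
        return None
    p += 1 + hs[p]                                       # session_id
    if p + 2 > end:
        return None
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]         # cipher_suites
    if p >= end:
        return None
    p += 1 + hs[p]                                       # compression_methods
    if p + 2 > end:
        return None                                      # no extensions block
    ext_end = min(p + 2 + struct.unpack("!H", hs[p:p + 2])[0], end)
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        data = hs[p:p + elen]
        p += elen
        if etype != SNI_EXT or len(data) < 2:
            continue
        q = 2                                            # skip ServerNameList length
        while q + 3 <= len(data):
            ntype = data[q]
            nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
            q += 3
            if ntype == HOST_NAME and q + nlen <= len(data):
                return data[q:q + nlen].decode("ascii", "replace")
            q += nlen
    return None


if __name__ == "__main__":
    hello = build_client_hello("mail.example.org")
    print("SNI:", extract_sni(hello))                                # mail.example.org
    print("no extensions:", extract_sni(build_client_hello(None)))   # None
```

Feed `extract_sni()` the TCP payload of the first client-to-server packet of any TLS session from a pcap and you get the hostname the browser's hardened settings did not hide. For a quick lab demo without writing a parser, the same field is available as `tshark -r capture.pcap -Y 'tls.handshake.type == 1' -T fields -e ip.dst -e tls.handshake.extensions_server_name`. In TLS 1.2 the server certificate is also sent in the clear and names the site a second time; TLS 1.3 encrypts it, which is why SNI is the leak that remains.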

If you've wanted to learn Zeek scripting but didn't know where to start, Evan put together a comprehensive tutorial covering the basics through building a real detection.

https://www.youtube.com/watch?v=nae8cdrUUKY

#Zeek #NetworkMonitoring #Infosec

Zeek Scripting Tutorial: Learn the Fundamentals (YouTube)

Think IDS/IPS is only for enterprises? Think again.

In this webinar with Ladislav Bačo on Feb 11th, learn how #Suricata makes network monitoring accessible for SOHO, HomeLabs, and small networks—often for under €100 using everyday hardware.

Register! https://us02web.zoom.us/webinar/register/WN_v5O3SUzGQ4qzAasqM0oHoA

RE: https://infosec.exchange/@suricata/116020101997773445

Join me on Wednesday to see how to build your own home network monitoring setup under $100.
Traffic capture, IDS, lightweight SIEM and alerting included.

Notepad++ publishes a blog post saying they caught a probably-Chinese state actor hijacking their product in an attack against highly-selective targets that began last June: https://notepad-plus-plus.org/news/hijacked-incident-info-update/
Notepad++ Hijacked by State-Sponsored Hackers | Notepad++

@daan You are welcome. Of course, testing with more than one device is definitely more useful and more fun.
I tested #reticulum with lilygo t3 v2.1, heltec v2 and v3.
I observed that on older devices with ESP32 (not ESP32-S3), the RNode firmware boots and runs much faster and more smoothly than MeshCore. So I switched my older devices to RNodes and my newer devices to MeshCore nodes.
@daan Yes, I tried #RNode and #LoRa, but only an indoor test at short range. I tested a serial and a WiFi connection between a computer with #RNS and an RNode, and a Bluetooth connection between a smartphone and another RNode. All three worked. And yes, with very recent RNS and RNode firmware it is possible to connect a LoRa device to a computer over WiFi as well.
@bxxb @cm Just swapping firmware is not usually enough. Unfortunately, most of the LoRa boards support either the 433 MHz or the 868 MHz band, but not both of them simultaneously. So if you have a 433 MHz board, you probably have to buy and use another board.