Wireshark Cheatsheet

The document provides instructions for investigating network traffic using Wireshark. It outlines steps to capture live traffic, open pcap files, find all HTTP traffic to a specific domain, get the full HTTP communication between client and server, and get all requested domains and their IP addresses.


Wireshark Cheatsheet: Investigating & Hunting in Network Packets

Network Investigation - Starting Point

1. Live Network Monitoring: To capture network traffic, you need to click on Menu: Capture ➡️ Start
2. Opening Packet Capture File: To open a packet capture file (pcap, pcapng), just go to File ➡️ Open and choose the file you want

1. Exporting Downloaded & Uploaded Files

Description:
It's very useful in our investigation to export any downloaded files from the network, like executable files, possible malicious documents, scripts and so on, and Wireshark gives us the ability to do so.

Steps:
1. Go to File ➡️ Export Objects ➡️ HTTP (or FTP if you suspect some files are downloaded from FTP)
2. You can filter by content type (HTML, XML, JSON... etc) and you can export all files to disk

Next Steps:
- Investigate Files: Scan the generated files with VirusTotal or investigate them further with malware analysis tools
- Investigate Websites: Investigate the domains/IPs that downloaded these malicious files. Which machines are connected to these websites and so on

2. Get All HTTP Traffic

Description:
Most backdoors, downloaders and command & control (C&C) communications use the HTTP protocol to communicate with the attacker. Wireshark allows you to see all the requested websites and all the paths that were requested from them.

Steps:
1. Go to Statistics ➡️ HTTP ➡️ Requests
2. You can filter by website name, URI or scroll through all the websites. Also, this shows you the contacted IPs directly without a domain/website name

Next Steps:
- Investigate the traffic streams: Use Block No. 3
- Investigate websites: Investigate the domains/IPs that downloaded these malicious files. Which machines are connected to these websites and so on

3. Get The Full HTTP Communication

Description:
Once you find the HTTP traffic that you want to investigate further, you can use Wireshark to get the exact communication between the client & the server in plain text mode or hexadecimal mode (for binary traffic).

Steps:
1. Right click on any traffic ➡️ Follow ➡️ TCP Stream (or HTTP Stream, both end up the same)
2. Then, you can see the whole traffic and you can decide if you want to convert it into Hex, C Array, YAML (with base64 encoding) and much more when needed

Next Steps:
- Investigate other communications with the same website: Use Block No. 2 and find the same website
- Look for similar communications: Search using User-Agent or URI to find other domains that might have been used by the attacker. Block No. 8 & Block No. 15
- Search for the same server IP in DNS responses: there might be multiple malicious domains that are sharing the same attacker's IP. Block No. 13

4. Search for HTTP traffic to a specific domain

Description:
If you have a specific domain whose HTTP traffic you want to investigate (probably you got it from Block No. 2 or from an alert or log files), you can use this query to find its HTTP traffic.

Steps:
1. In Filters, type the following query:
    http.host == <domain name>
    http.host contains <part of the domain>
   Note: only use the domain without "http" or "https"

Next Steps:
- Investigate each result's HTTP stream: Use Block No. 3 on each result
- Look for similar communications: Search using User-Agent or URI to find other domains that might have been used by the attacker. Block No. 8
- Export any downloaded files: Use Block No. 1 and filter with the domain name to save any downloaded files from this domain

5. Get All failed DNS requests

Description:
This query helps in getting all requested domains that didn't exist. This helps in finding malware with a domain generation algorithm (DGA) that generates new domains every day, while the attacker reserves just one of them.

Steps:
1. In Filters, type the following query:
    dns and dns.flags.response == 1 and dns.flags.rcode == 3
2. Each result will represent a domain that wasn't found

Next Steps:
- Investigate the infected machines: if the names of the domains seem suspicious, it's wise to investigate these machines deeper
- Investigate the infected machine's successful traffic: using the destination IP, search for TCP or UDP traffic. Use Block No. 7
- Look for successful DNS requests: Use Block No. 6

6. Get All requested Domains & Their IPs

Description:
This query helps in getting all requested domains that successfully returned IPs or CNAME domains, together with their equivalent domains/IPs.

Steps:
1. In Filters, type the following query:
    dns and dns.flags.response == 1 and dns.flags.rcode == 0
2. In each result, you can see the dissection of the packet in the lower part of the UI. Choose the "Domain Name System (response)" tab and you see the requested domain and the returned results

Next Steps:
- Investigate each result's HTTP communication: Use Block No. 4
- Investigate each result's communications generally: given the IP (if it was an A record), use Block No. 7 with the result's IP
- Look for failed DNS requests: this is the next part of DNS investigation generally. Use Block No. 6

7. Search for network communications using IP

Description:
Given the source IP (infected machine's IP) or the destination IP (C&C IP or a suspicious domain IP), get all traffic or network communication that is done to or from this IP, whether it's TCP, UDP, HTTP or anything else.

Steps:
1. In Filters, type the following query:
    ip.addr == <ip address>
    tcp and ip.addr == <ip address>
   Note: you can replace "tcp" with "udp", "http", "ssl" (named "tls" in current Wireshark versions) or any other protocol you want

Next Steps:
- Investigate the HTTP traffic: Use Block No. 3 to investigate all sent & received data in plain text
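As an added example (not part of the cheat sheet), the checks behind Blocks 5 and 6 implemented over raw DNS messages in Python: the response flag and rcode that the two display filters test, plus the A/CNAME answers that the "Domain Name System (response)" pane shows. The sample messages are constructed, and `read_name`, `parse_dns`, `classify` and `_name` are this example's own helpers.

```python
# Added example (not from the MalTrak cheat sheet): Blocks 5 and 6 (dns.flags.response == 1 and dns.flags.rcode == 3 / == 0) over raw DNS messages.
import struct

def read_name(msg, off):
    """Decode a DNS name at off, following RFC 1035 compression pointers."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # 2-byte pointer to an earlier name
            end = end or off + 2                  # the name ends after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels), (end or off)
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def parse_dns(msg):
    """Return (is_response, rcode, qname, answers); answers are (type, rdata) tuples."""
    _, flags, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    is_response, rcode, off, qname, answers = bool(flags & 0x8000), flags & 0xF, 12, None, []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4                                  # skip QTYPE + QCLASS
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1:                            # A record (what dns.a matches)
            answers.append(("A", ".".join(str(b) for b in msg[off:off + 4])))
        elif rtype == 5:                          # CNAME
            answers.append(("CNAME", read_name(msg, off)[0]))
        off += rdlen
    return is_response, rcode, qname, answers
def classify(messages):
    """Block 5: names with rcode 3 (NXDOMAIN). Block 6: names with rcode 0 and their answers."""
    parsed = [parse_dns(m) for m in messages]
    failed = [q for is_resp, rc, q, _ in parsed if is_resp and rc == 3]
    resolved = [(q, a) for is_resp, rc, q, a in parsed if is_resp and rc == 0]
    return failed, resolved
def _name(n):                                     # wire-encode a name for the constructed samples
    return b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\x00"
SAMPLES = [  # constructed: a query, a NOERROR answer (CNAME + A) and an NXDOMAIN answer
    struct.pack("!6H", 1, 0x0100, 1, 0, 0, 0) + _name("example.com") + b"\x00\x01\x00\x01",
    struct.pack("!6H", 1, 0x8180, 1, 2, 0, 0) + _name("example.com") + b"\x00\x01\x00\x01"
    + b"\xC0\x0C" + struct.pack("!HHIH", 5, 1, 60, 17) + _name("cdn.example.net")
    + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([203, 0, 113, 10]),
    struct.pack("!6H", 2, 0x8183, 1, 0, 0, 0) + _name("qz8fd2k1.xyz") + b"\x00\x01\x00\x01",
]
```

Queries (response flag 0) are ignored by both filters, exactly as in Wireshark; only the NXDOMAIN name ends up in the Block 5 list and only the resolved name with its CNAME and A answers in the Block 6 list.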

Copyrighted by MalTrak Ltd. By Amr Thabet
facebook.com/MaltrakTraining | linkedin.com/in/amrthabet | youtube.com/@AmrThabet | twitter.com/Amr_Thabet | https://maltrak.com | linkedin.com/company/maltrak
Watch a 1-Hour Hands-on Video Tutorial For this Cheat Sheet at: https://maltrak.com/cheatsheet
8. Search for HTTP traffic using User-Agent

Description:
Given a user-agent that has been seen in one communication, this query will help find HTTP traffic to possibly other domains with the same User-Agent.

Steps:
1. In Filters, type the following query:
    http.user_agent == <user-agent>
    http.user_agent contains <part of user-agent>

Next Steps:
- Investigate each of the HTTP traffic results: Use Block No. 3

9. Get FTP Communications & Login Credentials

Description:
With this query, you will be able to get all the FTP communication as well as the username and password used to log in to the FTP server. FTP is commonly used by attackers to exfiltrate data.

Steps:
1. To get all FTP communications, in Filters, type the following query:
    ftp
2. To get all login credentials, in Filters, type the following two queries:
    ftp and ftp.request.command == "USER"
    ftp and ftp.request.command == "PASS"
3. For the whole communication: Right click on any traffic ➡️ Follow ➡️ TCP Stream

Next Steps:
- Extract all downloaded & uploaded files in FTP: Use Block No. 1
- Investigate The FTP IP Further: Use Block No. 13 to get the domain behind the FTP server

10. Investigate an HTTP packet further

Description:
Inside Wireshark, you have multiple ways to analyze HTTP traffic (or any traffic really) that can be quite helpful. Here are some examples.

Tips:
1. In the 3rd section of the Wireshark UI (down left) you have the packet dissected into different protocols. You can investigate the HTTP protocol from here
2. You can right click on any item and click on "Apply as Column" to make it part of your results. The column is then created in the results section
3. You can also use part of the results as a filter to query similar traffic. Right click on any item and click "Apply as Filter" ➡️ Selected. Note: you can choose "Not Selected" if you want to exclude this from the results

11. Extract & Validate SSL Certificates

Description:
This block will help you find, extract and validate SSL certificates. You can't decrypt HTTPS traffic, but the least you can do is to check the SSL certificate and identify whether it's valid or not and whether it's blacklisted or not.

Steps:
1. In Filters, type the following query:
    tls.handshake.type == 11
2. In the packet dissect section of the UI (the bottom section), go to Transport Layer Security ➡️ Handshake Protocol: Certificates
3. Right click on the certificate that has the highest length, click "Export Packet Bytes" and save the file as ".cer"
4. Now go to your file browser (My Computer) and click on the certificate to get more info on whether it's valid or not. Choose the "Certificate Path" to see if it's valid

Next Steps:
- Check the number of bytes downloaded/uploaded: This can help you find out if it's normal browsing/downloading or data exfiltration (way more upload than download)
- Check the time of network requests: if there's a request every 60 secs or 2-3 mins for a long time, it might be malware looking for new commands (beaconing)
- Check the time of day of network requests: It's not common to find network connections outside of working hours or at night

12. DNS Requests For Suspicious Top Level Domains

Description:
This query helps in finding suspicious domains that have been requested through DNS by looking for domains with a suspicious TLD.

Steps:
1. In Filters, type the following query:
    dns.qry.name contains ".xyz" || dns.qry.name contains ".top" || dns.qry.name contains ".tk" || dns.qry.name contains ".cc" || dns.qry.name contains ".ru" || dns.qry.name contains ".it"
    dns.qry.name contains "." && not (dns.qry.name contains ".com" || dns.qry.name contains ".org" || dns.qry.name contains ".net")

Next Steps:
- Investigate each of the resulting domains: Use Block No. 4 to investigate the HTTP traffic
- Investigate The HTTP Traffic Using The IP: The query will return the response from the DNS server as well; get the equivalent IP and investigate it further using Block No. 7

13. Get The Domain For a Specific IP

Description:
This is a simple query to get the equivalent domain for a specific IP by searching for the DNS response that returned this IP.

Steps:
1. In Filters, type the following query:
    dns.a == <IP Address>

Next Steps:
- Find Any Other Related IPs: You can query with this domain name using a query similar to Block No. 12 & find other IPs returned for this specific domain at another time
- Investigate The HTTP Communication With This Domain: Use Block No. 4

14. MZ/EXE Files Downloads From TCP

Description:
This query aims to find all TCP traffic or HTTP traffic that downloaded an executable file. Executable files start with "MZ" and also contain the "PE" letters in their headers.

Steps:
1. In Filters, type the following query:
    tcp.payload contains "MZ" && tcp.payload contains "PE" && tcp.payload contains "This program cannot be run in DOS mode"

Next Steps:
- Export The Downloaded Files: Use Block No. 1 to export the MZ file and check its hash in VirusTotal or scan it with an antivirus
- Investigate The HTTP Communication With This Domain: Use Block No. 4

15. Search in HTTP Traffic For a Specific URI

Description:
This query aims to find all HTTP traffic that requested a specific page regardless of the domain. This is helpful in terms of finding any requests to download specific file extensions such as ".dll", ".exe" or ".ps1". Or, it can be useful in the case of malware contacting the exact same URI from different domains (which is a common behavior in C&C communications).

Steps:
1. In Filters, type the following query:
    http.request.uri == "/index.php"
    http.request.uri contains ".exe"

Next Steps:
- Export The Downloaded Files: Use Block No. 1 to export the downloaded files or scripts
- Investigate The HTTP Communication With This Domain: Use Block No. 4
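Added example, not from the cheat sheet: Block 14's three-substring heuristic as a payload check in Python, beside a structural check (the DOS header's e_lfanew field pointing at "PE\0\0") that rejects pages that merely mention those strings. The HTTP response header and the PE-shaped bytes are constructed for the example and are not a real binary; `naive_match`, `find_pe_headers`, `verdict` and `build_fake_pe` are this example's own names.

```python
# Added example, not from the MalTrak cheat sheet: Block 14's display filter as a payload
# check, beside a structural PE-header check that rejects text merely mentioning the strings.
import struct

DOS_STUB = b"This program cannot be run in DOS mode"

def naive_match(payload):
    """Exactly what the Block 14 filter tests: all three substrings anywhere in the payload."""
    return b"MZ" in payload and b"PE" in payload and DOS_STUB in payload

def find_pe_headers(payload):
    """Offsets of 'MZ' headers whose e_lfanew field (at +0x3C) points at 'PE\\0\\0'."""
    hits, start = [], 0
    while (mz := payload.find(b"MZ", start)) != -1:
        start = mz + 1
        if mz + 0x40 <= len(payload):              # need the whole 64-byte DOS header
            e_lfanew = struct.unpack_from("<I", payload, mz + 0x3C)[0]
            if payload[mz + e_lfanew:mz + e_lfanew + 4] == b"PE\x00\x00":
                hits.append(mz)
    return hits

def verdict(payload):
    """'pe_download' if a real header is present, 'filter_hit_only' for a false positive."""
    if find_pe_headers(payload):
        return "pe_download"
    return "filter_hit_only" if naive_match(payload) else "clean"

def build_fake_pe():
    """Constructed bytes shaped like the start of a PE file; not a runnable binary."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)        # e_lfanew -> PE signature at offset 0x80
    hdr[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB      # stub text sits inside the DOS stub
    return bytes(hdr) + b"PE\x00\x00" + b"\x4c\x01" # 'PE\0\0' then Machine = 0x014c (i386)

# Constructed sample payloads: a download with an HTTP response header in front of the
# file, a web page that only talks about PE files, and an unrelated page.
HTTP_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
SAMPLES = {
    "exe_download": HTTP_HDR + build_fake_pe(),
    "article_about_pe": b"<p>MZ and PE are the magic values; the stub prints "
                        b'"This program cannot be run in DOS mode".</p>',
    "plain_html": b"<html><body>Hello</body></html>",
}
```

The article sample matches the display filter but has no header structure behind the "MZ", which is the kind of hit to expect when the filter is run over a full capture; the structural check is what to apply to the exported object from Block No. 1 before submitting its hash.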

