Using Wireshark: Identifying Hosts and Users

When a host is infected or otherwise compromised, security professionals need to quickly review packet captures of suspicious network traffic to identify affected hosts and users. This tutorial offers tips on how to gather pcap data using Wireshark, the widely used network protocol analysis tool.

Using Wireshark – Display Filter Expressions

As a Threat Intelligence Analyst for Palo Alto Networks Unit 42, I often use Wireshark to review packet captures (pcaps) of network traffic generated by malware samples. To better accomplish this work, I use a customized Wireshark column display as described in my previous blog about using Wireshark. Today’s post provides more tips for analysts to

Rig EK One Year Later: From Ransomware to Coin Miners and Information Stealers

What a difference a year makes! As the dominant exploit kit (EK) in our current threat landscape, Rig EK has gone through significant changes. How much has Rig EK changed? In order to find out, we compared activity levels, malware payloads, and network traffic characteristics from January of 2017 with January of 2018. The contrast

Decline in Rig Exploit Kit

Unit 42 investigates recent developments in the EITest & pseudo-Darkleech campaigns contributing to the decline of Rig exploit kits.

Campaign Evolution: EITest from October through December 2016

EITest is a name originally coined by Malwarebytes Labs in 2014 to describe a campaign that uses exploit kits (EKs) to deliver malware. Until early January 2016, “EITest” was used as a variable name in the attacker’s malicious injected script in pages on legitimate websites compromised by this campaign. While the variable name is gone,
