Executive Summary
Wireshark is a tool used to review packet captures (pcaps) of network activity. Since 2018, I have written various Wireshark tutorials and conducted in-person workshops at conferences across the globe. My in-person workshops were designed to help people in information security roles use Wireshark to review traffic from Windows-based malware infections.
Since early 2020, travel restrictions due to COVID-19 (the coronavirus) have halted these in-person workshops. Due to this setback, we want to announce an initial series of video tutorials developed to replicate most aspects of these formerly in-person workshops.
Wireshark Workshop Videos
The following are the first five videos of our Palo Alto Networks Unit 42 Wireshark Workshop:
Part 1: Introduction and Prerequisites - 14 minutes and 5 seconds
Part 2: Setting Up Wireshark - 23 minutes and 36 seconds
Part 3: Host Identification - 30 minutes and 19 seconds
Part 4: Non-Malicious Activity - 45 minutes and 38 seconds
Part 5: Introductions to Windows Malware Infections - 39 minutes and 11 seconds
These videos are designed to be watched sequentially, starting with “Part 1: Introduction and Prerequisites.” After Part 1, each workshop video builds on material covered in the previous video(s).
As the opportunity arises, I will create more Wireshark Workshop videos. Future videos will focus on traffic from specific families of Windows-based malware, and some will cover traffic from other malicious activities like phishing websites.
Supporting Material
Pcaps used for these Wireshark Workshop videos are available at this GitHub repository. The repository also contains PDF files of slides used for the workshop videos.
Wireshark Tutorials as Supplemental Material
The following Wireshark Tutorials were published before this initial series of Wireshark Workshop videos:
- Changing Your Column Display
- Display Filter Expressions
- Identifying Hosts and Users
- Exporting Objects from a Pcap
- Examining Trickbot Infections
- Examining Ursnif Infections
- Examining Qakbot Infections
- Decrypting HTTPS Traffic
- Examining Dridex Infection Traffic
- Examining Emotet Infection Traffic
- Examining Traffic from Hancitor Infections
Combined with our five workshop videos, these Wireshark tutorials can help security professionals better understand Wireshark and various types of Windows-based malware infections.
Conclusion
This blog announced an initial series of five video tutorials for a Unit 42 Wireshark Workshop. These videos are designed to help people use Wireshark to review traffic from Windows-based malware infections. Combined with Wireshark Tutorials already published by Palo Alto Networks Unit 42, these videos can help security professionals build their skills in analyzing malicious traffic caused by Windows-based malware.