Signatures and Sessions: Malware HTTP Analysis
In this lab, you'll investigate network traffic from a host that has been infected with the Trickbot malware. In particular, you'll dive into Trickbot's HTTP traffic and investigate HTTP Header IoCs. You'll also analyze a Trickbot HTTP response to uncover a hidden executable. Towards the end of the lab, you'll leverage Suricata to uncover Trickbot by using Signature-based (and Behavior-based) rules.
Terms and conditions apply.
Getting Started in the Lab Environment
Here are the initial instructions and explanation of the lab environment. Read this while your environment is busy creating itself from nothing. Yes, this violates physics; we know. How fun!
Importing the Packet Capture
In this challenge, you'll import the Trickbot packet capture into Arkime.
Investigating HTTP Header IoCs
In this challenge, you'll dive into evasion patterns of Trickbot: a piece of malware that exfiltrates highly sensitive data (e.g., banking information, account credentials, etc.). In particular, you'll leverage Arkime to inspect Trickbot pcaps and look for suspicious HTTP traffic.
Suricata: Signature-based Rule
In this challenge, you'll explore alerting mechanisms for Trickbot. In particular, you'll investigate Trickbot through a Signature-based Suricata rule. You'll also use an Suricata/Arkime integration to see the Suricata alerts within Arkime!
Suricata: Behavior-based Rules
In this challenge, you'll explore alerting mechanisms for Trickbot. In particular, you'll investigate Trickbot through a Behavior-based Suricata rule.
The Last Challenge
This is the last challenge of this lab, and your last chance to experience the environment before clicking finish lab, ending this small little world that flittered into existence just for you.
Provided environment for hands-on practice
We will provide the credentials and environment necessary for you to practice right within your browser.
Follow along with the author’s guided walkthrough and build something new in your provided environment!
Did you know?
On average, you retain 75% more of your learning if you get time for practice.
- Basic knowledge of Linux, HTTP, and packet captures.