WELCOME TO THE TEXAS CYBER SUMMIT
Intermediate
Friday, October 11
 

11:00am CDT

NA-1024 Network Traffic Analysis with Moloch

Moloch is an open-source tool for full network traffic capture and analysis.
https://molo.ch/

Trying to get a handle on what's happening on your network? Network defenders need a thorough understanding of traffic on their networks, and Moloch is an excellent way to get insight into what's happening on the wire.
Moloch is a free and open-source platform for full packet capture and analysis. It's scalable from small to very large applications and packages a whole bundle of handy tools, from connection maps to a built-in CyberChef instance for decoding and analysis.
Moloch makes an excellent threat hunting application. Analysts can pivot seamlessly from traffic metadata to raw capture analysis. Want to try another tool, or look at an old capture? Moloch ingests and exports standard PCAP files.
I'll walk you through the basics first. We'll talk about the Sessions, SPI, and Connections views. We'll talk about Moloch's customization options, where to find documentation, and how you can structure your workflow to chase down important artifacts quickly. Once we're comfortable with the bread and butter, we'll look at some of Moloch's advanced features. Hunts, recurring cron queries, and Moloch's powerful API will be the focus.
To cap things off, we'll take some time to walk through some publicly-available PCAP to apply our newfound skills. You should leave this talk with a solid understanding of how to leverage Moloch for your own investigations - sure to come in handy if you plan to compete in certain CTFs...




Speakers

Robert Wilson

Trainer, Government
Robert is an elementary school teacher-turned-information security analyst. He holds certifications in network and host forensics and has been working with Moloch for almost two years.


Friday October 11, 2019 11:00am - 12:00pm CDT
BONHAM 3-E | Expert 3, 600 E Market St, San Antonio, TX, Floor 3

1:00pm CDT

TH-3005 Host & Threat Hunting on a Budget

In my first 100 days, I wanted to make a positive impact on the organization. I get the lay of the land and notice it is a majority Windows shop with no endpoint visibility. I go over how I prove it to management and IT Operations when an opportunity presents itself: there is suspicious beaconing to a known malicious domain. I quickly deploy Sysmon with PowerShell, as WinRM is enabled everywhere. Bam! I find Kovter fileless malware and break down the analysis. Now that I have buy-in, I go over the methods to get quick wins by deploying technologies like Sysmon and osquery and turning on auditing and the Windows firewall. I go over the benefits of Sysmon and how to deploy it in the environment on a budget. I do a post-mortem assessment and discuss what I would have done differently.

Speakers

Leo Bastidas

DFIR/Threat Hunter, Fujitsu
Leo Bastidas started his career as a troubled teen; it's how he ended up working at the local repair shop, fixing PCs. He then joined the military after high school as there were no other options at the time. That is where he started with the Military Police, then quickly pivoted...


Friday October 11, 2019 1:00pm - 2:00pm CDT
BONHAM 3-D | Expert 2, 600 E Market St, San Antonio, TX, Floor 3
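The TH-3005 abstract above mentions pushing Sysmon out with PowerShell because WinRM was already enabled everywhere. The script below is an added illustration of that step and is not the speaker's own deployment code. It assumes PowerShell Remoting is reachable with local-admin rights on the targets, that Sysmon64.exe and a configuration XML (for example a community baseline such as the SwiftOnSecurity config) sit in a local staging folder, and that the host names and paths shown are placeholders to be replaced.

```powershell
# Added example (not from the talk): stage Sysmon on remote Windows hosts over WinRM,
# install it if absent (or reload the config if present), then verify the service is
# running and events are already landing in the Sysmon event channel.
# Assumptions: PS Remoting enabled, local admin on targets, Sysmon64.exe + config in $SourceDir.
param(
    [string[]]$ComputerName = @('WS01', 'WS02'),   # placeholder host names
    [string]$SourceDir      = 'C:\Deploy\Sysmon',  # placeholder staging folder
    [string]$ConfigName     = 'sysmonconfig.xml',  # placeholder config file name
    [string]$RemoteDir      = 'C:\Windows\Temp\SysmonDeploy'
)

$results = foreach ($computer in $ComputerName) {
    try {
        $session = New-PSSession -ComputerName $computer -ErrorAction Stop

        # Create the drop folder on the target, then copy binary and config into it.
        Invoke-Command -Session $session -ScriptBlock {
            param($dir) New-Item -ItemType Directory -Path $dir -Force | Out-Null
        } -ArgumentList $RemoteDir

        $files = @((Join-Path $SourceDir 'Sysmon64.exe'), (Join-Path $SourceDir $ConfigName))
        Copy-Item -Path $files -Destination $RemoteDir -ToSession $session -Force

        Invoke-Command -Session $session -ScriptBlock {
            param($dir, $cfg)
            $exe     = Join-Path $dir 'Sysmon64.exe'
            $cfgPath = Join-Path $dir $cfg

            # Sysmon64.exe registers a service named Sysmon64; if it exists, only reload config.
            if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
                $sysmonArgs = "-c `"$cfgPath`""
            } else {
                $sysmonArgs = "-accepteula -i `"$cfgPath`""
            }
            $proc = Start-Process -FilePath $exe -ArgumentList $sysmonArgs -Wait -PassThru -NoNewWindow

            # Verification: service state plus a count of events written in the last 5 minutes.
            $svc    = Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue
            $recent = Get-WinEvent -FilterHashtable @{
                LogName   = 'Microsoft-Windows-Sysmon/Operational'
                StartTime = (Get-Date).AddMinutes(-5)
            } -MaxEvents 50 -ErrorAction SilentlyContinue

            [pscustomobject]@{
                Computer     = $env:COMPUTERNAME
                ExitCode     = $proc.ExitCode
                Service      = if ($svc) { $svc.Status } else { 'missing' }
                RecentEvents = @($recent).Count
                Error        = $null
            }
        } -ArgumentList $RemoteDir, $ConfigName

        Remove-PSSession $session
    }
    catch {
        # Unreachable host, bad credentials, or a failed copy: record it instead of aborting the loop.
        [pscustomobject]@{
            Computer     = $computer
            ExitCode     = $null
            Service      = 'error'
            RecentEvents = 0
            Error        = $_.Exception.Message
        }
    }
}

$results | Format-Table -AutoSize
```

A host reporting the service as Running but zero recent events usually means the config filtered everything out or the channel is not yet populated; a missing service with a non-zero exit code points at the installer itself. Run it against one or two hosts first, since `-i` installs a kernel driver and a broken config reloaded with `-c` silently drops telemetry.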

3:00pm CDT

WS2014 - Malware Traffic Analysis Workshop 1

This session is part one of a hands-on workshop presented across two separate sessions. The training provides a foundation for investigating packet captures (pcaps) of malicious network traffic from hosts running Microsoft Windows. Participants will review basic investigation concepts, set up Wireshark, and identify hosts and users in network traffic. The training provides several examples of infection traffic that focuses on mass-distribution commodity malware commonly seen from malicious spam. Pcaps for this workshop will be available online. For the best hands-on experience, participants should have a relatively current version of Wireshark (version 2.6 or better), preferably in a non-Windows environment.
  • You will be required to bring your own laptop; a virtual machine (VM) running Linux is recommended for participants using a Windows-based laptop.

Speakers

Brad Duncan

Threat Intelligence Analyst, Palo Alto Networks - Unit 42
After 21 years in the US Air Force, Brad transitioned to cyber security in 2010, and he is currently a Threat Intelligence Analyst... isc.sans.edu. Brad routinely blogs technical details and analysis of infection traffic at www.malware-traffic-analysis.net, where he provides traffic analysis exercises and over 1,600 malware and traffic samples to a growing community of information security professionals.


Friday October 11, 2019 3:00pm - 5:00pm CDT
BONHAM 3-C | Expert 1, 600 E Market St, San Antonio, TX, Floor 3
 
Saturday, October 12
 

1:00pm CDT

WS-1023 - Malware Traffic Analysis Workshop 2

This session is part two of a hands-on workshop presented across two separate sessions. The training provides a foundation for investigating packet captures (pcaps) of malicious network traffic from hosts running Microsoft Windows. Participants will review basic investigation concepts, set up Wireshark, and identify hosts and users in network traffic. The training provides several examples of infection traffic that focuses on mass-distribution commodity malware commonly seen from malicious spam. Pcaps for this workshop will be available online. For the best hands-on experience, participants should have a relatively current version of Wireshark (version 2.6 or better), preferably in a non-Windows environment.
  • You will be required to bring your own laptop; a virtual machine (VM) running Linux is recommended for participants using a Windows-based laptop.


Speakers

Brad Duncan

Threat Intelligence Analyst, Palo Alto Networks - Unit 42


Saturday October 12, 2019 1:00pm - 4:00pm CDT
BONHAM 3-D | Expert 2, 600 E Market St, San Antonio, TX, Floor 3
 

