Erik Hjelmvik, Author at Security Boulevard
Windows Sandbox

Running NetworkMiner in Windows Sandbox

NetworkMiner can be run in a highly efficient Windows Sandbox in order to analyze malicious PCAP files in Windows without accidentally infecting your Windows PC. This blog post shows how to set up a Windows Sandbox that always boots up a fresh install of Windows 10 with the latest version [...]
I love the smell of PCAP in the Morning

Live Online Training – PCAP in the Morning

Would you like to spend four mornings in May analyzing capture files together with me? I have now scheduled a live online network forensics training called 'PCAP in the Morning' that will run on May 3-6 (Monday to Thursday) between 8:30 AM and 12:30 PM EDT. We will be analyzing [...]
SolarWinds Backdoor State Diagram

Targeting Process for the SolarWinds Backdoor

The SolarWinds Orion backdoor, known as SUNBURST or Solorigate, has been analyzed by numerous experts from Microsoft, FireEye and several anti-virus vendors. However, we have noticed that many of the published reports are either lacking or incorrect in how they describe the steps involved when a cli[...]
23 SUNBURST Targets Identified

Twenty-three SUNBURST Targets Identified

Remember when Igor Kuznetsov and Costin Raiu announced that two of the victims in FireEye's SUNBURST IOC list were ***net.***.com and central.***.gov on Kaspersky's Securelist blog in December? Reuters later reported that these victims were Cox Communications and Pima County. We can now reveal that[...]
Were you targeted by SUNBURST? Image credit: NASA

Robust Indicators of Compromise for SUNBURST

There has been a great deal of confusion regarding what network-based Indicators of Compromise (IOC) SolarWinds Orion customers can use to self-assess whether or not they have been targeted after having installed a software update with the SUNBURST backdoor. Many of the published IOCs only indicate[...]
Sunburst stages 1 to 3 (passive, associated and active)

Finding Targeted SUNBURST Victims with pDNS

Our SunburstDomainDecoder tool can now be used to identify SUNBURST victims that have been explicitly targeted by the attackers. The only input needed is passive DNS (pDNS) data for avsvmcloud.com subdomains. Companies and organizations that have installed a trojanized SolarWinds Orion update contai[...]
SUNBURST Security Applications Chart

Extracting Security Products from SUNBURST DNS Beacons

The latest version of our SunburstDomainDecoder (v1.7) can be used to reveal which endpoint protection applications are installed on trojanized SolarWinds Orion deployments. The security application info is extracted from DNS queries for 'avsvmcloud.com' subdomains, which is used by SUNBURST as[...]
SunburstDomainDecoder.exe output showing int.lukoil-international.uz, tr.technion.ac.il, rst.atlantis-pak.ru, ci.dublin.ca.us and mutualofomahabank.com

Reassembling Victim Domain Fragments from SUNBURST DNS

We are releasing a free tool called SunburstDomainDecoder today, created to help CERT organizations identify victims of the trojanized SolarWinds software update, known as SUNBURST or Solorigate. SunburstDomainDecoder can be fed with DNS queries to avsvmcloud.com in order to reveal[...]
PolarProxy and Arkime Logo

Capturing Decrypted TLS Traffic with Arkime

The latest version of Arkime (The Sniffer Formerly Known As Moloch) can now be fed with a real-time stream of decrypted HTTPS traffic from PolarProxy. All that is needed to enable this feature is to include 'pcapReadMethod=pcap-over-ip-server' in Arkime's config.ini file and start PolarProxy with th[...]