In this episode, Richard Bejtlich traces a Trickbot infection known as CATBOMBER, posted by Brad Duncan on his Malware Traffic Analysis site.
Richard uses try.zeek.org to look at the PCAP for signs of suspicious and malicious activity and answer the questions posed on Brad Duncan’s site.
If you would like to follow along, please see the introductory video in the series and Video 1, Suspected Malware Compromise.
If you would like to discuss the video, or consider creating one yourself, please visit the Zeek community Slack workspace and join the #documentation channel.