NETRESEC Network Security Blog

This video tutorial demonstrates how malware C2 traffic can be decoded with CyberChef. The PCAP files with the analyzed network traffic can be downloaded from malware-traffic-analysis.net. CyberChef recipe to decode the reverse shell traffic to 103.27.157.146:4444: From_Hex('Auto') XOR({'option':'He[...]

This blog post demonstrates how artifacts, such as reverse shell commands and VNC session screenshots, can be extracted from Latrodectus BackConnect C2 traffic with NetworkMiner. I recently learned that the great folks from The DFIR Report have done a writeup covering the Latrodectus backdoor. Their[...]

This NetworkMiner release brings improved extraction of artifacts like usernames, passwords and hostnames from network traffic. We have also made some updates to the user interface and continued our effort to extract even more details from malware C2 traffic. More Artifacts Extracted Usernames and p[...]

Are you importing indicators of compromise (IOC) in the form of domain names and IP addresses into your SIEM, NDR or IDS? If so, have you considered for how long you should keep looking for those IOCs? An IoT botnet study from 2022 found that 90% of C2 servers had a lifetime of less than 5 days and[...]

I will teach a live online network forensics training on February 23-26. The full title of the class is Network Forensics for Incident Response, where we will analyze PCAP files containing network traffic from hackers and malware. The training is split into four interactive sessions running from 13:[...]

Gh0stKCP is a transport protocol based on KCP, which runs on top of UDP. Gh0stKCP has been used to carry command-and-control (C2) traffic by malware families such as PseudoManuscrypt and ValleyRAT/Winos4.0. @Jane_0sint recently tweeted about ValleyRAT using a new UDP based C2 protocol. I wanted to t[...]

This video shows how to define a protocol in CapLoader just by providing examples of what the protocol looks like. CapLoader can then identify that protocol in other traffic, regardless of IP address and port number, simply by looking for traffic that behaves similar to what it was trained on. We ca[...]

PureRAT is a Remote Access Trojan, which can be used by an attacker to remotely control someone else's PC. PureRAT provides the following features to an attacker: See the victims user interfaceInteract with the victim PC using mouse and keyboardView the webcamListen to the microphoneRecord keystroke[...]

I analyzed some PureLogs Stealer malware infections this morning and found some interesting behavior and artifacts that I want to share. PureLogs infections sometimes start with a dropper/downloader (PureCrypter) that retrieves a .pdf file from a legitimate website. The dropper I will demo here down[...]

This update resolves several minor bugs, but also brings better protocol identification and a new IP lookup alert to CapLoader. Alert for IP lookup using ip-api.com in PCAP from tria.ge Transcript of ip-api.com IP lookup traffic IP lookup services, like ip-api, checkip.amazonaws.com and ident.me, ar[...]

CapLoader includes a feature for Port Independent Protocol Identification (PIPI), which can detect which protocol is being used inside of TCP and UDP sessions without relying on the port number. In this video CapLoader identifies the C2 protocol used by the PureLogs Stealer malware. The PureLogs pro[...]

I am thrilled to announce the release of CapLoader 2.0 today! This major update includes a lot of new features, such as a QUIC parser, alerts for threat hunting and a feature that allow users to define their own protocol detections based on example network traffic. User Defined Protocols CapLoader's[...]

One of the premier features in NetworkMiner is the ability to extract files from captured network traffic in PCAP files. NetworkMiner reassembles the file contents by parsing protocols that are used to transfer files across a network. But there are other tools that also can extract files from PCAP f[...]

I investigate network traffic from a Triage sandbox execution of njRAT in this video. The analysis is performed using NetworkMiner in Linux (REMnux to be specific). About njRAT / Bladabindi njRAT is a Remote Access Trojan (RAT) that can be used to remotely control a hacked computer. It has been arou[...]

This guide shows how to install the latest version of NetworkMiner in Linux. To install an older NetworkMiner release, prior to version 3.0, please see our legacy NetworkMiner in Linux guide. STEP 1: Install Mono and GTK2Mono is an open source cross-platform implementation of the .NET framework, it[...]

UPDATE - Training Canceled The training event in May has been canceled. We are sorry for the inconvenience.

I am very proud to announce the release of NetworkMiner 3.0 today! This version brings several new protocols as well as user interface improvements to NetworkMiner. We have also made significant changes under the hood, such as altering the default location to where NetworkMiner extracts files from n[...]

Did you know that there is a setting in Wireshark for changing the default save file format from pcapng to pcap? In Wireshark, click Edit, Preferences. Then select Advanced and look for the capture.pcap_ng setting. Change the value to FALSE if you want Wireshark to save packets in the pcap file form[...]

The new release of PolarProxy generates JA4 fingerprints and enables ruleset to match on specific decryption errors, for example to enable fail-open in case the TLS traffic cannot be decrypted and inspected. JA4 FingerprintsJA4 fingerprints provide several improvements over its JA3 predecessor. One[...]

Over 90 percent of all web traffic is encrypted nowadays, which is great of course. However, as HTTP and DNS traffic gets encrypted, defenders have a more difficult time blocking malicious network traffic. One solution to this problem is to use a TLS firewall, which effectively blocks encrypted conn[...]