NETRESEC Network Security Blog

There is a wonderful little web-based alert and event front-end called EveBox, which renders Eve JSON formatted data to a web UI. This blog post demonstrates how EveBox can be used to show alert and flow information that FlowCarp has extracted from a Remcos malware infection. Remcos RAT The starting[...]

I am thrilled to announce the release of a brand new tool called FlowCarp! FlowCarp is a simple command line tool that performs a very complicated task. It identifies the application layer protocol in network traffic without relying on port numbers, static signatures or code that tries to parse the[...]

Googles Threat Intelligence Group (GTIG) and Mandiants recent Disrupting the GRIDTIDE Global Cyber Espionage Campaign report is great and it has lots of good Indicators of Compromise (IOC). Many of these IOCs had already been shared by CISA last year as part of their Alert AA25-141A titled Russian G[...]

njRAT is a remote access trojan that has been around for more than 10 years and still remains one of the most popular RATs among criminal threat actors. This blog post demonstrates how NetworkMiner Professional can be used to decode the njRAT C2 traffic to extract artifacts like screenshots, command[...]

This video tutorial demonstrates how malware XOR encrypted and obfuscated C2 traffic can be decoded with CyberChef. The analyzed PCAP files can be downloaded from malware-traffic-analysis.net. CyberChef recipe to decode the reverse shell traffic to 103.27.157.146:4444: From_Hex(Auto) XOR({option:Hex[...]

This blog post demonstrates how artifacts, such as reverse shell commands and VNC session screenshots, can be extracted from Latrodectus BackConnect C2 traffic with NetworkMiner. I recently learned that the great folks from The DFIR Report have done a writeup covering the Latrodectus backdoor. Their[...]

This NetworkMiner release brings improved extraction of artifacts like usernames, passwords and hostnames from network traffic. We have also made some updates to the user interface and continued our effort to extract even more details from malware C2 traffic. More Artifacts Extracted Usernames and p[...]

Are you importing indicators of compromise (IOC) in the form of domain names and IP addresses into your SIEM, NDR or IDS? If so, have you considered for how long you should keep looking for those IOCs? An IoT botnet study from 2022 found that 90% of C2 servers had a lifetime of less than 5 days and[...]

I will teach a live online network forensics training on February 23-26. The full title of the class is Network Forensics for Incident Response, where we will analyze PCAP files containing network traffic from hackers and malware. The training is split into four interactive sessions running from 13:[...]

Gh0stKCP is a transport protocol based on KCP, which runs on top of UDP. Gh0stKCP has been used to carry command-and-control (C2) traffic by malware families such as PseudoManuscrypt and ValleyRAT/Winos4.0. @Jane_0sint recently tweeted about ValleyRAT using a new UDP based C2 protocol. I wanted to t[...]

This video shows how to define a protocol in CapLoader just by providing examples of what the protocol looks like. CapLoader can then identify that protocol in other traffic, regardless of IP address and port number, simply by looking for traffic that behaves similar to what it was trained on. We ca[...]

PureRAT is a Remote Access Trojan, which can be used by an attacker to remotely control someone else's PC. PureRAT provides the following features to an attacker: See the victims user interfaceInteract with the victim PC using mouse and keyboardView the webcamListen to the microphoneRecord keystroke[...]

I analyzed some PureLogs Stealer malware infections this morning and found some interesting behavior and artifacts that I want to share. PureLogs infections sometimes start with a dropper/downloader (PureCrypter) that retrieves a .pdf file from a legitimate website. The dropper I will demo here down[...]

This update resolves several minor bugs, but also brings better protocol identification and a new IP lookup alert to CapLoader. Alert for IP lookup using ip-api.com in PCAP from tria.ge Transcript of ip-api.com IP lookup traffic IP lookup services, like ip-api, checkip.amazonaws.com and ident.me, ar[...]

CapLoader includes a feature for Port Independent Protocol Identification (PIPI), which can detect which protocol is being used inside of TCP and UDP sessions without relying on the port number. In this video CapLoader identifies the C2 protocol used by the PureLogs Stealer malware. The PureLogs pro[...]

I am thrilled to announce the release of CapLoader 2.0 today! This major update includes a lot of new features, such as a QUIC parser, alerts for threat hunting and a feature that allow users to define their own protocol detections based on example network traffic. User Defined Protocols CapLoader's[...]

One of the premier features in NetworkMiner is the ability to extract files from captured network traffic in PCAP files. NetworkMiner reassembles the file contents by parsing protocols that are used to transfer files across a network. But there are other tools that also can extract files from PCAP f[...]

I investigate network traffic from a Triage sandbox execution of njRAT in this video. The analysis is performed using NetworkMiner in Linux (REMnux to be specific). About njRAT / Bladabindi njRAT is a Remote Access Trojan (RAT) that can be used to remotely control a hacked computer. It has been arou[...]

This guide shows how to install the latest version of NetworkMiner in Linux. To install an older NetworkMiner release, prior to version 3.0, please see our legacy NetworkMiner in Linux guide. STEP 1: Install Mono and GTK2Mono is an open source cross-platform implementation of the .NET framework, it[...]

UPDATE - Training Canceled The training event in May has been canceled. We are sorry for the inconvenience.