
NETRESEC - Network Forensics and Network Security Monitoring

@netresec.com.web.brid.gy

Network forensics, packet sniffers and IT security products. Download NetworkMiner and other free software for network security analysis. [bridged from https://netresec.com/ on the web: https://fed.brid.gy/web/netresec.com ]

9 Followers, 0 Following, 66 Posts, Joined 29.01.2025

Latest posts by NETRESEC - Network Forensics and Network Security Monitoring @netresec.com.web.brid.gy

CISA mixup of IOC domains Google's Threat Intelligence Group (GTIG) and Mandiant's recent Disrupting the GRIDTIDE Global Cyber Espionage Campaign report is great and it has lots of good Indicators of Compromise (IOC). Many of these IOCs had already been shared by CISA last year as part of their Alert AA25-141A titled Russian G[...]
26.02.2026 09:35 👍 0 🔁 0 💬 0 📌 0
njRAT runs MassLogger njRAT is a remote access trojan that has been around for more than 10 years and still remains one of the most popular RATs among criminal threat actors. This blog post demonstrates how NetworkMiner Professional can be used to decode the njRAT C2 traffic to extract artifacts like screenshots, command[...]
02.02.2026 19:39 👍 0 🔁 0 💬 0 📌 0
Decoding malware C2 with CyberChef This video tutorial demonstrates how malware C2 traffic can be decoded with CyberChef. The PCAP files with the analyzed network traffic can be downloaded from malware-traffic-analysis.net. CyberChef recipe to decode the reverse shell traffic to 103.27.157.146:4444: From_Hex('Auto') XOR({'option':'He[...]
20.01.2026 12:10 👍 0 🔁 0 💬 0 📌 0
Latrodectus BackConnect I recently learned that the great folks from The DFIR Report have done a writeup covering the Latrodectus backdoor. Their report is titled From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion. I found it particularly interesting that the threat actors used Latrodectus to drop a B[...]
10.12.2025 13:00 👍 0 🔁 0 💬 0 📌 0
NetworkMiner 3.1 Released This NetworkMiner release brings improved extraction of artifacts like usernames, passwords and hostnames from network traffic. We have also made some updates to the user interface and continued our effort to extract even more details from malware C2 traffic. More Artifacts Extracted Usernames and p[...]
01.12.2025 08:20 👍 0 🔁 0 💬 0 📌 0
Optimizing IOC Retention Time Are you importing indicators of compromise (IOC) in the form of domain names and IP addresses into your SIEM, NDR or IDS? If so, have you considered for how long you should keep looking for those IOCs? An IoT botnet study from 2022 found that 90% of C2 servers had a lifetime of less than 5 days and[...]
06.11.2025 12:05 👍 0 🔁 0 💬 0 📌 0
Online Network Forensics Class I will teach a live online network forensics training on February 23-26. The full title of the class is Network Forensics for Incident Response, where we will analyze PCAP files containing network traffic from hackers and malware. The training is split into four interactive sessions running from 13:[...]
20.10.2025 05:30 👍 0 🔁 0 💬 0 📌 0
Gh0stKCP Protocol Gh0stKCP is a transport protocol based on KCP, which runs on top of UDP. Gh0stKCP has been used to carry command-and-control (C2) traffic by malware families such as PseudoManuscrypt and ValleyRAT/Winos4.0. @Jane_0sint recently tweeted about ValleyRAT using a new UDP based C2 protocol. I wanted to t[...]
24.09.2025 09:40 👍 0 🔁 0 💬 0 📌 0
Define Protocol from Traffic (XenoRAT) This video shows how to define a protocol in CapLoader just by providing examples of what the protocol looks like. CapLoader can then identify that protocol in other traffic, regardless of IP address and port number, simply by looking for traffic that behaves similarly to what it was trained on. We ca[...]
21.08.2025 12:50 👍 0 🔁 0 💬 0 📌 0
PureRAT = ResolverRAT = PureHVNC PureRAT is a Remote Access Trojan, which can be used by an attacker to remotely control someone else's PC. PureRAT provides the following features to an attacker: See the victim's user interface; Interact with the victim PC using mouse and keyboard; View the webcam; Listen to the microphone; Record keystroke[...]
12.08.2025 15:43 👍 0 🔁 0 💬 0 📌 0
PureLogs Forensics I analyzed some PureLogs Stealer malware infections this morning and found some interesting behavior and artifacts that I want to share. PureLogs infections sometimes start with a dropper/downloader that retrieves a .pdf file from a legitimate website. The dropper I will demo here downloaded this fi[...]
02.07.2025 11:52 👍 0 🔁 0 💬 0 📌 0
CapLoader 2.0.1 Released This update resolves several minor bugs, but also brings better protocol identification and a new IP lookup alert to CapLoader. (Image: Alert for IP lookup using ip-api.com in PCAP from tria.ge) (Image: Transcript of ip-api.com IP lookup traffic) IP lookup services, like ip-api, checkip.amazonaws.com and ident.me, ar[...]
01.07.2025 13:48 👍 0 🔁 0 💬 0 📌 0
Detecting PureLogs traffic with CapLoader CapLoader includes a feature for Port Independent Protocol Identification (PIPI), which can detect which protocol is being used inside of TCP and UDP sessions without relying on the port number. In this video CapLoader identifies the C2 protocol used by the PureLogs Stealer malware. The PureLogs pro[...]
09.06.2025 14:26 👍 0 🔁 0 💬 0 📌 0
CapLoader 2.0 Released I am thrilled to announce the release of CapLoader 2.0 today! This major update includes a lot of new features, such as a QUIC parser, alerts for threat hunting and a feature that allows users to define their own protocol detections based on example network traffic. User Defined Protocols CapLoader's[...]
02.06.2025 13:47 👍 0 🔁 0 💬 0 📌 0
Comparison of tools that extract files from PCAP One of the premier features in NetworkMiner is the ability to extract files from captured network traffic in PCAP files. NetworkMiner reassembles the file contents by parsing protocols that are used to transfer files across a network. But there are other tools that also can extract files from PCAP f[...]
05.05.2025 16:05 👍 0 🔁 0 💬 0 📌 0
Decoding njRAT traffic with NetworkMiner I investigate network traffic from a Triage sandbox execution of njRAT in this video. The analysis is performed using NetworkMiner in Linux (REMnux to be specific). About njRAT / Bladabindi njRAT is a Remote Access Trojan (RAT) that can be used to remotely control a hacked computer. It has been arou[...]
28.04.2025 06:00 👍 0 🔁 0 💬 0 📌 0
How to Install NetworkMiner in Linux This guide shows how to install the latest version of NetworkMiner in Linux. To install an older NetworkMiner release, prior to version 3.0, please see our legacy NetworkMiner in Linux guide. STEP 1: Install Mono and GTK2. Mono is an open source cross-platform implementation of the .NET framework, it[...]
10.04.2025 07:30 👍 0 🔁 0 💬 0 📌 0
Online Network Forensics Training I will teach a live online class next month. The subject for the class is Network Forensics for Incident Response. The training is split into four interactive 4-hour sessions, so that you have the rest of each work-day free to either practice what you learned in class or catch up with your 'normal'[...]
07.04.2025 06:25 👍 0 🔁 0 💬 0 📌 0
NetworkMiner 3.0 Released I am very proud to announce the release of NetworkMiner 3.0 today! This version brings several new protocols as well as user interface improvements to NetworkMiner. We have also made significant changes under the hood, such as altering the default location to where NetworkMiner extracts files from n[...]
04.04.2025 10:53 👍 0 🔁 0 💬 0 📌 0
How to set PCAP as default save file format in Wireshark Did you know that there is a setting in Wireshark for changing the default save file format from pcapng to pcap? In Wireshark, click Edit, Preferences. Then select Advanced and look for the capture.pcap_ng setting. Change the value to FALSE if you want Wireshark to save packets in the pcap file form[...]
25.02.2025 10:33 👍 0 🔁 0 💬 0 📌 0
PolarProxy 1.0.1 Released The new release of PolarProxy generates JA4 fingerprints and enables rulesets to match on specific decryption errors, for example to enable fail-open in case the TLS traffic cannot be decrypted and inspected. JA4 Fingerprints. JA4 fingerprints provide several improvements over their JA3 predecessor. One[...]
07.02.2025 10:10 👍 0 🔁 0 💬 0 📌 0
Blocking Malicious sites with a TLS Firewall Over 90 percent of all web traffic is encrypted nowadays, which is great of course. However, as HTTP and DNS traffic gets encrypted, defenders have a more difficult time blocking malicious network traffic. One solution to this problem is to use a TLS firewall, which effectively blocks encrypted conn[...]
27.01.2025 10:45 👍 0 🔁 0 💬 0 📌 0
VoIP tab in NetworkMiner Professional The VoIP tab is a unique feature only available in NetworkMiner Professional. The analyzed PcapNG file comes from a blog post by Johannes Weber titled VoIP Captures. See our NetworkMiner Professional tutorial videos for more tips and hints.
04.10.2024 06:20 👍 0 🔁 0 💬 0 📌 0
Browsers tab in NetworkMiner Professional The Browsers tab is a unique feature only available in NetworkMiner Professional. The PCAP files analyzed in this video are pwned-se_150312_outgoing.pcap and pwned-se_150312_incoming.pcap, which are snippets of the 4.4 GB Hands-on Network Forensics dataset from FIRST 2015 (slides). More information[...]
03.10.2024 09:10 👍 0 🔁 0 💬 0 📌 0
Files tab in NetworkMiner Professional The PCAP file analyzed in this video is pwned-se_150312_outgoing.pcap, which is a snippet of the 4.4 GB Hands-on Network Forensics dataset from FIRST 2015 (slides). See our NetworkMiner Professional tutorial videos for more tips and hints.
02.10.2024 07:10 👍 0 🔁 0 💬 0 📌 0
Hosts tab in NetworkMiner Professional The PCAP file analyzed in this video is MD_2015-07-22_112601.pcap, which is a snippet of the training data used in our network forensics classes from 2015 to 2019. Techniques, tools and databases mentioned in the tutorial: CIDR notation, Satori, p0f, mac-ages. Check out our Passive OS Fingerprinting blog p[...]
01.10.2024 08:25 👍 0 🔁 0 💬 0 📌 0
Opening capture files with NetworkMiner Professional This video tutorial demonstrates how to open capture files with NetworkMiner Professional. The analyzed pcap-ng file is github.pcapng from CloudShark. More info about this capture file can be found in our blog post Forensics of Chinese MITM on GitHub. See our NetworkMiner Professional tutorial videos[...]
30.09.2024 12:50 👍 0 🔁 0 💬 0 📌 0
Video Tutorial: Installing NetworkMiner Professional This video tutorial covers how to install NetworkMiner Professional. Use the official 7-zip tool to extract the password protected 7zip archive. Recommended locations for NetworkMiner: Desktop, My Documents, C:\Users\{user}\AppData\Local\Programs\, USB flash drive. See our NetworkMiner Professional tutoria[...]
30.09.2024 08:45 👍 0 🔁 0 💬 0 📌 0
CapLoader 1.9.7 Released A new release of CapLoader has been published! Some of the changes can be seen directly in the user interface, such as Community ID values for flows and a few other new columns in the Flows and Services tabs. Other improvements are more subtle, like improved detection of remote management protocols[...]
06.09.2024 09:45 👍 0 🔁 0 💬 0 📌 0