π™½π™΄πšƒπšπ™΄πš‚π™΄π™²'s Avatar

π™½π™΄πšƒπšπ™΄πš‚π™΄π™²

@netresec.com

Experts in Network Forensics and Network Security Monitoring. Creators of #NetworkMiner, #CapLoader, #PolarProxy and RawCap. Website: https://www.netresec.com/ Mastodon: @netresec@infosec.exchange

743
Followers
244
Following
76
Posts
06.02.2024
Joined

Latest posts by 𝙽𝙴𝚃𝚁𝙴𝚂𝙴𝙲 @netresec.com


✨ DFRWS EU 2026 Workshops

All DFRWS #Workshops and Social Events are inclusive in Registration. 👍

📍 Workshop Dates 23–24 March 2026
📍 Hybrid • Linköping, Sweden

Explore workshop details 👉 buff.ly/Q45nyji
Register 👉 buff.ly/lsQrqiZ

#NetworkTrafficAnalysis #MemoryForensics #DFIR #TorAnalysis

05.03.2026 08:30 👍 3 🔁 1 💬 0 📌 0
Post image

πŸ” A major phishing-as-a-service platform disrupted.

Tycoon2FA enabled large-scale account compromise by bypassing MFA protections.

Through Europol’s Cyber Intelligence Extension Programme, industry intelligence was turned into operational results.

Read more here: https://ow.ly/GECE50YoZIO

04.03.2026 16:02 👍 8 🔁 4 💬 0 📌 0

I'm interested in getting in touch with anyone who was involved in the WANK/OILZ worm outbreak at NASA/CERN/DoE in 1989.

I've talked to a few folks, but there are still blanks in this story - if you were part of that please ping me.

01.03.2026 10:03 👍 6 🔁 8 💬 0 📌 0
Preview
CISA mixup of IOC domains Google's Threat Intelligence Group (GTIG) and Mandiant's recent Disrupting the GRIDTIDE Global Cyber Espionage Campaign report is great and it has lots of good Indicators of Compromise (IOC). Many of th...

netresec.com?b=26233f4

27.02.2026 16:37 👍 0 🔁 1 💬 0 📌 0
GRU unit 26165 domains:
accesscan[.]org  glize[.]com
You’ve verified them, right?
You’ve verified them, right?

21 of the world's best intelligence and security agencies cannot be wrong... right?
netresec.com?b=26233f4

27.02.2026 16:34 👍 2 🔁 1 💬 1 📌 0
Preview
CISA mixup of IOC domains Google's Threat Intelligence Group (GTIG) and Mandiant's recent Disrupting the GRIDTIDE Global Cyber Espionage Campaign report is great and it has lots of good Indicators of Compromise (IOC). ...

Do CISA analysts type out IOC domains by hand?
netresec.com?b=26233f4

26.02.2026 10:41 👍 1 🔁 1 💬 0 📌 0
✨ DFRWS EU 2026 Workshops

Hands-on Analysis of Network Packets Carved from Memory & PCAP Analysis of Unencrypted Tor Traffic

Led by Erik Hjelmvik (Netresec, Sweden), the session is designed for practitioners and researchers working with network and memory forensics in real-world investigations.

📍 Workshop Dates 23–24 March 2026
📍 Details here: 👉 https://buff.ly/oT8OtbE

06.02.2026 08:30 👍 1 🔁 1 💬 0 📌 0

Erik Hjelmvik will run a hands-on network forensic workshop at the upcoming Digital Forensics Research Conference in Sweden. Participants will get the chance to analyze:
🔪 Packets carved from memory dumps
🧅 Unencrypted Tor traffic
dfrws.org/dfrws-eu-202...

05.02.2026 10:10 👍 2 🔁 1 💬 0 📌 0
Preview
njRAT runs MassLogger njRAT is a remote access trojan that has been around for more than 10 years and still remains one of the most popular RATs among criminal threat actors. This blog post demonstrates how NetworkMiner Pr...

Decoding #njRAT C2 traffic to extract screenshots, commands and transferred files
netresec.com?b=262adb9

02.02.2026 19:41 👍 3 🔁 2 💬 0 📌 0
Preview
Attributive Questions in High Profile Incidents On 30 January 2026, CERT.PL published findings concerning an electric sector attack on Poland in December 2025. This report, presumably the most complete on the incident covering multiple sources a…

Some initial thoughts on recent disclosures concerning the December 2025 incident targeting the Polish electric sector - with a focus on #CTI elements such as attribution implications and methodology:
pylos.co/2026/01/31/a...

31.01.2026 17:54 👍 7 🔁 3 💬 1 📌 1
NetworkMiner has been around for a long time, and it shows — in a good way.

It feels opinionated. It feels calm. It feels like a tool made by people who’ve already had a few bad days in incident response.

No hype. No buzzwords. Just packets telling you what happened.

Thank you for those kind words! 💜
www.linkedin.com/pulse/issue-...

27.01.2026 08:28 👍 2 🔁 2 💬 0 📌 0
Preview
Online Network Forensics Class I will teach a live online network forensics training on February 23-26. The full title of the class is Network Forensics for Incident Response, where we will analyze PCAP files containing network tra...

The early bird discount, for our live online network forensics class, expires by the end of this week. Sign up if you’d like to analyze PCAP files together with Erik Hjelmvik (creator of NetworkMiner and PolarProxy).
netresec.com?b=25A2e4f

26.01.2026 07:06 👍 0 🔁 1 💬 0 📌 0
Post image

DFRWS EU 2026 is seeking posters showcasing interesting digital forensics research for presentation in Linköping, Sweden, 24–27th March 2026. 📥 Submit via EasyChair (PDF) - Rolling notification until the program is full! #DFRWSEU2026 #DFRWS #DigitalForensics

21.01.2026 08:54 👍 0 🔁 1 💬 0 📌 0
Preview
Decoding malware C2 with CyberChef This video tutorial demonstrates how malware C2 traffic can be decoded with CyberChef. The PCAP files with the analyzed network traffic can be downloaded from malware-traffic-analysis.net. CyberChef r...

🎬 Video: Decoding malware C2 with #CyberChef
netresec.com?b=261f535

20.01.2026 12:39 👍 2 🔁 2 💬 0 📌 0

Big thank you to @thedfirreport.bsky.social for capturing this intrusion traffic! 🎉

10.12.2025 17:00 👍 1 🔁 0 💬 0 📌 0
Keylog extracted from BackConnect VNC network traffic by NetworkMiner

Keylog of attacker's hands-on keyboard actions from BackConnect VNC session

10.12.2025 17:00 👍 0 🔁 1 💬 1 📌 0
Attacker fails to inspect ad_users.txt

Here's one of the screenshots from the BackConnect VNC sessions in the blog post

10.12.2025 17:00 👍 0 🔁 0 💬 1 📌 0
Preview
Latrodectus BackConnect I recently learned that the great folks from The DFIR Report have done a writeup covering the Latrodectus backdoor. Their report is titled From a Single Click: How Lunar Spider Enabled a Near Two-Mont...

Extracting VNC screenshots and keylog data from #Latrodectus 🕷️ BackConnect
netresec.com?b=25Cfd08

10.12.2025 13:22 👍 6 🔁 2 💬 1 📌 0
Preview
NetworkMiner 3.1 Released This NetworkMiner release brings improved extraction of artifacts like usernames, passwords and hostnames from network traffic. We have also made some updates to the user interface and continued our e...

NetworkMiner 3.1 Released!
🔑 More usernames, passwords and hostnames from #PCAP
💻 Improved user interface
👾 Better details from malware C2 traffic
netresec.com?b=25C4039

01.12.2025 09:12 👍 2 🔁 2 💬 0 📌 0
Post image

CN #APT targeting attendees of a diabetes conference in Singapore in December
attd.z23.web.core[.]windows[.]net/ATTD-ASIA-2025.zip (live link, careful!)
ATTD-ASIA-2025.lnk a12357ff6c0f7b021f32b0c9cd3d01c4
ATTD-ASIA-2025.zip a8082a80cef9ccee9d7a35f5366e3afb
gzv.msi 32e7dcbd26b6455974d5b2c52c3ca421 🐴

20.11.2025 20:10 👍 3 🔁 1 💬 2 📌 0

C2 runs on:
🔥 portabalbufe[.]com
🔥 172.67.212.147:443
Other C2 indicators:
🔥 JA3 a0e9f5d64349fb13191bc781f81f42e1
🔥 JA4 t12d190800_d83cc789557e_7af1ed941c26
🔥 Cert hash 25aa00e75ca12bc66ff475ebe9c6bfbd466e91ed

20.11.2025 20:42 👍 3 🔁 0 💬 0 📌 0

That's great! Long lived IOCs like that are golden.

10.11.2025 09:56 👍 0 🔁 0 💬 0 📌 0

The boring answer is of course "it depends". But most incident responders would probably agree that a C2 IP address can be considered "old" when a couple of weeks have passed since it was last seen active.

06.11.2025 15:59 👍 0 🔁 0 💬 1 📌 0
π™½π™΄πšƒπšπ™΄πš‚π™΄π™² (@netresec@infosec.exchange) Here's a copy-paste friendly version of our ASCII Pyramid of Pain License: CC0 ``` ,/\ ,Β΄V_-\ IOC Pyramid ,Β΄\/-__-\ of Pain ,Β΄\\/-_--_-\ ,Β΄\\\V_--TTP-_...

Agreed, real-world IOC decay/score varies depending on TA choices as well as the actions we take as defenders.

Fantastic that you like our ASCII Pyramid of Pain 😊
Here's a CC0 licensed copy-paste friendly version:
infosec.exchange/@netresec/11...

06.11.2025 15:41 👍 0 🔁 0 💬 0 📌 0

I love the idea of calculating the decay rate of an IOC. It's not always strictly mathematical, because it also relies on threat actors' choices about how they use the IOCs, but as an estimate and for decision making, this seems promising.

Also, I really like @netresec.com's ASCII art Pyramid. 😀

06.11.2025 13:23 👍 6 🔁 1 💬 2 📌 0
Preview
Optimizing IOC Retention Time Are you importing indicators of compromise (IOC) in the form of domain names and IP addresses into your SIEM, NDR or IDS? If so, have you considered for how long you should keep looking for those IOCs...

Monitoring for too many old indicators not only costs money, it can even inhibit detection of real intrusions.
📆 Include "last seen" date when publishing IOCs
❌ Prune old IOCs
📜 Prioritize long lived IOCs over short lived ones
netresec.com?b=25Be9dd

06.11.2025 13:08 👍 3 🔁 1 💬 1 📌 1
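The three recommendations in the post above, turned into a small pruning routine. This is an added example, not code from the post or from Netresec's blog: it keeps an indicator only while its age since "last seen" is inside a retention window and, as an assumption of this example, sizes that window to how long the indicator was observed active (clamped between 14 and 180 days), so long-lived IOCs outlive short-lived ones and are loaded first. The indicator values, dates and the `AS_OF` reference date are constructed.

```python
from datetime import date, timedelta

# Constructed sample feed (not real indicators): each entry carries the
# first_seen / last_seen dates a publisher should ship alongside the IOC.
SAMPLE_IOCS = [
    {"value": "c2-one.example", "type": "domain",
     "first_seen": date(2025, 1, 10), "last_seen": date(2025, 10, 28)},
    {"value": "203.0.113.10", "type": "ip",
     "first_seen": date(2025, 10, 1), "last_seen": date(2025, 10, 3)},
    {"value": "198.51.100.7", "type": "ip",
     "first_seen": date(2025, 4, 2), "last_seen": date(2025, 8, 15)},
    {"value": "drop.example", "type": "domain",
     "first_seen": date(2025, 10, 30), "last_seen": None},   # no last-seen date published
]

# Constructed "today" for the walkthrough.
AS_OF = date(2025, 11, 6)

# Assumed policy bounds: never keep an IOC less than two weeks after it was
# last seen, never more than half a year.
MIN_RETENTION = timedelta(days=14)
MAX_RETENTION = timedelta(days=180)


def effective_last_seen(ioc):
    """Publishers that omit last_seen get first_seen instead: the IOC then
    only qualifies for the minimum window, which is the cost of that gap."""
    return ioc["last_seen"] or ioc["first_seen"]


def observed_lifetime(ioc):
    """How long the indicator was seen active; long-lived IOCs rank higher."""
    return effective_last_seen(ioc) - ioc["first_seen"]


def retention_window(ioc):
    """Assumption of this example: keep an IOC for as long as it was active,
    clamped to [MIN_RETENTION, MAX_RETENTION]."""
    return max(MIN_RETENTION, min(MAX_RETENTION, observed_lifetime(ioc)))


def days_left(ioc, today):
    """Positive while the IOC is still worth matching on, negative once stale."""
    age = today - effective_last_seen(ioc)
    return (retention_window(ioc) - age).days


def prune(iocs, today):
    """Drop stale indicators and order the survivors longest-lived first, so a
    sensor with a limited rule budget loads the highest-value IOCs before the rest."""
    kept = [i for i in iocs if days_left(i, today) >= 0]
    kept.sort(key=observed_lifetime, reverse=True)
    return kept


def expired(iocs, today):
    """The indicators that should be removed from the SIEM/NDR/IDS rule set."""
    return [i for i in iocs if days_left(i, today) < 0]


if __name__ == "__main__":
    for ioc in prune(SAMPLE_IOCS, AS_OF):
        print(f"keep  {ioc['value']:<16} lifetime={observed_lifetime(ioc).days:>3}d "
              f"days_left={days_left(ioc, AS_OF):>4}")
    for ioc in expired(SAMPLE_IOCS, AS_OF):
        print(f"prune {ioc['value']:<16} stale by {-days_left(ioc, AS_OF)}d")
```

With the constructed feed, the two-day-old IP that was last seen a month ago is pruned, the domain that was active for most of the year stays for the full 180-day ceiling, and the entry published without a "last seen" date only gets the 14-day floor, which is exactly why the post asks publishers to include that date.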
Post image

🚨 The #DFRWSEU 2026 paper submission deadline has been extended to 10th October 2025 🎉

Submit your paper showcasing cutting-edge digital forensics research.

📤 Submit here: buff.ly/BN8Jlnb
ℹ️ Conference details: buff.ly/KOw9Xpr

#DFRWS #DigitalForensics #CFP

24.09.2025 15:15 👍 3 🔁 1 💬 0 📌 0
Preview
Gh0stKCP Protocol Gh0stKCP is a command-and-control (C2) transport protocol based on KCP. It has been used by malware families such as PseudoManuscrypt and ValleyRAT/Winos4.0. @Jane_0sint recently tweeted about ValleyR...

Gh0stKCP is a C2 transport protocol based on KCP. It has been used by malware families such as #PseudoManuscrypt and #ValleyRAT.
netresec.com?b=259a5af

24.09.2025 10:27 👍 3 🔁 2 💬 0 📌 0
Preview
Define Protocol from Traffic (XenoRAT) This video shows how to define a protocol in CapLoader just by providing examples of what the protocol looks like. CapLoader can then identify that protocol in other traffic, regardless of IP address ...

Video: Detecting #XenoRAT C2 connections using example traffic from known malware sample.
🔥 e0b465d3bd1ec5e95aee016951d55640
🔥 5ab23ac79ede02166d6f5013d89738f9
📑 Huy1612-24727.portmap[.]io:24727
📑 193.161.193.99:24727
📑 147.185.221.30:54661
netresec.com?b=258f641

21.08.2025 13:22 👍 1 🔁 1 💬 0 📌 0