𝙽𝙴𝚃𝚁𝙴𝚂𝙴𝙲

PureLogs Forensics I analyzed some PureLogs malware infections this morning and found some interesting behavior and artifacts that I want to share. PureLogs infections sometimes start with a dropper/downloader that retr...

💧 Dropper connects to legitimate website
📄 Fake PDF is downloaded over HTTPS
💾 Fake PDF is decrypted to a #PureLogs DLL
⚙️ InstallUtil.exe or RegAsm.exe is started
💉 PureLogs DLL is injected into the running process
👾 PureLogs connects to C2 server
netresec.com?b=257eead

CapLoader 2.0.1 Released This update resolves several minor bugs, but also brings better protocol identification and a new IP lookup alert to CapLoader. Alert for IP lookup using ip-api.com in PCAP from tria.ge Transcript of ...

CapLoader 2.0.1 Released
⚠️ IP lookup alert
🔎 Better protocol identification
🐛 Bug fixes
netresec.com?b=2571527

Turns out this is Interlock RAT
malpedia.caad.fkie.fraunhofer.de/details/win....

𝙽𝙴𝚃𝚁𝙴𝚂𝙴𝙲 (@netresec@infosec.exchange) Attached: 1 image @malware_traffic There's some unknown but interesting C2 traffic going on to net 104.16.0.0/13 (on CloudFlare). An HTTP POST is sent every 30 seconds (see Gantt chart) with gz compr...

Does anyone know what malware this is? C2 is on 104.16.0.0/13 (CloudFlare).

C2 domains:
🔥 event-time-microsoft[.]org
🔥 windows-msgas[.]com
🔥 event-datamicrosoft[.]live
🔥 eventdata-microsoft[.]live

PCAP from @malware-traffic-analysis.net
infosec.exchange/@netresec/11...

Detecting PureLogs traffic with CapLoader CapLoader includes a feature for Port Independent Protocol Identification (PIPI), which can detect which protocol is being used inside of TCP and UDP sessions without relying on the port number. In th...

Video: Detecting #PureLogs C2 traffic with #CapLoader
netresec.com?b=256a8c4

CapLoader 2.0 Released I am thrilled to announce the release of CapLoader 2.0 today! This major update includes a lot of new features, such as a QUIC parser, alerts for threat hunting and a feature that allow users to defin...

CapLoader 2.0 released today!
🔎 Identifies over 250 protocols in #PCAP
🎨 Define protocols from example traffic
🇶 Extracts JA3, JA4 and SNI from QUIC
💻 10x faster user interface
netresec.com?b=256dbbc

Many organizations may not need to allow outgoing traffic to hosting and API mocking services, which are frequently used by GRU unit 26165. Organizations should consider alerting on or blocking the following services, with exceptions allowlisted for legitimate activity [D3-DNSDL]. *.000[.]pe *.1cooldns[.]com *.42web[.]io *.4cloud[.]click *.accesscan[.]org *.bumbleshrimp[.]com *.camdvr[.]org *.casacam[.]net *.ddnsfree[.]com *.ddnsgeek[.]com *.ddnsguru[.]com *.dynuddns[.]com *.dynuddns[.]net *.free[.]nf *.freeddns[.]org *.frge[.]io *.glize[.]com *.great-site[.]net *.infinityfreeapp[.]com *.kesug[.]com *.loseyourip[.]com *.lovestoblog[.]com *.mockbin[.]io *.mockbin[.]org *.mocky[.]io *.mybiolink[.]io *.mysynology[.]net *.mywire[.]org *.ngrok[.]io *.ooguy[.]com *.pipedream[.]net *.rf[.]gd *.urlbae[.]com *.webhook[.]site *.webhookapp[.]com *.webredirect[.]org *.wuaze[.]com Heuristic detections for web requests to new subdomains, including of the above providers, may uncover malicious phishing activity [D3-DNRA]. Logging the requests for each sub-domain requested by users on a network, such as in DNS or firewall logs, may enable system administrators to identify new targeting and victims.

Thank you CISA, @ncsc.gov.uk, @bsi.bund.de et al. for publishing the advisory on Russian GRU Targeting Western Logistics Entities and Technology Companies. This list of mocking services is great for threat hunting!
www.cisa.gov/news-events/...

MalwareTech – Darknet Diaries MalwareTech was an anonymous security researcher, until he accidentally stopped WannaCry, one of the largest ransomware attacks in history. That single act of heroism shattered his anonymity and pulle...

Correct link should be
darknetdiaries.com/episode/158/

JPG and EML files extracted from SMTP traffic by NetworkMiner 3.0

NetworkMiner automatically extracts EML files as well as attachments (here a jpg image) to disk when it parses emails in SMTP, POP3 or IMAP traffic.

Yes! Wireshark's "Export Packet Bytes" feature can also be used to extract files inside of other data structures, such as attachments in emails.

Comparison of tools that extract files from PCAP One of the premier features in NetworkMiner is the ability to extract files from captured network traffic in PCAP files. NetworkMiner reassembles the file contents by parsing protocols that are used t...

Comparison of tools that extract files from #PCAP
📖 #Chaosreader
⛏️ #NetworkMiner
🐿️ #Suricata
🌊 #tcpflow
🦈 #Wireshark
👁️ #Zeek
netresec.com?b=255329f

Decoding njRAT traffic with NetworkMiner I investigate network traffic from a Triage sandbox execution of njRAT in this video. The analysis is performed using NetworkMiner in Linux (REMnux to be specific). About njRAT / Bladabindi njRAT is a...

Did you know that NetworkMiner parses the #njRAT protocol? The following artefacts are extracted from njRAT C2 traffic:
🖥️ Screenshots of victim computer
📁 Transferred files
👾 Commands from C2 server
🤖 Replies from bot
🔑 Stolen credentials/passwords
⌨️ Keylog data
netresec.com?b=2541a39

LOL, Greenland has been a part of the Kingdom of Denmark since before USA even existed as a country!

How to Install NetworkMiner in Linux This guide shows how to install the latest version of NetworkMiner in Linux. To install an older NetworkMiner release, prior to version 3.0, please see our legacy NetworkMiner in Linux guide. STEP 1: ...

New instructions for installing NetworkMiner on Linux
netresec.com?b=2542784

NetworkMiner 3.0 Released I am very proud to announce the release of NetworkMiner 3.0 today! This version brings several new protocols as well as user interface improvements to NetworkMiner. We have also made significant chang...

NetworkMiner 3.0 Released!
🔐 QUIC
🏭 CIP (EtherNet/IP)
🏭 UMAS (over Mobdus)
👾 Remcos RAT
🔍 Improved OS fingerprinting
🐧 Better Linux integration
netresec.com?b=254caa9

How to set PCAP as default save file format in Wireshark Did you know that there is a setting in Wireshark for changing the default save file format from pcapng to pcap? In Wireshark, click Edit, Preferences. Then select Advanced and look for the capture.pc...

How to set #PCAP as default savefile format in #Wireshark
📝 Edit
📃 Preferences
💡 Advanced
✍️ Change capture.pcap_ng to FALSE
netresec.com?b=2523d40

Setting capture.pcap_ng to FALSE in Wireshark's Edit, Preferences, Advanced let's you save capture files as .pcap instead of .pcapng as default.

That's a very useful feature! Thanks for sharing 🙏

Use pcap as default savefile format instead of pcapng (#20388) · Issues · Wireshark Foundation / Wireshark · GitLab Description The pcapng file format provides some useful features, such as allowing multiple link layer types to be defined in a...

Here's a feature request to have #Wireshark bring back PCAP as the default savefile format instead of pcapng.
gitlab.com/wireshark/wi...

PolarProxy 1.0.1 Released The new release of PolarProxy generates JA4 fingerprints and enables ruleset to match on specific decryption errors, for example to enable fail-open in case the TLS traffic cannot be decrypted and ins...

PolarProxy 1.0.1 Released
🆔 More #JA4
🔂 Fail-open on #TLS errors
⏩ Better performance
netresec.com?b=2523c96

Neat, just found out that @synacktiv.com are on Bluesky as well! Linking their original bsky post here.

dns.​qry.​name should have the same value as dns.​resp.​name Here's a Wireshark display filter for you: dns.count.answers > 0 and lower(dns.qry.name) == lower(dns.resp.name)

Here's a Wireshark display filter that detects this type of LLMNR (multicast name resolution) spoofing:

dns.​count.​answers > 0 and lower(dns.​qry.​name) != lower(dns.​resp.​name)

This is an interesting Kerberos relay attack! It leverages LLMNR spoofing/poisoning to trick victims to connect to the attacker's machine and authenticate using Kerberos.

Filtering on the domain name is quicker since only the client request is needed to extract the hostname from the SNI extension.

Interesting idea 🤔 That would technically be doable. One drawback is that the TLS firewall will have to wait for the server certificate before deciding whether to block it or not.

Blocking Malicious sites with a TLS Firewall Over 90 percent of all web traffic is encrypted nowadays, which is great of course. However, as HTTP and DNS traffic gets encrypted, defenders have a more difficult time blocking malicious network tra...

A TLS firewall is similar to a DNS firewall, except it blocks connections to unwanted websites even if the DNS traffic is encrypted.
netresec.com?b=2515cf0

Covered Topics:
👾 C2 traffic analysis
🔓 Analyzing decrypted HTTPS traffic
↔️ Lateral movement
🎯 Threat Hunting
🔍 JA3 and JA4
🌐 Passive DNS
#DFIR #PCAP

Network Forensics Training Upcoming Network Forensics Trainings and Classes from Netresec

We’ve now scheduled our next Network Forensics for Incident Response training
📅 Dates: May 12-15, 2025
🕑 Duration: Four half-days
🌐 Type: Live Online Network Forensics Training
💵 Price: € 960 EUR
www.netresec.com?page=Training

bsky.app/profile/Goss...

Original source: https://infosec.exchange/@cR0w/113239726857971779

#DirectoryTraversalMemes

Can you elaborate on "making it illegal to share info produced by [Recorded Future"? Would this also apply to info from platforms like Recorded Future's tria.ge ?