π™½π™΄πšƒπšπ™΄πš‚π™΄π™²

@netresec@infosec.exchange
1,095 Followers
533 Following
292 Posts

As part of the investigation, I have looked closely at Telegram's protocol and analyzed packet captures provided by IStories.

I have also done some packet captures of my own.

I dive into the nitty-gritty technical details of what I found and how I found it on my blog:

Telegram is indistinguishable from an FSB honeypot
https://rys.io/en/179.html

Yes, my packet captures and a small Python library I wrote in the process are all published along.

#Telegram #InfoSec #Privacy #Surveillance #Russia

Telegram is indistinguishable from an FSB honeypot

Many people who focus on information security, including myself, have long considered Telegram suspicious and untrustworthy. Now, based on findings published by the investigative journalism outlet ISt

Songs on the Security of Networks
Signed malicious ConnectWise ScreenConnect installers hosted on Cloudflare R2 storage (by @lawrenceabrams)
https://www.bleepingcomputer.com/news/security/hackers-turn-screenconnect-into-malware-using-authenticode-stuffing/
Hackers turn ScreenConnect into malware using Authenticode stuffing

Threat actors are abusing the ConnectWise ScreenConnect installer to build signed remote access malware by modifying hidden settings within the client's Authenticode signature.

BleepingComputer
Why does CloudFlare insist on forwarding abuse reports to hosting providers and website owners? This makes no sense if the website operators and possibly also hosting providers are the criminals you're trying to stop!

@malware_traffic There's some unknown but interesting C2 traffic going on to net 104.16.0.0/13 (on CloudFlare). An HTTP POST is sent every 30 seconds (see Gantt chart) with gz compressed data.

The C2 servers use domain names like:
🔥 event-time-microsoft[.]org
🔥 windows-msgas[.]com
🔥 event-datamicrosoft[.]live
🔥 eventdata-microsoft[.]live

They also use this trycloudflare.com domain:
🔥 varying-rentals-calgary-predict.trycloudflare[.]com

Anyone know what malware this is?

Researchers uncover how the Facebook app used localhost STUN communication with the browser to track visited websites in Covert Web-to-App Tracking via Localhost on Android. This trick works even if the user browses in incognito mode and uses a VPN.

The Meta Pixel uses a technique known as SDP Munging to insert the _fbp cookie contents to the SDP "ice-ufrag" field, resulting in a Binding Request STUN message sent to the loopback address as the following figure shows. This data flow cannot be observed using Chrome's regular debugging tools (such as DevTools).
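The localhost STUN leak described above, as an added detection example that is not part of the original post or the researchers' code: a minimal STUN (RFC 5389 layout) parser that flags a Binding Request to the loopback address whose ICE USERNAME attribute carries an _fbp-shaped token. Assumptions: the _fbp cookie format fb.<index>.<13-digit timestamp>.<random>, and the sample packet is constructed here for illustration.

```python
import re
import struct
from typing import Optional

STUN_MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
ATTR_USERNAME = 0x0006

# Assumed _fbp cookie shape: "fb.<index>.<ms timestamp>.<random>"
FBP_PATTERN = re.compile(r"fb\.\d+\.\d{13}\.\d+")


def parse_stun(packet: bytes) -> Optional[dict]:
    """Parse a STUN message; return type, transaction id and attributes, or None if not STUN."""
    if len(packet) < 20:
        return None
    msg_type, msg_len, cookie = struct.unpack("!HHI", packet[:8])
    if cookie != STUN_MAGIC_COOKIE or 20 + msg_len > len(packet):
        return None
    attrs, offset, end = {}, 20, 20 + msg_len
    while offset + 4 <= end:
        attr_type, attr_len = struct.unpack("!HH", packet[offset:offset + 4])
        value = packet[offset + 4:offset + 4 + attr_len]
        if len(value) < attr_len:
            return None  # truncated attribute
        attrs.setdefault(attr_type, []).append(value)
        offset += 4 + attr_len + (-attr_len % 4)  # attributes are padded to 32-bit boundaries
    return {"type": msg_type, "transaction_id": packet[8:20], "attrs": attrs}


def fbp_from_binding_request(packet: bytes, dst_ip: str) -> Optional[str]:
    """Return the _fbp value carried in a STUN Binding Request USERNAME sent to loopback, else None."""
    msg = parse_stun(packet)
    if msg is None or msg["type"] != BINDING_REQUEST or not dst_ip.startswith("127."):
        return None
    for username in msg["attrs"].get(ATTR_USERNAME, []):
        # ICE USERNAME is "<remote ufrag>:<local ufrag>"; the munged ufrag holds the cookie
        match = FBP_PATTERN.search(username.decode("utf-8", "replace"))
        if match:
            return match.group(0)
    return None


def build_binding_request(username: str) -> bytes:
    """Construct a sample STUN Binding Request with a USERNAME attribute (test input only)."""
    body = username.encode()
    attr = struct.pack("!HH", ATTR_USERNAME, len(body)) + body + b"\x00" * (-len(body) % 4)
    header = struct.pack("!HHI", BINDING_REQUEST, len(attr), STUN_MAGIC_COOKIE) + b"\x11" * 12
    return header + attr


# Constructed sample: ufrag pair where the local ufrag was munged with an _fbp value
SAMPLE = build_binding_request("a1b2c3d4:fb.1.1596403881668.1116446470")
```

Run over UDP payloads to 127.0.0.0/8 from a capture; a non-empty result is the fingerprint flow the paper describes, which DevTools would not have shown.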

Detecting PureLogs traffic with CapLoader

CapLoader includes a feature for Port Independent Protocol Identification (PIPI), which can detect which protocol is being used inside of TCP and UDP sessions without relying on the port number. In this video CapLoader identifies the PureLogs C2 protocol. The PureLogs protocol detection was added to[...]

Netresec

Another tool I use is #NetworkMiner

It is a powerful open-source tool for #NetworkForensics that lets me extract artifacts such as files, images, e-mails and passwords from PCAP files. NetworkMiner can also capture live network traffic and aggregate detailed information about every IP address, which is useful for passive asset discovery and overviews of communicating devices.

Since 2007, NetworkMiner has grown into a popular tool for incident response teams and law enforcement agencies and is used worldwide.

For me, an indispensable tool for analyzing network data efficiently and precisely.

😀 ✌🏼

#CyberSecurity #OpenSource #DigitalForensics #InfoSec #NetworkAnalysis #DFIR

New Blog!

There is lots of RFC1918 space out there, yet most people use the same 10 /24 subnets

I ended up having my OOB LAN collide with someone's home network a few weeks ago, and decided to find a new subnet to use that won't collide, backed up with actual usage data!

Picking uncontested private IP subnets with usage data

https://blog.benjojo.co.uk/post/picking-unused-rfc1918-ip-space

BKA names identity of the suspected boss of the Trickbot gang

The Federal Criminal Police Office BKA is searching for the alleged head of the notorious "Trickbot" gang by name and face.

heise online
CapLoader 2.0 released today!
🔎 Identifies over 250 protocols in #PCAP
🎨 Define protocols from example traffic
🇶 Extracts JA3, JA4 and SNI from QUIC
💻 10x faster user interface
https://netresec.com/?b=256dbbc
CapLoader 2.0 Released

I am thrilled to announce the release of CapLoader 2.0 today! This major update includes a lot of new features, such as a QUIC parser, alerts for threat hunting and a feature that allows users to define their own protocol detections based on example network traffic. User Defined Protocols CapLoader's[...]

Netresec