CobaltStrike

Cookie parameters from GzipLoader request in NetworkMiner 2.8.1

Forensic Timeline of an IcedID Infection

| | BackConnect, Cobalt Strike, CobaltStrike, ec74a5c51106f0419184d0dd08fb05bc, GzipLoader, IcedID, JA3S, Keyhole, Keylog, NetworkMiner, VNC, Windows Sandbox
The BackConnect and VNC parsers that were added to NetworkMiner 2.8.1 provide a unique possibility to trace the steps of an attacker with help of captured network traffic from a hacked computer ...
NETRESEC Network Security Blog
NetworkMiner 2.7.3

NetworkMiner 2.7.3 Released

| | 6ece5ece4192683d2d84e25b0ba7e04f9cb7eb7c, Abuse.ch, BitRAT, carve, Cobalt Strike, CobaltStrike, DBSBL, DNSBL, Emotet, FileScan.IO, JA3, JoeSandbox, memdump, meterpreter, NetworkMiner, NetworkMinerCLI, OSINT, PIPI, Protocol Detection, Qbot, RFC8422, TrickBot, unfurl, X.509
NetworkMiner now extracts meterpreter payloads from reverse shells and performs offline lookups of JA3 hashes and TLS certificates. Our commercial tool, NetworkMiner Professional, additionally comes with a packet carver that extracts network ...
NETRESEC Network Security Blog
Services tab in CapLoader

Detecting Cobalt Strike and Hancitor traffic in PCAP

| | 1768.py, CapLoader, Cobalt Strike, CobaltStrike, Hancitor, Netresec, nsm, pcap, periodicity, PIPI, Protocol Identification, video, videotutorial, Windows Sandbox
This video shows how Cobalt Strike and Hancitor C2 traffic can be detected using CapLoader. Your browser does not support the video tag. I bet you're going: 😱 OMG he's analyzing Windows ...
NETRESEC Network Security Blog
CapLoader 1.9 Logo

CapLoader 1.9 Released

| | Anchor_DNS, BPF, CapLoader, CobaltStrike, DNP3, HTran, IEC-104, Netresec, OSINT, pcap, Pcap-NG, periodicity, RemoteFX, RevengeRAT, Row Filter, Tofsee, Winsecsrv, WireGuard
A new version of the PCAP filtering tool CapLoader has been released today. The new CapLoader version 1.9 is now even better at identifying protocols and periodic beacons than before. The user ...
NETRESEC Network Security Blog
IdedID and Cobalt Strike

Analysing a malware PCAP with IcedID and Cobalt Strike traffic

| | 0314b8cd45b636f38d07032dc8ed463295710460ea7a4e214c1de7b0e817aab6, 104.236.115.181, 11965662e146d97d3fa3288e119aefb2, 1580103814, 172.67.188.12, 1768.py, 185.141.26.140, 1ab39f1c8fb3f2af47b877cafda4ee09374d7bd3, 213e9c8bf7f6d0113193f785cb407f0e8900ba75b9131475796445c11f3ff37c, 449c1967d1708d7056053bedb9e45781, 45.147.229.157, 452e969c51882628dac65e38aff0f8e5ebee6e6b, 485ba347cf898e34a7455e0fd36b0bcf8b03ffd8, 83.97.20.176, 8da75e1f974d1011c91ed3110a4ded38, 96a535122aba4240e2c6370d0c9a09d3, ameripermanentno.website, b63d7ad26df026f6cca07eae14bb10a0ddb77f41, banusdona.top, c2bdc885083696b877ab6f0e05a9d968fd7cc2bb, c7da494880130cdb52bd75dae1556a78f2298a8cc9a2e75ece8a57ca290880d3, CapLoader, Cobalt Strike, CobaltStrike, d45b3f9d93171c29a51f9c8011cd61aa44fcb474d59a0b68181bb690dbbf2ef5, Didier Stevens, e9b5e549363fa9fcb362b606b75d131dec6c020e, f98711dfeeab9c8b4975b2f9a88d8fea, IcedID, IceID, JA3, lesti.net, mazzappa.fun, momenturede.fun, Network Forensics, NetworkMiner, odichaly.space, pcap, SSLBL, training, vaccnavalcod.website, X.509
This network forensics walkthrough is based on two pcap files released by Brad Duncan on malware-traffic-analysis.net. The traffic was generated by executing a malicious JS file called StolenImages_Evidence.js in a sandbox environment ...
NETRESEC Network Security Blog