Hot Topics

JA3

CapLoader 1.9.6

CapLoader 1.9.6 Released

| | 104.21.7.13:80, 104.223.118.109:443, 104.248.81.48:443, 151.236.9.107:443, 159.89.124.188:443, a85be79f7b569f1df5e6087b69deb493, aptekoagraliy, BackConnect XOR, CapLoader, GzipLoader, IcedID, JA3, JA4, joekairbos, lazirusairnaf, Loda, regex, Remcos, seedkraproboy, t13i010400_0f2cb44170f4_1b583af8cc09, t13i010400_0f2cb44170f4_5c4c70b73fa0, ThreatFox, win.loda
CapLoader now detects even more malicious protocols and includes several new features such as JA4 fingerprints, API support for sharing IOCs to ThreatFox and OSINT lookups of malware families on Malpedia. The ...
NETRESEC Network Security Blog
CapLoader 1.9.4

CapLoader 1.9.4 Released

| | CapLoader, JA3, JA3S, pcap, Protocol Detection, Protocol Identification, SPID, TLS, VXLAN
A new version of our advanced PCAP filtering tool CapLoader was released today. The new CapLoader 1.9.4 release includes features like JA3 hash extraction from TLS traffic and a fantastic thing called ...
NETRESEC Network Security Blog
Screenshot of original infection email from Unit 42

Emotet C2 and Spam Traffic Video

| | 37cdab6ff1bd1c195bacb776c5213bf2, 51c64c77e60f3980eea90869b68c58a8, C2, Command And Control, ec74a5c51106f0419184d0dd08fb05bc, Emotet, fd4bc6cea4877646ccd62f0792ec0b62, JA3, JA3S, pcap, smtp, SMTPS, Spam, spambot, STARTTLS, video, videotutorial, Windows Sandbox
This video covers a life cycle of an Emotet infection, including initial infection, command-and-control traffic, and spambot activity sending emails with malicious spreadsheet attachments to infect new victims. The video cannot be ...
NETRESEC Network Security Blog
NetworkMiner 2.7.3

NetworkMiner 2.7.3 Released

| | 6ece5ece4192683d2d84e25b0ba7e04f9cb7eb7c, Abuse.ch, BitRAT, carve, Cobalt Strike, CobaltStrike, DBSBL, DNSBL, Emotet, FileScan.IO, JA3, JoeSandbox, memdump, meterpreter, NetworkMiner, NetworkMinerCLI, OSINT, PIPI, Protocol Detection, Qbot, RFC8422, TrickBot, unfurl, X.509
NetworkMiner now extracts meterpreter payloads from reverse shells and performs offline lookups of JA3 hashes and TLS certificates. Our commercial tool, NetworkMiner Professional, additionally comes with a packet carver that extracts network ...
NETRESEC Network Security Blog
NetworkMiner 2.7 Logo

NetworkMiner 2.7 Released

| | ANY.RUN, DNS SRV, DNS TXT, JA3, JA3S, LPD, LPR, MalwareBazaar, NetworkMiner, OSINT, pcap, PCL, PostScript, RFC1179, SMB2, ThreatFox, URLhaus
We are happy to announce the release of NetworkMiner 2.7 today! The new version extracts documents from print traffic and pulls out even more files and parameters from HTTP as well as ...
NETRESEC Network Security Blog
Introducing RDP Inferences

Introducing RDP Inferences

| | Alert AA21-131A, Announcements, APT39, APT40, Corelight Labs, Crowbar, DarkSide ransomware, Duo, Emotet, encrypted traffic, encrypted traffic collection, JA3, Matrix ransomware, network detection response, Network Security, network security monitoring, network traffic analysis, network visibility, Palo Alto Networks, RDP, RDPBCGR, Richard Bejtlich, rsa, RSAConference, Vern Paxson, Zeek, Zscaler
By Anthony Kasza, Technical Director, Corelight Corelight recently released a new package, focused on RDP inferences, as part of our Encrypted Traffic Collection. This package runs on Corelight Sensors and provides network ...
Bright Ideas Blog
IdedID and Cobalt Strike

Analysing a malware PCAP with IcedID and Cobalt Strike traffic

| | 0314b8cd45b636f38d07032dc8ed463295710460ea7a4e214c1de7b0e817aab6, 104.236.115.181, 11965662e146d97d3fa3288e119aefb2, 1580103814, 172.67.188.12, 1768.py, 185.141.26.140, 1ab39f1c8fb3f2af47b877cafda4ee09374d7bd3, 213e9c8bf7f6d0113193f785cb407f0e8900ba75b9131475796445c11f3ff37c, 449c1967d1708d7056053bedb9e45781, 45.147.229.157, 452e969c51882628dac65e38aff0f8e5ebee6e6b, 485ba347cf898e34a7455e0fd36b0bcf8b03ffd8, 83.97.20.176, 8da75e1f974d1011c91ed3110a4ded38, 96a535122aba4240e2c6370d0c9a09d3, ameripermanentno.website, b63d7ad26df026f6cca07eae14bb10a0ddb77f41, banusdona.top, c2bdc885083696b877ab6f0e05a9d968fd7cc2bb, c7da494880130cdb52bd75dae1556a78f2298a8cc9a2e75ece8a57ca290880d3, CapLoader, Cobalt Strike, CobaltStrike, d45b3f9d93171c29a51f9c8011cd61aa44fcb474d59a0b68181bb690dbbf2ef5, Didier Stevens, e9b5e549363fa9fcb362b606b75d131dec6c020e, f98711dfeeab9c8b4975b2f9a88d8fea, IcedID, IceID, JA3, lesti.net, mazzappa.fun, momenturede.fun, Network Forensics, NetworkMiner, odichaly.space, pcap, SSLBL, training, vaccnavalcod.website, X.509
This network forensics walkthrough is based on two pcap files released by Brad Duncan on malware-traffic-analysis.net. The traffic was generated by executing a malicious JS file called StolenImages_Evidence.js in a sandbox environment ...
NETRESEC Network Security Blog
Beating alert fatigue with integrated data

Beating alert fatigue with integrated data

| | cisco, dns, http, JA3, partnership, Phantom, Playbooks, ServiceNow, sha1, SIEM, Splunk, Suricata
By Alex Kirk, Corelight Global Principal for Suricata More than 15 years after Gartner declared that “IDS is dead” because it was too noisy to be effectively managed, alert fatigue continues to ...
Bright Ideas Blog
Meet the Corelight CTF tournament winners

Meet the Corelight CTF tournament winners

| | Announcements, Capture the Flag, Cobalt Strike C2, ctf, dns, Elastic, JA3, Open Source Community, pcap, Splunk, ssl.log, Zeek
By John Gamble, Director of Product Marketing, Corelight This summer, Corelight hosted a virtual CTF tournament where hundreds of players raced to solve security challenges using Zeek data in Splunk and Elastic ...
Bright Ideas Blog
NetworkMiner 2.5

NetworkMiner 2.5 Released

| | CIFS, DoH, hashcat, HTTP/2, http2, HTTPS, JA3, John, KERBEROS, MS-BRWS, NBNS, NetBIOS, NetworkMiner, NetworkMinerCLI, OSINT, pcap
I am happy to announce the release of NetworkMiner 2.5 today! This new version includes new features like JA3 and parsers for the HTTP/2 and DoH protocols. We have also added support ...
NETRESEC Network Security Blog

Secure Guardrails