Network Forensics and
Network Security Monitoring
Netresec is an independent software vendor with focus on the network security field. We specialize in software for network forensics and analysis of network traffic.
Our most well known product is NetworkMiner, which is available in a professional as well as free open source version. We also develop and maintain other software tools, such as CapLoader (for big pcap files) and RawCap (a lightweight sniffer).
We at Netresec additionally maintain a comprehensive list of publicly available pcap files.
NetworkMiner
NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.
CapLoader
CapLoader is a Windows tool designed to handle large amounts of captured network traffic in the tcpdump/libpcap format (PCAP). CapLoader displays the contents of opened PCAP files as a list of TCP and UDP flows. Users can select the flows of interest and quickly filter out those packets from the loaded PCAP files. Sending the selected flows/packets to a packet analyzer tool like Wireshark or NetworkMiner is then just a mouse click away.
PolarProxy
PolarProxy is a transparent TLS and SSL inspection proxy created for incident responders, malware analysts and security researchers. PolarProxy is primarily designed to intercept and decrypt TLS encrypted traffic from malware that is run in a controlled environment, such as a sandbox. PolarProxy decrypts and re-encrypts TLS traffic, while also saving the decrypted traffic in a PCAP file.
Additional software from Netresec can be found on our products page.
Headlines from our Blog
Googles Threat Intelligence Group (GTIG) and Mandiants recent Disrupting the GRIDTIDE Global Cyber Espionage Campaign report is great and it has lots of good Indicators of Compromise (IOC). Many of these IOCs had already been shared by CISA last year as part of their Alert AA25-141A titled Russian G[...]
njRAT is a remote access trojan that has been around for more than 10 years and still remains one of the most popular RATs among criminal threat actors. This blog post demonstrates how NetworkMiner Professional can be used to decode the njRAT C2 traffic to extract artifacts like screenshots, command[...]
This video tutorial demonstrates how malware XOR encrypted and obfuscated C2 traffic can be decoded with CyberChef. The analyzed PCAP files can be downloaded from malware-traffic-analysis.net. CyberChef recipe to decode the reverse shell traffic to 103.27.157.146:4444: From_Hex(Auto) XOR({option:Hex[...]
This blog post demonstrates how artifacts, such as reverse shell commands and VNC session screenshots, can be extracted from Latrodectus BackConnect C2 traffic with NetworkMiner. I recently learned that the great folks from The DFIR Report have done a writeup covering the Latrodectus backdoor. Their[...]
This NetworkMiner release brings improved extraction of artifacts like usernames, passwords and hostnames from network traffic. We have also made some updates to the user interface and continued our effort to extract even more details from malware C2 traffic. More Artifacts Extracted Usernames and p[...]
Are you importing indicators of compromise (IOC) in the form of domain names and IP addresses into your SIEM, NDR or IDS? If so, have you considered for how long you should keep looking for those IOCs? An IoT botnet study from 2022 found that 90% of C2 servers had a lifetime of less than 5 days and[...]
I will teach a live online network forensics training on February 23-26. The full title of the class is Network Forensics for Incident Response, where we will analyze PCAP files containing network traffic from hackers and malware. The training is split into four interactive sessions running from 13:[...]
Gh0stKCP is a transport protocol based on KCP, which runs on top of UDP. Gh0stKCP has been used to carry command-and-control (C2) traffic by malware families such as PseudoManuscrypt and ValleyRAT/Winos4.0. @Jane_0sint recently tweeted about ValleyRAT using a new UDP based C2 protocol. I wanted to t[...]