- Anomalous DNS
- Phishing
- Log4J
cd Desktop/Exercise-Files/anomalous-dns
ls
zeek -Cr dns-tunneling.pcap
head dns.log
#AAAA record maps to IPv6 address
cat dns.log | zeek-cut qtype_name | grep "AAAA" | wc -l
head conn.log
cat conn.log | zeek-cut duration | sort -n | uniq
cat dns.log | zeek-cut query | grep -v -e "update.com" | sort -nr | uniq
#this shows 15 addresses
#we can see unique domain queries by simply checking the address
1. Investigate the dns-tunneling.pcap file. Investigate the dns.log file. What is the number of DNS records linked to the IPv6 address? - 320
2. Investigate the conn.log file. What is the longest connection duration? - 9.420791
3. Investigate the dns.log file. Filter all unique DNS queries. What is the number of unique domain queries? - 6
4. Investigate the conn.log file. What is the IP address of the source host? - 10.20.57.3
cd Desktop/Exercise-Files/phishing
zeek -Cr phishing.pcap
ls
head conn.log
#to defang IP address, cover the delimiter '.' in square brackets
head http.log
./clear-logs.sh
zeek -Cr phishing.pcap hash-demo.zeek
#extract files hashes in log file
zeek -Cr phishing.pcap file-extract-demo.zeek
#create dir for extracted files
ll
cd extract_files/
ls
file *
#check file type
#here, the two malicious files can be the doc and the exe file
md5sum extract-1561667889.703239-HTTP-FB5o2Hcauv7vpQ8y3
#gives md5 b5243ec1df7d1d5304189e7db2744128
md5sum extract-1561667899.060086-HTTP-FOghls3WpIjKpvXaEl
#gives md5 cc28e40b46237ab6d5282199ef78c464
#we can use VirusTotal to look it up
#for the malicious doc file, we can view Relations on VirusTotal
#this shows that the related filetype is vba
#the malicious shell command can be found in Behaviour - Process and Service Actions
#for the exe, the domain name can be found in network communication
cd ..
cat http.log | zeek-cut uri
1. Investigate the logs. What is the suspicious source address? - 10[.]6[.]27[.]102
2. Investigate the http.log file. Which domain address were the malicious files downloaded from? - smart-fax[.]com
3. Investigate the malicious document in VirusTotal. What kind of file is associated with the malicious document? - vba
4. What is the executed Shell Command by the malicious document? - c:/analyse/1564071314.9150934_80fc752d-3099-4df0-9c50-4d7c0e228e26
5. Investigate the extracted malicious .exe file. What is the given file name in Virustotal? - PleaseWaitWindow.exe
6. Investigate the malicious document in VirusTotal. What is the contacted domain name? - hopto[.]org
7. Investigate the http.log file. What is the request name of the downloaded malicious .exe file? - knr.exe
cd Desktop/Exercise-Files/log4j
zeek -Cr log4shell.pcapng detection-log4j.zeek
ls
head signatures.log
cat signatures.log | zeek-cut ts | wc -l
head http.log
#shows the log4j exploit file
cat http.log | zeek-cut user_agent
#shows Nmap Scripting Engine
head log4j.log
echo d2hpY2ggbmMgPiAvdG1wL3B3bmVkCg== | base64 -d
#decodes the base64 command
#this shows us the file name
1. Investigate the log4shell.pcapng file with detection-log4j.zeek script. Investigate the signature.log file. What is the number of signature hits? - 3
2. Investigate the http.log file. Which tool is used for scanning? - Nmap
3. Investigate the http.log file. What is the extension of the exploit file? - .class
4. Investigate the log4j.log file. Decode the base64 commands. What is the name of the created file? - pwned