Analyzing PCAP with Zeek - HTB Sherlocks - KnockKnock

00:00 - Going over the Scenario
01:30 - Talking about why I'm using Zeek and running it in a docker
05:20 - Showing a Corelight Zeek Cheat Sheet, which is tremendously helpful
08:00 - Showing Zeek-Cut on the x509 log, then looking at the SSL Log
11:50 - Looking for a single IP that sent multiple SSH Banners
13:20 - Creating an alias for zeek-grep (alias zeek-grep='grep -e "^#" -e'), which lets us easily filter logs while keeping the header lines
17:00 - Looking at the HTTP Log, discovering a wget downloading ransomware
21:10 - Looking at the FTP Log, and showing the passwords are hidden. Editing the Zeek Config to unmask the password
24:30 - Editing the FTP Logged commands to add PASS so we see failed logins too
34:10 - Using the DNS Log to see that our attacker was likely using Amazon EC2
36:15 - Looking at how many connections each IP made and discovering our attacker doing a port scan; using date -d @epoch to convert Zeek timestamps to human-readable time
42:30 - Editing our zeek config to also extract_files, then looking at the ransomware download
53:15 - Looking at the files downloaded over FTP
1:07:00 - Start answering the questions. Doing some Grep Fu to see all the open ports during initial recon
1:18:10 - Finding when the port knock happened
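Added example (not code from the video or from IppSec): the chapter list above describes the zeek-grep alias, zeek-cut, the per-IP connection count, the epoch conversion, the "grep fu" for ports touched during recon and the three Zeek config changes (FTP password capture, logging PASS, extracting files). The script below does the same over a constructed conn.log fragment so it runs without a pcap. Every name in it (conn_log, zeek_grep, zeek_cut, conns_per_orig, ports_touched_by, likely_open_ports, first_seen, local_zeek_config), the RFC 5737 test addresses and the log rows are made up for the example; zeek_cut reimplements the part of zeek-cut that maps #fields names to columns so it works where Zeek is not installed, and epoch_to_human assumes GNU date, as used in the video.

```shell
#!/usr/bin/env bash
# Added example, not from the video: zeek-grep and a zeek-cut-style column
# extractor, the per-IP connection count, the port-touched/open filters and
# the epoch conversion, run over a constructed conn.log fragment.
set -eu

# Constructed Zeek conn.log fragment (RFC 5737 test addresses, made-up uids).
# printf builds real tab separators so the sample survives copy/paste.
conn_log() {
  printf '#separator \\x09\n#path\tconn\n'
  printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state\n'
  printf '#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\n'
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    1700000000.123456 CAbc1 203.0.113.10 51234 192.0.2.5 22  tcp S0  \
    1700000000.234567 CAbc2 203.0.113.10 51235 192.0.2.5 80  tcp SF  \
    1700000000.345678 CAbc3 203.0.113.10 51236 192.0.2.5 443 tcp REJ \
    1700000001.000000 CAbc4 198.51.100.7 40000 192.0.2.5 80  tcp SF  \
    1700000002.000000 CAbc5 203.0.113.10 51237 192.0.2.5 21  tcp SF
  printf '#close\t2023-11-14-22-13-25\n'
}

# The video's alias as a function: keep the '#' header lines so zeek-cut can
# still resolve field names after the log has been filtered.
zeek_grep() { grep -e '^#' -e "$1"; }

# zeek_cut FIELD...: read a Zeek TSV log on stdin, resolve the requested names
# through the #fields header and print those columns tab-separated.
zeek_cut() {
  awk -F '\t' -v want="$*" '
    BEGIN { n = split(want, names, " ") }
    # "#fields" occupies $1, so header position i is data column i-1.
    /^#fields/ { for (i = 2; i <= NF; i++) idx[$i] = i - 1; next }
    /^#/ { next }
    {
      line = ""
      for (i = 1; i <= n; i++) {
        if (!(names[i] in idx)) { print "zeek_cut: unknown field " names[i] > "/dev/stderr"; exit 1 }
        c = idx[names[i]]
        line = line (i > 1 ? "\t" : "") $c
      }
      print line
    }'
}

# Connections per originating host, busiest first: a port scanner stands out.
conns_per_orig() { zeek_cut id.orig_h | sort | uniq -c | sort -rn; }

# Every destination port a given originator touched, as a sorted comma list.
ports_touched_by() {
  zeek_cut id.orig_h id.resp_p \
    | awk -F '\t' -v ip="$1" '$1 == ip { print $2 }' \
    | sort -n | uniq | paste -sd, -
}

# Ports that answered with something: conn_state S0 (no reply) and REJ
# (rejected) are dropped, everything else is worth a look.
likely_open_ports() {
  zeek_cut id.orig_h id.resp_p conn_state \
    | awk -F '\t' -v ip="$1" '$1 == ip && $3 != "S0" && $3 != "REJ" { print $2 }' \
    | sort -n | uniq | paste -sd, -
}

# Zeek ts is epoch seconds with a fraction; strip the fraction and let GNU
# date (assumed, as in the video) read it after '@'.
epoch_to_human() { date -u -d "@${1%.*}" '+%Y-%m-%d %H:%M:%S UTC'; }

# Earliest packet from an originator, converted to human-readable time.
first_seen() {
  local ts
  ts=$(zeek_cut id.orig_h ts | awk -F '\t' -v ip="$1" '$1 == ip { print $2 }' | sort -n | head -n 1)
  epoch_to_human "$ts"
}

# The three config changes from the video as a local.zeek: log FTP passwords
# in clear, also log the PASS command so failed logins appear, and write
# every transferred file to ./extract_files/.
local_zeek_config() {
  cat <<'EOF'
redef FTP::default_capture_password = T;
redef FTP::logged_commands += { "PASS" };
@load policy/frameworks/files/extract-all-files
redef FileExtract::prefix = "./extract_files/";
EOF
}

# Demo run over the constructed log.
conn_log | conns_per_orig
conn_log | zeek_grep 203.0.113.10 | zeek_cut ts id.resp_p conn_state
echo "touched on 192.0.2.5: $(conn_log | ports_touched_by 203.0.113.10)"
echo "likely open on 192.0.2.5: $(conn_log | likely_open_ports 203.0.113.10)"
if date -u -d @0 >/dev/null 2>&1; then
  echo "first seen from 203.0.113.10: $(conn_log | first_seen 203.0.113.10)"
fi
```

Write the output of local_zeek_config to local.zeek next to the capture and run `zeek -C -r capture.pcap local.zeek` (`-C` ignores checksum errors, which are common in captures); ftp.log then shows PASS commands with the cleartext password and extract_files/ holds whatever came down over HTTP and FTP. The conn_state filter is a heuristic for a first pass over recon traffic, not an Nmap verdict: S0 and REJ are the clear misses, and anything else means the target answered.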
Comments
Author

amazing stuff.
would have taken me more than a day to find all the info you found from just a pcap.
+1 for more blue team vids

exec_mayank
Author

Amazing content, keep up the great work!

eaf
Author

Zeek is one of my favorite tools. I use it together with Brim to visualize the data.

danielpeccini
Author

Great video! I'm really enjoying the HTB Sherlocks series

treybaxter
Author

Great video and a nice Mistborn sweater!

AP-rvkk
Author

Are the HTB Sherlocks going to be user-generated like the machines? I'd like to see the data from Sherlocks in a SIEM so that it feels close to home. I'd probably have a mental breakdown if I were forced to raw dog PCAP with zeek cli everyday.

dadamnmayne
Author

really enjoying sherlocks. thanks ippsec :)

Hckr-eixj
Author

amazing video Ippsec, do you plan to release more of those Sherlocks challenges?

jaylal
Author

Great Video! Which Text Editor do you use for the notes?

TobiNr
Author

Not sure if it comes up often but there is a way to format timestamps returned from date in the case of the one at 1:22:52 the following could be used:

zoes
Author

the 'analy' part got me laughing not gonna lie haha

samuel-ffsl
Author

I couldn't unzip the file. Is the password to unzip the file still hackthebox?

Fbarrett
Author

Wait, you have a face?! I swear you were a disembodied voice until half an hour ago...

semitangent
Author

When you were doing the zeek-grep alias, I think you could have done it more easily just by manipulating the syntax some other way, like: cat ssh.log | zeek-cut id.orig_h client | grep "45.43.62.46" ... the output is the same :)

LyOnCr
Author

hey @ippsec, what are your thoughts about the exegol repo?

ChesapeakeMonstro