We covered examples of analysing cybersecurity incidents such as anomalous DNS, phishing attacks and the Log4j vulnerability using Zeek IDS. We used Zeek in offline packet analysis mode (reading pcap files), although it can equally be used in live capture mode. The examples used in the video are part of the TryHackMe Zeek Exercises room, which is part of the SOC Level 1 track.

Highlights

Zeek is a passive, open-source network traffic analyser. Many operators use Zeek as a network security monitor (NSM) to support suspicious or malicious activity investigations. Zeek also supports a wide range of traffic analysis tasks beyond the security domain, including performance measurement and troubleshooting.

To capture and analyse live network traffic, rather than reading a pcap offline, run Zeek as a service.
Running Zeek as a service is done through the “ZeekControl” module, which requires superuser permissions. Elevate the session to the superuser account (you will also need it to examine the generated log files) with the following command: sudo su

Room Answers

Investigate the dns-tunneling.pcap file. Investigate the dns.log file. What is the number of DNS records linked to the IPv6 address?

320

Investigate the conn.log file. What is the longest connection duration?

9.420791

There is a massive number of DNS queries sent to the same domain. This is abnormal. Let’s find out which hosts are involved in this activity. Investigate the conn.log file. What is the IP address of the source host?

10.20.57.3
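The three dns-tunneling questions above are answered by hand in the room with zeek-cut, sort and uniq. As an added example that is not part of the room or the original post, the following Python script parses Zeek's TSV log format and computes the same three things over a constructed dns.log and conn.log (the sample rows are made up and are not the room's real pcap output): the number of records of query type AAAA (IPv6 address records), the longest connection duration, and which source host is sending a suspicious volume of queries to one domain. The base_domain helper is an assumption of mine (it keeps the last two labels and uses no public-suffix list), which is coarse but sufficient to group tunnelling subdomains under their parent domain.

```python
"""Parse Zeek TSV logs and answer DNS-tunnelling triage questions programmatically."""
from collections import Counter


def parse_zeek_log(text):
    """Parse a Zeek ASCII (TSV) log into a list of dicts keyed by the #fields header.

    Header lines (#separator, #types, #path, #close, ...) are skipped; only #fields and
    #unset_field are used. Unset values ("-" by default) become None.
    """
    fields = None
    unset = "-"
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            elif line.startswith("#unset_field\t"):
                unset = line.split("\t", 1)[1]
            continue
        if fields is None:
            raise ValueError("data row encountered before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        records.append({k: (None if v == unset else v) for k, v in zip(fields, values)})
    return records


def _row(*cols):
    return "\t".join(cols)


# Constructed sample dns.log (not the room's real pcap output): one host hammers
# tunnel.example with encoded-looking labels; another host does ordinary lookups.
DNS_LOG = "\n".join([
    "#separator \\x09",
    "#unset_field\t-",
    "#path\tdns",
    _row("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "query", "qtype_name"),
    _row("1.0", "C1", "10.20.57.3", "51234", "10.20.57.1", "53", "udp", "aGVsbG8.tunnel.example", "TXT"),
    _row("1.1", "C2", "10.20.57.3", "51235", "10.20.57.1", "53", "udp", "d29ybGQ.tunnel.example", "TXT"),
    _row("1.2", "C3", "10.20.57.3", "51236", "10.20.57.1", "53", "udp", "Zm9v.tunnel.example", "AAAA"),
    _row("1.3", "C4", "10.20.57.3", "51237", "10.20.57.1", "53", "udp", "YmFy.tunnel.example", "TXT"),
    _row("2.0", "C5", "10.20.57.9", "51300", "10.20.57.1", "53", "udp", "www.example.org", "AAAA"),
    _row("2.1", "C6", "10.20.57.9", "51301", "10.20.57.1", "53", "udp", "www.example.org", "A"),
    _row("2.2", "C7", "10.20.57.9", "51302", "10.20.57.1", "53", "udp", "-", "-"),
])

# Constructed sample conn.log (not the room's real pcap output); one duration is unset.
CONN_LOG = "\n".join([
    "#separator \\x09",
    "#unset_field\t-",
    "#path\tconn",
    _row("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "duration"),
    _row("1.0", "C1", "10.20.57.3", "51234", "10.20.57.1", "53", "udp", "0.251"),
    _row("1.5", "C8", "10.20.57.9", "44000", "93.184.216.34", "443", "tcp", "12.5"),
    _row("1.7", "C9", "10.20.57.9", "44001", "93.184.216.34", "443", "tcp", "-"),
    _row("1.8", "C10", "10.20.57.3", "51240", "10.20.57.1", "53", "udp", "3.75"),
])


def count_records_by_qtype(dns_records, qtype_name="AAAA"):
    """Number of dns.log records of the given query type (AAAA = IPv6 address record)."""
    return sum(1 for r in dns_records if r.get("qtype_name") == qtype_name)


def longest_connection(conn_records):
    """Return (duration, uid) of the longest conn.log entry; unset durations are ignored."""
    best = None
    for r in conn_records:
        if r.get("duration") is None:
            continue
        duration = float(r["duration"])
        if best is None or duration > best[0]:
            best = (duration, r["uid"])
    return best


def base_domain(query):
    """Last two labels of a name. Assumption: no public-suffix list is consulted, so
    names under co.uk-style suffixes group coarsely; fine for spotting tunnelling."""
    labels = query.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else query


def dns_query_volume(dns_records):
    """Count queries per (source host, base domain), busiest pair first."""
    counter = Counter(
        (r["id.orig_h"], base_domain(r["query"]))
        for r in dns_records
        if r.get("query") is not None
    )
    return counter.most_common()


if __name__ == "__main__":
    dns = parse_zeek_log(DNS_LOG)
    conn = parse_zeek_log(CONN_LOG)
    print("AAAA records:", count_records_by_qtype(dns))
    print("Longest connection (duration, uid):", longest_connection(conn))
    for (host, domain), n in dns_query_volume(dns):
        print(f"{host} -> {domain}: {n} queries")
```

Against real Zeek output, replace the two constructed strings with the contents of dns.log and conn.log; the parser reads the column names from the #fields header, so extra columns in the real logs are picked up automatically.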

Investigate the logs. What is the suspicious source address? Enter your answer in defanged format.

10[.]6[.]27[.]102

Investigate the http.log file. Which domain address were the malicious files downloaded from? Enter your answer in defanged format.

smart-fax[.]com

Investigate the malicious document in VirusTotal. What kind of file is associated with the malicious document?

VBA

Investigate the extracted malicious .exe file. What is the given file name in VirusTotal?

PleaseWaitWindow.exe

Investigate the malicious .exe file in VirusTotal. What is the contacted domain name? Enter your answer in defanged format.

hopto[.]org

Investigate the http.log file. What is the request name of the downloaded malicious .exe file?

knr.exe

Investigate the log4shell.pcapng file with detection-log4j.zeek script. Investigate the signature.log file. What is the number of signature hits?

3

Investigate the http.log file. Which tool is used for scanning?

nmap

Investigate the http.log file. What is the extension of the exploit file?

.class

Investigate the log4j.log file. Decode the base64 commands. What is the name of the created file?

pwned

Video Walkthrough

About the Author

I create cybersecurity notes, digital marketing notes and online courses. I also provide digital marketing consulting including but not limited to SEO, Google & Meta ads and CRM administration.
