We covered examples of analyzing cybersecurity incidents such as Anomalous DNS, phishing attacks and the Log4j vulnerability using Zeek IDS. We used Zeek IDS in offline packet analysis mode while it can still be used in a live captured mode. The examples used in the video are part of TryHackMe Zeek Exercises room which is part of the SOC Level 1 Track.
The Complete Practical Web Application Penetration Testing Course
Introduction to Zeke and Its Modes
The presenter introduced the Zeke Exercises room, suggesting that it’s beneficial to have completed the original Zeke rooms on TryHackMe first. He highlighted that the video would cover tasks related to anomalous DNS, phishing, and Log4j vulnerabilities.
I learned that Zeke can be used in two modes:
- Live Capture: For real-time traffic analysis.
- Offline pcap Analysis: For analyzing saved packet capture files, which was the focus of this video.
A key takeaway is that when Zeke analyzes a pcap file, it generates various log files based on the network traffic, providing a detailed record of network events.
Task 1: Anomalous DNS
The goal of this task was to inspect a pcap file and confirm a true positive alert related to DNS.
- To begin, I used the command to analyze the DNS tunneling pcap file:
zek -C -r <pcap_file_name> - Investigating DNS Log (IPv6 Records): To find the number of DNS records linked to IPv6 addresses, I used:
cat dns.log | zq cut qtype_name | sort | uniq -cI looked for “AAAA” records (quad-A records are specifically for IPv6). - Investigating Connection Log (Longest Duration): To find the longest connection duration, I ran:
cat conn.log | zq cut duration | sort -r | head -n 1 - Investigating DNS Log (Unique Queries): To find the number of unique domain queries, I used a more complex command involving cutting specific fields and then sorting and counting unique entries. I had to manually inspect the output to get the correct count.
cat dns.log | zq cut query | cut -d . -f 2,3 | sort | uniq -c(initially) (Later adjusted to)cat dns.log | zq cut query | cut -d . -f 1,2 | sort | uniq -c - Finding the Source Host: To find the IP address of the source host involved in the abnormal DNS activity, I used:
cat conn.log | zq cut id.orig_h | sort | uniq -c
Task 2: Phishing Scenario
This task involved analyzing a pcap file and using Zeke scripts to extract artifacts. Zeke scripts are used to extract files and Indicators of Compromise (IOCs) like MD5 hashes.
- Finding the Suspicious Source Address: I reused the command:
cat conn.log | zq cut id.orig_h | sort | uniq -cThe source IP found was then converted to a “defanged” format for safer sharing. - Finding the Malicious Download Domain: To identify the domain from which malicious files were downloaded, I used:
cat http.log | zq cut url hostI identified “smartfacts.com” as the suspicious domain. - Analyzing Malicious Files with VirusTotal: A Zeke script (
hash_demo.zeek) was used to extract file hashes:zek -C <pcap_file_name> hash_demo.zeekThen, I inspected the generatedfiles.logusing:cat files.log | zq cut md5 sha1 filename mime_typeI then took the MD5 hash of the malicious document and searched it on VirusTotal. By looking at the “Relations” tab, the file type was identified as VBA (Visual Basic for Applications). The MD5 hash of the malicious executable was also searched on VirusTotal, and its file name was identified from the details page. The “Behavior” tab on VirusTotal for the executable showed contacted domain names. - Finding the Requested Executable Name: This was identified earlier when inspecting the
http.log– the file was named “k&r.exe”.
Task 3: Log4j Scenario
This final task involved analyzing a pcap file with a Zeke script specifically designed to detect Log4j vulnerabilities.
- I used the command:
zek -C <pcap_file_name> detection-log4j.zeek - Investigating Signature Log: I examined the
signatures.logfile. To determine the number of signature hits, I counted unique UIDs:cat signatures.log | zq cut uid | sort | uniq -c - Investigating HTTP Log (Scanning Tool & Exploit Extension): To identify the scanning tool, I analyzed the
http.log, focusing on theuser_agentfield:cat http.log | zq cut user_agent | sort | uniqThe tool was identified as Nmap. To find the extension of the exploit file, I examined theurlfield inhttp.log:cat http.log | zq cut url | sort | uniqThe extension was “.class”. - Investigating Log4j Log (Base64 Decoding): The
log4j.logfile contained Base64 encoded commands. I used:cat log4j.log | zq cut value matched_valueThen, I decoded the Base64 strings using:echo "<base64_string>" | base64 -dOne of the decoded commands revealed the creation of a file named “pwned”.
Room Answers
Investigate the dns-tunneling.pcap file. Investigate the dns.log file. What is the number of DNS records linked to the IPv6 address?
320
Investigate the conn.log file. What is the longest connection duration?
9.420791
There are a massive amount of DNS queries sent to the same domain. This is abnormal. Let’s find out which hosts are involved in this activity. Investigate the conn.log file. What is the IP address of the source host?
10.20.57.3
Investigate the logs. What is the suspicious source address? Enter your answer in defanged format.
10[.]6[.]27[.]102
Investigate the http.log file. Which domain address were the malicious files downloaded from? Enter your answer in defanged format.
smart-fax[.]com
Investigate the malicious document in VirusTotal. What kind of file is associated with the malicious document?
VBA
Investigate the extracted malicious .exe file. What is the given file name in Virustotal?
PleaseWaitWindow.exe
Investigate the malicious .exe file in VirusTotal. What is the contacted domain name? Enter your answer in defanged format.
hopto[.]org
Investigate the http.log file. What is the request name of the downloaded malicious .exe file?
knr.exe
Investigate the log4shell.pcapng file with detection-log4j.zeek script. Investigate the signature.log file. What is the number of signature hits?
3
Investigate the http.log file. Which tool is used for scanning?
nmap
Investigate the http.log file. What is the extension of the exploit file?
.class
Investigate the log4j.log file. Decode the base64 commands. What is the name of the created file?
pwned
Video Walkthrough
