We covered examples of analyzing cybersecurity incidents such as anomalous DNS, phishing attacks and the Log4j vulnerability using Zeek IDS. We used Zeek in offline packet-analysis mode, although it can also run in live-capture mode. The examples used in the video are part of the TryHackMe Zeek Exercises room, which is part of the SOC Level 1 track.


Introduction to Zeek and Its Modes

The presenter introduced the Zeek Exercises room, suggesting that it is beneficial to have completed the original Zeek rooms on TryHackMe first. He highlighted that the video would cover tasks related to anomalous DNS, phishing, and Log4j vulnerabilities.

I learned that Zeek can be used in two modes:

  • Live Capture: For real-time traffic analysis.
  • Offline pcap Analysis: For analyzing saved packet capture files, which was the focus of this video.

A key takeaway is that when Zeek analyzes a pcap file, it generates a set of log files (conn.log, dns.log, http.log, files.log and so on) based on the network traffic, providing a detailed record of network events.

Task 1: Anomalous DNS

The goal of this task was to inspect a pcap file and confirm a true positive alert related to DNS.

  • To begin, I used the following command to analyze the DNS tunneling pcap file (-C ignores invalid checksums, -r reads a saved capture): zeek -C -r <pcap_file_name>
  • Investigating DNS Log (IPv6 Records): To find the number of DNS records linked to IPv6 addresses, I used: cat dns.log | zeek-cut qtype_name | sort | uniq -c and then looked for “AAAA” records (quad-A records are the IPv6 address record type).
  • Investigating Connection Log (Longest Duration): To find the longest connection duration, I ran: cat conn.log | zeek-cut duration | sort -rn | head -n 1 (the -n flag sorts numerically, since a plain text sort would rank 9.4 above 12.5).
  • Investigating DNS Log (Unique Queries): To find the number of unique domain queries, I used a longer command that cuts specific domain labels and then sorts and counts unique entries. I had to manually inspect the output to get the correct count. Initially: cat dns.log | zeek-cut query | cut -d . -f 2,3 | sort | uniq -c and later adjusted to: cat dns.log | zeek-cut query | cut -d . -f 1,2 | sort | uniq -c
  • Finding the Source Host: To find the IP address of the source host involved in the abnormal DNS activity, I used: cat conn.log | zeek-cut id.orig_h | sort | uniq -c
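The Task 1 pipelines above depend on zeek-cut, which selects columns by the names in a Zeek log's #fields header. The script below is an added example (not code from the TryHackMe room or the Zeek project): it implements a small awk stand-in for zeek-cut and runs the four Task 1 queries against constructed dns.log and conn.log contents, so the pipelines can be tried offline. The log lines, hosts and domains are invented; the unique-domain count uses the last two labels of each query rather than fixed positions, which handles queries with differing numbers of subdomain labels.

```shell
#!/bin/sh
# Added example, not the room's or Zeek's own code. Works in POSIX sh with
# standard awk/sort/uniq; no zeek-cut install required.

# Constructed dns.log in Zeek's TSV layout (written with spaces for readability,
# converted to the tabs Zeek actually emits). The '#fields' line names each
# column and is what zeek-cut (and zeek_cut below) uses to pick columns by name.
dns_log() {
  tr ' ' '\t' <<'EOF'
#fields ts uid id.orig_h id.resp_h query qtype_name
1.0 C1 10.20.57.3 10.20.57.1 a1b2.tunnel-example.test A
2.0 C2 10.20.57.3 10.20.57.1 c3d4.tunnel-example.test AAAA
3.0 C3 10.20.57.3 10.20.57.1 e5f6.tunnel-example.test AAAA
4.0 C4 10.20.57.9 10.20.57.1 www.benign-example.test A
#close 2024-01-01-00-00-00
EOF
}

# Constructed conn.log. Zeek writes '-' when a field is unset (here: duration).
conn_log() {
  tr ' ' '\t' <<'EOF'
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto duration
1.0 C1 10.20.57.3 51000 10.20.57.1 53 udp 0.5
2.0 C2 10.20.57.3 51001 10.20.57.1 53 udp 12.5
3.0 C3 10.20.57.3 51002 10.20.57.1 53 udp 3.25
4.0 C4 10.20.57.9 51003 10.20.57.1 53 udp -
#close 2024-01-01-00-00-00
EOF
}

# zeek_cut FIELD... : read a Zeek TSV log on stdin and print the named columns,
# tab-separated, in the requested order. Header/footer lines starting with '#'
# are consumed, not printed. This mirrors zeek-cut's behaviour for this purpose.
zeek_cut() {
  awk -F '\t' -v want="$*" '
    BEGIN { n = split(want, names, " ") }
    /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
    /^#/ { next }
    {
      out = ""
      for (i = 1; i <= n; i++) out = out (i > 1 ? "\t" : "") $col[names[i]]
      print out
    }'
}

# Number of AAAA (IPv6 address) records in dns.log.
count_aaaa() {
  dns_log | zeek_cut qtype_name | awk '$0 == "AAAA" { n++ } END { print n + 0 }'
}

# Longest connection: sort numerically (-n); a plain sort -r would rank 3.25
# above 12.5 because it compares characters, not values. '-' sorts as 0.
longest_duration() {
  conn_log | zeek_cut duration | sort -rn | head -n 1
}

# Count distinct second-level domains queried, using the last two labels.
unique_domains() {
  dns_log | zeek_cut query \
    | awk -F. 'NF >= 2 { print $(NF - 1) "." $NF }' \
    | sort -u | awk 'END { print NR }'
}

# Originator address with the most connections in conn.log.
top_source_host() {
  conn_log | zeek_cut id.orig_h | sort | uniq -c | sort -rn \
    | head -n 1 | awk '{ print $2 }'
}

echo "AAAA records:            $(count_aaaa)"
echo "longest duration:        $(longest_duration)"
echo "unique 2nd-level domains: $(unique_domains)"
echo "busiest source host:     $(top_source_host)"
```

Run it with sh on a machine with standard coreutils; to apply the same functions to real Zeek output, replace dns_log and conn_log with cat dns.log and cat conn.log.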

Task 2: Phishing Scenario

This task involved analyzing a pcap file and using Zeek scripts to extract artifacts. Zeek scripts are used to extract files and Indicators of Compromise (IOCs) such as MD5 hashes.

  • Finding the Suspicious Source Address: I reused the command: cat conn.log | zeek-cut id.orig_h | sort | uniq -c The source IP found was then converted to a “defanged” format for safer sharing.
  • Finding the Malicious Download Domain: To identify the domain from which malicious files were downloaded, I used: cat http.log | zeek-cut uri host I identified “smart-fax.com” as the suspicious domain.
  • Analyzing Malicious Files with VirusTotal: A Zeek script (hash_demo.zeek) was used to extract file hashes: zeek -C -r <pcap_file_name> hash_demo.zeek Then I inspected the generated files.log using: cat files.log | zeek-cut md5 sha1 filename mime_type I then took the MD5 hash of the malicious document and searched for it on VirusTotal. By looking at the “Relations” tab, the file type was identified as VBA (Visual Basic for Applications). The MD5 hash of the malicious executable was also searched on VirusTotal, and its file name was identified from the details page. The “Behavior” tab on VirusTotal for the executable showed the contacted domain names.
  • Finding the Requested Executable Name: This was identified earlier when inspecting the http.log; the file was named “knr.exe”.

Task 3: Log4j Scenario

This final task involved analyzing a pcap file with a Zeek script specifically designed to detect Log4j exploitation attempts.

  • I used the command: zeek -C -r <pcap_file_name> detection-log4j.zeek
  • Investigating Signature Log: I examined the signatures.log file. To determine the number of signature hits, I counted unique UIDs: cat signatures.log | zeek-cut uid | sort | uniq -c
  • Investigating HTTP Log (Scanning Tool & Exploit Extension): To identify the scanning tool, I analyzed the http.log, focusing on the user_agent field: cat http.log | zeek-cut user_agent | sort | uniq The tool was identified as Nmap. To find the extension of the exploit file, I examined the uri field in http.log: cat http.log | zeek-cut uri | sort | uniq The extension was “.class”.
  • Investigating Log4j Log (Base64 Decoding): The log4j.log file contained Base64-encoded commands. I used: cat log4j.log | zeek-cut value matched_value Then I decoded the Base64 strings using: echo "<base64_string>" | base64 -d One of the decoded commands revealed the creation of a file named “pwned”.
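Decoding the strings one at a time with echo and base64 -d works for a handful of hits, but on a larger log4j.log it helps to pull every Base64-looking token out of the value field automatically and keep only the ones that decode to readable text. The script below is an added example (not code from the room or from detection-log4j.zeek): the log values are constructed, the two encoded commands decode to harmless test strings, and nothing decoded is ever executed. It also shows the edge case that Zeek UIDs look like Base64 but decode to binary garbage, so a printable-text check is needed to avoid false hits. It assumes GNU base64 (base64 -d).

```shell
#!/bin/sh
# Added example, not the room's or Zeek's own code. Assumes GNU coreutils
# base64 (-d for decode) and POSIX sh/grep/awk.

# Constructed 'value' column contents as zeek-cut might print them from
# log4j.log. The encoded strings are invented test data, not from the pcap.
log4j_values() {
  printf '%s\n' \
    'cmd=dG91Y2ggL3RtcC9wd25lZA== uid=CHhAvVGS1DHFjwGM' \
    'cmd=d2hvYW1p' \
    'no encoded content on this line'
}

# decode_printable TOKEN: decode a single Base64 token and print the result
# only if it is printable text. Invalid Base64 and binary output are dropped.
decode_printable() {
  dec=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
  [ -n "$dec" ] || return 1
  # LC_ALL=C so the character class is evaluated byte-wise, not per locale.
  if printf '%s' "$dec" | LC_ALL=C grep -q '[^[:print:][:space:]]'; then
    return 1
  fi
  printf '%s\n' "$dec"
}

# decode_b64_tokens: for each Base64-looking token (8+ alphabet chars, optional
# '=' padding) on stdin, print "<token> <decoded text>" when it decodes cleanly.
decode_b64_tokens() {
  grep -oE '[A-Za-z0-9+/]{8,}={0,2}' | while read -r tok; do
    dec=$(decode_printable "$tok") || continue
    printf '%s %s\n' "$tok" "$dec"
  done
}

# decoded_commands: just the decoded text, one per line, for review.
decoded_commands() {
  log4j_values | decode_b64_tokens | awk '{ $1 = ""; sub(/^ /, ""); print }'
}

echo "decoded Base64 payloads (not executed):"
decoded_commands
```

With real logs, feed the script cat log4j.log | zeek-cut value instead of log4j_values. The UID token on the first constructed line decodes to bytes such as 0x08 and is discarded by the printable check, which is the behaviour you want when the same grep runs over a log full of Zeek identifiers.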

Room Answers

Investigate the dns-tunneling.pcap file. Investigate the dns.log file. What is the number of DNS records linked to the IPv6 address?

320

Investigate the conn.log file. What is the longest connection duration?

9.420791

There are a massive amount of DNS queries sent to the same domain. This is abnormal. Let’s find out which hosts are involved in this activity. Investigate the conn.log file. What is the IP address of the source host?

10.20.57.3

Investigate the logs. What is the suspicious source address? Enter your answer in defanged format.

10[.]6[.]27[.]102

Investigate the http.log file. Which domain address were the malicious files downloaded from? Enter your answer in defanged format.

smart-fax[.]com

Investigate the malicious document in VirusTotal. What kind of file is associated with the malicious document?

VBA

Investigate the extracted malicious .exe file. What is the given file name in Virustotal?

PleaseWaitWindow.exe

Investigate the malicious .exe file in VirusTotal. What is the contacted domain name? Enter your answer in defanged format.

hopto[.]org

Investigate the http.log file. What is the request name of the downloaded malicious .exe file?

knr.exe

Investigate the log4shell.pcapng file with detection-log4j.zeek script. Investigate the signature.log file. What is the number of signature hits?

3

Investigate the http.log file. Which tool is used for scanning?

nmap

Investigate the http.log file. What is the extension of the exploit file?

.class

Investigate the log4j.log file. Decode the base64 commands. What is the name of the created file?

pwned


About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
