Refer to Zeek Exercises for the challenge room on TryHackMe
Case #1 - Anomalous DNS
Scenario
An alert triggered: "Anomalous DNS Activity". Inspect the PCAP and retrieve the artefacts to confirm this alert is a true positive.
Task
During this exercise, we will use the Zeek command with the -Cr option to analyze the packet capture file.
zeek -Cr dns-tunneling.pcap
Investigate the dns-tunneling.pcap file. Investigate the dns.log file. What is the number of DNS records linked to the IPv6 address?
After reviewing the dns.log, we should focus on the qtype_name field for further investigation.
MX (Mail Exchange): Directs email to the mail servers responsible for receiving emails for a domain.
CNAME (Canonical Name): Maps an alias domain name to a canonical (true) domain name.
TXT (Text): Holds arbitrary text data, often used for domain verification and security purposes.
AAAA (IPv6): Provides the IPv6 address associated with a domain name.
A (IPv4): Provides the IPv4 address associated with a domain name.


Use the command grep 'AAAA' on the dns.log to find out how many queries are for AAAA (IPv6) records. A plain grep matches the string anywhere in the line, so confirm that the hits come from the qtype_name field and not from a query name that happens to contain "AAAA".

Investigate the conn.log file. What is the longest connection duration?
After reviewing the conn.log, we should focus on the duration field for further investigation.


Investigate the dns.log file. Filter all unique DNS queries. What is the number of unique domain queries?
After reviewing the dns.log, we should focus on the query field for further investigation.

rev: Reverses each domain name, e.g. cisco-update.com becomes moc.etadpu-ocsic.
cut -d '.' -f 1-2: Splits the reversed name on dots (.) and keeps the first two fields (e.g. moc.etadpu-ocsic), i.e. the reversed top-level and second-level labels.
2nd rev: Reverses these parts back to their original order. This gives you the last two segments of the original domain name (e.g. cisco-update.com).
sort: Sorts the result alphabetically.
uniq: Removes duplicates from the list (it only collapses adjacent lines, which is why sort must come first).

There is a massive amount of DNS queries sent to the same domain. This is abnormal. Let's find out which hosts are involved in this activity. Investigate the conn.log file. What is the IP address of the source host?
After reviewing the dns.log, we should focus on the id.orig_h field (the originating host; the same field exists in conn.log) for further investigation.

uniq -c: Counts the number of occurrences of each unique line, so the busiest source host floats to the top once the counts are sorted.
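The four Case #1 checks above, as an added example that is not part of the TryHackMe room or of Zeek itself. It writes small constructed dns.log and conn.log files in Zeek's tab-separated layout (a subset of the real columns, with made-up values), and because zeek-cut is assumed to be unavailable, the zcut() function reimplements its name-based column lookup in awk; the rest is the grep/sort/uniq pipeline from the walkthrough.

```shell
#!/bin/sh
# Added example (not from the TryHackMe room or Zeek): Case #1 checks against
# constructed dns.log / conn.log fragments. zeek-cut is assumed absent, so zcut()
# below does the same name-based column selection with awk.

zcut() {
  # Usage: zcut field [field ...] < some.log  -> prints the named columns, tab-separated.
  awk -F'\t' -v want="$*" '
    BEGIN { n = split(want, w, " ") }
    /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }   # header -> column map
    /^#/       { next }                                               # other Zeek metadata
    { line = ""
      for (i = 1; i <= n; i++) line = line (i > 1 ? "\t" : "") $(col[w[i]])
      print line }'
}

make_sample_logs() {
  # Constructed sample data (subset of Zeek's real columns) written into directory $1.
  {
    printf '#path\tdns\n'
    printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tquery\tqtype_name\n'
    printf '1690000001.1\tCa1\t10.0.0.5\t51001\t10.0.0.2\t53\ta1.cisco-update.com\tAAAA\n'
    printf '1690000001.2\tCa2\t10.0.0.5\t51002\t10.0.0.2\t53\ta2.cisco-update.com\tAAAA\n'
    printf '1690000001.3\tCa3\t10.0.0.5\t51003\t10.0.0.2\t53\ta3.cisco-update.com\tA\n'
    printf '1690000001.4\tCa4\t10.0.0.5\t51004\t10.0.0.2\t53\ta4.cisco-update.com\tAAAA\n'
    printf '1690000001.5\tCa5\t10.0.0.5\t51005\t10.0.0.2\t53\ta5.cisco-update.com\tTXT\n'
    printf '1690000001.6\tCa6\t10.0.0.9\t51006\t10.0.0.2\t53\twww.example.com\tA\n'
    printf '1690000001.7\tCa7\t10.0.0.5\t51007\t10.0.0.2\t53\ta6.cisco-update.com\tA\n'
  } > "$1/dns.log"
  {
    printf '#path\tconn\n'
    printf '#fields\tts\tuid\tid.orig_h\tid.resp_h\tproto\tduration\n'
    printf '1690000001.1\tCa1\t10.0.0.5\t10.0.0.2\tudp\t0.012\n'
    printf '1690000001.6\tCa6\t10.0.0.9\t10.0.0.2\tudp\t0.7\n'
    printf '1690000002.0\tCb1\t10.0.0.5\t10.0.0.2\tudp\t3.5\n'
    printf '1690000002.5\tCb2\t10.0.0.5\t10.0.0.2\tudp\t-\n'
  } > "$1/conn.log"
}

SAMPLE_DIR=$(mktemp -d)
make_sample_logs "$SAMPLE_DIR"
DNS_LOG=$SAMPLE_DIR/dns.log
CONN_LOG=$SAMPLE_DIR/conn.log

count_aaaa() {
  # Q1: count AAAA queries. Matching the qtype_name column alone avoids false hits
  # from "AAAA" appearing elsewhere in the line (e.g. inside a query name).
  zcut qtype_name < "$DNS_LOG" | grep -c '^AAAA$'
}

longest_duration() {
  # Q2: longest connection. Zeek writes "-" for an unset duration, so drop those first.
  zcut duration < "$CONN_LOG" | grep -v '^-$' | sort -rn | head -n 1
}

unique_domains() {
  # Q3: reduce each query to its last two labels, exactly what
  # rev | cut -d '.' -f 1-2 | rev does, then keep the unique list.
  zcut query < "$DNS_LOG" | awk -F'.' 'NF >= 2 { print $(NF-1) "." $NF }' | sort -u
}

unique_domain_count() { unique_domains | awk 'END { print NR }'; }

top_source() {
  # Q4: the host sending the most queries (sort | uniq -c | sort -rn, top entry).
  zcut id.orig_h < "$DNS_LOG" | sort | uniq -c | sort -rn | head -n 1 | awk '{ print $2 }'
}

echo "AAAA queries:        $(count_aaaa)"
echo "Longest duration:    $(longest_duration)"
echo "Unique domains:      $(unique_domain_count)"
echo "Busiest source host: $(top_source)"
```

Point DNS_LOG and CONN_LOG at real Zeek output to reuse the functions; with a real zeek-cut installed, `zcut` can simply be replaced by it, since both select columns by the names in the #fields header rather than by position.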

Case #2 - Phishing
Scenario
An alert triggered: "Phishing Attempt". Inspect the PCAP and retrieve the artefacts to confirm this alert is a true positive.
Task
During this exercise, we will use the Zeek command with the -Cr option to analyze the packet capture file.
zeek -Cr phishing.pcap
Investigate the logs. What is the suspicious source address?
By examining the conn.log, we can identify which IP addresses appear most frequently in the sender (id.orig_h) field.
Note: The more frequently an IP address appears as the sender, the more likely it is to be associated with spam or phishing activity.


Investigate the http.log file. Which domain address were the malicious files downloaded from?
By analyzing the http.log, we can determine which files are downloaded and from which domain.
application/x-dosexec is the MIME type Zeek assigns to Windows (DOS/PE) executables; a download with this type is a common way malware is distributed.


Investigate the malicious document in VirusTotal. What kind of file is associated with the malicious document?
Using the hash-demo.zeek script, we can obtain the MD5 hash values of the transferred files, which we then upload to VirusTotal for analysis.
zeek -Cr phishing.pcap hash-demo.zeek
By reviewing the files.log, we can identify any malicious files and their corresponding hash values.


Upload its hash value to VirusTotal.

Unfortunately, the information containing the malicious file's file type had been removed from VirusTotal by the time I worked on this lab in August 2024. No related information can be found online either.
Investigate the extracted malicious .exe file. What is the given file name in Virustotal?
The answer is provided by the previous screenshot.
Investigate the malicious .exe file in VirusTotal. What is the contacted domain name? Enter your answer in defanged format.
The malicious activity can be found under the "Behavior" tab.
To identify the contacted domain, we will go to the "DNS Resolutions" section.
In a fully qualified domain name (FQDN) like dunlop.hopo.org:
- "hopo.org" is the main domain name.
- "dunlop" is a subdomain of hopo.org.

Investigate the http.log file. What is the request name of the downloaded malicious .exe file?
By examining the http.log, we can find the names of downloaded malicious files in the URI field.
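The Case #2 log checks, as an added example that is not part of the TryHackMe room or of Zeek: which host served an executable (http.log, resp_mime_types), the MD5 that hash-demo.zeek adds to files.log for that executable, the request name from the URI, and defanging an indicator before it goes into a report. The http.log and files.log fragments are constructed (subset of the real columns, documentation IP ranges, placeholder hashes), and only awk, sed, sort and cut are assumed.

```shell
#!/bin/sh
# Added example (not from the TryHackMe room or Zeek): Case #2 checks against
# constructed http.log / files.log fragments. Hosts, URIs and MD5 values are
# made-up placeholders, not indicators from the lab.

make_sample_logs() {
  {
    printf '#fields\tts\tuid\tid.orig_h\tid.resp_h\thost\turi\tresp_mime_types\n'
    printf '1690000010.0\tCh1\t192.0.2.25\t203.0.113.10\tdownloads.example\t/setup-constructed.exe\tapplication/x-dosexec\n'
    printf '1690000011.0\tCh2\t192.0.2.25\t203.0.113.10\tdownloads.example\t/Invoice.doc\tapplication/msword\n'
    printf '1690000012.0\tCh3\t192.0.2.25\t203.0.113.20\tcdn.example\t/logo.png\timage/png\n'
  } > "$1/http.log"
  {
    printf '#fields\tts\tfuid\ttx_hosts\trx_hosts\tconn_uids\tmime_type\tmd5\n'
    printf '1690000010.0\tFa1\t203.0.113.10\t192.0.2.25\tCh1\tapplication/x-dosexec\t00000000000000000000000000000001\n'
    printf '1690000011.0\tFa2\t203.0.113.10\t192.0.2.25\tCh2\tapplication/msword\t00000000000000000000000000000002\n'
    printf '1690000012.0\tFa3\t203.0.113.20\t192.0.2.25\tCh3\timage/png\t00000000000000000000000000000003\n'
  } > "$1/files.log"
}

SAMPLE_DIR=$(mktemp -d)
make_sample_logs "$SAMPLE_DIR"
HTTP_LOG=$SAMPLE_DIR/http.log
FILES_LOG=$SAMPLE_DIR/files.log

exe_downloads() {
  # Q2: rows whose response MIME type is application/x-dosexec -> "host<TAB>uri".
  # Columns are looked up by name from the #fields header, as zeek-cut does.
  awk -F'\t' '
    /^#fields/ { for (i = 2; i <= NF; i++) c[$i] = i - 1; next }
    /^#/ { next }
    $(c["resp_mime_types"]) ~ /application\/x-dosexec/ { print $(c["host"]) "\t" $(c["uri"]) }' "$HTTP_LOG"
}

exe_hashes() {
  # Q3: the MD5 recorded for each executable (the value hash-demo.zeek adds) plus the
  # host that sent it, ready to be looked up on VirusTotal.
  awk -F'\t' '
    /^#fields/ { for (i = 2; i <= NF; i++) c[$i] = i - 1; next }
    /^#/ { next }
    $(c["mime_type"]) == "application/x-dosexec" { print $(c["md5"]) "\t" $(c["tx_hosts"]) }' "$FILES_LOG"
}

exe_request_name() {
  # Q6: the request name is the last path component of the URI.
  exe_downloads | awk -F'\t' '{ n = split($2, p, "/"); print p[n] }'
}

defang() {
  # Q5: write an indicator so it cannot be clicked or resolved by accident ("." -> "[.]").
  printf '%s\n' "$1" | sed 's/\./[.]/g'
}

echo "Executable downloads (host, uri):"; exe_downloads
echo "Executable hashes (md5, tx_host):"; exe_hashes
echo "Request name: $(exe_request_name)"
echo "Defanged example domain: $(defang dunlop.hopo.org)"
```

When a files.log entry has no md5 column, hash-demo.zeek (or Zeek's own policy/frameworks/files/hash-all-files script) was not loaded for that run; the MD5 is only present when a hashing script is active at capture-processing time.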


Case #3 - Log4J
Scenario
An alert triggered: "Log4J Exploitation Attempt". Inspect the PCAP and retrieve the artefacts to confirm this alert is a true positive.
Task
During this exercise, we will use the Zeek command with the -Cr option to analyze the packet capture file using a specific script (detection-log4j.zeek).
zeek -Cr log4shell.pcapng detection-log4j.zeek
After retrieving the log files generated by the Zeek command, we will use zeek-cut to extract the information needed for the following questions. zeek-cut reads a Zeek log on standard input and prints only the fields named as its arguments (all fields if none are given):
cat file.log | zeek-cut
Investigate the log4shell.pcapng file with detection-log4j.zeek script. Investigate the signature.log file. What is the number of signature hits?
By counting the uid entries in signature.log, we can learn how many hits the script produced.

Investigate the http.log file. Which tool is used for scanning?
Among the list of user agents, Nmap is the tool used for network scanning.

Investigate the http.log file. What is the extension of the exploit file?
By examining the URI field and response MIME types, we can identify the names and types of downloaded files.
“application/x-java-applet” is a MIME type that indicates a file is a Java applet, a small program designed to run within a web browser.

Investigate the log4j.log file. Decode the base64 commands. What is the name of the created file?
By reviewing log4j.log, we can find the malicious commands in the URI field.


Based on the previous screenshot, we know the command is encoded in base64. By using the echo command and piping its output into base64 --decode, we can recover the original text:
echo 'base64 data' | base64 --decode
The decoded output indicates that the attacker used the touch utility to create a file in the /tmp directory. Next, it finds the location of the nc (netcat) executable and writes the path to the file /tmp/pwned. Finally, the attacker establishes a reverse shell connection to the IP address 192.168.56.102 on port 80, executing the /bin/sh shell and providing verbose output.
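The Case #3 steps, as an added example that is not part of the TryHackMe room or of the detection-log4j.zeek script: counting signature hits, listing the User-Agents seen in http.log, and pulling base64-looking tokens out of the log4j.log URI field and decoding each one. The signature.log, http.log and log4j.log fragments are constructed (subset of the real columns, made-up values); the embedded token decodes to a harmless touch command written for this example, standing in for the command the walkthrough describes.

```shell
#!/bin/sh
# Added example (not from the TryHackMe room or detection-log4j.zeek): Case #3
# checks against constructed log fragments. The base64 token below decodes to
# "touch /tmp/example-file", a harmless placeholder for the lab's real command.

make_sample_logs() {
  {
    printf '#fields\tts\tuid\tid.orig_h\tid.resp_h\tsig_id\n'
    printf '1690000020.0\tCs1\t192.0.2.30\t192.0.2.5\tconstructed-sig\n'
    printf '1690000020.5\tCs2\t192.0.2.30\t192.0.2.5\tconstructed-sig\n'
    printf '1690000021.0\tCs3\t192.0.2.30\t192.0.2.5\tconstructed-sig\n'
  } > "$1/signature.log"
  {
    printf '#fields\tts\tuid\tid.orig_h\tid.resp_h\turi\tuser_agent\n'
    printf '1690000019.0\tCh1\t192.0.2.30\t192.0.2.5\t/\tMozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)\n'
    printf '1690000019.2\tCh2\t192.0.2.30\t192.0.2.5\t/robots.txt\tMozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)\n'
    printf '1690000021.0\tCh3\t192.0.2.30\t192.0.2.5\t/probe?data=dG91Y2ggL3RtcC9leGFtcGxlLWZpbGU=\tcurl/8.0\n'
  } > "$1/http.log"
  {
    printf '#fields\tts\tuid\tid.orig_h\tid.resp_h\turi\n'
    printf '1690000021.0\tCh3\t192.0.2.30\t192.0.2.5\t/probe?data=dG91Y2ggL3RtcC9leGFtcGxlLWZpbGU=\n'
  } > "$1/log4j.log"
}

SAMPLE_DIR=$(mktemp -d)
make_sample_logs "$SAMPLE_DIR"
SIG_LOG=$SAMPLE_DIR/signature.log
HTTP_LOG=$SAMPLE_DIR/http.log
LOG4J_LOG=$SAMPLE_DIR/log4j.log

signature_hits() {
  # Q1: every non-metadata row in signature.log is one hit (one uid each).
  awk '!/^#/ { n++ } END { print n + 0 }' "$SIG_LOG"
}

user_agents() {
  # Q2: distinct User-Agent strings with counts; a scanner's own UA stands out.
  awk -F'\t' '
    /^#fields/ { for (i = 2; i <= NF; i++) c[$i] = i - 1; next }
    /^#/ { next }
    { print $(c["user_agent"]) }' "$HTTP_LOG" | sort | uniq -c | sort -rn
}

decode_b64_tokens() {
  # Q4: pull out base64-looking runs (16+ alphabet chars, optional "=" padding) from
  # stdin and decode each, as echo '<data>' | base64 --decode does in the walkthrough.
  # "/" is part of the base64 alphabet, so a token glued to a path would be matched
  # together with it; here "?data=" separates the two.
  grep -oE '[A-Za-z0-9+/]{16,}={0,2}' | while IFS= read -r tok; do
    printf '%s' "$tok" | base64 -d 2>/dev/null && echo   # -d: GNU/BusyBox spelling of --decode
  done
}

decoded_commands() {
  # Feed only the uri column of log4j.log into the decoder.
  awk -F'\t' '
    /^#fields/ { for (i = 2; i <= NF; i++) c[$i] = i - 1; next }
    /^#/ { next }
    { print $(c["uri"]) }' "$LOG4J_LOG" | decode_b64_tokens
}

echo "Signature hits: $(signature_hits)"
echo "User-Agents seen:"; user_agents
echo "Decoded commands from log4j.log:"; decoded_commands
```

Decoding recovers what the attacker sent; it does not execute it. Read the decoded text as evidence (which file was created, which host and port it points at) rather than running it.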
