Brad Duncan has another great writeup over on the SANS Internet Storm Center today! Let's download Brad's pcap and then analyze it using so-import-pcap!
sudo so-import-pcap ~/Downloads/2019-06-17-password-protected-Word-doc-causes-Dridex-infection.pcap
As soon as so-import-pcap completes, we can log into Squert and Kibana to review NIDS alerts and Bro logs. The first two screenshots are from Squert and are thus NIDS alerts only. We then pivot to Kibana where we see not only NIDS alerts but also Bro logs.
[Screenshot: Squert Views Tab (NIDS Alerts)]

[Screenshot: Squert Summary Tab (NIDS Alerts)]

[Screenshot: Kibana Overview Dashboard showing NIDS Alerts and Bro logs]

[Screenshot: Bro Notices Dashboard showing Invalid SSL certificates]

[Screenshot: SSL Dashboard showing details of those SSL certs]

If we filter the Connections Dashboard for dst port 443 and NOT ssl, we find some interesting connections.

[Screenshot: Connections Dashboard filtered for dst port 443 and NOT ssl]

Here is the detail for those interesting connections.

[Screenshot: Connection detail for the filtered connections]

And if we pivot to full packet capture, we can see the full TCP stream for one of those connections.

[Screenshot: Full TCP stream from full packet capture]