Tuesday, June 18, 2019

Analyzing 2019-06-17-password-protected-Word-doc-causes-Dridex-infection.pcap using so-import-pcap

Brad Duncan has another great writeup over on the SANS Internet Storm Center today!  Let's download Brad's pcap and then analyze it using so-import-pcap!

sudo so-import-pcap ~/Downloads/2019-06-17-password-protected-Word-doc-causes-Dridex-infection.pcap

As soon as so-import-pcap completes, we can log into Squert and Kibana to review NIDS alerts and Bro logs.  The first two screenshots are from Squert and are thus NIDS alerts only.  We then pivot to Kibana where we see not only NIDS alerts but also Bro logs.

Squert Views Tab (NIDS Alerts)

Squert Summary Tab (NIDS Alerts)

Kibana Overview Dashboard showing NIDS Alerts and Bro logs

Bro Notices Dashboard showing Invalid SSL certificates

SSL Dashboard showing details of those SSL certs

If we filter the Connections Dashboard for dst port 443 and NOT ssl, we find some interesting connections: sessions to the HTTPS port that Bro never identified as SSL/TLS.

Here is the detail for those interesting connections.

And if we pivot to full packet capture, we can see the full TCP stream for one of those connections.
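The same "dst port 443 and NOT ssl" pivot can be reproduced offline against Bro/Zeek conn.log and ssl.log output. The script below is an added example, not part of the original post or of Security Onion; the two JSON log snippets it contains are constructed for illustration and are not taken from the Dridex pcap.

```python
# Added example: find TCP/443 connections in conn.log that never produced an
# ssl.log entry, i.e. traffic on the HTTPS port that Bro/Zeek did not see as
# SSL/TLS. Records are matched on the Zeek connection uid shared by both logs.
import json

# Constructed conn.log records (JSON, one per line) for the demo only.
CONN_LOG = """\
{"uid":"C1","id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.10","id.resp_p":443,"proto":"tcp","service":"ssl","orig_bytes":1200,"resp_bytes":5400}
{"uid":"C2","id.orig_h":"10.0.0.5","id.resp_h":"198.51.100.7","id.resp_p":443,"proto":"tcp","service":"-","orig_bytes":300,"resp_bytes":90000}
{"uid":"C3","id.orig_h":"10.0.0.5","id.resp_h":"198.51.100.7","id.resp_p":443,"proto":"tcp","service":"-","orig_bytes":0,"resp_bytes":0}
{"uid":"C4","id.orig_h":"10.0.0.5","id.resp_h":"192.0.2.20","id.resp_p":80,"proto":"tcp","service":"http","orig_bytes":500,"resp_bytes":2000}
"""

# Constructed ssl.log records: only C1 completed a TLS handshake.
SSL_LOG = """\
{"uid":"C1","id.resp_h":"203.0.113.10","server_name":"example.com","validation_status":"ok"}
"""

def parse_log(text):
    """Parse newline-delimited JSON Zeek log records into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def port443_without_ssl(conn_text, ssl_text, min_bytes=1):
    """Return conn.log records to TCP/443 with no matching ssl.log record.

    A connection is excluded if Zeek tagged its service as ssl or if its uid
    appears in ssl.log. Connections that moved fewer than min_bytes in total
    (failed handshakes, SYN scans) are skipped so the result focuses on
    sessions that actually exchanged data, as the dashboard pivot does.
    """
    ssl_uids = {rec["uid"] for rec in parse_log(ssl_text)}
    hits = []
    for rec in parse_log(conn_text):
        if rec.get("proto") != "tcp" or rec.get("id.resp_p") != 443:
            continue
        if rec.get("service") == "ssl" or rec["uid"] in ssl_uids:
            continue
        if rec.get("orig_bytes", 0) + rec.get("resp_bytes", 0) < min_bytes:
            continue
        hits.append(rec)
    return hits

if __name__ == "__main__":
    for rec in port443_without_ssl(CONN_LOG, SSL_LOG):
        print(rec["uid"], rec["id.orig_h"], "->", rec["id.resp_h"],
              "orig_bytes=%d resp_bytes=%d" % (rec["orig_bytes"], rec["resp_bytes"]))
```

On a real sensor, point the two string constants at the contents of conn.log and ssl.log written in JSON format, then take the returned uids into full packet capture to inspect the stream.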
