Tuesday, June 18, 2019

Analyzing 2019-06-17-password-protected-Word-doc-causes-Dridex-infection.pcap using so-import-pcap

Brad Duncan has another great writeup over on the SANS Internet Storm Center today!  Let's download Brad's pcap and then analyze it using so-import-pcap!

sudo so-import-pcap ~/Downloads/2019-06-17-password-protected-Word-doc-causes-Dridex-infection.pcap

As soon as so-import-pcap completes, we can log into Squert and Kibana to review NIDS alerts and Bro logs.  The first two screenshots are from Squert and are thus NIDS alerts only.  We then pivot to Kibana where we see not only NIDS alerts but also Bro logs.

Squert Views Tab (NIDS Alerts)

Squert Summary Tab (NIDS Alerts)

Kibana Overview Dashboard showing NIDS Alerts and Bro logs

Bro Notices Dashboard showing Invalid SSL certificates

SSL Dashboard showing details of those SSL certs

If we filter the Connections Dashboard for dst port 443 and NOT ssl, we find some interesting connections

Here is the detail for those interesting connections

And if we pivot to full packet capture, we can see the full TCP stream for one of those connections

No comments:

Search This Blog

Featured Post

Security Onion 2.4.111 now available!

In October, we released version 2.4.110: https://blog.securityonion.net/2024/10/security-onion-24110-hurricane-helene.html Last week, Surica...

Popular Posts

Blog Archive