Security Onion Blog

Monday, June 17, 2019

Analyzing 2019-06-17-Rig-EK-sends-AZORult-and-follow-up-malware.pcap using so-import-pcap

Brad Duncan has a great writeup over on the SANS Internet Storm Center today.  Let's download Brad's pcap and then analyze it using so-import-pcap!

sudo so-import-pcap ~/Downloads/2019-06-17-Rig-EK-sends-AZORult-and-follow-up-malware.pcap

 As soon as so-import-pcap completes, we can log into Squert and Kibana to review NIDS alerts and Bro logs.  The first three screenshots are from Squert and are thus NIDS alerts only.  We then pivot to Kibana where we see not only NIDS alerts but also Bro logs.
Squert Views Tab (NIDS Alerts)

Squert Summary Tab (NIDS Alerts)

Squert NIDS Alerts

Kibana Overview Dashboard

Kibana NIDS Dashboard

Kibana Notices Dashboard

Kibana HTTP Dashboard

Pivot to full packet capture to see the full EXE
at
Labels: , , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Search This Blog

Featured Post

New Security Onion Online Training Class - Detection Engineering with Security Onion!

We've just added an exciting new course to our online Security Onion 2.4 training catalog! It's called "Detection Engineering w...

Popular Posts

Blog Archive