Security Onion Blog

Monday, June 17, 2019

Analyzing 2019-06-17-Rig-EK-sends-AZORult-and-follow-up-malware.pcap using so-import-pcap

Brad Duncan has a great writeup over on the SANS Internet Storm Center today.  Let's download Brad's pcap and then analyze it using so-import-pcap!

sudo so-import-pcap ~/Downloads/2019-06-17-Rig-EK-sends-AZORult-and-follow-up-malware.pcap

 As soon as so-import-pcap completes, we can log into Squert and Kibana to review NIDS alerts and Bro logs.  The first three screenshots are from Squert and are thus NIDS alerts only.  We then pivot to Kibana where we see not only NIDS alerts but also Bro logs.
Squert Views Tab (NIDS Alerts)

Squert Summary Tab (NIDS Alerts)

Squert NIDS Alerts

Kibana Overview Dashboard

Kibana NIDS Dashboard

Kibana Notices Dashboard

Kibana HTTP Dashboard

Pivot to full packet capture to see the full EXE
at
Labels: , , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Search This Blog

Featured Post

Registration Now Open for Augusta Cyber Week 2024!

Registration is now open for Augusta Cyber Week in beautiful Augusta GA from September 30, 2024 through October 5, 2024! This includes: 4-da...

Popular Posts

Blog Archive