Monday, June 17, 2019

Analyzing 2019-06-17-Rig-EK-sends-AZORult-and-follow-up-malware.pcap using so-import-pcap

Brad Duncan has a great writeup over on the SANS Internet Storm Center today.  Let's download Brad's pcap and then analyze it using so-import-pcap!

sudo so-import-pcap ~/Downloads/2019-06-17-Rig-EK-sends-AZORult-and-follow-up-malware.pcap

As soon as so-import-pcap completes, we can log into Squert and Kibana to review NIDS alerts and Bro logs.  The first three screenshots are from Squert and are thus NIDS alerts only.  We then pivot to Kibana where we see not only NIDS alerts but also Bro logs.

Squert Views Tab (NIDS Alerts)

Squert Summary Tab (NIDS Alerts)

Squert NIDS Alerts

Kibana Overview Dashboard

Kibana NIDS Dashboard

Kibana Notices Dashboard

Kibana HTTP Dashboard

Pivot to full packet capture to see the full EXE
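The same pivot done outside Kibana, as an added example that is not part of the original post or of the Security Onion project: parse a Bro/Zeek http.log excerpt by its `#fields` header, flag the response that carried an executable MIME type, and return the uid and connection tuple an analyst would use to pull the matching full packet capture. The field names are the standard Zeek http.log fields; the log lines, hosts and uids are constructed for illustration.

```python
from typing import Dict, List

# Constructed Bro/Zeek http.log excerpt (tab-separated, standard header lines,
# columns trimmed to those used here). Hosts, times and uids are made up.
SAMPLE_HTTP_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p"
    "\tmethod\thost\turi\tstatus_code\tresp_fuids\tresp_mime_types",
    "1560776400.123456\tCxmp1e1\t10.0.0.5\t49152\t203.0.113.10\t80"
    "\tGET\tlanding.example\t/index.php\t200\tFa1b2c\ttext/html",
    "1560776401.234567\tCxmp1e2\t10.0.0.5\t49153\t203.0.113.10\t80"
    "\tGET\tlanding.example\t/?s=payload\t200\tFd4e5f\tapplication/x-dosexec",
    "1560776402.345678\tCxmp1e3\t10.0.0.5\t49154\t198.51.100.7\t80"
    "\tPOST\tc2.example\t/gate.php\t200\t-\t-",
])

# MIME types Zeek's file analysis reports for Windows/ELF executables.
EXECUTABLE_MIME_TYPES = {"application/x-dosexec", "application/x-executable"}


def parse_zeek_log(text: str) -> List[Dict[str, str]]:
    """Parse a Zeek TSV log into dicts keyed by the #fields header; '-' means unset."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other header/footer lines
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def find_executable_downloads(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return rows whose response carried an executable; resp_mime_types is a
    comma-separated Zeek set, so every member is checked."""
    hits = []
    for rec in records:
        mimes = rec.get("resp_mime_types", "-")
        if mimes != "-" and EXECUTABLE_MIME_TYPES & set(mimes.split(",")):
            hits.append(rec)
    return hits


def pivot_keys(rec: Dict[str, str]) -> Dict[str, str]:
    """The values needed to locate the flow in full packet capture."""
    return {k: rec[k] for k in ("ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p")}
```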
