Monday, June 17, 2019

Analyzing 2019-06-17-Rig-EK-sends-AZORult-and-follow-up-malware.pcap using so-import-pcap

Brad Duncan has a great writeup over on the SANS Internet Storm Center today.  Let's download Brad's pcap and then analyze it using so-import-pcap!

sudo so-import-pcap ~/Downloads/2019-06-17-Rig-EK-sends-AZORult-and-follow-up-malware.pcap

As soon as so-import-pcap completes, we can log into Squert and Kibana to review the NIDS alerts and Bro logs it generated. Note that so-import-pcap preserves the original timestamps from the pcap, so the Squert and Kibana time ranges need to cover the date the traffic was captured (here, 2019-06-17) rather than the import time. The first three screenshots are from Squert and therefore show NIDS alerts only. We then pivot to Kibana, which shows the Bro logs alongside the NIDS alerts.

Squert Views Tab (NIDS Alerts)

Squert Summary Tab (NIDS Alerts)

Squert NIDS Alerts

Kibana Overview Dashboard

Kibana NIDS Dashboard

Kibana Notices Dashboard

Kibana HTTP Dashboard

Pivot to full packet capture to see the full EXE
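The pivot above is driven by a Bro http.log entry: the HTTP dashboard shows the request that delivered the executable, and its connection uid is what you carry into full packet capture. As an added example (not code from the original post or from Security Onion), the script below parses Bro/Zeek http.log TSV lines and flags executable downloads, either by Bro's content-sniffed MIME type (libmagic labels PE files as application/x-dosexec regardless of the Content-Type header) or by an .exe URI, and reports the uid, ts and file id to pivot on. The log excerpt is constructed with RFC 5737 test addresses and example.net hostnames; it is not data from Brad's pcap.

```python
"""Find executable downloads in a Bro/Zeek http.log (TSV) and list the uids to pivot on."""

# Constructed sample http.log. A real log carries many more fields per record;
# the parser keys on the #fields header, so any subset of columns works.
SAMPLE_HTTP_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi"
    "\tresponse_body_len\tstatus_code\tresp_fuids\tresp_mime_types\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring"
    "\tcount\tcount\tvector[string]\tvector[string]\n"
    "1560790000.123456\tC1aBcD\t192.0.2.10\t49152\t198.51.100.5\t80\tGET\texample.net"
    "\t/index.html\t1024\t200\tFa1\ttext/html\n"
    "1560790001.500000\tC2eFgH\t192.0.2.10\t49153\t198.51.100.5\t80\tGET\texample.net"
    "\t/img/logo.png\t4096\t200\tFb2\timage/png\n"
    # PE served under a harmless-looking name: caught by the sniffed MIME type.
    "1560790003.250000\tC3iJkL\t192.0.2.10\t49154\t198.51.100.77\t80\tGET\t198.51.100.77"
    "\t/dl/update.dat\t245760\t200\tFc3\tapplication/x-dosexec\n"
    # Response body never seen (MIME unset '-'): caught by the .exe URI instead.
    "1560790009.000000\tC4mNoP\t192.0.2.10\t49155\t198.51.100.88\t8080\tGET\texample.org"
    "\t/tools/setup.exe?id=7\t0\t-\t-\t-\n"
)

# MIME labels Bro/Zeek assigns to Windows PE content (hypothetical superset; x-dosexec is the usual one).
EXE_MIME_TYPES = {
    "application/x-dosexec",
    "application/x-msdownload",
    "application/vnd.microsoft.portable-executable",
}
UNSET = {"-", "(empty)"}  # Zeek's markers for unset / empty fields


def parse_zeek_tsv(text):
    """Parse Zeek TSV output into a list of dicts keyed by the #fields header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):  # #separator, #types, #open, #close, ...
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            raise ValueError("record before #fields header or field count mismatch: %r" % line)
        rows.append(dict(zip(fields, values)))
    return rows


def is_exe_download(row):
    """True if the response body was sniffed as a PE or the request URI names an .exe."""
    mimes = set(row.get("resp_mime_types", "-").split(",")) - UNSET
    path = row.get("uri", "").split("?", 1)[0].lower()
    return bool(mimes & EXE_MIME_TYPES) or path.endswith(".exe")


def find_exe_downloads(text):
    """Return the http.log records that delivered an executable, reduced to pivot keys."""
    hits = []
    for row in parse_zeek_tsv(text):
        if not is_exe_download(row):
            continue
        body_len = row.get("response_body_len", "-")
        hits.append({
            "ts": row["ts"],
            "uid": row["uid"],            # connection uid: the key for the full-pcap pivot
            "fuid": row.get("resp_fuids", "-"),  # file id: joins to files.log
            "client": row["id.orig_h"],
            "server": "%s:%s" % (row["id.resp_h"], row["id.resp_p"]),
            "host": row.get("host", "-"),
            "uri": row.get("uri", "-"),
            "bytes": int(body_len) if body_len not in UNSET else 0,
        })
    return hits


if __name__ == "__main__":
    for hit in find_exe_downloads(SAMPLE_HTTP_LOG):
        print("%(ts)s uid=%(uid)s fuid=%(fuid)s %(client)s -> %(server)s "
              "http://%(host)s%(uri)s (%(bytes)d bytes)" % hit)
```

Run it against a real log with `find_exe_downloads(open("/nsm/bro/logs/current/http.log").read())`, or paste the records from Kibana's HTTP dashboard. Each uid it prints is the value to search for in Kibana to reach the full packet capture for that connection, and the fuid joins to files.log, where Bro records the hash of the extracted file.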
