Tuesday, August 31, 2021

Quick Malware Analysis: malware-traffic-analysis.net TA551-Shathak-Bazarloader pcap from 2021-08-30

Thanks to Brad Duncan for sharing this pcap!
https://www.malware-traffic-analysis.net/2021/08/30/index.html

We did a quick analysis of this pcap on the latest version of Security Onion via so-import-pcap:
https://docs.securityonion.net/en/2.3/so-import-pcap.html

Here are some of the interesting Suricata alerts, Zeek logs, and session transcripts:

Security Onion 2.3.70 WAZUH Hotfix Now Available!

We recently released Security Onion 2.3.70 and a couple of hotfixes:
https://blog.securityonion.net/2021/08/security-onion-2370-now-available.html
https://blog.securityonion.net/2021/08/security-onion-2370-curator-hotfix-now.html
https://blog.securityonion.net/2021/08/security-onion-2370-grafana-hotfix-now.html

Today, we are releasing a WAZUH hotfix:
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-wazuh

After we released Security Onion 2.3.70, a change in the upstream Wazuh repo caused our installer to attempt to update Wazuh, which resulted in an error. We've added logic to prevent this from happening.

If you haven't updated recently, then you should review the blog posts linked above so that you are aware of all recent changes.

Internet-Connected Deployments

If your Security Onion deployment has Internet access, simply run "sudo soup" as described here:

https://docs.securityonion.net/en/2.3/soup.html

Airgap Deployments

If you have an airgap deployment, download the new ISO image from the usual location:

https://securityonion.net/download

Then follow the steps here:

https://docs.securityonion.net/en/2.3/airgap.html#security-onion-version-updates

Questions or Problems

If you have questions or problems, please see our community support forum guidelines:

https://docs.securityonion.net/en/2.3/community-support.html

You can then find the community support forum at:

https://securityonion.net/discuss

Monday, August 30, 2021

Quick Malware Analysis: malware-traffic-analysis.net BazaCall-BazaLoader pcap from 2021-04-16

Thanks to Brad Duncan for sharing this pcap!
https://www.malware-traffic-analysis.net/2021/04/16/index2.html

We did a quick analysis of this pcap on the latest version of Security Onion via so-import-pcap:
https://docs.securityonion.net/en/2.3/so-import-pcap.html

Here are some of the interesting Suricata alerts, Zeek logs, and session transcripts:

Saturday, August 28, 2021

Quick Malware Analysis: malware-traffic-analysis.net pcap from 2021-08-19

Thanks to Brad Duncan for sharing this pcap!
https://www.malware-traffic-analysis.net/2021/08/19/index.html

We did a quick analysis of this pcap on the latest version of Security Onion via so-import-pcap:
https://docs.securityonion.net/en/2.3/so-import-pcap.html

Want to follow along? All you need is a minimal virtual machine with 4GB RAM and you can follow the screenshots here:


Thursday, August 26, 2021

Quick Malware Analysis: malware-traffic-analysis.net ICEDID/BOKBOT pcap from 2021-04-23

Thanks to Brad Duncan for sharing this pcap!
https://www.malware-traffic-analysis.net/2021/04/23/index.html

We did a quick analysis of this pcap on the latest version of Security Onion via so-import-pcap:
https://docs.securityonion.net/en/2.3/so-import-pcap.html

Some of the interesting Suricata alerts, Zeek logs, and session transcripts can be seen below. Want to follow along? All you need is a minimal virtual machine with 4GB RAM and you can follow the screenshots here:
https://docs.securityonion.net/en/2.3/first-time-users.html

Wednesday, August 25, 2021

Quick Malware Analysis: malware-traffic-analysis.net TA551/SHATHAK + URSNIF/GOZI/ISFB pcap from 2021-04-28

Thanks to Brad Duncan for sharing this pcap!
https://www.malware-traffic-analysis.net/2021/04/28/index.html

We did a quick analysis of this pcap on the latest version of Security Onion via so-import-pcap:
https://docs.securityonion.net/en/2.3/so-import-pcap.html

Here are some of the interesting Suricata alerts, Zeek logs, and session transcripts:

Tuesday, August 24, 2021

Quick Malware Analysis: malware-traffic-analysis.net TA551/SHATHAK + ICEDID/BOKBOT pcap from 2021-04-29

Thanks to Brad Duncan for sharing this pcap!
https://www.malware-traffic-analysis.net/2021/04/29/index.html

We did a quick analysis of this pcap on the latest version of Security Onion via so-import-pcap:
https://docs.securityonion.net/en/2.3/so-import-pcap.html

Here are some of the interesting Suricata alerts, Zeek logs, and session transcripts:

Security Onion 2.3.70 GRAFANA Hotfix Now Available!

We recently released Security Onion 2.3.70:
https://blog.securityonion.net/2021/08/security-onion-2370-now-available.html

Yesterday, we released a CURATOR hotfix:
https://blog.securityonion.net/2021/08/security-onion-2370-curator-hotfix-now.html

Today, we are releasing a GRAFANA hotfix:
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-grafana-dash-allow

This GRAFANA hotfix is only required if you are running a standalone Fleet server.

If you haven't updated recently, then you should review the blog posts linked above so that you are aware of all recent changes.

Internet-Connected Deployments

If your Security Onion deployment has Internet access, simply run "sudo soup" as described here:
https://docs.securityonion.net/en/2.3/soup.html

Airgap Deployments

If you have an airgap deployment, download the new ISO image from the usual location:

https://securityonion.net/download

Then follow the steps here:

https://docs.securityonion.net/en/2.3/airgap.html#security-onion-version-updates

Questions or Problems

If you have questions or problems, please see our community support forum guidelines:

https://docs.securityonion.net/en/2.3/community-support.html

You can then find the community support forum at:

https://securityonion.net/discuss

Monday, August 23, 2021

Quick Malware Analysis: malware-traffic-analysis.net Hancitor pcap from 2021-05-13

Thanks to Brad Duncan for sharing this pcap!
https://www.malware-traffic-analysis.net/2021/05/13/index.html

We did a quick analysis of this pcap on the latest version of Security Onion via so-import-pcap:
https://docs.securityonion.net/en/2.3/so-import-pcap.html

Here are some of the interesting Suricata alerts, Zeek logs, and session transcripts:

Security Onion 2.3.70 CURATOR Hotfix Now Available!

We recently released Security Onion 2.3.70:
https://blog.securityonion.net/2021/08/security-onion-2370-now-available.html

Today, we are releasing a hotfix for Security Onion 2.3.70 with an additional fix:
https://docs.securityonion.net/en/2.3/release-notes.html#hotfix-curator

This hotfix is required if you are running Elastic in true cluster mode; it prevents a possible issue with running out of disk space.

If you haven't updated recently, then you should review the blog post linked above so that you are aware of all recent changes.

Internet-Connected Deployments

If your Security Onion deployment has Internet access, simply run "sudo soup" as described here:

https://docs.securityonion.net/en/2.3/soup.html

Airgap Deployments

If you have an airgap deployment, download the new ISO image from the usual location:

https://securityonion.net/download

Then follow the steps here:

https://docs.securityonion.net/en/2.3/airgap.html#security-onion-version-updates

Questions or Problems

If you have questions or problems, please see our community support forum guidelines:

https://docs.securityonion.net/en/2.3/community-support.html

You can then find the community support forum at:

https://securityonion.net/discuss

Pivoting from PCAP to CyberChef and Using Magic in Security Onion 2.3.70

In Security Onion 2.3.60, we added the ability to select a small section of text in the SOC PCAP interface and then send that selected text to CyberChef (for example, you might select a base64-encoded string and send it to CyberChef to decode it).

But we didn't stop there!

One of the great new features in Security Onion 2.3.70 is the ability to quickly and easily send the entire PCAP transcript to CyberChef, which allows you to do file extraction or other analysis.

For example, suppose you are looking at an interesting HTTP file download in our SOC PCAP interface and want to extract the file.

Click the CyberChef button on the right side of the table header.
CyberChef will launch in a new tab. It will then show the hexdump in the Input box, automatically apply the "From Hexdump" recipe, and show the HTTP transcript in the Output box.
You may want to apply an operation from the left column. One option is to use the "Extract Files" operation. If you choose this option, you may want to specify certain file types for extraction. In this case, let's instead remove the client HTTP headers using the "Strip HTTP headers" operation.
If a magic wand appears in the Output box, then CyberChef has detected some applicable operations and you can click the magic wand to automatically apply those operations. Here, CyberChef is automatically applying "Strip HTTP headers" again to remove the web server HTTP headers and then rendering the actual PNG image.
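As an added example (this is not code from the Security Onion project or the original post), the following Python reproduces the same recipe offline: it parses a hexdump transcript like CyberChef's "From Hexdump", strips the client and then the server HTTP headers like "Strip HTTP headers", trims the body to Content-Length, and checks the PNG signature that the magic wand keys on. It assumes the SOC hexdump uses the `hexdump -C` layout and works on a constructed sample stream.

```python
import re

# Constructed sample (not from the post): a client GET, then a server response carrying a minimal PNG.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
SAMPLE_PNG = PNG_MAGIC + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17  # signature plus an IHDR stub
SAMPLE_STREAM = (
    b"GET /logo.png HTTP/1.1\r\nHost: example.test\r\n\r\n"
    b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(SAMPLE_PNG)
    + SAMPLE_PNG
    + b"GET /next HTTP/1.1\r\n"  # bytes after the body, as seen on a reused connection
)

def to_hexdump(data: bytes) -> str:
    """Render bytes in `hexdump -C` layout (assumed to match the SOC PCAP hexdump)."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<47}  |{text}|")
    return "\n".join(lines)

# An offset, then one or more "hh" groups; the trailing |ascii| column is ignored.
HEX_LINE = re.compile(r"^\s*[0-9a-fA-F]+\s+((?:[0-9a-fA-F]{2}(?:\s+|$))+)")
def from_hexdump(dump: str) -> bytes:
    """Mirror CyberChef's "From Hexdump": keep the hex columns, drop offset and ASCII."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)

def strip_http_headers(data: bytes):
    """Mirror CyberChef's "Strip HTTP headers": split one header block off the front."""
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        return {}, data
    hdrs = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request/status line
        k, _, v = line.partition(b":")
        hdrs[k.strip().lower().decode("latin-1")] = v.strip().decode("latin-1")
    return hdrs, rest

def extract_png_from_transcript(dump: str):
    """Strip client headers, then server headers, trim to Content-Length, check the PNG magic."""
    _, after_request = strip_http_headers(from_hexdump(dump))
    resp_hdrs, body = strip_http_headers(after_request)
    if "content-length" in resp_hdrs:
        body = body[:int(resp_hdrs["content-length"])]
    return body if body.startswith(PNG_MAGIC) else None
```

Applying `strip_http_headers` twice is exactly what the magic wand does in the post: the first call removes the client request, the second the server response headers, leaving the raw file body.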
For more information, please see our PCAP and CyberChef documentation.

Of course, you can also extract files using Wireshark or NetworkMiner, but it's good to have options!