Analyzing PCAP with Zeek - HTB Sherlocks - KnockKnock

Published: 10 December 2023
Channel: IppSec
10,420 views
290 likes

00:00 - Going over the Scenario
01:30 - Talking about why I'm using Zeek and running it in a docker
05:20 - Showing a Corelight Zeek Cheat Sheet, which is tremendously helpful
08:00 - Showing Zeek-Cut on the x509 log, then looking at the SSL Log
11:50 - Looking for a single IP that sent multiple SSH Banners
13:20 - Creating an alias for zeek-grep (alias zeek-grep='grep -e "^#" -e'), which lets us filter logs while keeping the header lines
17:00 - Looking at the HTTP Log, discovering a wget downloading ransomware
21:10 - Looking at the FTP Log, and showing the passwords are hidden. Editing the Zeek Config to unmask the password
24:30 - Editing the FTP Logged commands to add PASS so we see failed logins too
34:10 - Using the DNS Log to see that our attacker was likely using Amazon EC2
36:15 - Looking at how many connections each IP made and discovering our attacker's port scan; using date -d @epoch to convert timestamps to human-readable time
42:30 - Editing our zeek config to also extract_files, then looking at the ransomware download
53:15 - Looking at the files downloaded over FTP
1:07:00 - Start answering the questions. Doing some Grep Fu to see all the open ports during initial recon
1:18:10 - Finding when the port knock happened

