Using Suricata and Zeek data within BRIM to analyze a suspected malware compromise to a device on the network with no initial information to go off. Discovering the compromised machine along with the attacker’s devices within data streams. Deep dive into packet analyses.
Legal Notice && Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only preform testing on systems you OWN and/or have expressed written permission. Use information at your own risk. By continuing, you acknowledge the aforementioned user risk/responsibilities.
BRIM
Open-source software to combine and analyze pcap data from both Suricata and Zeek/Bro captures. Data is structured in clear JSON-like structures for ease of use and search.
Download BRIM: https://www.brimdata.io/
Malware-Traffic-Analysis PCAP: https://www.malware-traffic-analysis.net/2015/02/08/index.html
Zeek in Action, Video 1, Suspected Malware Compromise Reference: youtube.com/watch?v=xpPEHtACrek
Investigate Suricata Alerts by Source and Destination
Note: No prior knowledge of the attacker or victim IP address
Notice the IP address beging used between src_ip - dest_ip
172.16. address space is within RFC 1918 Private Address spaces - reserved for NAT
Information Surmised:
- 172.16.137.40 - workstation in question
- Unknown Traffic Alert
- A Network Trojan Alert
- Generic Protocol Command Decode
- Device Retriveing External IP Address Detected
Possible Network Trojan
Pivot to Logs
- Right Click “Alerts” click pivot to logs to view Sircata Alerts
Sircata is reporting “ET JA3 Hash - Possible Malware - Dridex” under alerts
Possible Dridex Trojan
Unique DNS Queries
Using the queries to investigate the unique DNS queries:
These are all be derived from the Zeek logs/data. Nothing stands out as out of the norms.
HTTP Requests
Using the queries to investigate the unique HTTP Requests:
Request are orginiating from “172.16.17.40” device once again point to the workstation in question.
File Activity
Using the queries to investigate the unique File Activities:
No data to be displayed in the form of file activities.
HTTP Post Requests
Using the queries to investigate the unique HTTP Post Request:
No data to be displayed from HTTP Post Requests.
Windows Network Activity
Using the queries to investigate the unique Windows Network Activity:
No data to be displayed from Windows Network Activity.
Unique Network Connections
Using the queries to investigate the unique Unique Network Connections:
Summary of activity pulled from Zeek logs.
Activity occurring on port 3478, 12101, 12103, 20208
is unusual and warrants investigation
Open New Query
using right click “New Search with this value” to find information on port 3478
We could be seeing session traversal tools used with network access translation (NAT) from alerts from Zeek.
conn = community id = reference between Zeek and Surcata
Details of “conn”
Details:
Query Destination IP
Same two alerts from prior and a DNS request from stun.interntcalls.com
Investigate port 12101
Using the Back butons to return to ports and follow port 12101
Two Zeek connections logs which viewing the “details” presents opportunity to pivot to pcap.
Download PCAP Right Click to “Download Packets”
The only thing that is within the packet is x1 SYN
packet
History under details states = “S” just a SYN
packet
Port 12103
Again, just x1 SYN
packet which does not contain any information that can help investigation. The data being used by the attacker must be convulted within standard network traffic within HTTP, HTTPS or DNS.
HTTP Request
Investigating HTTP Request within the queries:
To return activty from HTTP Request data is not complete and returning to the “Activity Overview” and “HTTP” and “Pivot to Logs” under right click.
Clicking the “Packets” button at the top to retrieve the .PCAP and open in Wireshark.
After following the “TCP Stream” within wireshark cleartext shows after the “Checkip.dyndns.org” states the “Current IP Address: 212.38.170.7” to make note of.
Investigate Original Zeek Logs
Remove data in the field to return to original data and sort A-Z to view oldest to newest activity:
Investigate some “conn” logs by “Filter by Value” under right click:
This is a simple way of looking at the activity on the network capture to search across data for anomalies.
The events involving the 12101
ports begin at this point:
Piviot on the “CONN” id: 9n6GGiROkKsvIoT20N6VGbeiIK8=
Associated Surciata alert for JA3 Engine
Under “Details” we are provided with a “RU” for country code which Russian and KHM as the region. Yields a suspicious response which is outside the region of the user.
Notice alert on event shows a Self Signed Certificate to be noted:
Taking note of the Time of the event when actions began of “2015-02-08T18:32:17.212” and investigate original zeek logs for area:
Conclusion
Overview
- Mike-PC - 172.16.137.40
- Compromised at an earlier time and connected to network. Connections are being made to both Poland and Russia.
Scenario Questions You review the pcap and take notes. First, you document the following:
- Date and time of the activity:
2015-02-08T18:32:17.212
- IP address of Mike desktop computer:
172.16.137.40
- Host name of Mike’s desktop computer:
Mike-PC
- MAC address of Mike’s desktop computer:
08:00:2b:ef:ab:7c
Investigation Notes
-
Within these logs we can conclude that the device had gone to check it’s IP address then receiving SYN requests from a Russian address.
-
The initial Dridex compromise is not found within the logs.
-
TCP connects are outbound to Poland and Russian sites.
-
The TLS/SSL data on the stream is completely encrypted aside from the required cleartext from certificates.