Finding beacons: ZEEK + RITA
Once, the tools have been properly installed. Start analyzing packet captures. For demonstration purposes I will use (https://www.activecountermeasures.com/malware-of-the-day-zeus/)
How to
1. Check the pcap info
- capinfos zeus_1hr.pcap
2. Parse the pcap file using zeek
- sudo zeek –no-checksums –readfile zeus_1hr.pcap
- ls
Note: As a result we get a lot of log files separated by protocol
3. We can read these log files using less
- less -Sx20 files.log
4. We can use head to grab the column name, and filter the log document using zeek-cut, lets look at conn.log
- head conn.log | grep fields
- cat conn.log| zeek-cut id.orig_h id.orig_p id.resp_h id.resp_p duration
Note:
id.orig_h = Source IP
id.orig_p = Source port
id.resp_h = Destination IP
id.resp_p = Destination port
duration = session duration
Find long connections
1. Knowing how to filter columns we can proceed to sort them, in order to find long connections, sort by duration
- cat conn.log| zeek-cut id.orig_h id.orig_p id.resp_h id.resp_p duration | sort -k5rn
2. Now we can remove the “-“ connections and add the time of unique sessions using datamash (sort and datamash work with columns)
- cat conn.log| zeek-cut id.orig_h id.orig_p id.resp_h id.resp_p duration | sort | grep -v “-” | grep -v “^$” | datamash -g 1,3 sum 5 | sort -k3rn
3. We can also search for multiple unique sessions via http protocol
- cat http.log | zeek-cut id.orig_h id.resp_h | sort | uniq -c | sort -rn
4. We can now check the pcap file for requests going to the host that has highest
- sudo ngrep -qI zeus_1hr.pcap “GET /” host 67.207.93.135
Note: We can search for the values in there such as the URI or domain name of the server on the internet to see if there is any association with malware in our case it shows it is part of Zeus malware
5. We can enumerate ports and services
- cat conn.log| zeek-cut service | grep -v “-” | sort | uniq -c | sort -nr
6. We can also convert duration to time
- cat conn.log| zeek-cut -d ts
7. We can also filter by column using awk command
- cat conn.log| zeek-cut -d ts id.orig_h id.resp_h service | awk ‘{if($4 != “-” && $4 != “dns”) print $1,$2,$3,$4}’
8. We can check conn.log to filter connections by source and count of sessions
- cat conn.log| zeek-cut id.orig_h | sort | uniq -c | sort -rn
9. We can search for the top destinations
- cat conn.log| zeek-cut id.resp_h | sort | uniq -c | sort -rn
10. Also filter by destination ports
- cat conn.log| zeek-cut id.resp_p | sort | uniq -c | sort -rn
Note: Notice uncommon ports are visited more often than known ports such as 80, we can check for duration of the sessions and confirm the flow, in this example we noticed port 9200 has a persistent connection
- cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p duration | sort -k4rn | head -5
Extra: We can convert that time to seconds
- eval “echo $(date -ud “@$seconds” +’$((%s/3600/24)) days %H hours %M Minutes %S Seconds’)”
Finding beacons ZEEK + RITA (files)
1. After parsing the pcap, we get a file named files.log, reading it using less we can gather the headers
- sudo zeek –no-checksums –readfile zeus_1hr.pcap
- less -Sx20 file.log
2. We can search by filename and its respective hash
- cat files.log | zeek-cut -d ts filename sha1
3. Also, filter by file name to exclude “-“
- cat files.log | zeek-cut filename | grep -iEv “(-)”
4. search by host, destination, protocol, application and filename
- cat files.log | zeek-cut tx_hosts rx_hosts source mime_type filename
5. Filter the results, example, exclude “x509” and iv the column 6 is not equals to “-“
- cat files.log | zeek-cut -d ts tx_hosts rx_hosts source mime_type filename | grep -v ‘x509’ | awk ‘$6!=”-“‘
Finding beacons ZEEK + RITA (DNS)
1. After parsing the pcap, we get a file named dns.log, reading it using less we can gather the headers
- sudo zeek –no-checksums –readfile zeus_1hr.pcap
- less -Sx20 dns.log
2. We can filter all the columns
- cat dns.log| grep fields | awk ‘{ for (i = 1; i <= NF; i++) print $i }’
3. Convert the timestamps to human readable
- cat dns.log | zeek-cut -d ts
4. We can filter by source, destination IPs & DNS query
- cat dns.log | zeek-cut -d ts id.resp_h id.dest_h query
5. We can use grep to get rid of the domain local queries, or legit queries that we see, | is used as “or”
- cat dns.log | zeek-cut -d ts id.resp_h id.dest_h query | grep -iEv ‘(desktop-)’
- cat dns.log | zeek-cut -d ts id.resp_h id.dest_h query | grep -iEv ‘(desktop-|in-addr.arpa)’
Using RITA to import logs into database
1. Import the .log files
- sudo rita import . malware_db
2. Once, the data has been imported we can search by beacons
- sudo rita show-beacons malware_db –human-readable
3. This can be printed in html format
- sudo rita html-report malware_db
4. Search for an interesting IP and list the files where it appears
- grep -iRl 67.207.93.135
5. Search within a specific log
- grep -iR 67.207.93.135 conn.log
