Snort Intrusion Detection Rule Writing And Pcap Analysis Download
Reading Time: 28 minutes
Case 001 PCAP Analysis
Case 001 Brief and Materials.
Get the materials and follow along!
Have you built your DFIR Fort Kickass yet? How to build a DFIR Analyst Workstation is found here.
Make sure you understand the basic rundown of forensic artifacts.
This post assumes you have a DFIR Analyst Station set up to analyze the PCAPs from The Case of the Stolen Szechuan Sauce.
Learning Objectives
- Understand the advantages and goals of PCAP Analysis
- How to pivot into and away from PCAP Analysis (how to use findings for quicker analysis)
- Common tools to use
- How data reduction aids in investigations
Semi-Required Knowledge
- Networking basics
- Private Address Spaces vs Public
- TCP Handshake Basics
- Common Port Assignments
- Basic Linux Command Line Fu
- Bones Wireshark Skills (Brad'southward MTA Wireshark Tutorials)
- Bones Virtual Machine Operation
Common Tools
- Snort
- Tcpdump
- WireShark
- TShark
Tools Covered Here
- Snort
- Tcpdump
- Wireshark
Other Learning Resources on this Topic
- Book: "Mastering TShark Network Forensics: Moving From Zero to Hero"
- Book: "Practical Packet Analysis, 3E: Using Wireshark to Solve Real-World Network Problems"
- Book: "The TCP/IP Guide: A Comprehensive, Illustrated Internet Protocols Reference"
- SANS Course: "SEC503: Intrusion Detection In-Depth"
- SANS Course: "FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response"
- tcpdump man page
Music
- Robot Music
- Metal Forensics
Notes
- Keep solid notes on your thinking around evidence and information that you find
- This is for team mates to understand your thinking
- Understand your own thinking later… or after sleep.
- Notes should be accompanied by screenshots that tell a story
- Examples: Highlights, Boxes, Arrows, Text. The reader should quickly understand what they're looking at
- A great note keeping app that teams can use to coordinate is OneNote.
- Each host gets a tab etc.
- A neat piece of software to take screenshots is Greenshot
Applicable Pivots
- From Disk Analysis: Malicious IP Addresses, Malicious Filenames
- To Disk Analysis: Malicious IP Addresses, Malicious Filenames
- From Memory Analysis: Malicious IP Addresses, Malicious Filenames
- To Memory Analysis: Malicious IP Addresses, Malicious Filenames
- From Log Analysis: Malicious IP Addresses, Malicious Filenames
- To Log Analysis: Malicious IP Addresses, Malicious Filenames
- And so on…
PCAP Analysis with SIFT REMNUX
Overview
Packet Capture (PCAP) files are tremendous resources for investigations when they are available. For an idea of how sensors are placed to gather network traffic check out my article, "Building a SIEM at Home". An enterprise class installation is the same general idea but a very different discussion beyond the scope of this post. Many Intrusion Detection Systems and Firewalls offer the ability to download the PCAP of a flagged event. For instance, if the system suspects a particular exchange of packets is malicious shell code it will flag the event and save that exchange of packets (example investigation). These small slices of PCAP typically do not tell the complete story. The PCAP provided for this analysis is from the 'edge sensor' located on the victim network. It is small for portability, but big enough that only an insane person would begin digging through it starting at frame one. An analyst must learn to pivot through the data effectively. Using data reduction, indicators of interest, or Indicators of Compromise (IOC), analysts can pivot through large data sets quickly and effectively. Snort is a great example of a tool an analyst can use to pivot through network traffic efficiently. Keep in mind this is merely an intro, and Snort is being used here to quickly triage the PCAP data.
Installing Snort
Add Snort to your analysis VM with: sudo apt update && sudo apt install snort. Alternatively, you can run those two commands separately as shown.
Setting HOME_NET
Snort works off of signatures, or 'rules', to detect anomalies in network traffic. Many of these rules are written with the idea that the Snort Intrusion Detection System (IDS) will act as a permanent sensor in an environment. Snort runs more effectively when it has knowledge of the environment it is monitoring. The HOME_NET variable tells Snort what network it is defending. This variable is set in /etc/snort/snort.conf by default. The rules written for Snort reference this variable and alert accordingly.
Using our analyst station to do triage and incident response as a stand alone system requires that we inform Snort of the network that was defended when the PCAP was collected. From the client interview we know the network is 10.42.something.something. We run a quick tcpdump command to sample the PCAP for hosts fitting this general description: tcpdump -nr case001.pcap 'net 10.42' -c15. This reads the case pcap, disables DNS resolution, and pulls the first 15 packets that have a host with an address that starts with 10.42.
Looking at the last 2 octets of each host in the 10.x network we can make a fairly decent guess here that the Home Network is 10.42.85.0/24. This is close enough for our purpose. Edit the /etc/snort/snort.conf file where ipvar HOME_NET any is and change it to ipvar HOME_NET 10.42.85.0/24.
We disable DNS resolution for speed and to reduce noise the adversary may pick up on. Bad guys are smart enough to stand up DNS servers that are the authority for their evil domains. You potentially tip your hand if you send traffic to their monitored DNS server; try and use -n as often as possible when using tcpdump for investigations.
Finding the Snort Config
As a side bit of training – to locate a file in Linux you can just use the locate command. Update, then ask. Notice the lack of results before updatedb was run.
Testing Snort
Test Snort to ensure your changes didn't break anything and you are ready to go with snort -c /etc/snort/snort.conf -T -i lo. This tells Snort to use the default config file at /etc/snort/snort.conf, run a Test against that configuration and use the loopback interface.
And hope for a result like this…
General Approach
The name of the game in most forensics is data reduction; this holds especially true in analyzing network traffic. Reducing the noise is key. If you have analyzed other artifacts prior to this and obtained a known Malicious IP address you could start your search that way. If you haven't done analysis on other artifacts you must find interesting data using tools in your arsenal. Both approaches will be shown.
Assessing the PCAP
To quickly understand the scope of the PCAP use the command capinfos against it.
Important items to note:
- Packet capture date time range. Was this during the incident time frame?
- Number of packets. How much am I dealing with here?
An interesting note: this was not captured by a Kali box, despite what it says in the Capture oper-sys field. This was captured by a virtual router at the edge of the victim network.
Knowing that there are nearly half a million packets in this we must find a way to assess the data in quick meaningful ways.
Alerts
One way to pivot into the data quickly is to see if any low hanging fruit can be found with Snort. We are about to ask Snort to read the pcap and write alerts to the screen. The alerts will be 'flags' about anomalies in the traffic, or outright threats. Like any other 'alert' in this business they are not always fool proof. It is up to the analyst to be… well… an analyst and ANALYZE the data. This is what separates the true analyst from the alert monkey. An alert monkey sees the alert, pushes a button, and gets a banana. Alert monkeys don't get the top spot in the SOC. Be the analyst. Look into the data.
To begin the analysis ensure the pcap is living in a directory under the appropriate case directory. As an example, for this case a directory titled /cases/szechuan/pcap. In SIFT analysts do most of their work in the /cases directory. A good practice is to ensure data is kept in an organized fashion. As always it is a good idea to use the tee command to create outputs every time a tool is run. Some tools take a long time to run. Simply reviewing the output can be much faster than running the tool a second time (looking at you memory analysis).
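An added example, not from the original post, of the two pieces this step puts together: a local Snort rule that uses the HOME_NET set above to call out the rapid inbound RDP connection pattern discussed later in this case, and the snort invocation that reads the case PCAP against the configuration with tee. It assumes the Debian snort package layout, where /etc/snort/snort.conf already includes $RULE_PATH/local.rules, and that EXTERNAL_NET is set to !$HOME_NET in snort.conf (check yours; the stock file ships it as any).

```shell
#!/bin/sh
# Added example, not from the original post: a local Snort 2 rule that uses
# the HOME_NET set above, plus the command that reads the case PCAP against
# the configuration. Assumes the Debian snort package layout, where
# /etc/snort/snort.conf already includes $RULE_PATH/local.rules.

PCAP="${PCAP:-case001.pcap}"
RULES_FILE="${RULES_FILE:-/etc/snort/rules/local.rules}"

# Print the rule. With EXTERNAL_NET set to !$HOME_NET (assumption, see the
# lead-in) the rule only fires on traffic entering the defended network.
#   flags:S,12         a SYN with no other flags, ignoring the two reserved
#                      (ECN) bits, so [SEW] handshakes still match
#   detection_filter   alert only once one source has sent 20 SYNs to 3389
#                      within 10 seconds: many connections per second, not a
#                      single RDP login
#   sid:1000001        sids of 1000000 and above are reserved for local rules
rdp_bruteforce_rule() {
  cat <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"LOCAL Possible inbound RDP brute force, rapid SYNs from one source"; flags:S,12; detection_filter:track by_src, count 20, seconds 10; classtype:attempted-admin; sid:1000001; rev:1;)
EOF
}

# Append the rule to local.rules (needs root) and re-run the config test
# from the "Testing Snort" step so a typo in the rule is caught now.
install_rule() {
  rdp_bruteforce_rule >> "$RULES_FILE"
  snort -c /etc/snort/snort.conf -T -q
}

# Read the PCAP (-r) instead of an interface, print alerts to the console
# (-A console), skip checksum verification (-k none) so packets captured
# with offloaded checksums are not silently dropped, and keep a copy of the
# output with tee as recommended above.
run_snort_on_pcap() {
  snort -c /etc/snort/snort.conf -q -k none -A console -r "$PCAP" | tee snort.out
}

# The real tools only run when asked, so the functions can be sourced and
# the rule text reviewed on a box without snort installed.
if [ "${1:-}" = "run" ]; then
  install_rule && run_snort_on_pcap
fi
```

Run it from /cases/szechuan/pcap as root with the argument run; the rule fires once per source every time the 20-in-10-seconds threshold is crossed, which keeps the alert count readable.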
Before analyzing the results let's talk about noise reduction. If you recall the PCAP has over 400k packets. If you count the number of lines in the output file you will find just a few hundred alerts.
wc -l snort.out
256 alerts is much easier to look at versus 411 thousand lines. Note: over time the exact number of alerts may change.
Take a look through the alerts. Look for things that stand out like references to hacking tools and malware. Alerts in this situation can be noisy due to a lack of tuning. There is also activity that won't be flagged here that usually would be flagged by other tools. For example, Security Onion applies the Snort rule set: downloaded.rules. It flags an event that makes quick work of this PCAP. Security Onion will be covered near the end of this post. Yes, the downloaded.rules rule set could be added here but for now this will work great (adding rules here can be a real bear – let's roll on). Look through the output either through scrolling, or using less snort.out (or whatever you named the output with tee).
Can you find evidence of hacking tools being used in the traffic?
Spoilers ahead.
In the alerts there was a great pivot point that should catch your eye. NMAP. This is an example of how understanding attack methodologies is a huge benefit to defenders. Network defenders should spend time attending Penetration Testing and Red Teaming courses to understand the tools of the adversary. A good hunter will understand what sort of animal left tracks in the mud. Likewise, defenders should understand when they are looking at evidence of a predator in their systems.
Take a look at the NMAP alert. Is this an internal system or an external system reaching into the network? You have the Private IP Address ranges (RFC 1918) memorized, don't you? Also, what is the host at .10? In a real case you would want to ask the victim company what system is at this address since they likely didn't provide a network map. The Administrator of the victim network would tell you this is the Domain Controller! You are looking at an outside system sending an NMAP probe to a key piece of the network. The Domain Controller is the heart of a Windows Enterprise. Both the attacker and the Defender want complete authority over this system. NMAP, or Network Mapper, is a common tool for attackers to probe and map out systems and open ports on target systems. This is a key moment in the 'kill chain'. A good analyst looks at activity prior to and after a key event to try and understand the whole picture. What occurs just minutes after? By the way 'minutes after' in the PCAP is a tremendous amount of data versus just a few lines of text in the Alerts output. See how data reduction helps?
Moments later we observe rapid connections from an outside source to an inside source; in this case the Domain Controller. Side note: there is no good reason to have the DC exposing anything to the Internet. Ever. It should be in a private network. If Admins need access from the outside world the only ingress route should be a VPN tunnel. What sort of attack methodology would involve multiple connections per second to a service? A brute force! This remote system is likely attempting different username and password combinations! There is more to the story however. Take a closer look at the details. What are the source and destination ports?
Do not make the mistake of only observing the destination port! Let's walk through this together.
- Outside system connecting inbound to
- An inside host; the Domain Controller's
- Remote Desktop Protocol Port 3389
- The host attempting the connection increments the source port by 2 every attempt.
Take a screenshot of this event and take notes. This source IP just became interesting as it is attempting to brute force its way into the server. This activity is very normal for any server that is exposing services to the Internet. In fact, it will begin experiencing attacks soon after it is connected. This article from "All Things Considered" discusses how a device started experiencing logon attempts after just 41 minutes!
Now we have an indicator of interest to look into! Now we can use this IP address as a pivot into the data.
Pivots
Pivots are data points discovered elsewhere in the investigation that are used to speed up your analysis. For example, an IP Address found in something like Memory Analysis from the same case can be used as a "search term" in the PCAP. You will hear about pivots often here at DFIRmadness. That's because it is one of the most important skills for an analyst to wield through the course of an investigation.
Who is Going Where?!
We now have an indicator to work with. Let's table that for a moment and look at how we can explore a large PCAP quickly. A great tool to do this from the command line is tcpdump. There are some common switches you will see thrown with tcpdump that you should be familiar with:
-r Reads the provided PCAP filename
-n Disables DNS resolution
-t Do not print the date time stamp
-tttt Print the date, followed by the time as hours, minutes, seconds and fractions of a second since midnight.
-v Verbose
-X Provide the Hex output of the frame.
-c Number of packets to display before exiting.
You are encouraged to do man tcpdump and read through the capabilities of the tool.
A quick lesson on how to read the IP and port pairing: the IP and port are displayed as IP.PORT. For example, 192.168.10.24.80 would be 192.168.10.24 port 80.
To get started let's read a sample of the activity in the PCAP related to 194.61.24.102.
Flags to Keep an Eye On
[S] SYN
[S.] SYN/ACK
[.] ACK
[R] RST (Reset)
[F] FIN
Remember TCP basics like the 3 way handshake? [S] , [S.] , [.]
If not it is a good time to go review!
- NetworkLessons.com YouTube Video
- Sunny Classroom YouTube Video
- Cisco YouTube Video
- Jeremy Druin's Packet Analysis Intro <<<
- Jeremy Druin's TCP Walk-through
A lot of hacking tools break the rules or look like anomalies. As an analyst you want to look for these. Keep in mind sometimes there are actual anomalies due to bad captures or bad connections; though these are the exception not the rule.
A Quick Peek
Now that we have an Indicator that is interesting to us we can take a quick glance at any traffic involving our interesting host. Let's pull the first 20 packets:
tcpdump -nr case001.pcap 'host 194.61.24.102' -c 20
The first thing to glance at is the date of the first packet. Notice that the date time stamp is not as useful as it could be. Let's try that again with tttt.
A full date time group can be obtained with tttt and is often helpful in increasing situational awareness. In this case, we can now say with confidence when the first observed contact occurred with the interesting remote host of 194.61.24.102. Is that time UTC or local? What do most forensics tools log their time in? We know this event took place in Mountain Time (recall the info from the client interview – or from data obtained in the forensics). It took place in September – which makes it 6 hours behind UTC. This means that if you want to correlate this to local time you need to subtract 6 hours from the time displayed by the tool. Keep in mind some tools can be off! Again, the analyst must be on their toes at all times.
Look at the data. What are the first few events between this host and the Domain Controller? Does this look normal? Let's walk through this.
Here we see the ICMP Echo Request and its related reply. That's easy enough to understand. The remote host sent a ping and our Domain Controller replied. Note, and screenshot, this as information leakage the customer should shore up during the Recovery stages of the Incident Response process. We should not allow our machines to reply to pings from outside machines. We know this request and reply pair together due to the matching id number. This is a great example of why learning protocols and their internal functions is key.
Let's look a bit deeper. Have you seen anything odd yet? Look at the traffic that occurred at the same time as the ping. Does this look like a standard 3 way handshake for port 80 and 443?
No. This is not normal. It could be some fault with the capture- but it's unlikely. We see the remote host try to SYN (initiate communication) with port 443, then it immediately sends an ACK to port 80. It is even more odd that these 2 weird packets are seemingly related when we look at the Seq and Ack numbers. They're seemingly related but also very odd! Take a look at other 3 Way Handshakes in the data. What we expect to see is a Seq number displayed, followed by an Ack of Sequence + 1. The increase of 1 in the handshake is due to the 1 bit flag being exchanged. Many folks incorrectly assume that this increment is a pattern of TCP regardless of the bits exchanged. In other words, it is not just incrementing because it is supposed to do that as some sort of pattern to show a relation. It is a typical pattern because of the one bit flag typically being exchanged. Apply this knowledge to the odd pair we see above.
Now that we know it is odd, what do we do about it? We could just flag this as odd and move on. However, we can also quickly spin up some VMs and take a deeper look. Before we do that, let's put together a hypothesis as to what is going on here. We see an ICMP probe from a system prior to that system initiating a suspected brute force. At the same time as this ICMP probe we see some very odd behavior in the packets from that system. Additionally, look back at the Snort alert. We saw a reference to NMAP. Let's test in our lab and see what we find. For an accurate test we must set up a lab where the two systems are in separate networks – in geekier terms: we need the traffic to transit layer three just like it did in the real world. In other words, 2 machines in the same subnet won't be an accurate test.
To test if this was in fact NMAP two virtual machines were spun up in separate virtual networks connected via a virtual router. We know that the attack centered on 3389, and that there was not a wide port scan prior. Let's see what the traffic looks like when we conduct a Service Scan against the single port 3389.
Well, lookie here! We have proven our theory! That is the exact same signature! Take a look at the odd activity again. It even includes the ICMPs!
This next screenshot is simply a comparison of the port values when tcpdump is run without the -n flag.
Why would an attacker send a single probe to 3389? A better question is: how did they know 3389 was open!?!? Are you familiar with shodan.io? If not you really should be regardless of whether you are an attacker or a defender. Head over to YouTube and get caught up with a great channel, Lawrence Systems. The take away is that if you hook something up to the Internet it will be found and indexed. Attackers can go "shopping" for open RDP servers (as an example) to attack.
We have now confirmed that 194.61.24.102 probed our RDP server with NMAP, then likely initiated an RDP Brute Force attack (a very common breach technique (sadly)).
Can you figure out which tool was used to do the Brute Force? Hint: it was not NMAP.
Who is Who in The Zoo
When an IP Address is identified as "Interesting" it should be investigated further. A quick way to do this is to look it up on VirusTotal. Keep in mind that if there are no detections for the IP Address, domain, or hash it does NOT mean it is clean! It simply means it isn't identified as malicious… yet.
This is great for initial situational awareness but there is more to the story. Select the "Details" tab.
Note the country that this IP might reside in. Does this organization do business in that country? Do they have admins operating from there? Is it just an Admin using a VPN? The point is country code alone isn't damning even if it's accurate. The modern Internet is very flat. It is not unusual to see legitimate traffic from all over the world – to include "the usual suspects". That said, TOR Exit nodes are almost always interesting. This may not be current or accurate! Always try and validate with other tools. Give shodan.io a try for example. The details tab offers a lot of information. Have a look at what it has to offer and then scroll down to the "Google Results" area of the Details page.
Well. Isn't that interesting?! This IP Address has been seen conducting RDP Brute Force attacks elsewhere! This is a key piece of historical data. It helps confirm some of the key pieces of our hypothesis and findings. Attackers like to do the same dance move over and again. Keep this in mind when doing investigations. Sometimes the smallest piece of information about an artifact can break a case wide open by pushing you in a new direction. These new directions can lead you to look in places you hadn't thought of yet.
The "Relations" tab is also a "must see". It's good for your situational awareness to understand the domains related to the IP Address in question. Note the date!! IP Address and Domain relationships drift over time! What is true today may not have been during the incident (if you are late to the party) or even a few weeks ago. Look at the rest of the page for things like prior instances of malware associated with that indicator.
Another great resource is open source threat intel feeds. Understand these are partly crowd sourced and your mileage may vary on the accuracy of their claims. Go ahead and see what you can find at Threat Miner and Threat Crowd.
Who Went Where
Another approach to investigating PCAPs is to look at what internal systems were reaching out to remote systems. This works exceptionally well if you already have some hosts, or protocols, identified as interesting. We can locate hosts initiating connections by searching for SYN flags. We can search for hosts reaching out to external hosts by narrowing this search to destinations not inside our network. These searches are done using tcpdump and Berkeley Packet Filters.
Berkeley Packet Filters seem challenging at first but are in reality pretty easy to work with. BPF is used to select packets with particular flags. A great starting point on learning the tcpdump flag combinations is either SANS SEC503 or the manual for tcpdump.
man tcpdump
The man page for this tool is a small book on the matter and well worth the read if you plan on really getting into network analysis.
Macros are built in combinations of BPF that can be called with keywords. There are some key macros in tcpdump that can be used to select packets with things like particular networks or hosts. When testing BPF and macro combinations limit the results as an initial test to ensure you are on the right track.
This initial glance is a decent start. However, if we look for SYN flags specifically we can quickly find out who in the network was reaching out to initiate a TCP connection. To hunt SYN flags we need to tell tcpdump to look at byte 13 of the TCP header (tcp[13], the flags byte) and find packets where the TCP flags are set to 0x02 – which is BPF for the SYN flag. Remember that handshake in the beginning?
tcpdump -nttttr case001.pcap 'src net 10.42.85.0/24 and not dst net 10.42.85.0/24 and tcp[13]=0x02'
You are now looking at every SYN packet that left the network… almost. There are ECN packets we are not taking into account.
ECN Flags
Explicit Congestion Notification flags will break some of the magic of using the BPF filters to find certain flags in the PCAP. An overly brief explanation is that certain Operating Systems will have their TCP Stacks set bits in the ECN bits area and we have to filter accordingly. In other words, just looking for the exact bits set in the TCP Flags portion of the header isn't thorough enough. We have to account for that by slightly changing the filter to: tcp[13]&0x3f=0x02. Now we can see SYN flags sourced from the Domain Controller that cannot be seen with tcp[13]=0x02.
Linux-Fu and TCPdump
Using the Linux commands cut, awk, sort, uniq and BPF Filters can you determine things like:
- Which internal hosts reach out to remote systems?
- Can you determine a list of remote servers that our internal hosts reached out to?
- Which remote machines connected to our local machines?
- How many times?
- How many times did internal hosts reach out to remote systems?
SPOILERS AHEAD
It is far easier to experiment with just a few packets. Limit the count to a small amount when testing. When you are done testing remove the count limit.
Examples of Exploring the PCAP from Command Line Only
Frequency Analysis of Internal Machines Initiating Outbound Connections
tcpdump -nttttr case001.pcap 'tcp[13]&0x3f=0x02 and src net 10.42.85.0/24 and not dst net 10.42.85.0/24'|awk '{print $4}'|cut -d '.' -f1-4|sort -n|uniq -c|sort -nr
Don't simply cut and paste this and move on. Learn the command shown above. This powerful combination of Linux commands can be rearranged to answer many more questions about what happened on the network.
Can you get these answers on your own?
Remote Systems Contacted by Our Internal Systems by Frequency
Connections Initiated to Our Internal Systems From the Outside by Frequency
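An added example, not from the original post: the awk/cut/sort/uniq tail of the pipeline above, generalized so one function answers all three frequency questions (internal initiators, remote systems contacted, and outside systems connecting in). It works on saved tcpdump -nttttr text, so a constructed sample is embedded and it runs without the case PCAP or tcpdump itself; the HOME_PREFIX string and the sample lines are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: the awk/cut/sort/uniq tail of the
# pipeline above, generalized so one function answers all three frequency
# questions. It works on saved tcpdump -nttttr text, so a constructed sample
# is embedded and nothing here needs the case PCAP or tcpdump itself.

HOME_PREFIX="10.42.85."   # the HOME_NET from the case, as a string prefix

# Constructed sample of SYN-only tcpdump -nttttr output. The addresses follow
# the case: HOME_NET hosts, the suspect 194.61.24.102 and one other remote.
SAMPLE_SYNS='2020-09-19 03:24:23.561216 IP 10.42.85.115.49873 > 194.61.24.102.80: Flags [S], seq 1, win 64240, length 0
2020-09-19 03:24:25.101003 IP 10.42.85.115.49874 > 194.61.24.102.80: Flags [S], seq 2, win 64240, length 0
2020-09-19 03:24:30.770120 IP 10.42.85.10.52001 > 194.61.24.102.443: Flags [SEW], seq 3, win 8192, length 0
2020-09-19 03:25:01.000431 IP 10.42.85.115.49875 > 203.0.113.5.443: Flags [S], seq 4, win 64240, length 0
2020-09-19 03:25:02.220011 IP 194.61.24.102.40100 > 10.42.85.10.3389: Flags [S], seq 5, win 1024, length 0
2020-09-19 03:25:02.220540 IP 194.61.24.102.40102 > 10.42.85.10.3389: Flags [S], seq 6, win 1024, length 0'

# direction outbound|inbound  (stdin: tcpdump -nttttr lines)
# With -tttt the fields are: date time IP src.port > dst.port: ...
# so the source is $4 and the destination is $6. index(x, p) == 1 means
# "x starts with p". In practice this belongs in the BPF (src net / not dst
# net, as in the command above); here it is awk so it runs on saved text.
direction() {
  case "$1" in
    outbound) awk -v p="$HOME_PREFIX" 'index($4, p) == 1 && index($6, p) != 1' ;;
    inbound)  awk -v p="$HOME_PREFIX" 'index($6, p) == 1 && index($4, p) != 1' ;;
    *) echo "usage: direction outbound|inbound" >&2; return 2 ;;
  esac
}

# ip_frequency src|dst  (stdin: tcpdump -nttttr lines)
# cut keeps the first four dot-separated pieces, which drops the port (and
# the trailing colon on the destination). Output: "<count> <ip>", most
# frequent first.
ip_frequency() {
  case "$1" in
    src) f=4 ;;
    dst) f=6 ;;
    *) echo "usage: ip_frequency src|dst" >&2; return 2 ;;
  esac
  awk -v f="$f" '{print $f}' | cut -d '.' -f1-4 | sort | uniq -c | sort -nr | awk '{print $1, $2}'
}

# The three questions from the text, answered over the sample.
echo "Internal hosts initiating outbound connections:"
printf '%s\n' "$SAMPLE_SYNS" | direction outbound | ip_frequency src
echo "Remote systems contacted by our internal systems:"
printf '%s\n' "$SAMPLE_SYNS" | direction outbound | ip_frequency dst
echo "Connections initiated to our internal systems from the outside:"
printf '%s\n' "$SAMPLE_SYNS" | direction inbound | ip_frequency src
```

On the real case, replace the printf with the tcpdump command above (keeping the tcp[13]&0x3f=0x02 SYN filter and dropping the src/dst net terms) and let direction and ip_frequency do the rest.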
RDP Yous Say?!
We also noticed that there was some RDP in these packets. Let's get situational awareness around RDP events.
tcpdump -nttttr case001.pcap 'tcp port 3389' will dump out every RDP packet in the PCAP- so long as it used the standard RDP port of TCP 3389. Remember to control for source and destination networks to answer questions accordingly.
Did we see any RDP from the outside? We already know this from the Snort Alerts. However, as a point of learning let's see it in tcpdump.
tcpdump -nttttr case001.pcap 'tcp port 3389 and (dst net 10.42.85.0/24 and not src net 10.42.85.0/24)' -c5
Were there any RDP sessions between internal hosts?
tcpdump -nttttr case001.pcap 'tcp port 3389 and (src net 10.42.85.0/24 and dst net 10.42.85.0/24)' -c15
What is this data telling you? Look at the handshakes. Treat [SEW] like [S].
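An added example, not from the original post, covering both the ECN Flags section and the "Treat [SEW] like [S]" advice above: it decodes constructed TCP flag bytes into tcpdump's bracket notation and runs each through the two BPF expressions, tcp[13]=0x02 and tcp[13]&0x3f=0x02, so you can see exactly which SYNs the unmasked filter misses. The flag byte values are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: what the two BPF expressions
# tcp[13]=0x02 and tcp[13]&0x3f=0x02 actually test, run over constructed
# flag bytes. tcp[13] is the flags byte of the TCP header: 0x02 is SYN and
# the top two bits (0x80 CWR, 0x40 ECE) are the ECN bits that tcpdump shows
# as W and E, so an ECN-capable SYN is 0xc2 and prints as [SEW].

# Decode a flags byte into tcpdump's bracket notation ([S], [S.], [SEW], ...),
# in the order tcpdump prints them: F S R P . U E W.
flag_letters() {
  b=$(( $1 ))
  s=""
  [ $(( b & 0x01 )) -ne 0 ] && s="${s}F"
  [ $(( b & 0x02 )) -ne 0 ] && s="${s}S"
  [ $(( b & 0x04 )) -ne 0 ] && s="${s}R"
  [ $(( b & 0x08 )) -ne 0 ] && s="${s}P"
  [ $(( b & 0x10 )) -ne 0 ] && s="${s}."
  [ $(( b & 0x20 )) -ne 0 ] && s="${s}U"
  [ $(( b & 0x40 )) -ne 0 ] && s="${s}E"
  [ $(( b & 0x80 )) -ne 0 ] && s="${s}W"
  printf '[%s]\n' "$s"
}

# The two filters from the text. Each returns success when the byte matches.
syn_exact()  { [ $(( $1 )) -eq 2 ]; }           # tcp[13]=0x02
syn_masked() { [ $(( $1 & 0x3f )) -eq 2 ]; }    # tcp[13]&0x3f=0x02: mask off the ECN bits

# Run a constructed set of flag bytes through both filters. 0xc2 is the
# case that matters: a real SYN that the unmasked filter silently misses.
# The ACK-carrying bytes (0x12 SYN/ACK, 0x18 PSH/ACK, 0x11 FIN/ACK) and a
# bare RST (0x04) are rejected by both, as they should be.
demo_filters() {
  for byte in 0x02 0xc2 0x12 0x18 0x11 0x04; do
    letters=$(flag_letters "$byte")
    if syn_exact "$byte";  then e=match; else e=miss; fi
    if syn_masked "$byte"; then m=match; else m=miss; fi
    printf '%-4s %-6s tcp[13]=0x02: %-5s  tcp[13]&0x3f=0x02: %s\n' "$byte" "$letters" "$e" "$m"
  done
}
demo_filters
```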
PCAP Carving Interesting Packets
Searching a PCAP is like shooting fish in a barrel when you have a starting point. Looking for evil is faster when you have indicators to hunt for. You have seen how to find indicators in the PCAP; or you could have found them elsewhere in the case. Either way, at this point you should have 194.61.24.102 on the "whiteboard o' doom"- or wherever you are tracking the enemy. The procedure may look like this:
- Search the PCAP for the Indicator 194.61.24.102
- Carve out all packets where this host is present into a smaller PCAP
- If this resultant PCAP is small enough open it in something like Wireshark.
- If the PCAP is still hundreds of megabytes try carving it with multiple indicators. This doesn't apply to this case but it could easily happen in the real world.
- Use secondary tools to look for files that flew on the wire like Wireshark, NetworkMiner etc.
- Continue scoping the incident by finding other internal hosts talking to the adversary
The following walk-through is one example of roughly following this template. Every case is different. Learn the tool. Understand the goal. Don't learn clickology. Be a hacker!
TCPdump Carving
Tcpdump can be used to easily 'carve' out packets with our suspect system from the larger PCAP. You should be running this from a directory containing the PCAP from the case in the /cases folder. You're not still using the Desktop are you????
tcpdump -nr case001.pcap 'host 194.61.24.102' -w /tmp/host194.cap
mv !$ .
This will carve out packets where the interesting host appears and write them to a cap file in the tmp directory. Tcpdump prefers to write to a world writable directory. These settings can be overridden with some work. However, the easy button is to write to /tmp and move it over with mv. Notice the !$ shortcut?
Notice the reduction in the data! This training PCAP was kept small on purpose. This carving technique becomes far more important with PCAPs that are GIGs or several hundred Megs! Run capinfos on both and note the differences.
Wireshark and File Etching
Once you have a smaller PCAP we are ready for a more focused look with Wireshark. Wireshark will easily handle the 189 MB Case PCAP. However, this is all about learning and practicing. Carve it down, then open it from the command line. It is tempting to run Wireshark as root. Don't do it. It's a bad habit and unsafe. Simply open a new terminal or drop out of sudo for a moment.
exit
wireshark host194.cap &
Exit the root prompt. Use Wireshark to open our PCAP focusing on host 194.61.24.102 and run it in the background (of the prompt). A Wireshark window should open and load the PCAP.
Searching for Keywords in PCAPs with Wireshark
Wireshark makes searching for items of interest in the traffic easy. To search for keywords buried in the traffic that you are interested in you can start with a string search in the bytes. This is an effective way to look for previously discovered IOCs or other items of interest.
Press CTRL+F to bring up the search bar.
- Select 'String'
- Select 'Packet Bytes'
- Input interesting string
- Click 'Find'
Gaining Situational Awareness
A great place to start looking into a PCAP is the Statistics menu.
The Protocol Hierarchy, Conversations, Endpoints and I/O Graph are good starting points for getting your situational awareness.
As an example, let's look at the Endpoints menu option.
Let's close this and take a look at the traffic.
Using the Wireshark display filter ip.addr==10.42.85.115 we can isolate the packets in this PCAP to the internal host of our network. Knowing we are already looking at a PCAP that only contains packets involving 194.61.24.102, we know we are looking at a conversation between the suspect remote host and the internal host. Look at the opening volley of traffic. See the TCP handshake followed by an HTTP request? Selecting the packet where the HTTP request occurred, we can find out if the host went to a domain or directly to an IP address. This is an important distinction in network analysis. Wireshark interpolates the data and presents its belief in what the host had requested. This interpolated information is known as 'Expert' data. It is information not found directly in the packets, but rather derived from the data. Information like this is indicated by [ and ]. We can tell this host went directly to an IP address. This is interesting since most normal user traffic doesn't behave that way. Do you type IP addresses into web browsers normally?
Let's follow the stream to see what these two systems exchanged. Right click the HTTP request packet, select Follow, and then select the Follow HTTP or Follow TCP option.
Examine the findings.
We see three interesting items. An internal host reached out to a remote suspect host and downloaded a suspicious file from a Python Simple HTTP Server; a common attack technique. Together these paint a bad picture. Note this is a common pentesting trick and more skilled attackers are likely not going to be as obvious with a Python Simple HTTP Server. That said, downloading malware over HTTP in 2020 is still a thing.
The next step is to inspect this file. We need to carve it out of the PCAP. There is a quick win for this using Wireshark.
Save the file to the same directory where the PCAP for the case is located. This makes it easy to remember this file was extracted from the PCAP. Stay organized! Remember that Wireshark is running as a regular user. Chances are the cases folder you are working in is owned by root. Simply save this file to a new folder in the /tmp directory, and then move it to /cases/szechuan/pcap.
File Inspection and Triage
A great starting point to check if a file is malicious is to send the hash of it to VirusTotal. Sending the hash is a good start because some advanced attackers will be watching VirusTotal for their own malware. If it is something special they cooked up for you they will know they are burned when you submit the file. When they know they are burned they may start changing their behavior, speed up their attack, or begin removing all the evidence. Send the hash, not the file.
sha256sum coreupdater.exe
Copy the hash into VirusTotal.
To simulate finding unknown malware a single character will be changed. Even if VirusTotal reports the file as malware you should keep examining the file to ensure you aren't missing anything.
No findings? No problem. Let's use some SIFT and REMnux pre-installed tools to investigate further.
CAPA
FireEye is always putting out great tools for the industry to use in the fight against evil. One of the most recent additions is Capa. Simply run Capa against the file to try and gain an understanding of what this suspect file might be capable of.
Interesting! The executable is using obfuscation to attempt to hide information. Moreover, it is using XOR! These are known techniques the bad guys use to bypass network defenses and make life harder on investigators. We have some tricks up our sleeves too. Let's keep going.
FLOSS
FLOSS is yet another FireEye tool in our arsenal. It does an excellent job of trying to cut through obfuscation and return meaningful strings. We are hoping some of these strings will reveal IOCs like IP addresses and domain names the malware will call home to.
FLOSS wasn't able to retrieve the IOCs we were hoping for (if they are there). However, there are still interesting findings. The word PAYLOAD: should make the hairs on an investigator's neck stand up. We also see some indicators this executable may be importing the functions needed to do process injection! This is not definitive. It's just an indicator that, when combined with everything else, we are starting to get an idea this executable intends to do evil.
ClamAV
Update clamscan and let it have a crack at it as well.
freshclam
clamscan -v coreupdater.exe
Nothing this time around.
Sandbox Detonation
It looks like static analysis of this file is not giving us any quick wins. At this point a junior analyst needs to send the file to a reverse engineer, or detonate the file in a sandbox. Up until this point we have been conducting static analysis. The next phase is to see the file actually run and do what it is designed to do. This is called dynamic analysis. Executables that are obfuscated must de-obfuscate themselves to run. "Malware can hide but it has to run". Systems designed to detonate malware and safely observe its behavior are called sandboxes. Advanced adversaries use malware that is aware of sandboxes and will not detonate if it detects, or suspects, it is "sandboxed".
A quick, easy option is online sandboxes. Be careful. Some adversaries watch these public sandboxes for when their malware is detonated there and will act accordingly (see above). For this exercise we will use one of the many free online sandboxes, any.run.
Once logged in you can search for the hash to see if someone had previously detonated this malware. If nothing is found you can submit the file.
When you go to submit this file it doesn't run! Hmmm. Could it be this is a 64-bit file? Did you notice that it only supports 32-bit?
Let's try another sandbox, Joe Sandbox.
Notice even Joe tries to warn you that you are about to tip your hand to the world that you found this malware.
Once you confirm the payload detonation it will take a few minutes. However, the results are worth the wait.
WHAM! We have successfully uncovered the secrets of coreupdater.exe. When the IOC tab is selected we notice a new IOC to add to the Board 'o Doom: 203.78.103.109.
We now know we are dealing with a malicious Trojan that is part of the Metasploit toolkit and it's calling back to 203.78.103.109, a server likely residing in Thailand.
An amazing feature Joe Sandbox offers free users is a full report generated on the malware for you! Grab a copy.
Select the PDF Report.
Read through it until you find the MITRE ATT&CK portion of the report.
This is also known as a "Cross Walk". The MITRE ATT&CK Matrix is one of the best resources to hit the industry in the past decade. It deserves its own post. For now, understand that this is here and is one of the easiest ways to understand the capabilities and intent of an adversary's malware. Take a look through the report. It's pretty epic for no money, and 5 minutes of waiting for it to detonate.
Back to the PCAP!
We have new data! The new IP address is added to the "Doom Board"! We need to investigate this new finding! Knowing at least one piece of malware communicates with 203.78.103.109 we can apply this information to see which systems successfully reached out to the Command and Control (C2) platform for this adversary. You know how to do this! Look at the previous commands with tcpdump. Knowing 10.42.85.115 is the internal host, inspect the PCAP with tcpdump and use your newfound skills.
Examining the first 5 packets of the case001.pcap file, what do we see here? What is significant about the time stamps and the flags? What does the P flag mean? What other tool can we use to understand the systems in our network that had conversations with this malicious host?
In the end we can say for sure that 10.42.85.115 reached out to a known malicious IP and started communicating with it. Before you move on, ensure you understand how we are able to say that definitively here.
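The same questions can be answered programmatically over any classic libpcap file. The following is an added example, not code from the original post: a standard-library-only parser that tallies, per internal host, the SYNs sent to the C2 IP, the SYN/ACKs the C2 answered with (a completed handshake), and the PSH packets that actually carried data. The traffic it runs on is constructed inline rather than taken from case001.pcap; the ports and the second host 10.42.85.200 are made up for the sample.

```python
import struct
from collections import defaultdict

def tcp_frame(src, dst, sport, dport, flags):
    """Ethernet/IPv4/TCP frame with the given TCP flags byte (constructed sample data)."""
    ip_src, ip_dst = (bytes(int(o) for o in a.split(".")) for a in (src, dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, ip_src, ip_dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp  # zeroed MACs, EtherType IPv4

def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # classic pcap, linktype Ethernet
    return hdr + b"".join(struct.pack("<IIII", 1_600_000_000, i, len(f), len(f)) + f
                          for i, f in enumerate(frames))

def iter_tcp(pcap):
    """Yield (src, dst, tcp_flags) for each IPv4/TCP packet; anything else is skipped."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    pos = 24                                         # skip the 24-byte global header
    while pos + 16 <= len(pcap):
        incl = struct.unpack(endian + "IIII", pcap[pos:pos + 16])[2]
        pkt = pcap[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if pkt[12:14] != b"\x08\x00" or pkt[23] != 6:  # not IPv4, or not TCP
            continue
        ihl = (pkt[14] & 0x0F) * 4                     # IPv4 header length in bytes
        src, dst = (".".join(map(str, pkt[i:i + 4])) for i in (26, 30))
        yield src, dst, pkt[14 + ihl + 13]             # TCP flags byte

def c2_contacts(pcap, c2_ip):
    """Per host: SYNs sent to the C2, SYN/ACKs received from it, PSH packets exchanged with it."""
    hosts = defaultdict(lambda: {"syn": 0, "synack": 0, "push": 0})
    for src, dst, flags in iter_tcp(pcap):
        if dst == c2_ip and (flags & 0x12) == 0x02:    # SYN without ACK: a connection attempt
            hosts[src]["syn"] += 1
        elif src == c2_ip and (flags & 0x12) == 0x12:  # SYN/ACK: the C2 answered the handshake
            hosts[dst]["synack"] += 1
        if c2_ip in (src, dst) and flags & 0x08:       # PSH: data actually moved on the session
            hosts[dst if src == c2_ip else src]["push"] += 1
    return dict(hosts)

C2 = "203.78.103.109"
SAMPLE = build_pcap([                                   # constructed, not from case001.pcap
    tcp_frame("10.42.85.115", C2, 49200, 4444, 0x02),   # SYN from the desktop
    tcp_frame(C2, "10.42.85.115", 4444, 49200, 0x12),   # SYN/ACK back from the C2
    tcp_frame("10.42.85.115", C2, 49200, 4444, 0x10),   # ACK completes the handshake
    tcp_frame("10.42.85.115", C2, 49200, 4444, 0x18),   # PSH/ACK: the desktop pushes data
    tcp_frame("10.42.85.200", C2, 50000, 4444, 0x02),   # SYN from another host, never answered
    tcp_frame("10.42.85.115", "8.8.8.8", 51000, 53, 0x02),  # unrelated traffic, ignored
])
```

A host with syn > 0 but synack == 0 only tried to reach the C2; a host with a SYN/ACK and PSH packets is the one you can definitively say communicated with it. The parser reads classic pcap only, not pcapng, which is what tcpdump writes by default.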
PCAP Analysis with Security Onion
Overview
Security Onion is about to retire. It is being replaced by Hybrid Hunter (aka Security Onion 2). For this reason a full write-up currently would be a bit of a sour investment. However, understand that the Security Onion OS as a stand alone Virtual Machine is an absolute beast of a PCAP Analysis station. For now, understand that it is a great option to explore on your own.
Guides
The official documentation is fantastic. In the Table of Contents you will see selections for building it in VMware or VirtualBox.
Build Notes
When you build the VM ensure you have two virtual network cards installed.
Importing the PCAP
To import the pcap, download it, then import it with sudo so-import-pcap case001.cap.
General Thought
Security Onion allows the analyst to easily find anomalies by seeing alerts in the Sguil client. From here they can easily extract malicious files and gather intelligence.
Further Updates
In the future this post will get an update when Hybrid Hunter is officially released and I have had time to learn the new system.
Conclusion
We started off by reducing the noise and running an open source Intrusion Detection System (IDS), Snort, against the case001.pcap. This highlighted the brute force activity from 194.61.24.102. Tcpdump was used to explore activity between internal hosts and external hosts in addition to internal RDP communications. We further reduced the data by carving out the packets that contained communication with this host from the larger case001.pcap. By analyzing this smaller PCAP we discovered that both the Domain Controller and the Desktop machine were likely compromised. We also easily carved the suspect file, coreupdater.exe, from the PCAP, which was downloaded to both hosts. This suspected malware was examined with static analysis. Little information was obtained with static analysis. Dynamic analysis with a sandbox was used next.
Using Joe Sandbox the file was confirmed to be malware calling back to 203.78.103.109. This malware was explicitly identified as being from the Metasploit family; meaning this is Meterpreter. To summarize, it appears that the adversary brute forced RDP to gain access to the Domain Controller. Next they RDP'd to the user machine and downloaded the same malware to infect that machine as well. We can assume the malware successfully executed because we can see traffic to the Command and Control platform from both machines. This information is key to directing other teams. For example, the firewall team should begin inspecting traffic to scope out which hosts in the Enterprise are infected with this malware. Armed with a solid set of IOCs we are now set up to pivot to other artifacts in the case.
IOCs to Take Away and Pivot with
We don't know if we will find the IOCs in the next moves listed below, but they are great pivot points to start with things like keyword searches etc.
To Disk: Filename coreupdater.exe, and malicious IPs 203.78.103.109, 194.61.24.102.
To Memory: Malicious filename: coreupdater.exe and malicious IP addresses of 203.78.103.109, 194.61.24.102.
To Autoruns: coreupdater.exe
Things to Study or Try Next
- TCP Protocols in depth
- UDP Protocols in depth
- TCP/UDP Headers
- TShark
This was just an intro to the deep well of knowledge that is Network Analysis. If you enjoyed it, use the materials at the beginning of this post to continue studying!
Choose Your Next Move
I want to look at the Memory!
I want to look at the AutoRuns (Coming soon)
Also, I want to look at the Disk Image and Timelines (Coming soon)
Don't forget to leave any thoughts or questions you have on PCAP Analysis in the comments.
Posted by: kunzcomforse.blogspot.com
