Incident Response with Bro

IR with Bro
"Bro is a powerful network analysis framework that is much different from the typical IDS you may know. While focusing on network security monitoring, Bro provides a comprehensive platform for more general network traffic analysis as well"

Let's have some fun with Bro! 

Today we are digging into a PCAP that captured the angler malware.

Angler was one of the leading exploit kits used by cybercriminals to distribute malware ranging from ransomware and banking Trojans to ad fraud. Like most other exploit kits, it focused on web-based vulnerabilities in the browsers and their plugins. Angler was one of the few exploit kits during its time that offered fileless infections, where malware never touches the disk and only resides in memory to avoid detection.  Angler has been inactive since June 2016 but still fun to look at.

To begin, create a working folder and change into it so the logs Bro writes all land in one place:

$ mkdir working
$ cd working

We have captured a PCAP with some unusual traffic. To begin our investigation we will carve some logs out of it with Bro.

$ sudo bro -r /pcaps/angler-java.pcap

As you can see, Bro has carved the following logs out of the provided PCAP: conn.log, dns.log, files.log, http.log, irc.log, packet_filter.log and weird.log.

First, let's start with the connection statistics (conn.log).

We will begin by listing each TCP and UDP connection with plain awk, sorted by duration (field 9 of conn.log). Every header line and the trailing #close line start with #, so we drop those rather than skipping a fixed number of lines.

$ awk '!/^#/' conn.log | sort -t$'\t' -k 9 -n

 

Nothing really stands out yet. Let's look for all connections that last longer than 30 seconds (duration is field 9):

$ awk '!/^#/ && $9 > 30' conn.log

Now we can break the connections down by service type using bro-cut:

$ bro-cut service < conn.log | sort | uniq -c | sort -n


As you can see, we are seeing DNS and HTTP traffic.

Showing the top 10 destination ports:

$ bro-cut id.resp_p < conn.log | sort | uniq -c | sort -rn | head -n 10
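bro-cut and the awk one-liners above both hinge on the same detail: every Bro ASCII log carries a #fields line naming its columns, and the data rows are the ones that do not start with #. The script below is an added example, not code from the original post or from the Bro project. It implements that header-driven column selection in plain awk (so the same helper works on dns.log and http.log, not just conn.log) and then reproduces the three conn.log summaries above as shell functions. The conn.log it reads is constructed sample data written to a temp file; the UIDs, addresses and durations are made up.

```shell
#!/bin/sh
# Added example (not from the original post or the Bro project): a header-driven
# column selector for Bro ASCII logs plus the conn.log summaries built on it.

# row A B C ...  -> one tab-separated log line (used only to build the sample log)
row() ( IFS=$(printf '\t'); printf '%s\n' "$*" )

# Constructed sample conn.log with the real 2.x column names; all values are made up.
CONN_LOG="${TMPDIR:-/tmp}/example_conn.log"
{
    printf '%s\n' '#separator \x09'
    row '#set_separator' ','
    row '#empty_field' '(empty)'
    row '#unset_field' '-'
    row '#path' conn
    row '#open' 2016-01-01-00-00-00
    row '#fields' ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes
    row '#types' time string addr port addr port enum string interval count count
    row 1451606400.000000 CUid1 10.0.0.5 49152 10.0.0.1 53 udp dns 0.012 40 120
    row 1451606401.000000 CUid2 10.0.0.5 49153 192.0.2.10 80 tcp http 45.5 500 9000
    row 1451606402.000000 CUid3 10.0.0.5 49154 192.0.2.10 80 tcp http 2.1 300 4000
    row 1451606403.000000 CUid4 10.0.0.5 49155 192.0.2.20 8080 tcp - 120.0 100 200
    row '#close' 2016-01-01-00-10-00
} > "$CONN_LOG"

# bro_cut_sh LOG FIELD...  -> the named columns of the data rows, tab-separated.
# Column positions are read from the #fields line, so the caller never hard-codes
# a field number, and every '#' line (header and trailing #close) is skipped.
bro_cut_sh() {
    log=$1; shift
    awk -v want="$*" '
        BEGIN { FS = OFS = "\t"; n = split(want, w, " ") }
        /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
        /^#/ { next }
        {
            out = ""
            for (i = 1; i <= n; i++) {
                sep = (i > 1) ? OFS : ""
                out = out sep $(col[w[i]])
            }
            print out
        }' "$log"
}

# Connections longer than $2 seconds: uid, responder host, responder port, duration
long_connections() {
    bro_cut_sh "$1" uid id.resp_h id.resp_p duration |
        awk -F '\t' -v min="$2" '$4 + 0 > min + 0'
}

# Connections per service, most common first; Bro writes "-" when no service was identified
service_counts() {
    bro_cut_sh "$1" service | sed 's/^-$/unknown/' | sort | uniq -c | sort -rn |
        awk '{ print $2, $1 }'
}

# The $2 most common responder ports
top_resp_ports() {
    bro_cut_sh "$1" id.resp_p | sort | uniq -c | sort -rn | head -n "$2" |
        awk '{ print $2 }'
}

echo "== connections over 30s =="; long_connections "$CONN_LOG" 30
echo "== per service =="; service_counts "$CONN_LOG"
echo "== top responder ports =="; top_resp_ports "$CONN_LOG" 3
```

On the sample data the long-connection list shows CUid2 and CUid4, the "-" service on CUid4 (port 8080, no protocol identified) is exactly the kind of row worth a second look, and the same bro_cut_sh helper can pull query and answers out of dns.log without changing anything but the field names.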


HTTP Statistics (http.log)

Next, we will move into the http.log file.

What distinct browsers are in use? For this, we will use the User-Agent string.

$ bro-cut user_agent < http.log | sort -u


Is the agent reaching out to any 'odd' sites? What are the five most commonly accessed websites?

$ bro-cut host < http.log | sort | uniq -c | sort -n | tail -n 5


Using bro-cut we can also list any files that were transferred in this capture.

View the files from files.log (bro-cut takes the field names as separate arguments; the md5 column is only populated once the hash-all-files policy is loaded, which we do below):

$ bro-cut fuid mime_type filename total_bytes md5 < files.log

Next, let's extract the files from the PCAP:

$ sudo bro -r /pcaps/your.pcap /opt/bro/share/bro/file-extraction/extract-all.bro
$ ls -la /nsm/bro/extracted


Now we can run a quick AV scan. We will use everyone's favorite AV scanner, clamscan :)

$ clamscan /nsm/bro/extracted/

Having the hashes for each file will help further our investigation.

$ sudo bro -r /pcaps/angler-java.pcap /opt/bro/share/bro/policy/frameworks/files/hash-all-files.bro

$ cat files.log

Head over to VirusTotal and do a little more research on those hashes.
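files.log identifies each carved file by its fuid, and http.log lists the same ids in its resp_fuids column, which is what lets you tie a hash back to the request that delivered it. The script below is an added example, not code from the original post or from the Bro project: it joins the two logs on those ids and prints each file with its MIME type, MD5 and delivering URL, then collects the distinct hashes that are worth looking up. Both logs are constructed, abridged samples that use the real Bro column names; the ids, hosts and hashes are made up.

```shell
#!/bin/sh
# Added example (not from the original post or the Bro project): join files.log to
# http.log on file ids so each carved file is shown with the URL that delivered it.

# row A B C ...  -> one tab-separated log line (used only to build the sample logs)
row() ( IFS=$(printf '\t'); printf '%s\n' "$*" )

# Constructed, abridged sample logs: real Bro 2.x column names, made-up values.
# The join reads column positions from each #fields line, so leaving columns out is fine.
HTTP_LOG="${TMPDIR:-/tmp}/example_http.log"
FILES_LOG="${TMPDIR:-/tmp}/example_files.log"
{
    row '#fields' ts uid id.orig_h id.orig_p id.resp_h id.resp_p method host uri user_agent status_code resp_fuids
    row 1451606401.1 CUid2 10.0.0.5 49153 192.0.2.10 80 GET landing.example /index.php Mozilla/5.0 200 FAbc1
    row 1451606402.1 CUid3 10.0.0.5 49154 192.0.2.10 80 GET landing.example /jar/payload.jar Java/1.7.0 200 FDef2
    row 1451606402.5 CUid5 10.0.0.5 49156 192.0.2.10 80 GET landing.example /favicon.ico Mozilla/5.0 404 -
    row '#close' 2016-01-01-00-10-00
} > "$HTTP_LOG"
{
    row '#fields' ts fuid tx_hosts rx_hosts conn_uids source mime_type filename total_bytes md5
    row 1451606401.2 FAbc1 192.0.2.10 10.0.0.5 CUid2 HTTP text/html - 8500 0123456789abcdef0123456789abcdef
    row 1451606402.2 FDef2 192.0.2.10 10.0.0.5 CUid3 HTTP application/java-archive payload.jar 31000 fedcba9876543210fedcba9876543210
    row 1451606409.0 FGhi3 198.51.100.7 10.0.0.5 CUid9 IRC_DATA application/octet-stream - 120 -
    row '#close' 2016-01-01-00-10-00
} > "$FILES_LOG"

# file_delivery_report HTTP_LOG FILES_LOG
#   -> fuid, mime_type, md5, delivering URL (or a marker when no HTTP request carried the file)
file_delivery_report() {
    awk '
        BEGIN { FS = OFS = "\t" }
        /^#fields/ {                       # per-file column map: 1 = http.log, 2 = files.log
            f = (FNR == NR) ? 1 : 2
            for (i = 2; i <= NF; i++) col[f, $i] = i - 1
            next
        }
        /^#/ { next }
        FNR == NR {                        # http.log: map every response file id to its URL
            url = "http://" $(col[1, "host"]) $(col[1, "uri"])
            n = split($(col[1, "resp_fuids"]), ids, ",")
            for (i = 1; i <= n; i++) if (ids[i] != "-") urlof[ids[i]] = url
            next
        }
        {                                  # files.log: look each file id up
            fuid = $(col[2, "fuid"])
            where = (fuid in urlof) ? urlof[fuid] : "(no HTTP request found)"
            print fuid, $(col[2, "mime_type"]), $(col[2, "md5"]), where
        }' "$1" "$2"
}

# unique_md5s FILES_LOG -> the distinct hashes worth looking up, skipping the unset "-"
unique_md5s() {
    awk -F '\t' '
        /^#fields/ { for (i = 2; i <= NF; i++) if ($i == "md5") c = i - 1; next }
        /^#/ { next }
        $c != "-" { print $c }' "$1" | sort -u
}

file_delivery_report "$HTTP_LOG" "$FILES_LOG"
unique_md5s "$FILES_LOG"
```

The report makes the payload.jar row stand out on its own: a Java archive fetched with a Java/1.7.0 User-Agent from the same host that served the landing page, with a hash ready to be checked. Files that arrived over something other than HTTP (FGhi3 here) are kept in the output with a marker rather than silently dropped, and a file whose md5 is "-" is a reminder that hash-all-files was not loaded for that run.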


Next, we will dig into the DNS queries from this PCAP (dns.log).

$ cat dns.log

These are just a few ways Bro can make incident response much easier.
