Reconnaissance phase

Reconnaissance is an attempt to discover and collect information about a target. It could be knowledge about the system in use, the web application, employees or location, etc.

Start the analysis by examining any reconnaissance attempt against the webserver imreallynotbatman.com.

index=botsv1 imreallynotbatman.com sourcetype=stream:http

Questions

One suricata alert highlighted the CVE value associated with the attack attempt. What is the CVE value?

Add the alert.* fields to the field list and run:

index=botsv1 imreallynotbatman.com src_ip="40.80.148.42" sourcetype=suricata "alert.category"="Attempted Administrator Privilege Gain"

CVE

CVE-2014-6271

See the CVE-2014-6271 detail page: this is Shellshock.

What is the CMS our web server is using?

index=botsv1 imreallynotbatman.com sourcetype=stream:http

CMS

joomla

What is the web scanner the attacker used to perform the scanning attempts?

Scanner

acunetix

What is the IP address of the server imreallynotbatman.com?

dest

192.168.250.70
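The searches above rely on reading the answers off the field sidebar. As an added example (not part of the original walkthrough), the same questions can be answered with two pivot searches that tabulate the results instead; they assume the dataset extracts the standard Suricata `alert.signature` field and the Splunk Stream `http_user_agent` field, and the `cve` field is created by the `rex` command here.

```spl
index=botsv1 imreallynotbatman.com sourcetype=suricata "alert.category"="Attempted Administrator Privilege Gain"
| rex field=alert.signature "(?<cve>CVE-\d{4}-\d{4,7})"
| stats count values(alert.signature) AS signatures BY src_ip dest_ip cve

index=botsv1 imreallynotbatman.com sourcetype=stream:http
| stats count BY src_ip dest_ip http_user_agent
| sort - count
```

The first search extracts the CVE identifier from each alert signature and groups by source, destination and CVE; the second lists the user agents per source and destination, which surfaces both the scanner string and the server IP in one table.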


Last update: 2025-05-12 14:39