Zeek has 15+ frameworks that help analysts to discover the different events of interest.


Ensure you are in the right directory to find the pcap file and accompanying files: Desktop/Exercise-Files/TASK-8

Investigate the case1.pcap file with intelligence-demo.zeek script.

zeek -C -r case1.pcap intelligence-demo.zeek

Investigate the intel.log file. Look at the second finding, where was the intel info found?

ubuntu@ip-10-10-218-60:~/Desktop/Exercise-Files/TASK-8$ cat intel.log
#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	intel
#open	2022-11-29-01-10-33
#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	seen.indicator	seen.indicator_type	seen.where	seen.node	matched	sources	fuid	file_mime_type	file_desc
#types	time	string	addr	port	addr	port	string	enum	enum	string	set[enum]	set[string]	string	string	string
1561667898.779213	CB7PV32LkE7FysWa7k	53770	53	Intel::DOMAIN	DNS::IN_REQUEST	zeek	Intel::DOMAIN	TASK-8-Demo	-	-	-
1561667898.911759	CVNbG83FLsjLKgtbhi	49162	80	Intel::DOMAIN	HTTP::IN_HOST_HEADER	zeek	Intel::DOMAIN	TASK-8-Demo	-	-	-
#close	2022-11-29-01-10-33

Investigate the http.log file. What is the name of the downloaded .exe file?

ubuntu@ip-10-10-218-60:~/Desktop/Exercise-Files/TASK-8$ cat http.log | zeek-cut uri

Investigate the case1.pcap file with hash-demo.zeek script. Investigate the files.log file.

zeek -C -r case1.pcap hash-demo.zeek

What is the MD5 hash of the downloaded .exe file?

ubuntu@ip-10-10-218-60:~/Desktop/Exercise-Files/TASK-8$ cat files.log | zeek-cut md5
cc28e40b46237ab6d5282199ef78c464  <=

Investigate the case1.pcap file with file-extract-demo.zeek script.

zeek -C -r case1.pcap /opt/zeek/share/zeek/policy/frameworks/files/extract-all-files.zeek

Investigate the extract_files folder. Review the contents of the text file. What is written in the file?

ubuntu@ip-10-10-218-60:~/Desktop/Exercise-Files/TASK-8/extract_files$ file * | nl
     1	extract-1561667874.743959-HTTP-Fpgan59p6uvNzLFja:  ASCII text, with no line terminators
     2	extract-1561667889.703239-HTTP-FB5o2Hcauv7vpQ8y3:  Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, Code page: 1252, Template: Normal.dotm, Last Saved By: Administrator, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Jun 27 18:24:00 2019, Last Saved Time/Date: Thu Jun 27 18:24:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
     3	extract-1561667899.060086-HTTP-FOghls3WpIjKpvXaEl: PE32 executable (GUI) Intel 80386, for MS Windows
ubuntu@ip-10-10-218-60:~/Desktop/Exercise-Files/TASK-8/extract_files$ cat extract-1561667874.743959-HTTP-Fpgan59p6uvNzLFja
Microsoft NCSI