h05am10
  • Write-ups
    • CyberDefenders
      • Threat Hunting
        • ShadowRoast
        • T1110-003
        • Kerberoasted
        • REvil
      • Network Forensics
        • T1594
        • BlueSky Ransomware
        • Tomcat Takeover
Powered by GitBook
On this page
  • Scenario
  • Incident Walkthrough
  1. Write-ups
  2. CyberDefenders
  3. Network Forensics

T1594

PreviousNetwork ForensicsNextBlueSky Ransomware

Last updated 6 months ago

Scenario

Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: Email Addresses). These sites may also have details highlighting business operations and relationships.

Adversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Technical Databases), establishing operational resources (ex: Establish Accounts or Compromise Accounts), and/or initial access (ex: Trusted Relationship or Phishing).

Incident Walkthrough

We have Zeek logs, and we will use ZUI to investigate this incident.

ZUI (Zeek User Interface) is a web-based interface designed for visualizing and analyzing Zeek (formerly Bro) logs. It provides users with intuitive tools for querying, filtering, and displaying network traffic data, helping analysts to identify patterns, anomalies, and security incidents effectively.

First, let's gather what type of logs we have.

Q1- Loading Zeek logs in Brim Security. How many HTTP requests are there?

Answer: 3667

We started to check which IP performed the most requests to the web server shop.cyberdefenders.corp to begin our investigation.

The IP address with the most requests is 165.18.197.227 , so we will begin the investigation with it.

Upon further investigation, we found that this IP performed directory brute-forcing due to the low time between each request and the different directories accessed.

He managed to access 1,483 pages with a status code of 200.

Q2- What is the domain of the targeted website?

Answer: shop.cyberdefenders.corp
Q4- How many web pages the attacker was able to access?

Answer: 1483

I checked the User-Agent and the requests to identify the tool he was using, but that didn't yield any results. So, I examined the DNS requests, which revealed that he was using Burp Suite

Burp Suite is a popular integrated platform for performing security testing of web applications. It provides a range of tools, including an intercepting proxy, web crawler, scanner, and intruder, allowing security professionals to analyze web application security vulnerabilities, manipulate requests, and automate attacks. Burp Suite is widely used by penetration testers and security researchers to identify and exploit weaknesses in web applications.

Q3- What is the tool used by the attacker to crawl the website?

Answer: burp suite

The attacker didn't do much beyond reconnaissance and discovery.

To answer the question about the browser the attacker used, we can check the User-Agent.

Q5- What is the browser used by the attacker? (Format: Browser_Name Version)

Answer: firefox 78

To determine how many bytes the attacker sent, we can check the connection logs and look for the sum of orig_bytes.

Q6- How many bytes are sent by the attacker?

Answer: 1380285

I hope you enjoyed :)