cheat sheet -> https://github.com/corelight/zeek-cheatsheets/blob/master/Corelight-Zeek-Cheatsheets-3.0.4.pdf

### Setting up zeek

docker pull zeek/zeek:latest

docker run -v $(pwd):/mnt -it zeek/zeek sh

The directory holding Capture.pcap is mounted at /mnt inside the container; every log path below is relative to /mnt.

### Enumeration

zeek -C -r Capture.pcap local

-C ignores bad TCP checksums (common in pcaps taken on hosts with checksum offloading; without it Zeek drops those packets), -r reads the pcap, and local loads site/local.zeek. The logs (conn.log, ssh.log, http.log, ftp.log, files.log, ...) land in the current directory.

![[Pasted image 20231213132310.png]]

cat ssh.log | zeek-cut client | sort -u

![[Pasted image 20231213174443.png]]

cat ssh.log | zeek-cut id.orig_h | sort | uniq -c | sort -n

![[Pasted image 20231213175212.png]]

### Setting zeek-grep

alias zeek-grep='grep -e "^#" -e'

The first -e keeps the #-prefixed header lines (#separator, #fields, ...) in the output, so zeek-cut can still resolve column names after a filter; the pattern given on the command line becomes the second -e.

![[Pasted image 20231213175244.png]]

### HTTP logs

cat http.log | zeek-cut user_agent | sort | uniq -c | sort -n

![[Pasted image 20231213180206.png]]

Wget looks fishy.

cat http.log | zeek-grep Wget | zeek-cut id.orig_h id.resp_h uri user_agent
172.31.39.46    13.233.179.35   /PKCampaign/Targets/Forela/Ransomware2_server.zip       Wget/1.21.2

http://13.233.179.35/PKCampaign/Targets/Forela/Ransomware2_server.zip

### FTP log

less -S ftp.log

![[Pasted image 20231213182143.png]]

By default Zeek does not log FTP passwords: the password field in ftp.log is written as `<hidden>`. ![[Pasted image 20231213182251.png]]

Editing /usr/local/zeek/share/zeek/base/protocols/ftp/main.zeek:

deleted the line that substitutes `<hidden>` for the password, then ran again

zeek -C -r Capture.pcap local

The supported way to get the same result without patching the base scripts is to add `redef FTP::default_capture_password = T;` to local.zeek; the `<hidden>` substitution in main.zeek is guarded by that constant.

![[Pasted image 20231213182639.png]]

now we can see the passwords.

root@53ef41d5da39:/mnt# cat ftp.log | zeek-cut user password | sort | uniq -c | sort -n
      6 tony.shephard   Summer2023!
     41 abdullah.yasin  XhlhGame_90HJLDASxfd&hoooad

Another edit in ftp/main.zeek to also log the failed logins, i.e. the wrong passwords tried by the attacker (by default USER/PASS are not in `FTP::logged_commands`, so ftp.log only carries the credentials of a session that went on to issue a logged command such as RETR; adding `PASS` to `FTP::logged_commands` via redef in local.zeek gives every PASS its own row with the server's reply_code, 230 accepted / 530 rejected).

![[Pasted image 20231213190959.png]]

### Password spray

cat ftp.log | zeek-cut user password | sort | uniq -c | sort -n

![[Pasted image 20231213191255.png]] now we can see the password spray
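The two things done above by hand, the `zeek-cut FIELD | sort | uniq -c` pivot and reading the spray out of the per-user/per-password counts in ftp.log, as an added example that is not code from this note or from Zeek. It parses Zeek's ASCII log format directly (the `#separator`, `#fields`, `#unset_field` and `#empty_field` headers, which is why zeek-grep has to keep the `#` lines), and it separates a spray (one password, many users) from a brute force (many passwords, one user). `SAMPLE_FTP_LOG` is constructed with a trimmed `#fields` line; its IPs, user names and passwords are made up, and it assumes PASS replies are being logged (PASS in `FTP::logged_commands`, `FTP::default_capture_password = T`).

```python
"""Read Zeek ASCII logs without zeek-cut and pivot on ftp.log (added example)."""
from collections import Counter, defaultdict


def parse_zeek_log(text):
    """Return the data rows of a Zeek ASCII log as dicts keyed by #fields.

    Honours #separator, #fields, #unset_field and #empty_field. A grep over a
    log must keep the '#' header lines: without #fields nothing names the columns.
    """
    sep, fields, unset, empty = "\t", None, "-", "(empty)"
    rows = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # written by Zeek as "#separator \x09", a literal backslash sequence
            sep = line[len("#separator "):].encode().decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, *vals = line[1:].split(sep)
            if key == "fields":
                fields = vals
            elif key == "unset_field":
                unset = vals[0]
            elif key == "empty_field":
                empty = vals[0]
            continue  # #types, #path, #open, #close are not needed here
        vals = line.split(sep)
        rows.append({f: (None if v == unset else "" if v == empty else v)
                     for f, v in zip(fields, vals)})
    return rows


def count_by(rows, field):
    """Same numbers as: zeek-cut FIELD | sort | uniq -c"""
    return Counter(r[field] for r in rows if r.get(field) is not None)


def login_attempts(rows):
    """Yield (orig_h, user, password, accepted) for every logged PASS reply.

    FTP reply 230 means the login was accepted, 530 means it was rejected.
    """
    for r in rows:
        if r.get("command") == "PASS":
            yield r["id.orig_h"], r["user"], r["password"], r["reply_code"] == "230"


def classify_sources(rows, min_users=3, min_passwords=3):
    """Label each source with failed logins as spray, bruteforce or noise and
    return the credentials that were eventually accepted, per source."""
    users, passwords = defaultdict(set), defaultdict(set)
    failed, accepted = Counter(), defaultdict(list)
    for src, user, pw, ok in login_attempts(rows):
        if ok:
            accepted[src].append((user, pw))
        else:
            failed[src] += 1
            users[src].add(user)
            passwords[src].add(pw)
    verdict = {}
    for src in failed:
        if len(users[src]) >= min_users and len(passwords[src]) < len(users[src]):
            verdict[src] = "spray"       # few passwords tried against many users
        elif len(passwords[src]) >= min_passwords:
            verdict[src] = "bruteforce"  # many passwords against few users
        else:
            verdict[src] = "noise"
    return verdict, dict(accepted)


def _row(ts, src, user, pw, cmd, code, msg):
    # ts id.orig_h id.orig_p id.resp_h id.resp_p user password command arg reply_code reply_msg
    return "\t".join([ts, src, "51000", "10.0.0.5", "21", user, pw, cmd, "-", code, msg])


# Constructed ftp.log with a trimmed #fields line; all addresses and credentials are made up.
SAMPLE_FTP_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tftp",
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tuser\tpassword\tcommand\targ\treply_code\treply_msg",
    # 203.0.113.10 sprays one password across four accounts; one of them works
    _row("1679396300.1", "203.0.113.10", "alice", "Winter2023!", "PASS", "530", "Login incorrect."),
    _row("1679396301.2", "203.0.113.10", "bob", "Winter2023!", "PASS", "530", "Login incorrect."),
    _row("1679396302.3", "203.0.113.10", "carol", "Winter2023!", "PASS", "230", "Login successful."),
    _row("1679396303.4", "203.0.113.10", "dave", "Winter2023!", "PASS", "530", "Login incorrect."),
    _row("1679396310.0", "203.0.113.10", "carol", "Winter2023!", "RETR", "226", "Transfer complete."),
    # 198.51.100.7 brute-forces a single account
    _row("1679396400.1", "198.51.100.7", "abdullah", "pw1", "PASS", "530", "Login incorrect."),
    _row("1679396400.2", "198.51.100.7", "abdullah", "pw2", "PASS", "530", "Login incorrect."),
    _row("1679396400.3", "198.51.100.7", "abdullah", "pw3", "PASS", "530", "Login incorrect."),
    _row("1679396400.4", "198.51.100.7", "abdullah", "pw4", "PASS", "230", "Login successful."),
    # a single typo from an internal host
    _row("1679396500.0", "192.0.2.9", "eve", "oops", "PASS", "530", "Login incorrect."),
    "#close\t2023-03-21-11-30-00",
])


if __name__ == "__main__":
    rows = parse_zeek_log(SAMPLE_FTP_LOG)
    for src, n in count_by(rows, "id.orig_h").most_common():
        print(f"{n:7d} {src}")
    verdict, accepted = classify_sources(rows)
    for src, label in verdict.items():
        print(src, label, "accepted:", accepted.get(src, []))
```

Point it at a real log with `parse_zeek_log(open("ftp.log").read())`; the thresholds are deliberately low for the sample and should be raised for a busy server.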

### Attacker IPs

cat ftp.log | zeek-cut id.orig_h | sort | uniq -c | sort -n   

![[Pasted image 20231213191508.png]]

3.109.209.43
120.78.199.189
root@53ef41d5da39:/mnt# grep 120.78.199.189 *.log | awk -F: '{print $1}' | sort -n | uniq -c
    932 conn.log
    930 ftp.log
root@53ef41d5da39:/mnt# grep 3.109.209.43 *.log | awk -F: '{print $1}' | sort -n | uniq -c
  65641 conn.log
      3 dns.log
     34 files.log
    191 ftp.log
      2 ssh.log

### IPs of interest

3.109.209.43 120.78.199.189

cat dns.log | zeek-grep 3.109.209.43 | zeek-cut id.orig_h id.resp_h query
172.31.39.46    172.31.0.2      43.209.109.3.in-addr.arpa
172.31.39.46    172.31.0.2      ec2-3-109-209-43.ap-south-1.compute.amazonaws.com
172.31.39.46    172.31.0.2      ec2-3-109-209-43.ap-south-1.compute.amazonaws.com

### Q2 -> time when the attacker started the attack

cat conn.log | zeek-cut id.orig_h | sort | uniq -c | sort -n

![[Pasted image 20231213230938.png]] 3.109.209.43 made the most connections to the target.

cat conn.log | zeek-grep 3.109.209.43 | zeek-cut ts id.orig_h id.resp_p | tail -1
1679397942.571299       3.109.209.43    22

date -d @1679397942.571299
Tue Mar 21 11:25:42 UTC 2023

Caveat: conn.log rows are written when a connection ends, not when it starts, so the file is not sorted by ts and `tail -1` is only the last row to be flushed (here one to port 22). The earliest contact from that IP is `cat conn.log | zeek-grep 3.109.209.43 | zeek-cut ts | sort -n | head -1`; the FTP and port-knock times found below are all earlier than 11:25:42.

### Making changes to local.zeek to extract files

/usr/local/zeek/share/zeek/site/local.zeek

root@53ef41d5da39:/usr/local/zeek/share/zeek# find . | grep extract
./base/files/extract
./base/files/extract/main.zeek
./base/files/extract/__load__.zeek
./policy/protocols/http/var-extraction-uri.zeek
./policy/protocols/http/var-extraction-cookies.zeek
./policy/frameworks/intel/seen/smtp-url-extraction.zeek
./policy/frameworks/files/extract-all-files.zeek
./policy/tuning/defaults/extracted_file_limits.zeek

added the @load line for policy/frameworks/files/extract-all-files (the script from the find above; it attaches the extraction analyzer to every file Zeek sees and writes them to extract_files/ in the working directory) to local.zeek ![[Pasted image 20231214003923.png]]

also copied local.zeek to custom.zeek; `zeek ... custom` loads site/custom.zeek the same way `local` loads site/local.zeek

cp local.zeek custom.zeek
zeek -C -r Capture.pcap custom

![[Pasted image 20231214004205.png]]

now we have a folder -> extract_files (file names are extract-<ts>-<source>-<fuid>, so the fuid from http.log/files.log is the key to find a file)

cat http.log | zeek-grep Wget | less -S

![[Pasted image 20231214004523.png]]

ls extract_files/ | grep FM4a5p1MGD3XkvhPU7

extract-1679398954.413587-HTTP-FM4a5p1MGD3XkvhPU7

![[Pasted image 20231214004747.png]]

the file was 100M, maybe that's the reason my unzip failed

but running 7z l on the file I was able to get the ransomware name -> gonnacry

7z l extract-1679398954.413587-HTTP-FM4a5p1MGD3XkvhPU7

![[Pasted image 20231214005044.png]]

### Finding more file uids via ftp.log

cat ftp.log  | zeek-grep RETR| zeek-cut command arg fuid

![[Pasted image 20231214005925.png]]

1. .backup
cat *FgMmRQ11qkbBo3KqNd*
[options]
      UseSyslog

[FTP-INTERNAL]
      sequence    = 29999,50234,45087
      seq_timeout = 5
      command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 24456 -j ACCEPT
      tcpflags    = syn


# Creds for the other backup server abdullah.yasin:XhlhGame_90HJLDASxfd&hoooad

This is a knockd config: a SYN to 29999, then 50234, then 45087, in that order and within 5 seconds, runs the iptables command with %IP% replaced by the knocking address, which opens TCP 24456 for that IP only. That is why 24456 shows up below as the "critical service" port and why the knock sequence is visible in conn.log.

2. fetch.sh
cat *FFyvQZ69UFh3EsEbj*
#!/bin/bash

# Define variables
DB_HOST="3.13.65.234"
DB_PORT="3306"
DB_USER="tony.shephard"
DB_PASSWORD="GameOfthronesRocks7865!"
DB_NAME="Internal_Tasks"
QUERY="SELECT * FROM Tasks;"

# Execute query and store result in a variable
RESULT=$(mysql -h $DB_HOST -P $DB_PORT -u $DB_USER -p$DB_PASSWORD $DB_NAME -e "$QUERY")

# Print the result
echo "$RESULT"

(hard-coded MySQL credentials for tony.shephard against 3.13.65.234:3306)

3. .archived.sql ![[Pasted image 20231214010831.png]]

4. reminder.txt

cat *FMuQD02uu7Nf3AdPpi*
I am so stupid and dump, i keep forgetting about Forela CEO Happy grunwald visiting Pakistan to start the buisness operations here.I have so many tasks to complete so there are no problems once the Forela Office opens here in Lahore. I am writing this note and placing it on all my remote servers where i login almost daily, just so i dont make a fool of myself and get the urgent tasks done.He is to arrive in my city on 8 march 2023 :))i am finally so happy that we are getting a physical office opening here.

5. /etc/passwd ![[Pasted image 20231214012427.png]]

6. ./Tasks to get Done.docx ![[Pasted image 20231214015725.png]]

7. .reminder

A reminder to clean up the github repo. Some sensitive data could have been leaked from there

### Creds

tony.shephard:Summer2023! (ftp.log)
abdullah.yasin:XhlhGame_90HJLDASxfd&hoooad (ftp.log, also in the comment in .backup)
tony.shephard:GameOfthronesRocks7865! (DB_PASSWORD in fetch.sh)
abdullah:yiobkod0986Y[adij@IKBDS
### Port 24456 (opened by the knock)

First appearance of the knocked-open port across all logs:

grep 24456 *.log | less -S

![[Pasted image 20231214011831.png]]

date -d @1679396372.918302
Tue Mar 21 10:59:32 UTC 2023
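The knock-then-access logic from the .backup (knockd) config above and the "when did it start" question from Q2, as an added example that is not code from this note, from Zeek or from knockd. Given conn.log-style (ts, id.orig_h, id.resp_p) records it reports, per source, when the sequence 29999, 50234, 45087 was completed within seq_timeout and the first connection to the opened port 24456 after that, and it takes the earliest ts per source for the attack start instead of the last line of the file. `CONN_RECORDS` is constructed; its addresses and timestamps are made up, and the timeout handling is a simplified model of knockd (an out-of-order or late knock resets the sequence).

```python
"""Find the knockd sequence and first use of the opened port in conn.log data (added example)."""
from datetime import datetime, timezone

KNOCK_SEQUENCE = (29999, 50234, 45087)  # sequence = ... in [FTP-INTERNAL]
SEQ_TIMEOUT = 5.0                       # seq_timeout = 5
OPENED_PORT = 24456                     # --dport 24456 in the iptables command

# Constructed (ts, id.orig_h, id.resp_p) tuples, as zeek-cut would print them from conn.log.
CONN_RECORDS = [
    (1679396290.0, "203.0.113.10", 21),     # earlier FTP on the normal port
    (1679396330.2, "203.0.113.10", 29999),  # knock 1
    (1679396331.0, "203.0.113.10", 50234),  # knock 2
    (1679396331.9, "203.0.113.10", 45087),  # knock 3 -> port opens for this IP
    (1679396372.9, "203.0.113.10", 24456),  # first use of the opened port
    (1679396400.0, "198.51.100.7", 29999),
    (1679396401.0, "198.51.100.7", 45087),  # wrong order: sequence resets
    (1679396402.0, "198.51.100.7", 50234),
    (1679396500.0, "198.51.100.7", 24456),  # touches the port without a valid knock
    (1679396600.0, "192.0.2.9", 29999),
    (1679396610.0, "192.0.2.9", 50234),     # 10 s after the first knock: timed out
    (1679396611.0, "192.0.2.9", 45087),
]


def utc(ts):
    """Same conversion as `date -u -d @ts`."""
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def find_knocks(records, sequence=KNOCK_SEQUENCE, timeout=SEQ_TIMEOUT):
    """Return {src: ts of the completing knock} for sources that sent the whole
    sequence in order within `timeout` seconds of their first knock."""
    state = {}  # src -> (index of next expected port, ts of first knock)
    done = {}
    for ts, src, port in sorted(records):
        if port not in sequence:
            continue  # knockd only watches the ports in the sequence
        idx, start = state.get(src, (0, None))
        if idx and ts - start > timeout:
            idx, start = 0, None  # too slow: start over
        if port == sequence[idx]:
            if idx == 0:
                start = ts
            idx += 1
            if idx == len(sequence):
                done.setdefault(src, ts)
                idx, start = 0, None
        else:
            # out-of-order knock resets; it may itself be a fresh first knock
            idx, start = (1, ts) if port == sequence[0] else (0, None)
        state[src] = (idx, start)
    return done


def first_use_of_port(records, port=OPENED_PORT):
    """Earliest connection to the opened port, per source."""
    first = {}
    for ts, src, p in sorted(records):
        if p == port:
            first.setdefault(src, ts)
    return first


def attack_start(records):
    """Earliest ts per source: conn.log is not time-ordered, so never use tail -1."""
    first = {}
    for ts, src, _ in sorted(records):
        first.setdefault(src, ts)
    return first


def knock_then_access(records):
    """Sources whose knock completed and who then connected to the opened port."""
    knocks, opened = find_knocks(records), first_use_of_port(records)
    return {src: (knocks[src], opened[src])
            for src in knocks if src in opened and opened[src] >= knocks[src]}


if __name__ == "__main__":
    for src, (knock, access) in knock_then_access(CONN_RECORDS).items():
        print(f"{src}: knock completed {utc(knock)}, first access to {OPENED_PORT} {utc(access)}")
    for src, ts in attack_start(CONN_RECORDS).items():
        print(f"{src}: first seen {utc(ts)}")
```

To run it on the real capture, build the tuples from `zeek-cut ts id.orig_h id.resp_p < conn.log` (or with a Zeek log parser) and cast ts to float and the port to int; 198.51.100.7 in the sample is the case to look for in practice, a host reaching 24456 without a valid knock, which would mean the port was open for another reason.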

### Port running the critical service

root@53ef41d5da39:/mnt# cat ftp.log  | zeek-grep RETR| zeek-cut id.resp_p command arg fuid 
21      RETR    ftp://172.31.39.46/./.backup    FgMmRQ11qkbBo3KqNd
21      RETR    ftp://172.31.39.46/./fetch.sh   FFyvQZ69UFh3EsEbj
24456   RETR    ftp://172.31.39.46/./.archived.sql      Fjikrz1twh8YRR8H34
24456   RETR    ftp://172.31.39.46/./Tasks to get Done.docx     FYD8L514rIoyQiOZZ3

24456

finding the UTC time for the above (screenshot):

![[Pasted image 20231214014051.png]]

date -d @1679396330.288134
Tue Mar 21 10:58:50 UTC 2023

### UTC time when the attacker got access to the critical service

cat ftp.log | zeek-grep 3.109.209.43 | grep abdul | less -S

![[Pasted image 20231214014757.png]] login-successful time

date -d @1679396401.595583
Tue Mar 21 11:00:01 UTC 2023

### OSINT to get the ssh password

clues -> ![[Pasted image 20231214020337.png]] Forela.

and .reminder file ->

A reminder to clean up the github repo. Some sensitive data could have been leaked from there

https://github.com/forela-finance/forela-dev/

In the commits I found the password -> ![[Pasted image 20231214020525.png]]

YHUIhnollouhdnoamjndlyvbl398782bapd

![[Pasted image 20231214020601.png]]