NerisBot Lab
First, let's see the available indexes.
| eventcount summarize=false index=*
| table index

# OR: from Settings -> Indexes in the Splunk web UI.

Next, let's see the sourcetypes that we have.
| metadata type=sourcetypes

Q1) Can you identify the IP address from which the initial unauthorized access originated?
index=* sourcetype=suricata
| stats values(dest_ip) values(http.hostname) values(http.url) by src_ip

Answer: 195.88.191.59
Q2) What is the domain name of the attacker server?

Answer: nocomcom.com
Q3) What is the IP address of the system that was targeted in this breach?

Answer: 147.32.84.165
Q4) Identify all the unique files downloaded to the compromised host. How many of these files could potentially be malicious?

Answer: 5
Q5) What is the sha256 hash of the malicious file disguised as a txt file?
index=* sourcetype=zeek:files tx_hosts="195.88.191.59"
| join left=L right=R where L.seen_bytes=R.bytes
[search index=* sourcetype=suricata src_ip=147.32.84.165 dest_ip=195.88.191.59 url=* ]
| table L.md5, L.sha1, R.url

Let's search for the sha1 on VirusTotal to get the sha256.

Answer: 6fbc4d506f4d4e0a64ca09fd826408d3103c1a258c370553583a07a4cb9a6530
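The Q5 join above (Zeek files.log records served by the attacker IP, matched to Suricata HTTP requests from the victim by transferred size) can be reproduced outside Splunk. The Python below is an added example, not part of the lab page: it correlates the two log sources the same way and then goes one step further than the page by flagging a URL that ends in .txt but whose Zeek-sniffed mime_type is not text, which is one way to spot the "disguised" download. The records, hashes and sizes are constructed placeholders, not values from the lab.

```python
# Added example: correlate Zeek files.log with Suricata HTTP events by byte count,
# mirroring the SPL "join left=L right=R where L.seen_bytes=R.bytes" (inner join).
from collections import defaultdict

# Constructed sample records; field names follow Zeek files.log and Suricata eve.json.
# Hashes and sizes are placeholders, not the lab's real values.
ZEEK_FILES = [
    {"tx_hosts": "195.88.191.59", "seen_bytes": 1024, "mime_type": "text/plain",
     "md5": "md5-placeholder-1", "sha1": "sha1-placeholder-1"},
    {"tx_hosts": "195.88.191.59", "seen_bytes": 98304, "mime_type": "application/x-dosexec",
     "md5": "md5-placeholder-2", "sha1": "sha1-placeholder-2"},
    {"tx_hosts": "10.0.0.5", "seen_bytes": 512, "mime_type": "text/html",
     "md5": "md5-placeholder-3", "sha1": "sha1-placeholder-3"},
]
SURICATA_HTTP = [
    {"src_ip": "147.32.84.165", "dest_ip": "195.88.191.59", "url": "/readme.txt", "bytes": 1024},
    {"src_ip": "147.32.84.165", "dest_ip": "195.88.191.59", "url": "/update.txt", "bytes": 98304},
    {"src_ip": "147.32.84.165", "dest_ip": "195.88.191.59", "url": "/index.html", "bytes": 777},
]


def correlate(zeek_files, http_events, attacker_ip, victim_ip):
    """Inner-join Zeek files served by attacker_ip to Suricata HTTP requests
    from victim_ip to attacker_ip, matching on the number of bytes transferred."""
    urls_by_bytes = defaultdict(list)
    for ev in http_events:
        if ev["src_ip"] == victim_ip and ev["dest_ip"] == attacker_ip and ev.get("url"):
            urls_by_bytes[ev["bytes"]].append(ev["url"])
    rows = []
    for f in zeek_files:
        if f["tx_hosts"] != attacker_ip:  # tx_hosts is a set in Zeek; a string here
            continue
        for url in urls_by_bytes.get(f["seen_bytes"], []):  # no match -> row dropped
            rows.append({"md5": f["md5"], "sha1": f["sha1"],
                         "url": url, "mime_type": f["mime_type"]})
    return rows


def disguised_downloads(rows):
    """Flag rows whose URL claims a .txt file but whose sniffed MIME type is not text.
    This extension/MIME check is an assumption added here, not part of the lab query."""
    return [r for r in rows
            if r["url"].lower().endswith(".txt") and not r["mime_type"].startswith("text/")]


if __name__ == "__main__":
    joined = correlate(ZEEK_FILES, SURICATA_HTTP, "195.88.191.59", "147.32.84.165")
    for row in joined:
        print(row)
    print("disguised:", disguised_downloads(joined))
```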