NerisBot Lab

First, let's see the available indexes.

| eventcount summarize=false index=* 
| table index

Alternatively, go to Settings -> Indexes in the Splunk UI.

Next, let's see the sourcetypes that we have.

| metadata type=sourcetypes

Q1) Can you identify the IP address from which the initial unauthorized access originated?

index=* sourcetype=suricata
| stats values(dest_ip) values(http.hostname) values(http.url) by src_ip

Answer: 195.88.191.59

Q2) What is the domain name of the attacker server?

Answer: nocomcom.com

Q3) What is the IP address of the system that was targeted in this breach?

Answer: 147.32.84.165

Q4) Identify all the unique files downloaded to the compromised host. How many of these files could potentially be malicious?

Answer: 5

Q5) What is the sha256 hash of the malicious file disguised as a txt file?

index=* sourcetype=zeek:files tx_hosts="195.88.191.59" 
| join left=L right=R where L.seen_bytes=R.bytes
    [search index=* sourcetype=suricata src_ip=147.32.84.165 dest_ip=195.88.191.59 url=* ]
| table L.md5, L.sha1, R.url

Zeek's files log only records the MD5 and SHA1, so let's search VirusTotal by the SHA1 to get the SHA256.

Answer: 6fbc4d506f4d4e0a64ca09fd826408d3103c1a258c370553583a07a4cb9a6530
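The join above pairs a Zeek file record with the Suricata HTTP request that delivered it by matching the byte count. As an added example that is not part of the original lab, the same correlation done offline in Python, plus the check that actually identifies the "disguised" file: a URL ending in .txt whose Zeek-sniffed MIME type is an executable. All records and hashes below are constructed placeholders; the CIM-style field names (src_ip, dest_ip, url, bytes) follow the page's search.

```python
"""Offline Q5 correlation: Zeek seen_bytes == Suricata bytes for flows from
the attacker host, then flag .txt URLs whose content is executable.
Sample records are constructed; hashes are placeholders."""
import json
import posixpath
from urllib.parse import urlparse

# Constructed Zeek files.log records (JSON output) for files sent by the attacker host.
ZEEK_FILES = [
    json.dumps({"tx_hosts": ["195.88.191.59"], "rx_hosts": ["147.32.84.165"],
                "seen_bytes": 224256, "mime_type": "application/x-dosexec",
                "md5": "MD5_PLACEHOLDER_A", "sha1": "SHA1_PLACEHOLDER_A"}),
    json.dumps({"tx_hosts": ["195.88.191.59"], "rx_hosts": ["147.32.84.165"],
                "seen_bytes": 1834, "mime_type": "text/plain",
                "md5": "MD5_PLACEHOLDER_B", "sha1": "SHA1_PLACEHOLDER_B"}),
]
# Constructed Suricata HTTP records as Splunk presents them (CIM field names).
SURICATA_HTTP = [
    json.dumps({"src_ip": "147.32.84.165", "dest_ip": "195.88.191.59",
                "url": "http://nocomcom.com/tmp/readme.txt", "bytes": 224256}),
    json.dumps({"src_ip": "147.32.84.165", "dest_ip": "195.88.191.59",
                "url": "http://nocomcom.com/tmp/notes.txt", "bytes": 1834}),
]
EXEC_MIMES = {"application/x-dosexec", "application/x-executable", "application/x-elf"}

def correlate(zeek_lines, suricata_lines, attacker_ip):
    """Return [(md5, sha1, url, mime_type, disguised)] for files sent by attacker_ip.
    disguised is True when the URL says .txt but Zeek sniffed an executable."""
    by_size = {}  # bytes -> URLs requested from the attacker host (the R side of the join)
    for line in suricata_lines:
        r = json.loads(line)
        if r.get("dest_ip") == attacker_ip and "url" in r:
            by_size.setdefault(r["bytes"], []).append(r["url"])
    out = []
    for line in zeek_lines:  # the L side: Zeek file records with tx_hosts == attacker
        f = json.loads(line)
        if attacker_ip not in f.get("tx_hosts", []):
            continue
        for url in by_size.get(f["seen_bytes"], []):
            ext = posixpath.splitext(urlparse(url).path)[1].lower()
            disguised = ext == ".txt" and f.get("mime_type") in EXEC_MIMES
            out.append((f["md5"], f["sha1"], url, f.get("mime_type"), disguised))
    return out

if __name__ == "__main__":
    for row in correlate(ZEEK_FILES, SURICATA_HTTP, "195.88.191.59"):
        print(row)
```

Matching on size alone can produce false pairings when two transfers happen to be the same length, so confirm a hit against the timestamps or the connection uid before trusting it.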
