T1594 Lab

Q1) Loading Zeek logs in Brim Security. How many HTTP requests are there?

-> Open all the Zeek log files in Zui.

-> Right-click the field and choose "Count by field".

Answer: 3667

Q2) What is the domain of the targeted website?

_path=="http" | count() by host

Answer: shop.cyberdefenders.corp

Q3) What is the tool used by the attacker to crawl the website?

count() by id.orig_h

Attacker IP with most requests: 165.18.197.227

id.orig_h==165.18.197.227 | _path=="dns"

Answer: Burp Suite

Q4) How many web pages was the attacker able to access?

id.orig_h==165.18.197.227 | _path=="http" | count() by status_code

Answer: 1483

Q5) What is the browser used by the attacker? (Format: Browser_Name Version)

id.orig_h==165.18.197.227 | _path=="http" | count() by user_agent

Answer: Firefox 78

Q6) How many bytes are sent by the attacker?

id.orig_h==165.18.197.227 | _path=="conn" | sum(orig_bytes)

Answer: 1380285
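The same pivots done outside Brim, as an added example that is not part of the original writeup: a small Python script that runs the filter, `count() by`, and `sum()` steps above over Zeek logs exported as JSON lines. The sample records, IPs and hostname are constructed for the demo, and the `_path` field (which Brim adds when it imports Zeek logs) is assumed to be present.

```python
import json
from collections import Counter

# Constructed sample Zeek records in JSON-lines form (not the lab's real logs).
# "_path" names the Zeek log each record came from, as Brim/Zui tags it.
SAMPLE_LOGS = """\
{"_path":"http","id.orig_h":"10.0.0.5","host":"shop.example.test","status_code":200,"user_agent":"Mozilla/5.0 Firefox/78.0"}
{"_path":"http","id.orig_h":"10.0.0.5","host":"shop.example.test","status_code":404,"user_agent":"Mozilla/5.0 Firefox/78.0"}
{"_path":"http","id.orig_h":"10.0.0.9","host":"shop.example.test","status_code":200,"user_agent":"curl/7.68.0"}
{"_path":"dns","id.orig_h":"10.0.0.5","query":"shop.example.test"}
{"_path":"conn","id.orig_h":"10.0.0.5","orig_bytes":1200,"resp_bytes":5000}
{"_path":"conn","id.orig_h":"10.0.0.5","orig_bytes":300,"resp_bytes":900}
{"_path":"conn","id.orig_h":"10.0.0.9","orig_bytes":50,"resp_bytes":100}
"""


def load_records(text):
    """Parse Zeek JSON-lines output into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def select(records, filters):
    """Keep records whose fields equal every filter value (like `a=="x" | b=="y"` in Zed)."""
    return [r for r in records if all(r.get(k) == v for k, v in filters.items())]


def count_by(records, field):
    """Equivalent of `count() by <field>`; records lacking the field are ignored."""
    return Counter(r[field] for r in records if field in r)


def sum_field(records, field):
    """Equivalent of `sum(<field>)`; unset values contribute nothing."""
    return sum(r.get(field, 0) for r in records)


def top_talker(records):
    """Source IP with the most HTTP requests (the Q3 pivot), or None if there are none."""
    counts = count_by(select(records, {"_path": "http"}), "id.orig_h")
    return counts.most_common(1)[0][0] if counts else None


def bytes_sent_by(records, ip):
    """Total orig_bytes in conn records from one source IP (the Q6 pivot)."""
    return sum_field(select(records, {"_path": "conn", "id.orig_h": ip}), "orig_bytes")


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOGS)
    ip = top_talker(recs)
    print("HTTP requests:", len(select(recs, {"_path": "http"})))
    print("Top talker:", ip, "status codes:",
          dict(count_by(select(recs, {"_path": "http", "id.orig_h": ip}), "status_code")))
    print("Bytes sent by top talker:", bytes_sent_by(recs, ip))
```

To use it on a real capture, pass the contents of Zeek's JSON logs to `load_records`, adding a `_path` field per file if the export lacks one.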
