Analyzing PCAP with Zeek - HTB Sherlocks - KnockKnock

00:00 - Going over the Scenario
01:30 - Talking about why I'm using Zeek and running it in a docker
05:20 - Showing a Corelight Zeek Cheat Sheet, which is tremendously helpful
08:00 - Showing Zeek-Cut on the x509 log, then looking at the SSL Log
11:50 - Looking for a single IP that sent multiple SSH Banners
13:20 - Creating an alias for zeek-grep (alias zeek-grep='grep -e "^#" -e'), which lets us easily filter logs
17:00 - Looking at the HTTP Log, discovering a wget downloading ransomware
21:10 - Looking at the FTP Log, and showing the passwords are hidden. Editing the Zeek Config to unmask the password
24:30 - Editing the FTP Logged commands to add PASS so we see failed logins too
34:10 - Using the DNS Log to see that our attacker was likely using Amazon EC2
36:15 - Looking at how many connections each IP made, discovering our attacker doing a port scan; using date -d @epoch to convert to human readable time
42:30 - Editing our zeek config to also extrac