00:00 - Going over the Scenario
01:30 - Talking about why I'm using Zeek and running it in a docker
05:20 - Showing a Corelight Zeek Cheat Sheet, which is tremendously helpful
08:00 - Showing Zeek-Cut on the x509 log, then looking at the SSL Log
11:50 - Looking for a single IP that sent multiple SSH Banners
13:20 - Creating an alias for zeek-grek (alias zeek-grep='grep -e "^#" -e'), which lets us easily filter logs
17:00 - Looking at the HTTP Log, discovering a wget downloading ransomware
21:10 - Looking at the FTP Log, and showing the passwords are hidden. Editing the Zeek Config to unmask the password
24:30 - Editing the FTP Logged commands to add PASS so we see failed logins too
34:10 - Using the DNS Log to see that our attacker was likely using Amazon EC2
36:15 - Looking at how many connections each IP made, discovering our attacker doing a port scan using date -d @epoch to convert to human readable time
42:30 - Editing our zeek config to also extract_files, then looking at the ransomware download
53:15 - Looking at the files downloaded over FTP
1:07:00 - Start answering the questions. Doing some Grep Fu to see all the open ports during initial recon
1:18:10 - Finding when the port knock happened
Support the originator by clicking the read the rest link below.
