Hello, I've watched the entire thing and got a little out of it. But when you're looking at a pcap file using Wireshark or any analysis program, how do you know what to look for? I was given a task to look for something suspicious in a pcap file using Wireshark, and after 1 hour I achieved nothing. Any tips?
This is a good question. There are several approaches you could try. One is to see if you can validate any of the "implied bad" indicators, such as Suricata IDS alerts. Do they lead to signs of command and control traffic, indicating remote unauthorized use, for example? Another is to look for activity that is unauthorized for the system. For example, is there a valid reason for the system to be communicating to the sites it is visiting? Third, you can apply threat intelligence to the data set. Are there any "hits" for known C2 certificates, domains, IP addresses, etc.? Starting with Wireshark is generally difficult as the data is too granular. Start with Zeek data or Suricata IDS alerts if you have no idea where to begin. Finally, you can pivot to NSM data after getting a hit from EDR or other sources. Thanks for your question.
Know normal to find evil. Zeek can also be used to get more details from another alert source; you don't necessarily need to start with Zeek. If you have an alert from, let's say, anti-virus, you can then look into the Zeek logs to see what happened before and after the event.
In this scenario, "Mike calls the Help Desk and says his desktop computer is "acting weird" but he refuses to provide any details." In this case we just wanted to demonstrate the sorts of data Zeek could provide. Thanks for your comment.
This is a short question, but there is not a short answer. What aspect of malware do you want to detect? This is probably best answered in Slack join.slack.com/t/zeekorg/shared_invite/zt-1ev1nr7z4-rEVSsaIzYzFWpdgh2I6ZOg or Discourse community.zeek.org/
Why wouldn't Mike want to cooperate on this troubleshoot? Other computers may be compromised? What kind of employee would refuse to cooperate in a forensic investigation?
You could imagine that Mike didn't want to be bothered with the event. This happens a lot unfortunately! I've worked cases where the user told IT and security to leave them alone, even though their computer was actively compromised. 🤦♂️ Thanks for your question.
Mike might not be refusing to cooperate; he might not know. We get tickets like that all the time: "something has changed, but I don't know what", "things are different but I don't know how", etc. The pretense of the video is just a good one to use. Even if Mike had information to give, he could miscommunicate or just be wrong. It's good to take in user information, but never trust it.