Network Forensics with Brim (zui)

Brim and Zui are powerful tools for analyzing large-scale network traffic, especially when working with Zeek logs. They allow you to search and filter data efficiently with commands or queries tailored to your investigation needs. Below, I provide commands and approaches for each section from above, tailored for Brim/Zui.

filter protocals

_path==http
_path==ssh
_path==ssh
_path==telnet
_path==files
_path==conne
_path==icmp
_path==smb2
_path==smb
_path==ftp
_path==kerberos
_path==ldap

IP Filters

_path=conn id.orig_h=192.168.1.1 or id.resp_h=192.168.1.1 : To capture all traffic from or to a specific IP
_path=conn id.orig_h= :  Source IP 
_path=conn id.resp_h= : Destination IP

Port-Based Filters

_path=http id.resp_p=80 : HTTP Traffic (Port 80) 
_path=http id.resp_p=443 :  HTTPS Traffic (Port 443)
_path=dns id.resp_p=53   : DNS Traffic (Port 53)

Filter for HTTP Requests

_path=http host="example.com"
_path=http | count() by id.resp_h
_path == "http" : his shows HTTP requests and responses, where the commands might be sent
_path == "http"  method == "POST" 
_path=http method=GET
_path == "http" and status_code == 200
_path=http body~"ifconfig" 
_path=http user_agent~"curl" or user_agent~"wget"
_path=http uri~".jar" 
_path=http uri~".zip"
_path == "files" : If scripts were uploaded or downloaded
_path=http body~"cmd="
_path=http body~"login"
_path=http | where method="POST" or method="PUT"
_path=http | where host contains "malicious-domain.com" or id.resp_h=192.168.1.100
_path=http | where user_agent contains "MaliciousAgent" : Find HTTP requests with abnormal User-Agent strings
_path=http | where uri contains "../" or uri contains "UNION" : Monitor HTTP requests with special characters
_path=http | where body contains "password" : Search for specific content in HTTP payloads
_path=http | where frame contains "Basic "

DNS Traffic Filter

_path == "dns" 
_path=dns | where query contains ".onion" or query contains "suspiciousdomain"
_path=dns query="example.com"
dns.resp.ip == "<suspected_ip>"

Searching for File Uploads

_path=ftp | where command="STOR" or command="RETR" : Monitor FTP file uploads/downloads
_path=http | where uri contains ".exe" or uri contains ".zip" : Identify file downloads with dangerous extensions

Kerberos Traffic

_path=kerberos | where msg_type=10 or msg_type=12 : Track Kerberos TGT and TGS Requests
_path=kerberos | where error_code exists : Filter Suspicious Kerberos Errors
_path=kerberos | where Ticket.expiry_time < Ticket.start_time :  Kerberos Golden Ticket Indicators

LDAP Traffic

_path=ldap
_path=ldap | where filter contains "(objectclass=user)" : Look for queries involving user objects

Filters

_path=="http" "resolvecyber.xyz"  | cut host, uri, method, user_agent
_path=="http" "<replace domain>" id.resp_p==<replace port> | cut ts, host, id.resp_p, uri | sort ts :To get all HTTP requests related to the malicious C2 traffic

PreviousNetwork Forensics with wireshark

Last updated 1 year ago

hashtagfilter protocals

hashtagIP Filters

hashtagPort-Based Filters

hashtagFilter for HTTP Requests

hashtagDNS Traffic Filter

hashtagSearching for File Uploads

hashtagKerberos Traffic

hashtagLDAP Traffic

hashtagFilters