Category: PCAPs
-
Hunting Lazy OPSEC: Spotting Default C2 Certificates with DuckDB and Zeek
Threat actors love to reuse tools, and sometimes, they get lazy. Case in point: AsyncRAT and its notorious fork, DcRAT. These remote access trojans often ship with default, self-signed certificates. If the…
-
Beyond the Grep: Hunting Malware with Zeek and DuckDB SQL
Hunting through raw Zeek logs just got a massive upgrade. If you’ve spent years in the SOC, you’ve likely built up a library of complex awk chains and grep commands to parse…
-
Analyzing QBot/QakBot Malware With Zeek
In this short article I’ll outline some analysis I performed on the QBot/QakBot malware family with Zeek. I took a look at the following PCAPs from this family of malware, hoping to…
-
A Gozi Banking Malware Detector – Zeek Roulette #3
I had talked about Gozi malware in our eCrimeBytes podcast here: Last Man From Gozi Banking Malware Group Sentenced To Three Years – eCrimeBytes Nibble #51 In my technical real life job…
-
Detecting Amadey Malware With Zeek – Zeek Roulette #2
For my Zeek Roulette #2 I picked a recently submitted sample off of ANY.Run that ended up being Amadey: https://app.any.run/tasks/31ba58da-30d1-4a08-940d-2412fc629221/ You can download the PCAP from the link above if you navigate…
-
Detecting njRAT/Bladabindi Malware With Zeek – Zeek Roulette #1
Welcome to the first edition of Zeek Roulette, where I pick a random Zeek topic and try to solve it! For this article I picked njRAT malware from Any.Run and tried to…
-
Zeek’s suspend_processing Quirk With PCAPs
In the comments of an earlier blog: … we found an interesting situation. Even when you call “suspend_processing” in zeek_init, like this: … Zeek will still process the first packet. The “new_connection”…
-
Industrial Control Systems (ICS) PCAP Resources For Zeek And Wireshark
In this video I walk through several resources to download ICS protocol PCAPs: