Analyzing PCAP with Zeek HTB Sherlocks Knock Knock
00:00 Going over the Scenario
01:30 Talking about why I'm using Zeek and running it in a Docker container
05:20 Showing a Corelight Zeek Cheat Sheet, which is tremendously helpful
08:00 Showing zeek-cut on the x509 log, then looking at the SSL log
11:50 Looking for a single IP that sent multiple SSH banners
13:20 Creating an alias for zeekgrep (alias zeekgrep = grep -e ..., -e ...), which lets us easily filter logs
17:00 Looking at the HTTP log, discovering a wget downloading ransomware
21:10 Looking at the FTP log, and showing the passwords are hidden. Editing the Zeek config to unmask the password
24:30 Editing the FTP logged commands to add PASS so we see failed logins too
34:10 Using the DNS log to see that our attacker was likely using Amazon EC2
36:15 Looking at how many connections each IP made, discovering our attacker doing a port scan; using date -d @<epoch> to convert to human-readable time
42:30 Editing our Zeek config to also extrac