Thursday, May 2, 2019

Having Fun with CrackMapExec - Zeek (Bro) Analysis

Now that we have the crackmapexec attack, log analysis and packet analysis done, let's see what we can learn via Zeek. I'm using Zeek 2.6.1 with its default configuration.

root@securitynik:~/cme# bro -v
bro version 2.6.1

First up, let's feed the packet capture file to Zeek

root@securitynik:~/cme# bro --readfile ../cme-scan.pcap 
root@securitynik:~/cme# ls *.log
conn.log  ntlm.log  packet_filter.log

Above, we see Zeek created 3 files. Let's look at the "conn.log" first. Specifically, let's look at the timestamp (ts), UID, initiator of the traffic (id.orig_h), initiator port (id.orig_p), responder IP (id.resp_h), responder port (id.resp_p) and duration fields.

root@securitynik:~/cme# bro-cut -c -d ts uid id.orig_h id.orig_p id.resp_h id.resp_p duration < conn.log
ts     uid  id.orig_h id.orig_p id.resp_h id.resp_p duration
2019-04-07T23:12:37-0400 CjNvrv4gbVjWpr8wW7 10.0.0.100 50838  10.0.0.2  445  -
2019-04-07T23:12:37-0400 CcQqvc2R7wksUnwk67 10.0.0.100 39670  10.0.0.3  445  0.036872
2019-04-07T23:12:37-0400 CBhSgW3yY3pOSGPzIj 10.0.0.100 50874  10.0.0.103  445  0.021902
2019-04-07T23:12:40-0400 CwnIaTt7Cf7ETVqd1 10.0.0.100 34564  10.0.0.105  445  10.514551
2019-04-07T23:12:37-0400 CfVMe42XyttIu2aENc 10.0.0.2 3   10.0.0.100  2  -

From above, the immediate conclusion is that the host at 10.0.0.100 is communicating with these destination hosts virtually at the same time, around 23:08 on May 7, 2019. Additionally, the 4th record stands out to me because it is marked as having a duration of 10.5 seconds, which is significant when compared to the others. Let's see where else the UID "CwnIaTt7Cf7ETVqd1", which is associated with the 4th record, may be found.


root@securitynik:~/cme# grep "CwnIaTt7Cf7ETVqd1" *.log
conn.log:1554693160.674207 CwnIaTt7Cf7ETVqd1 10.0.0.100 34564 10.0.0.105 445 tcp gssapi,smb,ntlm 10.514551 594 1016 RSTR - - 0 ShADdFar 10 1026 9 1460 -
ntlm.log:1554693160.689358 CwnIaTt7Cf7ETVqd1 10.0.0.100 34564 10.0.0.105 445 - - - SECNIK-2K19 SECNIK-2K19.securitynik.local - T

Looks like there is related activity in the "ntlm.log". As I know there is not much activity in this "ntlm.log" file, let's just poke directly into that log to see what we get.


root@securitynik:~/cme# bro-cut -c -d ts uid id.orig_h id.orig_p id.resp_h id.resp_p domainname server_nb_computer_name server_dns_computer_name < ntlm.log 
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p domainname server_nb_computer_name server_dns_computer_name
2019-04-07T23:12:40-0400 CwnIaTt7Cf7ETVqd1 10.0.0.100 34564 10.0.0.105 445 - SECNIK-2K19 SECNIK-2K19.securitynik.local
2019-04-07T23:12:37-0400 CcQqvc2R7wksUnwk67 10.0.0.100 39670 10.0.0.3 445 - SECURITYNIK-SYS SECURITYNIK-SYS
2019-04-07T23:12:37-0400 CBhSgW3yY3pOSGPzIj 10.0.0.100 50874 10.0.0.103 445 - SECURITYNIK-WIN SECURITYNIK-WIN10

Let's move on to see what we get from Zeek as it relates to detecting the shares enumeration.


root@securitynik:~/cme# bro --readfile cme-enum-shares.pcap 
root@securitynik:~/cme# ls *.log
conn.log  ntlm.log  packet_filter.log  weird.log

root@securitynik:~/cme# bro-cut -c -d ts uid id.orig_h id.orig_p id.resp_h id.resp_p duration < conn.log
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p duration
2019-04-08T21:19:49-0400 CLsD7H3kX4egNGDela 10.0.0.100 52018 10.0.0.103 445 0.043698
2019-04-08T21:19:49-0400 CvsqTnSwr26xyKtb 10.0.0.100 35708 10.0.0.105 445 1.365110
2019-04-08T21:19:49-0400 CDSASQ2JrYCv1jsVEk 10.0.0.100 35716 10.0.0.105 445 1.225863
2019-04-08T21:19:49-0400 CQUAMD4duBkS7wmHSc 10.0.0.100 35710 10.0.0.105 445 1.340920
2019-04-08T21:19:49-0400 CxoLsk1HnbryEf2G8e 10.0.0.100 41024 10.0.0.3 445 1.245527
2019-04-08T21:19:50-0400 Cs28ja4K4xmf5DA4A7 10.0.0.100 52032 10.0.0.103 445 0.861895
2019-04-08T21:19:49-0400 C5Gqyk16xqfRTSO8U 10.0.0.100 52026 10.0.0.103 445 1.324494
2019-04-08T21:19:49-0400 CQCNqc3C2LGUQL6oUd 10.0.0.100 41016 10.0.0.3 445 0.118876

From above, to me nothing stands out immediately. Let's once again peek into the "ntlm.log" file.


root@securitynik:~/cme# bro-cut -c -d ts uid id.orig_h id.orig_p id.resp_h id.resp_p username domainname server_nb_computer_name server_dns_computer_name < ntlm.log 
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p username domainname server_nb_computer_name server_dns_computer_name
2019-04-08T21:19:49-0400 CvsqTnSwr26xyKtb 10.0.0.100 35708 10.0.0.105 445 - - SECNIK-2K19 SECNIK-2K19.securitynik.local
2019-04-08T21:19:49-0400 CQUAMD4duBkS7wmHSc 10.0.0.100 35710 10.0.0.105 445 administrator SECURITYNIK SECNIK-2K19 SECNIK-2K19.securitynik.local
2019-04-08T21:19:49-0400 CDSASQ2JrYCv1jsVEk 10.0.0.100 35716 10.0.0.105 445 administrator SECURITYNIK SECNIK-2K19 SECNIK-2K19.securitynik.local
2019-04-08T21:19:49-0400 C5Gqyk16xqfRTSO8U 10.0.0.100 52026 10.0.0.103 445 securitynik SECURITYNIK-WIN SECURITYNIK-WIN SECURITYNIK-WIN10
2019-04-08T21:19:50-0400 Cs28ja4K4xmf5DA4A7 10.0.0.100 52032 10.0.0.103 445 securitynik SECURITYNIK-WIN SECURITYNIK-WIN SECURITYNIK-WIN10
2019-04-08T21:19:49-0400 CLsD7H3kX4egNGDela 10.0.0.100 52018 10.0.0.103 445 - - SECURITYNIK-WIN SECURITYNIK-WIN10
2019-04-08T21:19:50-0400 CxoLsk1HnbryEf2G8e 10.0.0.100 41024 10.0.0.3 445 saadia SECURITYNIK-SYS SECURITYNIK-SYS SECURITYNIK-SYS
2019-04-08T21:19:49-0400 CQCNqc3C2LGUQL6oUd 10.0.0.100 41016 10.0.0.3 445 - - SECURITYNIK-SYS SECURITYNIK-SYS


From above, what immediately stands out to me is the username "administrator". Anyhow, as there is no other log for us to look at, we are only able to correlate between the "conn.log" and "ntlm.log".

Moving on to the enumeration of the users:


root@securitynik:~/cme# bro --readfile cme-enum-users.pcap 
root@securitynik:~/cme# ls *.log
conn.log  ntlm.log  packet_filter.log

As before, let's take a look at the "conn.log" and then we will analyze the "ntlm.log".


root@securitynik:~/cme# bro-cut -d ts uid id.orig_h id.orig_p id.resp_h id.resp_p < conn.log 
2019-04-09T21:08:41-0400 CE9bTu12QILo9my5df 10.0.0.100 36656 10.0.0.105 445
2019-04-09T21:08:41-0400 C9UAC8ZQwUK5MwhJc 10.0.0.100 52972 10.0.0.103 445
2019-04-09T21:08:41-0400 CTrbie3OsppyPktT47 10.0.0.100 36662 10.0.0.105 445
2019-04-09T21:08:41-0400 CvR5xHfpQ1NQdYI57 10.0.0.100 41964 10.0.0.3 445
2019-04-09T21:08:41-0400 CgCTMu3kPdQD1Irzcd 10.0.0.100 52962 10.0.0.103 445
2019-04-09T21:08:41-0400 C7SzpR2UMcJY3gFgu4 10.0.0.100 52980 10.0.0.103 445
2019-04-09T21:08:41-0400 CAQyS13AgNypXSffs7 10.0.0.100 36660 10.0.0.105 445
2019-04-09T21:08:41-0400 CfuNcC34YIeYHlaiLk 10.0.0.100 52978 10.0.0.103 445
2019-04-09T21:08:41-0400 Cbwwz61zxTVZAytGHe 10.0.0.100 36652 10.0.0.105 445
2019-04-09T21:08:41-0400 CyJGuxj0AILgAELsd 10.0.0.100 41960 10.0.0.3 445

From above, once again there are not many conclusions for us to draw, other than the fact that these communications are all happening around the same time.


root@securitynik:~/cme# bro-cut -c -d ts uid id.orig_h id.orig_p id.resp_h id.resp_p duration < conn.log
ts uid id.orig_h id.orig_p id.resp_h id.resp_p duration
2019-04-09T21:08:41-0400 CDHlVp2TZn98Xqjt7g 10.0.0.100 36656 10.0.0.105 445 1.522323
2019-04-09T21:08:41-0400 C8FXLa3K9LLkRLzZva 10.0.0.100 36662 10.0.0.105 445 1.280663
2019-04-09T21:08:41-0400 C65WCnrH8cvDtgb93 10.0.0.100 52972 10.0.0.103 445 1.491506
2019-04-09T21:08:41-0400 CDGfFq4OSyP93Yxmlc 10.0.0.100 52962 10.0.0.103 445 0.053613
2019-04-09T21:08:41-0400 CPseIk1gv1hDfBkUNa 10.0.0.100 36660 10.0.0.105 445 1.325062
2019-04-09T21:08:41-0400 CY43UY3p9ETx00EaLc 10.0.0.100 52980 10.0.0.103 445 0.618712
2019-04-09T21:08:41-0400 CDTWQD1PTtpNjBPs33 10.0.0.100 36652 10.0.0.105 445 1.541821
2019-04-09T21:08:41-0400 Cx2ckqUMuchuVZBn5 10.0.0.100 41964 10.0.0.3 445 1.491122
2019-04-09T21:08:41-0400 Cuf18x1OI85olS2il8 10.0.0.100 41960 10.0.0.3 445 0.042531
2019-04-09T21:08:41-0400 Casvg779QdFvZycg 10.0.0.100 52978 10.0.0.103 445 1.178591

Similar to the previous analysis, nothing really stands out here to me that causes me to worry. Let's move on to the "ntlm.log".


root@securitynik:~/cme# bro-cut -c -d ts uid id.orig_h id.orig_p id.resp_h id.resp_p username domainname server_nb_computer_name server_dns_computer_name < ntlm.log 
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p username domainname server_nb_computer_name server_dns_computer_name
2019-04-09T21:08:41-0400 CDTWQD1PTtpNjBPs33 10.0.0.100 36652 10.0.0.105 445 - - SECNIK-2K19 SECNIK-2K19.securitynik.local
2019-04-09T21:08:41-0400 CDHlVp2TZn98Xqjt7g 10.0.0.100 36656 10.0.0.105 445 administrator SECURITYNIK SECNIK-2K19 SECNIK-2K19.securitynik.local
2019-04-09T21:08:41-0400 CPseIk1gv1hDfBkUNa 10.0.0.100 36660 10.0.0.105 445 administrator SECURITYNIK SECNIK-2K19 SECNIK-2K19.securitynik.local
2019-04-09T21:08:41-0400 C65WCnrH8cvDtgb93 10.0.0.100 52972 10.0.0.103 445 administrator SECURITYNIK-WIN SECURITYNIK-WIN SECURITYNIK-WIN10
2019-04-09T21:08:41-0400 Casvg779QdFvZycg 10.0.0.100 52978 10.0.0.103 445 administrator SECURITYNIK-WIN SECURITYNIK-WIN SECURITYNIK-WIN10
2019-04-09T21:08:41-0400 CY43UY3p9ETx00EaLc 10.0.0.100 52980 10.0.0.103 445 administrator SECURITYNIK-WIN SECURITYNIK-WIN SECURITYNIK-WIN10
2019-04-09T21:08:42-0400 C8FXLa3K9LLkRLzZva 10.0.0.100 36662 10.0.0.105 445 administrator SECURITYNIK SECNIK-2K19 SECNIK-2K19.securitynik.local
2019-04-09T21:08:41-0400 CDGfFq4OSyP93Yxmlc 10.0.0.100 52962 10.0.0.103 445 - - SECURITYNIK-WIN SECURITYNIK-WIN10
2019-04-09T21:08:41-0400 Cx2ckqUMuchuVZBn5 10.0.0.100 41964 10.0.0.3 445 administrator SECURITYNIK-SYS SECURITYNIK-SYS SECURITYNIK-SYS
2019-04-09T21:08:41-0400 Cuf18x1OI85olS2il8 10.0.0.100 41960 10.0.0.3 445 - - SECURITYNIK-SYS SECURITYNIK-SYS

Whereas previously we saw 3 different usernames, in this log we see all the activity is using the username "administrator". With more data, this may be something we can dig into more. However, with no additional Zeek logs, there is only so much to analyze.

Let's now see what bro will find about the password policy enumeration.


root@securitynik:~/cme# bro --readfile cme-pass-pol.pcap 
root@securitynik:~/cme# ls *.log
conn.log  ntlm.log  packet_filter.log  reporter.log  weird.log

As can be seen above, the only log of importance which was created is the "conn.log". Let's peek into it to see what we got.


root@securitynik:~/cme# bro-cut -d ts uid id.orig_h id.orig_p id.resp_h id.resp_p service < conn.log
2019-04-17T11:10:20-0400 CT0fARjKtm01wxvxf 10.0.0.100 52488 10.0.0.105 445 -
2019-04-17T11:10:20-0400 CIN1L14hrIc7chcTL4 10.0.0.100 52490 10.0.0.105 445 -
2019-04-17T11:10:21-0400 Co4bTt4p30bUxmSODh 10.0.0.100 52492 10.0.0.105 445 -
2019-04-17T11:10:21-0400 CLkUtG4EcfqBVcZwd9 10.0.0.100 52494 10.0.0.105 445 -
2019-04-17T11:10:21-0400 CgjL5S2dyVXChVJz02 10.0.0.100 52494 10.0.0.105 445 smb,gssapi,ntlm
2019-04-17T11:10:21-0400 CfFHtB1GOafL7T2D 10.0.0.100 52492 10.0.0.105 445 smb,gssapi,ntlm
2019-04-17T11:10:20-0400 Chtw4S3EyTA0qD0Lo4 10.0.0.100 52490 10.0.0.105 445 smb,gssapi,ntlm
2019-04-17T11:10:20-0400 CJqxjr44ziVWhXniXd 10.0.0.100 52488 10.0.0.105 445 smb,gssapi,ntlm

Apparently the above is not much for us to celebrate or have a party for. Let's see what the "ntlm.log" file has to offer.


root@securitynik:~/cme# bro-cut -c -d ts uid id.orig_h id.orig_p id.resp_h id.resp_p username domainname server_nb_computer_name server_dns_computer_name < ntlm.log 
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p username domainname server_nb_computer_name server_dns_computer_name
2019-04-17T11:10:20-0400 CJqxjr44ziVWhXniXd 10.0.0.100 52488 10.0.0.105 445 - - SECNIK-2K19 SECNIK-2K19.securitynik.local
2019-04-17T11:10:20-0400 Chtw4S3EyTA0qD0Lo4 10.0.0.100 52490 10.0.0.105 445 - - SECNIK-2K19 SECNIK-2K19.securitynik.local
2019-04-17T11:10:21-0400 CfFHtB1GOafL7T2D 10.0.0.100 52492 10.0.0.105 445 - - SECNIK-2K19 SECNIK-2K19.securitynik.local
2019-04-17T11:10:21-0400 CgjL5S2dyVXChVJz02 10.0.0.100 52494 10.0.0.105 445 - - SECNIK-2K19 SECNIK-2K19.securitynik.local


Well, similarly to the previous entries above, there is not much more for us to correlate with.

Let's now see what the communication looks like when crackmapexec runs a PowerShell command.


root@securitynik:~/cme# bro --readfile cme-powershell.pcap 
root@securitynik:~/cme# ls *.log
conn.log  ntlm.log  packet_filter.log  reporter.log  weird.log

Looking at the connection log we see:


root@securitynik:~/cme# bro-cut -c -d ts uid id.orig_h id.orig_p id.resp_h id.resp_p service < conn.log
ts uid id.orig_h id.orig_p id.resp_h id.resp_p service
2019-04-18T04:32:43-0400 C4i28G49xYh3RgkUbk 10.0.0.100 53492 10.0.0.105 445 -
2019-04-18T04:32:43-0400 CbDALpm71nEf5WN99 10.0.0.100 53494 10.0.0.105 445 -
2019-04-18T04:32:43-0400 Czx60F4xYofLMUpac 10.0.0.100 53496 10.0.0.105 445 -
2019-04-18T04:32:43-0400 CC2Zuq3Lh1qJpt4jO1 10.0.0.100 33962 10.0.0.105 135 -
2019-04-18T04:32:43-0400 CL7Bw42tDtZRMUSafb 10.0.0.100 37794 10.0.0.105 49666 -
2019-04-18T04:32:43-0400 C25qjC29efnwRR6B0j 10.0.0.100 33962 10.0.0.105 135 dce_rpc,ntlm
2019-04-18T04:32:43-0400 Ca5Xb049R1iQXNZP25 10.0.0.100 53496 10.0.0.105 445 gssapi,ntlm,smb
2019-04-18T04:32:43-0400 Ci2xjs2FpCPzEALQg2 10.0.0.100 53492 10.0.0.105 445 gssapi,ntlm,smb
2019-04-18T04:32:43-0400 CYZqa7DXxkMdfqmI4 10.0.0.100 53494 10.0.0.105 445 gssapi,ntlm,smb
2019-04-18T04:32:43-0400 CYmG7f1Ms7ioIwXGxk 10.0.0.105 49666 10.0.0.100 37794 dce_rpc,ntlm
2019-04-18T04:32:12-0400 C4dmGj2zkDyNYyKxOb 10.0.0.3 56736 239.255.255.250 1900 -

Looking at the "ntlm.log" we see:


root@securitynik:~/cme# bro-cut -c -d ts uid id.orig_h id.orig_p id.resp_h id.resp_p username domainname server_nb_computer_name server_dns_computer_name < ntlm.log 
ts uid id.orig_h id.orig_p id.resp_h id.resp_p username domainname server_nb_computer_name server_dns_computer_name
2019-04-18T04:32:43-0400 Ci2xjs2FpCPzEALQg2 10.0.0.100 53492 10.0.0.105 445 - - SECNIK-2K19 SECNIK-2K19.securitynik.local
2019-04-18T04:32:43-0400 CYZqa7DXxkMdfqmI4 10.0.0.100 53494 10.0.0.105 445 - - SECNIK-2K19 SECNIK-2K19.securitynik.local
2019-04-18T04:32:43-0400 Ca5Xb049R1iQXNZP25 10.0.0.100 53496 10.0.0.105 445 - - SECNIK-2K19 SECNIK-2K19.securitynik.local
2019-04-18T04:32:43-0400 C25qjC29efnwRR6B0j 10.0.0.100 33962 10.0.0.105 135 - - SECNIK-2K19 SECNIK-2K19.securitynik.local
2019-04-18T04:32:43-0400 CYmG7f1Ms7ioIwXGxk 10.0.0.105 49666 10.0.0.100 37794 - - SECNIK-2K19 SECNIK-2K19.securitynik.local


What I find interesting is that in this case there is no username shown, unlike in the previous examples. Anyhow, at this point there is nothing else for us to correlate with.

Let's wrap this up by looking at what Zeek provides when we feed it the pcap associated with the execution of a remote program, in this case "ncat.exe".


root@securitynik:~/cme# bro --readfile cme-ncat.pcap
root@securitynik:~/cme# ls *.log
conn.log  ntlm.log  packet_filter.log  reporter.log  weird.log


Let's take a look at the "conn.log" file.


root@securitynik:~/cme# bro-cut -d ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration < conn.log 
2019-04-18T23:05:33-0400 C0Casf2VeL577K74qk 10.0.0.100 57948 10.0.0.105 445 tcp - -
2019-04-18T23:05:33-0400 CuwHqr4mVIMRzgUth4 10.0.0.100 57950 10.0.0.105 445 tcp - -
2019-04-18T23:05:33-0400 CtqyKz1eoOzoQgGEG6 10.0.0.100 57952 10.0.0.105 445 tcp - -
2019-04-18T23:05:33-0400 Cwaqh53GrL1rn5f304 10.0.0.100 60342 10.0.0.105 135 tcp - -
2019-04-18T23:05:33-0400 CPHI0w4Ri0Df01Gug2 10.0.0.100 43388 10.0.0.105 49666 tcp - -
2019-04-18T23:05:33-0400 CAD9fo1xfxXPla2Wn2 10.0.0.105 49666 10.0.0.100 43388 tcp dce_rpc,ntlm 3.012401
2019-04-18T23:05:36-0400 CDx2941eRrmxWipQK9 10.0.0.105 50602 10.0.0.100 443 tcp - 0.144933
2019-04-18T23:05:33-0400 CbVXzF2OWiOED64yvb 10.0.0.100 57952 10.0.0.105 445 tcp smb,gssapi,ntlm 19.982751
2019-04-18T23:05:33-0400 CX4uc32KRN2MVEZI5a 10.0.0.100 60342 10.0.0.105 135 tcp dce_rpc,ntlm 19.943066
2019-04-18T23:05:53-0400 CTMorz2v9B31jQio2j 10.0.0.100 43388 10.0.0.105 49666 tcp - 0.001947
2019-04-18T23:05:33-0400 CYCCkxVoiEZiyU6Ih 10.0.0.100 57948 10.0.0.105 445 tcp smb,gssapi,ntlm 20.044038
2019-04-18T23:05:33-0400 CmEnbE1FCGYbB5gMV 10.0.0.100 57950 10.0.0.105 445 tcp smb,gssapi,ntlm 20.021675
2019-04-18T23:05:56-0400 CymFsuDGc1MuGq0p7 10.0.0.105 50602 10.0.0.100 443 tcp - 12.295573
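
As an added example (not code from the original post), the script below parses Zeek's TSV logs, joins "conn.log" and "ntlm.log" on uid the way the grep earlier in the post does, and flags the three patterns this series surfaced: one originator reaching several hosts on 445 within the same minute, one username authenticating to several hosts, and a target connecting back to the originator shortly after SMB/RPC activity (the 10.0.0.105 to 10.0.0.100:443 connection above). The sample log lines are constructed and trimmed to the fields used, and the window and host-count thresholds are assumptions, not Zeek defaults.

```python
from collections import defaultdict

def parse_zeek_log(text):
    """Parse a Zeek TSV log into dicts keyed by its #fields header; other # lines are skipped."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

# Constructed sample logs (tab separated, epoch ts), modelled on the output in the post.
CONN_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tservice",
    "1554693157.2\tC2\t10.0.0.100\t39670\t10.0.0.3\t445\tgssapi,smb,ntlm",
    "1554693157.3\tC3\t10.0.0.100\t50874\t10.0.0.103\t445\tgssapi,smb,ntlm",
    "1554693160.6\tC4\t10.0.0.100\t34564\t10.0.0.105\t445\tgssapi,smb,ntlm",
    "1554693163.7\tC5\t10.0.0.105\t50602\t10.0.0.100\t443\t-",
])
NTLM_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tusername\tdomainname",
    "1554693157.2\tC2\t10.0.0.100\t10.0.0.3\tadministrator\tSECURITYNIK-SYS",
    "1554693157.3\tC3\t10.0.0.100\t10.0.0.103\tadministrator\tSECURITYNIK-WIN",
    "1554693160.7\tC4\t10.0.0.100\t10.0.0.105\tadministrator\tSECURITYNIK",
])
ADMIN_PORTS = {"445", "135"}  # SMB and the DCE-RPC endpoint mapper

def smb_fanout(conn, window=60.0, min_hosts=3):
    """Originators reaching >= min_hosts distinct hosts on 445 inside one fixed `window`-second bucket."""
    buckets = defaultdict(set)
    for r in conn:
        if r["id.resp_p"] == "445":
            buckets[(r["id.orig_h"], int(float(r["ts"]) // window))].add(r["id.resp_h"])
    return {o: sorted(h) for (o, _), h in buckets.items() if len(h) >= min_hosts}

def ntlm_user_spread(conn, ntlm, min_hosts=2):
    """Join ntlm.log to conn.log on uid (as the grep in the post does) and flag usernames
    that authenticate to >= min_hosts distinct responders."""
    resp_by_uid = {r["uid"]: r["id.resp_h"] for r in conn}
    targets = defaultdict(set)
    for r in ntlm:
        if r["uid"] in resp_by_uid and r["username"] != "-":
            targets[r["username"]].add(resp_by_uid[r["uid"]])
    return {u: sorted(h) for u, h in targets.items() if len(h) >= min_hosts}

def callbacks(conn, window=30.0):
    """Responders of an SMB/RPC connection that connect back to the originator within `window` s."""
    hits = set()
    for a in (r for r in conn if r["id.resp_p"] in ADMIN_PORTS):
        for b in conn:
            if (b["id.orig_h"], b["id.resp_h"]) == (a["id.resp_h"], a["id.orig_h"]) \
                    and 0 <= float(b["ts"]) - float(a["ts"]) <= window:
                hits.add((b["id.orig_h"], b["id.resp_h"], b["id.resp_p"]))
    return sorted(hits)
```

Run the three checks over `parse_zeek_log(open("conn.log").read())` and the matching "ntlm.log" to apply them to real Zeek output; the fixed-bucket fan-out check can miss bursts that straddle a bucket boundary.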

Let's once again look at the "ntlm.log" and see what we get.


root@securitynik:~/cme# bro-cut -c -d ts uid id.orig_h id.orig_p id.resp_h id.resp_p username domainname server_nb_computer_name server_dns_computer_name < ntlm.log 
ts uid id.orig_h id.orig_p id.resp_h id.resp_p username domainname server_nb_computer_name server_dns_computer_name
2019-04-18T23:05:33-0400 CYCCkxVoiEZiyU6Ih 10.0.0.100 57948 10.0.0.105 445 - - SECNIK-2K19 SECNIK-2K19.securitynik.local
2019-04-18T23:05:33-0400 CmEnbE1FCGYbB5gMV 10.0.0.100 57950 10.0.0.105 445 - - SECNIK-2K19 SECNIK-2K19.securitynik.local
2019-04-18T23:05:33-0400 CbVXzF2OWiOED64yvb 10.0.0.100 57952 10.0.0.105 445 - - SECNIK-2K19 SECNIK-2K19.securitynik.local
2019-04-18T23:05:33-0400 CAD9fo1xfxXPla2Wn2 10.0.0.105 49666 10.0.0.100 43388 - - SECNIK-2K19 SECNIK-2K19.securitynik.local
2019-04-18T23:05:33-0400 CX4uc32KRN2MVEZI5a 10.0.0.100 60342 10.0.0.105 135 - - SECNIK-2K19 SECNIK-2K19.securitynik.local

While we have some information there, there is not much for us to correlate.

Ok. That's it for this series.



Posts in this series:
Having Fun with CrackMapExec
Having Fun with CrackMapExec - Log Analysis
Having Fun with CrackMapExec - Packet Analysis - CrackMapExec
Having Fun with CrackMapExec - Zeek (Bro) Analysis
Having Fun with CrackMapExec - Snort IDS/IPS Analysis
