Zeek your Windowz!
Zeek European Workshop 2019, 2019. 5. 3.
How SSL works
Tools
TTPs
Artifacts
Domain Names
IP Addresses
Hash Values
(The labels beside the list read "Harder for threat actors to change" and "Even harder to detect".)
Default Metasploit SSL Cert in Bro x509.log
certificate.issuer: CN=hrzvox.gov, O=bdlOFqMXlUfgoNQljMuRWgiJ, L=ZTIhjQVsJEuQIlSgScdegcLSLJVRE, ST=WI, C=US
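The issuer above is what a default Metasploit listener certificate looks like in x509.log: a CN shaped like a domain name next to organisation and locality fields that are just runs of letters. The Python below is an added example, not code from the deck, that scores Zeek x509.log records for that pattern. It assumes a trimmed x509.log carrying only the ts, id, certificate.subject and certificate.issuer columns, constructs three sample rows (the deck's issuer DN with the subject assumed identical, i.e. self-signed, plus two benign certificates), and the "looks generated" test (16 or more mixed-case letters with no separators in O or L) is a heuristic of mine, not something the deck specifies.

```python
import re

# Constructed Zeek x509.log excerpt (tab-separated). Assumption: only the four
# columns used here are present; a real x509.log has many more.
SAMPLE_X509_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tid\tcertificate.subject\tcertificate.issuer",
    # Issuer DN from the deck's slide; subject assumed identical (self-signed).
    "1556870400.0\tF1aaaa\t"
    "CN=hrzvox.gov,O=bdlOFqMXlUfgoNQljMuRWgiJ,L=ZTIhjQVsJEuQIlSgScdegcLSLJVRE,ST=WI,C=US\t"
    "CN=hrzvox.gov,O=bdlOFqMXlUfgoNQljMuRWgiJ,L=ZTIhjQVsJEuQIlSgScdegcLSLJVRE,ST=WI,C=US",
    # Constructed benign leaf certificate issued by a CA.
    "1556870401.0\tF2bbbb\tCN=www.example.com\tCN=Example Issuing CA,O=Example Trust Services,C=US",
    # Constructed benign self-signed lab certificate with readable names.
    "1556870402.0\tF3cccc\tCN=lab-proxy.internal,O=Corp IT,L=Berlin,C=DE\t"
    "CN=lab-proxy.internal,O=Corp IT,L=Berlin,C=DE",
])

# Heuristic (assumption, not from the deck): a pure-letter value of 16+ characters
# with mixed case and no separators reads like generated filler, not a real
# organisation or locality name.
RANDOM_ALPHA = re.compile(r"^[A-Za-z]{16,}$")


def looks_random(value: str) -> bool:
    return (bool(RANDOM_ALPHA.match(value))
            and value != value.lower()
            and value != value.upper())


def parse_dn(dn: str) -> dict:
    """Split an OpenSSL one-line DN ('CN=a,O=b,...') into attribute -> value.
    Assumption: no escaped commas inside values."""
    parts = {}
    for rdn in dn.split(","):
        if "=" in rdn:
            key, value = rdn.split("=", 1)
            parts[key.strip()] = value.strip()
    return parts


def parse_x509_log(text: str):
    """Yield one dict per data row of a Zeek TSV log, keyed by the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            yield dict(zip(fields, line.split("\t")))


def score_record(rec: dict) -> list:
    """Return the reasons a record resembles a generated default certificate."""
    issuer = parse_dn(rec["certificate.issuer"])
    subject = parse_dn(rec["certificate.subject"])
    reasons = []
    if issuer == subject:
        reasons.append("self-signed")
    for attr in ("O", "L"):
        if looks_random(issuer.get(attr, "")):
            reasons.append(f"issuer {attr} looks generated")
    return reasons


def find_suspicious(text: str, min_reasons: int = 2) -> dict:
    """Map certificate id -> reasons for every record with at least min_reasons hits.
    Requiring two signals keeps ordinary self-signed lab certificates quiet."""
    hits = {}
    for rec in parse_x509_log(text):
        reasons = score_record(rec)
        if len(reasons) >= min_reasons:
            hits[rec["id"]] = reasons
    return hits


if __name__ == "__main__":
    for cert_id, reasons in find_suspicious(SAMPLE_X509_LOG).items():
        print(cert_id, "->", ", ".join(reasons))
```

Only the deck's certificate trips the check: it is self-signed and both O and L look generated, while the benign self-signed lab certificate collects a single reason and stays below the threshold.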
First to the Key (2009)
Lee Brotherston (Derbycon 2015)
Microsoft Edge (Browser)
Dridex Malware (Banking Trojan)
Trickbot Malware (Banking Trojan)
(Image-only slides; Edge and Trickbot appear twice.)
Fingerprinting TLS Clients
Fingerprinting TLS - The JA3 Method
The fingerprint string is assembled one field at a time from the Client Hello:
Version
771
Version,Ciphers
771,49172-157-156-61-53-47-10
Version,Ciphers,Extensions
771,49172-157-156-61-53-47-10,0-5-10-11-13
Version,Ciphers,Extensions,EllipticCurves
771,49172-157-156-61-53-47-10,0-5-10-11-13,29-23-24
Version,Ciphers,Extensions,EllipticCurves,ECPointFormats
771,49172-157-156-61-53-47-10,0-5-10-11-13,29-23-24,0
MD5 hash
JA3 = f4c4f050188e15839a6cd3af798b6c77
When the last three fields are empty the string still hashes to a distinct fingerprint:
Version,Ciphers,Extensions,EllipticCurves,ECPointFormats
771,49172-157-156-61-53-47-10,,,
MD5 hash
JA3 = 4dd4fca5534245b13b641d54a7035851
A longer cipher and extension list gives yet another fingerprint:
771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-23-65281,29-23-24,0
JA3 = ce5f3254611a8c095a3d821d44539877
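The following Python is an added example, not code from the deck or from the JA3 project: a minimal ClientHello parser that produces the JA3 string exactly as the slides build it and then MD5s it. It constructs its own sample ClientHello records with the slides' field values (the server_name, status_request and signature_algorithms extension bodies are assumed filler; the random bytes are zeroed), including one with GREASE values inserted, which the JA3 reference implementation ignores, and one with no extensions, which yields the empty-field form `771,49172-157-156-61-53-47-10,,,` shown above. The deck reports f4c4f050188e15839a6cd3af798b6c77 for the full string; run the block to compare.

```python
import hashlib

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ..., 0xfafa. JA3 drops them from every
# list because they are randomised per connection and would otherwise turn one
# client into many fingerprints.
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}


def _u16(buf: bytes, off: int) -> int:
    return int.from_bytes(buf[off:off + 2], "big")


def ja3_string(record: bytes) -> str:
    """Parse a TLS record carrying a ClientHello and return
    'Version,Ciphers,Extensions,EllipticCurves,ECPointFormats'."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    version = _u16(body, 0)
    pos = 2 + 32                                   # client_version + random
    pos += 1 + body[pos]                           # session_id
    cs_len = _u16(body, pos); pos += 2
    ciphers = [_u16(body, i) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # compression_methods
    extensions, curves, formats = [], [], []
    if pos < len(body):                            # the extensions block is optional
        end = pos + 2 + _u16(body, pos); pos += 2
        while pos < end:
            etype, elen = _u16(body, pos), _u16(body, pos + 2)
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype in GREASE:
                continue
            extensions.append(etype)
            if etype == 10:                        # supported_groups
                curves = [_u16(data, i) for i in range(2, 2 + _u16(data, 0), 2)]
            elif etype == 11:                      # ec_point_formats
                formats = list(data[1:1 + data[0]])
    ciphers = [c for c in ciphers if c not in GREASE]
    curves = [c for c in curves if c not in GREASE]
    join = lambda xs: "-".join(str(x) for x in xs)
    return f"{version},{join(ciphers)},{join(extensions)},{join(curves)},{join(formats)}"


def ja3_hash(s: str) -> str:
    """JA3 is the MD5 of the JA3 string, as 32 hex characters."""
    return hashlib.md5(s.encode("ascii")).hexdigest()


# --- Constructed sample Client Hellos (test scaffolding, not a TLS stack) ---

def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    """Wrap a ClientHello in a TLS record. extensions: [(type, data)] in wire order."""
    body = version.to_bytes(2, "big") + bytes(32) + b"\x00"      # zeroed random, empty session id
    cs = b"".join(c.to_bytes(2, "big") for c in ciphers)
    body += len(cs).to_bytes(2, "big") + cs + b"\x01\x00"          # one compression method: null
    if extensions:
        ext = b"".join(t.to_bytes(2, "big") + len(d).to_bytes(2, "big") + d for t, d in extensions)
        body += len(ext).to_bytes(2, "big") + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


def groups_ext(groups: list) -> tuple:
    data = b"".join(g.to_bytes(2, "big") for g in groups)
    return (10, len(data).to_bytes(2, "big") + data)


def point_formats_ext(formats: list) -> tuple:
    return (11, bytes([len(formats)]) + bytes(formats))


SNI = (0, b"\x00\x0e\x00\x00\x0bexample.com")      # server_name: example.com (assumed)
OCSP = (5, b"\x01\x00\x00\x00\x00")                # status_request: ocsp, empty lists
SIGALGS = (13, b"\x00\x02\x04\x01")                # signature_algorithms: rsa_pkcs1_sha256
DECK_CIPHERS = [49172, 157, 156, 61, 53, 47, 10]

# Same field values as the deck's worked example.
DECK_HELLO = build_client_hello(771, DECK_CIPHERS,
                                [SNI, OCSP, groups_ext([29, 23, 24]), point_formats_ext([0]), SIGALGS])
# Same client with GREASE inserted into the cipher, extension and group lists.
GREASED_HELLO = build_client_hello(771, [0x0a0a] + DECK_CIPHERS,
                                   [(0x1a1a, b""), SNI, OCSP, groups_ext([0x2a2a, 29, 23, 24]),
                                    point_formats_ext([0]), SIGALGS])
# No extensions at all: the last three JA3 fields come out empty.
BARE_HELLO = build_client_hello(771, DECK_CIPHERS, [])

if __name__ == "__main__":
    for name, hello in [("deck", DECK_HELLO), ("greased", GREASED_HELLO), ("bare", BARE_HELLO)]:
        s = ja3_string(hello)
        print(f"{name:8s} {s}  ->  {ja3_hash(s)}")
```

The GREASE case is the one to check when a client keeps producing "new" fingerprints: with GREASE stripped the greased and plain hellos hash identically, and the string is order-sensitive, so the same algorithms offered in a different order are a different client as far as JA3 is concerned.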
JA3 on TLS 1.3
No Server, No Problem
JA3
https://github.com/salesforce/ja3
pip install pyja3
bro-pkg install ja3
Created by: John Althouse, Jeff Atkinson, Josh Atkins
Concept and Inspiration from: Lee Brotherston
HASSH
Fingerprinting for SSH Clients and Servers
Idea and Concept by Ben Reardon
Fingerprinting SSH - The HASSH Method
The fingerprint string is assembled from four KEXINIT name-lists, separated by semicolons (algorithm names containing an @ appear masked as "[email protected]" in this transcript):
KeyExchange;
[email protected],diffie-hellman-group-exchange-sha256;
KeyExchange;Encryption;
[email protected],diffie-hellman-group-exchange-sha256;aes128-cbc,aes128-ctr;
KeyExchange;Encryption;MessageAuth;
[email protected],diffie-hellman-group-exchange-sha256;aes128-cbc,aes128-ctr;hmac-sha1,hmac-sha1-96;
KeyExchange;Encryption;MessageAuth;Compression
[email protected],diffie-hellman-group-exchange-sha256;aes128-cbc,aes128-ctr;hmac-sha1,hmac-sha1-96;[email protected],zlib,none
MD5 hash
HASSH = 9c325a9bc631ff065307ccc05217c7da
A client offering a long algorithm list produces a different fingerprint:
[email protected],diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group15-sha512,diffie-hellman-group16-sha512,diffie-hellman-group17-sha512,diffie-hellman-group18-sha512,[email protected],diffie-hellman-group15-sha256,[email protected],[email protected],diffie-hellman-group16-sha256,[email protected],[email protected],[email protected];aes128-cbc,aes128-ctr,aes192-cbc,aes192-ctr,aes256-cbc,aes256-ctr,blowfish-cbc,blowfish-ctr,cast128-cbc,cast128-ctr,idea-cbc,idea-ctr,serpent128-cbc,serpent128-ctr,serpent192-cbc,serpent192-ctr,serpent256-cbc,serpent256-ctr,3des-cbc,3des-ctr,twofish128-cbc,twofish128-ctr,twofish192-cbc,twofish192-ctr,twofish256-cbc,twofish256-ctr,twofish-cbc,arcfour,arcfour128,arcfour256;hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-sha2-256,hmac-sha2-512;[email protected],zlib,none
HASSH = 8a8ae540028bf433cd68356c1b9e8d5b
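Added example, not code from the deck or from the HASSH project: a Python parser for the SSH_MSG_KEXINIT message that pulls out the four client-to-server name-lists the slides show, joins them with semicolons and MD5s the result, plus the server-side variant (hasshServer, built from the server's own KEXINIT and its server-to-client lists). The KEXINIT payloads are constructed here with algorithm names chosen for the example, so their hashes are not the ones on the slides.

```python
import hashlib

SSH_MSG_KEXINIT = 20
# Name-lists in the order RFC 4253 puts them after the 16-byte cookie.
KEXINIT_LISTS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                 "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]


def _name_list(buf: bytes, off: int):
    """Read one SSH name-list (uint32 length + comma-separated ASCII)."""
    n = int.from_bytes(buf[off:off + 4], "big")
    return buf[off + 4:off + 4 + n].decode("ascii"), off + 4 + n


def parse_kexinit(payload: bytes) -> dict:
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT message")
    off = 1 + 16                                   # message id + cookie
    out = {}
    for name in KEXINIT_LISTS:
        out[name], off = _name_list(payload, off)
    out["first_kex_packet_follows"] = bool(payload[off])
    return out


def hassh_string(kexinit: dict, server: bool = False) -> str:
    """hassh uses the client's client-to-server lists; hasshServer uses the
    server's server-to-client lists. Order is preserved, which is the point."""
    d = "s2c" if server else "c2s"
    return ";".join([kexinit["kex"], kexinit[f"enc_{d}"], kexinit[f"mac_{d}"], kexinit[f"comp_{d}"]])


def hassh(payload: bytes, server: bool = False) -> str:
    return hashlib.md5(hassh_string(parse_kexinit(payload), server).encode("ascii")).hexdigest()


# --- Constructed KEXINIT payloads (test scaffolding, not an SSH stack) ---

def build_kexinit(lists: list) -> bytes:
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)    # zeroed cookie
    for names in lists:
        enc = names.encode("ascii")
        body += len(enc).to_bytes(4, "big") + enc
    return body + b"\x00" + b"\x00\x00\x00\x00"    # first_kex_packet_follows, reserved


CLIENT_KEXINIT = build_kexinit([
    "curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256",   # kex
    "ssh-ed25519,ssh-rsa",                                                  # host key
    "aes128-cbc,aes128-ctr", "aes128-cbc,aes128-ctr",                       # enc c2s, s2c
    "hmac-sha1,hmac-sha1-96", "hmac-sha1,hmac-sha1-96",                     # mac c2s, s2c
    "zlib@openssh.com,zlib,none", "zlib@openssh.com,zlib,none",             # comp c2s, s2c
    "", "",                                                                 # languages
])
# Same client with the two ciphers swapped: a different HASSH.
CLIENT_REORDERED = build_kexinit([
    "curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256", "ssh-ed25519,ssh-rsa",
    "aes128-ctr,aes128-cbc", "aes128-ctr,aes128-cbc",
    "hmac-sha1,hmac-sha1-96", "hmac-sha1,hmac-sha1-96",
    "zlib@openssh.com,zlib,none", "zlib@openssh.com,zlib,none", "", "",
])
SERVER_KEXINIT = build_kexinit([
    "curve25519-sha256@libssh.org,diffie-hellman-group14-sha256", "ssh-ed25519",
    "aes256-gcm@openssh.com,aes128-ctr", "aes256-gcm@openssh.com,aes128-ctr",
    "hmac-sha2-256,hmac-sha1", "hmac-sha2-256,hmac-sha1",
    "none,zlib@openssh.com", "none,zlib@openssh.com", "", "",
])

if __name__ == "__main__":
    print("hassh       ", hassh(CLIENT_KEXINIT))
    print("hassh (swap)", hassh(CLIENT_REORDERED))
    print("hasshServer ", hassh(SERVER_KEXINIT, server=True))
```

The KEXINIT is sent in the clear before any key is negotiated, so the fingerprint is available to a passive sensor for every SSH session, client and server side alike; the hassh package for Zeek records both in ssh.log.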
HASSH
https://github.com/salesforce/hassh
https://engineering.salesforce.com/
Created by: Ben Reardon @benreardon, Adel Karimi @0x4d31, John Althouse @4A4133, Jeff Atkinson /in/anNh
Mapping JA3 to Client Application
https://github.com/salesforce/ja3/tree/master/lists
Baseline your sandbox
https://github.com/gbarford/testssl
Win10-socket: c12f54a3f91dc7bafd92cb59fe009a35
Win10-socket-SNI: 3b5074b1b5d032e5620f69f9f700ff0e
Win10-powershell: fc54e0d16d9764783542f0146a98b300
Win10-powershell-SNI: 54328bd36c14bd82ddaa0c04b25ed9ad
Win10-iexplore: be6155e945a3e59a1dd0841b86f6c945
Win10-iexplore-SNI: 10ee8d30a5d01c042afd7b2b205facc4
Win2016-socket: 043c543b63b895881d9abfbc320cb863
Win2016-socket-SNI: 7c410ce832e848a3321432c9a82e972b
Win2016-powershell: 17b69de9188f4c205a00fe5ae9c1151f
Win2016-powershell-SNI: 235a856727c14dba889ddee0a38dd2f2
Win2016-iexplore: 4f2e9c50db9bd107439136bd24740c0d
Win2016-iexplore-SNI: f88610704d61a237aa9e5e0849573998
File Exfil Detection Over TLS
Original Concept by Bob Rotsted
https://github.com/reservoirlabs/bro-scripts/tree/master/exfil-detection-framework
Normal Outbound Traffic
File Transfer Outbound
Threshold Byte Count and Byte Rate
Exfil Detection from the Wire
Source IP: 10.1.2.3
Destination IPs: 50.1.2.3, 50.1.2.4, 50.1.2.5 …
Destination Port: 443
Service: HTTPS
Destination Certificate: CN=*.dropbox.com ...
Certificate Valid: True
Files Transferred: 512
Total Bytes Transferred: 2,048 MB
With the JA3 fingerprint added, the same event resolves to a client application:
JA3: fa030dbcb2e3c7141d3c2803780ee8db
JA3 Client Application: Dropbox
The same flow seen with a different fingerprint:
JA3: fc54e0d16d9764783542f0146a98b300
JA3 Client Application: Powershell
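The two versions of that slide make one point: 2,048 MB leaving the same host for the same Dropbox servers is routine when the JA3 belongs to the Dropbox client and worth an alert when it belongs to PowerShell. The Python below is an added example, not code from the deck or from the exfil-detection-framework, covering both the "Mapping JA3 to Client Application" slides and the threshold logic. It aggregates constructed connection records per source host, destination domain and JA3, applies a byte-count and byte-rate threshold (the threshold values, and computing rate as total bytes over total duration, are assumptions), and resolves each JA3 through the deck's own Dropbox hash and Windows sandbox baseline; the table of which client is expected for dropbox.com is an assumption as well.

```python
MB = 1024 * 1024

# JA3 -> client application. The Dropbox and Win10-powershell entries are the two
# hashes the slides show; the rest is the deck's Windows sandbox baseline list.
JA3_CLIENT_APP = {
    "fa030dbcb2e3c7141d3c2803780ee8db": "Dropbox",
    "c12f54a3f91dc7bafd92cb59fe009a35": "Win10-socket",
    "3b5074b1b5d032e5620f69f9f700ff0e": "Win10-socket-SNI",
    "fc54e0d16d9764783542f0146a98b300": "Win10-powershell",
    "54328bd36c14bd82ddaa0c04b25ed9ad": "Win10-powershell-SNI",
    "be6155e945a3e59a1dd0841b86f6c945": "Win10-iexplore",
    "10ee8d30a5d01c042afd7b2b205facc4": "Win10-iexplore-SNI",
    "043c543b63b895881d9abfbc320cb863": "Win2016-socket",
    "7c410ce832e848a3321432c9a82e972b": "Win2016-socket-SNI",
    "17b69de9188f4c205a00fe5ae9c1151f": "Win2016-powershell",
    "235a856727c14dba889ddee0a38dd2f2": "Win2016-powershell-SNI",
    "4f2e9c50db9bd107439136bd24740c0d": "Win2016-iexplore",
    "f88610704d61a237aa9e5e0849573998": "Win2016-iexplore-SNI",
}

# Assumption: a site-specific table of which client applications are expected to
# talk to which service. The deck does not supply one.
EXPECTED_CLIENT = {"dropbox.com": {"Dropbox"}}

# Assumed thresholds; the deck names the two dimensions but gives no numbers.
BYTE_THRESHOLD = 1024 * MB        # total bytes from one host to one service
RATE_THRESHOLD = 1.0 * MB         # bytes per second, total bytes over total duration

# Constructed records (ts, orig_h, resp_h, resp_p, server_name, ja3, orig_bytes, duration_s),
# the fields a join of Zeek conn.log and ssl.log would provide.
CONNECTIONS = [
    (1556870400.0, "10.1.2.3", "50.1.2.3", 443, "files.dropbox.com", "fa030dbcb2e3c7141d3c2803780ee8db", 768 * MB, 300.0),
    (1556870700.0, "10.1.2.3", "50.1.2.4", 443, "files.dropbox.com", "fa030dbcb2e3c7141d3c2803780ee8db", 640 * MB, 250.0),
    (1556871000.0, "10.1.2.3", "50.1.2.5", 443, "files.dropbox.com", "fa030dbcb2e3c7141d3c2803780ee8db", 640 * MB, 250.0),
    # Same host and destinations later in the day, but PowerShell's TLS stack is talking.
    (1556874000.0, "10.1.2.3", "50.1.2.3", 443, "content.dropbox.com", "fc54e0d16d9764783542f0146a98b300", 1024 * MB, 400.0),
    (1556874400.0, "10.1.2.3", "50.1.2.4", 443, "content.dropbox.com", "fc54e0d16d9764783542f0146a98b300", 1024 * MB, 400.0),
    # Ordinary browsing from another host: far below both thresholds.
    (1556870500.0, "10.1.2.9", "198.51.100.10", 443, "www.example.com", "be6155e945a3e59a1dd0841b86f6c945", 2 * MB, 20.0),
]


def registered_domain(name: str) -> str:
    """Last two labels; a crude stand-in for a public-suffix lookup."""
    return ".".join(name.split(".")[-2:])


def aggregate(conns: list) -> dict:
    """Group connections by (source host, destination domain, JA3)."""
    groups = {}
    for ts, orig_h, resp_h, resp_p, sni, ja3, orig_bytes, duration in conns:
        key = (orig_h, registered_domain(sni), ja3)
        g = groups.setdefault(key, {"bytes": 0, "duration": 0.0, "dests": set(), "conns": 0})
        g["bytes"] += orig_bytes
        g["duration"] += duration
        g["dests"].add(resp_h)
        g["conns"] += 1
    return groups


def evaluate(conns: list, byte_threshold: int = BYTE_THRESHOLD, rate_threshold: float = RATE_THRESHOLD) -> list:
    """Return alerts for groups over both thresholds, 'high' severity first.
    A group is 'info' only when the JA3 maps to a client expected for that service."""
    alerts = []
    for (orig_h, domain, ja3), g in aggregate(conns).items():
        rate = g["bytes"] / g["duration"] if g["duration"] else float("inf")
        if g["bytes"] < byte_threshold or rate < rate_threshold:
            continue
        app = JA3_CLIENT_APP.get(ja3, "unknown")
        expected = EXPECTED_CLIENT.get(domain, set())
        alerts.append({"src": orig_h, "domain": domain, "dests": sorted(g["dests"]),
                       "bytes": g["bytes"], "rate_mb_s": round(rate / MB, 2), "ja3": ja3,
                       "client_app": app, "severity": "info" if app in expected else "high"})
    return sorted(alerts, key=lambda a: a["severity"] != "high")


if __name__ == "__main__":
    for a in evaluate(CONNECTIONS):
        print(f'[{a["severity"]}] {a["src"]} -> {a["domain"]} {a["dests"]} '
              f'{a["bytes"] // MB} MB at {a["rate_mb_s"]} MB/s via {a["client_app"]} ({a["ja3"]})')
```

Both Dropbox groups cross the thresholds; only the JA3 tells them apart. Keying the aggregation on JA3 as well as host and domain is what keeps the legitimate Dropbox traffic from masking the PowerShell upload in the same totals.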
Caution
Client Hello Tooling
Sergey Frolov & Eric Wustrow, University of Colorado Boulder
The use of TLS in Censorship Circumvention
https://tlsfingerprint.io/static/frolov2019.pdf
Client Hello Tooling
https://github.com/arlolra/meek/blob/master/README
"meek is a blocking-resistant pluggable transport for Tor. It encodes a data stream as a sequence of HTTPS requests and responses. Requests are reflected through a hard-to-block third-party web server in order to avoid talking directly to a Tor bridge. HTTPS encryption hides fingerprintable byte patterns in Tor traffic."
Client Hello Tooling
uTLS - https://github.com/refraction-networking/utls/README.md
UTLS in action

```go
func reverse(connectString string, fingerprint []byte) {
	config := &tls.Config{InsecureSkipVerify: true}
	dialConn, err := tls.Dial("tcp", connectString, config)
	if err != nil {
		fmt.Printf("net.Dial() failed: %+v\n", err)
		return
	}
	// Define which ClientHelloID you want here.
	conn := tls.UClient(dialConn, config, tls.HelloGolang)
	defer conn.Close()
	interactiveShell(conn)
}
```
We can do better...
![Page 72: Zeek European Workshop 2019 Zeek your Windowz! · 2019. 5. 3. · Default Metasploit SSL Cert in Bro x509.log certificate.issuer: CN=hrzvox.gov, O=bdlOFqMXlUfgoNQljMuRWgiJ, L=ZTIhjQVsJEuQIlSgScdegcLSLJVRE,](https://reader036.fdocuments.us/reader036/viewer/2022081505/5fe66ad8c8c985423f01e127/html5/thumbnails/72.jpg)
Bro-OSQuery

Steffen Haas - https://github.com/bro/bro-osquery

- Monitors changes to host systems
- Uses a customized osquery binary
- Queries are scheduled every minute

https://svs.informatik.uni-hamburg.de/publications/2018/2018-05-31-Haas-QueryCon-Bro-Osquery.pdf
Bro-OSQuery

Goal: map Linux processes to JA3

Logs needed:
● Zeek ssl.log with the JA3 field
● osquery socket_events
Bro-OSQuery

socket_events

```sql
SELECT action, pid, path, family, protocol, local_address, remote_address,
       local_port, remote_port, time, success
FROM socket_events
```

```json
{
  "action": "added",
  "columns": {
    "time": "1527895541",
    "success": "1",
    "remote_port": "443",
    "action": "connect",
    "auid": "1000",
    "family": "2",
    "local_address": "",
    "local_port": "0",
    "path": "/usr/bin/curl",
    "pid": "30220",
    "remote_address": "212.13.197.231"
  },
  "unixTime": 1527895545,
  "hostIdentifier": "vagrant",
  "name": "socket_events"
}
```

Note that for the connect action local_address is empty and local_port is 0: the row records the destination and the process, but not the ephemeral source port, so on its own it cannot be joined to Zeek on the full 4-tuple.
Bro-OSQuery

Warning: read the docs....

"(socket) table is not automatically enabled when process_events are enabled because it can introduce considerable load on the system."

Only implementable on Linux and macOS: the customized osquery binary has to be compiled against CAF and Broker.
Introduction to Broker

Broker Demo

Ping / Pong - https://docs.zeek.org/projects/broker/en/stable/python.html#exchanging-bro-events
How can we monitor Windows Hosts?

Integrate Windows Sysmon into Zeek

Bro-Sysmon
Bro-Sysmon

Goal: map Windows processes to JA3

Logs needed:
● Zeek ssl.log with the JA3 field
● Sysmon Event ID 3: Network connection

Sysmon Event ID 3: Network Connection

```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
    <EventID>3</EventID>
    <Version>5</Version>
    <Level>4</Level>
    <Task>3</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2017-04-28T22:12:23.657698300Z" />
    <EventRecordID>10953</EventRecordID>
    <Correlation />
    <Execution ProcessID="3216" ThreadID="3976" />
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>rfsH.lab.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="UtcTime">2017-04-28 22:12:22.557</Data>
    <Data Name="ProcessGuid">{A23EAE89-BD28-5903-0000-00102F345D00}</Data>
    <Data Name="ProcessId">13220</Data>
    <Data Name="Image">C:\Program Files (x86)\Google\Chrome\Application\chrome.exe</Data>
    <Data Name="User">LAB\rsmith</Data>
    <Data Name="Protocol">tcp</Data>
    <Data Name="Initiated">true</Data>
    <Data Name="SourceIsIpv6">false</Data>
    <Data Name="SourceIp">192.168.1.250</Data>
    <Data Name="SourceHostname">rfsH.lab.local</Data>
    <Data Name="SourcePort">3328</Data>
    <Data Name="SourcePortName"> </Data>
    <Data Name="DestinationIsIpv6">false</Data>
    <Data Name="DestinationIp">104.130.229.150</Data>
    <Data Name="DestinationHostname"> </Data>
    <Data Name="DestinationPort">443</Data>
    <Data Name="DestinationPortName">https</Data>
  </EventData>
</Event>
```

Unlike the osquery socket_events row, this event carries the complete 4-tuple (SourceIp, SourcePort, DestinationIp, DestinationPort), which is exactly what Zeek's ssl.log keys on.
Windows Sysmon

Install, configure and get results:
Event ID 1: Process creation
Event ID 2: A process changed a file creation time
Event ID 3: Network connection
Event ID 4: Sysmon service state changed
Event ID 5: Process terminated
Event ID 6: Driver loaded
Event ID 7: Image loaded
Event ID 8: CreateRemoteThread
Event ID 9: RawAccessRead
Event ID 10: ProcessAccess
Event ID 11: FileCreate
Event ID 12: RegistryEvent (Object create and delete)
Event ID 13: RegistryEvent (Value Set)
Event ID 14: RegistryEvent (Key and Value Rename)
Event ID 15: FileCreateStreamHash
Event ID 17: PipeEvent (Pipe Created)
Event ID 18: PipeEvent (Pipe Connected)
Event ID 19: WmiEvent (WmiEventFilter activity detected)
Event ID 20: WmiEvent (WmiEventConsumer activity detected)
Event ID 21: WmiEvent (WmiEventConsumerToFilter activity detected)
Event ID 255: Error
Windows Sysmon

Warning: Sysmon can be very noisy.

Example logging levels (events generated by an idle host):

sysmon-verbose.xml - https://github.com/salesforce/bro-sysmon/blob/master/sysmon-verbose.xml
- 6347 events in 60s of idle time
- 28083 events in 300s of idle time

SwiftOnSecurity! - https://github.com/SwiftOnSecurity/sysmon-config
- 2268 events in 60s of idle time
- 11492 events in 300s of idle time (roughly 35%-40% of the verbose config)
Windows Sysmon

Create your own filter!
- Filter events based on the event type name
- Use conditionals to include or exclude

```xml
<NetworkConnect onmatch="exclude">
  <Image condition="contains">iexplore.exe</Image>
</NetworkConnect>
```

https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

Danger! Legitimate processes are routinely used by threats; do not blindly exclude them. Additionally, be mindful of process hollowing and process imitation: an exclude on the Image name also drops the malicious code running under it.
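Following that warning, here is an added example of a Sysmon configuration (not a file from the bro-sysmon or sysmon-config repositories) that selects Event ID 3 by where the connection goes rather than by which binary made it, so a hollowed or renamed process still produces a record for the JA3 mapping. The schemaversion is an assumption; check the schema your binary supports with sysmon -s and adjust. Sysmon applies exclude rules before include rules, which is why the loopback exclusion is safe to keep alongside the port includes.

```xml
<Sysmon schemaversion="4.22">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- Event ID 3: keep every outbound connection to the TLS ports Zeek
         will fingerprint, regardless of Image, so every JA3 in ssl.log
         can be attributed to a process. No Image-based exclusions. -->
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <DestinationPort condition="is">443</DestinationPort>
        <DestinationPort condition="is">8443</DestinationPort>
      </NetworkConnect>
    </RuleGroup>
    <!-- Exclude only traffic the network sensor can never see anyway. -->
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="exclude">
        <DestinationIp condition="is">127.0.0.1</DestinationIp>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Load it with sysmon -c followed by the file name; the idle-host event counts on the previous slide are the quickest way to check what a change in these rules costs.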
Install WinLogBeat & Configure

```yaml
winlogbeat.event_logs:
  - name: Microsoft-Windows-Sysmon/Operational

output.logstash:
  # The Logstash hosts
  hosts: ["192.168.200.1:9000"]
```

WinLogBeats
Running from the command line

```powershell
# Testing the config
.\winlogbeat.exe test config -c .\winlogbeat.yml -e

# Running in the foreground
.\winlogbeat.exe -c .\winlogbeat.yml

# Installing the service
PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1
```
Logstash

Configure /etc/logstash/conf.d/winlogbeat_receiver.conf:

```conf
input {
  beats {
    port => 9000
  }
}

output {
  file {
    path => "/home/logstash/bro-sysmon/WindowsSysmon.json"
  }
}
```

As written the beats input is plaintext. Outside a lab, set ssl => true with a certificate and key on the input, and the matching ssl settings on the Winlogbeat output, since these events carry process paths and user names.

Start the service:

```shell
systemctl start logstash
```
Python & Broker Bindings

Establish a connection with Zeek:

```python
import broker

ep = broker.Endpoint()
ep.peer("127.0.0.1", 9999)
```

Then, for each line of WindowsSysmon.json:
- Parse the JSON object
- Send it to a function that parses the event data
- Create the Zeek event
Python & Broker Bindings

Sysmon ID 3: Network Connection

```python
def sysmon_network_connection(winevt, evt_data):
    """Build the Zeek event from one Winlogbeat record (winevt) and its
    event_data dict. Fields that are absent are sent as the string 'None'."""
    message = broker.bro.Event(
        'sysmon_networkConnection',
        winevt.get('computer_name').encode('ascii', 'ignore'),
        evt_data.get('ProcessId', 'None').encode('ascii', 'ignore'),
        evt_data.get('Protocol', 'None').encode('ascii', 'ignore'),
        evt_data.get('SourceIp', 'None').encode('ascii', 'ignore'),
        evt_data.get('SourcePort', 'None').encode('ascii', 'ignore'),
        evt_data.get('DestinationIp', 'None').encode('ascii', 'ignore'),
        evt_data.get('DestinationPort', 'None').encode('ascii', 'ignore'),
        evt_data.get('Image', 'None').encode('ascii', 'ignore'),
    )
    return message
```
Bro Events

Events are received by Broker and raised to script land:

```zeek
event sysmon_networkConnection(computerName: string, processId: string, proto: string,
                               srcip: string, srcprt: string, dstip: string, dstprt: string,
                               procImage: string)
```

The default scripts write these events out as Zeek logs on the filesystem.
fingerprint_mapping

sysmon/__load__.bro

```zeek
@load ./fingerprint_mapping
```

sysmon/fingerprint_mapping/__load__.bro

```zeek
@load ./trackNewPid.bro
@load ./trackNewConns.bro
@load ./mapJA3_Proc.bro
#@load ./mapHASSH.bro
```
Bro-Sysmon

```text
Sysmon-Broker.py                                     Bro
      |                                               |
      | ------------ Establish Peering -------------> |
      | <----------- Establish Peering -------------- |
      | <----------- Subscribe /sysmon -------------- |
      |                                               |
Receive Sysmon JSON --> |                             |
      |                                               |
      | -- Parse JSON                                 |
      | -- Build Event                                |
      | ------------ Publish to /sysmon ------------> |
      |                                               | --> Bro script to log
      |                                               |
      |                                               | --> Bro script to build the JA3 to application map
```
Bro-Sysmon

Problems:
- Race conditions between event types: the Sysmon record and Zeek's own ssl.log entry for the same connection can arrive in either order, so the mapping scripts have to hold one side until the other shows up
- Distributed environments
- Eats up your memory in large deployments, since that held per-connection state grows with the number of hosts
But wait, there's more
Install WinLogBeat & Configure

```yaml
winlogbeat.event_logs:
  - name: Application
  - name: Security
  - name: System
  - name: Microsoft-Windows-Sysmon/Operational

output.logstash:
  # The Logstash hosts
  hosts: ["192.168.200.1:9000"]
```
Current handler

```python
def windows_event(winevt):
    """Generic handler for any Windows event log record shipped by Winlogbeat.
    Argument order follows the Bro event signature below (task before opcode;
    the slide had the two swapped)."""
    message = broker.bro.Event(
        'WindowsEvent',
        str(winevt.get('computer_name')),
        str(winevt.get('log_name')),
        int(winevt.get('event_id')),
        str(winevt.get('task', 'None')),
        str(winevt.get('opcode')),
        str(winevt.get('message', 'None')),
        str(winevt.get('event_data', 'None')),
    )
    return message
```

Current Bro event:

```zeek
event WindowsEvent(computerName: string, log_name: string, event_id: int, task: string,
                   opcode: string, message: string, event_data: string)
```

TODO: extend to handle event_data in more detail.
Demo or it didn't happen

Accurately map JA3 to client application for YOUR environment

Mapping JA3 to Client Application
Mapping JA3 to Client Application

```spl
search index=Bro_SSL DestinationPort=443 JA3!=null JA3Ciphers!=null ConnectionEstablished=true
| join SourcePort, DestinationPort, SourceAddr, DestinationAddr max=1 type=inner
    [
    search index=lots-o-logs sourcetype=OSQuery LogType=procs_on_internet Outcome=added
        SourcePort!=0 DestinationAddr!=0 IPSource!=0 DestinationPort=443 Protocol=6
        ClientApplication!=null
    | rename IPSource as SourceAddr
    | fields SourceAddr, SourcePort, DestinationAddr, DestinationPort, ClientApplication
    ]
| fields JA3, JA3Ciphers, ClientApplication
| stats values(ClientApplication) by JA3
```

Two fixes to the slide's query: the subsearch renames IPSource to SourceAddr so that all four join keys exist on both sides (the slide joined on SourceAddr while the osquery side only had IPSource), and the misspelled DestionationAddr is corrected, otherwise the join silently matches nothing.
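The Splunk join above and the mapJA3_Proc script in fingerprint_mapping do the same thing: tie a JA3 hash to the process that produced it by matching the connection 4-tuple. What follows is an added example, not code from bro-sysmon, the ja3 package or the slides. It reads a Zeek ssl.log in JSON format and the Sysmon Event ID 3 records Winlogbeat ships, joins them on (source IP, source port, destination IP, destination port) and reports which Image stands behind each JA3, plus the TLS sessions no host claimed. All log lines are constructed; the field names follow Zeek's ssl.log, the ja3 column the salesforce/ja3 package adds and Winlogbeat's event_data layout. The 60-second matching window is an assumption, there to handle the port-reuse case behind the race condition listed under Problems: the same 4-tuple can belong to two different processes minutes apart.

```python
"""JA3-to-process attribution: join Zeek ssl.log with Sysmon Event ID 3.

Added example, not code from bro-sysmon or the salesforce/ja3 package.
All sample log lines below are constructed for the example.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed Zeek ssl.log in JSON format; "ja3" is the column the salesforce/ja3
# package adds. The hash values are placeholders, not real fingerprints.
ZEEK_SSL_JSON = """
{"ts":1493417543.1,"uid":"CH1","id.orig_h":"192.168.1.250","id.orig_p":3328,"id.resp_h":"104.130.229.150","id.resp_p":443,"server_name":"www.example.com","established":true,"ja3":"1111111111111111aaaaaaaaaaaaaaaa"}
{"ts":1493417550.4,"uid":"CH2","id.orig_h":"192.168.1.250","id.orig_p":3340,"id.resp_h":"203.0.113.10","id.resp_p":443,"established":true,"ja3":"2222222222222222bbbbbbbbbbbbbbbb"}
{"ts":1493417560.0,"uid":"CH3","id.orig_h":"192.168.1.251","id.orig_p":51000,"id.resp_h":"198.51.100.5","id.resp_p":443,"established":true,"ja3":"1111111111111111aaaaaaaaaaaaaaaa"}
{"ts":1493417561.0,"uid":"CH4","id.orig_h":"192.168.1.250","id.orig_p":3350,"id.resp_h":"203.0.113.11","id.resp_p":443,"established":false}
"""

# Constructed Sysmon Event ID 3 records as Winlogbeat writes them through the
# Logstash file output: one JSON object per line, event fields under
# "event_data", all of them strings. The last record reuses the first one's
# 4-tuple ten minutes later with a different process (ephemeral port reuse).
SYSMON_WINLOGBEAT_JSON = r"""
{"computer_name":"rfsH.lab.local","event_id":3,"event_data":{"UtcTime":"2017-04-28 22:12:22.557","ProcessId":"13220","Image":"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe","Protocol":"tcp","Initiated":"true","SourceIp":"192.168.1.250","SourcePort":"3328","DestinationIp":"104.130.229.150","DestinationPort":"443"}}
{"computer_name":"rfsH.lab.local","event_id":3,"event_data":{"UtcTime":"2017-04-28 22:12:29.900","ProcessId":"4412","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","Protocol":"tcp","Initiated":"true","SourceIp":"192.168.1.250","SourcePort":"3340","DestinationIp":"203.0.113.10","DestinationPort":"443"}}
{"computer_name":"rfsH.lab.local","event_id":3,"event_data":{"UtcTime":"2017-04-28 22:12:31.000","ProcessId":"13220","Image":"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe","Protocol":"tcp","Initiated":"true","SourceIp":"192.168.1.250","SourcePort":"3345","DestinationIp":"203.0.113.12","DestinationPort":"80"}}
{"computer_name":"rfsH.lab.local","event_id":3,"event_data":{"UtcTime":"2017-04-28 22:22:22.557","ProcessId":"7001","Image":"C:\\Windows\\System32\\curl.exe","Protocol":"tcp","Initiated":"true","SourceIp":"192.168.1.250","SourcePort":"3328","DestinationIp":"104.130.229.150","DestinationPort":"443"}}
"""


def _records(text):
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def parse_zeek_ssl(text):
    """{(orig_h, orig_p, resp_h, resp_p): [(ts, ja3), ...]} for established
    sessions that carry a JA3 hash; handshakes Zeek never saw complete and
    sessions without a Client Hello are skipped."""
    sessions = defaultdict(list)
    for rec in _records(text):
        if not rec.get("established") or "ja3" not in rec:
            continue
        key = (rec["id.orig_h"], int(rec["id.orig_p"]),
               rec["id.resp_h"], int(rec["id.resp_p"]))
        sessions[key].append((float(rec["ts"]), rec["ja3"]))
    return sessions


def sysmon_utctime(value):
    """Sysmon's UtcTime ("2017-04-28 22:12:22.557") as a UNIX timestamp."""
    dt = datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")
    return dt.replace(tzinfo=timezone.utc).timestamp()


def parse_sysmon_netconn(text):
    """{(src_ip, src_port, dst_ip, dst_port): [(ts, image), ...]} from
    outbound TCP Event ID 3 records; every other event ID is ignored."""
    conns = defaultdict(list)
    for rec in _records(text):
        if int(rec.get("event_id", 0)) != 3:
            continue
        d = rec["event_data"]
        if d.get("Protocol") != "tcp" or d.get("Initiated") != "true":
            continue
        key = (d["SourceIp"], int(d["SourcePort"]),
               d["DestinationIp"], int(d["DestinationPort"]))
        conns[key].append((sysmon_utctime(d["UtcTime"]), d["Image"]))
    return conns


def map_ja3_to_process(zeek_text, sysmon_text, window=60.0):
    """Join the two views on the 4-tuple.

    A Sysmon connect event is accepted for a session only if it lies within
    `window` seconds (an assumed value) of Zeek's ssl.log timestamp; the
    closest one wins. abs() tolerates clock skew between host and sensor.
    Returns ({ja3: {image, ...}}, [(4-tuple, ja3), ...]); the list holds TLS
    sessions no host attributed (no agent, event dropped, or evaded).
    """
    sessions = parse_zeek_ssl(zeek_text)
    conns = parse_sysmon_netconn(sysmon_text)
    mapping = defaultdict(set)
    unattributed = []
    for key, hellos in sessions.items():
        for ts, ja3 in hellos:
            candidates = [(abs(ts - cts), image)
                          for cts, image in conns.get(key, [])
                          if abs(ts - cts) <= window]
            if candidates:
                mapping[ja3].add(min(candidates)[1])
            else:
                unattributed.append((key, ja3))
    return dict(mapping), unattributed


if __name__ == "__main__":
    ja3_map, missing = map_ja3_to_process(ZEEK_SSL_JSON, SYSMON_WINLOGBEAT_JSON)
    for ja3, images in sorted(ja3_map.items()):
        print(ja3, "->", ", ".join(sorted(images)))
    for (src, sport, dst, dport), ja3 in missing:
        print("no process for %s:%d -> %s:%d (ja3 %s)" % (src, sport, dst, dport, ja3))
```

Run it directly to print the map. With the sample data the chrome.exe record wins the first session and the curl.exe record with the same 4-tuple is rejected by the window, which is what a plain 4-tuple join (the Splunk query, or the Bro scripts without a time bound) would get wrong. The unattributed list is the part worth alerting on: a JA3 seen on the wire from a host that reported no matching Event ID 3 means either no agent, a dropped event, or something that connected without showing up in Sysmon.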
https://github.com/salesforce/bro-sysmon
https://github.com/salesforce/ja3
https://github.com/salesforce/hassh

Jeff Atkinson
neslogf<at>gmail<dot>com
@4a7361
in/anNh