Discover malicious network activity with ZEEK and RITA
Zeek, formerly known as Bro (the project was renamed in 2018), is an open-source network security monitoring framework. It captures live traffic or reads a pcap and records what it sees as structured, tab-separated logs, one per protocol (conn.log, dns.log, http.log, ssl.log and others), which is what makes it useful both for hunting for threats and for understanding how a network is actually used. Those logs, not the raw packets, are the input that RITA works from.
RITA (Real Intelligence Threat Analytics) is an open-source framework from Active Countermeasures for finding command-and-control traffic in Zeek logs. It does not capture packets itself: it imports the logs Zeek has written, stores them in a database and then ranks hosts and destination pairs on the behaviours typical of C2, such as beaconing (repeated connections to the same destination at regular intervals), unusually long-lived connections, DNS tunnelling (a very large number of unique subdomains under one domain) and connections to addresses or hostnames on a blocklist. This is an after-the-fact analysis over a batch of logs rather than live alerting, and it is simple to install and run, which makes it a practical first tool for smaller teams.
Install ZEEK -> https://livehack101.com/en/install-zeek-step-by-step/
Install RITA -> https://github.com/activecm/rita
Test malicious .pcap file from real malware -> https://www.malware-traffic-analysis.net/2023/index.html
For my test I'm using 2023-01-18 — Google Ad → Fake Libre Office page → IcedID (Bokbot) → Cobalt Strike
— First step: zeek -Cr 2023-01-18-part-1-IcedID-traffic-carved-and-sanitized.pcap (run this in an empty directory, because Zeek writes conn.log, dns.log, http.log, ssl.log and the rest into the current directory; -r reads from the pcap instead of a network interface, and -C tells Zeek to ignore bad TCP checksums, which a carved and sanitized capture usually has and which would otherwise leave the TCP sessions unanalysed)
— Second step: rita import . IcedID (imports the Zeek logs in the current directory into a RITA dataset named IcedID; this is the RITA v3 command syntax, so check the help output if you are on a newer release)
— Last step: rita html-report IcedID (writes a static HTML report, an index.html plus one page per analysis, into a directory named after the dataset; open it in a browser and start with the beacons and long connections pages, which is where the IcedID and Cobalt Strike check-ins in this capture stand out)
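To make the beacon analysis concrete, here is an added example (my own code, not RITA's or Zeek's) showing the core idea behind the beacons page of the report: parse the conn.log that the first step produces and score every source/destination pair by how regular the gaps between its connections are. RITA's real scoring is more elaborate (it also looks at data sizes and connection counts), but the regularity heuristic is the heart of it. The conn.log below is constructed for the example and abbreviated to the first columns of a real one; the hosts, timestamps and intervals are invented.

```python
"""Simplified beacon hunt over a Zeek conn.log.

Added example, not RITA's own code. It reads the TSV conn.log that
`zeek -r` writes (the '#fields' header names the columns) and scores each
(source, destination) pair on the regularity of its inter-connection
intervals, the same idea RITA's beacon analysis is built on. Constructed
sample data is used throughout; scoring here is a simplification.
"""
import statistics
from collections import defaultdict


def parse_conn_log(text):
    """Yield one dict per data row, keyed by the names in the '#fields' header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]          # drop the '#fields' token itself
            continue
        if line.startswith("#"):                   # #separator, #types, #open, #close ...
            continue
        if fields is None:
            raise ValueError("data row seen before the #fields header")
        yield dict(zip(fields, line.split("\t")))


def score_pairs(records, min_connections=10):
    """Return {(orig_h, resp_h): (count, median_interval, score)}.

    score = 1 - MAD/median of the gaps between consecutive connections,
    clamped to [0, 1]: 1.0 means perfectly regular timing. Pairs with fewer
    than min_connections connections are skipped; two connections are not
    a pattern.
    """
    times = defaultdict(list)
    for r in records:
        times[(r["id.orig_h"], r["id.resp_h"])].append(float(r["ts"]))
    results = {}
    for pair, ts in times.items():
        if len(ts) < min_connections:
            continue
        ts.sort()                                  # Zeek logs are not guaranteed ordered
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        med = statistics.median(gaps)
        if med <= 0:
            continue
        mad = statistics.median(abs(g - med) for g in gaps)
        results[pair] = (len(ts), med, round(max(0.0, 1.0 - mad / med), 3))
    return results


def find_beacons(text, min_connections=10, threshold=0.8):
    """Pairs whose regularity score reaches the threshold."""
    scored = score_pairs(parse_conn_log(text), min_connections)
    return {p: v for p, v in scored.items() if v[2] >= threshold}


# --- constructed sample conn.log (abbreviated to the leading columns) ----
HEADER = ("#separator \\x09\n#path\tconn\n"
          "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p"
          "\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state")


def _row(ts, src, sport, dst, dport):
    return (f"{ts:.6f}\tC{int(ts) % 100000}\t{src}\t{sport}\t{dst}\t{dport}"
            f"\ttcp\tssl\t0.400\t900\t1200\tSF")


def _sample_log():
    base = 1674048000.0                            # 2023-01-18 12:00:00 UTC
    rows = [HEADER]
    # Implant checking in every 60 s with a little deterministic jitter.
    for i in range(30):
        jitter = ((i * 7) % 5 - 2) * 0.3
        rows.append(_row(base + 60 * i + jitter, "10.0.0.5", 49000 + i,
                         "203.0.113.10", 443))
    # A user browsing: irregular gaps to the same site.
    t = base + 5
    for i, gap in enumerate([0, 3, 45, 2, 300, 8, 120, 1, 600, 30, 15, 7, 200]):
        t += gap
        rows.append(_row(t, "10.0.0.7", 51000 + i, "198.51.100.20", 443))
    # Two connections only: not enough to call anything.
    rows.append(_row(base + 9, "10.0.0.9", 52000, "192.0.2.1", 443))
    rows.append(_row(base + 70, "10.0.0.9", 52001, "192.0.2.1", 443))
    return "\n".join(rows) + "\n"


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    for (src, dst), (n, med, score) in sorted(score_pairs(parse_conn_log(SAMPLE_LOG)).items(),
                                              key=lambda kv: -kv[1][2]):
        print(f"{src:>12} -> {dst:<14} conns={n:<3} median={med:7.1f}s score={score}")
```

Read the score alongside the connection count: a perfectly regular pair with ten connections is far less interesting than one with a thousand, and RITA weights its output accordingly. The same parser works for any Zeek TSV log, so the dns.log from step one can be fed through it with a different scoring function to count unique subdomains per domain, which is the DNS tunnelling check.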