This blog describes how to solve the Unit 42 Wireshark quiz for January 2023 with SELKS instead of Wireshark.
SELKS is a free, open-source, and turn-key Suricata network intrusion detection/protection system (IDS/IPS), network security monitoring (NSM), and threat hunting implementation created and maintained by Stamus Networks. SELKS has its own built-in Suricata management and Hunting GUI – Stamus Community Edition (Stamus CE), formerly referred to as Scirius Community Edition.
Thanks to the features in SELKS, we can gain valuable insights into monitoring network traffic. In this case, that information will be used for answering the Wireshark quiz questions. These quizzes are generally meant to be solved using Wireshark, but we believe that SELKS is just as effective, if not more so. Solving the Unit 42 quiz will also demonstrate how SELKS – with the abundant network telemetry data produced by Suricata – can be used to improve our network visibility to detect and mitigate potential security risks in general.
Tools used: Suricata Threat Hunting Interface in SELKS
Reading The Quiz PCAP File With SELKS
Before we begin, we need to download and install SELKS. You can find more information on the requirements and installation process here.
In order to install SELKS, you simply need to run the following commands on a Linux OS that has support for Docker:
git clone https://github.com/StamusNetworks/SELKS.git
docker-compose up -d
Once the containers are up and running, you should just point your browser to https://your_selks_IP_here/ or https://localhost/.
If you chose to install Portainer during the installation, you must visit https://your.selks.IP.here:9443 to set Portainer's admin password.
If there are any questions or if more information is needed, please consult our wiki or post a question on our Discord.
Next, we need to read the necessary PCAP file. In order to obtain it, you can visit the following GitHub repository.
The PCAP is in a ZIP archive and should be extracted. Use “infected” as a password in order to unlock the ZIP archive.
Finally, you need to copy the PCAP file to your SELKS installation and read it with the help of the “readpcap.sh” script. This can be done with the following command:
sudo ./scripts/readpcap.sh filename.pcap
We will want to replace "filename.pcap" with the name of the PCAP file that will be analyzed.
Note that using the "readpcap.sh" script requires sudo privileges, and the analysis may take some time to complete depending on the size of the PCAP file and the complexity of the network traffic.
The “readpcap.sh” script will then automatically launch a series of commands and tools to analyze the PCAP file. This includes running Suricata – which processes the traffic – as well as Logstash and Elasticsearch. Once the analysis is complete, we can see the results by accessing SELKS, for example at https://your_selks_IP_here/, and navigating to the SELKS Hunting interface.
There are two possible paths that we will explore to solve the quiz questions:
One is via the Hunt interface, which is specifically designed to hunt on Suricata alerts and alert metadata. The GUI interface allows for building hunt queries. We can see the alerts metadata as well as the correlated network protocol logs, file transactions, and flows. We will explore that path this week.
The other path, which will be released on the Stamus Networks blog in the future, is via the purposely built SN-HUNT-1 Kibana dashboard using only non-alert data which includes only the network protocol, file transaction, flow, and anomaly logs produced by Suricata.
Answering the Quiz Questions with the SELKS Suricata Threat Hunting Interface: A Practical Example of Threat Analysis
To solve the quiz, we only need the hunting interface and the generated alert.
Let’s start by summarizing the quiz questions and start answering them one by one.
With the help of the powerful and user-friendly Suricata Threat Hunting interface, we can easily see the alert that was triggered when reading the PCAP file. Since the original timestamp of the PCAP is preserved when reading it, we have to set the time span (in the upper right hand corner) to “All” in order to see the generated alert.
Each alert has separate defined sections such as: signature, IP and basic information, enrichment, geoip, flow and signature metadata.
Furthermore, each alert in the GUI by default has available all correlated network protocol logs, flows, file transactions, and anomaly logs. This is thanks to Suricata’s native “flow_id”.
The signatures section of the alert in SELKS provides more detailed information about the specific signature or rule that was triggered, including the name of the signature, the SID (signature id) number of the signature, its Category, and any additional information associated with the signature like its Severity or Revision. In this specific case, it gives us the following information:
- Signature: The name of the signature that has alerted, in this case: “ET MALWARE AgentTesla Exfil Via SMTP”
- SID: The Signature ID which uniquely identifies the specific Signature as 2030171
- Category: The category of the alert, which is “A Network Trojan was detected”
- Severity: The severity level of the alert, which is classified as “Severe”
- Revision: The revision number of the Signature, which is currently 1
The given information can be useful for identifying and analyzing potential threats associated with the AgentTesla malware family in order to develop an appropriate response and mitigate any risk. The severity level of “Severe” indicates that it is a potentially significant threat that requires immediate attention and action.
The information provided in the IP and basic information section indicates that a device with an IP address 192.168.1.27 and source port 51958 has communicated with a device with the IP address 184.108.40.206 and destination port 587 using the TCP protocol and SMTP application protocol. This information is an indication of email communication between the two devices.
The Enrichment section shows the exact target IP and source IP of the attack, as opposed to the src_ip and dest_ip of the alert log. Specifically, it indicates that the device with IP address 220.127.116.11 and source port 587 is the attacking side, directed at the device with IP address 192.168.1.27 (the victim’s IP) and destination port 51958, using the same TCP protocol and SMTP application protocol. Both sets of information together provide more context about the communication, indicating that there was two-way email communication between the devices with these specific IP addresses and ports. In SELKS, this information is really useful for identifying potential email-based threats, such as spam or phishing attempts, as in our case.
The information provided in the GeoIP section indicates that the alert is associated with a network connection that has been geolocated to the United States. SELKS uses GeoIP databases to identify the country of origin for network traffic. This information can be useful for identifying threats, as traffic from certain countries or regions may be more likely to be associated with malicious activity. In this case, the alert may be associated with network traffic originating from or going to the United States. Depending on the specifics of the alert and other available information, this could provide additional context for investigating the potential threat and taking appropriate action to mitigate any risk.
The Flow section gives even more valuable information for an alert. In general, it has the following fields:
- Flow ID: A unique identifier for the network flow associated with the alert, allowing us to correlate any and all data – relevant network protocol, file transaction, flow logs, additional alerts, anomaly events, extracted files and pcap – to that specific alert as part of the same flow.
- Flow start: The start time of the network flow associated with the alert
- Pkts to server: The number of packets transmitted from the Source IP to the Destination IP
- Bytes to server: The total number of bytes transmitted from the Source IP to the Destination IP
- Pkts to client: The number of packets transmitted from the Destination IP to the Source IP
- Bytes to client: The total number of bytes transmitted from the Destination IP to the Source IP
In this specific case, the flow data indicates that a network flow was identified with a unique identifier of 496530989200870 and it started at 2023-01-05T22:51:29.574359+0000.
During the flow, the Source IP has transmitted 17 packets and 2997 bytes to the Destination IP, while the Destination IP has transmitted 23 packets and 1800 bytes to the Source IP.
This information can be really useful for understanding the nature and scope of the network traffic associated with the alert and also for identifying potential sources or destinations of malicious activity.
The Signature metadata section gives us even more information about the nature of the alert, including the following:
- Former category: The previous category or classification of the alert. In this case, the alert was classified as Malware at some point in the past.
- Affected product: The affected product associated with the alert. In this case, the affected products are Windows XP, Vista, 7, 8 and 10, as well as various server platforms running on 32-bit and 64-bit architectures.
- Attack target: The target of the attack associated with the alert. In this case, the attack is targeted at a Client endpoint (for example a laptop) in order to get the malware in and later use it
- Deployment: The location or deployment context of the alert. In this case, the alert is associated with perimeter-based network monitoring or protection
- Updated at: The date when the metadata for the alert was last updated. In this case, it is 2020-05-18
- Malware family: The family or type of malware associated with the alert. In this case, the malware family is identified as AgentTesla
- Severity: The severity of the alert signature. In this case, it is classified as Major
- Created at: The date when the signature for the alert was created. In this case, it was created on 2020-05-18
This metadata provides additional context and information about the alert and can be useful in assessing the potential threat posed by the activity and in developing an appropriate response. The metadata can also be used to help identify patterns and trends in malicious activity over time.
Now let’s go back to answering the questions from the Wireshark Quiz.
Thanks to the information in the Flow section of our alert, we can easily answer the first question from the quiz: When did the malicious traffic start in UTC? The answer is that it started at 2023-01-05T22:51:29.574359+0000.
The next question is: What is the victim’s IP address? To answer this, we can check the IP and basic information section of the alert, which gives us the answer. Under “Source IP” we can see the victim’s IP address and it is 192.168.1.27.
The third question in the quiz is: What is the victim’s MAC address? Prior to answering this question, we need to clarify that in order to get such information in our events/logs, we first need to enable logging of the Ethernet source and destination MAC addresses. To do this, we should simply enable the “ethernet: yes” option in the SELKS add-in configuration file “selks6-addin.yaml”. It can be found under: “SELKS/docker/containers-data/suricata/etc/selks6-addin.yaml”
In order to find the answer, we can simply use the information provided in the related events of the generated alert.
In Suricata, every event log has its own event type: “event_type”:”alert” for alerts, and “event_type”:”dns”, “event_type”:”tls”, “event_type”:”ftp”, “event_type”:”http”, “event_type”:”mqtt”, “event_type”:”fileinfo” and so on for the protocol and file logs. Each network protocol log is generated regardless of whether there is an alert or not and contains information about a specific event that occurred on the network.
In Suricata, alert related events are other network events or activities that are associated with a particular alert, correlated as we mentioned above by “flow_id”. They can provide additional context about the alert and help us understand the scope and impact of the security incident. In our case, we have related Anomaly, Flow, and SMTP events.
By looking at the JSON of the Related SMTP event, we can easily find the answer and see that the victim’s MAC address is "bc:ea:fa:22:74:fb".
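The correlation described in the Flow section and in the related-events discussion above, as an added example that is not part of the original post: a small Python script that reads EVE JSON lines, selects the non-alert events sharing an alert's flow_id, and pulls the start time, victim IP and (from the related SMTP event's ether object, present only when "ethernet: yes" is enabled) the victim MAC. The log lines are constructed for the example; only the SID, signature text and flow counters are taken from the page.

```python
import json

# Constructed EVE JSON lines (not the page's PCAP output): an alert, the events
# that share its flow_id, and one unrelated dns event. IPs/MACs are placeholders;
# SID, signature and flow counters are the page's values.
SAMPLE_EVE = """\
{"timestamp":"2023-01-05T22:51:29.574359+0000","flow_id":496530989200870,"event_type":"alert","src_ip":"192.0.2.27","src_port":51958,"dest_ip":"198.51.100.5","dest_port":587,"proto":"TCP","app_proto":"smtp","alert":{"signature_id":2030171,"rev":1,"signature":"ET MALWARE AgentTesla Exfil Via SMTP","category":"A Network Trojan was detected","severity":1},"flow":{"pkts_toserver":17,"bytes_toserver":2997,"pkts_toclient":23,"bytes_toclient":1800,"start":"2023-01-05T22:51:29.574359+0000"}}
{"timestamp":"2023-01-05T22:51:31.100000+0000","flow_id":496530989200870,"event_type":"smtp","ether":{"src_mac":"02:00:00:aa:bb:cc","dest_mac":"02:00:00:dd:ee:ff"},"smtp":{"helo":"DESKTOP-WIN11PC"}}
{"timestamp":"2023-01-05T22:51:31.200000+0000","flow_id":496530989200870,"event_type":"anomaly","anomaly":{"type":"applayer"}}
{"timestamp":"2023-01-05T22:51:30.000000+0000","flow_id":111111111111111,"event_type":"dns","dns":{"type":"query","rrname":"example.invalid"}}
{"timestamp":"2023-01-05T22:52:00.000000+0000","flow_id":496530989200870,"event_type":"flow","flow":{"pkts_toserver":17,"bytes_toserver":2997,"pkts_toclient":23,"bytes_toclient":1800}}
"""


def load_events(text):
    """Parse newline-delimited EVE JSON into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def related_events(events, flow_id):
    """Non-alert events sharing the alert's flow_id: what the Hunt GUI lists as Related events."""
    return [e for e in events if e.get("flow_id") == flow_id and e["event_type"] != "alert"]


def summarize_alert(events, alert):
    """Collect the quiz answers the page takes from the alert and its related SMTP event."""
    related = related_events(events, alert["flow_id"])
    smtp = next((e for e in related if e["event_type"] == "smtp"), None)
    flow = alert.get("flow", {})
    # "ether" is present only when eve-log has "ethernet: yes"; in this constructed
    # sample the SMTP event's src_mac is the client (victim) side.
    mac = smtp["ether"]["src_mac"] if smtp and "ether" in smtp else None
    return {
        "signature": alert["alert"]["signature"],
        "sid": alert["alert"]["signature_id"],
        "start_utc": flow.get("start"),
        "victim_ip": alert["src_ip"],
        "victim_mac": mac,
        "pkts_toserver": flow.get("pkts_toserver"),
        "bytes_toserver": flow.get("bytes_toserver"),
        "related_types": sorted({e["event_type"] for e in related}),
    }


if __name__ == "__main__":
    evs = load_events(SAMPLE_EVE)
    for a in (e for e in evs if e["event_type"] == "alert"):
        print(json.dumps(summarize_alert(evs, a), indent=2))
```

Point it at a real eve.json (one event per line) and the same three functions apply unchanged.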
Now let’s find out the answer to the remaining questions from the quiz:
- What is the victim’s Windows host name?
- What is the victim’s Windows user account name?
- How much RAM does the victim’s host have?
- What type of CPU is used by the victim’s host?
- What is the public IP address of the victim’s host?
- What type of account login data was stolen by the malware?
In this case, we can find the relevant information with just a glance at the payload_printable section of the alert. In Suricata, the payload_printable section contains the printable content of the packet payload that triggered the alert. The payload is the part of the network packet that contains the actual data being transmitted, such as the content of an email or a web page.
The payload printable section also shows the printable characters in the payload, which can be useful in identifying the type of traffic that triggered the alert.
In our case, the payload printable section contains the printable characters in the payload of the email message, which appears to be sent from "marketing@transgear[.]in" to "zaritkt@arhitektondizajn[.]com". The payload appears to contain URLs and application information, which suggests that this email may be part of a phishing campaign aimed at stealing sensitive information from the recipient. It also contains credentials encoded with base64, which can be decoded easily into plain text using the CyberChef tool that is integrated with the SELKS implementation.
Moreover, the payload printable offers answers to all of the remaining questions from the quiz:
- The victim’s Windows host name is “DESKTOP-WIN11PC”
- The victim’s Windows user account name is “windows11user”
- The victim’s host has 32165.83 MB, i.e. roughly 32 GB, of RAM
- The victim’s CPU is Intel(R) Core(TM) i5-13600K
- The public IP address of the victim’s host is 18.104.22.168
- The type of account login data that was stolen is email and web accounts and credentials for those
But the content of the Payload printable is not limited to only answering the questions from the quiz. It not only includes information about the user, computer, CPU, and RAM, but also on the OS, IP addresses, several URLs, and login credentials for different services.
Overall, this payload contains really sensitive information that could be used to compromise the recipient’s accounts, making it a security threat.
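As an added example (not code from the original post), the decoding step the text describes, done in Python instead of CyberChef: the SMTP AUTH LOGIN pair is base64-decoded, the quoted-printable HTML body is decoded, and the host facts (user, computer name, OS, CPU, RAM, public IP) and the number of stolen-credential entries are extracted. The payload is constructed in the same shape as the one on the page; hosts and credentials are placeholders.

```python
import base64
import quopri
import re

# Constructed payload in the shape of the page's exfil message (EHLO, AUTH LOGIN,
# then a quoted-printable HTML body). Hosts and credentials are placeholders.
AUTH_USER = base64.b64encode(b"sender@example.invalid").decode()
AUTH_PASS = base64.b64encode(b"PLACEHOLDER_PASSWORD").decode()
SAMPLE_PAYLOAD = (
    "EHLO DESKTOP-WIN11PC\r\n"
    f"AUTH login {AUTH_USER}\r\n{AUTH_PASS}\r\n"
    "MAIL FROM:<sender@example.invalid>\r\nRCPT TO:<drop@example.invalid>\r\nDATA\r\n"
    "MIME-Version: 1.0\r\nSubject: PW_windows11user/DESKTOP-WIN11PC\r\n"
    "Content-Type: text/html; charset=us-ascii\r\n"
    "Content-Transfer-Encoding: quoted-printable\r\n\r\n"
    "Time: 01/05/2023 22:51:26<br>User Name: windows11user<br>Computer=\r\n"
    " Name: DESKTOP-WIN11PC<br>OSFullName: Microsoft Windows 11 Pro<br=\r\n"
    ">CPU: Intel(R) Core(TM) i5-13600K CPU @ 5.10GHz<br>RAM: 32165.83 =\r\n"
    "MB<br>IP Address: 203.0.113.7<br><hr>URL:imap://mail.example.invalid<br>=0D=0A"
    "Username:user@example.invalid<br>=0D=0APassword:PLACEHOLDER<br>=0D=0A"
    "Application:Thunderbird<br>=0D=0A<hr>=0D=0A\r\n\r\n.\r\nQUIT\r\n"
)

HOST_FIELDS = [("user", "User Name"), ("host", "Computer Name"), ("os", "OSFullName"),
               ("cpu", "CPU"), ("ram_mb", "RAM"), ("public_ip", "IP Address")]


def parse_exfil_payload(payload):
    """Decode the AUTH LOGIN pair and the quoted-printable body, then extract host facts."""
    lines = payload.split("\r\n")
    result = {}
    for i, line in enumerate(lines):
        m = re.match(r"AUTH login (\S+)", line, re.IGNORECASE)
        if m:  # base64 user on this line, base64 password on the next (SMTP AUTH LOGIN)
            result["smtp_user"] = base64.b64decode(m.group(1)).decode()
            result["smtp_pass_len"] = len(base64.b64decode(lines[i + 1]))  # keep the secret out of output
            break
    # The message body runs from the blank line after the DATA headers to the "." terminator
    hdr_end = lines.index("", lines.index("DATA"))
    body_qp = "\r\n".join(lines[hdr_end + 1:lines.index(".", hdr_end)])
    html = quopri.decodestring(body_qp.encode()).decode()  # undoes "=\r\n" soft breaks and =0D=0A
    text = re.sub(r"<hr\s*/?>", "\n---\n", re.sub(r"<br\s*/?>", "\n", html))
    for key, label in HOST_FIELDS:
        m = re.search(rf"^{label}:\s*(.+)$", text, re.MULTILINE)
        if m:
            result[key] = m.group(1).strip()
    # One URL/Username/Password/Application block per stolen credential
    result["applications"] = [a.strip() for a in re.findall(r"^Application:(.+)$", text, re.MULTILINE)]
    result["credential_entries"] = len(re.findall(r"^URL:", text, re.MULTILINE))
    return result


if __name__ == "__main__":
    print(parse_exfil_payload(SAMPLE_PAYLOAD))
```

The same function works on the payload_printable string of a real alert once its escaped "\r\n" sequences are turned back into real CRLFs (json.loads does that for you).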
Below is an excerpt of the actual JSON log of the generated alert:
"pkt_src": "stream (flow timeout)",
"payload_printable": "EHLO DESKTOP-WIN11PC\r\nAUTH login bWFya2V0aW5nQHRyYW5zZ2Vhci5pbg==\r\nTUBzc3cwcmQjNjIx\r\nMAIL FROM:<email@example.com>\r\nRCPT TO:<firstname.lastname@example.org>\r\nDATA\r\nMIME-Version: 1.0\r\nFrom: email@example.com\r\nTo: firstname.lastname@example.org\r\nDate: 5 Jan 2023 22:51:31 +0000\r\nSubject: PW_windows11user/DESKTOP-WIN11PC\r\nContent-Type: text/html; charset=us-ascii\r\nContent-Transfer-Encoding: quoted-printable\r\n\r\nTime: 01/05/2023 22:51:26<br>User Name: windows11user<br>Computer=\r\n Name: DESKTOP-WIN11PC<br>OSFullName: Microsoft Windows 11 Pro<br=\r\n>CPU: Intel(R) Core(TM) i5-13600K CPU @ 5.10GHz<br>RAM: 32165.83 =\r\nMB<br>IP Address: 22.214.171.124<br><hr>URL:imap://mail.windows11u=\r\nsers.com<br>=0D=0AUsername:email@example.com<br>=0D=0APass=\r\nword:EBj%U7-p@q4NW<br>=0D=0AApplication:Thunderbird<br>=0D=0A<hr>=\r\n=0D=0AURL:smtp://mail.windows11users.com<br>=0D=0AUsername:admin@=\r\nwindows11users.com<br>=0D=0APassword:EBj%U7-p@q4NW<br>=0D=0AApplicat=\r\nion:Thunderbird<br>=0D=0A<hr>=0D=0AURL:webmail.windows11users.com=\r\n<br>=0D=0AUsername:firstname.lastname@example.org<br>=0D=0APassword:EBj=\r\n%U7-p@q4NW<br>=0D=0AApplication:Edge Chromium<br>=0D=0A<hr>=0D=0AURL=\r\n:https://login.us.coca-cola.com/<br>=0D=0AUsername:admin@windows1=\r\n1users.com<br>=0D=0APassword:Zp61-7$r#J_iLpCYV&jKr<br>=0D=0AAppli=\r\ncation:Edge Chromium<br>=0D=0A<hr>=0D=0AURL:https://www.linkedin.=\r\ncom/<br>=0D=0AUsername:email@example.com<br>=0D=0APassword=\r\n:TqQPvG#0g%$ga_q51<br>=0D=0AApplication:Edge Chromium<br>=0D=0A<h=\r\nr>=0D=0AURL:https://www.amazon.com/ap/signin<br>=0D=0AUsername:ad=\r\firstname.lastname@example.org<br>=0D=0APassword:3Fo76#PTf4P$Im!9mkLso69e=\r\nT<br>=0D=0AApplication:Edge Chromium<br>=0D=0A<hr>=0D=0AURL:https=\r\n://www.target.com/login<br>=0D=0AUsername:windows11user<br>=0D=0APas=\r\nsword:c$Kl3wO!e#i7A&!L2<br>=0D=0AApplication:Edge Chromium<br>=0D=0A=\r\n<hr>=0D=0AURL:https://myaccount.nytimes.com/auth/login<br>=0D=0AU=\r\nsername:email@example.com<br>=0D=0APassword:u*N21Or650yBps=\r\np45awSa<br>=0D=0AApplication:Edge Chromium<br>=0D=0A<hr>=0D=0A\r\n\r\n.\r\nQUIT\r\n",
"signature": "ET MALWARE AgentTesla Exfil Via SMTP",
"category": "A Network Trojan was detected",
"country_name": "United States",
In this blog, we have presented one approach to solving the Unit 42 Wireshark quiz for January 2023. By examining the traffic captured in the PCAP file and with the help of the powerful SELKS implementation, we have identified the attributes of the compromised Windows host and the data targeted by the malware. Thus, we have answered all of the questions from the quiz by simply opening and looking through the hunting interface with the data provided by Suricata.
Given the ease of solving the quiz with SELKS, it is worth mentioning that SELKS provides organizations and security analysts with a powerful network security solution that can help them detect and prevent potential threats in real time, maintain network performance, and save costs on expensive commercial solutions.
Subscribe to the Stamus Networks blog to be updated when we release part 2 of this series, in which we will demonstrate how to solve the quiz using the SN-Hunt-1 dashboard on Kibana.