Many NIDS Events will let you know that a file has been downloaded to an asset. You may be researching a BAD IP event and you see related 'download' events that you need to research. Here are some examples.
- ET POLICY PDF With Embedded File
- ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
- ET POLICY Binary Download Smaller than 1 MB Likely Hostile
- ET ATTACK_RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection
- ET CURRENT_EVENTS rechnung zip file download
- ET INFO Microsoft Compact Office Document Format File Download
- ET MALWARE UPX encrypted file download possible malware
The Suricata ruleset contains many rules written to detect the download of suspicious or high-risk files (e.g. executable files smaller than 1 MB).
You can see some of these with the following query: https://dsap.netwatcher.com/5Sqy7
Here are the basic steps to follow in your research:
- Download the session PCAP and extract the file of interest from it. There are several ways to do this, and this SANS article covers them: https://www.sans.org/reading-room/whitepapers/forensics/extracting-files-network-packet-captures-36562
- Upload the extracted file to online file analysis tools:
  - https://apkscan.nviso.be/report/show/c13c753c8e4f075cbf527527a88318dc for Android files (.apk extension)
  - https://www.malwaretracker.com/index.php (PDF and common formats)
- Analyzing PDF documents:
  - https://blog.didierstevens.com/programs/pdf-tools/ - a very useful set of tools for PDF analysis.
- Analyzing Microsoft Office documents:
  - https://github.com/decalage2/oletools/wiki - oletools is a package of Python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the olefile parser. See http://www.decalage.info/python/oletools for more info.
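The steps above end with "upload it" or "open it in pdf-tools / oletools"; before doing either, a handler usually wants a quick local look at what was carved out of the PCAP: what kind of file it is, its hash for lookups, and whether it shows the traits the rules above fire on (an embedded file or auto-open action in a PDF, a small or UPX-packed executable, an OLE2 container that needs olevba). The script below is an added example written for this article, not code from NetWatcher, Suricata, Didier Stevens or the oletools project; it uses only the Python standard library, and its sample files are constructed header stubs, not real malware. The function names, the keyword list and the 1 MB threshold are the example's own choices.

```python
"""Offline first-look triage for a file carved out of a session PCAP.

Added example for this article (not NetWatcher, Suricata, pdf-tools or
oletools code). Sample payloads below are constructed header stubs.
"""
import hashlib
import struct

# Well-known magic bytes; ZIP also covers .docx/.xlsx/.apk/.jar containers.
SIGNATURES = [
    (b"MZ", "pe-executable"),
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-compound-document"),
    (b"PK\x03\x04", "zip-container"),
]

# PDF names worth a closer look with pdfid.py / pdf-parser.py (example's list).
PDF_RISK_NAMES = [b"/EmbeddedFile", b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch"]

# Mirrors the "Binary Download Smaller than 1 MB" rule's notion of a small dropper.
SMALL_BINARY_LIMIT = 1024 * 1024


def identify(data: bytes) -> str:
    """Return a coarse file type from the leading bytes."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def pe_section_names(data: bytes) -> list:
    """Read PE section names; returns [] if the headers are truncated or not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt          # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40                   # IMAGE_SECTION_HEADER is 40 bytes
        if off + 8 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def triage(data: bytes) -> dict:
    """Summarise one carved file: type, hash for lookups, and what to check next."""
    kind = identify(data)
    findings = []
    if kind == "pe-executable":
        if any(n.startswith("UPX") for n in pe_section_names(data)):
            findings.append("upx-packed")        # cf. "UPX encrypted file download"
        if len(data) < SMALL_BINARY_LIMIT:
            findings.append("small-binary")      # cf. "Binary Download Smaller than 1 MB"
    elif kind == "pdf":
        for name in PDF_RISK_NAMES:              # plain substring scan; pdfid handles obfuscation
            if name in data:
                findings.append("pdf:" + name.decode())
    elif kind == "ole2-compound-document":
        findings.append("run-olevba")            # macros live in OLE2 streams; oletools reads them
    elif kind == "zip-container":
        findings.append("inspect-zip-members")   # could be OOXML, an APK or a plain archive
    return {"type": kind, "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(), "findings": findings}


# --- constructed samples (header stubs, not real malware) so the script runs offline ---

def sample_pdf() -> bytes:
    return (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"3 0 obj << /Type /EmbeddedFile /Length 4 >> stream\nAAAA\nendstream endobj\n%%EOF")


def sample_upx_pe() -> bytes:
    """Header-only PE stub with UPX0/UPX1 section names; not loadable, just parseable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine, NumberOfSections=2, timestamp, symtab ptr, nsyms, SizeOfOptionalHeader=0, flags
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0)
    sections = b"".join(name.ljust(8, b"\0") + b"\0" * 32 for name in (b"UPX0", b"UPX1"))
    return dos + b"PE\0\0" + coff + sections


def sample_ole2() -> bytes:
    return b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 504


if __name__ == "__main__":
    for label, blob in (("pdf", sample_pdf()), ("pe", sample_upx_pe()), ("ole2", sample_ole2())):
        print(label, triage(blob))
```

Run it on the carved file (`triage(open(path, "rb").read())`) and use the SHA-256 for the online lookups before uploading anything; the `findings` list tells you which of the page's next steps applies (pdf-tools for a PDF hit, olevba for an OLE2 document, unpacking before static analysis for a UPX section). The PDF scan is deliberately naive: real samples hide names with hex escapes, which is exactly why the text points you to pdfid.py.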