{"id":8255,"date":"2025-11-07T04:04:09","date_gmt":"2025-11-07T04:04:09","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/11\/07\/32454\/"},"modified":"2025-11-07T04:04:09","modified_gmt":"2025-11-07T04:04:09","slug":"32454","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/11\/07\/32454\/","title":{"rendered":"Binary Breadcrumbs: Correlating Malware Samples with Honeypot Logs Using PowerShell [Guest Diary], (Wed, Nov 5th)"},"content":{"rendered":"\n
Binary Breadcrumbs: Correlating Malware Samples with Honeypot Logs Using PowerShell [Guest Diary], (Wed, Nov 5th)<\/div>\n

\t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

[This is a Guest Diary by David Hammond, an ISC intern as part of the SANS.edu BACS<\/a> program]<\/p>\n

My last college credit on my way to earning a bachelor’s degree was an internship opportunity at the Internet Storm Center. A great opportunity, but one that required the care and feeding of a honeypot. The day it arrived I plugged the freshly imaged honeypot into my home router and happily went about my day. I didn\u2019t think too much about it until the first attack observation was due. You see, I travel often, but my honeypot does not. Furthermore, the administrative side of the honeypot was only accessible through the internal network. I wasn\u2019t about to implement a whole remote solution just to get access while on the road. Instead, I followed some very good advice. I started downloading regular backups of the honeypot logs on a Windows laptop I frequently had with me.<\/p>\n

The internship program encouraged us to at least initially review our honeypot logs with command line utilities, such as jq and all its flexibility with filtering. Combined with other standard Unix-like operating system tools, such as wc (word count), less, head, and cut, it was possible to extract exactly what I was looking for. I initially tried using more graphical tools but found I enjoy “living” in the command line better. When I first start looking at logs, I was not always sure of what I\u2019m looking for. Command line tools allow me to quickly look for outliers in the data. I can see what sticks out by negating everything that looks the same.\u00a0<\/p>\n

So, what\u2019s the trouble? None of these tools were available on my Windows laptop. Admittedly, most of what I mention above are available for Windows, but my ability to install software was restricted on this machine, and I knew that native alternatives existed. At the time I had several directories of JSON logs, and a long list of malware hash values corresponding to an attack I was interested in understanding better. Here\u2019s how a few lines of PowerShell can transform scattered honeypot logs into a clear picture of what really happened.<\/p>\n

First, let\u2019s start with the script in two parts. Here\u2019s the PowerShell array containing malware hash values:<\/p>\n

$hashes = @(
\n“00deea7003eef2f30f2c84d1497a42c1f375d802ddd17bde455d5fde2a63631f”,
\n“0131d2f87f9bc151fb2701a570585ed4db636440392a357a54b8b29f2ba842da”,
\n“01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b”,
\n“0291de841b47fe19557c2c999ae131cd571eb61782a109b9ef5b4a4944b6e76d”,
\n“02a95dae81a8dd3545ce370f8c0ee300beff428b959bd7cec2b35e8d1cd7024e”,
\n“062ba629c7b2b914b289c8da0573c179fe86f2cb1f70a31f9a1400d563c3042a”,
\n“0be1c3511c67ecb8421d0be951e858bb3169ac598d068bae3bc8451e883946cc”,
\n“0cbd5117413a0cab8b22f567b5ec5ec63c81b2f0f58e8e87146ecf7aace2ec71”,
\n“0d2d316bc4937a2608e8d9a3030a545973e739805c3449b466984b27598fcdec”,
\n“0d58ee0cd46d5908f31ba415f2e006c1bb0215b0ecdc27dd2b3afa74799e17bd”
\n)<\/span><\/p>\n

The $hashes = @( ) between quoted, comma-separated values, establishes a PowerShell array of strings which represents the hashes we want to search for. Now let\u2019s look at how we put this array to use.<\/p>\n

Get-ChildItem -Path “C:UsersDaveLogs” -Filter ‘cowrie.json.*’ -Recurse |
\nForEach-Object {
\n\u00a0 \u00a0 $jsonContent = Get-Content $_.FullName
\n\u00a0 \u00a0 write-output $_.FullName
\n\u00a0 \u00a0 foreach ($hash in $hashes) {
\n\u00a0 \u00a0 \u00a0 \u00a0 $searchResults = $null
\n\u00a0 \u00a0 \u00a0 \u00a0 $searchResults = $jsonContent | Select-String $hash
\n\u00a0 \u00a0 \u00a0 \u00a0 if (![string]::IsNullOrEmpty($searchResults)) {\u00a0
\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 write-output $searchResults\u00a0
\n\u00a0 \u00a0 \u00a0 \u00a0 }
\n\u00a0 \u00a0 }
\n}<\/span><\/p>\n

Let’s walk through the execution of the script. The first statement, Get-ChildItem<\/span>, recurses every folder in the specified path (C:UsersDaveLogs<\/span>) and passes along all filenames that match the filter argument. Each filename is passed through the “pipe” (|) directly into the first ForEach-Object statement. You can see what\u2019s passed by observing the output of the write-output $_.FullName<\/span> line. The $_<\/span> is a variable designation which represents whatever is passed through the pipe. In this case, we know what kind of data to expect (a filename) so we can access it\u2019s attribute, “FullName”. This tells us the specific JSON log file currently being searched.<\/p>\n

Now let\u2019s get into the meat of the script. The main body of the script contains two nested For-Loops. The outer loop begins with the first “ForEach-Object<\/span>” block of code. The inner loop is described by the lowercase “foreach” block. We already know the name of the JSON log we\u2019ll be searching next, so the next line, $jsonContent = Get-Content $_.FullName<\/span> sets that up to happen. It takes the content of the first filename passed to $_<\/strong> though the pipe, reads the contents of that filename, and stores the text in a variable named $jsonContent<\/span>. Now we\u2019ve got our first log to search, all we have to do is run through the list of hash values to search for! This takes us to the point of the script where we reach the inner-loop. The foreach inner-loop is similar to the outer loop with the exception of how it processes data. The statement, foreach ($hash in $hashes)<\/span> takes each hash value found in the $hashes<\/span> array and puts a copy of it into $hash before executing the code block it contains.\u00a0<\/p>\n

When the inner-loop runs it does three things. First, $searchResults = $null<\/span> empties the value of the $searchResults variable. This is also called “initializing” the variable, and it\u2019s a good practice whenever you’re working with loops that re-use the same variable names. Second, with the variable clear and ready to accept new values, the next line accomplishes a few things.<\/p>\n

\u00a0 \u00a0 \u00a0 \u00a0 $searchResults = $jsonContent | Select-String $hash<\/span><\/p>\n

Starting to the right of the equals sign, we\u2019re passing the JSON log text $jsonContent<\/span> into the command “Select-String<\/span>” while also passing Select-String<\/span> a single argument, $hash<\/span>.\u00a0 Remember earlier when the lowercase foreach loop started, it takes each value found in the $hashes array and (one at a time) places their values into $hash before executing the block of code below it. So we\u2019re passing the text in $jsonContent<\/span> through another pipe to Select-String<\/span>, which takes that text and searches for the value $hash<\/span> within the contents of $jsonContent<\/span>. The results of Search-String<\/span> are then stored in the variable named $searchResults<\/span>.<\/p>\n

\u00a0 \u00a0 \u00a0 \u00a0 if (![string]::IsNullOrEmpty($searchResults)) {\u00a0
\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 write-output $searchResults\u00a0
\n\u00a0 \u00a0 \u00a0 \u00a0 }<\/span><\/p>\n

Third and finally, we have an if statement to determine whether the prior Select-String<\/span> produced any results. If it found the $hash value it was looking for, the $searchResults<\/span> variable will contain data. If not, it will remain empty ($null<\/span>). The if statement makes that determination and prints the $searchResults it found. Note the ! at the beginning of the statement which tells it to evaluate as, “if not empty.”<\/p>\n

\"\"<\/p>\n

While compact in size, this script introduces the PowerShell newcomer to a variety of useful functions: traversing files and folders, retrieving text, searching text, and nested loops are all sophisticated techniques. If you save this script, you can adapt it in many ways whenever a quick solution is needed. Understanding the tools that are available to us in any environment and having practice adapting those tools to our circumstances makes us all better cybersecurity professionals.<\/p>\n

[1] https:\/\/www.sans.edu\/cyber-security-programs\/bachelors-degree\/<\/p>\n

———–
\nGuy Bruneau IPSS Inc.<\/a>
\nMy GitHub Page<\/a>
\nTwitter: GuyBruneau<\/a>
\ngbruneau at isc dot sans dot edu<\/p>\n

(c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n

\t

\n
<\/BR><\/p>\n

\t

\n
<\/BR>
\nGo to isc.sans.edu<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

Binary Breadcrumbs: Correlating Malware Samples with Honeypot Logs Using PowerShell [Guest Diary], (Wed, Nov 5th) [This is a Guest Diary by David Hammond, an ISC intern as part of the SANS.edu BACS program] My last college credit on my way to earning a bachelor’s degree was an internship opportunity at the Internet Storm Center. A […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[56],"tags":[69],"class_list":["post-8255","post","type-post","status-publish","format-standard","hentry","category-isc-sans-edu","tag-isc-sans-edu"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8255"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=8255"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8255\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=8255"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=8255"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=8255"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}