Intrusion Detection With Zeek

Intrusion Detection Examples

Example 1: Detecting Beaconing Malware

Beaconing is a repetitive process used by malware to communicate with command and control (C2) servers. This behavior can often be detected by analyzing connection patterns in conn.log, identifying repetitive connections to the same IP, constant data size, or timing patterns. The following command uses Zeek to analyze a beaconing malware sample:

/usr/local/zeek/bin/zeek -C -r /home/htb-student/pcaps/psempire.pcap
cat conn.log

Inspecting conn.log reveals beaconing behavior (connections to 51.15.197.127:80 every 5 seconds) typical of PowerShell Empire.

Example 2: Detecting DNS Exfiltration

DNS exfiltration, which mimics normal traffic, can be identified by analyzing Zeek's files.log or dns.log for large data transfers or covert channels. dns.log may show unusual domains or subdomain patterns, as seen here:

/usr/local/zeek/bin/zeek -C -r /home/htb-student/pcaps/dnsexfil.pcapng
cat dns.log | /usr/local/zeek/bin/zeek-cut query | cut -d . -f1-7

Frequent subdomains like 456c54f2.blue.letsgohunt.online indicate potential DNS tunneling.

Example 3: Detecting TLS Exfiltration

TLS exfiltration may be detected by looking at high data transfer volumes between specific hosts. The conn.log file can be filtered and aggregated to identify unusual data sizes:

/usr/local/zeek/bin/zeek -C -r /home/htb-student/pcaps/tlsexfil.pcap
cat conn.log | /usr/local/zeek/bin/zeek-cut id.orig_h id.resp_h orig_bytes | \
sort | grep -v -e '^$' | grep -v '-' | datamash -g 1,2 sum 3 | sort -k 3 -rn | head -10

This shows ~270 MB of data sent to 192.168.151.181.

Example 4: Detecting PsExec Activity

PsExec is commonly used in remote administration and attacks. When transferred over SMB and executed via IPC, smb_files.log, dce_rpc.log, and smb_mapping.log can help identify this activity.

/usr/local/zeek/bin/zeek -C -r /home/htb-student/pcaps/psexec_add_user.pcap
cat smb_files.log
cat dce_rpc.log
cat smb_mapping.log

The logs display the transfer of PSEXESVC.exe and its execution, highlighting PsExec’s typical activity.

Commands and Tools Summary

• Zeek-cut: Extracts specified columns from Zeek logs.

• Sort: Orders log data for easier analysis.

• Grep: Filters log data.

• Datamash: Aggregates data, useful for summing and grouping fields.

Each command aids in refining and focusing the output, making suspicious patterns more apparent. Analyzing logs using tools like Wireshark or Zeek-cut allows detailed inspection of traffic.