The Zeek-Cut Cheat Sheet

As an extension to an earlier post on Analysing PCAPs with Bro/Zeek, I found myself last week thinking: wouldn’t it be efficient to keep a cheat sheet of commands I can use each time PCAP analysis is required? Well, here it is, future me, and anyone else who may find it useful. Logs analysed in this article include conn, dns, http, files, smb, rdp, and ftp.

Zeek logging and fields: Corelight-Bro-Cheetsheets-2.6.pdf
Read in PCAP: zeek -Cr example.pcap

  • conn.log

Find connections that originate from the IP you’re interested in:

cat conn.log | zeek-cut -d ts id.orig_h id.resp_h id.resp_p proto conn_state duration | awk '$2 == "x.x.x.x"' > source_conn.txt

Find connections that are destined for the IP you’re interested in:

cat conn.log | zeek-cut -d ts id.orig_h id.resp_h id.resp_p proto conn_state duration | awk '$3 == "x.x.x.x"' > dest_conn.txt

Identify unique IPs that have communicated with your address of interest for further analysis. In dest_conn.txt the peers are the originators in column 2; in source_conn.txt column 2 is the IP of interest itself, so print $3 (the responders) instead:

cat dest_conn.txt | awk '{print $2}' | sort | uniq -c | sort -n
Adding "| wc -l" to the end of this command will give the number of unique IP addresses that have established connections with the IP of interest.

Discover services used in network traffic (ftp, rdp, smb, ssh, ssl, kerberos etc.), eliminating dns and blank entries due to the noise:

cat conn.log | zeek-cut -d ts id.orig_h id.resp_h service | awk '{if($4 != "dns" && $4 != "-") print $1,$2,$3,$4}'

Services list: cat conn.log | zeek-cut service | grep -v "-" | sort | uniq -c | sort -n

Top 5 statistics:

Most talkative hosts (originator): cat conn.log | zeek-cut id.orig_h | sort | uniq -c | sort -n | tail -n 5

IPs that receive the most traffic: cat conn.log | zeek-cut id.resp_h | sort | uniq -c | sort -n | tail -n 5

Longest durations: cat conn.log | zeek-cut id.orig_h id.resp_h duration | sort -k 3 -rn | head -5

Destination ports: cat conn.log | zeek-cut id.resp_p | sort | uniq -c | sort -n | tail -n 5

  • dns.log

To identify C2 communication, beacons, and other malicious DNS queries, remove normal internet and internal company traffic (note: be careful what you’re eliminating, as C2s have been established over common services like Twitter, Microsoft Teams, GitHub etc.).

cat dns.log | zeek-cut -d ts id.orig_h id.resp_h query | grep -Ev '(microsoft|akamai|google|windowsupdate|msft|apple|companyname)' > dns_queries.txt

You can use the above command to filter out DNS answers as well, by replacing ‘query’ in the zeek-cut statement with ‘answers’.

For unique domains that have been queried via DNS:

cat dns_queries.txt | awk '{print $4}' | sort | uniq -c | sort -n

Extract IP addresses that have been queried (credit to Brian for the awk statement; the match() call pulls the first dotted-quad out of column 4 and sed drops the lines with no match):

cat dnstuff.txt | awk '{print $4}' | awk '{match($0,/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/); ip = substr($0,RSTART,RLENGTH); print ip}' | sed '/^$/d'

  • http.log

Generic clean up of the log:

cat http.log | zeek-cut -d ts id.orig_h id.resp_h method status_code host uri referrer | grep -Ev '(microsoft|akamai|google|windowsupdate|msft|apple|companyname)' > http_visits.txt

Threat hunting queries could include:

Suspicious user agent strings: cat http.log | zeek-cut user_agent | sort -u

POST requests and data transmission: cat http.log | zeek-cut -d ts method host uri request_body_len | awk '$2 == "POST"' | awk '{print $1,$2,$3$4,$5}'
Host and uri are joined to give the full URL. Change the first awk statement to match GET or CONNECT for those methods.

Filenames from phishing downloads or exfil: cat http.log | zeek-cut -d ts method host orig_filenames resp_filenames | awk '{if ($2 == "POST" || $2 == "GET") print $1,$2,$3,$4,$5}' | less

Compare the host domain to the referrer site for potential drive-by attacks:
cat http.log | zeek-cut method host referrer | awk '$3 != "-"'

Mime types will indicate the types of files uploaded or downloaded:
cat http.log | zeek-cut orig_mime_types | sort -u
cat http.log | zeek-cut resp_mime_types | sort -u

  • files.log

Files.log captures the files that have been uploaded to or retrieved from a networked source. The following query extracts the filename, type, and source of each file by protocol, and eliminates x509 certificates because they are noisy:

cat files.log | zeek-cut -d ts tx_hosts rx_hosts source mime_type filename | grep -v 'x509' | awk '$6 != "-"'

Quick way to list filenames and their extensions:

cat files.log | zeek-cut filename | grep -v "-"

  • SMB

SMB is commonly used for enumeration, adversary file transfers, and other malicious activity.

cat smb_files.log | zeek-cut -d ts id.orig_h id.resp_h action path name

Looking at the created and accessed times of resources that were accessed via SMB:

cat smb_files.log | zeek-cut -d times.created times.accessed name

The smb_mapping.log file provides a more detailed look into SMB resources: ‘path’ is the name of the tree and ‘service’ is the type of resource (disk, printer, named pipe). This is handy for determining whether the adversary has created any new named pipes as part of their campaign:

cat smb_mapping.log | zeek-cut -d ts path service native_file_system share_type

  • rdp.log

Analyse login attempts via RDP, where ‘cookie’ is generally the username, ‘client_name’ is the hostname, and ‘result’ tells you whether the connection was successful.

cat rdp.log | zeek-cut -d ts id.orig_h id.resp_h result cookie client_name

For successful connections:

cat rdp.log | zeek-cut -d ts id.orig_h id.resp_h result cookie client_name | awk '$4 == "Success"'

  • ftp.log

Analyse FTP commands, credentials, and file operations such as reads and deletes.

cat ftp.log | zeek-cut -d ts id.orig_h id.resp_h user password command arg mime_type file_size reply_msg

Quick wins, and finding pivot points:

Devices accessed: cat ftp.log | zeek-cut id.resp_h | sort -u
Files accessed: cat ftp.log | zeek-cut arg | awk '$1 != "-"'
Commands executed: cat ftp.log | zeek-cut command | sort -u
Users associated with FTP activity: cat ftp.log | zeek-cut user | sort -u

I’ll add more as I go along, but for now, that’s it! Happy hunting.
