detecting-lateral-movement-with-zeek

star 599

Detect lateral movement in network traffic using Zeek (formerly Bro) log analysis. Parses conn.log, smb_mapping.log, smb_files.log, dce_rpc.log, kerberos.log, and ntlm.log to identify SMB file transfers, NTLM account spray activity, remote service execution, and anomalous internal connections.

xalgord By xalgord schedule Updated 6/6/2026
play_arrow Run Skill in Manus View GitHub

name: detecting-lateral-movement-with-zeek description: 'Detect lateral movement in network traffic using Zeek (formerly Bro) log analysis. Parses conn.log, smb_mapping.log, smb_files.log, dce_rpc.log, kerberos.log, and ntlm.log to identify SMB file transfers, NTLM account spray activity, remote service execution, and anomalous internal connections.

' domain: cybersecurity subdomain: network-security tags:

  • zeek
  • lateral-movement
  • smb
  • dce-rpc
  • ntlm-spray
  • network-forensics version: '1.0' author: mahipal license: Apache-2.0 nist_csf:
  • PR.IR-01
  • DE.CM-01
  • ID.AM-03
  • PR.DS-02

Detecting Lateral Movement with Zeek

Analyze Zeek network logs to identify lateral movement techniques including SMB admin share access, DCE/RPC remote service creation, NTLM account spray, Kerberos ticket anomalies, and large internal data transfers indicative of staging or exfiltration between hosts.

When to Use

  • Hunting for lateral movement after an initial compromise indicator is found on one endpoint
  • Investigating suspected NTLM account spray or Pass-the-Ticket attacks across the internal network
  • Monitoring SMB traffic for unauthorized file transfers to admin shares (C$, ADMIN$, IPC$)
  • Detecting remote service execution via DCE/RPC (PsExec, schtasks, WMI lateral patterns)
  • Building alerting rules for internal network anomalies in a Zeek-based NSMP deployment
  • Performing post-incident timeline reconstruction using Zeek logs as a network-level evidence source

Do not use as a standalone detection mechanism. Zeek sees network traffic only; combine with endpoint telemetry (Sysmon, EDR) for full visibility. Encrypted SMB3 traffic may limit Zeek's visibility into file-level details.

Detection Gaps & Validation

  • SMB3 encryption blinds file-level logs: with SMB3 encryption negotiated, smb_files.log/smb_mapping.log lose path and filename detail, so admin-share write rules silently miss. Fall back to conn.log 445 volume/asymmetry between internal hosts and flag the encrypted SMB sessions themselves rather than concluding "no lateral movement."
  • WMI/DCOM and WinRM evade the svcctl signature: PsExec hits svcctl, but WMIExec uses IWbemServices over 135+ephemeral DCOM and WinRM rides 5985/5986 (often as HTTP/SOAP). Grep dce_rpc.log for IWbemServices/IRemUnknown2 and watch WinRM ports, not just svcctl/atsvc.
  • Kerberos (Pass-the-Ticket/overpass) leaves no NTLM trail: the NTLM-spray script won't fire when attackers use Kerberos. Add kerberos.log checks for anomalous TGS requests, encryption downgrade (etype RC4/0x17), and one account requesting tickets for many SPNs/hosts.
  • Spray threshold is evasion-prone: spray_threshold=3 over 5min misses slow spraying across hours. Widen the &create_expire window and track distinct id.resp_h per username over a longer epoch; tune up to cut FPs from vuln scanners/SCCM.
  • Validate detections fire: in a lab run PsExec and confirm the chain — smb_files.log SMB::FILE_WRITE of the service binary, then dce_rpc.log svcctl CreateServiceW, then a notice.log Admin_Share_Access/NTLM_Account_Spray. Cross-check with Sysmon EID 1 on the target. No notice means the analyzer isn't loaded or the SPAN misses the internal VLAN.
  • FP tuning: exclude legitimate admin jump hosts, SCCM/patch servers, and backup agents that touch admin shares and many hosts by design before alerting.

Prerequisites

  • Zeek 6.0+ deployed on a network tap or SPAN port monitoring internal VLAN traffic
  • Zeek SMB analyzer enabled (loaded by default: @load base/protocols/smb)
  • Zeek DCE/RPC analyzer enabled (@load base/protocols/dce-rpc)
  • Zeek Kerberos analyzer enabled (@load base/protocols/krb)
  • Python 3.8+ (standard library only)
  • Access to Zeek log directory (default: /opt/zeek/logs/current/)
  • Familiarity with Zeek TSV log format (fields separated by \t, header lines prefixed with #)

Workflow

Step 1: Verify Zeek Log Collection

Confirm that Zeek is producing the required log files for lateral movement detection:

# Check that all required analyzers are producing logs
ls -la /opt/zeek/logs/current/conn.log
ls -la /opt/zeek/logs/current/smb_mapping.log
ls -la /opt/zeek/logs/current/smb_files.log
ls -la /opt/zeek/logs/current/dce_rpc.log
ls -la /opt/zeek/logs/current/kerberos.log
ls -la /opt/zeek/logs/current/ntlm.log

# Quick field check on conn.log
zeek-cut id.orig_h id.resp_h id.resp_p proto service < /opt/zeek/logs/current/conn.log | head -20

Step 2: Parse conn.log for Internal Lateral Patterns

Identify connections between internal hosts on lateral-movement-associated ports:

# Extract SMB connections (port 445) between internal hosts
zeek-cut ts id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes \
  < /opt/zeek/logs/current/conn.log \
  | awk '$5 == 445 && $7 == "smb"'

# Extract DCE/RPC connections (port 135)
zeek-cut ts id.orig_h id.resp_h id.resp_p service \
  < /opt/zeek/logs/current/conn.log \
  | awk '$4 == 135'

# Extract WinRM connections (port 5985/5986)
zeek-cut ts id.orig_h id.resp_h id.resp_p service \
  < /opt/zeek/logs/current/conn.log \
  | awk '$4 == 5985 || $4 == 5986'

Step 3: Analyze SMB Admin Share Access

Detect access to administrative shares (C$, ADMIN$, IPC$) which is the primary vector for tools like PsExec:

# Check smb_mapping.log for admin share access
zeek-cut ts id.orig_h id.resp_h path share_type \
  < /opt/zeek/logs/current/smb_mapping.log \
  | grep -iE '(C\$|ADMIN\$|IPC\$)'

# Check smb_files.log for file writes to admin shares
zeek-cut ts id.orig_h id.resp_h action path name size \
  < /opt/zeek/logs/current/smb_files.log \
  | grep -i 'SMB::FILE_WRITE'

Deploy the following Zeek script to generate notice.log alerts on admin share access:

@load base/protocols/smb
@load base/frameworks/notice

redef enum Notice::Type += {
    Admin_Share_Access
};

event smb1_tree_connect_andx_request(c: connection, hdr: SMB1::Header, path: string, service: string) {
    if ( /\$/ in path )
        NOTICE([$note=Admin_Share_Access,
                $msg=fmt("Admin share access: %s -> %s (%s)", c$id$orig_h, c$id$resp_h, path),
                $conn=c]);
}

Step 4: Detect DCE/RPC Remote Service Operations

Monitor for remote service creation and scheduled task registration via DCE/RPC:

# Look for service control manager operations (PsExec pattern)
zeek-cut ts id.orig_h id.resp_h endpoint operation \
  < /opt/zeek/logs/current/dce_rpc.log \
  | grep -iE '(svcctl|atsvc|ITaskSchedulerService)'

Step 5: Detect NTLM Account Spray

Analyze ntlm.log for authentication anomalies indicating credential reuse. Zeek's ntlm.log does not expose password hashes, so this detection identifies a single account authenticating to many hosts in a short window — the network signature of credential spraying tools like CrackMapExec:

# Extract NTLM authentications
zeek-cut ts id.orig_h id.resp_h username domainname server_nb_computer_name success \
  < /opt/zeek/logs/current/ntlm.log

# Failed NTLM authentications (brute force or credential testing)
zeek-cut ts id.orig_h id.resp_h username success \
  < /opt/zeek/logs/current/ntlm.log \
  | awk '$5 == "F"'

# Sort by timestamp for timeline analysis
zeek-cut ts id.orig_h id.resp_h username success \
  < /opt/zeek/logs/current/ntlm.log \
  | sort -k1,1

Deploy the following Zeek script to generate notice.log alerts when a single account touches more hosts than the threshold in a rolling window:

@load base/protocols/ntlm
@load base/frameworks/notice

redef enum Notice::Type += {
    NTLM_Account_Spray
};

global ntlm_tracker: table[string] of set[addr] &create_expire=5min;
const spray_threshold = 3 &redef;

event ntlm_log(rec: NTLM::Info) {
    if ( ! rec?$username || rec$username == "-" )
        return;
    if ( rec$username !in ntlm_tracker )
        ntlm_tracker[rec$username] = set();
    add ntlm_tracker[rec$username][rec$id$resp_h];
    if ( |ntlm_tracker[rec$username]| >= spray_threshold )
        NOTICE([$note=NTLM_Account_Spray,
                $msg=fmt("NTLM account spray: %s -> %d hosts", rec$username, |ntlm_tracker[rec$username]|),
                $sub=rec$username,
                $conn=rec$id]);
}

Step 6: Run the Automated Analysis Agent

Use the provided agent.py for comprehensive lateral movement detection:

python3 agent.py /opt/zeek/logs/current/
python3 agent.py /opt/zeek/logs/2026-03-18/  # Analyze a specific date

Verification

  • Confirm conn.log captures internal SMB (port 445) and DCE/RPC (port 135) connections with correct field parsing
  • Verify smb_mapping.log correctly logs admin share paths (C$, ADMIN$, IPC$)
  • Test with a known PsExec execution in a lab: expect to see SMB FILE_WRITE of the service binary followed by DCE/RPC svcctl CreateService
  • Validate NTLM log parsing by performing a test authentication and confirming username, domain, and success fields are captured; verify the NTLM Account Spray Zeek script generates a notice.log entry when the spray threshold is exceeded
  • Cross-reference Zeek alerts with Sysmon Event ID 1 (Process Creation) on the target host to confirm end-to-end detection
  • Verify the agent correctly handles both TSV and JSON Zeek log formats
Install via CLI
npx skills add https://github.com/xalgord/xalgorix --skill detecting-lateral-movement-with-zeek
Repository Details
star Stars 599
call_split Forks 104
navigation Branch main
article Path SKILL.md
More from Creator
xalgord
xalgord Explore all skills →