DEV Community: AJ

Exploring Zeek: A Powerful Network Security Monitoring Tool

AJ — Sun, 26 Jan 2025 22:59:10 +0000

Zeek is a powerful and flexible network security monitoring tool used by analysts to process and analyze network traffic. It operates by inspecting network packets and generating logs that provide detailed insights into network events. This blog post will guide you through Zeek’s structure, its primary capabilities, and practical use cases.

The Layers of Zeek
Zeek has two main layers:

Event Engine
The Event Engine processes packets, breaking them into smaller components like source and destination addresses, protocol information, session details, and more. This is the foundational layer where data is prepared for deeper analysis.

Policy Script Interpreter
This layer uses Zeek scripts to describe event correlations. It allows analysts to define custom logic for event analysis and automate responses to specific network activities.

Here’s a potential draft for your blog post about Zeek. It adheres to your guidelines of being written in simple academic English, structured for DEV compatibility, and including code examples wrapped in appropriate formatting.

Exploring Zeek: A Powerful Network Security Monitoring Tool
Zeek is a powerful and flexible network security monitoring tool used by analysts to process and analyze network traffic. It operates by inspecting network packets and generating logs that provide detailed insights into network events. This blog post will guide you through Zeek’s structure, its primary capabilities, and practical use cases.

The Layers of Zeek
Zeek has two main layers:

Event Engine
The Event Engine processes packets, breaking them into smaller components like source and destination addresses, protocol information, session details, and more. This is the foundational layer where data is prepared for deeper analysis.

Policy Script Interpreter
This layer uses Zeek scripts to describe event correlations. It allows analysts to define custom logic for event analysis and automate responses to specific network activities.

Zeek Frameworks
Zeek comes with several extended frameworks to enhance functionality. Some of the key frameworks include:

File Analysis: Enables hashing and extraction of files from network traffic.
Signature Framework: Detects anomalies based on defined conditions.
Intelligence Framework: Processes threat intelligence feeds to identify suspicious activities.

Working with Zeek: Basic Commands

zeekctl status
zeekctl start
zeekctl stop

# Process a pcap file
zeek -C -r sample.pcap

# View saved logs
ls -l /opt/zeek/logs/

Explanation:
-C: Ignore checksum errors.
-r: Read and process a pcap file.

Zeek Signatures: Detecting Anomalies
Zeek’s signature framework allows you to define conditions to detect unusual network behavior. A signature comprises three components: ID, conditions, and actions.

Here’s an example of detecting cleartext password submission:

signature http-password {
    ip-proto == tcp
    dst-port == 80
    payload /.*password.*/
    event "Cleartext Password Found!"
}

To run a signature file:
zeek -C -r sample.pcap -s signature_file.zeek

Snort

AJ — Fri, 17 Jan 2025 22:08:55 +0000

Snort

Snort is set of predefined rules which is used mostly for IDS or IPS. It has 3 main operational modes

Packet Sniffing- Shows network traffic like Wireshark
Packet logging —> collects and logs network traffic into a file
Network intrusion detection —> Analyzes packets and matches traffic against signature

Intrusion detection system

Network intrusion detection system —> monitors traffic from different areas of the network and if a signature is identified an alert is made
Host based intrusion detection system —> Monitor traffic from a single endpoint device, basically investigating the traffic on a specific device and if a signature is identified an alert is created

ntrusion prevention system

Network intrusion prevention system —> monitor traffic and if a signature is identified the connection is terminated
Behavior based intrusion prevention system —> Same thing it monitors and terminates if an usual behavior is detected, the difference between NIP and BIP is behavior based requires training period which is known as baselining to learn normal traffic so it can differentiate between threats etc.
Wireless intrusion Prevention System —> monitors the traffic flow from of wireless network, if a signature is identified the connection is terminated
Host-based Intrusion Prevention System —> monitors and protects network on one single end point device, if a signature is identified the connection is terminated

Detection prevention techniques

Signature based
behavior based
Policy based

Yara

AJ — Sun, 12 Jan 2025 23:36:51 +0000

Yara

Yara rule is a way of identifying malware samples based on if it matches a condition we specified.

Yara identifies malware based on binary and texual patterns in files which they usually contain hexa decimal and strings

Yara usually consist of the following

Meta —> This section stored information related to author, description of the rule,, date, reference
String —> stores the specific texts we are looking for in a file
Condition —> the condition to be met to flag the file

Conditions example:

rule example_rule{

    meta: 
    author="A_J"
    desc="Simple rule"

    strings:
    $hello_word= "Hello worrld" nocase

    condition:
    $hello_word and filesize <20kb

    }

Cyber skill chain

AJ — Fri, 10 Jan 2025 22:53:56 +0000

Cyber kill chain

this framework is designed to identify and prevent network intrusions By learning what attackers need to do in order to achieve their goals.

Reconnaissance

Reconnaissance is discovering and collecting information on the system and the victim
OSINT (Open-Source Intelligence) also falls under reconnaissance. collecting every available piece of information on the company and its employees, such as the company's size, email addresses, phone numbers from publicly available resources to determine the best target for the attack.

Weaponization

After a successful reconnaissance stage, "Megatron" would work on crafting a "weapon of destruction”

In the Weaponization phase, the attacker would:

Create an infected Microsoft Office document containing a malicious macro or VBA (Visual Basic for Applications) scripts. If you want to learn about macro and VBA, please refer to the article "Intro to Macros and VBA For Script Kiddies" by TrustedSec.
An attacker can create a malicious payload or a very sophisticated worm, implant it on the USB drives, and then distribute them in public. An example of the virus.
An attacker would choose Command and Control (C2) techniques for executing the commands on the victim's machine or deliver more payloads. You can read more about the C2 techniques on MITRE ATT&CK.
An attacker would select a backdoor implant (the way to access the computer system, which includes bypassing the security mechanisms).

Delivery

The Delivery phase is when "Megatron" decides to choose the method for transmitting the payload or the malware. He has plenty of options to choose from:

• Phishing email: after conducting the reconnaissance and determining the targets for the attack, the malicious actor would craft a malicious email that would target either a specific person (spearphishing attack) or multiple people in the company. The email would contain a payload or malware. For example, "Megatron" would learn that Nancy from the Sales department at company A would constantly like the posts on LinkedIn from Scott, a Service Delivery Manager at company B. He would give it a second guess that they both communicate with each other over work emails. "Megatron" would craft an email using Scott's First Name and Last Name, making the domain look similar to the company Scott is working at. An attacker would then send a fake "Invoice" email to Nancy, which contains the payload.

Distributing infected USB drives in public places like coffee shops, parking lots, or on the street. By putting the company logo on the usb

Watering hole attack. A watering hole attack is a targeted attack designed to aim at a specific group of people by compromising the website they are usually visiting and then redirecting them to the malicious website of an attacker's choice. The attacker would look for a known vulnerability for the website and try to exploit it. The attacker would encourage the victims to visit the website by sending "harmless" emails pointing out the malicious URL to make the attack work more efficiently. After visiting the website, the victim would unintentionally download malware or a malicious application to their computer.

drive-by download where users are tricked to download unintended programs

Explotation

These are examples of how an attacker carries out exploitation:

The victim triggers the exploit by opening the email attachment or clicking on a malicious link.
Using a zero-day exploit.
Exploit software, hardware, or even human vulnerabilities.
An attacker triggers the exploit for server-based vulnerabilities.

Installation persistent backdoor.

The persistence can be achieved through:

Installing a web shell on the webserver. A web shell is a malicious script written in web development programming languages such as ASP, PHP, or JSP used by an attacker to maintain access to the compromised system. Because of the web shell simplicity and file formatting (.php, .asp, .aspx, .jsp, etc.) can be difficult to detect and might be classified as benign. You may check out this great article released by Microsoft on various web shell attacks.
Installing a backdoor on the victim's machine. For example, the attacker can use Meterpreter to install a backdoor on the victim's machine. Meterpreter is a Metasploit Framework payload that gives an interactive shell from which an attacker can interact with the victim's machine remotely and execute the malicious code.
Creating or modifying Windows services. ***This technique is known as T1543.003 on MITRE ATT&CK (MITRE ATT&CK® is a knowledge base of adversary tactics and techniques based on real-world scenarios). An attacker can create or modify the Windows services to execute the malicious scripts or payloads regularly as a part of the persistence. An attacker can use the tools like sc.exe* (sc.exe lets you Create, Start, Stop, Query, or Delete any Windows Service) and Reg to modify service configurations. The attacker can also masquerade the malicious payload by using a service name that is known to be related to the Operating System or legitimate software.
Adding the entry to the "run keys" for the malicious payload in the Registry or the Startup Folder. By doing that, the payload will execute each time the user logs in on the computer. According to MITRE ATT&CK, there is a startup folder location for individual user accounts and a system-wide startup folder that will be checked no matter what user account logs in.

Command & Control (C2)

The most common C2 channels used by adversaries nowadays:

The protocols HTTP on port 80 and HTTPS on port 443 - this type of beaconing blends the malicious traffic with the legitimate traffic and can help the attacker evade firewalls.
DNS (Domain Name Server). The infected machine makes constant DNS requests to the DNS server that belongs to an attacker, this type of C2 communication is also known as DNS Tunneling.

Actions on Objectives (Exfiltration)

After going through six phases of the attack, "Megatron" can finally achieve his goals, which means taking action on the original objectives. With hands-on keyboard access, the attacker can achieve the following:

Collect the credentials from users.
Perform privilege escalation (gaining elevated access like domain administrator access from a workstation by exploiting the misconfiguration).
Internal reconnaissance (for example, an attacker gets to interact with internal software to find its vulnerabilities).
Lateral movement through the company's environment.
Collect and exfiltrate sensitive data.
Deleting the backups and shadow copies. Shadow Copy is a Microsoft technology that can create backup copies, snapshots of computer files, or volumes.
Overwrite or corrupt data.

Pyramid Of Pain

AJ — Thu, 09 Jan 2025 21:47:28 +0000

Pyramid of pain

Pyramid of pain is about determining the level of difficulty it will cause for an attacker to change the indication associated with them and their group

The pyramid is at the top indicates the most difficult part to change and lowest is the easiet.

Hashes

Hashes is a way of authenticating the legitimate of file, message etc. It takes one input and generates a fixed sized hash value. A hash algorthim is considered to be not secure if 2 files can have same hash value.

If the attacker tries to use a known malware the hash of the malware can be compared against already known malware hashes in a database to detect if its malicious.

Tools you can use to do hash lookups:

VirusTotal
MetaDefender Cloud - OPSWAT

Powershell script to get file hash
Get-FileHash .\Filename.txt -Algorthim MD5

Ip address are used to uniquely identify devices connect to a network in order to receive and send information over the network. In the pyramid of pain, ip addresses are indicated with color green. From defense prespective you can block, deny, drop requests from certain ip addresses but this wont work on experienced attacker they can just change to a new ip address.

Websites to find harmful ip adresses

https://app.any.run/submissions

Domain names

Domain Names can be thought as simply mapping an IP address to a string of text

many DNS providers have a very low standards and they provide APIs which makes it even easier for an attacker to change the domain.

Punycode is a way of converting words that cannot be written in ASCII, into a Unicode ASCII encoding.

Url shortening links:

bit.ly
goo.gl
ow.ly
s.id

Network Artifacts (Yellow zone)

A network artifact can be a user-agent string, C2 information, or URI patterns followed by the HTTP POST requests.

Network artifacts can be detected in Wireshark PCAPs (file that contains the packet data of a network) by using a network protocol analyzer such as TShark or exploring IDS (Intrusion Detection System) logging from a source such as Snort.

If you can detect the custom User Agent strings that the attacker is using, you might be able to block them, creating more obstacles and making their attempt to compromise the network more annoying.

Tools (challengin)

Attacker usually use utlities such as:

Malicious macro documents for spear phishing attempts
A backdoor that can be used to establish C2
Any custom .exe and .dll files, payloads, password crackers

TTPS (Tough)

TTPs stands for Tactics, Techniques & Procedures. This includes the whole MITRE ATT&CK Matrix, which means all the steps taken by an attacker to achieve their goal, starting from phishing attempts to persistence and data exfiltration.

DEV Community: AJ

Exploring Zeek: A Powerful Network Security Monitoring Tool

Snort

Snort

Intrusion detection system

ntrusion prevention system

Detection prevention techniques

Yara

Yara

Cyber skill chain

Cyber kill chain

Reconnaissance

Weaponization

Delivery

Explotation

Installation **persistent backdoor.**

Command & Control (C2)

Actions on Objectives (Exfiltration)

Pyramid Of Pain

Installation persistent backdoor.