Abhijith Rao

Mar 28, 2020

5 min read

BRO/ZEEK — The Modern Watchtower

Network traffic is always noisy. But sometimes it whispers too. So, why not pay a very close attention when it whispers “BRO” 🦊

Fennec Fox

This blog talks solely about well-known Network Security Monitoring (NSM) Tool — ZEEK (formerly known as BRO). Being an open-source platform, Zeek is the perfect choice as it is very powerful in passive monitoring and detecting well-known APT-style Techniques, Tactics, Procedures (TTPs). The tool’s capability can be statistically elevated by ingesting openly available third-party scripts and alerts can be configured for the same in traditional/Next-Gen SIEM solutions. For this, Zeek supports Package Manager. Having package manager configured in the Zeek central node, the scripts management becomes very handy for the effective administration.

Coming back to the package manager features, like I said above, there are multiple third-party scripts available in its repository. But the catch is, we need to identify which package suits to our environment and fulfill the requirements. For the demonstrations purpose, I will walk through the BZAR project (Bro/Zeek ATT&CK-based Analytics and Reporting) and show how it is effective in detecting Lateral Movements.

Let us look into brief Anatomy of BZAR before heading into the demonstration –

BZAR scripts are developed by MITRE Corp. and currently supports the detection of adversarial Lateral Movement activities inside the network. As the attackers are known for abusing SMB protocol for reconnaissance activity since decades, it has become the prime vector of Lateral Movements. Currently, the project utilizes inbuilt Zeek/BRO — SMB and DCE-RPC protocol analyzers and capable of extracting files from the packets for the enhanced analysis. The detection potency is really high as it uses complex analytics using the combination of SMB actions followed by RPC calls. So, when it fine-tuned right, generated alerts yield the exact Lateral Movement activity.

For the demonstration purpose, I have relayed the available PCAP file from here and the below is the list of BZAR scripts used for the detections.

BZAR scripts

As highlighted, the main function in package performs the correlation between SMB and DCE-RPC and present the outputs as needed.

Below are the alerts generated by Zeek Notices and interestingly it has captured the exact sequential adversarial movement when we look closely on the triggered alerts.

Zeek Notices

The sequential triggers as follows -

  1. The PSEXEC has attempted to write using SMB Tree Connect on ADMIN$ (ADMIN$ is nothing but a symbolic link to the path C:\Windows)
  2. Saves the copy of the executable file on the target machine.
  3. RPC is invoked for the process creation — svcctl:CreateServiceWOW64W
  4. Another RPC is invoked for process initiation — svcctl::StartServiceW

So, the detection is the combination of SMB actions and RPC calls.

Kudos to MITRE guys for their fantastic work 🎉

Now, let us look the Alert background -

Since there are multiple metadata in the logs, I have chosen raw logs to show which is easy to highlight in the screenshots.

Zeek comes with outstanding in-built protocol-specific filters to parse most of logs/packets from the wire. It has prevailing dissection capability though.

In our scenario, for the zeek notices to trigger, it is very essential that the following logs get generated inside the log’s directory. They are -

  • smb_mapping.log
  • smb_files.log
  • dce_rpc.log

The 3 important logs which I mentioned above looks like this –

  1. smb_mapping logs are generated after the parsing SMB Tree connect information from captured SMB traffic.
smb_mapping.log

2. Next comes — smb_files logs where we can see SMB Actions like OPEN, WRITE, DELETE actions have been executed over file share network which is very obvious logs we see generally in SIEM.

smb_files.log

3. Last but not the least — dce_rpc logs. This is where the actual RPC communications kick started using named pipes. In this scenario, tool opted svcctl named pipe.

The svcctl interface is one of the well-know MSRPC which is used to manage Windows services via the SCM (Service Control Manager). Likewise, Zeek currently supports detections on usage of multiple PIPEs as well, such as — IwbemServices, atsvc, ItaskSchedulerService, lsarpc, samr, srvsvc, wkssvc

dce_rpc.log

And, That’s the wrap! 🎬

Happy Blue Teaming.

https://docs.zeek.org/en/current/index.html

https://packages.zeek.org

https://github.com/401trg/detections/tree/master/pcaps