BRO/ZEEK — The Modern Watchtower

5 min readMar 28, 2020

Network traffic is always noisy. But sometimes it whispers too. So, why not pay a very close attention when it whispers “BRO” 🦊

This blog talks solely about well-known Network Security Monitoring (NSM) Tool — ZEEK (formerly known as BRO). Being an open-source platform, Zeek is the perfect choice as it is very powerful in passive monitoring and detecting well-known APT-style Techniques, Tactics, Procedures (TTPs). The tool’s capability can be statistically elevated by ingesting openly available third-party scripts and alerts can be configured for the same in traditional/Next-Gen SIEM solutions. For this, Zeek supports Package Manager. Having package manager configured in the Zeek central node, the scripts management becomes very handy for the effective administration.

Background: Zeek is highly considerable Open-Source Network Security Monitoring Tool which is written in C++. The objective of the project development was not for the active network defense rather it focused on the passive detection and can be utilized for Security Orchestration. In simpler words, it cannot take any automatic actions on the observed attacks, but it can trigger the real time security alerts in Log Management/SIEM solutions which facilitates immediate Incident Response procedures.

Coming back to the package manager features, like I said above, there are multiple third-party scripts available in its repository. But the catch is, we need to identify which package suits to our environment and fulfill the requirements. For the demonstrations purpose, I will walk through the BZAR project (Bro/Zeek ATT&CK-based Analytics and Reporting) and show how it is effective in detecting Lateral Movements.

Let us look into brief Anatomy of BZAR before heading into the demonstration –

BZAR scripts are developed by MITRE Corp. and currently supports the detection of adversarial Lateral Movement activities inside the network. As the attackers are known for abusing SMB protocol for reconnaissance activity since decades, it has become the prime vector of Lateral Movements. Currently, the project utilizes inbuilt Zeek/BRO — SMB and DCE-RPC protocol analyzers and capable of extracting files from the packets for the enhanced analysis. The detection potency is really high as it uses complex analytics using the combination of SMB actions followed by RPC calls. So, when it fine-tuned right, generated alerts yield the exact Lateral Movement activity.

For the demonstration purpose, I have relayed the available PCAP file from here and the below is the list of BZAR scripts used for the detections.

As highlighted, the main function in package performs the correlation between SMB and DCE-RPC and present the outputs as needed.

The PCAP used for testing is very straight-forward Red Team technique — Attacker has used PSEXEC and succeeded in user creation over the popped remote shell. Generally, APT likes these kind of similar techniques using PSEXEC as detection rates over Virustotal is very low.

Interesting right? Now let us understand how these activities can be bring into the limelight without relying on VT detection rates and pin it down?
After all, what does this Wireshark capture have in it? Let us relay this PCAP through Zeek to see how it parses and generates the results?

Below are the alerts generated by Zeek Notices and interestingly it has captured the exact sequential adversarial movement when we look closely on the triggered alerts.

The sequential triggers as follows -

The PSEXEC has attempted to write using SMB Tree Connect on ADMIN$ (ADMIN$ is nothing but a symbolic link to the path C:\Windows)
Saves the copy of the executable file on the target machine.
RPC is invoked for the process creation — svcctl:CreateServiceWOW64W
Another RPC is invoked for process initiation — svcctl::StartServiceW

So, the detection is the combination of SMB actions and RPC calls.

Kudos to MITRE guys for their fantastic work 🎉

Now, let us look the Alert background -

Since there are multiple metadata in the logs, I have chosen raw logs to show which is easy to highlight in the screenshots.

Zeek comes with outstanding in-built protocol-specific filters to parse most of logs/packets from the wire. It has prevailing dissection capability though.

In our scenario, for the zeek notices to trigger, it is very essential that the following logs get generated inside the log’s directory. They are -

smb_mapping.log
smb_files.log
dce_rpc.log

The 3 important logs which I mentioned above looks like this –

smb_mapping logs are generated after the parsing SMB Tree connect information from captured SMB traffic.

2. Next comes — smb_files logs where we can see SMB Actions like OPEN, WRITE, DELETE actions have been executed over file share network which is very obvious logs we see generally in SIEM.

3. Last but not the least — dce_rpc logs. This is where the actual RPC communications kick started using named pipes. In this scenario, tool opted svcctl named pipe.

The svcctl interface is one of the well-know MSRPC which is used to manage Windows services via the SCM (Service Control Manager). Likewise, Zeek currently supports detections on usage of multiple PIPEs as well, such as — IwbemServices, atsvc, ItaskSchedulerService, lsarpc, samr, srvsvc, wkssvc