detecting-lateral-movement-with-zeek

Featured

Detect lateral movement in network traffic using Zeek (formerly Bro) log analysis. Parses conn.log, smb_mapping.log, smb_files.log, dce_rpc.log, kerberos.log, and ntlm.log to identify SMB file transfers, NTLM account spray activity, remote service execution, and anomalous internal connections.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0

Install

View on GitHub

Quality Score: 99/100

Stars 20%
100
Recency 20%
100
Frontmatter 20%
70
Documentation 15%
100
Issue Health 10%
50
License 10%
100
Description 5%
100

Skill Content

# Detecting Lateral Movement with Zeek Analyze Zeek network logs to identify lateral movement techniques including SMB admin share access, DCE/RPC remote service creation, NTLM account spray, Kerberos ticket anomalies, and large internal data transfers indicative of staging or exfiltration between hosts. ## When to Use - Hunting for lateral movement after an initial compromise indicator is found on one endpoint - Investigating suspected NTLM account spray or Pass-the-Ticket attacks across the internal network - Monitoring SMB traffic for unauthorized file transfers to admin shares (C$, ADMIN$, IPC$) - Detecting remote service execution via DCE/RPC (PsExec, schtasks, WMI lateral patterns) - Building alerting rules for internal network anomalies in a Zeek-based NSMP deployment - Performing post-incident timeline reconstruction using Zeek logs as a network-level evidence source **Do not use** as a standalone detection mechanism. Zeek sees network traffic only; combine with endpoint telemetry (Sysmon, EDR) for full visibility. Encrypted SMB3 traffic may limit Zeek's visibility into file-level details. ## Prerequisites - Zeek 6.0+ deployed on a network tap or SPAN port monitoring internal VLAN traffic - Zeek SMB analyzer enabled (loaded by default: `@load base/protocols/smb`) - Zeek DCE/RPC analyzer enabled (`@load base/protocols/dce-rpc`) - Zeek Kerberos analyzer enabled (`@load base/protocols/krb`) - Python 3.8+ (standard library only) - Access to Zeek log directory (defau...

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

detecting-network-anomalies-with-zeek

Deploys and configures Zeek (formerly Bro) network security monitor to passively analyze network traffic, generate structured logs, detect anomalous behavior, and create custom detection scripts for threat hunting and incident response.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-lateral-movement-in-network

Identifies lateral movement techniques in enterprise networks by analyzing authentication logs, network flows, SMB traffic, and RDP sessions using Zeek, Velociraptor, and SIEM correlation rules to detect attackers moving between systems.

12,642 Updated today
mukul975
AI & Automation Featured

performing-network-traffic-analysis-with-zeek

Deploy Zeek network security monitor to capture, parse, and analyze network traffic metadata for threat detection, anomaly identification, and forensic investigation.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-exfiltration-over-dns-with-zeek

Detect DNS-based data exfiltration by analyzing Zeek dns.log for high-entropy subdomains and anomalous query patterns

12,642 Updated today
mukul975
AI & Automation Featured

detecting-lateral-movement-with-splunk

Detect adversary lateral movement across networks using Splunk SPL queries against Windows authentication logs, SMB traffic, and remote service abuse.

12,642 Updated today
mukul975