Corelight’s introductory guide to
threat hunting with Zeek (Bro) logs.
Contents
Introduction........................................................................... 1
Network egress...................................................................... 1
Observations................................................................. 1
Prohibited protocols.................................................... 1
HTTP.............................................................................. 2
DNS................................................................................ 2
Encrypted sessions....................................................... 2
Hunting theories........................................................... 2
Server farm egress................................................................ 3
Observations................................................................. 3
Volume.......................................................................... 3
Suspect encrypted traffic............................................. 3
Files................................................................................ 3
DCOM............................................................................ 3
MS protocols................................................................. 3
Hunting theories........................................................... 3
Intra data center.................................................................... 4
Observations................................................................. 4
Prohibited protocols.................................................... 4
Authentication.............................................................. 4
File.................................................................................. 4
Misc................................................................................ 4
Hunting theories........................................................... 4
Intra workstation................................................................... 5
Prohibited protocols:................................................... 5
Authentication.............................................................. 5
File.................................................................................. 6
Misc................................................................................ 6
Introduction
If you’re considering or new to Corelight and Zeek
(formerly known as Bro), this guide will help you as part
of a proof of concept for an initial deployment. The guide
consists of analysts questions that help demonstrate
usage of the data Zeek provides, and the value of a
data-centric approach for Network Security Monitoring
(NSM). Questions are organized by the location of
instrumentation in the network. Additionally, several
threat hunting concepts are described to help deepen
knowledge, especially for teams new to the practice.
Network egress
Instrumenting the enterprise to monitor at network egress
points provides enhanced visibility for all communications
with external networks.
Observations
The following questions can lead to theories for hunting in
network egress data:
•• Are any prohibited protocols traversing the network?
This question can be used to verify existing perimeter
and host-based preventions.
•• Is there anything interesting in the HTTP transactions
traversing the network?
•• Which DNS servers are being, and have been, used?
•• What insight do you have into encrypted sessions
entering/leaving the network?
Prohibited protocols:
1. Are there, or have there been, any traditionally LAN-only
protocols traversing the egress? Are they using
non-standard ports?
a. SMB, DCE_RPC, SSH, RDP, kerberos, VNC
2. Are any file transfer protocols permitted or in use?
a. FTP, SCP, TFTP
3. Do any TLS transactions implement TLS v1.0
or 1.1? Which applications break if this is blocked?
4. Are there any SSL transactions (e.g., SSL v1, v2, or v3)?
Corelight’s introductory guide to threat hunting with Zeek (Bro) logs.

What applications break if this is blocked? DNS

5. Are there any new SSH sessions that do not match Do you have visibility into your enterprise DNS?
existing HASSH fingerprints? DNS traffic is often unfiltered. These queries will go
unchecked, bypassing all network security.
6. What volume of data is transferred via SSH?
1. What resolvers are in use at your network?
7. Are any common protocols using a non-standard port?
2. Does your network policy permit external DNS
8. Does prohibited software exist?
resolution? If so, does it restrict the servers available?
9. Are any industrial control system (ICS) devices
3. Are there any DNS queries not on port 53 or 5353?
communicating via the Internet?1
(DNS over TCP is becoming increasingly common and
General will be explicitly encouraged when the DNS over TCP
flag day occurs in 2020.)
1. Does the software visible on the network agree with
agent-based inventory? 4. Which types of DNS queries are being transmitted?
Are any of them exceedingly long?
2. Which host is most active on the network, with
which IP(s)? 5. Who are the top talkers? Are there any DNS
transactions that are long in duration?
3. What are the most commonly generated Zeek logs?
6. What are the top queries? What are the rare queries?
4. What is network utilization from midnight until 3 am?
7. How do you discover, or troubleshoot,
HTTP misconfigured host DNS?
1. What type of HTTP methods traverse the egress?
Encrypted sessions
a. Get, Post, Connect, Subscribe, Head, Notify, Put,
Pri, Options…. 1. Which TLS versions are in use?

2. What are the user_agents being used for HTTP 2. Are there any sessions with self-signed certificates or
transactions? Are any being spoofed? sessions that do not have a validation status of OK?

3. Do all HTTP transactions use DNS (i.e., are there any 3. Which ciphers are used for key exchanges?
HTTP connections to IP addresses as the URL?) 4. Are there known-bad JA3 or JA3S fingerprints?
4. Are any HTTP connections proxied? 5. Are there sessions with certificates issued by suspect CAs?
5. Is there any HTTP traffic not on port 80? Is there any 6. Are there any server names that are suspect,
traffic on port 80 that is not HTTP? or weak signing algorithms used?
6. Are any files exchanged with HTTP that have a 7. Are there certificates set to expire or that use
potentially dangerous mime_type? keys that are short?
7. What is the most commonly visited site or user agent?
Hunting theories
What is the most rarely visited?
1. A wave of DNS hijacking has affected dozens of
8. What can be learned from the HTTP session?
domains belonging to government, telecommunications,
a. 404 status returned with a large response_body_length
and internet infrastructure entities across the Middle
b. 500 status messages
East, North Africa, Europe, and North America.
This was identified by FireEye’s Mandiant IR and
Intelligence teams.2

1 ICS is a general term that includes: supervisory control and data acquisition (SCADA) and distributed control systems (DCS), industrial automation and control
systems (IACS), and programmable logic controllers (PLCs).
2 https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html
2
Corelight’s introductory guide to threat hunting with Zeek (Bro) logs.
a. An emergency directive was issued by DHS CISA in
January 2019 for organizations hosting DNS (https://cyber.
dhs.gov/ed/19-01/) to mitigate this type of vulnerability.
Use this report as a guide to develop searches to look
historically through logs to determine if anyone in your
enterprise was affected by this attack.
2. Is any DNS tunneling present? Bad actors can exfiltrate all
types of sensitive data including financial records, social
security numbers, and intellectual property. The data
can be obfuscated using various techniques and then
transmitted to avoid detection (i.e., slow drip, IP spoofing,
domain generation algorithms (DGAs), and fast flux).
a. Exfiltration Over Alternative Protocol (T1048)
Server farm egress
Server farms are often where the most valuable data in
an organization resides. Instrumenting the enterprise to
have NSM at server farm egress points provides visibility
for internal and external network communications.
Observations
The following questions, plus those identified for
network egress, can lead to theories for hunting in
server farm egress data:
•• What volume of data is being transferred between
individual servers and client(s)?
•• Are any hosts starving servers for resources?
•• Is there any encrypted traffic that does not belong?
•• Is there a history of files transferred?
•• Is there any suspect DCOM or RPC traffic
between servers and hosts?
•• Which MS protocols are being used between
servers and internal hosts?
•• Are any prohibited protocols traversing the network?
•• What insight do you have into encrypted sessions
entering/leaving the network?
Volume
1. Which internal or external clients communicate
with servers most often?
a. Do communications happen at odd hours?
2. Which internal or external clients transfer
the most data to/from servers?
a. Which protocols are used?
b. Do communications happen at odd hours?
3. Are unknown protocols in use?
4. Are any hosts starving servers for resources?
Suspect encrypted traffic
1. Is there traffic to/from the server farm that does
not belong?
a. SSH, TLS using a certificate issued by an outside CA?
Files
1. Which files have been up/downloaded between servers
and clients?
2. Has the same file been transferred multiple times?
3. Is there a method to check all files against a watch list?
DCOM
1. Is there any DCE_RPC traffic between servers and
external devices?
2. Is there any suspect DCE_RPC traffic between servers
and internal devices?
a. Scheduled Tasks, PSExec, WMI
3. Are any shares being created and/or removed remotely?
MS protocols
1. Is there SMB traffic between servers and
external devices?
2. Is SMB traffic permitted between servers and
internal devices?
a. Which shares are accessed?
b. Who is performing the access, and when?
3. Are any hidden shares accessed by internal devices?
4. Are all shares actively used?
5. Is share enumeration occurring from internal or
external devices?
6. Is any Kerberos being used between internal or
external devices and servers?
Hunting theories
1. Look for odd Kerberos ticket traffic with the additional
Zeek package that extends the kerberos.log with auth_
ticket, new_ticket, client_cert, client_cert_sub, client_
cert_fuid, server_cert, server_cert_sub, server_cert_fuid.
a. Lateral Movement Pass the Ticket (T1097)
b. Credential Access Kerberoasting (T1208)
2. RDP sessions with odd keyboard layouts
a. Lateral Movement RDP (T1076)
3
Corelight’s introductory guide to threat hunting with Zeek (Bro) logs.
3. File analysis of type != extension
a. Defense Evasion, Execution Space after
Filename (T1151)
4. High volume of data transfer
a. Collection Data Staged (T1074)
Intra data center
Communication between devices within a data center
is often a security blind-spot. Data centers have a
heterogeneous mix of applications and operating systems
that are vulnerable to enumeration by adversaries
looking to discover devices and services to exploit. While
it is unlikely NSM will be present within a server rack,
it should be placed at demarcation points (i.e., switches
that aggregate top of rack traffic).
Observations
The following questions, plus earlier questions, can
lead to theories for intra data center hunting:
•• Are any prohibited protocols traversing the network?
•• Which users/hosts are authenticating?
•• Are there hosts that switch from producing data to
consuming it?
•• Are any unknown protocols in use?
•• Are you performing file extraction and analysis?
•• Why are two end points communicating?
•• Are any endpoints performing reconnaissance?
•• Which software applications are installed?
Is this in agreement with the enterprise inventory?
•• Are administrative tasks occurring from the user
area of the network?
•• Are any users connecting to hidden or
administrative shares?
•• Which user agents are in use?
Prohibited protocols
1. Are there, or have there been any protocols being used
within the data center that are prohibited? Are they
using non-standard ports?
a. SMB, HTTP, SSH, RDP, NTLM, FTP, VNC
2. Are there any TLS transactions that implement TLS v1.0
or 1.1? Which applications break if this is blocked?
3. Are there any SSL transactions (e.g., SSL v1, v2, or v3)?
Which applications break if this is blocked?
4. Are there any common protocols using a
non-standard port?
5. Is there prohibited software? Does the software visible
on the network agree with agent-based inventory?
Authentication
1. Which authentication methods are used?
2. Are there high numbers of failures?
3. SSH failures (see “How Zeek can provide insights despite
encrypted communications” for additional questions)
4. Do you see oddities in the Kerberos authentication?
a. Ciphers used, keys reused on different client
5. Are there any new SSH sessions that do not match
existing HASSH fingerprints?
Volume
1. What volume of data is transferred via SSH and
among which workstations?
2. Are there hosts with a changing producer to consumer
ratio (PCR)?
3. Are there unknown protocols?
4. Are there hosts communicating to new hosts
within the data center?
5. Why are hosts communicating?
6. Are one or more workstations probing,
looking for services?
File
1. Which files have been uploaded/downloaded
between servers?
2. Has the same file been transferred multiple times?
4
Corelight’s introductory guide to threat hunting with Zeek (Bro) logs.
Misc.
1. Are shares being created and/or removed remotely?
2. Are all shares actively being used?
3. Are there new hidden shares?
4. Is remote administration occuring?
If so, from which workstations?
5. Is there another data center egress?
6. What user agents are being used?
Are any being spoofed?
Intra workstation
A second blind spot is communication among host device
workstations within an enterprise. Enterprises often have
a heterogeneous mix of devices and operating systems
that are vulnerable to reconnaissance by adversaries
looking for users, devices, and services to exploit. While
it is unlikely NSM will be present between all host devices,
it should be placed at demarcation points (NSM installed
at distribution switches for each floor of a building or at
the entire building).
Observations
The following questions, plus earlier questions, can lead
to theories for intra workstation hunting:
•• Are any prohibited protocols traversing the network?
•• Which users/hosts are authenticating?
•• Are there hosts that switch from producing data to
consuming it?
•• Are any unknown protocols in use?
•• Are you performing file extraction and analysis?
•• Why are two end points communicating?
•• Are any endpoints performing reconnaissance?
•• Which software applications are installed?
Is this in agreement with the enterprise inventory?
•• Are administrative tasks occurring from the user area of
the network?
•• Are any users connecting to hidden or
administrative shares?
•• Which user agents are in use?
Prohibited protocols
1. Are there, or have there been any protocols being used
within the data center that are prohibited? Are they
using non-standard ports?
a. SMB, HTTP, SSH, RDP, NTLM, FTP
2. Are there any TLS transactions that implement TLS v1.0 or
v1.1? Which applications break if this is blocked?
3. Are there any SSL transactions (e.g., SSL v1, v2, or v3)?
Which applications break if this is blocked?
4. Are any common protocols using a non-standard port?
5. Is there prohibited software? Does the software visible on
the network agree with agent-based inventory?
Authentication
1. Which authentication methods are being used?
2. Do you see a high number of failures?
3. SSH failures (see “How Zeek can provide insights despite
encrypted communications” for additional questions)
4. Do you see oddities in the Kerberos authentication?
a. Ciphers used, keys reused on different client
5. Are there any new SSH sessions that do not match
existing HASSH fingerprints?
Volume
1. What volume of data is transferred via SSH
Among which workstations?
2. Are there hosts that have the PCR changing?
3. Are there unknown protocols?
4. Are there hosts communicating to new hosts
within the data center?
5. Why are hosts communicating?
6. Are one or more workstations probing,
looking for services?
5
Files
1. Which files have been up/downloaded between servers?
2. Has the same file been transferred multiple times?

Misc.
1. Are shares being created and/or removed remotely?
2. Are all shares actively being used?
3. Are there new hidden shares?
4. Is remote administration occurring?
From which workstations?
5. Is there another data center egress?
6. What user agents are being used?
Are any being spoofed?

Corelight delivers the most powerful network security monitoring

(NSM) solutions that help large organizations defend themselves by Contact us
transforming network traffic into rich logs, extracted files, and security
insights. Corelight makes a family of virtual, cloud and physical sensors
For more information or
that take the pain out of deploying open-source Zeek and make it
to schedule an evaluation:
faster and enterprise-ready. Corelight’s customers include Fortune
500 companies, government agencies, and research universities.
info@corelight.com
888-547-9497
We make the world’s networks safer.
510-281-0760

CORELIGHT, INC. | INFO@CORELIGHT.COM | WP008-HUNTINTRO-V1.0-US

corelight.com
All rights reserved. © Copyright 2019 Corelight, Inc.