Adversaries may use brute force techniques to attempt access to accounts when passwords are unknown or when password hashes are obtained.
Protocols such as SMB use NTLM for authentication and provide insight into whether authentication attempts have succeeded. A substantial number of invalid authentication attempts from a single host should be a cause for concern. Zeek can monitor NTLM authentication attempts to identify excessive login attempts, a large percentage of failures, or abnormal login patterns. Zeek will extract the username and result (success/failure) of each attempt. This information is stored in the ntlm.log file. Similarly, Zeek can monitor SSH connection attempts to report a suspiciously high number of authentication failures, using the ssh.log file.
Detect hosts that are performing password-guessing and/or password brute-forcing attacks over SSH.
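The ntlm.log check described above, as an added example that is not part of the original page or of Zeek/Corelight: it parses a constructed ntlm.log excerpt in Zeek's tab-separated format, tallies attempts and failures per source host, and flags hosts whose failure count and failure share both exceed a threshold (the thresholds, the column subset and the sample records are assumptions). The same pattern applies to ssh.log by keying on its authentication-result field instead of `success`.

```python
from collections import defaultdict

# Constructed excerpt of a Zeek ntlm.log in its tab-separated format (not real traffic).
# Only the #fields header and the columns used below are shown; Zeek writes more.
# "success" is T or F; "-" is Zeek's unset marker (the result was never observed).
SAMPLE_NTLM_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tusername\thostname\tdomainname\tsuccess
1600000001.1\tCa1\t10.0.0.5\t49200\t10.0.0.20\t445\tadmin\tWS1\tCORP\tF
1600000002.2\tCa2\t10.0.0.5\t49201\t10.0.0.20\t445\talice\tWS1\tCORP\tF
1600000003.3\tCa3\t10.0.0.5\t49202\t10.0.0.20\t445\tbob\tWS1\tCORP\tF
1600000004.4\tCa4\t10.0.0.5\t49203\t10.0.0.20\t445\tcarol\tWS1\tCORP\tF
1600000005.5\tCa5\t10.0.0.5\t49204\t10.0.0.20\t445\tdave\tWS1\tCORP\tF
1600000006.6\tCa6\t10.0.0.5\t49205\t10.0.0.20\t445\terin\tWS1\tCORP\tF
1600000007.7\tCa7\t10.0.0.5\t49206\t10.0.0.20\t445\tfrank\tWS1\tCORP\t-
1600000010.0\tCb1\t10.0.0.7\t50100\t10.0.0.20\t445\tjoe\tWS7\tCORP\tF
1600000011.0\tCb2\t10.0.0.7\t50101\t10.0.0.20\t445\tjoe\tWS7\tCORP\tT
"""

def parse_zeek_tsv(text):
    """Yield one dict per record, keyed by the column names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def ntlm_failure_stats(records):
    """Per source host: attempts with a known result, failures, and usernames that failed."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for r in records:
        if r["success"] == "-":          # result unknown: neither a success nor a failure
            continue
        s = stats[r["id.orig_h"]]
        s["attempts"] += 1
        if r["success"] == "F":
            s["failures"] += 1
            s["users"].add(r["username"])
    return stats

def flag_bruteforce(stats, min_failures=5, min_fail_ratio=0.8):
    """Hosts whose failure count AND failure share both exceed the (assumed) thresholds.
    One mistyped password that fails once and then succeeds never trips this check."""
    flagged = {}
    for host, s in stats.items():
        ratio = s["failures"] / s["attempts"]
        if s["failures"] >= min_failures and ratio >= min_fail_ratio:
            flagged[host] = {"failures": s["failures"], "ratio": round(ratio, 2),
                             "users": sorted(s["users"])}
    return flagged
```

Running `flag_bruteforce(ntlm_failure_stats(parse_zeek_tsv(SAMPLE_NTLM_LOG)))` flags only 10.0.0.5, which failed six times across six different usernames; the record with an unset result is excluded from the tally rather than counted as a failure.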
Corelight Sensors run the Zeek NSM, which includes an event-driven scripting language that provides the primary means for an organization to extend and customize Corelight Sensors. Scripts register handlers for pre-defined events; when such an event fires, the handler captures information about that connection and triggers a function. For example, the ssl.log file is generated by a script that walks the entire certificate chain and issues notifications if any step along the chain is invalid.
Developed by MITRE for organizations that have deployed the Zeek / Bro Network Security Monitor, these scripts use selected protocol analyzers (SMB and DCE-RPC) and the File Analysis Framework to uncover a range of Execution, Persistence, Lateral Movement, Defensive Evasion, Credential Access and, in particular, Discovery techniques. Learn more at GitHub.
Tune into this prerecorded webcast (runtime 1 hour) to hear from world-class security operators Richard Bejtlich and James Schweitzer as they dig into the MITRE framework and review concrete, step-by-step examples of how you can use Zeek to significantly improve your visibility into and defenses against Lateral Movement (TA0008), Data Exfiltration (TA0010), and Command and Control (C2) (TA0011) tactics. Watch.