Detection Capabilities and Extensions

Hi everyone!

I’m working on a project, and would like the tap the collective expertise and knowledge of the community.

I’m seeking to use Zeek to detect certain behaviors, listed below.

My questions are as follows:

(1) Is Zeek capable of detecting this behavior?

(2) Are there, to the best of your knowledge, any additional scripts I could run to extend Zeek’s abilities in this regard?

(3) Are there any recommendations on how to test that these attacks can be detected?

(4) Are there any recommendations for other attacks or scripts we should add besides the default?

Your thoughts and advice are most appreciated. Thanks in advance for your time and assistance!


  • OpenDNS DNSCrypt

  • Session Traversal Utilities for NAT (STUN Binding Request)

  • Internal Host Retrieving External IP Address (ifconfig. me)

  • GNU/Linux APT User-Agent Outbound likely related to package management

  • Common 0a0a0a0a Heap Spray String

  • EXE IsDebuggerPresent (Used in Malware Anti-Debugging)

  • Observed SSL Cert (IP Lookup - ipify .org)

  • Delivery & Attack — Malicious website — Phishing activity

Exploitation & Installation

— Sandworm - CVE-2014-4114

  • KuaiZip Adware CnC Checkin


  • Sipvicious User-Agent Detected (friendly-scanner)

  • Sipvicious Scan


  • SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement

  • SMB2 NT Create AndX Request For a .bat File

  • SMB2 NT Create AndX Request For an Executable File


  • Outgoing Basic Auth Base64 HTTP Password detected unencrypted

  • Http Client Body contains passphrase= in cleartext

  • Served Attached HTTP

  • PE EXE or DLL Windows file download HTTP


  • Skype User-Agent detected

  • TeamViewer Dyngate User-Agent


  • Potential SSH Scan OUTBOUND

  • MS Remote Desktop Request RDP

  • RDP connection confirm

Environmental Awareness

— Configuration Changed — Cisco Device

— Desktop Software - Chat Client — IRC

— Desktop Software - BitCoin — BitCoin client

— Network Anomaly - Protocol on Unexpected Port — HTTP on HTTPS

— Confidential Data - Password in Cleartext — HTTP

Reconnaissance & Probing

— Portscan — Nmap

— Service discovery — SIPvicious VOIP tool

— Service discovery — Microsoft Remote Desktop

System Compromise

— C&C Communication — SSL Certificate

— Trojan infection — BlackCarat

— Worm infection — Internal Host scanning

— Trojan infection — Commonly Abused File Sharing Site Domain

— Suspicious Behaviour — Suspicious user-agent detected

Vulnerable/Outdated Version

  • Java 1.6.x Detected

  • Java 1.7.x Detected

  • Java 1.8.x Detected

  • Flash Version M1

  • Flash Version M2

Android Device Connectivity Check

  • Android Device (KitKat OS)

  • Android Device (Marshmallow OS)

Kindest Regards,

Brett J. Warrick