Category: Zeek

  • Detect Gozi Banking Malware With Zeek!

    Join the Old Grizzled FBI Agent to hear how to detect the Gozi Banking Malware Family with Zeek! Corelight Blog: https://corelight.com/blog/gozi-banking-malware Transcript: 00:00:10:47 – 00:00:41:11 Old Grizzled FBI Agent: Hi there. This is your…

  • Detecting AsyncRAT Malware C2 With Zeek And Suricata

    Please join the “Old Grizzled FBI Agent” to hear how you can detect the AsyncRAT malware family with Suricata and Zeek! Corelight blog: https://corelight.com/blog/newsroom/news/hunt-of-the-month-detecting-async-rat-malware Zeek: https://zeek.org/ Source code: https://github.com/corelight/zeek-asyncrat-detector Transcript: 00:00:00:10 –…

  • Zeek Log Format Cheat Sheet

    Sometimes you want to quickly know the format of a Zeek log file. Check out this web page that links to all the native Zeek log record definitions: https://docs.zeek.org/en/master/script-reference/log-files.html Clicking on “Conn::Info”…

  • Analyzing QBot/QakBot Malware With Zeek

    In this short article I’ll outline some analysis I performed on the QBot/QakBot malware family with Zeek. I took a look at the following PCAPs from this family of malware, hoping to…

  • A Gozi Banking Malware Detector – Zeek Roulette #3

    I had talked about Gozi malware in our eCrimeBytes podcast here: Last Man From Gozi Banking Malware Group Sentenced To Three Years – eCrimeBytes Nibble #51 In my technical real life job…

  • Detecting Amadey Malware With Zeek – Zeek Roulette #2

    For my Zeek Roulette #2 I picked a recently submitted sample from ANY.Run that ended up being Amadey: https://app.any.run/tasks/31ba58da-30d1-4a08-940d-2412fc629221/ You can download the PCAP from the link above if you navigate…

  • njRAT/Bladabindi Zeek Detector Update – Zeek Roulette #1 Part 2

    This is an update to: Detecting njRAT/Bladabindi Malware With Zeek – Zeek Roulette #1 I have been running this detector on a live network for a while and I’ve seen 2 (rare)…

  • Detecting njRAT/Bladabindi Malware With Zeek – Zeek Roulette #1

    Welcome to the first edition of Zeek Roulette, where I pick a random Zeek topic and try to solve it! For this article I picked njRAT malware from Any.Run and tried to…

  • Zeek Clustering How-To Video

    I put together a Zeek clustering video over at Youtube (https://youtu.be/g-QvpYHgh1c). You can get to the slides through: https://docs.google.com/presentation/d/1HHHF4-FNhoSuy-YPMOWka3EGvfOW7CJAFeS9VHxBg_E/edit?usp=sharing The source code is available at: https://github.com/corelight/CVE-2022-24491

  • Using Zeek Signatures To Detect CVEs

    I put a video together (https://www.youtube.com/watch?v=PcXjkUt3rZA) discussing a method I have used to detect CVEs using just Zeek signatures: https://docs.zeek.org/en/master/frameworks/signatures.html This method is useful when trying to detect a CVE exploit in…