{"id":3877,"date":"2026-04-14T13:32:01","date_gmt":"2026-04-14T17:32:01","guid":{"rendered":"https:\/\/drkeithjones.com\/?p=3877"},"modified":"2026-04-22T11:48:41","modified_gmt":"2026-04-22T15:48:41","slug":"beyond-the-grep-hunting-malware-with-zeek-and-duckdb-sql","status":"publish","type":"post","link":"https:\/\/drkeithjones.com\/index.php\/2026\/04\/14\/beyond-the-grep-hunting-malware-with-zeek-and-duckdb-sql\/","title":{"rendered":"Beyond the Grep: Hunting Malware with Zeek and DuckDB SQL"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Hunting through raw Zeek logs just got a massive upgrade.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If you\u2019ve spent years in the SOC, you\u2019ve likely built up a library of complex <code>awk<\/code> chains and <code>grep<\/code> commands to parse Zeek data. It works, but it\u2019s brittle and hard to read. I recently used <strong>DuckDB<\/strong> and the <a target=\"_blank\" rel=\"noreferrer noopener\" href=\"https:\/\/github.com\/ynadji\/zeek-duckdb\">zeek-duckdb extension<\/a> to analyze a malware sample, and the difference is night and day. Instead of wrestling with syntax, I was able to run blazing-fast SQL queries against raw logs directly in my terminal.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The Power of the Join<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The real magic happens when you treat your logs like relational data. By joining <code>conn.log<\/code> and <code>http.log<\/code> on the shared connection <code>uid<\/code>, you instantly combine <strong>application-layer context<\/strong> with <strong>network-layer ground truth.<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In this hunt, I was looking for data exfiltration patterns. 
While a standard web log might show you a successful <code>GET<\/code> request, joining it with the connection log shows how many bytes the client actually sent over that connection (<code>orig_bytes<\/code>) and how many came back (<code>resp_bytes<\/code>). One caveat: those counts belong to the connection, not to the individual request. A keep-alive connection that carries several HTTP transactions produces several <code>http.log<\/code> rows sharing one <code>uid<\/code>, and the join repeats the same byte totals on each of them.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The &#8220;Aha!&#8221; Moment<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">I wrote a query to sort by <code>orig_bytes DESC<\/code> to surface the largest data transfers. While this specific sample didn&#8217;t show massive exfiltration, stacking the data this way made an anomaly glaringly obvious: <strong>a request to <code>icanhazip.com<\/code> with a <code>NULL<\/code> User-Agent.<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Browsers and nearly every legitimate HTTP client send a User-Agent header; Zeek leaves the field unset (<code>-<\/code> in the raw log, <code>NULL<\/code> here) when the request carried none. A request with no User-Agent to a public-IP lookup service is a strong indicator of scripted, non-browser activity, and in a sandbox run of a malware sample the natural reading is that the implant is learning its victim&#8217;s public IP before checking in with C2. Treat it as a lead rather than a verdict: a hand-rolled client or an admin script can produce the same pattern, so confirm it by pivoting on the source host and on what that host did next. I found this in seconds with zero infrastructure setup. The transcript below assumes the zeek-duckdb extension is already installed; <code>load zeek;<\/code> only loads it into the session.<\/p>\n\n\n\n<pre style=\"white-space: pre; overflow-x: auto; font-family: monospace; font-size: 12px; background: #fdfdfd; padding: 20px; border: 1px solid #ddd; line-height: 1.5;\">\nkeith.jones@Keiths-MacBook-Pro duckdb % duckdb\nDuckDB v1.5.1 (Variegata)\nEnter \".help\" for usage hints.\nmemory D load zeek;\nmemory D SELECT\n          c.ts,\n          c.uid,\n          c.id_orig_h AS source_ip,\n          c.id_resp_h AS dest_ip,\n          h.method,\n          h.\"host\", -- Using quotes because LinkedIn will auto hyperlink this\n          h.uri,\n          h.user_agent,   -- Context: What tool is making the request?\n          c.orig_bytes,   -- Network: How much data did the client send? 
(Hunting Exfil)\n          c.resp_bytes,   -- Network: How much data did the server return?\n          h.status_code,\n          c.conn_state   -- Network: Did the connection finish normally or get abruptly reset?\n          FROM read_zeek('conn.log') AS c\n          JOIN read_zeek('http.log') AS h USING (uid)\n          ORDER BY c.orig_bytes DESC; -- Sorting by data sent out to look for exfil\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u252c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502              ts               \u2502        uid         \u2502   source_ip    \u2502    dest_ip     \u2502 method  \u2502         host          \u2502               
 uri                \u2502        user_agent        \u2502 orig_bytes \u2502 resp_bytes \u2502 status_code \u2502 conn_state \u2502\n\u2502   timestamp with time zone    \u2502      varchar       \u2502      inet      \u2502      inet      \u2502 varchar \u2502        varchar        \u2502              varchar              \u2502         varchar          \u2502   uint64   \u2502   uint64   \u2502   uint64    \u2502  varchar   \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 2026-04-14 09:23:46.86766-04  \u2502 C9I1o32GZkDMCaqjU1 \u2502 192.168.100.15 \u2502 88.221.169.152 \u2502 GET     \u2502 
www.microsoft.com     \u2502 \/pkiops\/crl\/Microsoft ECC Product \u2502 Microsoft-CryptoAPI\/10.0 \u2502        484 \u2502       1917 \u2502         200 \u2502 RSTO       \u2502\n\u2502                               \u2502                    \u2502                \u2502                \u2502         \u2502                       \u2502  Root Certificate Authority 2018. \u2502                          \u2502            \u2502            \u2502             \u2502            \u2502\n\u2502                               \u2502                    \u2502                \u2502                \u2502         \u2502                       \u2502 crl                               \u2502                          \u2502            \u2502            \u2502             \u2502            \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u25
00\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 2026-04-14 09:23:46.86766-04  \u2502 C9I1o32GZkDMCaqjU1 \u2502 192.168.100.15 \u2502 88.221.169.152 \u2502 GET     \u2502 www.microsoft.com     \u2502 \/pkiops\/crl\/Microsoft ECC Update  \u2502 Microsoft-CryptoAPI\/10.0 \u2502        484 \u2502       1917 \u2502         200 \u2502 RSTO       \u2502\n\u2502                               \u2502                    \u2502                \u2502                \u2502         \u2502                       \u2502 Secure Server CA 2.1.crl          \u2502                          \u2502            \u2502            \u2502             \u2502            \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u
2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 2026-04-14 09:23:17.160462-04 \u2502 CERXXs2SXczhdsjGd2 \u2502 192.168.100.15 \u2502 204.79.197.203 \u2502 GET     \u2502 oneocsp.microsoft.com \u2502 \/ocsp\/MFQwUjBQME4wTDAJBgUrDgMCGgU \u2502 Microsoft-CryptoAPI\/10.0 \u2502        253 \u2502       1444 \u2502         200 \u2502 S1         \u2502\n\u2502                               \u2502                    \u2502                \u2502                \u2502         \u2502                       \u2502 ABBQ3L3\/\/a6ADK8NraY2GXzVaYrHG4AQU \u2502                          \u2502            \u2502            \u2502             \u2502            \u2502\n\u2502                               \u2502                    \u2502                \u2502                \u2502         \u2502                       \u2502 b6t+2v+XQ3LsO2d33oJhNYhHQoUCEzMAA \u2502                          \u2502            \u2502            \u2502             \u2502            \u2502\n\u2502                               \u2502                    \u2502                \u2502                \u2502         \u2502                       \u2502 AAGb6JMMcOVb6sAAAAAAAY=           \u2502                          \u2502            \u2502            \u2502             \u2502            
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 2026-04-14 09:23:38.089325-04 \u2502 Cgbswa2jFzUocQtifg \u2502 192.168.100.15 \u2502 23.11.41.157   \u2502 GET     \u2502 ocsp.digicert.com     \u2502 \/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ5 \u2502 Microsoft-CryptoAPI\/10.0 \u2502        240 \u2502        641 \u2502         200 \u2502 S1         \u2502\n\u2502                               \u2502                    \u2502                \u2502                \u2502         \u2502                       \u2502 0otx\/h0Ztl+z8SiPI7wEWVxDlQQUTiJUI \u2502                          \u2502            \u2502      
      \u2502             \u2502            \u2502\n\u2502                               \u2502                    \u2502                \u2502                \u2502         \u2502                       \u2502 BiV5uNu5g\/6+rkS7QYXjzkCEAz1vQYrVg \u2502                          \u2502            \u2502            \u2502             \u2502            \u2502\n\u2502                               \u2502                    \u2502                \u2502                \u2502         \u2502                       \u2502 L0erhQLCPM8GY=                    \u2502                          \u2502            \u2502            \u2502             \u2502            \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 2026-04-14 09:23:17.095191-04 \u2502 CqWV6W1GPWojiojYde \u2502 192.168.100.15 \u2502 23.11.41.157   \u2502 GET     \u2502 ocsp.digicert.com     \u2502 \/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTr \u2502 Microsoft-CryptoAPI\/10.0 \u2502        236 \u2502        485 \u2502         200 \u2502 S1         \u2502\n\u2502                               \u2502                    \u2502                \u2502                \u2502         \u2502                       \u2502 jrydRyt+ApF3GSPypfHBxR5XtQQUs9tIp \u2502                          \u2502            \u2502            \u2502             \u2502            \u2502\n\u2502                               \u2502                    \u2502                \u2502                \u2502         \u2502                       \u2502 PmhxdiuNkHMEWNpYim8S8YCEAjTxtAB8m \u2502                          \u2502            \u2502            \u2502             \u2502            \u2502\n\u2502                               \u2502                    \u2502                \u2502                \u2502         \u2502                       \u2502 y1oj8MfWpz\/7Y=                    \u2502                          \u2502            \u2502            \u2502             \u2502            
\u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 2026-04-14 09:23:26.479552-04 \u2502 CwBv002K9i2nSr9PW1 \u2502 192.168.100.15 \u2502 23.216.77.30   \u2502 GET     \u2502 crl.microsoft.com     \u2502 \/pki\/crl\/products\/MicRooCerAut201 \u2502 Microsoft-CryptoAPI\/10.0 \u2502        216 \u2502       1267 \u2502         200 \u2502 S1         \u2502\n\u2502                               \u2502                    \u2502                \u2502                \u2502         \u2502                       \u2502 1_2011_03_22.crl                  \u2502                          \u2502            \u2502    
        \u2502             \u2502            \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 2026-04-14 09:23:26.599969-04 \u2502 CJNCiO1k6X4OK5cB6g \u2502 192.168.100.15 \u2502 23.59.18.102   \u2502 GET     \u2502 www.microsoft.com     \u2502 \/pkiops\/crl\/MicSecSerCA2011_2011- \u2502 Microsoft-CryptoAPI\/10.0 \u2502        209 \u2502       1359 \u2502         200 \u2502 S1         \u2502\n\u2502                               \u2502                    \u2502                \u2502                \u2502         \u2502                       \u2502 10-18.crl                         \u2502          
                \u2502            \u2502            \u2502             \u2502            \u2502\n\u251c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2524\n\u2502 2026-04-14 09:24:04.219286-04 \u2502 CeRSW815NsWYrVvGod \u2502 192.168.100.15 \u2502 104.16.184.241 \u2502 GET     \u2502 icanhazip.com         \u2502 \/                                 \u2502 NULL                     \u2502         63 \u2502        584 \u2502         200 \u2502 S1         
\u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2534\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\nmemory D\n<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">By moving from text-parsing to SQL-querying, we stop fighting the logs and start asking better questions. 
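Added example, not code from the original post: a short Python script that reproduces the hunt above end to end on constructed Zeek log records. It parses Zeek's ASCII log format (the `#separator`, `#unset_field`, `#fields` and `#types` header lines, with `-` marking an unset value), renames `id.orig_h`-style fields to the `id_orig_h` form the post's query uses, loads `conn.log` and `http.log` into tables, runs the `uid` join ordered by `orig_bytes DESC`, and then filters for the pattern that stood out: a request with no User-Agent, or one to a public-IP lookup host. It uses Python's bundled sqlite3 as a stand-in for DuckDB so it runs with nothing installed; the SQL stays within what both engines accept, so replacing the table names with `read_zeek('conn.log')` and `read_zeek('http.log')` gives the DuckDB version. The uids, addresses, the curl keep-alive session and the watchlist of IP-discovery hostnames are all constructed for the example.

```python
"""Join Zeek conn.log and http.log on uid, then flag non-browser requests to
public-IP discovery services.  Added example, not code from the original post.
sqlite3 stands in for DuckDB; the SQL is kept to what both engines accept."""
import sqlite3

# Zeek type -> (Python converter, SQL column type); other types stay text.
ZEEK_TYPES = {"count": (int, "INTEGER"), "int": (int, "INTEGER"),
              "port": (int, "INTEGER"), "time": (float, "REAL"),
              "interval": (float, "REAL"), "double": (float, "REAL")}

# Constructed Zeek ASCII logs trimmed to the fields the hunt needs.  The uids,
# addresses and the curl keep-alive session (Cex0003) are invented.
CONN_LOG = "\n".join([
    "#separator \\x09", "#set_separator\t,", "#unset_field\t-",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes\tconn_state",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tcount\tcount\tstring",
    "1776172997.160\tCex0001\t192.168.100.15\t49711\t198.51.100.20\t80\ttcp\t216\t1267\tS1",
    "1776173044.219\tCex0002\t192.168.100.15\t49731\t198.51.100.30\t80\ttcp\t63\t584\tS1",
    "1776173050.001\tCex0003\t192.168.100.15\t49740\t203.0.113.10\t80\ttcp\t900\t300\tRSTO",
])
HTTP_LOG = "\n".join([
    "#separator \\x09", "#set_separator\t,", "#unset_field\t-",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\ttrans_depth\tmethod\thost\turi\tuser_agent\tstatus_code",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tcount\tstring\tstring\tstring\tstring\tcount",
    "1776172997.200\tCex0001\t192.168.100.15\t49711\t198.51.100.20\t80\t1\tGET\tcrl.microsoft.com\t/pki/crl/products/MicRooCerAut2011_2011_03_22.crl\tMicrosoft-CryptoAPI/10.0\t200",
    "1776173044.300\tCex0002\t192.168.100.15\t49731\t198.51.100.30\t80\t1\tGET\ticanhazip.com\t/\t-\t200",
    "1776173050.100\tCex0003\t192.168.100.15\t49740\t203.0.113.10\t80\t1\tGET\texample.net\t/a\tcurl/8.4.0\t200",
    "1776173050.400\tCex0003\t192.168.100.15\t49740\t203.0.113.10\t80\t2\tGET\texample.net\t/b\tcurl/8.4.0\t404",
])

# Hosts that answer "what is my public IP?" -- a constructed watchlist.
IP_DISCOVERY_HOSTS = ("icanhazip.com", "ifconfig.me", "api.ipify.org",
                      "checkip.amazonaws.com")


def parse_zeek_tsv(text):
    """Return (field_names, zeek_types, rows) from a Zeek ASCII log.
    '#' lines carry the separator, the unset marker, column names and types.
    Dots in names (id.orig_h) become underscores, matching what the
    zeek-duckdb extension exposes (id_orig_h); unset values become None."""
    sep, unset, fields, types, rows = "\t", "-", [], [], []
    for line in text.splitlines():
        if line.startswith("#separator "):   # value is the escape text \x09
            sep = line[len("#separator "):].encode().decode("unicode_escape")
        elif line.startswith("#"):
            key, *vals = line[1:].split(sep)
            if key == "unset_field":
                unset = vals[0]
            elif key == "fields":
                fields = [v.replace(".", "_") for v in vals]
            elif key == "types":
                types = vals
        elif line:
            rows.append(tuple(
                None if v == unset else ZEEK_TYPES.get(t, (str,))[0](v)
                for v, t in zip(line.split(sep), types)))
    return fields, types, rows


def load_zeek_log(con, table, text):
    """Create a table typed from the '#types' line and bulk-insert the rows."""
    fields, types, rows = parse_zeek_tsv(text)
    cols = ", ".join(f'"{f}" {ZEEK_TYPES.get(t, (None, "TEXT"))[1]}'
                     for f, t in zip(fields, types))
    con.execute(f'CREATE TABLE "{table}" ({cols})')
    marks = ", ".join("?" * len(fields))
    con.executemany(f'INSERT INTO "{table}" VALUES ({marks})', rows)


def build_db(conn_log=CONN_LOG, http_log=HTTP_LOG):
    con = sqlite3.connect(":memory:")
    con.row_factory = sqlite3.Row          # rows convert to dicts by name
    load_zeek_log(con, "conn", conn_log)
    load_zeek_log(con, "http", http_log)
    return con


def join_overview(con):
    """The post's stacking query, largest client-sent volume first.  conn.log
    bytes are totals for the whole connection, so a keep-alive session with
    several http.log rows repeats the same orig_bytes on each of them;
    requests_on_conn makes that fan-out visible."""
    return [dict(r) for r in con.execute("""
        SELECT c.uid, c.id_orig_h AS source_ip, c.id_resp_h AS dest_ip,
               h.method, h."host" AS host, h.uri, h.user_agent, h.status_code,
               c.orig_bytes, c.resp_bytes, c.conn_state,
               COUNT(*) OVER (PARTITION BY c.uid) AS requests_on_conn
        FROM conn AS c
        JOIN http AS h USING (uid)
        ORDER BY c.orig_bytes DESC, h.trans_depth""")]


def hunt(con):
    """Transactions with no User-Agent header or to a public-IP lookup host."""
    marks = ", ".join("?" * len(IP_DISCOVERY_HOSTS))
    return [dict(r) for r in con.execute(f"""
        SELECT c.uid, c.id_resp_h AS dest_ip, h."host" AS host, h.uri,
               h.user_agent, c.orig_bytes, c.resp_bytes,
               (h.user_agent IS NULL) AS no_user_agent,
               (h."host" IN ({marks})) AS ip_discovery_host
        FROM conn AS c
        JOIN http AS h USING (uid)
        WHERE h.user_agent IS NULL OR h."host" IN ({marks})
        ORDER BY c.orig_bytes DESC""", IP_DISCOVERY_HOSTS * 2)]


if __name__ == "__main__":
    print(*hunt(build_db()), sep="\n")
```

`join_overview` is the post's stacking query; on the constructed data the curl session (`Cex0003`) appears twice with the same 900-byte `orig_bytes`, which is exactly the per-connection fan-out to keep in mind before reading those bytes as a single upload. `hunt` keeps only the suspicious transactions; with this input that is the `icanhazip.com` request whose `user_agent` is `NULL`.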
Whether you are doing local IR or proactive threat hunting, the combination of Zeek\u2019s visibility and DuckDB\u2019s speed is a formidable addition to any toolkit.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Resources<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"has-superbfont-xsmall-font-size\"><strong>Malware Sample:<\/strong> <a href=\"https:\/\/app.any.run\/tasks\/416d6034-086e-4a6f-b56c-6a7169730281\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN Task<\/a><\/li>\n\n\n\n<li class=\"has-superbfont-xsmall-font-size\"><strong>The Extension:<\/strong> <a href=\"https:\/\/github.com\/ynadji\/zeek-duckdb\" target=\"_blank\" rel=\"noreferrer noopener\">zeek-duckdb on GitHub<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Hunting through raw Zeek logs just got a massive upgrade. If you\u2019ve spent years in the SOC, you\u2019ve likely built up a library of complex awk chains and grep commands to parse Zeek data. It works, but it\u2019s brittle and hard to read. I recently used DuckDB and the zeek-duckdb extension to analyze a malware [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[144,74,140,91,24,61,4],"tags":[],"class_list":["post-3877","post","type-post","status-publish","format-standard","hentry","category-detection","category-how-to","category-malware","category-open-source","category-pcaps","category-tools","category-zeek"],"aioseo_notices":[],"aioseo_head":"\n\t\t<!-- All in One SEO 4.9.8 - aioseo.com -->\n\t<meta name=\"description\" content=\"Hunting through raw Zeek logs just got a massive upgrade. 
If you\u2019ve spent years in the SOC, you\u2019ve likely built up a library of complex awk chains and grep commands to parse Zeek data. It works, but it\u2019s brittle and hard to read. I recently used DuckDB and the zeek-duckdb extension to analyze a malware\" \/>\n\t<meta name=\"robots\" content=\"max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n\t<meta name=\"author\" content=\"drkeithjones\"\/>\n\t<link rel=\"canonical\" href=\"https:\/\/drkeithjones.com\/index.php\/2026\/04\/14\/beyond-the-grep-hunting-malware-with-zeek-and-duckdb-sql\/\" \/>\n\t<meta name=\"generator\" content=\"All in One SEO (AIOSEO) 4.9.8\" \/>\n\t\t<meta property=\"og:locale\" content=\"en_US\" \/>\n\t\t<meta property=\"og:site_name\" content=\"DrKeithJones.com - A cybersecurity researcher&#039;s journey.\" \/>\n\t\t<meta property=\"og:type\" content=\"article\" \/>\n\t\t<meta property=\"og:title\" content=\"Beyond the Grep: Hunting Malware with Zeek and DuckDB SQL - DrKeithJones.com\" \/>\n\t\t<meta property=\"og:description\" content=\"Hunting through raw Zeek logs just got a massive upgrade. If you\u2019ve spent years in the SOC, you\u2019ve likely built up a library of complex awk chains and grep commands to parse Zeek data. It works, but it\u2019s brittle and hard to read. 
I recently used DuckDB and the zeek-duckdb extension to analyze a malware\" \/>\n\t\t<!-- All in One SEO -->\n\n"}