Does this replace EDR or Sysmon?

No, this is a network-centric detection tool. For comprehensive visibility, it should be used alongside endpoint telemetry like Sysmon or EDR to correlate network activity with local process execution.

Which specific logs does this skill analyze?

It parses conn.log, smb_mapping.log, smb_files.log, dce_rpc.log, kerberos.log, and ntlm.log to provide a holistic view of internal network movement.

Can this skill detect encrypted SMB3 traffic?

Zeek has limited visibility into the file-level details of encrypted SMB3 traffic; however, the skill can still identify suspicious connection patterns, source/destination metadata, and authentication attempts.

What version of Zeek is required?

This skill is designed for Zeek 6.0+ with the SMB, DCE/RPC, and Kerberos analyzers enabled in the configuration.

Zeek Network Lateral Movement Detection

Name: Zeek Network Lateral Movement Detection
Author: micsapp

bymicsapp

0•

セキュリティとテスト

Identifies and analyzes lateral movement patterns in network traffic by parsing Zeek logs for SMB, RPC, and NTLM activity.

This skill provides a specialized framework for cybersecurity professionals to hunt for lateral movement using Zeek (formerly Bro) network logs. It automates the analysis of complex log files like conn.log, smb_mapping.log, and dce_rpc.log to identify high-risk activities including administrative share access, remote service creation (PsExec/WMI patterns), and Pass-the-Hash authentication. By correlating network-level evidence with specific protocol behaviors, it helps security teams reconstruct attack timelines and detect unauthorized internal transitions that often bypass traditional perimeter defenses.

主な機能

01Internal traffic monitoring for anomalous WinRM and RPC connections

02Automated parsing of Zeek TSV and JSON log formats

03Identification of DCE/RPC remote service and scheduled task execution

04Analysis of NTLM and Kerberos logs for credential reuse indicators

05Detection of unauthorized SMB administrative share access (C$, ADMIN$)

060 GitHub stars

ユースケース

01Proactive threat hunting for unauthorized remote administration and lateral tool execution

02Post-incident forensic analysis to map a threat actor's movement through the internal network

03Continuous monitoring of internal VLANs for staging and data exfiltration patterns

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add micsapp/micstec-skills detecting-lateral-movement-with-zeek

For use in Claude.ai and ChatGPT

主な機能

01Internal traffic monitoring for anomalous WinRM and RPC connections

02Automated parsing of Zeek TSV and JSON log formats

03Identification of DCE/RPC remote service and scheduled task execution

04Analysis of NTLM and Kerberos logs for credential reuse indicators

05Detection of unauthorized SMB administrative share access (C$, ADMIN$)

060 GitHub stars

ユースケース

01Proactive threat hunting for unauthorized remote administration and lateral tool execution

02Post-incident forensic analysis to map a threat actor's movement through the internal network

03Continuous monitoring of internal VLANs for staging and data exfiltration patterns

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add micsapp/micstec-skills detecting-lateral-movement-with-zeek

For use in Claude.ai and ChatGPT