Lab 04 — Find Malware on the Wire with Zeek¶
Hands-on lab · ← Back to the module concept
Setup¶
git clone https://github.com/plaintext-security/plaintext-labs
cd plaintext-labs/defensive/04-network-monitoring
make up
Run make demo to analyze a small curated seed of Zeek logs
(data/zeek/conn.log, dns.log, http.log) that model a real C2
compromise — beaconing at ~300 s intervals, DGA queries, a PowerShell
dropper download, and 8 MB of outbound exfil. The seed lets the demo run
fully offline.
For the full real-traffic exercise, fetch a public malicious capture and rebuild the logs from it:
make fetch-data # downloads a real Malware-Traffic-Analysis.net PCAP
# and runs Zeek over it → conn.log, dns.log, http.log
python3 analyze.py data/zeek # analyze the generated logs
make fetch-data pulls a specific dated MTA.net capture (NetSupport RAT C2),
unzips it with the site's infected password, and runs zeek -r to produce
the logs — see data/PROVENANCE.md for the exact source
URL, the pipeline, and the write-up to check your findings against. To use a
different capture, set PCAP=your-capture.pcap make zeek.
Scenario¶
Run Zeek over a real malicious PCAP and find the attack in its logs — fully self-contained, no prior track required.
Analyse only the public training PCAP (or your own captures).
Do¶
- [ ] Run Zeek over the PCAP to generate its logs (conn, dns, http, ssl, files).
- [ ] Find the suspicious activity: unusual DNS, a C2 connection, or a downloaded file. (Where would beaconing show up?)
- [ ] Extract the indicators (IPs, domains, hashes) — then check your findings against the site's write-up.
- [ ] Author a detection and prove it fires (the build half). Don't stop at "a detection I
could build" — build it. Author a detection for the behaviour you found — a Zeek/Sigma rule or a
codified check for the ~300 s beaconing interval, the DGA-style DNS, or the rare long-lived C2
connection — and run it over the bundled
data/zeek/logs to confirm it fires on the C2 activity. Then point it at a benign baseline (a few normalconn/dnslines you add, or a clean capture) and confirm it stays quiet. This mirrors module 05's custom Suricata rule: the find and the verified detection are equal halves.
Success criteria — you're done when¶
- [ ] Zeek logs are generated and you found the malicious activity in them.
- [ ] You extracted indicators and they match the published write-up.
- [ ] You authored a detection (Zeek/Sigma rule or scripted check) that fires on the C2 behaviour in the bundled logs and stays quiet on a benign baseline.
Deliverables¶
nsm.md: the Zeek logs that mattered, the indicators you pulled, and your authored detection plus
the fires-on-C2 / quiet-on-benign proof. Commit the rule/check alongside it.
AI acceleration¶
Have a model summarise a large Zeek log or explain a DNS pattern — then verify against the write-up. The model triages; the ground truth is the log plus the analyst's report.
Connects forward¶
These network indicators and detections feed module 05 (IDS), module 08 (detection-as-code), and module 12 (network hunting).
Marketable proof¶
"I run Zeek over real malicious traffic and pull C2/exfil indicators from its logs — network visibility that catches what endpoints miss."
Automate & own it¶
Required. Script a pass over the Zeek logs that flags the indicators (suspicious DNS, long connections, rare destinations); AI drafts, you validate against the known-bad PCAP; commit it.
Stretch¶
- Feed the Zeek logs into your Elastic pipeline (module 01) and build a dashboard.
Comments
Sign in with GitHub to comment. Choose the type: Feedback (errors or suggestions on this page) · Hints (help for fellow learners — no spoilers) · General (anything else).