How to better tune Zeek to capture C2 Long Polling? #10577
Replies: 1 comment 1 reply

Very interesting 9-hour meterpreter session. This is all testing data inside my CyberLabz home lab environment. I'm trying to better understand how to tune Zeek to quickly capture and highlight initial C2 connections without waiting for the connection to close. It seems that Zeek will present the log in Kibana or "Hunt" once the connection is finally terminated.
The connection is initiated around 02:49 UTC and lasted for 9 hours.
After 9 hours the session is killed and only a handful of connection logs are found. The event duration is very high, which could be an indicator. This to me looks like long polling, which Zeek will log once the connection is closed.
This type of C2 communication would be hard to find. Are there any other ways to tune Zeek to better highlight potential long-polling C2 behavior?

1 reply
Would something like this help?
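One way to get a log entry while a long-lived session is still open, rather than waiting for conn.log at teardown, is to poll the connection at fixed ages with Zeek's built-in ConnPolling framework and write a separate log each time a threshold is crossed. The script below is an added example for this discussion, not code from the thread or from the Security Onion project; the module name LongPoll, the log path long_poll, and the 10 min / 1 hr / 6 hr thresholds are assumptions to be tuned for the environment.

```zeek
# Added example: report TCP connections that are still open at each
# threshold age, so a long-polling session shows up long before it closes.
@load base/protocols/conn

module LongPoll;

export {
	redef enum Log::ID += { LOG };

	## Ages at which a still-open connection is reported (assumed values;
	## a 9-hour session would be reported at each of them).
	const thresholds: vector of interval = vector(10min, 1hr, 6hr) &redef;

	type Info: record {
		ts:         time     &log;  ## when the threshold was crossed
		uid:        string   &log;  ## matches the uid in conn.log
		id:         conn_id  &log;
		duration:   interval &log;  ## age of the connection so far
		orig_bytes: count    &log;  ## payload bytes sent by the originator
		resp_bytes: count    &log;  ## payload bytes sent by the responder
		threshold:  interval &log;  ## which threshold fired
	};

	global log_long_poll: event(rec: Info);
}

event zeek_init()
	{
	# Writes to long_poll.log (assumed name) next to the other Zeek logs.
	Log::create_stream(LOG, [$columns=Info, $ev=log_long_poll, $path="long_poll"]);
	}

# ConnPolling invokes this each time the scheduled interval elapses; `cnt`
# is how many times it has fired for this connection. ConnPolling refreshes
# `c` before the call and skips the call if the connection is already gone.
# Returning a negative interval stops polling.
function poll_callback(c: connection, cnt: count): interval
	{
	if ( cnt >= |thresholds| )
		return -1sec;

	local rec: Info = [$ts=network_time(), $uid=c$uid, $id=c$id,
	                   $duration=c$duration,
	                   $orig_bytes=c$orig$size, $resp_bytes=c$resp$size,
	                   $threshold=thresholds[cnt]];
	Log::write(LOG, rec);

	if ( cnt + 1 >= |thresholds| )
		return -1sec;

	# Sleep only until the next threshold is due.
	return thresholds[cnt + 1] - thresholds[cnt];
	}

# Start watching each TCP connection once the handshake completes.
event connection_established(c: connection)
	{
	ConnPolling::watch(c, poll_callback, 0, thresholds[0]);
	}
```

Drop the script into a local site directory and @load it from local.zeek; the uid column lets an analyst pivot from a long_poll.log entry to the eventual conn.log record. Two caveats apply: a new log type only reaches Kibana or Hunt if the pipeline that ships Zeek logs to Elasticsearch is taught to parse it, and the thresholds are a trade-off between noise from legitimate long sessions (SSH, database connections, streaming) and how quickly a beaconing or long-polling channel is surfaced. Comparing orig_bytes and resp_bytes across successive entries for the same uid also helps: a C2 channel that stays open for hours while moving very little data looks different from a bulk transfer of the same duration.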