In the process of Threat Hunting or even as a SOC Analyst, it is crucial to know your assets. You have to know which are the SSH Servers, the DNS Server, the Domain Controllers, and other systems in order to be able to understand which assets are the most valuable and which of them have the greater risk. Also if you know the purpose of its system it will be easier for you to detect abnormal things. This can be done by utilizing a CMDB and connecting it with your threat-hunting tool or your SIEM/SOAR. In that way, you can enrich your logs with hostnames, the operating system, and maybe the versions of the applications that run on these systems.
But many times if you work on an MSSP (and the client doesn’t have implemented a CMDB) or you are asked to monitor an unknown network (maybe for incident response purposes) or even if your company allows BYOD, most of the time you don’t have the option to enrich your logs through such asset management systems.
For that purpose, I decided to create a Zeek Module that utilizes the DHCP Protocol to enrich the Zeek logs with the hostname of the machine. The only requirement is for the machine to get its IP with DHCP. As so for systems with static IP assignment, you have to load the hostnames through a file which I will analyze in another post.
So the thing that actually the module does is monitor the DHCP Protocol communication and when a client asks for an IP from the DHCP Server, Zeek will check if the host_name field in the DHCP::Info record is set. If this is true, it will save it in a table along with the IP and the MAC address of the host. Also in the module you have the option to save the table only in memory, in cases, you don’t these data to persist. In case of persistence, you can change Passive_Entities::entities_store_persistency to Broker::SQLITE and the table will be saved in an SQLITE database. The table is also used the Broker Framework so the table will be synchronized in all the Zeek nodes. Hence the data will be in all the nodes of your Zeek Cluster even when you restart it.
Also, the module, every time a new DHCP log is created by Zeek, checks if the IP is taken from another host and updates the table in order to keep the table consistent with what happening on the network. Another feature is it tries to detect if the host changed its hostname and does the update.
At last, the module checks if the domain field also has a value, and if so it adds it to the enriched field. The enrichment with the hostname is being made on all the produced Zeek logs.
Below is a sample of an enriched conn.log. The first record has only the detected asset’s hostname and in the second one it has also detected the domain in which the system belongs.
{"ts":1361916444.804841,"uid":"CDmVGN1I7eEE85gwY4","id.orig_h":"172.16.133.40","id.orig_p":50297,"id.resp_h":"96.43.146.48","id.resp_p":443,"id.orig_hostname":"JDT096","proto":"tcp","service":"ssl","duration":3.39282488822937,"orig_bytes":1850,"resp_bytes":3079,"conn_state":"S1","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"ShADda","orig_pkts":12,"orig_ip_bytes":2342,"resp_pkts":9,"resp_ip_bytes":3451,"orig_l2_addr":"00:21:70:63:41:15","resp_l2_addr":"00:90:7f:3e:02:d0","community_id":"1:k2/On2MP068bpCHYtdVbqaxPjhA=","resp_geo.country_code":"US","resp_geo.latitude":37.751,"resp_geo.longitude":-97.822,"resp_asn.number":14340,"resp_asn.organization":"SALESFORCE"}
{"ts":1361916448.480786,"uid":"CBrZGC3h8QUak9swLa","id.orig_h":"172.16.133.34","id.orig_p":50719,"id.resp_h":"96.43.146.176","id.resp_p":443,"id.orig_hostname":"JDT168[jaalam.net]","proto":"tcp","service":"ssl","duration":3.4028120040893555,"orig_bytes":8381,"resp_bytes":12825,"conn_state":"S1","local_orig":true,"local_resp":false,"missed_bytes":0,"history":"ShADda","orig_pkts":19,"orig_ip_bytes":9153,"resp_pkts":20,"resp_ip_bytes":13637,"orig_l2_addr":"9c:8e:99:f3:8c:19","resp_l2_addr":"00:90:7f:3e:02:d0","community_id":"1:NRZMq/TxorOMcAZBa0OKyRs8cgc=","resp_geo.country_code":"US","resp_geo.latitude":37.751,"resp_geo.longitude":-97.822,"resp_asn.number":14340,"resp_asn.organization":"SALESFORCE"}More information about my Zeek Module can be found on my GitHub account (https://github.com/chrisanag1985/Zeek-Passive-Hostname-Detection).
