
Detecting Lateral Movement with Zeek

Analyze Zeek network logs to identify lateral movement techniques including SMB admin share access, DCE/RPC remote service creation, NTLM account spray, Kerberos ticket anomalies, and large internal data transfers indicative of staging or exfiltration between hosts.

When to Use

  • Hunting for lateral movement after an initial compromise indicator is found on one endpoint
  • Investigating suspected NTLM account spray or Pass-the-Ticket attacks across the internal network
  • Monitoring SMB traffic for unauthorized file transfers to admin shares (C$, ADMIN$, IPC$)
  • Detecting remote service execution via DCE/RPC (PsExec, schtasks, WMI lateral patterns)
  • Building alerting rules for internal network anomalies in a Zeek-based NSM (network security monitoring) deployment
  • Performing post-incident timeline reconstruction using Zeek logs as a network-level evidence source

Do not use as a standalone detection mechanism. Zeek sees network traffic only; combine with endpoint telemetry (Sysmon, EDR) for full visibility. Encrypted SMB3 traffic may limit Zeek's visibility into file-level details.
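The five checks listed above, as an added worked example that is not part of this skill's own code: a small Python hunt over Zeek JSON logs (smb_mapping.log, dce_rpc.log, ntlm.log, kerberos.log, conn.log). Field names follow Zeek's default JSON log layout; the log lines in SAMPLE_LOGS are constructed for illustration and trimmed to the fields the detectors read, the DCE/RPC operation names are those Zeek reports for svcctl, atsvc and the Task Scheduler interface, and the thresholds (three failed accounts, 10-hour TGT lifetime, 50 MB internal flow) are hypothetical starting points to tune per environment.

```python
"""Lateral-movement hunting over Zeek JSON logs (added example; sample data is constructed)."""
import ipaddress
import json
import re
from collections import defaultdict

# DCE/RPC endpoint -> operations that create or start remote services/tasks,
# as Zeek names them in dce_rpc.log (PsExec, at.exe, schtasks patterns).
REMOTE_EXEC_OPS = {
    "svcctl": {"CreateServiceW", "CreateServiceA", "StartServiceW", "StartServiceA"},
    "atsvc": {"NetrJobAdd"},
    "ITaskSchedulerService": {"SchRpcRegisterTask", "SchRpcRun"},
}
ADMIN_SHARE = re.compile(r"^(ADMIN\$|IPC\$|[A-Z]\$)$")  # IPC$ is noisy; keep it for correlation
TEN_HOURS = 10 * 3600  # default TGT lifetime; far longer suggests a forged (golden) ticket

# Constructed Zeek JSON lines, not real captures. 10.0.1.20 is the "compromised" host.
SAMPLE_LOGS = {
    "smb_mapping": [
        r'{"ts":1700000001.0,"id.orig_h":"10.0.1.20","id.resp_h":"10.0.1.50","path":"\\\\FS01\\ADMIN$","share_type":"DISK"}',
        r'{"ts":1700000002.0,"id.orig_h":"10.0.1.21","id.resp_h":"10.0.1.50","path":"\\\\FS01\\Shared","share_type":"DISK"}',
    ],
    "dce_rpc": [
        '{"ts":1700000003.0,"id.orig_h":"10.0.1.20","id.resp_h":"10.0.1.50","endpoint":"svcctl","operation":"OpenSCManagerW"}',
        '{"ts":1700000003.1,"id.orig_h":"10.0.1.20","id.resp_h":"10.0.1.50","endpoint":"svcctl","operation":"CreateServiceW"}',
        '{"ts":1700000004.0,"id.orig_h":"10.0.1.30","id.resp_h":"10.0.1.60","endpoint":"lsarpc","operation":"LsarLookupNames"}',
    ],
    "ntlm": [
        '{"ts":1700000005.0,"id.orig_h":"10.0.1.20","id.resp_h":"10.0.1.5","username":"alice","success":false}',
        '{"ts":1700000005.2,"id.orig_h":"10.0.1.20","id.resp_h":"10.0.1.5","username":"bob","success":false}',
        '{"ts":1700000005.4,"id.orig_h":"10.0.1.20","id.resp_h":"10.0.1.5","username":"carol","success":false}',
        '{"ts":1700000006.0,"id.orig_h":"10.0.1.21","id.resp_h":"10.0.1.5","username":"dave","success":true}',
    ],
    "kerberos": [
        '{"ts":1700000007.0,"id.orig_h":"10.0.1.21","id.resp_h":"10.0.1.5","request_type":"AS","client":"WS01$/CORP.LOCAL","service":"krbtgt/CORP.LOCAL","from":1700000000.0,"till":1700036000.0,"cipher":"aes256-cts-hmac-sha1-96"}',
        '{"ts":1700000008.0,"id.orig_h":"10.0.1.20","id.resp_h":"10.0.1.5","request_type":"AS","client":"admin/CORP.LOCAL","service":"krbtgt/CORP.LOCAL","from":1700000000.0,"till":2000000000.0,"cipher":"aes256-cts-hmac-sha1-96"}',
        '{"ts":1700000009.0,"id.orig_h":"10.0.1.20","id.resp_h":"10.0.1.5","request_type":"TGS","client":"jdoe/CORP.LOCAL","service":"MSSQLSvc/db01.corp.local:1433","cipher":"rc4-hmac"}',
    ],
    "conn": [
        '{"ts":1700000010.0,"id.orig_h":"10.0.1.20","id.resp_h":"10.0.1.50","proto":"tcp","service":"smb","orig_bytes":120000000,"resp_bytes":5000}',
        '{"ts":1700000011.0,"id.orig_h":"10.0.1.21","id.resp_h":"10.0.1.50","proto":"tcp","service":"smb","orig_bytes":2048,"resp_bytes":4096}',
        '{"ts":1700000012.0,"id.orig_h":"10.0.1.20","id.resp_h":"8.8.8.8","proto":"tcp","service":"ssl","orig_bytes":200000000,"resp_bytes":9000}',
    ],
}

def load(lines):
    """Parse Zeek JSON-format log lines into dicts."""
    return [json.loads(line) for line in lines if line.strip()]

def admin_share_access(smb_mapping):
    """smb_mapping.log: tree connects to C$/ADMIN$/IPC$-style shares."""
    hits = []
    for r in smb_mapping:
        share = r.get("path", "").rsplit("\\", 1)[-1].upper()  # last path component
        if ADMIN_SHARE.match(share):
            hits.append((r["id.orig_h"], r["id.resp_h"], share))
    return hits

def remote_service_creation(dce_rpc):
    """dce_rpc.log: remote service/task creation or start calls."""
    return [(r["id.orig_h"], r["id.resp_h"], r["endpoint"], r["operation"])
            for r in dce_rpc
            if r.get("operation") in REMOTE_EXEC_OPS.get(r.get("endpoint", ""), ())]

def ntlm_spray(ntlm, min_accounts=3):
    """ntlm.log: one source failing NTLM auth against many distinct accounts."""
    failed = defaultdict(set)
    for r in ntlm:
        if r.get("success") is False and r.get("username"):
            failed[r["id.orig_h"]].add(r["username"])
    return {src: sorted(users) for src, users in failed.items() if len(users) >= min_accounts}

def kerberos_anomalies(kerberos):
    """kerberos.log: RC4 service tickets (Kerberoasting) and over-long TGT lifetimes."""
    out = []
    for r in kerberos:
        if r.get("request_type") == "TGS" and r.get("cipher") == "rc4-hmac":
            out.append((r["client"], r["service"], "rc4 service ticket"))
        if r.get("request_type") == "AS" and r.get("till") and r.get("from"):
            if r["till"] - r["from"] > TEN_HOURS:
                out.append((r["client"], r["service"], "TGT lifetime exceeds 10h"))
    return out

def large_internal_transfers(conn, min_bytes=50_000_000):
    """conn.log: large private-to-private flows (staging or host-to-host exfil)."""
    hits = []
    for r in conn:
        src, dst = ipaddress.ip_address(r["id.orig_h"]), ipaddress.ip_address(r["id.resp_h"])
        moved = r.get("orig_bytes") or 0  # orig_bytes is optional in conn.log
        if src.is_private and dst.is_private and moved >= min_bytes:
            hits.append((str(src), str(dst), moved))
    return hits

def hunt(logs):
    """Run every detector; `logs` maps a Zeek log name to its JSON lines."""
    return {
        "admin_shares": admin_share_access(load(logs.get("smb_mapping", []))),
        "remote_exec": remote_service_creation(load(logs.get("dce_rpc", []))),
        "ntlm_spray": ntlm_spray(load(logs.get("ntlm", []))),
        "kerberos": kerberos_anomalies(load(logs.get("kerberos", []))),
        "transfers": large_internal_transfers(load(logs.get("conn", []))),
    }

if __name__ == "__main__":
    for name, findings in hunt(SAMPLE_LOGS).items():
        print(name, findings)
```

Each detector returns the originating host, so the next step is to pivot on it: in the sample, 10.0.1.20 maps ADMIN$, creates a service over svcctl, pushes 120 MB over SMB to the same target and sprays three accounts at the DC, which together is a far stronger signal than any one log alone. The 8.8.8.8 flow is deliberately ignored here because egress exfiltration is a different hunt; and note that the 10-hour lifetime check only works when your domain keeps the default MaxTicketAge.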

Prerequisites

Installs: 2
GitHub Stars: 6.2K
First Seen: Apr 20, 2026