
List:       bro
Subject:    [Bro] Intel::FILE_NAME and SMB_files behavior questions
From:       James Gordon <gordonjamesr () gmail ! com>
Date:       2018-03-31 22:14:07
Message-ID: E0487939-B130-4419-8F9D-F56D7D375431 () gmail ! com



Hey everyone,
 
I have a few questions on behavioral issues with the intel framework and SMB / SMB file logging:

1. I'm not sure if this is expected behavior or not, but it doesn't look like filenames parsed in smb_files.log are properly being logged in files.log. We had a red team exercise recently where our red team was able to successfully retrieve the ntds.dit file off of one of our domain controllers. This transfer occurred over SMB, so I figured we could add ntds.dit to the Intel framework so that next time we don't have to dig in logs to find out that our domain is owned – we'll have a handy alert to tell us :) I did some testing with this though, and while I see 'ntds.dit' logged clearly in the name field in smb_files.log, I don't have a corresponding entry in files.log for this file transfer, and therefore no Intel match. What makes this weirder is I have other irrelevant files from this connection logged in files.log, that I didn't actually touch or move during this connection:

bro@SObro:/nsm/bro/logs/current$ cat /opt/bro/share/bro/intel/intel.dat | grep ntds.dit
ntds.dit                Intel::FILE_NAME            domain ownage - update your resume!              F

bro@SObro:/nsm/bro/logs/2018-03-31$ zcat smb_files.16\:00\:00-17\:00\:00.log.gz | bro-cut uid id.orig_h id.resp_h id.resp_p action name | grep ntds.dit
C35jBF1HlcrVNLiXW2 1.1.1.1    2.2.2.2  445     SMB::FILE_OPEN  share path\\and more\\more\\my testing directory\\ntds.dit
C35jBF1HlcrVNLiXW2 1.1.1.1    2.2.2.2  445     SMB::FILE_OPEN  share path\\and more\\more\\my testing directory \\ntds.dit
C35jBF1HlcrVNLiXW2 1.1.1.1    2.2.2.2  445     SMB::FILE_OPEN  share path\\and more\\more\\my testing directory \\ntds.dit
C35jBF1HlcrVNLiXW2 1.1.1.1    2.2.2.2  445     SMB::FILE_OPEN  share path\\and more\\more\\my testing directory \\ntds.dit
C35jBF1HlcrVNLiXW2 1.1.1.1    2.2.2.2  445     SMB::FILE_OPEN  ntds.dit
C35jBF1HlcrVNLiXW2 1.1.1.1    2.2.2.2  445     SMB::FILE_OPEN  ntds.dit
C35jBF1HlcrVNLiXW2 1.1.1.1    2.2.2.2  445     SMB::FILE_OPEN  ntds.dit
C35jBF1HlcrVNLiXW2 1.1.1.1    2.2.2.2  445     SMB::FILE_OPEN  ntds.dit

If I search for "ntds.dit" in files log, I get nothing. If I search for the connection UID in files.log, there are some files logged – but not the only file I actually transferred over this connection!

bro@SObro:/nsm/bro/logs/2018-03-31$ zcat files.16\:00\:00-17\:00\:00.log.gz | bro-cut conn_uids tx_hosts rx_hosts source filename | grep C35jBF1HlcrVNLiXW2
C35jBF1HlcrVNLiXW2      1.1.1.1    2.2.2.2  SMB     desktop.ini
C35jBF1HlcrVNLiXW2      1.1.1.1    2.2.2.2  SMB     share path\\and more\\more\\not my testing directory!? \\desktop.ini
C35jBF1HlcrVNLiXW2      1.1.1.1    2.2.2.2  SMB     share path\\and more\\more\\my testing directory \\random file that lives at this path.exe
C35jBF1HlcrVNLiXW2      1.1.1.1    2.2.2.2  SMB     desktop.ini
C35jBF1HlcrVNLiXW2      1.1.1.1    2.2.2.2  SMB     favorites\\desktop.ini
C35jBF1HlcrVNLiXW2      1.1.1.1    2.2.2.2  SMB     Random excel file that lives in my testing directory.xls
C35jBF1HlcrVNLiXW2      1.1.1.1    2.2.2.2  SMB     random executable that lives in my testing directory.exe

Is there something wrong with my Bro instance? I feel like filenames from smb_files 'name' field should *all* be fed into files.log. I tested this with two different share paths and similar results – everything gets logged as I would expect in smb_files.log but this filename never shows up in files.log. How can I reliably alert on file names transferred over SMB?
 
2. As part of the above red team exercise, I found what I suspect are some instances of Meterpreter being transferred from popped hosts back to the adversary system over SMB. These were logged in "smb_files.log" with names like: "Temp\\PBetVKZU.tmp" and "Temp\\FapcPatS.tmp". I don't think the Intel framework supports wildcards – is there a way to alert on files transferred that match a regex such as "Temp\\[a-zA-Z]{8}.tmp", or even: "Temp\\*.tmp"?

3. Unrelated to the Intel framework - it seems like smb_files.log is super noisy. If I browse to a share drive, a massive amount of the contents of the share are enumerated in the smb_files log without taking any action (with the 'action' field indicating SMB::FILE_OPEN). This feels like expected behavior in SMB. Is there any way to 'filter' the log to only log files that are actually opened, written to, moved, deleted, or had any real operation occur against them?

 
We're running Bro 2.5.3 in Security Onion (Ubuntu 14.04). The intel framework is loaded and successfully fires on other indicators we have running.
Thanks!

James Gordon
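Questions 2 and 3 above ask for two things the stock Intel framework does not give directly: matching SMB file names against a regex instead of an exact Intel::FILE_NAME indicator, and cutting the SMB::FILE_OPEN browsing noise in smb_files.log. The script below is an added example, not code from the post or from the Bro project. It reads an smb_files.log in the standard Bro ASCII layout ('#separator' and '#fields' header lines, tab-separated records, backslashes written as '\\'), normalises the name field to its basename so that both forms the post shows (full share path and bare 'ntds.dit') match the same indicator, applies an exact-name set and a regex list, and collapses repeated opens of the same file into a count. The log records, the second connection uid and the Temp file names it embeds are constructed for the example; the field names are the ones shown in the post. One caveat it builds in deliberately: the post's own output shows the ntds.dit retrieval logged only as SMB::FILE_OPEN, so name rules are evaluated before any action-based suppression; otherwise filtering on action alone would have hidden exactly the event the poster wants.

```python
"""Offline triage of a Bro smb_files.log for filename-based alerting.

Added example; not code from the mailing-list post or from Bro/Zeek.
Assumes the standard Bro ASCII log layout and the smb_files.log field
names shown in the post. All records below are constructed.
"""
import codecs
import re
from collections import Counter

# --- Constructed sample log (not real traffic) ------------------------------
SAMPLE_FIELDS = ["ts", "uid", "id.orig_h", "id.resp_h", "id.resp_p",
                 "action", "name"]
SAMPLE_ROWS = [
    # The ntds.dit transfer: the post shows it logged only as FILE_OPEN,
    # once with the share path and once as the bare name.
    ("1522530001.0", "C35jBF1HlcrVNLiXW2", "1.1.1.1", "2.2.2.2", "445",
     "SMB::FILE_OPEN", r"share path\my testing directory\ntds.dit"),
    ("1522530001.5", "C35jBF1HlcrVNLiXW2", "1.1.1.1", "2.2.2.2", "445",
     "SMB::FILE_OPEN", "ntds.dit"),
    # Browsing noise: the same desktop.ini opened three times.
    ("1522530002.0", "C35jBF1HlcrVNLiXW2", "1.1.1.1", "2.2.2.2", "445",
     "SMB::FILE_OPEN", "desktop.ini"),
    ("1522530002.1", "C35jBF1HlcrVNLiXW2", "1.1.1.1", "2.2.2.2", "445",
     "SMB::FILE_OPEN", "desktop.ini"),
    ("1522530002.2", "C35jBF1HlcrVNLiXW2", "1.1.1.1", "2.2.2.2", "445",
     "SMB::FILE_OPEN", "desktop.ini"),
    # Constructed uid; a name shaped like the post's eight-letter Temp files.
    ("1522530003.0", "CxyzABCDEF1234567", "3.3.3.3", "1.1.1.1", "445",
     "SMB::FILE_WRITE", r"Temp\PBetVKZU.tmp"),
    # Nine letters: a real operation, but must NOT match the {8} regex.
    ("1522530003.5", "CxyzABCDEF1234567", "3.3.3.3", "1.1.1.1", "445",
     "SMB::FILE_WRITE", r"Temp\ABCDEFGHI.tmp"),
]


def build_bro_log(fields, rows):
    """Serialise rows the way Bro's ASCII writer does ('\\' for a backslash)."""
    header = ["#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)",
              "#unset_field\t-", "#path\tsmb_files", "#fields\t" + "\t".join(fields)]
    body = ["\t".join(v.replace("\\", "\\\\") for v in row) for row in rows]
    return "\n".join(header + body) + "\n"


def parse_bro_log(text):
    """Yield one dict per record, keyed by the '#fields' header; unescape '\\'."""
    sep, fields = "\t", None
    for line in text.splitlines():
        if line.startswith("#separator "):
            # The separator is spelled as an escape sequence, e.g. \x09 for TAB.
            sep = codecs.decode(line.split(" ", 1)[1], "unicode_escape")
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line.startswith("#") or not line.strip():
            continue  # #types/#open/#close and blank lines carry no records
        else:
            values = [v.replace("\\\\", "\\") for v in line.split(sep)]
            yield dict(zip(fields, values))


# Intel::FILE_NAME-style exact indicators, matched on the lower-cased basename.
EXACT_NAMES = {"ntds.dit"}
# Regex indicators (the post's "Temp\\[a-zA-Z]{8}.tmp"), anchored to a path part.
REGEX_NAMES = [re.compile(r"(?:^|\\)Temp\\[A-Za-z]{8}\.tmp$", re.IGNORECASE)]
NOISY_ACTIONS = {"SMB::FILE_OPEN"}


def basename(name):
    """Last path component; the name field may or may not carry the share path."""
    return re.split(r"[\\/]", name)[-1]


def match_name(name):
    """Return the rule label that fires for this name, or None."""
    base = basename(name).lower()
    if base in EXACT_NAMES:
        return "exact:" + base
    for pat in REGEX_NAMES:
        if pat.search(name):
            return "regex:" + pat.pattern
    return None


def triage(log_text):
    """Split records into name alerts, real operations and an open-count summary."""
    alerts, operations, opens = [], [], Counter()
    for rec in parse_bro_log(log_text):
        rule = match_name(rec["name"])
        if rule:  # name rules first: the post's ntds.dit hit was a FILE_OPEN
            alerts.append((rule, rec["uid"], rec["action"], rec["name"]))
        elif rec["action"] in NOISY_ACTIONS:
            opens[(rec["uid"], rec["name"])] += 1  # collapse, do not drop
        else:
            operations.append((rec["uid"], rec["action"], rec["name"]))
    return {"alerts": alerts, "operations": operations, "open_summary": dict(opens)}


def run_sample():
    return triage(build_bro_log(SAMPLE_FIELDS, SAMPLE_ROWS))


if __name__ == "__main__":
    result = run_sample()
    for a in result["alerts"]:
        print("ALERT", *a)
    for (uid, name), n in result["open_summary"].items():
        print("OPENS", uid, name, "x%d" % n)
```

Run against a day of smb_files.log before deploying the rules: the exact set is where Intel::FILE_NAME indicators go, the regex list is where the Temp\\*.tmp style patterns go, and the open summary shows how much of the log is repeated browsing of the same paths versus writes, renames and deletes.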
 


_______________________________________________
Bro mailing list
bro@bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
