<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:Helvetica;
        panose-1:2 11 5 4 2 2 2 2 2 4;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
span.EmailStyle18
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri",sans-serif;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>As a troubleshooting measure, perhaps you could add SMB::FILE_READ and SMB::FILE_WRITE to the list of logged file actions. Per the zeek article, the SMB::FILE_OPEN action alone is not representative of a file being transferred. The workstation would need to execute a READ action or a WRITE action. That may help narrow it down.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Mark<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> security devops <jackjill77777@gmail.com> <br><b>Sent:</b> Wednesday, June 17, 2020 1:56 AM<br><b>To:</b> Mark I Fernandez <mfernandez@mitre.org><br><b>Cc:</b> zeek@zeek.org<br><b>Subject:</b> Re: [EXT] [Zeek] Question on Zeek SMB Logs and action "SMB::FILE OPEN"<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Thanks Mark.<o:p></o:p></p><div><p class=MsoNormal>I have tested this scenario from 2 clients - one a VM running Win10 (1909) and the other a physical machine. 
Both displayed the same symptoms on Zeek even with AutoRun/Play disabled.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>In the "bro_smb_files" event type, an action of "SMB::FILE OPEN" is observed for all the executables in the folder.<o:p></o:p></p></div><div><p class=MsoNormal>In the "bro_files" event type, these files are extracted.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Referencing previous queries on action "SMB::FILE OPEN", is it possible that this action caused executables to be extracted "on the fly"?<o:p></o:p></p></div><div><p class=MsoNormal><a href="http://mailman.icsi.berkeley.edu/pipermail/zeek/2018-April/013049.html">http://mailman.icsi.berkeley.edu/pipermail/zeek/2018-April/013049.html</a> <o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>On Tue, 16 Jun 2020 at 19:39, Mark I Fernandez <<a href="mailto:mfernandez@mitre.org">mfernandez@mitre.org</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>For the “SMB::FILE OPEN” action, I believe you would see this action when viewing a network shared folder. The SMB::FILE OPEN action applies to both files and directories, and I believe there is a flag in one of the SMB headers that specifies if it is a folder.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>For the “extracted files” issue, that sounds strange, but if the files appear in the “extracted” folder, then those executables are being transferred across the wire. I don’t think Zeek could collect those files otherwise. 
The only thing I can think of at the moment is that Microsoft Windows has a feature called AutoRun or AutoPlay. Best practice is to disable it, but if it is enabled on your Windows machines, then perhaps it could explain the behavior.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Microsoft article on how to disable AutoRun/AutoPlay:<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><a href="https://docs.microsoft.com/en-us/windows/win32/shell/autoplay-reg" target="_blank">https://docs.microsoft.com/en-us/windows/win32/shell/autoplay-reg</a><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='color:#0033CC'>Mark</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b>From:</b> <a href="mailto:zeek-bounces@zeek.org" target="_blank">zeek-bounces@zeek.org</a> <<a href="mailto:zeek-bounces@zeek.org" target="_blank">zeek-bounces@zeek.org</a>> <b>On Behalf Of </b>security devops<br><b>Sent:</b> Tuesday, June 16, 2020 4:28 AM<br><b>To:</b> <a href="mailto:zeek@zeek.org" target="_blank">zeek@zeek.org</a><br><b>Subject:</b> [EXT] [Zeek] Question on Zeek SMB Logs and action "SMB::FILE OPEN"<o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Helvetica",sans-serif'>Hi</span><o:p></o:p></p><div><p class=MsoNormal 
style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Helvetica",sans-serif'>I'm running Security Onion with Zeek 3.0.7.</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Helvetica",sans-serif'>I have a client accessing a NAS. Whenever a client accesses a folder containing executables, Zeek will detect a "bro_smb_files" event type for all the executables in the folder, even though the client did not open these executables.</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Helvetica",sans-serif'> </span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Helvetica",sans-serif'>There would be an action of "SMB::FILE OPEN" for all these executables and they would be extracted to the "nsm/bro/extracted" folder.</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Helvetica",sans-serif'> </span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Helvetica",sans-serif'>Is this the default behaviour, as it seems odd that the files are extracted even though they did not cross the wire?</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Helvetica",sans-serif'> </span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Helvetica",sans-serif'>I'm also a 
little confused over the "SMB::FILE OPEN" action when I referenced the Zeek documentation. Does it mean the file was "open" even though the client only accessed the mapped folder?</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Helvetica",sans-serif'> </span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Helvetica",sans-serif'>The follow-up question on this would be the forensic integrity of the files. Would this weird SMB behavior affect the "access" date of the file (I am referring to the MACB dates of the file)?</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Helvetica",sans-serif'> </span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Helvetica",sans-serif'>Thank you</span><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.5pt;font-family:"Helvetica",sans-serif'> </span><o:p></o:p></p></div></div></div></div></div></blockquote></div></div></body></html>
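Mark's troubleshooting suggestion, as an added example that is not part of the original thread: a small Python triage over constructed smb_files.log and files.log excerpts that flags extracted files for which Zeek only ever logged SMB::FILE_OPEN, versus those that also had a FILE_READ or FILE_WRITE. It assumes SMB::FILE_READ and SMB::FILE_WRITE have been added to SMB::logged_file_actions in local.zeek; the hosts, fuids and log lines are constructed samples.

```python
"""Added example, not code from the thread: triage Zeek smb_files.log against
files.log to tell files the client merely opened (SMB::FILE_OPEN only) from
files whose content crossed the wire (FILE_READ/FILE_WRITE). Assumes local.zeek
has: redef SMB::logged_file_actions += { SMB::FILE_READ, SMB::FILE_WRITE };
All log lines are constructed samples trimmed to the fields used here."""
from collections import defaultdict

TRANSFER_ACTIONS = {"SMB::FILE_READ", "SMB::FILE_WRITE"}

def tsv(*rows):
    """Join constructed field tuples into tab-separated Zeek ASCII log text."""
    return "\n".join("\t".join(r) for r in rows) + "\n"

SMB_FILES_LOG = tsv(
    ("#fields", "ts", "uid", "id.orig_h", "id.resp_h", "fuid", "action", "path", "name"),
    ("1592300000.1", "CAAA1", "10.0.0.5", "10.0.0.9", "Fa1", "SMB::FILE_OPEN", r"\\nas\tools", "tool1.exe"),
    ("1592300000.2", "CAAA1", "10.0.0.5", "10.0.0.9", "Fa2", "SMB::FILE_OPEN", r"\\nas\tools", "tool2.exe"),
    ("1592300000.3", "CAAA1", "10.0.0.5", "10.0.0.9", "Fa2", "SMB::FILE_READ", r"\\nas\tools", "tool2.exe"),
)
FILES_LOG = tsv(
    ("#fields", "ts", "fuid", "source", "filename", "extracted"),
    ("1592300000.2", "Fa1", "SMB", "tool1.exe", "extract-Fa1.exe"),
    ("1592300000.3", "Fa2", "SMB", "tool2.exe", "extract-Fa2.exe"),
    ("1592300000.4", "Fa3", "SMB", "notes.txt", "-"),
)

def parse_zeek_log(text):
    """Parse Zeek ASCII log text into dicts keyed by the #fields names."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def classify_extractions(smb_log, files_log):
    """Return (confirmed, suspicious): extracted fuids that had a READ/WRITE
    logged versus those that only ever appeared with FILE_OPEN."""
    acts = defaultdict(set)
    for r in parse_zeek_log(smb_log):
        acts[r["fuid"]].add(r["action"])
    confirmed, suspicious = [], []
    for f in parse_zeek_log(files_log):
        if f["extracted"] == "-":
            continue  # extraction did not write this file to disk
        bucket = confirmed if acts[f["fuid"]] & TRANSFER_ACTIONS else suspicious
        bucket.append(f["fuid"])
    return confirmed, suspicious
```

Run it against real logs by reading the two files into `classify_extractions`; any fuid in the second list was written to the extracted folder without a logged read or write and is where to look first.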