[Bro] Crowdstrike Additional Intel types
andrew.ratcliffe at nswcsystems.co.uk
Tue Jan 13 00:30:25 PST 2015
I was trying out the Crowdstrike bro additional Intel framework types http://blog.crowdstrike.com/maximizing-network-threat-intel-bro/ and very cool they are too.
But does anyone know if the Intel::USER_NAME could be extended to CIFS/SMB where the username is in the clear?
I have seen APT activity where service accounts have been cracked and then used to attempt to authenticate to devices around the network. A simple CIFS honeypot might be used to attract an attacker to attempt authentication.
Or even the metasploit module:
msf exploit(phpmyadmin_config) > use auxiliary/server/capture/smb
msf auxiliary(smb) > set JOHNPWFILE /root/johnpwfile
JOHNPWFILE => /root/johnpwfile
msf auxiliary(smb) > exploit
[*] Auxiliary module execution completed
msf auxiliary(smb) >
[*] Server started.
[*] SMB Captured - 2015-01-12 20:55:09 +0000
NTLMv2 Response Captured from 172.31.254.13:53729 - 172.31.254.13
USER:andy DOMAIN: OS:Mac OS X 10.10 LM:SMBFS 3.0.0
If it were possible to extend the scripts to examine the SMB username then the Intel framework would pick up on this activity just using a list of usernames that should not appear on the network.
Andrew.Ratcliffe at NSWCSystems.co.uk
CISSP, GCIA, GCIH, GPEN, GWAPT, CSTA, CSTP, CWSA
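As an added illustration of what the message above is asking for (this is not code from the original post, from CrowdStrike, or from the Bro/Zeek project), here is a script that hands the user name from an NTLM AUTHENTICATE message to the Intel framework as an Intel::USER_NAME indicator. The user name and domain name in that message are plain Unicode fields; only the password is protected by the challenge-response, which is why the Metasploit capture above shows "USER:andy" even for an NTLMv2 response. The script assumes the ntlm_authenticate event and the NTLM::Authenticate record of the Zeek/Bro NTLM analyzer, which did not exist in the Bro release current when the post was written (SMB and NTLM parsing shipped later, in 2.5). The module name, the Where location, the feed path and the sample feed entries are all invented for the example.

```zeek
##! Added example: feed NTLM user names (as carried inside SMB session setup,
##! but also NTLM over HTTP) to the Intel framework so that a list of
##! Intel::USER_NAME indicators catches cracked or decoy accounts being used.
##! Assumes Zeek / Bro >= 2.5 with the NTLM analyzer loaded.

@load base/frameworks/intel
@load base/protocols/ntlm
@load base/protocols/smb

module NTLMIntel;   # hypothetical module name for this example

export {
	redef enum Intel::Where += {
		## The user name seen in an NTLM AUTHENTICATE message (example location).
		IN_AUTH_USER_NAME,
	};
}

event ntlm_authenticate(c: connection, request: NTLM::Authenticate)
	{
	# Anonymous/NULL session: no account name to match on.
	if ( ! request?$user_name || request$user_name == "" )
		return;

	# Match the bare account name, e.g. "svc_backup".
	Intel::seen([$indicator=request$user_name,
	             $indicator_type=Intel::USER_NAME,
	             $conn=c,
	             $where=NTLMIntel::IN_AUTH_USER_NAME]);

	# Also match DOMAIN\user, so a feed entry can be pinned to one domain.
	if ( request?$domain_name && request$domain_name != "" )
		Intel::seen([$indicator=fmt("%s\\%s", request$domain_name, request$user_name),
		             $indicator_type=Intel::USER_NAME,
		             $conn=c,
		             $where=NTLMIntel::IN_AUTH_USER_NAME]);
	}

# Constructed sample feed (path and entries are made up for the example).
# Put the following tab-separated lines in /opt/bro/share/intel/bad-users.dat
# and add the file to Intel::read_files in local.bro:
#
#   redef Intel::read_files += { "/opt/bro/share/intel/bad-users.dat" };
#
# #fields	indicator	indicator_type	meta.source	meta.desc	meta.do_notice
# svc_backup	Intel::USER_NAME	ir-team	cracked service account	T
# CORP\svc_backup	Intel::USER_NAME	ir-team	cracked service account, CORP only	T
# honeyadmin	Intel::USER_NAME	ir-team	decoy account on CIFS honeypot	T
```

With policy/frameworks/intel/do_notice loaded, each hit lands in intel.log (and notice.log when meta.do_notice is T) with the connection UID, so the attempt against the honeypot or any other host can be tied back to the SMB session. Because the NTLM analyzer also fires for NTLM over HTTP, the same feed covers proxy and web-server authentication attempts with the cracked account; if only CIFS/SMB is wanted, the handler could additionally check that the connection carries SMB state before calling Intel::seen.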