[Bro] Crowdstrike Additional Intel types

Seth Hall seth at icir.org
Tue Jan 13 06:10:18 PST 2015

> On Jan 13, 2015, at 3:30 AM, Andrew Ratcliffe <Andrew.Ratcliffe at nswcsystems.co.uk> wrote:
> But does anyone know if the Intel::USER_NAME could be extended to CIFS/SMB where the username is in the clear? 

Even better is that development on the Authentication framework has been picked up again and is making some progress.  Personally I’d like to see it make it’s way into 2.4 so that we’d be able to have a generic, abstract implementation for authentication handling.  

In the case of SMB, we’d just have a script that feeds SMB authentication information into the authentication framework in the cases we can grab it, and there will be another script that handles new authentications and feeds them into the intel framework.  It should simplify and unify the work that Josh was aiming for with his scripts.  

Unfortunately, the authentication framework is difficult enough that it’s taken quite a few years and input from at least 4 people to cover a good set of the potential use cases.

> I have seen APT activity where service accounts that have been cracked and then used to attempt to authenticate to devices around the network. A simple CIFS honeypot might be used to attract an attacker to attempt authentication.     

Agreed, although in this case, your whole network would be the honeypot. :)

> If it were possible to extend the scripts to examine the SMB username then the Intel framework would pick up on this activity just using a list of usernames that should not appear on the network. 

Yep, that should be pretty easy to deal with once the rewritten SMB analyzer makes it into Bro along with the authentication framework which should make authentication handling much nicer for people writing scripts.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the Bro mailing list