[Bro] Intel::FILE_NAME and SMB_files behavior questions

James Gordon gordonjamesr at gmail.com
Sat Mar 31 15:14:07 PDT 2018 

Hey everyone,
 
I have a few questions on behavioral issues with the intel framework and SMB / SMB file logging:
 
1. I’m not sure if this is expected behavior or not, but it doesn’t look like filenames parsed in smb_files.log are properly being logged in files.log. We had a red team exercise recently where our red team was able to successfully retrieve the ntds.dit file off of one of our domain controllers. This transfer occurred over SMB, so I figured we could add ntds.dit to the Intel framework so that next time we don’t have to dig in logs to find out that our domain is owned – we’ll have a handy alert to tell us :) I did some testing with this though, and while I see ‘ntds.dit’ logged clearly in the name field in smb_files.log, I don’t have a corresponding entry in files.log for this file transfer, and therefore no Intel match. What makes this weirder is I have other irrelevant files from this connection logged in files.log, that I didn’t actually touch or move during this connection:
 
bro at SObro:/nsm/bro/logs/current$ cat /opt/bro/share/bro/intel/intel.dat | grep ntds.dit
ntds.dit                Intel::FILE_NAME            domain ownage - update your resume!              F
 
bro at SObro:/nsm/bro/logs/2018-03-31$ zcat smb_files.16\:00\:00-17\:00\:00.log.gz | bro-cut uid id.orig_h id.resp_h id.resp_p action name | grep ntds.dit
C35jBF1HlcrVNLiXW2 1.1.1.1    2.2.2.2  445     SMB::FILE_OPEN  share path\\and more\\more\\my testing directory\\ntds.dit
C35jBF1HlcrVNLiXW2 1.1.1.1    2.2.2.2  445     SMB::FILE_OPEN  share path\\and more\\more\\my testing directory \\ntds.dit
C35jBF1HlcrVNLiXW2 1.1.1.1    2.2.2.2  445     SMB::FILE_OPEN  share path\\and more\\more\\my testing directory \\ntds.dit
C35jBF1HlcrVNLiXW2 1.1.1.1    2.2.2.2  445     SMB::FILE_OPEN  share path\\and more\\more\\my testing directory \\ntds.dit
C35jBF1HlcrVNLiXW2 1.1.1.1    2.2.2.2  445     SMB::FILE_OPEN  ntds.dit
C35jBF1HlcrVNLiXW2 1.1.1.1    2.2.2.2  445     SMB::FILE_OPEN  ntds.dit
C35jBF1HlcrVNLiXW2 1.1.1.1    2.2.2.2  445     SMB::FILE_OPEN  ntds.dit
C35jBF1HlcrVNLiXW2 1.1.1.1    2.2.2.2  445     SMB::FILE_OPEN  ntds.dit
 
If I search for “ntds.dit” in files log, I get nothing. If I search for the connection UID in files.log, there are some files logged – but not the only file I actually transferred over this connection!
 
bro@ SObro:/nsm/bro/logs/2018-03-31$ zcat files.16\:00\:00-17\:00\:00.log.gz | bro-cut conn_uids tx_hosts rx_hosts source filename | grep C35jBF1HlcrVNLiXW2
C35jBF1HlcrVNLiXW2      1.1.1.1    2.2.2.2  SMB     desktop.ini
C35jBF1HlcrVNLiXW2      1.1.1.1    2.2.2.2  SMB     share path\\and more\\more\\not my testing directory!? \\desktop.ini
C35jBF1HlcrVNLiXW2      1.1.1.1    2.2.2.2  SMB     share path\\and more\\more\\my testing directory \\random <> file that lives at this path.exe
C35jBF1HlcrVNLiXW2      1.1.1.1    2.2.2.2  SMB     desktop.ini
C35jBF1HlcrVNLiXW2      1.1.1.1    2.2.2.2  SMB     favorites\\desktop.ini
C35jBF1HlcrVNLiXW2      1.1.1.1    2.2.2.2  SMB     Random excel file that lives in my testing directory.xls
C35jBF1HlcrVNLiXW2      1.1.1.1    2.2.2.2  SMB     random executable that lives in my testing directory.exe
 
Is there something wrong with my Bro instance? I feel like filenames from smb_files ‘name’ field should *all* be fed into files.log. I tested this with two different share paths and similar results – everything gets logged as I would expect in smb_files.log but this filename never shows up in files.log. How can I reliably alert on file names transferred over SMB?
 
 
2. As part of the above red team exercise, I found (what I suspect) are some instances of Meterpeter being transferred from popped hosts back to the adversary system over SMB. These were logged in “smb_files.log” with names like:  “Temp\\PBetVKZU.tmp” and “Temp\\FapcPatS.tmp”. I don’t think the Intel framework supports wildcards – is there a way to alert on files transferred that match a regex such as “Temp\\[a-zA-Z]{8}.tmp”, or even: “Temp\\*.tmp”?
 

3. Unrelated to the Intel framework - it seems like smb_files.log is super noisy. If I browse to a share drive, a massive amount of the contents of the share are enumerated in the smb_files log without taking any action (with the ‘action’ field indicating SMB::FILE_OPEN). This feels like expected behavior in SMB. Is there any way to ‘filter’ the log to only log files that are actually opened, written to, moved, deleted, or had any real operation occur against them? 

 
We’re running Bro 2.5.3 in Security Onion (Ubuntu 14.04). The intel framework is loaded and successfully fires on other indicators we have running.
 
Thanks!

James Gordon
 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180331/a70047a7/attachment.html

More information about the Bro mailing list