[Zeek] [EXT] Question on Zeek SMB Logs and action "SMB::FILE OPEN"

Mark I Fernandez mfernandez at mitre.org
Tue Jun 16 04:35:04 PDT 2020


For the “SMB::FILE OPEN” action, I believe you would see this action when viewing a network shared folder.  The SMB::FILE OPEN action applies to both files and directories, and I believe there is a flag in one of the SMB headers that specifies if it is a folder.



For the “extracted files” issue, that sounds strange, but if the files appear in the “extracted” folder, then those executables are being transferred across the wire.  I don’t think Zeek could collect those files otherwise.  The only thing I can think of at the moment is that Microsoft Windows has a feature called AutoRun or AutoPlay.  Best practice is to disable it, but if it is enabled on your Windows machines, then perhaps it could explain the behavior.



Microsoft article on how to disable AutoRun/AutoPlay:

https://docs.microsoft.com/en-us/windows/win32/shell/autoplay-reg



Mark



From: zeek-bounces at zeek.org <zeek-bounces at zeek.org> On Behalf Of security devops
Sent: Tuesday, June 16, 2020 4:28 AM
To: zeek at zeek.org
Subject: [EXT] [Zeek] Question on Zeek SMB Logs and action "SMB::FILE OPEN"



Hi

I'm running Security Onion with Zeek 3.0.7.



I have a client accessing a NAS. Whenever a client accesses a folder containing executables, Zeek will detect a "bro_smb_files" event type for all the executables in the folder, even though the client did not open these executables.



There would be an action of "SMB::FILE OPEN" for all these executables and it would be extracted to the "nsm/bro/extracted" folder.



Is this the default behaviour, as it seems odd that the files are extracted even though they did not cross the wire?



I'm also a little confused over "SMB::FILE OPEN" action when I referenced Zeek documentation. Does it mean the file was "open" even though the client only accessed the mapped folder?



The follow-up question on this would be forensic integrity of the files. Would this weird SMB behavior affect the "access" date of the file (I am referring to the MACB dates of the file)?



thank you
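
The question above is really "did the bytes of these executables cross the wire, or did the client only open the handle?". Zeek answers that per file: smb_files.log records the open (action SMB::FILE_OPEN, with the underscore, as written in the log) and the size the server reported, and files.log records, under the same fuid, how many bytes Zeek actually observed (seen_bytes) and whether it wrote an extracted copy. The script below joins the two logs on fuid and labels each executable open accordingly. It is an added example, not code from the Zeek project or from either poster, and it runs over constructed sample logs: the uids, fuids, hosts, paths and extracted-file names are made up, and the sample logs carry only a subset of the fields Zeek really writes.

```python
"""Join Zeek smb_files.log with files.log to separate "handle opened" from
"content transferred". Added example with constructed sample data; the
field names are Zeek's, the values are not from any real capture."""
from typing import Dict, List, Optional

# File types the thread is concerned about; extend as needed (assumption).
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".msi", ".ps1", ".bat")


def parse_zeek_tsv(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse a Zeek ASCII (TSV) log into dicts keyed by the #fields names.

    Zeek writes '-' for unset fields; that becomes None. Other '#' lines
    (#separator, #types, #open, #close ...) are skipped.
    """
    fields: List[str] = []
    rows: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch in line: {line!r}")
        rows.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return rows


def _tsv(fields: List[str], rows: List[List[str]]) -> str:
    """Build a minimal Zeek-style TSV log from constructed rows."""
    lines = ["#separator \\x09", "#fields\t" + "\t".join(fields)]
    lines += ["\t".join(r) for r in rows]
    return "\n".join(lines) + "\n"


# Constructed smb_files.log: one client browsing \\nas\share\tools.
SMB_FILES_LOG = _tsv(
    ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
     "fuid", "action", "path", "name", "size"],
    [
        ["1592300000.1", "Cabc1", "10.0.0.5", "49811", "10.0.0.20", "445",
         "Fa1", "SMB::FILE_OPEN", "\\\\nas\\share", "tools\\putty.exe", "1234567"],
        ["1592300000.2", "Cabc1", "10.0.0.5", "49811", "10.0.0.20", "445",
         "Fa2", "SMB::FILE_OPEN", "\\\\nas\\share", "tools\\installer.exe", "500000"],
        ["1592300000.3", "Cabc1", "10.0.0.5", "49811", "10.0.0.20", "445",
         "Fa3", "SMB::FILE_OPEN", "\\\\nas\\share", "tools\\readme.txt", "812"],
        ["1592300000.4", "Cabc1", "10.0.0.5", "49811", "10.0.0.20", "445",
         "Fa4", "SMB::FILE_OPEN", "\\\\nas\\share", "tools", "0"],
        ["1592300000.5", "Cabc1", "10.0.0.5", "49811", "10.0.0.20", "445",
         "Fa5", "SMB::FILE_OPEN", "\\\\nas\\share", "tools\\7z.dll", "2000"],
    ],
)

# Constructed files.log: only fuids for which Zeek saw file content.
FILES_LOG = _tsv(
    ["ts", "fuid", "source", "seen_bytes", "total_bytes", "missing_bytes",
     "extracted", "extracted_size"],
    [
        ["1592300000.1", "Fa1", "SMB", "1234567", "1234567", "0",
         "extract-1592300000.1-SMB-Fa1", "1234567"],
        ["1592300000.2", "Fa2", "SMB", "4096", "500000", "0",
         "extract-1592300000.2-SMB-Fa2", "4096"],
    ],
)


def classify_opens(smb_rows, files_rows) -> List[Dict[str, object]]:
    """For each FILE_OPEN of an executable, say how much content Zeek saw."""
    by_fuid = {r["fuid"]: r for r in files_rows}
    results: List[Dict[str, object]] = []
    for r in smb_rows:
        name = r["name"]
        if r["action"] != "SMB::FILE_OPEN" or name is None:
            continue
        if not name.lower().endswith(EXECUTABLE_SUFFIXES):
            continue  # directories and non-executables are not of interest here
        declared = int(r["size"] or 0)          # size from the SMB create response
        f = by_fuid.get(r["fuid"])
        seen = int(f["seen_bytes"]) if f and f["seen_bytes"] else 0
        if seen == 0:
            verdict = "opened, no content seen"
        elif seen < declared:
            verdict = f"partially read ({seen} of {declared} bytes)"
        else:
            verdict = "content fully transferred"
        results.append({
            "fuid": r["fuid"], "name": name, "declared_size": declared,
            "seen_bytes": seen, "extracted": f["extracted"] if f else None,
            "verdict": verdict,
        })
    return results


def triage() -> List[Dict[str, object]]:
    """Run the join over the constructed logs."""
    return classify_opens(parse_zeek_tsv(SMB_FILES_LOG), parse_zeek_tsv(FILES_LOG))


if __name__ == "__main__":
    for row in triage():
        print(f"{row['fuid']}  {row['name']:<22} {row['verdict']}  extracted={row['extracted']}")
```

An extracted file with seen_bytes well below the declared size is the interesting case: some content crossed the wire, but not the whole executable. Whether that partial read came from AutoPlay, Explorer thumbnail or icon handling, an AV scanner or a user is not something these two logs can settle; they only establish how many bytes the client actually pulled, which is the question the thread starts from.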


